WHOIS, pronounced who is, is a simple protocol which can be used to identify the owner of a domain name or IP prefix. Similar to FTP and SMTP, WHOIS is a character-oriented protocol which can be used by hand over a Telnet connection. However, it is more practical to use a purpose-built WHOIS command line or web-based client. Most Linux and BSD systems come with a WHOIS client pre-installed, and free WHOIS clients are available for other platforms.
To get a sense for how simple the protocol is, let's look at an example using Telnet. We'll telnet to whois.crsnic.net (a well-known WHOIS server) on port 43.
$ telnet whois.crsnic.net 43 Trying 126.96.36.199... Connected to whois.crsnic.net. Escape character is '^]'. cisco.com Whois Server Version 2.0 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: CISCO.COM Registrar: NETWORK SOLUTIONS, LLC. Whois Server: whois.networksolutions.com Referral URL: http://www.networksolutions.com Name Server: NS1.CISCO.COM Name Server: NS2.CISCO.COM Status: ok Updated Date: 19-apr-2010 Creation Date: 14-may-1987 Expiration Date: 15-may-2011 >>> Last update of whois database: Thu, 10 Mar 2011 22:01:40 UTC <<< ...
That's it; we type the domain, and the server terminates the connection after providing its response. The output above tells us where to find the appropriate WHOIS server for the .com top-level domain: whois.networksolutions.com. This is referred to as a thin WHOIS model; other TLDs, most notably .org, operate a thick model wherein all domain information is maintained in a single central database.
Next, we telnet to whois.networksolutions.com and repeat the query.
Dedicated WHOIS clients automate this process, automatically querying additional WHOIS servers as needed to find the desired record. The two queries above could be accomplished with the simple command
whois cisco.com. WHOIS clients also come with well-known WHOIS servers compiled in, saving the user the trouble of looking up the appropriate server for a domain.
WHOIS can also be used to look up IP prefix information. These records are held not by domain registrars but by the five regional Internet registries (RIRs).
$ nslookup packetlife.net Server: 188.8.131.52 Address: 184.108.40.206#53 Non-authoritative answer: Name: packetlife.net Address: 220.127.116.11 $ whois 18.104.22.168 # # Query terms are ambiguous. The query is assumed to be: # "n 22.214.171.124" # # Use "?" to get help. # # # The following results may also be obtained via: # http://whois.arin.net/rest/nets;q=126.96.36.199?showDetails=true&showARIN=false # Slicehost RSPC-1246472891078100 (NET-174-143-212-0-1) 188.8.131.52 - 184.108.40.206 Rackspace Hosting RSCP-NET-4 (NET-174-143-0-0-1) 220.127.116.11 - 18.104.22.168
Here we see two records which match our query: Slicehost (22.214.171.124/22) and Rackspace Hosting (126.96.36.199/16). This indicates that Rackspace allocated a portion of its address space to Slicehost, which it recently acquired. (This is actually a bit misleading: packetlife.net is in fact hosted by Rackspace.)
To get more detail about these entries, we could reissue the WHOIS query with a plus sign prepended to the IP address; this instructs the ARIN WHOIS server to respond with detailed information about both records. (Note that some whois clients handle such requests better than others.) Alternatively, we could also try ARIN's web-based WHOIS interface mentioned in the reply.