Get domain whois information with telnet
Whois is often used to find out the details of the owners or the registrants of a domain name. The details includes name, address, telephone number etc. Whenever a domain is registered by a user, the user has to fill out own details at the domain registrar. These details are fed into the whois system, which can be fetched later through whois queries.
The whois data is supposed to be available publicly. But users might fill out fake information to avoid revealing actual identities. Now a days domains also have a privary protection feature that hides the whois information from the public if the registrant wishes to do so.
According to the wikipedia article :
So basically whois is a protocol to query and fetch registration details of a domain name or ip allocation. There are lots of online websites that provide free whois service. Simply logon to them and enter the domain name and they would show the whois information. Another way to get the whois information by using some program that can contact these whois servers and fetch the necessary data.
On linux for example there is a commandline utility called whois that does this task. Try it out like this
$ whois microsoft.com
And you should get to see plenty of information like the registrar and other details. Try it on other domains of your choice and check the results. So basically whois serves as a register book that keeps record of every registered domain and details of those who registered it. This is necessary and useful.
Apart from the terminal program whois there are plenty of other utilities available for both windows and linux that can do the same thing.
In this post we are going to try to fetch the whois information from the commandline using the telnet command. This is a useful exercise for those who want to understand how exactly does the communication of whois protocol work.
Lets say the domain name we wish to query for is :
OK, before moving further lets get on to some theory about how and where the whois data is stored.
1. Every domains whois data is stored in its registrars whois server. The registrar is the company/organisation that registered the domain. For example godaddy. There is no single server that holds the whois data of all domains.
2. There are parent or tld whois servers that hold information about the above mentioned actual whois server of a domain. These tld whois servers are separate for each tld, like com, org, net and so on.
So in our case(binarytides.com) its a 'com' domain. Therefore we need to contact the parent whois server for com domains and ask them the real whois server of binarytides.com
3. Next question is, how to get the parent whois server for a given tld. There are 2 ways to do this. Either do a whois query on 'whois.iana.org' on port 43 and ask them for the whois server of 'com' domains.
Or, simply connect to 'com.whois-servers.net' It will take you to the whois server of com domains. Yes you guessed it right, for org it would be org.whois-servers.net. Its the extension prefixed to '.whois-servers.net'.
Now the second method is cheaper since it involves 1 less query. In this example however I am going to show you both the methods.
So that was the short and simple theory. Also note that whois protocol works on tcp/ip port number 43. Just like http server works on port 80. Now lets proceed with the rest of the steps to extract the whois data for binarytides.com
Get parent whois server for com domains
The domain here is a .com domain , so first we need to find out the registry which holds whois data for .com domains
desktop:~$ telnet whois.iana.org 43 Trying 126.96.36.199... Connected to ianawhois.vip.icann.org. Escape character is '^]'.
Now we are connected to whois.iana.org. Now enter 'com' and hit enter
com % IANA WHOIS server % for more information on IANA, visit http://www.iana.org % This query returned 1 object domain: COM organisation: VeriSign Global Registry Services address: 21345 Ridgetop Circle address: Dulles Virginia 20166 address: United States contact: administrative name: Registry Customer Service organisation: VeriSign Global Registry Services address: 21345 Ridgetop Circle address: Dulles Virginia 20166 address: United States phone: +1 703 925-6999 fax-no: +1 703 421-5828 e-mail: firstname.lastname@example.org contact: technical name: Registry Customer Service organisation: VeriSign Global Registry Services address: 21345 Ridgetop Circle address: Dulles Virginia 20166 address: United States phone: +1 703 925-6999 fax-no: +1 703 421-5828 e-mail: email@example.com nserver: A.GTLD-SERVERS.NET 188.8.131.52 2001:503:a83e:0:0:0:2:30 nserver: B.GTLD-SERVERS.NET 184.108.40.206 2001:503:231d:0:0:0:2:30 nserver: C.GTLD-SERVERS.NET 220.127.116.11 nserver: D.GTLD-SERVERS.NET 18.104.22.168 nserver: E.GTLD-SERVERS.NET 22.214.171.124 nserver: F.GTLD-SERVERS.NET 126.96.36.199 nserver: G.GTLD-SERVERS.NET 188.8.131.52 nserver: H.GTLD-SERVERS.NET 184.108.40.206 nserver: I.GTLD-SERVERS.NET 220.127.116.11 nserver: J.GTLD-SERVERS.NET 18.104.22.168 nserver: K.GTLD-SERVERS.NET 22.214.171.124 nserver: L.GTLD-SERVERS.NET 126.96.36.199 nserver: M.GTLD-SERVERS.NET 188.8.131.52 ds-rdata: 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766 whois: whois.verisign-grs.com status: ACTIVE remarks: Registration information: http://www.verisign-grs.com created: 1985-01-01 changed: 2011-03-31 source: IANA Connection closed by foreign host.
So we have the output with some useful information. The line of interest is :
It says that for com domains whois.verisign-grs.com is the parent whois server for 'com' domains.
Connect to tld whois server and get the actual whois server
Now that we have the tld whois server, we shall connect to it and get the actual whois server for the domain. The next query is also a whois query like before.
$ telnet whois.verisign-grs.com 43 Trying 184.108.40.206... Connected to whois.verisign-grs.com. Escape character is '^]'.
Note : If we were to omit the previous step, then without knowing 'whois.verisign-grs.com' we could straight away connect to 'com.whois-servers.net' in this step and it would connect us to the same server
$ telnet com.whois-servers.net 43 Trying 220.127.116.11... Connected to whois.verisign-grs.com. Escape character is '^]'.
Saw the name ? its the same server.
Now we are connected to the server. Type the domain name (without www) and hit enter.
binarytides.com Whois Server Version 2.0 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: BINARYTIDES.COM Registrar: NETLYNX, INC. Whois Server: whois.netlynx.com Referral URL: http://www.netlynx.com Name Server: OMIKRO1.ALLWEBSERVER.COM Name Server: OMIKRO2.ALLWEBSERVER.COM Status: ok Updated Date: 14-jun-2011 Creation Date: 30-jun-2009 Expiration Date: 30-jun-2012 >>> Last update of whois database: Sat, 22 Oct 2011 13:59:39 UTC <<< ........TRUNCATED The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.Connection closed by foreign host.
Now we have the actual whois server of the domain. The line of interest is :
Whois Server: whois.netlynx.com
Get domain whois information
So we have to repeat the above process with this final whois server whois.netlynx.com
desktop:~$ telnet whois.netlynx.com 43 Trying 18.104.22.168... Connected to whois.netlynx.com. Escape character is '^]'.
Now we are connected with the whois server. Type the domain name binarytides.com and hit enter
binarytides.com Registration Service Provided By: OMIKROSYS Contact: +91.123456 Domain Name: BINARYTIDES.COM Registrant: PrivacyProtect.org Domain Admin (firstname.lastname@example.org) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null,QLD 4218 AU Tel. +45.36946676 Creation Date: 30-Jun-2009 Expiration Date: 30-Jun-2012 Domain servers in listed order: omikro1.allwebserver.com omikro2.allwebserver.com Administrative Contact: PrivacyProtect.org Domain Admin (email@example.com) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null,QLD 4218 AU Tel. +45.36946676 Technical Contact: PrivacyProtect.org Domain Admin (firstname.lastname@example.org) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null,QLD 4218 AU Tel. +45.36946676 Billing Contact: PrivacyProtect.org Domain Admin (email@example.com) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null,QLD 4218 AU Tel. +45.36946676 Status:ACTIVE ......TRUNCATED Connection closed by foreign host.
So now we have all the necessary whois information available.
The whois command on linux can be used to make this telnet query. Here is an example
$ whois -h com.whois-servers.net stackoverflow.com Whois Server Version 2.0 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: STACKOVERFLOW.COM Registrar: NAME.COM LLC Whois Server: whois.name.com Referral URL: http://www.name.com Name Server: NS1.SERVERFAULT.COM Name Server: NS2.SERVERFAULT.COM Name Server: NS3.SERVERFAULT.COM Name Server: NS4.SERVERFAULT.COM Status: clientTransferProhibited Updated Date: 19-mar-2013 Creation Date: 26-dec-2003 Expiration Date: 26-dec-2015 >>> Last update of whois database: Thu, 02 May 2013 15:57:21 UTC <<<
The above example queries com.whois-servers.net for the search term "stackoverflow.com". The query returns the actual whois server of stackoverflow.com
Next query the whois server 'whois.name.com'
$ whois -h whois.name.com stackoverflow.com __ _ ____ | \ | | __ _ _ __ ___ ___ / ___|___ _ __ ___ | \| |/ _` | '_ ` _ \ / _ \ | | / _ \| '_ ` _ \ | |\ | (_| | | | | | | __/ _ | |__| (_) | | | | | | |_| \_|\__,_|_| |_| |_|\___| (_) \____\___/|_| |_| |_| On a first name basis with the rest of the world. Get your <a href="http://www.name.com">domains</a> at Name.com. Domain Name: stackoverflow.com Registrar: Name.com LLC Expiration Date: 2015-12-26 19:18:07 Creation Date: 2003-12-26 19:18:07 Name Servers: ns1.serverfault.com ns2.serverfault.com ns3.serverfault.com ns4.serverfault.com REGISTRANT CONTACT INFO Stack Exchange, Inc. Sysadmin Team 1 Exchange Plaza Floor 26 New York NY 10006 US Phone: +1.2122328280 Email Address: firstname.lastname@example.org ...............
So now we have the final and full whois information of stackoverflow.com available.