Whois is often used to find out the details of the owner or registrant of a domain name. The details include the name, address, telephone number and so on. Whenever a domain is registered, the user has to fill in their own details at the domain registrar. These details are fed into the whois system, from which they can later be fetched through whois queries.
The whois data is supposed to be publicly available. But users might fill in fake information to avoid revealing their actual identity. Nowadays domains also have a privacy protection feature that hides the whois information from the public if the registrant wishes so.
According to the Wikipedia article:
WHOIS (pronounced as the phrase who is) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format. The Whois protocol is documented in RFC 3912.
So basically whois is a protocol to query and fetch the registration details of a domain name or IP allocation. There are lots of websites that provide a free whois service: simply visit one, enter the domain name and it will show the whois information. Another way to get the whois information is to use a program that contacts these whois servers directly and fetches the necessary data.
On Linux for example there is a command line utility called whois that does this task. Try it out like this:
$ whois microsoft.com
You should see plenty of information such as the registrar and other details. Try it on other domains of your choice and check the results. So basically whois serves as a register book that keeps a record of every registered domain and the details of those who registered it. This is necessary and useful.
Apart from the terminal program whois there are plenty of other utilities available for both Windows and Linux that do the same thing.
In this post we are going to try to fetch the whois information from the command line using the telnet command. This is a useful exercise for those who want to understand exactly how the communication in the whois protocol works.
Let's say the domain name we wish to query for is:
binarytides.com
OK, before moving further let's go through some theory about how and where the whois data is stored.
1. Every domain's whois data is stored in its registrar's whois server. The registrar is the company/organisation that registered the domain, for example GoDaddy. There is no single server that holds the whois data of all domains.
2. There are parent or TLD whois servers that hold information about the actual whois server of a domain mentioned above. These TLD whois servers are separate for each TLD, like com, org, net and so on.
So in our case (binarytides.com) it is a 'com' domain. Therefore we need to contact the parent whois server for com domains and ask it for the real whois server of binarytides.com.
3. The next question is how to get the parent whois server for a given TLD. There are 2 ways to do this. Either do a whois query on 'whois.iana.org' on port 43 and ask it for the whois server of 'com' domains.
Or simply connect to 'com.whois-servers.net'; it will take you to the whois server of com domains. Yes, you guessed it right: for org it would be org.whois-servers.net. It is the extension prefixed to '.whois-servers.net'.
The second method is cheaper since it involves one less query. In this example however I am going to show you both methods.
So that was the short and simple theory. Also note that the whois protocol works on TCP port number 43, just like an HTTP server works on port 80. Now let's proceed with the rest of the steps to extract the whois data for binarytides.com.
Get parent whois server for com domains
The domain here is a .com domain, so first we need to find out the registry which holds the whois data for .com domains.
desktop:~$ telnet whois.iana.org 43
Trying 192.0.47.59...
Connected to ianawhois.vip.icann.org.
Escape character is '^]'.
Now we are connected to whois.iana.org. Enter 'com' and hit enter.
com
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

domain:       COM

organisation: VeriSign Global Registry Services
address:      21345 Ridgetop Circle
address:      Dulles Virginia 20166
address:      United States

contact:      administrative
name:         Registry Customer Service
organisation: VeriSign Global Registry Services
address:      21345 Ridgetop Circle
address:      Dulles Virginia 20166
address:      United States
phone:        +1 703 925-6999
fax-no:       +1 703 421-5828
e-mail:       [email protected]

contact:      technical
name:         Registry Customer Service
organisation: VeriSign Global Registry Services
address:      21345 Ridgetop Circle
address:      Dulles Virginia 20166
address:      United States
phone:        +1 703 925-6999
fax-no:       +1 703 421-5828
e-mail:       [email protected]

nserver:      A.GTLD-SERVERS.NET 192.5.6.30 2001:503:a83e:0:0:0:2:30
nserver:      B.GTLD-SERVERS.NET 192.33.14.30 2001:503:231d:0:0:0:2:30
nserver:      C.GTLD-SERVERS.NET 192.26.92.30
nserver:      D.GTLD-SERVERS.NET 192.31.80.30
nserver:      E.GTLD-SERVERS.NET 192.12.94.30
nserver:      F.GTLD-SERVERS.NET 192.35.51.30
nserver:      G.GTLD-SERVERS.NET 192.42.93.30
nserver:      H.GTLD-SERVERS.NET 192.54.112.30
nserver:      I.GTLD-SERVERS.NET 192.43.172.30
nserver:      J.GTLD-SERVERS.NET 192.48.79.30
nserver:      K.GTLD-SERVERS.NET 192.52.178.30
nserver:      L.GTLD-SERVERS.NET 192.41.162.30
nserver:      M.GTLD-SERVERS.NET 192.55.83.30
ds-rdata:     30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766

whois:        whois.verisign-grs.com

status:       ACTIVE
remarks:      Registration information: http://www.verisign-grs.com

created:      1985-01-01
changed:      2011-03-31
source:       IANA

Connection closed by foreign host.
So we have the output with some useful information. The line of interest is:
whois: whois.verisign-grs.com
It says that whois.verisign-grs.com is the parent whois server for 'com' domains.
Connect to tld whois server and get the actual whois server
Now that we have the TLD whois server, we shall connect to it and get the actual whois server for the domain. The next query is also a whois query like before.
$ telnet whois.verisign-grs.com 43
Trying 199.7.57.74...
Connected to whois.verisign-grs.com.
Escape character is '^]'.
Note: if we were to skip the previous step, then without knowing 'whois.verisign-grs.com' we could connect straight to 'com.whois-servers.net' in this step and it would connect us to the same server.
$ telnet com.whois-servers.net 43
Trying 199.7.52.74...
Connected to whois.verisign-grs.com.
Escape character is '^]'.
See the name? It's the same server.
Now we are connected to the server. Type the domain name (without www) and hit enter.
binarytides.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: BINARYTIDES.COM
   Registrar: NETLYNX, INC.
   Whois Server: whois.netlynx.com
   Referral URL: http://www.netlynx.com
   Name Server: OMIKRO1.ALLWEBSERVER.COM
   Name Server: OMIKRO2.ALLWEBSERVER.COM
   Status: ok
   Updated Date: 14-jun-2011
   Creation Date: 30-jun-2009
   Expiration Date: 30-jun-2012

>>> Last update of whois database: Sat, 22 Oct 2011 13:59:39 UTC <<<

........TRUNCATED

The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.
Connection closed by foreign host.
Now we have the actual whois server of the domain. The line of interest is:
Whois Server: whois.netlynx.com
Get domain whois information
So we have to repeat the above process with this final whois server, whois.netlynx.com.
desktop:~$ telnet whois.netlynx.com 43
Trying 67.15.47.4...
Connected to whois.netlynx.com.
Escape character is '^]'.
Now we are connected to the whois server. Type the domain name binarytides.com and hit enter.
binarytides.com
Registration Service Provided By: OMIKROSYS
Contact: +91.123456

Domain Name: BINARYTIDES.COM

Registrant:
    PrivacyProtect.org
    Domain Admin ([email protected])
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Creation Date: 30-Jun-2009
Expiration Date: 30-Jun-2012

Domain servers in listed order:
    omikro1.allwebserver.com
    omikro2.allwebserver.com

Administrative Contact:
    PrivacyProtect.org
    Domain Admin ([email protected])
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Technical Contact:
    PrivacyProtect.org
    Domain Admin ([email protected])
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Billing Contact:
    PrivacyProtect.org
    Domain Admin ([email protected])
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Status:ACTIVE
......TRUNCATED
Connection closed by foreign host.
So now we have all the necessary whois information available.
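The three telnet sessions above are one referral chain: IANA names the registry server for the TLD, the registry names the registrar's server, and the registrar holds the record. The script below is an added example (not code from the original post) that automates exactly that chain over raw TCP port 43 as RFC 3912 describes: send the query followed by CRLF, read until the server closes the connection, and pull the next hop out of a 'whois:' or 'Whois Server:' line. Because every referral hostname arrives in an untrusted network response, it is validated as a plain DNS name before the client connects to it, and a thick registry that returns the full record with no referral line ends the chain after two hops. The canned responses are constructed, condensed from the sessions in the post, so the script runs offline by default; the `canned_query` and `resolve_chain` names are this example's own.

```python
import re
import socket
import sys

WHOIS_PORT = 43  # RFC 3912: whois is a plain text exchange over TCP port 43

# A referral hostname comes from an untrusted response, so accept only strings
# that look like DNS names (letters, digits, hyphens, dot-separated labels).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$"
)


def whois_query(server, query, port=WHOIS_PORT, timeout=10.0):
    """One RFC 3912 exchange: connect, send query + CRLF, read until close."""
    chunks = []
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        while True:
            data = sock.recv(4096)
            if not data:          # server closes the connection when done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def referral_server(response, keys=("whois", "whois server", "registrar whois server")):
    """Extract the next-hop whois server from a response, or None if there is none.
    IANA answers 'whois: host'; the .com registry answers 'Whois Server: host'."""
    for line in response.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in keys:
            host = value.strip().lower()
            if _HOSTNAME_RE.match(host):
                return host
    return None


def resolve_chain(domain, query=whois_query):
    """Follow IANA -> TLD registry -> registrar, as done by hand with telnet above.
    Returns ([(server_queried, next_hop), ...], final_response). `query` is
    injectable so the chain can be exercised with canned responses."""
    if not _HOSTNAME_RE.match(domain):
        raise ValueError("not a valid domain name: %r" % domain)
    tld = domain.rsplit(".", 1)[-1]
    hops = []
    tld_server = referral_server(query("whois.iana.org", tld))
    if tld_server is None:
        raise RuntimeError("IANA gave no whois server for ." + tld)
    hops.append(("whois.iana.org", tld_server))
    registry_reply = query(tld_server, domain)
    registrar_server = referral_server(registry_reply)
    hops.append((tld_server, registrar_server))
    if registrar_server is None:
        # Thick registry: the full record is already here, no third hop.
        return hops, registry_reply
    final_reply = query(registrar_server, domain)
    hops.append((registrar_server, None))
    return hops, final_reply


# Constructed sample responses, condensed from the three telnet sessions in the post.
CANNED = {
    ("whois.iana.org", "com"):
        "% IANA WHOIS server\ndomain:       COM\nwhois:        whois.verisign-grs.com\nstatus:       ACTIVE\n",
    ("whois.verisign-grs.com", "binarytides.com"):
        "Whois Server Version 2.0\n\n   Domain Name: BINARYTIDES.COM\n   Registrar: NETLYNX, INC.\n"
        "   Whois Server: whois.netlynx.com\n   Referral URL: http://www.netlynx.com\n",
    ("whois.netlynx.com", "binarytides.com"):
        "Domain Name: BINARYTIDES.COM\nRegistrant:\n    PrivacyProtect.org\nCreation Date: 30-Jun-2009\nStatus:ACTIVE\n",
}


def canned_query(server, query):
    """Offline stand-in for whois_query using the constructed responses above."""
    return CANNED[(server, query)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hops, reply = resolve_chain(sys.argv[1])                   # live port-43 queries
    else:
        hops, reply = resolve_chain("binarytides.com", query=canned_query)
    for queried, next_hop in hops:
        print("%s -> %s" % (queried, next_hop or "(final record)"))
    print(reply)
```

Run it with no arguments to walk the canned chain, or with a domain name to make the same three port-43 queries the telnet sessions make by hand. The key list also accepts 'Registrar WHOIS Server', the label present-day .com registry output uses for the same referral. As the netlynx record above shows, the final answer may still be a privacy-protection proxy rather than the registrant's real contact details.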
Whois command
The whois command on Linux can be used to make the same query that we made with telnet. Here is an example:
$ whois -h com.whois-servers.net stackoverflow.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: STACKOVERFLOW.COM
   Registrar: NAME.COM LLC
   Whois Server: whois.name.com
   Referral URL: http://www.name.com
   Name Server: NS1.SERVERFAULT.COM
   Name Server: NS2.SERVERFAULT.COM
   Name Server: NS3.SERVERFAULT.COM
   Name Server: NS4.SERVERFAULT.COM
   Status: clientTransferProhibited
   Updated Date: 19-mar-2013
   Creation Date: 26-dec-2003
   Expiration Date: 26-dec-2015

>>> Last update of whois database: Thu, 02 May 2013 15:57:21 UTC <<<
The above example queries com.whois-servers.net for the search term "stackoverflow.com". The query returns the actual whois server of stackoverflow.com.
Next, query the whois server 'whois.name.com':
$ whois -h whois.name.com stackoverflow.com

[Name.com ASCII-art banner]

On a first name basis with the rest of the world. Get your <a href="http://www.name.com">domains</a> at Name.com.

Domain Name: stackoverflow.com
Registrar: Name.com LLC
Expiration Date: 2015-12-26 19:18:07
Creation Date: 2003-12-26 19:18:07

Name Servers:
    ns1.serverfault.com
    ns2.serverfault.com
    ns3.serverfault.com
    ns4.serverfault.com

REGISTRANT CONTACT INFO
Stack Exchange, Inc.
Sysadmin Team
1 Exchange Plaza
Floor 26
New York
NY
10006
US
Phone: +1.2122328280
Email Address: [email protected]
...............
So now we have the final and full whois information of stackoverflow.com available.
So, what’s the process if I whois query an IP address?