whois
Lookup domain registration information
TLDR
Get information about a domain name
Get information about an IP address
Get abuse contact for an IP address
SYNOPSIS
whois [OPTIONS] OBJECT
whois [-h HOST] [OPTIONS] OBJECT
OBJECT refers to the domain name (e.g., example.com), IP address (e.g., 203.0.113.45), or Autonomous System Number (e.g., AS12345) you wish to query.
PARAMETERS
-h HOST
Specifies the WHOIS server HOST to connect to directly, bypassing automatic server discovery. This is useful when the default lookup doesn't find the correct server or for querying specific regional registries.
-p PORT
Connects to the specified PORT on the WHOIS server instead of the default port 43. This is rarely needed unless interacting with non-standard WHOIS services.
-Q
Performs a "quick" lookup, instructing the server not to follow referrals to other WHOIS servers. This limits the query to the initial server, providing less comprehensive but faster results, often used for debugging or specific registry lookups.
-i
Performs an inverse query, searching for objects (e.g., domain names) associated with a given value (e.g., an IP address). Support for inverse queries varies significantly among WHOIS servers and is often limited or disabled due to privacy concerns.
-V
Displays the version information of the whois client and exits. Useful for verifying the installed version.
DESCRIPTION
The whois command is a client-side utility used to query distributed databases that store registration information for domain names, IP addresses, and Autonomous System Numbers (ASNs). When you execute whois, it connects to the appropriate WHOIS server – managed by domain registrars, regional internet registries (RIRs), or national internet registries (NIRs) – to retrieve publicly available data. This information typically includes the registrant's name, organization, contact details (often redacted for privacy), registration and expiration dates, name servers, and administrative/technical contacts. whois is an invaluable tool for network administrators, security researchers, and anyone needing to verify ownership, track domain history, or troubleshoot network issues. Its output can be critical for investigating phishing attempts, identifying website owners, or understanding IP address allocations. Due to the decentralized nature of WHOIS, the format and completeness of the returned data can vary significantly between different servers.
CAVEATS
Data Accuracy and Privacy: Information retrieved via WHOIS can be outdated, incomplete, or intentionally obfuscated. Due to privacy regulations like GDPR, registrant contact details are often redacted or replaced with anonymized information (e.g., 'Privacy Protect' services), limiting the direct visibility of domain owners.
Rate Limiting: Many WHOIS servers implement rate limiting to prevent abuse, which can temporarily block your IP address if too many queries are made in a short period. This is a common challenge for automated WHOIS queries.
Varying Output Formats: The structure and content of WHOIS query results differ significantly between registrars, registries, and RIRs (Regional Internet Registries), making automated parsing and consistent data extraction challenging without specialized tools.
Decentralized Nature: For a complete picture of a domain or IP block, multiple queries might be necessary as information can be distributed across various servers (e.g., a query for a .com domain might first hit the Verisign server, which then refers to the domain's registrar's WHOIS server). The whois command attempts to follow these referrals automatically, but it's not always exhaustive.
THIN VS. THICK WHOIS
Some registries (e.g., .com, .net) use a "thin" WHOIS model, meaning their servers only store basic information (like name servers and registrar) and refer you to the domain's registrar for full details. Others use a "thick" model, where the registry's WHOIS server holds all registrant information directly. The whois command attempts to navigate this automatically by following referrals, but understanding this distinction helps in interpreting results.
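The referral hop described above and under "Decentralized Nature", as an added example (not from the original page or from the whois client itself): it extracts the next server from a response, validates it as a hostname before it could be handed to whois -h, and stops on loops. The *.example hosts and response texts are constructed; the field names refer:, Registrar WHOIS Server: and ReferralServer: are assumed to be the referral fields the queried servers use.

```shell
# Added example. Responses and *.example hosts are constructed, not registry output.

# next_whois_server: read one WHOIS response on stdin and print the server it
# refers to, or nothing when there is no usable referral.
next_whois_server() {
    awk '
        {
            line = $0
            sub(/[ \t\r]+$/, "", line)          # responses usually end lines with CRLF
            sub(/^[ \t]+/, "", line)            # thin registries indent their fields
            key = tolower(line)
        }
        key ~ /^(refer|registrar whois server|referralserver):/ {
            val = tolower(line)
            sub(/^[^:]*:[ \t]*/, "", val)       # drop the "Key:" prefix
            sub(/^r?whois:\/\//, "", val)       # URL-style referral value
            sub(/[:\/].*$/, "", val)            # drop :port or /path
            # Accept only a dotted DNS name, so a hostile or garbled value
            # can never reach "whois -h" looking like an option.
            if (val ~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/ && val ~ /\./) {
                print val
                exit
            }
        }
    '
}

# sample_response SERVER: constructed stand-in for "whois -h SERVER example.com".
sample_response() {
    case "$1" in
        whois.iana.example) printf 'domain: COM\r\nrefer: whois.registry.example\r\n' ;;
        # thin: registrar and name servers only
        whois.registry.example) printf '   Domain Name: EXAMPLE.COM\r\n   Registrar WHOIS Server: whois.registrar.example\r\n' ;;
        # thick: full record, refers to itself
        whois.registrar.example) printf 'Registrar WHOIS Server: whois.registrar.example\r\nRegistrant Organization: REDACTED FOR PRIVACY\r\n' ;;
    esac
}

# referral_chain START: print the servers visited, in order. Stops when there
# is no referral, when a server was already visited, or after 5 hops.
referral_chain() {
    server=$1 seen=" " hops=0
    while [ -n "$server" ] && [ "$hops" -lt 5 ]; do
        case "$seen" in *" $server "*) break ;; esac
        seen="$seen$server "
        hops=$((hops + 1))
        server=$(sample_response "$server" | next_whois_server)
    done
    set -- $seen
    printf '%s\n' "$*"
}
```

The last server in the chain is the one whose answer carries the fullest record; a chain of length one means the first server already gave a thick answer or no referral.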
COMMON USAGE EXAMPLES
Here are some typical ways to use the whois command:
whois example.com
(Query a domain name to find its registrant, dates, and name servers)
whois 203.0.113.45
(Query an IPv4 address to find its allocation block, organization, and contact details)
whois 2001:db8::1
(Query an IPv6 address for similar allocation information)
whois AS12345
(Query an Autonomous System Number to find its owner and related information, often for routing purposes)
whois -h whois.arin.net 203.0.113.45
(Specify a WHOIS server directly, useful if you know which Regional Internet Registry manages the IP block)
HISTORY
The whois service is one of the oldest internet services, predating the World Wide Web itself. It originated in the early 1980s for ARPANET users to look up contact information for network administrators. As the internet expanded and domain names became prevalent, whois evolved to track domain registrations and IP address allocations. Initially, the system was more centralized, but it quickly became distributed, with different registries and registrars maintaining their own databases. The whois command-line client reflects this distributed nature, often automatically following referrals to the correct server. Recent years have seen significant changes, particularly with the introduction of privacy regulations like GDPR, which have led to much of the personal registrant data being redacted or anonymized from public WHOIS queries. This has shifted the focus from direct personal contact information to more organizational and technical details, emphasizing the integrity and stability of the internet's addressing system.