All you need to know about Linux whois command (domain lookup)
Just like your phone directory, whois is a lookup tool that allows you to stalk on Internet resources. Specifically, you can lookup information about
- Domain names (e.g. google.com)
- IP address (e.g. 216.58.208.78)
- ASN (Autonomous System Numbers) (e.g. AS15169)
From here on, I will focus only on domain names as it is the most prevalent WHOIS lookup.
Registries and Registrars
When you lookup a domain name (e.g. google.com) using the command “whois google.com”, you will probably end up with the following result:
As you can see, it shows domain registrar’s (Mark Monitor) information along with domain registration, expiration dates and authoritative name servers (e.g. ns1.google.com).
It does not show many other information though. Like registrant’s (Google in this case) information, administrative or technical contact information. Why didn’t we get these information?
This is because how ICANN, the non-profit organization that oversees the assignment of both IP addresses and domain names, have structured WHOIS lookup. There are two main entities in this ecosystem: registries and registrars. There are only a few registries (e.g. Verisign), but there are thousands of registrars (e.g. GoDaddy, NetworkSolutions, TuCows, etc.). The following figure illustrate this point.
Registries are responsible for managing top-level domains. For example, Verisign manages all .com domains.
Registrars have contract registries to sell domains to general public. For example, you can signup with GoDaddy to buy the domain mysuperawsomedomain.com.
Let’s get back to the initial question: why we didn’t get the full WHOIS record for google.com in the first attempt? This is because there are two types of WHOIS records in the wild. While registries maintain what are called thin records which mostly has only registrar’s information, respective registrars maintain what are called thick records which contain registrant information in addition to registrar information.
Who answer this whois command? When you do not specify a whois server in your whois command, it returns the whois information from a registry database which is responsible for managing that TLD (top-level domain). In this specific case, verisign whois server was listening on port 43 to return the thin WHOIS record for google.com.
How do we get the thick record for google.com?
Notice in the above whois output, there is a pointer to the registrar’s whois server: whois.markmonitor.com (over port 43 to be exact). Now you must have figured out that we need to specify the whois server in the command:
whois -h whois.markmonitor.com google.com
With no surprise, you get the following thick WHOIS record:
Notice that you need to query the registrar with which the domain is registered in order to get the thick record. For example, if you try to query Network Solution’s whois server for googe.com WHOIS record, you will not an answer — it will simply say that there is no match.
No match:
whois -h whois.networksolutions.com google.com
That’s is because registrars mostly maintain only those domains that are registered with them.
Just to summarize, whois lookup is a two step process:
- Get the thin record from the registry.
- Extract the registrar’s whois server from the thin record and get the thick record from registrar’s who is server.
I must tell you that it is not always nice and rosy as I mentioned above due to a number of reasons:
- Sometimes, thick record does not mention the whois server to lookup. You may need to use your wit to find the whois server based on the registrar’s name.
- Some registrars explicitly block whois lookup from command line (e.g. whois.godaddy.com). They provide web based lookup with CAPTCHA protection — you need to manually look it up — no automation. It makes sense have such rate limitations to prevent DoS attacks on whois servers maintained by registrars.
Hope that helps. Stay tuned for more focused posts on whois command.
