1. Overview

In this tutorial, we’ll learn how to use whois, a Linux command-line client to make WHOIS protocol queries. It gives human-readable information about the assigner of an IP address or a domain name.

We’ll perform queries to get information about the domain britannica.com and a couple of IP addresses. This way, we’ll see the primary information whois can give us.

2. Using whois With an IP Address

The information we can obtain about an IP address can vary significantly in accuracy and details. Usually, there are indications of the IP’s country, but its exact geolocation is rarely available. In any case, we’re typically interested in the organization owning the IP and whom to contact to report abuses.

Let’s take two IPs associated with britannica.com and admin.dc7.computing.cloud.it as examples.

2.1. An IP of britannica.com

First, let’s obtain one of the IPs associated with britannica.com:

$ host britannica.com
britannica.com has address

Then, let’s execute a query to get information about that IP:

$ whois

Since the output is verbose, let’s look at only the most relevant parts. The first few lines tell us about the network to which the IP belongs:

NetRange: -
CIDR: ,,,,,
Organization:   Amazon Technologies Inc. (AT-88-Z)

So, the IP is owned by an organization with the code AT-88-Z, headed by Amazon. The next part of the output gives us the address of that organization:

OrgName:        Amazon Technologies Inc.
OrgId:          AT-88-Z
Address:        410 Terry Ave N.
City:           Seattle
StateProv:      WA
PostalCode:     98109
Country:        US

Finally, there are an email address and phone number to use for reporting abuse:

OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-555-0000 
OrgAbuseEmail:  [email protected]

An interesting issue is that the whois output gives no details about the organization to which Amazon rented the IP address, which is Encyclopædia Britannica Inc. in this case.

2.2. An IP Providing Its Own Geolocation

In some exceptional cases, we can get the exact location of an IP. One such case involves the IP associated with admin.dc7.computing.cloud.it, which is the administration panel of Aruba’s IT3 server farm:

$ host admin.dc7.computing.cloud.it
admin.dc7.computing.cloud.it has address
$ whois
geoloc:         45.7063525 9.59049

We can put these GPS coordinates into Google Maps to see the building that houses that server farm:

[Image: Google Maps - Aruba Server Farm]

The whois output continues with information about the company holding the IP address and its contacts for reporting abuse:

netname:        ARUBA-NET
descr:          Aruba S.p.A. - Cloud Services Farm IT3
country:        IT
address:        Aruba S.p.A.
address:        via S.Clemente 53
address:        24036 Ponte San Pietro (BG)
address:        Italy
abuse-mailbox:  [email protected]
person:         Susanna Santini
phone:          +39 0575 0505
fax-no:         +39 0575 862000

In general, however, Linux has specific tools for geolocating IP addresses, such as geoiplookup.
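The two records in sections 2.1 and 2.2 publish the abuse contact under different key names (OrgAbuseEmail in the first, abuse-mailbox in the second). The following added example, which is not part of the original tutorial, normalizes both layouts into one line. The sample records and their email addresses are constructed placeholders, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: pull the abuse contact out of whois IP output, whatever
# key names the registry uses (OrgAbuseEmail vs. abuse-mailbox).
# Live use would be: whois "$ip" | abuse_contact

# Reads whois output on stdin, prints "email|organization|country".
# Returns 1 when the record publishes no abuse mailbox.
abuse_contact() {
    awk '
        /^[%#]/ { next }                      # registry comment lines
        {
            i = index($0, ":")                # split at the FIRST colon only
            if (i == 0) next
            key = tolower(substr($0, 1, i - 1))
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (val == "") next
            # First occurrence of each field wins.
            if ((key == "orgabuseemail" || key == "abuse-mailbox") && email == "") email = val
            if ((key == "orgname" || key == "descr") && org == "") org = val
            if (key == "country" && country == "") country = val
        }
        END {
            if (email == "") exit 1
            printf "%s|%s|%s\n", email, org, country
        }'
}

# Constructed sample in the layout of section 2.1 (placeholder email).
sample_orgabuse() {
cat <<'EOF'
# constructed sample record
Organization:   Amazon Technologies Inc. (AT-88-Z)
OrgName:        Amazon Technologies Inc.
Country:        US
OrgAbuseEmail:  abuse@example.com
EOF
}

# Constructed sample in the layout of section 2.2 (placeholder email).
sample_mailbox() {
cat <<'EOF'
% constructed sample record
netname:        ARUBA-NET
descr:          Aruba S.p.A. - Cloud Services Farm IT3
country:        IT
abuse-mailbox:  abuse@example.net
EOF
}

sample_orgabuse | abuse_contact
sample_mailbox | abuse_contact
```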

3. Using whois With a Domain

The output of whois britannica.com is a comprehensive example of the information we can obtain about a domain. Because it’s lengthy, we’ve extracted the most relevant information, grouping it into sections corresponding to the expected basic knowledge of any domain.

The order in which we report the data differs from how it appears in the original full output, which we can consult for a comparison.

3.1. Registry ID

A registry is one of the companies that manage a list containing a set of domain names. Just as all houses are registered with a government authority, all domain name registries keep records about every domain name purchased through them.

Let’s see the ID assigned by the registry to the domain:

Registry Domain ID: 3021450_DOMAIN_COM-VRSN

That ID is guaranteed to be unique, but beyond that, it’s not particularly meaningful information.

3.2. Registrant

The registrant is the legal owner of the domain. Usually, this information is redacted for privacy reasons. This, however, is one of those rare cases in which we have accurate actual data:

Registrant Organization: Encyclopaedia Britannica, Inc.
Registrant Street: 325 North LaSalle Street
Registrant City: Chicago
Registrant State/Province: IL
Registrant Postal Code: 60654
Registrant Country: US
Registrant Phone: +1.3123477000

This data refers to the Global Headquarters of The Britannica Group. We can verify that this information is publicly accessible on the web as well.

3.3. Registrar

The registrar is the organization that registered the domain name at the registrant’s request. This information can also be redacted, but in this case, it’s freely available:

Registrar URL: http://cscdbs.com
Sponsoring Registrar IANA ID: 299
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.8887802723

However, let’s take the case of another domain where the registrar’s information is hidden:

$ whois informatica-libera.net | grep Registrar
Registrar URL: http://www.tucows.com
Registrar: Tucows Domains Inc.
Registrar IANA ID: 69
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4165350123

This is fake, as Tucows isn’t the registrar. But it’s enough to go to the given registrar’s URL, enter the domain, and pass a captcha to get complete details on the actual registrar (Aruba S.p.A.).

As a general rule, there should always be a way to discover whom to contact in case of abuse.

3.4. Creation, Updated, and Expiration Dates

The creation date refers to the first purchase of the domain, the updated date to the last renewal, and the expiration date to the term after which it’ll be for sale again if not renewed:

Updated Date: 2022-06-09T05:06:27Z
Creation Date: 1995-06-14T04:00:00Z
Registry Expiry Date: 2023-06-13T04:00:00Z

According to ICANN’s Registrar Accreditation Agreement (sec., the creation date can’t be changed. One reason is that it’s rapidly becoming part of case law, as the creation date can be used as evidence for trademark defense in some instances. In general, when the creation date manipulation succeeds, it’s a scam.

3.5. Domain Status Codes

The whois output may contain one or more domain status codes:

  • addPeriod
  • autoRenewPeriod
  • inactive
  • ok
  • pendingCreate
  • pendingDelete
  • pendingRenew
  • pendingRestore
  • pendingTransfer
  • pendingUpdate
  • redemptionPeriod
  • renewPeriod
  • serverDeleteProhibited
  • serverHold
  • serverRenewProhibited
  • serverTransferProhibited
  • serverUpdateProhibited
  • transferPeriod
  • clientDeleteProhibited
  • clientHold
  • clientRenewProhibited
  • clientTransferProhibited
  • clientUpdateProhibited

ICANN’s EPP Status Codes document explains the meaning of each code. In our case, we have the clientTransferProhibited status code:

Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited

This status indicates that we can’t transfer the domain name registration of britannica.com. So, it prevents unauthorized transfers resulting from domain hijacking or other frauds.

4. Conclusion

In this article, we saw how whois gives us information about an IP address or domain. These days, however, almost all WHOIS queries provide redacted information for privacy and legal reasons. In fact, the WHOIS requirements conflict with the EU GDPR, which imposes strict rules on publishing personally identifiable information.

Nevertheless, in cases of abuses or unintentional errors, whois is usually of great help. For example, a no-longer-used but still existing domain can mistakenly continue to have DNS resolution to an IP assigned to a new user and a new domain. In such a case, Google may provide inappropriate results, and whois will be our friend in knowing whom to contact.

Besides that, whois is also very useful for checking our domains’ expiration dates and automating this and other checks within a Bash script.
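As an added example of the kind of script mentioned above (not code from the original tutorial), the following checks the expiry date from section 3.4 and the transfer-lock status from section 3.5 in one pass. The function names, the 30-day threshold, and the rule used to find the expiry line are assumptions; the sample record is constructed from the fields quoted in this article.

```sh
#!/bin/sh
# Added example: expiry and transfer-lock check over whois domain output.
# Live use would be: whois "$domain" | check_domain

# Days since 1970-01-01 for a Gregorian date, in plain shell arithmetic
# (avoids depending on GNU date's -d option).
days_from_civil() {                           # arg: YYYY-MM-DD
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                        # "08" would be read as bad octal
    if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 9)); else m=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * m + 2) / 5 + d - 1 ))
    echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# Reads whois output on stdin. Args: today (YYYY-MM-DD), warning threshold in days.
# Prints one summary line; returns 0 = fine, 1 = expiring or expired, 2 = no expiry date.
check_domain() {
    today=${1:-$(date -u +%Y-%m-%d)}; warn=${2:-30}
    record=$(cat)
    # Assumption: the expiry key contains "expir" and its value starts with
    # YYYY-MM-DD, as in "Registry Expiry Date: 2023-06-13T04:00:00Z".
    expiry=$(printf '%s\n' "$record" | awk -F': *' '
        tolower($1) ~ /expir/ && $2 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/ {
            print substr($2, 1, 10); exit }')
    [ -n "$expiry" ] || { echo "expiry=unknown"; return 2; }
    lock=no
    if printf '%s\n' "$record" | grep -Eqi 'Domain Status: *(client|server)TransferProhibited'; then
        lock=yes
    fi
    left=$(( $(days_from_civil "$expiry") - $(days_from_civil "$today") ))
    echo "expires=$expiry days_left=$left transfer_lock=$lock"
    [ "$left" -gt "$warn" ]
}

# Constructed sample built from the lines quoted in sections 3.4 and 3.5.
sample_whois() {
cat <<'EOF'
Updated Date: 2022-06-09T05:06:27Z
Creation Date: 1995-06-14T04:00:00Z
Registry Expiry Date: 2023-06-13T04:00:00Z
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
EOF
}

# prints: expires=2023-06-13 days_left=43 transfer_lock=yes
sample_whois | check_domain 2023-05-01 30
```

Passing the current date as an argument keeps the check reproducible; when it is omitted, the script falls back to the system date in UTC.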
