In this tutorial, we’ll learn how to use whois, a Linux command-line client for making WHOIS protocol queries. It gives human-readable information about the holder (assignee) of an IP address or a domain name.
We’ll perform queries to get information about the domain britannica.com and a couple of IP addresses. This way, we’ll see the primary information whois can give us.
2. Using whois With an IP Address
The information we can obtain about an IP address can vary significantly in accuracy and details. Usually, there are indications of the IP’s country, but its exact geolocation is rarely available. In any case, we’re typically interested in the organization owning the IP and whom to contact to report abuses.
Let’s take two IPs associated with britannica.com and admin.dc7.computing.cloud.it as examples.
2.1. An IP of britannica.com
First, let’s obtain one of the IPs associated with britannica.com:
$ host britannica.com
britannica.com has address 188.8.131.52
[...]
Then, let’s execute a query to get information about that IP:
$ whois 184.108.40.206
Since the output is verbose, let’s look at only the most relevant parts. The first few lines tell us about the network to which the IP belongs:
[...]
NetRange: 220.127.116.11 - 18.104.22.168
CIDR: 22.214.171.124/15, 126.96.36.199/12, 188.8.131.52/13, 184.108.40.206/11, 220.127.116.11/12, 18.104.22.168/14
[...]
Organization: Amazon Technologies Inc. (AT-88-Z)
[...]
So, the IP belongs to the organization whose ID is AT-88-Z, Amazon Technologies Inc. The next part of the output gives us the address of that organization:
[...]
OrgName: Amazon Technologies Inc.
OrgId: AT-88-Z
Address: 410 Terry Ave N.
City: Seattle
StateProv: WA
PostalCode: 98109
Country: US
[...]
Finally, there are an email address and a phone number to use for reporting abuse:
[...]
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-555-0000
OrgAbuseEmail: [email protected]
[...]
An interesting point is that the whois output gives no details about the organization to which Amazon has assigned the IP address, which in this case is Encyclopædia Britannica Inc. The registry only records the block holder, not its customers.
2.2. An IP Providing Its Own Geolocation
In some exceptional cases, we can get the exact location of an IP. One such case involves the IP associated with admin.dc7.computing.cloud.it, which is the administration panel of Aruba’s IT3 server farm:
$ host admin.dc7.computing.cloud.it
admin.dc7.computing.cloud.it has address 22.214.171.124
$ whois 126.96.36.199
[...]
geoloc: 45.7063525 9.59049
[...]
We can put these GPS coordinates into Google Maps to see the building that houses that server farm.
The whois output continues with information about the company holding the IP address and its contacts for reporting abuse:
[...]
netname: ARUBA-NET
descr: Aruba S.p.A. - Cloud Services Farm IT3
country: IT
[...]
address: Aruba S.p.A.
address: via S.Clemente 53
address: 24036 Ponte San Pietro (BG)
address: Italy
abuse-mailbox: [email protected]
[...]
person: Susanna Santini
[...]
phone: +39 0575 0505
fax-no: +39 0575 862000
[...]
In general, however, Linux has specific tools for geolocating IP addresses, such as geoiplookup.
3. Using whois With a Domain
The output of whois britannica.com is a comprehensive example of the information we can obtain about a domain. Because it’s lengthy, we’ve extracted the most relevant information, grouping it into sections corresponding to the basic facts one expects to know about any domain.
The order in which we report the data differs from how it appears in the original full output, which we can consult for a comparison.
3.1. Registry ID
A registry is one of the organizations that maintain the list of domain names under a top-level domain. Just as all houses are registered with a government authority, all domain name registries keep records about every domain name purchased through them.
Let’s see the ID assigned by the registry to the domain:
[...]
Domain Name: BRITANNICA.COM
Registry Domain ID: 3021450_DOMAIN_COM-VRSN
[...]
That ID is guaranteed to be unique, but beyond that, it’s not particularly meaningful information.
3.2. Registrant
The registrant is the legal owner of the domain. Usually, this information is redacted for privacy reasons. This, however, is one of those rare cases in which we get accurate, unredacted data:
[...]
Registrant Organization: Encyclopaedia Britannica, Inc.
Registrant Street: 325 North LaSalle Street
Registrant City: Chicago
Registrant State/Province: IL
Registrant Postal Code: 60654
Registrant Country: US
Registrant Phone: +1.3123477000
[...]
This data refers to the Global Headquarters of The Britannica Group. We can verify that this information is publicly accessible on the web as well.
3.3. Registrar
The registrar is the organization that registered the domain name at the registrant’s request. This information can also be redacted, but in this case, it’s freely available:
[...]
Registrar URL: http://cscdbs.com
[...]
Registrar: CSC CORPORATE DOMAINS, INC.
Sponsoring Registrar IANA ID: 299
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.8887802723
[...]
However, let’s take the case of another domain where the registrar’s information is hidden:
$ whois informatica-libera.net | grep Registrar
[...]
Registrar URL: http://www.tucows.com
Registrar: Tucows Domains Inc.
Registrar IANA ID: 69
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4165350123
[...]
This is fake, as Tucows isn’t the registrar. But it’s enough to go to the given registrar’s URL, enter the domain, and pass a captcha to get complete details on the actual registrar (Aruba S.p.A.).
As a general rule, there should always be a way to discover whom to contact in case of abuse.
3.4. Creation, Updated, and Expiration Dates
The creation date refers to the first purchase of the domain, the updated date to the last renewal, and the expiration date to the term after which it’ll be for sale again if not renewed:
[...]
Updated Date: 2022-06-09T05:06:27Z
Creation Date: 1995-06-14T04:00:00Z
Registry Expiry Date: 2023-06-13T04:00:00Z
[...]
According to ICANN’s Registrar Accreditation Agreement (sec. 188.8.131.52), the creation date can’t be changed. One reason is that it’s rapidly becoming part of case law, as the creation date can be used as evidence in trademark disputes in some instances. In general, if the creation date has been manipulated, that’s a sign of a scam.
3.5. Domain Status Codes
The whois output may contain one or more domain status codes.
ICANN’s EPP Status Codes document explains the meaning of each code. In our case, we have the clientTransferProhibited status code:
[...]
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
[...]
This status indicates that the domain name registration of britannica.com can’t be transferred to another registrar. It therefore prevents unauthorized transfers, which are a typical result of domain hijacking and other frauds.
In this article, we saw how whois gives us information about an IP address or domain. These days, however, almost all WHOIS queries provide redacted information for privacy and legal reasons. In fact, the WHOIS requirements conflict with the EU GDPR, which imposes strict rules on publishing personally identifiable information.
Nevertheless, in cases of abuse or unintentional errors, whois is usually of great help. For example, a domain that is no longer used but still registered can mistakenly keep resolving to an IP that has since been assigned to a new user and a new domain. In such a case, Google may show misleading results, and whois will be our friend in finding out whom to contact.
Besides that, whois is also very useful for checking our domains’ expiration dates and automating this and other checks within a Bash script.
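The expiry-date and status-code checks from sections 3.4 and 3.5, wired into the kind of Bash automation mentioned here, as an added example that is not part of the original tutorial. It parses constructed sample output with placeholder values instead of querying a registry, and assumes GNU date for timestamp parsing.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): extract the whois fields discussed above
# and automate the checks. Real use: out=$(whois "$target"). Assumes GNU date.

# Constructed sample of registry (domain) output; all values are placeholders.
SAMPLE_DOMAIN='Domain Name: EXAMPLE.COM
Creation Date: 1995-06-14T04:00:00Z
Registry Expiry Date: 2023-06-13T04:00:00Z
Registrar: EXAMPLE REGISTRAR, INC.
Registrar Abuse Contact Email: abuse@registrar.invalid
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited'

# Constructed sample of RIPE-style IP output (the abuse-mailbox field of section 2.2).
SAMPLE_IP='netname: EXAMPLE-NET
country: IT
abuse-mailbox: abuse@isp.invalid'

# First value of a "Label: value" line; works for ARIN (OrgAbuseEmail), RIPE
# (abuse-mailbox) and registry (Registry Expiry Date) output alike.
whois_field() {   # usage: whois_field "$output" "Label"
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Whole days until expiry. $2 pins "now" (epoch seconds) for testing; returns 1
# when the field is missing, which is what redacted output looks like.
days_until_expiry() {   # usage: days_until_expiry "$output" [now_epoch]
    expiry=$(whois_field "$1" "Registry Expiry Date")
    [ -n "$expiry" ] || return 1
    # Turn 2023-06-13T04:00:00Z into a form every GNU date release accepts.
    expiry=$(printf '%s' "$expiry" | sed 's/T/ /; s/Z$/ UTC/')
    now=${2:-$(date +%s)}
    echo $(( ( $(date -u -d "$expiry" +%s) - now ) / 86400 ))
}

# True when a client- or server-side transfer lock (section 3.5) is present.
has_transfer_lock() {   # usage: has_transfer_lock "$output"
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Domain Status:[[:space:]]*(client|server)TransferProhibited'
}

# Exit 0 if healthy, 1 if the domain expires within $2 days or lacks a transfer
# lock, 2 if the expiry date cannot be read (e.g. redacted or non-registry output).
check_domain() {   # usage: check_domain "$output" warn_days [now_epoch]
    days=$(days_until_expiry "$1" "$3") || { echo "expiry date not found"; return 2; }
    status=0
    [ "$days" -ge "$2" ] || { echo "expires in $days days"; status=1; }
    has_transfer_lock "$1" || { echo "no transfer lock set"; status=1; }
    [ "$status" -eq 0 ] && echo "ok: $days days left, transfer lock set"
    return "$status"
}
```

Run it from cron with the real `whois` output and a warning threshold of your choice; a non-zero exit is the signal to act.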