Luke Sheppard's blog about information security, web development, and hacking 


How to use and understand “whois” in its many forms

 

Photo courtesy of Library of Congress.

 

The whois command line utility, available on all modern Unix and Linux variants, can be a fast, concise, and scriptable way to identify unknown and distant hosts, networks, and even netadmins. By the way, if you’re an I-hate-the-shell user, no big deal. The knowledge you’ll acquire here will definitely help you understand the input and output of the many “whois” websites out there.

Which version of whois you have is not terribly important

The options and arguments used with each version of whois vary widely, and generally you’ll get a lot more features on the whois that commonly comes with Linux than on the whois that comes with something like Solaris. The whois I use is an older BSD whois, found on OS X 10.4.11. You’ll find it at /usr/bin/whois. It has more features than the bare-bones Sun version you’ll find in Solaris 10, but probably fewer than the one running on your Linux box.

But regardless of the heredity of the whois you’re using, the usage always requires at least one argument, usually an IP address or domain name you’re curious about. I like to always specify which server to ask, since different servers have different data. Chances are your default server only knows about domain names, not IP addresses, and might only know about domains under the three biggest top-level domains (TLDs): .com, .net, and .edu.

You’re not stuck with only one whois server

You can use whois to query any server running some version of whois. There are dozens out there. Some, like ARIN and RIPE, host massive databases of every IP address in North America and Europe (respectively). Others are tiny, such as whois.rotld.ro, which hosts all the IP addresses in Romania and also all domain names ending in “.ro”. So don’t give up just because your default whois server has no answer for you. Chances are that there is a whois server out there for just what you want. Just Google “list of whois servers” and you’re likely to find what you need. In the example below I’m getting no answer from my default whois server (whois.internic.net), so I try one that is specific to “.org” domains.

 

>whois eff.org | grep -i eff.org
No match for "EFF.ORG".
>whois -h whois.pir.org eff.org | grep Organization | awk -F: '{print $2}' | uniq
Electronic Frontier Foundation

 

Again, please forgive the extra shell foo; it keeps the examples concise and tidy.

Make whois more versatile with shell aliases

Since memorizing the full hostname of every whois server out there is unreasonably 1337, and not an option for me, I put these aliases in my .bash_profile:

 

alias apnic='whois -h whois.apnic.net'
alias ripe='whois -h whois.ripe.net'
alias arin='whois -h whois.arin.net'
alias afrinic='whois -h whois.afrinic.net'
alias lacnic='whois -h whois.lacnic.net'
alias org='whois -h whois.pir.org'
alias edu='whois -h whois.educause.edu'
alias cctld='whois -h whois.iana.org'
alias bgp='whois -h riswhois.ripe.net'

Those aliases let me ask about domains or IP addresses from the appropriate server just by typing what I think is the right place. If I get it wrong, I can go with my next guess, and so on, pretty quickly.

Use names to ask whois for all the IP addresses owned by one company

Sophisticated whois servers, like the one run by ARIN, will do their best to search on a wide variety of input. For example, the following query returns over 170 results. I’ll just show you the first five network ranges. Please excuse the ugly shell foo I’ve put at the end of the whois query to clean up the output.

 

>arin "level 3" | grep NET | head -5 | awk '{print $1, $2, $7, $8, $9}'
Level 3 206.242.0.0 - 206.242.255.255
Level 3 206.241.0.0 - 206.241.255.255
Level 3 216.140.0.0 - 216.143.255.255
Level 3 165.236.0.0 - 165.236.255.255
Level 3 209.244.0.0 - 209.247.255.255

Use whois to lookup the country where an IP address lives

Your bank sends you some urgent email wanting you to email back some sensitive information. Obviously this is probably a phishing scam. But unfortunately there are still legitimate banks that send out emails like this to their customers. So it is always prudent to look up where the email came from before deciding whether the email is legit or not. We don’t have enough room here to go over how to read SMTP headers, so I’ll just have to assume that you’ve dug the originating mail server’s IP address out of the header of the suspicious email message. Let’s say it’s “41.205.188.2”. We don’t know where to start, so let’s start with ARIN. Using my aliases from above, and piping the output to “head -3” to read just the top three lines, we type:

 

>arin 41.205.188.2 | head -3

OrgName:    African Network Information Center 
OrgID:      AFRINIC

OK. It is not from ARIN at all. But we have an alias for Africa’s version of ARIN:

>afrinic 41.205.188.2 | grep -i -B 1 country
descr:          Assigned to Lagos dial-pool customers
country:        NG

 

Forgive me for throwing in some grep foo, but it serves the purpose here of isolating just what we need to know, that this IP address is a dialup account from Nigeria — probably not where your bank houses their mail servers.

Use whois to look up country code top level domains (ccTLDs)

Some ccTLDs are unexpected letter pairs, and so they’re impossible to remember. For example, is “.sa” Saudi Arabia or South Africa?

 

>cctld sa | grep Country | uniq
    Country: Saudi Arabia
>cctld za | grep Country | uniq
    Country: South Africa

Not all whois servers default to English

If you get non-English characters back when querying a server located in a non-Western country, sometimes adding a “/e” to the end of the last argument will tell the server to only return English-language data.

 

>whois -h whois.jp toyota.jp/e

 

If you’re lucky the whois server outputs the same data in the local language and in English.

 

>whois -h whois.nic.or.kr hyundai.kr

Some esoteric uses of whois

There are at least two whois servers available that will serve up BGP routing information for a given IP address. The one run by RIPE gives very short answers.

 

>whois -h riswhois.ripe.net 198.41.0.4 | tail -10
route:        198.41.0.0/24
origin:       AS26415
descr:        VERISIGN-INC Verisign
lastupd-frst: 2009-10-07 19:42Z  195.66.224.35@rrc01
lastupd-last: 2009-10-16 15:53Z  217.29.66.36@rrc10
seen-at:      rrc01,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc15,rrc16
num-rispeers: 70
source:       RISWHOIS

 

Another, whois.ra.net, run by Merit Networks, returns more verbose routing and peering data. Large ISPs use this kind of data to confirm which IP address blocks should be “advertised” by whom.

Whois servers are just databases of various kinds that all respond to whois-type queries over port 43. So some whois servers are used for hosting very specific data, such as phone numbers registered in the experimental E.164 ENUM system. Here is an example query of an ENUM phone number domain hosted on a server in Germany.

 

whois -h whois.enum.denic.de "-T dn 0.5.3.2.7.2.9.6.9.4.e164.arpa"

As a last resort, use telnet in place of a whois client

Finally, if you don’t have whois installed, but you prefer to do everything on the command line, you can always telnet to the whois server on port 43. This is considered slightly rude since it locks up a TCP socket on the server for longer than a “regular” whois query. But it can really help in a pinch:

 

>telnet whois.arin.net 43
Trying 199.71.0.43...
Connected to whois.arin.net.
Escape character is '^]'

 

After the prompt just type your query (e.g., an IP address) and hit return.
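Since every server on this page speaks the same protocol (one query line over TCP port 43, reply until the server closes the socket), the ARIN-to-AFRINIC hop from the phishing example and the raw telnet exchange above can be scripted with a few lines of Python. This is an added example, not code from the post; the server table is taken from the post’s aliases, the network functions assume you are online, and the two sample replies are constructed from the post’s own output so the parsing part runs offline.

```python
import socket

# Servers from the post's aliases; used to follow an RIR referral such as "OrgID: AFRINIC".
RIR_SERVERS = {
    "ARIN": "whois.arin.net",
    "RIPE": "whois.ripe.net",
    "APNIC": "whois.apnic.net",
    "AFRINIC": "whois.afrinic.net",
    "LACNIC": "whois.lacnic.net",
}

def whois_query(server, query, timeout=10):
    """Raw whois exchange (what telnet does by hand): connect to TCP/43, send the
    query followed by CRLF, then read until the server closes the connection."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # end of reply: the server hangs up
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_whois(text):
    """Turn 'key: value' lines into {key: [values]}; '%'/'#' comments and blanks are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def referral_server(fields):
    """If the reply's OrgID names another RIR, return that RIR's whois server, else None."""
    for org_id in fields.get("orgid", []):
        if org_id.upper() in RIR_SERVERS:
            return RIR_SERVERS[org_id.upper()]
    return None

def lookup_country(ip, server="whois.arin.net"):
    """Start at ARIN, follow one RIR referral, and return the 'country:' value (needs network)."""
    fields = parse_whois(whois_query(server, ip))
    nxt = referral_server(fields)
    if nxt and nxt != server:
        fields = parse_whois(whois_query(nxt, ip))
    return fields.get("country", [None])[0]

# Constructed sample replies modelled on the post's ARIN and AFRINIC output.
ARIN_REPLY = "OrgName:    African Network Information Center \nOrgID:      AFRINIC\n"
AFRINIC_REPLY = "% constructed AFRINIC reply\ndescr:          Assigned to Lagos dial-pool customers\ncountry:        NG\n"
```

Calling lookup_country("41.205.188.2") performs the same two hops the post walks through by hand; the parser does not try to handle multi-line or free-text fields, which some registries use.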
