Notes on whois

If your system has the whois command, you may type
whois sitename
You may also specify the server with
whois -h whoisserver sitename
See below for a list of whois servers

Otherwise, you may visit the internic's web interface to whois, and enter the site name in the search field provided.



First, a quick glossary:

Host
An individual computer on the internet
Domain
A set of names in the internet namespace, e.g. "anything.rahul.net"
IP Address
The internet address of a host, e.g. "206.138.239.10"

The arguments to whois

Arguments to whois are a search pattern and optional keywords. Keywords fall into four types: Those that specifiy a FIELD to be searched, those that specify the TYPE of record to be returned, those that modify the interpretation of the input or tell the type of output to produce, and those that are commands, such as HELP, QUIT, and so forth
help
Get information on various arguments and their meanings.
sitename
Where sitename is the domain name of the site for which you want information. Only give the domain name (e.g. whois online18.com), and not the full host name (e.g. www.online18.com). This will give you all the information the internic has about the given site. The whois server will attempt to match this name against all types of records: name, nicknames, hostname, net address, etc.) If there are multiple matches, whois will list them, one per line. If there is a single match, whois will give all the information about it.
pattern.
Where pattern. is the partial pattern you wish to match (note the terminating dot). Whois will return all patterns that begin with this pattern. (Example: whois online18.).
IP Address
Where IP Address is the full IP address in dotted-decimal notation of a host, (e.g. whois 206.138.239.10). Whois will return the hostname for this address if it is found in the database. This can often be used to determine a site's network server.
subnet
Where subnet is the IP address in dotted-decimal notation (e.g. whois 206.138.239.0 or 206.138.239) Whois will return the site or sites listed under this subnet. If there is no match, make the search more broad (e.g. whois 206.138.0.0 or 206.138); this can often be used to determine a site's upstream provider.
subnet.
(Note the terminating dot). Find all addresses matching this pattern, e.g. whois 206.138.239. returns all hosts belonging to Online18.

Keywords that restrict the fields to be searched

HA handle
!handle
Where !handle is a handle returned when there are multiple matches, (e.g. whois !ONLINE16-DOM or whois !CF624 This will return the single indicated record.
NAme name
.name
Search only the Name field. Example: whois ".Chandler, Andrew"
M mailbox
mailbox@addr
Search only the Mailbox field. Example: whois "admin@xxxyes.com"

Keywords that restrict the record type to return

DOmain pattern
Search only domain records, e.g. "COM", "DOM MIT" or "DOM MIT.EDU".
GAteway pattern
Search only gateway records.
HOst pattern
Search only host records, e.g. whois "HO WWW1032-HST"
SErver pattern
Search only server records. This can be very useful for finding out which sites share the same server.
For example, the search: whois online18.com reveals that the domain name server for online18 is "www.online18.com". Executing whois host www.online18.com gives the host handle "WWW1032-HST". Executing the command whois "server www1032-hst" returns a list of hosts sharing the same server, which reveals that the porn spammer "Online18" is the same as -- or associated with -- the "Psychic Spammer as well as a host of others.
ASm pattern
Search only autonomous system numbers records.
NEtwork pattern
Search only network records, e.g. whois "NE WWW1032-HST"
O pattern
Search only organization records.

Keywords that modify the output returned

Full search
Give full records, even if multiple matches.
SUMmary search
Give summary records, even if single match.

Determining a site's netblock

The
Arin.net whois server returns netblock information for all sites which match the search pattern.

Whois servers around the world

First, examine the end of the hostname to determine the
country code of the host, and try to determine which of the following servers is applicable. In many cases, the domain name server is whois.nic.countrycode.
U.S.
Arin.net
Arin.net runs a fairly sophisticated search engine. It is sufficient to enter keywords to the search. For example, searching for "special fx" returns all of the domain registrations belonging to Special-FX.
Europe
whois.ripe.net
Asia-Pacific
whois.apnic.net
Australia
whois.aunic.net
Canada
whois.canet.ca
Netherlands
domain-registry.nl
Switerzerland
whois.nic.ch
Tonga (hosted in the basement of their Consolate in San Francisco.)
www.tonic.to/
AllWhois.com -- smart whois service.
http://www.allwhois.com

Back to top

The opinions expressed on this page are solely those of Ed Falk and do not necessarily represent those of any other organization, (although I hope they do). I wish to thank Rahul.net for hosting this web page.

This page maintained by Ed Falk