
Behind the scenes

What is behind the web interfaces


RFC (Request for Comments)

-> "Rules" for the Internet

RFC 812 - NICNAME/WHOIS (1982, obsolete)
RFC 954 - NICNAME/WHOIS (1985, obsolete)
RFC 3912 - WHOIS protocol specification (2004, current)

In short, the WHOIS RFC is only:

Protocol Specification

A WHOIS server listens on TCP port 43 for requests from WHOIS clients. The WHOIS client makes a text request to the WHOIS server, then the WHOIS server replies with text content. All requests are terminated with ASCII CR and then ASCII LF. The response might contain more than one line of text, so the presence of ASCII CR or ASCII LF characters does not indicate the end of the response. The WHOIS server closes its connection as soon as the output is finished. The closed TCP connection is the indication to the client that the response has been received.
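The exchange described above, as an added example that is not part of the original slides: the request is one CRLF-terminated line and the reply ends only when the server closes the connection, so the client caps how much it buffers and rejects queries containing CR or LF. The function names and the 1 MiB cap are assumptions of this example.

```python
import socket

MAX_RESPONSE = 1 << 20  # assumed 1 MiB cap; RFC 3912 itself sets no limit


def whois_exchange(sock, query, max_bytes=MAX_RESPONSE):
    """Run one RFC 3912 exchange on an already connected socket."""
    # The request is a single line, so an embedded CR or LF would put a
    # second request line on the wire: reject it.
    if "\r" in query or "\n" in query:
        raise ValueError("query must not contain CR or LF")
    # ASCII only: internationalised names must be given in xn-- form.
    sock.sendall(query.encode("ascii") + b"\r\n")

    chunks, total = [], 0
    while True:
        data = sock.recv(4096)
        if not data:              # peer closed: the only end-of-response signal
            break
        total += len(data)
        if total > max_bytes:     # never buffer an unbounded reply
            raise OverflowError("WHOIS response exceeds max_bytes")
        chunks.append(data)
    # The RFC defines no character set, so decode leniently.
    return b"".join(chunks).decode("utf-8", errors="replace")


def whois_query(server, query, port=43, timeout=10.0):
    """Connect to a WHOIS server on TCP 43 and return its full text reply."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        return whois_exchange(sock, query)


def demo():
    """Offline demo: a socket pair stands in for the server (constructed reply)."""
    client, server = socket.socketpair()
    with client, server:
        server.sendall(b"Domain Name: EXAMPLE.ORG\r\nStatus: ok\r\n")
        server.shutdown(socket.SHUT_WR)   # the server "closes" after its output
        reply = whois_exchange(client, "example.org")
        request = server.recv(1024)       # what the server side received
    return request, reply


if __name__ == "__main__":
    print(demo())
```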

The RFC does not specify the output format:


Registry Expiry Date: 2023-01-13T00:12:14Z

Expiry Date: 10/12/2016

Both the field names and the value formats differ!
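What this means for anyone monitoring expiry dates, as an added example that is not part of the original slides: the parser below handles the field names and value formats that appear in this presentation and refuses to guess when a slash-separated date could be read day-first or month-first. The function name and the returned note strings are assumptions of this example.

```python
import re
from datetime import date, datetime

# Field names seen in this presentation; other registries use other labels.
EXPIRY_FIELD = re.compile(
    r"^\s*(Registry Expiry Date|Expiry Date|Expiration Date):\s*(\S.*?)\s*$",
    re.IGNORECASE | re.MULTILINE)

# Unambiguous value formats seen in this presentation.
FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%d-%b-%Y")


def parse_expiry(response):
    """Return (date, "ok") for the first expiry field, or (None, reason)."""
    m = EXPIRY_FIELD.search(response)
    if not m:
        return None, "no expiry field"
    value = m.group(2)
    for fmt in FORMATS:
        try:
            return datetime.strptime(value, fmt).date(), "ok"
        except ValueError:
            pass
    # NN/NN/YYYY: the order of day and month cannot be told from the value
    # alone unless one of the two numbers is greater than 12 (or both match).
    slash = re.fullmatch(r"(\d{1,2})/(\d{1,2})/(\d{4})", value)
    if slash:
        a, b, year = map(int, slash.groups())
        if a <= 12 and b <= 12 and a != b:
            return None, "ambiguous day/month order: " + value
        day, month = (a, b) if a > 12 else (b, a)
        try:
            return date(year, month, day), "ok"
        except ValueError:
            return None, "invalid date: " + value
    return None, "unrecognised format: " + value


if __name__ == "__main__":
    for line in ("Registry Expiry Date: 2023-01-13T00:12:14Z",
                 "Expiry Date: 10/12/2016",
                 "   Expiration Date: 30-may-2016"):
        print(line.strip(), "->", parse_expiry(line))
```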

TCP port 43

Web browsers are not able to "talk" raw data to TCP 43, so they can't connect to a WHOIS server directly.

Some web sites provide a "connector"

          TCP/80 (HTTP)           TCP/43
+---------+        +-------------+       +---------------+
| Browser +------> |  Web Site   +---->  | WHOIS Server  |
+---------+        +-------------+       +---------------+

Past abuse of such web sites

What happens when such a "connector" web site registers or blocks the domain name right after you search for it?

Domain Tasting / Front Running

Domain tasting is the practice of temporarily registering a domain under the five-day Add Grace Period at the beginning of the registration of an ICANN-regulated second-level domain.

During this period, a registration must be fully refunded by the domain name registry if cancelled. This was designed to address accidental registrations.

"Direct" access to WHOIS servers

In the following part, we will focus on "real" Whois servers (not web sites).

There is not one single Whois server/database, but many.

Let's see how this works...

There are 2 classes of Whois Servers:

A Thin WHOIS server stores (more or less) only the name of the WHOIS server of the registrar of a domain...

A Thick WHOIS server stores the complete WHOIS information from all the registrars...

.com managed by Verisign

$ telnet 43

   Domain Name: AUFEMININ.COM
   Registrar: SAFEBRANDS SAS
   Sponsoring Registrar IANA ID: 1290
   Whois Server:
   Referral URL:
   Name Server: NS1.MAILCLUB.FR
   Name Server: NS2.MAILCLUB.FR
   Status: clientTransferProhibited
   Updated Date: 08-apr-2015
   Creation Date: 30-may-1999
   Expiration Date: 30-may-2016

Nothing else...

Whois Server:

$ telnet 43

Registry Domain ID: 6907349_DOMAIN_COM-VRSN
Registrant Name: AUFEMININ, Aufeminin
Registrant Organization: SA
Registrant Street: 78 avenue des champs Elysees   
Registrant Email:
Admin Name: AUFEMININ, Aufeminin
Admin Organization: SA
Admin Street: 78 avenue des champs Elysees  
Tech Name: TINE, Charles
Tech Organization: MAILCLUB S.A.S.
Tech Street: Pole Media de la Belle de Mai 37 rue Guibal 
Tech Email:
Name Server:
Name Server:

.org managed by PIR

(Public Interest Registry) contains all the information

$ telnet 43

Domain ID: D51687756-LROR
WHOIS Server:
Creation Date: 2001-01-13T00:12:14Z
Registrant Organization: Wikimedia Foundation, Inc.
Registrant Street: 149 New Montgomery Street
Admin Name: Domain Admin
Admin Organization: Wikimedia Foundation, Inc.
Tech City: San Francisco

What happens if you don't query the right Whois server?

$ telnet 43

TLD "com" is not supported

$ telnet 43

Not found

$ telnet 43

No match for "AFNIC.FR".

Quick summary of previous slides

How do you know which Whois server to ask for a particular domain?

Before the large number of TLDs, there were a few "static" lists of Whois server names (listening on port 43).

I'm not aware of an official list of such Whois servers, but this can be extracted from IANA data.

What do the ICANN documents say?

3.3.1 At its expense, Registrar shall provide an interactive web page and, with respect to any gTLD operating a "thin" registry, a port 43 Whois service (each accessible via both IPv4 and IPv6) providing free public query-based access to up-to-date (i.e., updated at least daily) data concerning all active Registered Names sponsored by Registrar in any gTLD.

What do the ICANN documents say?

Until ICANN requires a different protocol, Registry Operator will operate a WHOIS service available via port 43 in accordance with RFC 3912, and a web-based Directory Service at providing free public query-based access ...

So web whois must be on:


The "IANA List" way

$ telnet 43
> com
> org
> bzh
> ninja
> bnpparibas
> porn
> paris

IANA also provides information on their web site.

Example: .paris

$ telnet 43
Domain Name:
Domain ID: DOM000000021725-PARIS
Updated Date: 2015-05-04T15:15:06Z
Creation Date: 2014-06-03T13:05:37Z
Registry Expiry Date: 2016-06-03T13:05:37Z
Registrant Name: Domain Administrator
Registrant Organization: VILLE DE PARIS
Registrant Street: 4, rue Lobau
Registrant City: Paris
Registrant Postal Code: 75004
Registrant Country: FR
Registrant Phone: +33.143476538
Registrant Email:

Root Zone Database

The Root Zone Database represents the delegation details of top-level domains [...] Much of this data is also available via the WHOIS protocol at

1275 TLDs in March 2016

$ cat db | grep "domain tld" | awk -F ">." '{print $3}' | awk -F "<" '{print $1}' > toto

$ for i in `cat toto` ; do  echo "" >> out &&   echo -n -e "$i " >> out && echo "$i" | nc 43 | grep "^whois:" >> out     ; done

975 TLDs returned Whois server data (300 missing)

For fun

.点看               whois.nic.xn--3pxu8k
.คอม               whois.nic.xn--42c2d9a
.八卦               whois.nic.xn--45q11c
.москва            whois.nic.xn--80adxhks

Some domains with no Whois server running on port 43 (IANA, March 2016)

.axa    (neustar)
.bloomberg (verisign)
.cisco (neustar)
.dell (neustar)
.gucci (neustar)
.hotmail (verisign)
.hsbc   (neustar)
.kinder  (neustar)
.maif (verisign)
.microsoft (verisign)
.skype (neustar)
.windows (verisign)

But the web Directory Service at whois.nic.TLD is OK

Whois client (command line)

$ whois --verbose
Using server
Query string:

Domain Name:
Domain ID: DOM000000000091-BZH
Updated Date: 2015-12-03T14:48:14Z
Creation Date: 2014-06-19T12:49:09Z
Registry Expiry Date: 2016-06-19T12:49:09Z
Sponsoring Registrar: Registry Operations
Sponsoring Registrar IANA ID: 9999
Domain Status: ok
Registrant ID: DL100-BZH
Registrant Name: David LESVENAN
Registrant Organization: Association
Registrant Street: 140, boulevard de Creac h Gwen
Registrant City: Quimper

No need to specify a WHOIS server.

But it does not find everything by default:

$ whois --verbose corsica

No whois server is known for this kind of object.

But it exists:

$ whois --verbose corsica -h
Using server
Query string: corsica
Domain Name: corsica
Domain ID: DOM000000000001-CORSICA
Updated Date: 2015-01-16T09:07:22Z
Registry Expiry Date: 2114-01-16T08:57:45Z
Sponsoring Registrar: Registry Operations
Registrant ID: RC100-CORSICA
Registrant Name: Registry Contact
Registrant Street: immeuble le Stephenson

It's possible to update the whois.conf configuration file to add more Whois Servers

whois.conf - alternative WHOIS servers list for whois client.

This file contains a list of WHOIS servers which can augment or override the built-in list of the client.

It's a plain text file in ASCII encoding. Each line consists of two fields: a pattern to match WHOIS object identifier and a corresponding WHOIS server domain name.

       # Hangul Korean TLD
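One way to turn IANA-style records into whois.conf lines, as an added example that is not part of the original slides and not the script the presentation refers to. It reads the `whois:` field that the earlier grep extracts, lists the TLDs that have none, and only writes a server name that is a plain hostname, since the value comes from the network. The function names, the `\.tld$ server` line shape and the sample records are assumptions of this example.

```python
import re

# One DNS label: letters, digits and hyphens (this covers xn-- IDN TLDs).
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
TLD = re.compile(rf"^{LABEL}$")
HOSTNAME = re.compile(rf"^(?=.{{1,253}}$)(?:{LABEL}\.)+{LABEL}$")


def field(response, name):
    """Return the lower-cased value of the first 'name:' line, or None."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(\S+)[ \t]*\r?$", response,
                  re.IGNORECASE | re.MULTILINE)
    return m.group(1).lower() if m else None


def whois_conf_lines(responses):
    """Return (whois.conf lines, TLDs skipped) for IANA-style TLD records."""
    lines, skipped = [], []
    for response in responses:
        tld, server = field(response, "domain"), field(response, "whois")
        if tld is None or not TLD.match(tld):
            continue                      # not a usable TLD record
        # The server name is untrusted input: accept only a plain hostname
        # so that nothing else can end up in the configuration file.
        if server is None or not HOSTNAME.match(server):
            skipped.append(tld)
            continue
        # The pattern field is a regular expression: escape the dot, anchor the end.
        lines.append(rf"\.{tld}$ {server}")
    return lines, skipped


# Constructed sample records (not captured output).
SAMPLE = [
    "domain:       PARIS\nwhois:        whois.nic.paris\nstatus:       ACTIVE\n",
    "domain:       XN--3PXU8K\nwhois:        whois.nic.xn--3pxu8k\n",
    "domain:       AXA\nstatus:       ACTIVE\n",              # no whois: field
    "domain:       TEST\nwhois:        whois.nic.test;id\n",  # not a hostname
]

if __name__ == "__main__":
    conf, missing = whois_conf_lines(SAMPLE)
    print("\n".join(conf))
    print("skipped:", missing)
```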

Update whois.conf

This is an ugly hack to harvest the official list of WHOIS servers from IANA for all TLDs, and build a unified whois.conf.

Improve performance:

$ egrep "/domains/root/db/.*.html" db | cut -d\" -f4 > out
$ for i in `cat out`; do echo ""$i >> out2 ; done 
$ cat out2 | xargs -n 1 -P 8 wget -q
$ ls /tmp/*.html | wc -l
$ ./ > out3
$ wc -l out3
990 out3

15 more found in the web pages than via the Whois server?

Note: It may be useful to remove the .com and .net entries that were created, so the Whois client can automatically "follow" to the "delegation" Whois server.

By default:

$ whois
No whois server is known for this kind of object.

With the updated /etc/whois.conf (that contains )

$ whois
Domain Name:
Domain ID: DOM000000229850-CORSICA
Creation Date: 2015-09-04T09:07:28Z
Registry Expiry Date: 2017-09-04T09:07:29Z
Sponsoring Registrar: Gandi SAS
Sponsoring Registrar IANA ID: 81
Registrant Name: Eric Ferrari
Registrant Organization: Collectivite Territoriale de Corse
Registrant Street: 22, cours Grandval - B.P. 215
Registrant City: Ajaccio

Searching in Whois Servers more than Domain names

It's possible to search for some other "data"

While originally used to provide "white pages" services and information about registered domain names, current deployments cover a much broader range of information services.

AS search

$ telnet 43
> AS12322
as-block:     12288-12454
organisation: Assigned by RIPE NCC

Redirection to another WHOIS server that will have more information

$ telnet 43
> AS12322

% Information related to 'AS12322'
% Abuse contact for 'AS12322' is ''
aut-num:        AS12322
as-name:        PROXAD
descr:          Free SAS
org-type:       LIR
address:        Free SAS
address:        8 rue de la Ville l'Eveque
address:        75008 Paris
export:         to AS112 announce AS-PROXAD
export:         to AS174 announce AS-PROXAD

Search of IPs

$ telnet 43
inetnum: -
organisation: RIPE NCC
status:       ALLOCATED
changed:      2011-02

Here again we have a "redirection" to another Whois server to get more information

$ telnet 43
inetnum: -
netname:        DE-TEAMINTERNET-20140411
descr:          Team Internet AG
country:        DE
org:            ORG-TIA27-RIPE
address:        Team Internet AG
address:        Liebherrstr. 22
address:        80538
address:        Muenchen
address:        GERMANY
phone:          +4989416146013

Reverse lookup

Links provided by Loïc at the last meeting:

Reverse lookup

I'm not aware of an "official" reverse WHOIS lookup database.

Process seems to be:


The publicly viewable data on Whoisology is updated approximately 4 times a year. Information contained in the quarterly updates is from the 3-4 month period before the release.

A number of tools provided by require significant amounts of backend data. A large proportion of this data has been built in house by

Whois Web sites limitations

In addition to our having no idea what most Whois web sites do with submitted data, they don't all handle every TLD properly.

Some examples...

Invalid domain name... We are unable to perform a lookup for It appears to be an invalid or an unsupported domain extension. is already registered

Mmm.. Yes.. But not what I requested !!! :)

Invalid Domain Name: 
Please double check your input

There is one Web Whois I like

It's how I would have built it myself:

  • Performs a live Whois lookup. No caching of old data!
  • Performs an authoritative Whois lookup. starts straight at the root ( and then traverses down to the registry and registrar as needed.
  • Supports all existing top level domain names (TLD's).
  • Supports Internationalized Domain Names (IDN's)!

In addition:

  • If you entered a domain name, only the TLD (e.g. .com) of the domain name is recorded. Other than that, does not hold on to any information you enter
  • cannot and does not engage in domain name front running.
  • Search engines are instructed not to index or cache Whois data
  • is ad-free & hosting costs are paid for out-of-pocket.

--> Donate :)