
WHOIS

Behind the scenes

What is behind the web interfaces

Summary

RFC (Request For Comment)

-> "Rules" for Internet

RFC 812 - NICNAME/WHOIS (1982, obsolete)
RFC 954 - NICNAME/WHOIS (1985, obsolete)
RFC 3912 - WHOIS protocol specification (2004, current)

http://www.rfc-editor.org/rfc/rfc3912.txt

In short, the WHOIS RFC is only:

Protocol Specification

A WHOIS server listens on TCP port 43 for requests from WHOIS clients. The WHOIS client makes a text request to the WHOIS server, then the WHOIS server replies with text content. All requests are terminated with ASCII CR and then ASCII LF. The response might contain more than one line of text, so the presence of ASCII CR or ASCII LF characters does not indicate the end of the response. The WHOIS server closes its connection as soon as the output is finished. The closed TCP connection is the indication to the client that the response has been received.

The RFC does not specify the output format:

Examples:

Registry Expiry Date: 2023-01-13T00:12:14Z

Expiry Date: 10/12/2016

Neither the field names nor the values share a common format!

TCP port 43

Web browsers cannot speak raw TCP on port 43, so they can't connect to a WHOIS server directly.

Some web sites provide a "connector":

          TCP/80 (HTTP)           TCP/43
+---------+        +-------------+       +---------------+
| Browser +------> |  Web Site   +---->  | WHOIS Server  |
+---------+        +-------------+       +---------------+

Abuses of such web sites in the past

What happened when such a "connector" web site registered/blocked the domain name right after you searched for it?

Domain Tasting / Front Running

Domain tasting is the practice of temporarily registering a domain under the five-day Add Grace Period at the beginning of the registration of an ICANN-regulated second-level domain.

During this period, a registration must be fully refunded by the domain name registry if cancelled. This was designed to address accidental registrations.

https://en.wikipedia.org/wiki/Domain_tasting
https://en.wikipedia.org/wiki/Domain_name_front_running

"Direct" access to WHOIS servers

In the following part, we will focus on "real" Whois servers (not web sites).

There is not one single Whois server/database, but many.

Let's see how this works...

There are 2 classes of Whois Servers:

A Thin WHOIS server stores (more or less) only the name of the WHOIS server of the registrar of a domain...

A Thick WHOIS server stores the complete WHOIS information from all the registrars...

https://en.wikipedia.org/wiki/WHOIS

.com managed by Verisign

$ telnet whois.verisign-grs.com 43

aufeminin.com

   Domain Name: AUFEMININ.COM
   Registrar: SAFEBRANDS SAS
   Sponsoring Registrar IANA ID: 1290
   Whois Server: whois.mailclub.net
   Referral URL: http://safebrands.com
   Name Server: NS1.MAILCLUB.FR
   Name Server: NS2.MAILCLUB.FR
   Status: clientTransferProhibited
   Updated Date: 08-apr-2015
   Creation Date: 30-may-1999
   Expiration Date: 30-may-2016

Nothing else...

Whois Server: whois.mailclub.net

$ telnet whois.mailclub.net 43

Domain Name: AUFEMININ.COM
Registry Domain ID: 6907349_DOMAIN_COM-VRSN
......
Registrant Name: AUFEMININ, Aufeminin
Registrant Organization: auFeminin.com SA
Registrant Street: 78 avenue des champs Elysees   
....
Registrant Email: infra@aufeminin.com
Admin Name: AUFEMININ, Aufeminin
Admin Organization: auFeminin.com SA
Admin Street: 78 avenue des champs Elysees  
.....
Tech Name: TINE, Charles
Tech Organization: MAILCLUB S.A.S.
Tech Street: Pole Media de la Belle de Mai 37 rue Guibal 
....
Tech Email: clientele@mailclub.fr
Name Server: ns1.mailclub.fr
Name Server: ns2.mailclub.fr

.org managed by PIR

(Public Interest Registry) contains all the information

$ telnet whois.pir.org 43

Domain Name: WIKIPEDIA.ORG
Domain ID: D51687756-LROR
WHOIS Server:
..etc...    
Creation Date: 2001-01-13T00:12:14Z
Registrant Organization: Wikimedia Foundation, Inc.
Registrant Street: 149 New Montgomery Street
..etc...
Admin Name: Domain Admin
Admin Organization: Wikimedia Foundation, Inc.
Tech City: San Francisco
..etc...
Name Server: NS0.WIKIMEDIA.ORG
..etc...

What happens if you don't query the right Whois server?

$ telnet whois.pir.org 43
google.com

TLD "com" is not supported

$ telnet whois.gandi.net 43
wikipedia.org

Not found

$ telnet whois.verisign-grs.com 43
afnic.fr

No match for "AFNIC.FR".

Quick summary of previous slides

How do you know which Whois server to ask for a particular domain?

Before the large number of TLDs, a few "static" lists of Whois server names (listening on port 43) were available.

I'm not aware of an official list of such whois servers, but this can be extracted from IANA data.

What do the ICANN documents say?

https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#3.3.1

3.3.1 At its expense, Registrar shall provide an interactive web page and, with respect to any gTLD operating a "thin" registry, a port 43 Whois service (each accessible via both IPv4 and IPv6) providing free public query-based access to up-to-date (i.e., updated at least daily) data concerning all active Registered Names sponsored by Registrar in any gTLD.

What do the ICANN documents say?

http://newgtlds.icann.org/en/applicants/agb/agreement-approved-20nov13-en.pdf

Until ICANN requires a different protocol, Registry Operator will operate a WHOIS service available via port 43 in accordance with RFC 3912, and a web-based Directory Service at providing free public query-based access ...

So web whois must be on:

whois.nic.TLD

The "IANA List" way

$ telnet whois.iana.org 43
> com
whois:        whois.verisign-grs.com
> org
whois:        whois.pir.org
> bzh
whois:        whois-bzh.nic.fr
> ninja
whois:        whois.unitedtld.com
> bnpparibas
whois:        whois.afilias-srs.net
> porn
whois:        whois.afilias-srs.net
> paris
whois:        whois-paris.nic.fr

IANA also provides this information on its web site.

Example: .paris

$ telnet whois-paris.nic.fr 43
> bienvenue.paris
Domain Name: bienvenue.paris
Domain ID: DOM000000021725-PARIS
Updated Date: 2015-05-04T15:15:06Z
Creation Date: 2014-06-03T13:05:37Z
Registry Expiry Date: 2016-06-03T13:05:37Z
Registrant Name: Domain Administrator
Registrant Organization: VILLE DE PARIS
Registrant Street: 4, rue Lobau
Registrant City: Paris
Registrant Postal Code: 75004
Registrant Country: FR
Registrant Phone: +33.143476538
Registrant Email: villedeparis@netnames.fr
etc...

Root Zone Database

http://www.iana.org/domains/root/db

The Root Zone Database represents the delegation details of top-level domains [...] Much of this data is also available via the WHOIS protocol at whois.iana.org.

1275 TLDs in March 2016

$ cat db | grep "domain tld" | awk -F ">." '{print $3}' | awk -F "<" '{print $1}' > toto

$ for i in `cat toto` ; do  echo "" >> out &&   echo -n -e "$i " >> out && echo "$i" | nc whois.iana.org 43 | grep "^whois:" >> out     ; done

975 TLDs returned a Whois server (300 missing)

For fun

.佛山               whois.ngtld.cn
.慈善               whois.nic.wang
.集团               whois.gtld.knet.cn
.在线               whois.afilias-srs.net
.한국               whois.kr
.点看               whois.nic.xn--3pxu8k
.คอม               whois.nic.xn--42c2d9a
.八卦               whois.nic.xn--45q11c
.公益               whois.conac.cn
.公司               whois.ngtld.cn
.移动               whois.afilias.net
.我爱你             whois.gtld.knet.cn
.москва            whois.nic.xn--80adxhks
.қаз               whois.nic.kz
.онлайн            whois.online.rs.corenic.net
.сайт              whois.site.rs.corenic.net
.срб               whois.rnids.rs
.бел               whois.cctld.by

Some TLDs with no Whois server on port 43 (IANA, March 2016)

.axa    (neustar)
.bloomberg (verisign)
.cisco (neustar)
.dell (neustar)
.gucci (neustar)
.hotmail (verisign)
.hsbc   (neustar)
.kinder  (neustar)
.maif (verisign)
.microsoft (verisign)
.skype (neustar)
.windows (verisign)

But the web Directory Service at whois.nic.TLD is fine.

Whois client (command line)

$ whois --verbose pik.bzh
Using server whois.nic.bzh.
Query string: pik.bzh

Domain Name: pik.bzh
Domain ID: DOM000000000091-BZH
Updated Date: 2015-12-03T14:48:14Z
Creation Date: 2014-06-19T12:49:09Z
Registry Expiry Date: 2016-06-19T12:49:09Z
Sponsoring Registrar: Registry Operations
Sponsoring Registrar IANA ID: 9999
Domain Status: ok  https://icann.org/epp#ok
Registrant ID: DL100-BZH
Registrant Name: David LESVENAN
Registrant Organization: Association www.bzh
Registrant Street: 140, boulevard de Creac h Gwen
Registrant City: Quimper
...

No need to specify a WHOIS server.

But it does not find everything by default:

$ whois --verbose corsica

No whois server is known for this kind of object.

But it exists:

$ whois --verbose corsica -h whois-corsica.nic.fr
Using server whois-corsica.nic.fr.
Query string: corsica
Domain Name: corsica
Domain ID: DOM000000000001-CORSICA
Updated Date: 2015-01-16T09:07:22Z
Registry Expiry Date: 2114-01-16T08:57:45Z
Sponsoring Registrar: Registry Operations
Registrant ID: RC100-CORSICA
Registrant Name: Registry Contact
Registrant Street: immeuble le Stephenson

It's possible to update the whois.conf configuration file to add more Whois servers.

whois.conf - alternative WHOIS servers list for whois client.

This file contains a list of WHOIS servers which can augment or override the built-in list of the client.

It's a plain text file in ASCII encoding. Each line consists of two fields: a pattern to match WHOIS object identifier and a corresponding WHOIS server domain name.

EXAMPLE
       \.nz$             nz.whois-servers.net
       # Hangul Korean TLD
       \.xn--3e0b707e$   whois.kr

Update whois.conf

http://superuser.com/questions/758647/how-to-whois-new-tlds

https://github.com/roycewilliams/iana-whois-conf

This is an ugly hack to harvest the official list of WHOIS servers from IANA for all TLDs, and build a unified whois.conf.

Improve performance: http://stackoverflow.com/questions/7577615/parallel-wget-in-bash

$ egrep "/domains/root/db/.*.html" db | cut -d\" -f4 > out
$ for i in `cat out`; do echo "https://www.iana.org"$i >> out2 ; done 
$ cat out2 | xargs -n 1 -P 8 wget -q
$ ls /tmp/*.html | wc -l
1273
$ ./build-whois.sh > out3
$ wc -l out3
990 out3
$ 

15 more from the web pages than from the whois server?

Note: it may be useful to remove the generated .com and .net entries so the Whois client can automatically "follow" the referral to the delegated Whois server.
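An added example (not the iana-whois-conf script): building whois.conf lines from harvested (TLD, server) pairs, writing IDN TLDs as punycode since the file is ASCII only, skipping TLDs with no server, and dropping .com/.net as the note above suggests. The sample entries are constructed from the page's lists.

```python
import re

# Entries to leave out: the client already follows the "Whois Server:" referral
# from the thin .com/.net registries on its own (see the note above).
SKIP_TLDS = {"com", "net"}

# An A-label TLD is plain [a-z0-9-], so it needs no regex escaping.
ALABEL = re.compile(r"^[a-z0-9-]+$")

def whois_conf_line(tld, server):
    """One whois.conf line: an anchored pattern on the A-label form of the TLD.
    Returns None for a label that cannot be written in ASCII."""
    label = tld.strip().lstrip(".").lower()
    # whois.conf is ASCII only, so IDN TLDs are written as punycode (xn--...).
    alabel = label.encode("idna").decode("ascii")
    if not ALABEL.match(alabel):
        return None
    return "\\.%s$\t%s" % (alabel, server.strip())

def build_whois_conf(entries, skip=SKIP_TLDS):
    """entries: iterable of (tld, server) pairs as harvested from IANA.
    TLDs with an empty server (no port 43 service) and skipped TLDs are dropped."""
    lines = []
    for tld, server in entries:
        label = tld.strip().lstrip(".").lower()
        if not server.strip() or label in skip:
            continue
        line = whois_conf_line(label, server)
        if line is not None:
            lines.append(line)
    return "\n".join(sorted(lines)) + "\n"

# Constructed sample taken from the page's IANA and "missing server" lists.
SAMPLE_ENTRIES = [
    (".com", "whois.verisign-grs.com"),   # skipped: thin registry, client follows
    (".bzh", "whois.nic.bzh"),
    (".한국", "whois.kr"),                  # Hangul Korean TLD -> xn--3e0b707e
    (".москва", "whois.nic.xn--80adxhks"),
    (".axa", ""),                          # no port 43 server (March 2016)
]

if __name__ == "__main__":
    print(build_whois_conf(SAMPLE_ENTRIES), end="")
```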

By default:

$ whois dot.corsica
No whois server is known for this kind of object.

With the updated /etc/whois.conf (which contains whois-corsica.nic.fr):

$ whois dot.corsica
Domain Name: dot.corsica
Domain ID: DOM000000229850-CORSICA
Creation Date: 2015-09-04T09:07:28Z
Registry Expiry Date: 2017-09-04T09:07:29Z
Sponsoring Registrar: Gandi SAS
Sponsoring Registrar IANA ID: 81
Registrant Name: Eric Ferrari
Registrant Organization: Collectivite Territoriale de Corse
Registrant Street: 22, cours Grandval - B.P. 215
Registrant City: Ajaccio

Searching in Whois Servers more than Domain names

It's possible to search for other kinds of "data":

While originally used to provide "white pages" services and information about registered domain names, current deployments cover a much broader range of information services.

AS search

$ telnet whois.iana.org 43
> AS12322
refer:        whois.ripe.net
as-block:     12288-12454
organisation: Assigned by RIPE NCC

Referral to another WHOIS server that holds more information

$ telnet whois.ripe.net 43
> AS12322

% Information related to 'AS12322'
% Abuse contact for 'AS12322' is 'abuse@proxad.net'
aut-num:        AS12322
as-name:        PROXAD
descr:          Free SAS
org-type:       LIR
address:        Free SAS
address:        8 rue de la Ville l'Eveque
address:        75008 Paris
...
export:         to AS112 announce AS-PROXAD
export:         to AS174 announce AS-PROXAD
.....

Search of IPs

$ telnet whois.iana.org 43
> 185.53.179.9
refer:        whois.ripe.net
inetnum:      185.0.0.0 - 185.255.255.255
organisation: RIPE NCC
status:       ALLOCATED
whois:        whois.ripe.net
changed:      2011-02

Here again we get a "referral" to another Whois server that holds more information

$ telnet whois.ripe.net 43
> 185.53.179.9
inetnum:        185.53.176.0 - 185.53.179.255
netname:        DE-TEAMINTERNET-20140411
descr:          Team Internet AG
country:        DE
org:            ORG-TIA27-RIPE
...
address:        Team Internet AG
address:        Liebherrstr. 22
address:        80538
address:        Muenchen
address:        GERMANY
phone:          +4989416146013
...
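An added example, not code from the presentation: the RFC 3912 exchange described in the Protocol Specification slide (query + CRLF on TCP 43, read until the server closes) and the referral chain shown in the IANA, .com, AS and IP slides, starting at whois.iana.org and following "whois:", "refer:" and "Whois Server:" lines down to registry and registrar. The SAMPLE responses are constructed from the page's telnet sessions so the chain can be run offline.

```python
import socket

# Keys whose value names the next server to ask ("whois:", "refer:", "Whois Server:").
REFERRAL_KEYS = ("whois", "refer", "whois server", "registrar whois server")

def whois_query(server, query, port=43, timeout=10):
    """Raw RFC 3912 exchange: send query + CRLF, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("idna") + b"\r\n")
        # The closed connection is the end-of-response signal: read to EOF.
        return sock.makefile("rb").read().decode("utf-8", errors="replace")

def find_referral(text):
    """Next server named in a response, or None (an empty 'WHOIS Server:' is skipped)."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in REFERRAL_KEYS and value.strip():
            return value.strip().lower()
    return None

def authoritative_lookup(query, fetch=whois_query, max_hops=4):
    """Start at IANA and follow referrals; returns [(server, response), ...]."""
    is_domain = "." in query and not query.replace(".", "").isdigit()
    server, chain, seen = "whois.iana.org", [], set()
    for _ in range(max_hops):
        # IANA is asked for the TLD only (as on the page: "> com"); AS numbers
        # and IP addresses are sent unchanged.
        q = query.rsplit(".", 1)[-1] if is_domain and server == "whois.iana.org" else query
        text = fetch(server, q)
        chain.append((server, text))
        seen.add(server)
        nxt = find_referral(text)
        if nxt is None or nxt in seen:   # thick registry reached, or a loop: stop
            break
        server = nxt
    return chain

# Constructed responses condensed from the page's telnet sessions (offline stand-in).
SAMPLE = {
    ("whois.iana.org", "com"): "whois:        whois.verisign-grs.com\n",
    ("whois.verisign-grs.com", "aufeminin.com"):
        "   Domain Name: AUFEMININ.COM\n   Whois Server: whois.mailclub.net\n",
    ("whois.mailclub.net", "aufeminin.com"): "Domain Name: AUFEMININ.COM\n",
    ("whois.iana.org", "org"): "whois:        whois.pir.org\n",
    ("whois.pir.org", "wikipedia.org"): "Domain Name: WIKIPEDIA.ORG\nWHOIS Server:\n",
    ("whois.iana.org", "AS12322"): "refer:        whois.ripe.net\n",
    ("whois.ripe.net", "AS12322"): "aut-num:        AS12322\nas-name:        PROXAD\n",
}

def servers_asked(query, fetch=lambda s, q: SAMPLE.get((s, q), "")):
    return [s for s, _ in authoritative_lookup(query, fetch=fetch)]
```

Calling `authoritative_lookup("aufeminin.com")` with the default `fetch` performs the live lookup over port 43; `servers_asked` replays the chain against the constructed responses.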

Reverse lookup

Links provided by Loïc at the last meeting:

http://viewdns.info/reversewhois/
https://whoisology.com/
https://www.whoisxmlapi.com/reverse-whois.php

Reverse lookup

I'm not aware of "official" Reverse WHOIS lookup database.

Process seems to be:

Whoisology

The publicly viewable data on Whoisology is updated approximately 4 times a year. Information contained in the quarterly updates is from the 3-4 month period before the release.

ViewDNS.info

A number of tools provided by ViewDNS.info require significant amounts of backend data. A large proportion of this data has been built in house by ViewDNS.info.

Whois Web sites limitations

Besides having no idea what most Whois web sites do with the submitted data, not all of them handle every TLD properly.

Some examples...

whois.com

pik.bzh

Invalid domain name... We are unable to perform a lookup for pik.bzh. It appears to be an invalid or an unsupported domain extension.

http://www.whois.com/whois/pik.bzh

whois.net

dot.corsica

dotcorsica.com is already registered

Mmm.. Yes.. But not what I requested !!! :)

Who.is

nic.arte

ERROR
Invalid Domain Name: nic.arte. 
Please double check your input

https://who.is/whois/nic.arte

There is one Web Whois I like

It's as I would have built it myself: https://gWhois.org

  • Performs a live Whois lookup. No caching of old data!
  • Performs an authoritative Whois lookup. GWhois.org starts straight at the root (IANA.org) and then traverses down to the registry and registrar as needed.
  • Supports all existing top level domain names (TLD's).
  • Supports Internationalized Domain Names (IDN's)!

In addition, https://gWhois.org:

  • If you entered a domain name, only the TLD (e.g. .com) of the domain name is recorded. Other than that, GWhois.org does not hold on to any information you enter
  • GWhois.org cannot and does not engage in domain name front running.
  • Search engines are instructed not to index or cache Whois data
  • GWhois.org is ad-free & hosting costs are paid for out-of-pocket.

--> Donate :)

Conclusion

Questions...

?