From Wikipedia, the free encyclopedia


WHOIS is a TCP-based query/response protocol which is widely used for querying an official database in order to determine the owner of a domain name, an IP address, or an autonomous system number on the Internet. WHOIS lookups were traditionally made using a command line interface, but a number of simplified web-based tools now exist for looking up domain ownership details from different databases. Web-based WHOIS clients still rely on the WHOIS protocol to connect to a WHOIS server and do lookups, and command-line WHOIS clients are still quite widely used by system administrators.

The WHOIS system originated as a method that system administrators could use to look up information to contact other IP address or domain name administrators (almost like a "white pages"). The use of the data that is returned from query responses has evolved from those origins into a variety of uses, both altruistic (such as a Certificate Authority validating the registration for ecommerce https) and nefarious (such as bulk unsolicited email campaigns). Due to the potential vulnerability of WHOIS information to improper manipulation, the legal owner of the domain is considered to be whoever controls the domain's username/passwords, billing options and administrative features.

WHOIS has a sister protocol standard called RWhois. 'WHOIS' is not an acronym; rather, it is pronounced "who is".

Thin and thick lookups

There are two ways that WHOIS information may be stored: "thick" or "thin".

  • Thick: one WHOIS server stores the complete WHOIS information from all the registrars for the particular set of data (so that one WHOIS server can respond with WHOIS information on all .org domains, for example).

  • Thin: one WHOIS server stores only the name of the WHOIS server of the registrar of a domain, which in turn has the full details on the data being looked up (such as the .com WHOIS servers, which refer the WHOIS query to the registrar that the domain was registered from).

The thick model usually ensures consistent data and slightly faster lookups (since only one WHOIS server needs to be contacted). If a registrar goes out of business, a thick registry contains all important information (if the registrant entered correct data, and privacy features were not used to obscure the data) and ownership can be retained. But with a thin registry, the contact information may not be available (unless adequately escrowed) and it may be difficult for the rightful registrant to retain control of the domain.

If a WHOIS client does not he WHOIS client understood how to deal with this situation, it would display the full information from the registrar. Unfortunately, there is no standard in the WHOIS protocol for determining how to distinguish the thin model from the thick model.

Exact implementation of which records are stored varies between domain name registries. Some top-level domains, including .com and .net, operate a thin WHOIS, allowing the various domain registrars the ability to maintain their own customers' data. Other registries, including .org, operate a thick model.


Data Returned

Normally the contact information of the individual owner is returned. However, some registrars offer "private registration", in which case the contact information of the registrar is shown instead.

Some registry operators are "wholesale"; they typically sell .com and other domain names to a large number of "retail" registrars, who in turn sell them to consumers. For private registration, only the identity of the wholesale registrar may be returned. In this case, the identity of the individual as well as the "retail registrar" may be hidden.

(No reference on ICAAN rules regarding 1) whether the retail or wholesale registrar is considered to be the owner, and 2) which registrar is returned on a WHOIS.)

Below is an example of WHOIS data returned for an individual owner. This is the result of a WHOIS query on wikipedia.org:

Domain ID:D51687756-LROR
Created On:13-Jan-2001 00:12:14 UTC
Last Updated On:01-Mar-2006 12:39:33 UTC
Expiration Date:13-Jan-2015 00:12:14 UTC
Sponsoring Registrar:Go Daddy Software, Inc. (R91-LROR)
Registrant ID:GODA-09495921
Registrant Name:Wikimedia Foundation
Registrant Organization:Wikimedia Foundation Inc.
Registrant Street1:204 37th Ave N, #330
Registrant Street2:
Registrant Street3:
Registrant City:St. Petersburg
Registrant State/Province:Florida
Registrant Postal Code:33704
Registrant Country:US
Registrant Phone:+1.7272310101
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:noc@wikimedia.org
Admin ID:GODA-29495921
Admin Name:Jimmy Wales
Admin Organization:Wikimedia Foundation
Admin Street1:204 37th Ave. N. #330
Admin Street2:
Admin Street3:
Admin City:St. Petersburg
Admin State/Province:Florida
Admin Postal Code:33704
Admin Country:US
Admin Phone:+1.7276441636
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:jwales@bomis.com
Tech ID:GODA-19495921
Tech Name:Jason Richey
Tech Organization:Wikimedia Foundation
Tech Street1:19589 Oneida Rd.
Tech Street2:
Tech Street3:
Tech City:Apple Valley
Tech State/Province:California
Tech Postal Code:92307
Tech Country:US
Tech Phone:+1.7604869194
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:jasonr@bomis.com

Querying Regional Internet Registries

Whois servers belonging to Regional Internet Registries(RIR) can be queried to determine the Internet Service Provider responsible for a particular IP address.

These servers are:

ARIN - whois.arin.net
RIPE NCC - whois.ripe.net
APNIC - whois.apnic.net
LACNIC - whois.lacnic.net
AFRINIC - whois.afrinic.net

The records of each of these registries are cross-referenced, so that a query to ARIN for a record which belongs to RIPE will return a placeholder pointing to the RIPE whois server. This lets the whois user making the query know that the detailed information resides on the RIPE server.

Determining whois server by domain name

Appropriate whois server can be determined by top level domain name using whois-servers.net service. This service provides DNS aliases of whois servers.

Example: com.whois-servers.net, net.whois-servers.net, info.whois-servers.net, <your-country-code>.whois-servers.net

This service is used by GNU whois utility.


When the Internet was emerging out of the ARPANET, there was only one organization that handled all domain registrations, which was DARPA itself. The process of registration was established in RFC 920. WHOIS was standardized in the early 1980s to look-up domains, people and other resources related to domain and number registrations. Because all registration was done by one organization in that time, one centralized server was used for WHOIS queries. This made looking-up information very easy.

Early WHOIS servers were highly permissive and would allow wild-card searches. You could do a WHOIS lookup on a person's last name and get all the individual people who had a registered handle. You could do a query on a keyword and see all registered domains containing that keyword. You could even query a given administrative contact and see all domains they were associated with. Due to the advent of the commercialized Internet, multiple registrars and unethical spammers, such permissive searching is no longer available.

Responsibility of domain registration remained with DARPA as the ARPANET became the Internet during the 1980s. UUNet began offering domain registration service, however they simply handled the paperwork which they forwarded to DARPA's Network Information Center (NIC). Then the National Science Foundation directed that management of Internet domain registration would be handled by commercial, 3rd party entities. InterNIC was formed in 1993 under contract with the NSF, consisting of Network Solutions, Inc., General Atomics, and AT&T. General Atomics' contract was cancelled after several years due to performance issues.

On December 1, 1999, management of the top-level domains (TLDs) .com, .net, and .org was turned over to ICANN. At the time these popular TLDs were switched to a thin WHOIS model. Existing WHOIS clients stopped working at that time. A month later it had self-detecting CGI support so that the same program could operate a web-based WHOIS lookup, and an external TLD table to support multiple whois servers based on the TLD of the request. This eventually became the model of the modern whois client.

By 2005, there were many more generic top-level domains than there had been in the early 1980s. There are also many, many more country-code top-level domains. This has led to a complex network of domain name registrars and registrar associations, especially as the management of Internet infrastructure has become more internationalized. As such, performing a WHOIS query on a domain requires knowing the correct, authoritative WHOIS server to use. Tools to do WHOIS proxy searches have become common. Also, there is a command-line whois client called jwhois which uses a configuration file to map domain names and network blocks to their appropriate registrars.

In 2004, an IETF committee was formed to standardize a whole new way to look-up information on domain names and network numbers. The current working name for this proposed new standard is Cross Registry Information Service Protocol (CRISP).

Querying WHOIS servers

Command-line clients

Originally the only method by which a WHOIS server could be contacted was to use a command line interface text client. In most cases this was on a Unix or Unix-like platform. The WHOIS client software was (and still is) distributed as open source. Various commercial Unix implementations may use their own implementations (for example, Sun Solaris 7 has a WHOIS client authored by Sun).

A WHOIS command line client typically has options to choose which host to connect to for whois queries, with a default whois server being compiled in. Additional options may allow control of what port to connect on, displaying additional debugging data, or changing recursion/referral behavior.

Like most TCP/IP client/server applications, a WHOIS client takes the user input and then opens an IP socket to its destination server. The WHOIS protocol is used to establish a connection on the appropriate port and send the query. The client waits for a response from the server, which it then either returns to the end-user or uses to make additional queries. .

The source package of GNU whois command-line client can be downloaded from Free Software Directory now. An imported version of this one to MS-Windows can be acquired from SourceForge.

 Graphical clients

The term "graphical client" may be a bit of a misnomer for a WHOIS client, since all the data to be derived from a WHOIS server is plain text, and the protocol is a relatively static one. There is not much interaction to do with a WHOIS server. In this context, the term "graphical client" is taken to mean a WHOIS client that runs as an application on a GUI OS and uses the OS's standard GUI for user interaction.

Web-based clients

With the advent of the World Wide Web and especially the loosening up of the Network Solutions monopoly, looking up WHOIS information via the web has become quite common. Most early web-based WHOIS clients were merely front-ends to a command-line client, where the resulting output just got displayed on a webpage with little, if any, clean-up or formatting.

Nowadays, web based WHOIS clients usually perform the WHOIS queries directly and then format the results for display. Many such clients are proprietary, authored by domain name registrars.

The need for web-based clients came from the fact that command-line WHOIS clients largely existed only in the Unix and large computing worlds. Microsoft Windows and Macintosh computers had no WHOIS clients, so registrars had to find a way to provide access to WHOIS data for potential customers. Many end-users still rely on such clients, even though command line and graphical clients exist now for most home PC platforms.

Perl modules

CPAN has several Perl modules available that work with WHOIS servers. Many of them are not current and do not fully function with the current (2005) WHOIS server infrastructure. However, there is still much useful functionality to derive including looking up AS numbers and registrant contacts.


  • Privacy: Registrant's contact details, such as address and telephone number, are made easily accessible to anyone over the internet for most top-level domains. Although some registrars offer private registrations (where the contact information of the registrar is shown), under ICANN rules the registrar or "private registration" company is then legal owner (lessor) of the domain.

  • Ownership may be obscured: In the case of private registration, it may be difficult for an owner to confirm his or her ownership. See section "Accuracy of information".

  • False registrations: The privacy services mentioned above are often abused by people involved in illegal activity, who use them in the knowledge that it makes it extremely difficult for entities (even law-enforcement officers) outside of their registrar's legal jurisdiction to obtain their contact details. The fact that some registrars are uncooperative when notified of illegal activity makes this situation somewhat worse.

  • Inaccuracy of information: Some registrars are not sufficiently careful to ensure the accuracy of contact details listed in the WHOIS.

  • Obsolescence: most of the information stored in a WHOIS server, is subject to change later in time. For instance, the owner may change his (geographical) address. Since the email address used to administrate the domain often remains valid, the owner may not bother to update his address with the registrar.

  • History: when a domain record is updated (moved, sold), the previous information is not archived but overwritten. A few WHOIS servers, however, do automatically monitor and cache the records for domains which were queried through their interface, making the WHOIS history partially available.

  • Spam: Spammers often harvest plain-text email addresses from WHOIS requests. This means that both WHOIS servers and websites offering WHOIS lookups have resorted to special systems (such as Captcha, where users have to type in letters or numbers from a picture) and rate-limiting systems.

  • Internationalization: The WHOIS protocol was not written with an international audience in mind. A WHOIS server cannot tell which text encoding it is using for either the requests or replies, and the servers were originally all simply using US-ASCII, although this cannot be assumed anymore with international servers. This obviously will impact the usability of the WHOIS protocol in countries outside the USA, especially as internationalized domain names are falling into wider use. A user can (and possibly will have to due to this limitation) use punycode, but this leads to conversion problems as the punycode system is not easy for a regular user to grasp.

  • Lack of WHOIS server lists: There is no central list of WHOIS servers. Therefore, people writing WHOIS tools need to find their own list of WHOIS servers, and different WHOIS tools may contact different WHOIS servers.

  • Different registrars' WHOIS servers return results in different formats, making automation of parsing WHOIS data difficult. While such automation has many legitimate uses (primarily for ISPs), it also lends itself to use by spammers and other people acting unethically.

Accuracy of Information

In cases where the individual's identity is public, an owner can easily confirm his or her ownership of a domain by sending a WHOIS request.

In the case of "private registration," confirming ownership may be more difficult. If an owner has purchased a domain name and wants to verify that the "retailer" has indeed completed the registration process, three steps may be required: 1) perform a WHOIS and confirm that the name is at least registered with ICANN, 2) determine the name of the wholesale registrar, and 3) contact the wholesaler and obtain the name of the retail registrar. This provides some confidence that the retailer actually purchased the name for the individual. But if the registrar goes out of business, such as the failure of RegisterFly in 2007, the rightful owners of domains with privacy-protected registrations may have difficulty retaining domain administration. The end user of "private registration" can attempt to protect themselves by using a registrar that places customer data in escrow with a third party.

ICANN requires that each domain name registrant be given the opportunity to correct any inaccurate contact data associated with a domain. For this reason, the registrar is required to periodically send the owner the contact information on record for verification. (No reference for ICAAN rules on verification.)

Law and policy

WHOIS has generated policy issues in the United States federal government. As noted above, WHOIS creates a privacy issue which is also tied to free speech and anonymous speech. However, WHOIS is an important tool for law enforcement officers investigating violations like spam and phishing to track down the owners of domain names. Law enforcement officers become frustrated when WHOIS records are filled with rubbish. As a result, law enforcement agencies have sought to make WHOIS records both open and verified:

  • The Federal Trade Commission has testified about how inaccurate WHOIS records thwart their investigations.

  • There have been congressional hearings that have touched on the importance of WHOIS in 2006, 2002, and 2001.

  • The Fraudulent Online Identity Sanctions Act "make it a violation of trademark and copyright law if a person knowingly provided, or caused to be provided, materially false contact information in making, maintaining, or renewing the registration of a domain name used in connection with the violation," where the latter "violation" refers to a prior violation of trademark or copyright law. The act does not make the submission of false WHOIS data illegal in itself, only if used to shield oneself from prosecution for crimes committed using that domain name.