Quick Links

Key Takeaways

  • The whois system contains records that provide information about the ownership of domains and the owners themselves. The Internet Corporation for Assigned Names and Numbers (ICANN) regulates domain name registration and ownership, but the records are held by different companies known as registries.
  • A whois record includes contact information for the registrant (owner) and the registrar (organization that registered the domain name), as well as the registration date, last update, and expiration date.
  • With the Linux whois command, you can perform lookups directly from the command line, which is useful for systems without a graphical user interface or for shell scripts. The command can be installed on Ubuntu, Fedora, and Manjaro using specific commands provided.

A whois lookup will tell you a lot of information about who owns an internet domain. On Linux, you can run whois lookups from the command line. We'll walk you through it.

The whois System

The whois system is a listing of records that contains details about both the ownership of domains and the owners. The Internet Corporation for Assigned Names and Numbers (ICANN) regulates domain name registration and ownership, but the list of records is held by many companies, known as registries.

Anyone can query the list of records. When you do, one of the registries will handle your request and send you details from the appropriate whois record.

Before we go any further, it's important that you're familiar with the following terms:

  • Registry: A company that manages a list containing a set of domain names (there are many of these).
  • Registrant: The legal owner of the domain; it's registered to this person.
  • Registrar: A registrant uses a registrar to make his or her registration.

A whois record contains all the contact information associated with the person, company, or other entity that registered the domain name. Some registrations contain more information than others, and some registries return differing amounts of information.

A typical whois record will contain the following information:

  • The name and contact information of the registrant: The owner of the domain.
  • The name and contact information of the registrar: The organization that registered the domain name.
  • The registration date.
  • When the information was last updated.
  • The expiration date.

You can make whois requests on the web, but, with the Linux whois command, you can perform lookups right from the command line. This is useful if you need to perform a lookup from a computer without a graphical user interface, or if you want to do so from a shell script.

Installing whois

The whois command was already installed on Ubuntu 20.04. If you need to install it on your version of Ubuntu, you can do so with the following command:

sudo apt-get install whois

sudo apt-get install whois in a terminal window

On Fedora, use the command below:

sudo dnf install whois

sudo dnf install whois ina terminal window

And finally, on Manjaro, type the following:

sudo pacman -Syu whois

sudo pacman -Syu whois in a terminal window

Using whois with a Domain Name

You can use the whois command with domain names or Internet Protocol (IP) addresses. A slightly different set of information is returned for each of these.

We'll use a domain name for our first example:

whois cnn.com

whois cnn.com in a terminal window

The response from the whois registry starts with a summary, and then repeats itself with extra information included. We've included an example below with trademark statements and terms of use removed:

        Domain Name: CNN.COM
Registry Domain ID: 3269879_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2018-04-10T16:43:38Z
Creation Date: 1993-09-22T04:00:00Z
Registry Expiry Date: 2026-09-21T04:00:00Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: 8887802723
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS-1086.AWSDNS-07.ORG
Name Server: NS-1630.AWSDNS-11.CO.UK
Name Server: NS-47.AWSDNS-05.COM
Name Server: NS-576.AWSDNS-08.NET
DNSSEC: unsigned


This is reasonably self-explanatory. We see various details about the registrar and registry, including contact details, registration dates, and so on. There are a few entries in the list that you might not recognize.

The Internet Assigned Numbers Authority (IANA) oversees and coordinates things like top-level Domain Name System zones, IP protocol addressing systems, and the list of registries. This registry is number 299, which is indicated in the listing as "IANA ID: 299."

The "domain status" lines show the state in which the domain is, and it can be in several simultaneously. The states are defined in the Extensible Provisioning Protocol. Some of these are rarely seen, and others are restricted to certain situations, such as legal disputes.

The following states are attached to this registration:

  • clientTransferProhibited: The domain's registry will reject requests to transfer the domain from the current registrar to another.
  • serverDeleteProhibited: The domain cannot be deleted.
  • serverTransferProhibited: The domain cannot be transferred to another registrar.
  • serverUpdateProhibited: The domain cannot be updated

The last three are usually enabled at the registrant's request, or if a legal dispute is in progress. In this case, CNN probably requested these to be enforced to "lock down" the company's domain.

"!DNSSEC" stands for Domain Name System Security Extensions, a scheme that allows a DNS name resolver to cryptographically check that the data it received from the DNS zone is valid and hasn't been tampered with.

The longer part of the response is shown below:

        Domain Name: cnn.com
Registry Domain ID: 3269879_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2018-04-10T16:43:38Z
Creation Date: 1993-09-22T04:00:00Z
Registrar Registration Expiration Date: 2026-09-21T04:00:00Z
Registrar: CSC CORPORATE DOMAINS, INC.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: +1.8887802723
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited http://www.icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited http://www.icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited http://www.icann.org/epp#serverUpdateProhibited
Registry Registrant ID:
Registrant Name: Domain Name Manager
Registrant Organization: Turner Broadcasting System, Inc.
Registrant Street: One CNN Center
Registrant City: Atlanta
Registrant State/Province: GA
Registrant Postal Code: 30303
Registrant Country: US
Registrant Phone: +1.4048275000
Registrant Phone Ext:
Registrant Fax: +1.4048271995
Registrant Fax Ext:
Registrant Email: tmgroup@turner.com
Registry Admin ID:
Admin Name: Domain Name Manager
Admin Organization: Turner Broadcasting System, Inc.
Admin Street: One CNN Center
Admin City: Atlanta
Admin State/Province: GA
Admin Postal Code: 30303
Admin Country: US
Admin Phone: +1.4048275000
Admin Phone Ext:
Admin Fax: +1.4048271995
Admin Fax Ext:
Admin Email: tmgroup@turner.com
Registry Tech ID:
Tech Name: TBS Server Operations
Tech Organization: Turner Broadcasting System, Inc.
Tech Street: One CNN Center
Tech City: Atlanta
Tech State/Province: GA
Tech Postal Code: 30303
Tech Country: US
Tech Phone: +1.4048275000
Tech Phone Ext:
Tech Fax: +1.4048271593
Tech Fax Ext:
Tech Email: hostmaster@turner.com
Name Server: ns-576.awsdns-08.net
Name Server: ns-1086.awsdns-07.org
Name Server: ns-47.awsdns-05.com
Name Server: ns-1630.awsdns-11.co.uk
DNSSEC: unsigned

This gives us more or less the same information as the summary, with extra sections about the registrant and their contact details for administrative and technical purposes.

The registrant name is given as "Domain Name Manager." Sometimes, for a fee, companies choose to let their registrar register the domain on their behalf under a generic name the registrar maintains for this purpose. That appears to be the case here. However, as the address of the registrant is "1 CCN Center," it's obvious who the registrant is.

Using whois with an IP Address

Using whois with an IP address is just as simple as using it with a domain name. Just specify an IP address after whois, like so:

whois 205.251.242.103

whois 205.251.242.103 in a terminal window

This is the output returned by whois:

        NetRange: 205.251.192.0 - 205.251.255.255
CIDR: 205.251.192.0/18
NetName: AMAZON-05
NetHandle: NET-205-251-192-0-1
Parent: NET205 (NET-205-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS16509, AS39111, AS7224
Organization: Amazon.com, Inc. (AMAZON-4)
RegDate: 2010-08-27
Updated: 2015-09-24
Ref: https://rdap.arin.net/registry/ip/205.251.192.0

OrgName: Amazon.com, Inc.
OrgId: AMAZON-4
Address: 1918 8th Ave
City: SEATTLE
StateProv: WA
PostalCode: 98101-1244
Country: US
RegDate: 1995-01-23
Updated: 2020-03-31
Ref: https://rdap.arin.net/registry/entity/AMAZON-4

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-266-4064
OrgAbuseEmail: abuse@amazonaws.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/AEA8-ARIN

OrgNOCHandle: AANO1-ARIN
OrgNOCName: Amazon AWS Network Operations
OrgNOCPhone: +1-206-266-4064
OrgNOCEmail: amzn-noc-contact@amazon.com
OrgNOCRef: https://rdap.arin.net/registry/entity/AANO1-ARIN

OrgRoutingHandle: ADR29-ARIN
OrgRoutingName: AWS Dogfish Routing
OrgRoutingPhone: +1-206-266-4064
OrgRoutingEmail: aws-dogfish-routing-poc@amazon.com
OrgRoutingRef: https://rdap.arin.net/registry/entity/ADR29-ARIN

OrgRoutingHandle: IPROU3-ARIN
OrgRoutingName: IP Routing
OrgRoutingPhone: +1-206-266-4064
OrgRoutingEmail: aws-routing-poc@amazon.com
OrgRoutingRef: https://rdap.arin.net/registry/entity/IPROU3-ARIN

OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-4064
OrgTechEmail: amzn-noc-contact@amazon.com
OrgTechRef: https://rdap.arin.net/registry/entity/ANO24-ARIN

RTechHandle: ROLEA19-ARIN
RTechName: Role Account
RTechPhone: +1-206-266-4064
RTechEmail: ipmanagement@amazon.com
RTechRef: https://rdap.arin.net/registry/entity/ROLEA19-ARIN

RAbuseHandle: ROLEA19-ARIN
RAbuseName: Role Account
RAbusePhone: +1-206-266-4064
RAbuseEmail: ipmanagement@amazon.com
RAbuseRef: https://rdap.arin.net/registry/entity/ROLEA19-ARIN

RNOCHandle: ROLEA19-ARIN
RNOCName: Role Account
RNOCPhone: +1-206-266-4064
RNOCEmail: ipmanagement@amazon.com
RNOCRef: https://rdap.arin.net/registry/entity/ROLEA19-ARIN

The first section contains information regarding the organization that owns the IP address we searched for (in this case, one of many owned by Amazon). We're also given some identifiers used to identify Amazon.com, Inc. internally by the registry.

The second section contains the address and name of the registrant, Amazon.com, Inc. The web address in the "Ref:" field contains this information in JavaScript Object Notation (JSON) format.

The other sections contain contact information that allows you to report issues regarding abuse, network operation, traffic routing, and so on.

Using whois in a Script

To use whois in a script, let's assume we have a set of domains for which we need to check the expiration dates. We can accomplish this with a small shell script.

Type this into an editor, and save it as "get-expiry.sh":

        #!/bin/bash

DOMAIN_LIST="howtogeek.com reviewgeek.com lifesavvy.com cloudsavvyit.com"

echo "Expiration dates:"

for domain in $DOMAIN_LIST
do
  echo -n "$domain :: "
  whois $domain | grep 'Expiration' | awk '{print $5}'
done

Set the script to have executable permissions by using the chmod command, as shown below:

chmod +x get-expiry.sh

chmod +x get-expiry.sh in a terminal window

Run the script by calling it by name:

./get-expiry.sh

./get-expiry.sh in a terminal window

The expiration date for each domain is extracted from the response from whois by using grep to find lines that contain the string "Expiration," and using awk to print the fifth item from that line.

Convenience and Automation

Yes, you can also perform whois lookups online. However, having the whois command available in the terminal window and scripts offers convenience, flexibility, and gives you the option to automate some of your workload.

Linux Commands

Files

tar · pv · cat · tac · chmod · grep · diff · sed · ar · man · pushd · popd · fsck · testdisk · seq · fd · pandoc · cd · $PATH · awk · join · jq · fold · uniq · journalctl · tail · stat · ls · fstab · echo · less · chgrp · chown · rev · look · strings · type · rename · zip · unzip · mount · umount · install · fdisk · mkfs · rm · rmdir · rsync · df · gpg · vi · nano · mkdir · du · ln · patch · convert · rclone · shred · srm · scp · gzip · chattr · cut · find · umask · wc · tr

Processes

alias · screen · top · nice · renice · progress · strace · systemd · tmux · chsh · history · at · batch · free · which · dmesg · chfn · usermod · ps · chroot · xargs · tty · pinky · lsof · vmstat · timeout · wall · yes · kill · sleep · sudo · su · time · groupadd · usermod · groups · lshw · shutdown · reboot · halt · poweroff · passwd · lscpu · crontab · date · bg · fg · pidof · nohup · pmap

Networking

netstat · ping · traceroute · ip · ss · whois · fail2ban · bmon · dig · finger · nmap · ftp · curl · wget · who · whoami · w · iptables · ssh-keygen · ufw · arping · firewalld