WHOIS, an exposé

This page covers in detail the purpose of the WHOIS protocol and basic usage of the whois command. The process of domain registration is also covered from a technical point of view.

WHOIS: History and Overview

WHOIS, though not technically related to DNS is an important part of its mythology. WHOIS is a network protocol (TCP/43) used to query a WHOIS database server. Initially this was a system used on ARPANET to exchange contact information about users and hosts on the network. ARPANET users were requested to register their personal information with the NIC. Users could then query the database on the NIC's system with the "nicname" program; e.g., a query for the user "Jim" would return the following output:

   Dyer, Jim K. (JIM)          DYER@SRI-NIC
        SRI International
        Network Information Center
        Telecommunications Sciences Center
        333 Ravenswood Avenue
        Menlo Park, California 94025
        Phone: (415) 859-4775

As the RFC alludes to, WHOIS works like a centralized finger server. Of course no real-time or status information is provided, but the contact information is more complete than typical finger output. [1]

WHOIS: Modern Implementations / Examples

In many ways modern implementations of WHOIS work basically the same, but the data that is being passed has been reengineered for different purposes. NSI gives this definition:

Whois: A searchable database maintained by Network Solutions, which contains information about networks, networking organizations, domain names, and the contacts associated with them for the com, org, net, edu, and ISO 3166 country code top-level domains. Also, the protocol, or set of rules, that describes the application used to access the database. Other organizations have implemented the Whois protocol and maintain separate and distinct Whois databases for their respective domains. [2]

[ Internet Domains ]

WHOIS is now the authoratative system used to identify the registrant of an Internet domain name and/or network block. Today a common usage of WHOIS would be to find out if an Internet domain name is "taken". E.g.,

$ whois wtlug.org
[whois.internic.net]

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: WTLUG.ORG
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
   Name Server: ENDOR.ROGUE-SQUAD.COM
   Name Server: BAKURA.ROGUE-SQUAD.COM
   Updated Date: 09-sep-2000


>>> Last update of whois database: Thu, 7 Jun 2001 02:06:16 EDT <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

This is the default output using the whois program that installed with my Slackware 7.0 system. Since I didn't specify one, the default WHOIS server "whois.internic.net" was used as shown on the first line of output. My whois program was compiled with "whois.internic.net" as the default server; however, more modern implementations (especially those 1999 and after) will typically have "whois.crsnic.net" compiled as the default server. To use a specific WHOIS server, I simply need to append an @whois.server.com to my query.

By examining the WHOIS output above, we learn several things: the registrar that actually registered wtlug.org, along with that organization's whois server and website, as well as the name servers that are authoratative for the domain and the date this record was last updated. This is the basic information that makes up a domain record in the Shared Registration System, which I will discuss in futher detail later on. To get more information on this domain I need to reissue my query on whois.networksolutions.com like so:

$ whois wtlug.org@whois.networksolutions.com
[whois.networksolutions.com]
The Data in Network Solutions' WHOIS database is provided by Network
Solutions for information purposes, and to assist persons in obtaining
information about or related to a domain name registration record.
Network Solutions does not guarantee its accuracy.  By submitting a
WHOIS query, you agree that you will use this Data only for lawful
purposes and that, under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail
(spam); or  (2) enable high volume, automated, electronic processes
that apply to Network Solutions (or its systems).  Network Solutions
reserves the right to modify these terms at any time.  By submitting
this query, you agree to abide by this policy.

Registrant:
West Texas Linux Users Group (WTLUG-DOM)
   401 Cypress, Suite 610
   Abilene, TX 79601
   US

   Domain Name: WTLUG.ORG

   Administrative Contact, Technical Contact:
      McMurray, Mike  (MM17088)  alien@ALIENATED.ORG
      Alienated Productions
      649 Cowboys Parkway, #2065
      Irving, TX 75063
      (214)532-8835 (FAX) (972)481-5892
   Billing Contact:
      Accounting Dept.  (AD275-ORG)  billing@BITSTREET.NET
      Leapfrog Technologies, LLC
      401 Cypress St.
      Suite 610
      Abilene, TX 79601
      US
      915-675-6850
      Fax- 915-672-1324

   Record last updated on 22-Sep-2000.
   Record expires on 09-Sep-2001.
   Record created on 09-Sep-1998.
   Database last updated on 7-Jun-2001 12:51:00 EDT.

   Domain servers in listed order:

   BAKURA.ROGUE-SQUAD.COM       206.142.132.160
   ENDOR.ROGUE-SQUAD.COM        64.216.57.129

More modern implementations of the whois program are compiled to do recursive WHOIS queries, meaning that they query the SRS first and then automatically run the query against the WHOIS server listed in the output until the registrant is successfully retrieved.

As can be seen from the output above, this query provides all the information any person would need concerning a domain name. This is however only an example of Network Solutions, Inc.'s output, other registrars will output more or less information depending on their organization's policy.

[ Network Blocks ]

As mentioned earlier another function of WHOIS is to look up registrants of network block addresses. The primary source of this information is ARIN.NET:

Querying the ARIN WHOIS database is much like querying for Internet domain names:

$ whois 208.47.125.33@whois.arin.net
[whois.arin.net]
Qwest Communications (NETBLK-NET-QWEST-BLK) NET-QWEST-BLK
                                                   208.44.0.0 - 208.47.255.255
MD Procurement Office (NETBLK-QWEST-208-47-125) QWEST-208-47-125
                                                 208.47.125.0 - 208.47.125.255

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

As you can see I get information about the organizations responsible for the networks containing the IP address I used in the query. The owner of the most general network block is listed first. This is Qwest Communications, who apparently registered this /14 block with ARIN. The next record shows that Qwest allocated the 208.47.125.0 Class C network to MD Procurement Office. If I want to narrow down my search I'll run:

$ whois qwest-208-47-125@whois.arin.net
[whois.arin.net]
MD Procurement Office (NETBLK-QWEST-208-47-125)
   Bldg. 9840, O'Brian Road
   Ft. Meade, MD 20755
   US

   Netname: QWEST-208-47-125
   Netblock: 208.47.125.0 - 208.47.125.255

   Coordinator:
      Edwards, Monte  (ME190-ARIN)  monte@ncsc.mil
      301-688-5424

   Record last updated on 01-Dec-1999.
   Database last updated on 6-Jun-2001 22:48:03 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

Now I have all the POC information I need, concerning the IP address I queried for initially. Quite a bit of information considering all I started with was an IP Addresss.

On a side note: This seems to be the closest way to relate an IP address to a physical address; however, there are many reasons that the IP address would have little or nothing to do with the physical address listed in this output.

[ whois usage notes ]

Each WHOIS server seems to have its own set of options for doing wildcard matching, single-ing out records, and special keywords. To get more information about options for a particular WHOIS server issue a query for "HELP" or "?".

There are many modern client implementations of WHOIS. Most UNIX- based systems come with a command-line program "whois", which I was using in the examples above. Just about every domain or net block registrar and registry contain web interfaces to their respective WHOIS databases. I will give more information about server implementations in the next section.

It is also important to point out that the WHOIS protocol could be used for much more than domain name/network info. If you know of such an implementation please e-mail me and tell me about it.

WHOIS: Links to WHOIS servers

SRS WHOIS = http://www.verisign-grs.com/whois/
( VeriSign's WHOIS system can be used to query for registrar's and name servers in addition to domain names. )

NSI = http://www.networksolutions.com/cgi-bin/whois/whois
( NSI's WHOIS system also contains contact information for TLDs; one of the more extensive systems available. )

.FM/.AM = http://www.dot.fm/search.html

Domain Names: The Shared Registration System

The Shared Registration System, sometimes referred to as just "the Registry" the SRS or the NSI Registry, is the central authority for domain name information for the .COM, .NET, .ORG and .EDU gTLDs. Access to the database is only given to ICANN-accredited registrars. Examples of ICANN-accredited registrars would include Network Solutions, Inc., Dotster, Inc., and Register.com, Inc. Again the list of registrars is available at http://www.icann.org/registrars/accredited-list.html. ( See also: How to become an ICANN-accredited registrar in 4,078 easy steps... ) [3]

Registrar's communicate with the Registry via the RRP (Registry/Registrar Protocol). RRP protocol (TCP/648) was developed by Network Solutions, Inc. in April of 1999. RFC 2832 lists the following functions of RRP that can be performed by accredited registrars:

- Determine if a domain name has been registered.
- Register a domain name.
- Renew the registration of a domain name.
- Cancel the registration of a domain name.
- Update the name servers of a domain name.
- Transfer a domain name from another registrar.
- Examine the status of domain names that the registrar has registered.
- Modify the status of domain names that the registrar has registered.
- Determine if a name server has been registered.
- Register a name server.
- Update the IP addresses of a name server.
- Delete a name server.
- Examine the status of name servers that the registrar has registered.

If you wish to further experiment with RRP you can download a software development kit here. In addition to the main Registry database most registrars maintain their own WHOIS database that contains varying degrees of POC information.

I'm not totally sure, but my best guess is that .COM, .NET, .ORG, and .EDU zone data is generated from the SRS database. If anyone has accurate information on this process, I would certainly be interested.

Domain Names: Registration

Of course .COM, .NET, and .ORG can be registered by any of the ICANN-approved registrars. See: http://www.icann.org/registrars/accredited-list.html

[ What about .EDU, .INT, .MIL, .GOV, .ARPA ... ? ]

Though fairly undocumented the .EDU domain is maintained in the SRS database, but the only registrar is Network Solutions, Inc. When you go to http://www.nsi.com you are not given options in the gTLD list box for .EDU. I found by just typing in myschool.edu I was taken to a page for registering .EDU domains with a few special instructions, namely that I would have to be a four-year educational institution. I don't think that there will be any other registrars for .EDU domain anytime soon.

Dot-INT domains are just weird. This TLD is governed by IANA and is the only generic TLD I could not find a WHOIS server for. If you happen to be an organization sponsered by an international treaty you can register your .INT name at http://www.iana.org/int-dom/int.htm. Now wouldn't www.unsigned.int be cool?! (more random information on .INT)

Dot-MIL, and .GOV domains are also not included in the SRS and I've included links to their WHOIS servers and registration policies below. These domains may be migrating to .MIL.US and .FED.US before too long, considering only US agencies can register SLDs in these domains.

Dot-ARPA is another interesting TLD and one of the most obvious vestiges of the APRANET. Dot-ARPA is also governed by IANA and only has two SLDs that I could find: in-addr.arpa and e164.arpa. in-addr.arpa is of course the domain used to maintain inverse mappings of IP addresses to names. Also, in-addr.arpa is the only SLD served by the root servers (as far as I could tell). in-addr.arpa is maintained by ARIN. There isn't really a WHOIS database for the .ARPA domain, but ARIN's WHOIS database contains the same logical information.

Note: these commands are functionally equivalent: nslookup 208.47.125.33 and nslookup -q=ptr 33.125.47.208.in-addr.arpa

[ What about .CC, .TV, .WS, .FM, .AM, ... ?]

For different reasons certain countries have opted to allow commercialization of their top-level domain name. This is a list of ccTLDs that have been exploited because of their symbolism in other parts of society.

.CC = Cocos (Keeling) Islands

.TV = Tuvalu

.WS = (Western) Samoa

.FM = Federated States of Micronesia

.AM = Armenia Network Information Center

It was up to each of these countries to give rights to their international TLD to a commercial registrar. This has typically been good for the countries involved, e.g., the .TV corporation must pay Tuvalu a minimum of $4 million per year for the next ten years ... considering only 10,000 people live on the island that's $400 per person for the next ten years!

Note: All two letter as well as some three letter TLDs not specifically assigned to a country have been reserved for future use. [4]

Information on registration for SLDs in the "premium" ccTLDs can be found at www.ccTLD for each name. Dot-FM and .AM are available at http://dot.fm and http://dot.am respectively.

[ What about .US and other ccTLDs? ]

It's been my experience when trying to find information on unusual or uncommon ccTLDs that visiting http://www.ccTLD or http://[www.]nic.ccTLD will lead to the information I'm looking for. If nothing else Network Solutions maintains records in their WHOIS database for many if not all TLDs. Try doing a query for the ccTLD you are looking for, and you should eventually get to contact information for that country's international TLD.

As for .US you can visit http://www.us and learn about how this domain works. Basically, SLDs for .US cannot be registered directly, that is all new registrations would have to be for a 3rd-level, e.g., chicago.il.us. The 3rd-level has to be a county or city (I believe) and the administrative contact for the name must be a county or city official. Sub-domain policies are up to the local government, and essentially any entity can host .US domains.

Domain Names: Misc Questions

[ Is there really going to be any new gTLDs? ]

Of course this is up to ICANN, but if new ones are added it will be the first addition to the gTLDs in over 15 years. Despite all the hype I think .biz and .info are the only ones we'll see anytime soon. Other suggested TLDs are .name, .pro, .aero, .coop, and .museum.

The registry for .biz is NeuLevel. Right now (2001.06.08) NeuLevel is in a process of registering IP (intellectual property) claims that will be used to decide who gets first dibs on certain names. The whole thing is a legal-nightmare-mess right now, and many registrars are trying to offer users the opportunity to "request" or "apply" for a .biz name which can be misleading. Normal registration won't be available until October 1, 2001. For more information check http://www.neulevel.com.

The registry for .info is Afilias, check http://www.afilias.com.

[ What is the oldest second-level domain name in WHOIS? ]

symbolics.com

WHOIS info indicates a creation date of 15-Mar-1985. Wow!

[1] RFC-812 NICNAME/WHOIS
--- http://andrew2.andrew.cmu.edu/rfc/rfc812.html

[2] NSI Glossary - WHOIS
--- http://www.networksolutions.com/cgi-bin/glossary/lookup?term=Whois

[3] VeriSign Global Registry Services
--- http://www.verisign-grs.com/aboutus/faq.html

[4] Generic Top Level Domain Memorandum of Understanding
--- http://www.gtld-mou.org/

What is the shared registry system (SRS)?
--- http://www.inww.com/help/displaytopic.php3?topicid=19

gTLD registries
--- http://www.dnso.icann.org/constituency/gtld/gtld.html