whois
Look up domain registration information
By CMD Script Team · 4 min read · Last updated
whois [OPTIONS] DOMAINOptions
| Flag | Description |
|---|---|
-h HOST | Query a specific WHOIS server instead of the default one chosen automatically |
-p PORT | Connect to the WHOIS server on a non-default port (default is 43) |
-H | Hide legal disclaimers and boilerplate text often prepended to WHOIS responses |
-Q | Quick lookup: query only the first matching server, skipping the usual referral chase |
Distribution compatibility
- Ubuntu
- Debian
- Fedora
- Arch
- macOS
What it does
whois queries domain registry and registrar databases to return administrative
information about a domain name: the registrar, registration and expiry dates, name
servers, domain status codes, and (when not privacy-redacted) registrant contact
details. It can also query regional internet registries for information about who an IP
address block is allocated to. It's an entirely different data source from DNS — it
tells you about ownership and registration, not how a name resolves.
Beginner examples
whois example.com— show registration details for a domainwhois 93.184.216.34— show allocation/ownership info for an IP addresswhois example.org | grep -i "expir"— extract just the expiry date from the outputwhois example.com | grep -i "name server"— extract the domain's name servers
whois example.com
Advanced examples
- Check when a domain you rely on is due to expire, to avoid an accidental lapse:
whois yourdomain.com | grep -iE "expir|registry expiry" - Compare the name servers reported by WHOIS against what DNS actually resolves to, to
catch a stale or misconfigured delegation:
whois example.com | grep -i "name server"alongsidedig NS example.com +short - Investigate a suspicious domain during a security review by checking registrar, creation date, and status codes (a very recently created domain with a "clientHold" status is a common phishing red flag).
- Query a non-default WHOIS server directly when the automatic referral doesn't return
useful data:
whois -h whois.nic.io example.io
whois suspicious-domain.com | grep -iE "creation date|registrar|status"
Common mistakes
- Expecting
whoisto show registrant name/email/phone by default — GDPR-driven privacy redaction means most.com/.org/etc. registrations now show a privacy proxy instead of real contact details. - Confusing
whoisoutput with DNS records — WHOIS won't tell you a domain's IP address or mail server; usedig/hostfor that. - Assuming a single, universal WHOIS server exists — different TLDs are managed by different registries, and the client has to follow referrals to reach the right one (usually automatic, but not always).
- Running frequent automated
whoisqueries against many domains without rate limiting — some WHOIS servers throttle or temporarily block clients that query too fast.
Tips
- Pipe
whoisoutput throughgrep -ito pull just the fields you care about (registrar, expiry, name servers) instead of reading the entire raw response. - If a domain's WHOIS output looks sparse or unhelpful, try the registrar's own web-based WHOIS lookup tool — some registries restrict what the command-line protocol returns versus their web interface.
- For bulk/frequent domain monitoring (like expiry tracking), consider a dedicated RDAP
client or API instead of scripting raw
whois, since RDAP returns structured JSON and is the modern successor protocol.
Best practices
- Set a calendar reminder well before a domain's WHOIS-reported expiry date — letting a production domain lapse is a self-inflicted outage that's entirely avoidable.
- When investigating a domain for security purposes, cross-reference WHOIS creation date/registrar against DNS history and certificate transparency logs rather than trusting WHOIS alone — WHOIS data can be redacted or occasionally inaccurate.
- Avoid hardcoding a specific WHOIS server in scripts unless you have a proven reason to bypass the referral chain — the default auto-referral logic handles the vast majority of TLDs correctly.
Try it yourself
A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.
Real-world use cases
- Verifying who owns a domain and when it expires before an acquisition, migration, or security incident response.
- Confirming that a newly registered domain's name servers match what you expect after transferring DNS providers.
- Preliminary reconnaissance during a phishing or abuse investigation — checking registrar, registration date, and status of a suspicious domain.
Common interview questions
- What's the difference between whois and dig? whois queries registry/registrar databases for domain ownership and administrative info; dig queries DNS servers for resolution records (A, MX, NS, etc.) — entirely different data sources.
- Why might a whois lookup show little to no registrant contact information? GDPR and similar privacy regulations require registrars to redact personal contact details by default, replacing them with a privacy-proxy service.
- Can whois be used to look up information about an IP address, not just a domain?
Yes —
whois <ip>queries the relevant regional internet registry (ARIN, RIPE, APNIC, LACNIC, AFRINIC) for allocation/ownership details of that IP block.
Frequently Asked Questions
Why does whois sometimes return almost no useful information?
Since GDPR and similar privacy regulations took effect, many registrars redact registrant contact details (name, email, phone) by default, showing a privacy-proxy service instead. Registrar, name servers, and expiry dates are usually still visible even when contact info is redacted.
How is whois different from dig or host?
dig and host query DNS servers for records (A, MX, NS, etc.) that resolve names to addresses. whois queries a completely separate system — domain registry/registrar databases — for administrative information: who registered the domain, which registrar manages it, and when it expires.
Can whois look up IP addresses too?
Yes — `whois 8.8.8.8` queries the regional internet registry (ARIN, RIPE, APNIC, etc.) responsible for that IP block, returning ownership and allocation details rather than domain registration data.
Why do I need to specify a WHOIS server manually sometimes?
whois normally auto-detects the right server by asking IANA's root WHOIS server which registry handles a given TLD, then follows the referral. For unusual or newer TLDs this referral chain occasionally fails or points somewhere unhelpful, in which case `-h whois.example-registry.net` lets you query the correct server directly.
Cheat sheet
Download a quick-reference cheat sheet for whois.