>_cmd.script

whois

Look up domain registration information

Networking

By CMD Script Team · 4 min read · Last updated

SYNTAX
whois [OPTIONS] DOMAIN

Options

Command options and flags
FlagDescription
-h HOSTQuery a specific WHOIS server instead of the default one chosen automatically
-p PORTConnect to the WHOIS server on a non-default port (default is 43)
-HHide legal disclaimers and boilerplate text often prepended to WHOIS responses
-QQuick lookup: query only the first matching server, skipping the usual referral chase

Distribution compatibility

  • Ubuntu
  • Debian
  • Fedora
  • Arch
  • macOS

What it does

whois queries domain registry and registrar databases to return administrative information about a domain name: the registrar, registration and expiry dates, name servers, domain status codes, and (when not privacy-redacted) registrant contact details. It can also query regional internet registries for information about who an IP address block is allocated to. It's an entirely different data source from DNS — it tells you about ownership and registration, not how a name resolves.

Beginner examples

  • whois example.com — show registration details for a domain
  • whois 93.184.216.34 — show allocation/ownership info for an IP address
  • whois example.org | grep -i "expir" — extract just the expiry date from the output
  • whois example.com | grep -i "name server" — extract the domain's name servers
whois example.com

Advanced examples

  • Check when a domain you rely on is due to expire, to avoid an accidental lapse: whois yourdomain.com | grep -iE "expir|registry expiry"
  • Compare the name servers reported by WHOIS against what DNS actually resolves to, to catch a stale or misconfigured delegation: whois example.com | grep -i "name server" alongside dig NS example.com +short
  • Investigate a suspicious domain during a security review by checking registrar, creation date, and status codes (a very recently created domain with a "clientHold" status is a common phishing red flag).
  • Query a non-default WHOIS server directly when the automatic referral doesn't return useful data: whois -h whois.nic.io example.io
whois suspicious-domain.com | grep -iE "creation date|registrar|status"

Common mistakes

  • Expecting whois to show registrant name/email/phone by default — GDPR-driven privacy redaction means most .com/.org/etc. registrations now show a privacy proxy instead of real contact details.
  • Confusing whois output with DNS records — WHOIS won't tell you a domain's IP address or mail server; use dig/host for that.
  • Assuming a single, universal WHOIS server exists — different TLDs are managed by different registries, and the client has to follow referrals to reach the right one (usually automatic, but not always).
  • Running frequent automated whois queries against many domains without rate limiting — some WHOIS servers throttle or temporarily block clients that query too fast.

Tips

  • Pipe whois output through grep -i to pull just the fields you care about (registrar, expiry, name servers) instead of reading the entire raw response.
  • If a domain's WHOIS output looks sparse or unhelpful, try the registrar's own web-based WHOIS lookup tool — some registries restrict what the command-line protocol returns versus their web interface.
  • For bulk/frequent domain monitoring (like expiry tracking), consider a dedicated RDAP client or API instead of scripting raw whois, since RDAP returns structured JSON and is the modern successor protocol.

Best practices

  • Set a calendar reminder well before a domain's WHOIS-reported expiry date — letting a production domain lapse is a self-inflicted outage that's entirely avoidable.
  • When investigating a domain for security purposes, cross-reference WHOIS creation date/registrar against DNS history and certificate transparency logs rather than trusting WHOIS alone — WHOIS data can be redacted or occasionally inaccurate.
  • Avoid hardcoding a specific WHOIS server in scripts unless you have a proven reason to bypass the referral chain — the default auto-referral logic handles the vast majority of TLDs correctly.

Try it yourself

A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.

Real-world use cases

  • Verifying who owns a domain and when it expires before an acquisition, migration, or security incident response.
  • Confirming that a newly registered domain's name servers match what you expect after transferring DNS providers.
  • Preliminary reconnaissance during a phishing or abuse investigation — checking registrar, registration date, and status of a suspicious domain.

Common interview questions

  • What's the difference between whois and dig? whois queries registry/registrar databases for domain ownership and administrative info; dig queries DNS servers for resolution records (A, MX, NS, etc.) — entirely different data sources.
  • Why might a whois lookup show little to no registrant contact information? GDPR and similar privacy regulations require registrars to redact personal contact details by default, replacing them with a privacy-proxy service.
  • Can whois be used to look up information about an IP address, not just a domain? Yes — whois <ip> queries the relevant regional internet registry (ARIN, RIPE, APNIC, LACNIC, AFRINIC) for allocation/ownership details of that IP block.

Frequently Asked Questions

Why does whois sometimes return almost no useful information?

Since GDPR and similar privacy regulations took effect, many registrars redact registrant contact details (name, email, phone) by default, showing a privacy-proxy service instead. Registrar, name servers, and expiry dates are usually still visible even when contact info is redacted.

How is whois different from dig or host?

dig and host query DNS servers for records (A, MX, NS, etc.) that resolve names to addresses. whois queries a completely separate system — domain registry/registrar databases — for administrative information: who registered the domain, which registrar manages it, and when it expires.

Can whois look up IP addresses too?

Yes — `whois 8.8.8.8` queries the regional internet registry (ARIN, RIPE, APNIC, etc.) responsible for that IP block, returning ownership and allocation details rather than domain registration data.

Why do I need to specify a WHOIS server manually sometimes?

whois normally auto-detects the right server by asking IANA's root WHOIS server which registry handles a given TLD, then follows the referral. For unusual or newer TLDs this referral chain occasionally fails or points somewhere unhelpful, in which case `-h whois.example-registry.net` lets you query the correct server directly.

Cheat sheet

Download a quick-reference cheat sheet for whois.