WHOIS (pronounced as the phrase who is) is a query/response protocol that is widely used for querying databases in order to determine the registrant or assignee of Internet resources, such as a domain name, an IP address block, or an autonomous system number. WHOIS lookups were traditionally performed with a command line interface application, and network administrators predominantly still use this method, but many simplified web-based tools exist. WHOIS services are typically communicated using the Transmission Control Protocol (TCP). Servers listen to requests on the well-known port number 43.

The WHOIS system originated as a method for system administrators to obtain contact information for IP address assignments or domain name administrators. The use of the data in the WHOIS system has evolved into a variety of uses, including:

• Supporting the security and stability of the Internet by providing contact points for network operators and administrators, including ISPs, and certified computer incident response teams;
• Determining the registration status of domain names;
• Assisting law enforcement authorities in investigations for enforcing national and international laws, including, for example, countering terrorism-related criminal offenses and in supporting international cooperation procedures. In some countries, specialized non-governmental entities may be involved in this work;
• Assisting in the combating against abusive uses of Information communication technology, such as illegal and other acts motivated by racism, racial discrimination, xenophobia, and related intolerance, hatred, violence, all forms of child abuse, including pedophilia and child pornography, the trafficking in, and exploitation of, human beings.
• Facilitating inquiries and subsequent steps to conduct trademark clearances and to help counter intellectual property infringement, misuse and theft in accordance with applicable national laws and international treaties;
• Contributing to user confidence in the Internet as a reliable and efficient means of information and communication and as an important tool for promoting digital inclusion, e-commerce and other legitimate uses by helping users identify persons or entities responsible for content and services online; and
• Assisting businesses, other organizations and users in combating fraud, complying with relevant laws and safeguarding the interests of the public.

Presently^[when?] ICANN is undertaking a study to determine the uses and abuses of WHOIS information.^{[citation needed]} Other studies that are ongoing concern the accuracy of WHOIS information, and the effectiveness of the processes for reporting inaccurate public WHOIS information.^{[citation needed]}

Due to the potential abuse of WHOIS information, the registrant of a domain is considered to be whoever controls the domain's username/passwords, e-mail address, and administrative features.^{[citation needed]}

WHOIS has a sister protocol called Referral Whois (RWhois).

[edit] History

When the Internet was emerging out of the ARPANET, there was only one organization that handled all domain registrations, which was DARPA itself. The process of registration was established in RFC 920. WHOIS was standardized in the early 1980s to look-up domains, people and other resources related to domain and number registrations. Because all registration was done by one organization in that time, one centralized server was used for WHOIS queries. This made looking-up such information very easy.

Early WHOIS servers were highly permissive and would allow wild-card searches. You could do a WHOIS lookup on a person's last name and get all the individual people who had that name. Someone could do a query on a keyword and see all registered domains containing that keyword. Someone could even query a given administrative contact and see all domains they were associated with. Due to the advent of the commercialized Internet, multiple registrars and unethical spammers, such permissive searching is no longer available.

Responsibility of domain registration remained with DARPA as the ARPANET became the Internet during the 1980s. UUNet began offering domain registration service, however they simply handled the paperwork which they forwarded to DARPA's Network Information Center (NIC). Then the National Science Foundation directed that management of Internet domain registration would be handled by commercial, 3rd party entities. InterNIC was formed in 1993 under contract with the NSF, consisting of Network Solutions, Inc., General Atomics, and AT&T. General Atomics' contract was cancelled after several years due to performance issues.

On December 1, 1999, management of the top-level domains (TLDs) .com, .net, and .org was turned over to ICANN. At the time, these popular TLDs were switched to a thin WHOIS model. Existing WHOIS clients stopped working at that time. A month later, it had self-detecting CGI support so that the same program could operate a web-based WHOIS lookup, and an external TLD table to support multiple WHOIS servers based on the TLD of the request. This eventually became the model of the modern WHOIS client.

By 2005, there were many more generic top-level domains than there had been in the early 1980s. There are also many more country-code top-level domains. This has led to a complex network of domain name registrars and registrar associations, especially as the management of Internet infrastructure which has become more internationalized. As such, performing a WHOIS query on a domain requires knowing the correct, authoritative WHOIS server to use. Tools to do WHOIS proxy searches have become common. Also, there is a command-line whois client called jwhois which uses a configuration file to map domain names and network blocks to their appropriate registrars.

In 2004, an IETF committee was formed to standardize a whole new way to look-up information on domain names and network numbers. The current working name for this proposed new standard is Cross Registry Information Service Protocol (CRISP).

[edit] Technical and software overview

[edit] Thin and thick lookups

WHOIS information can be stored and looked up according to either a "thick" or a "thin" data model:

Thick

one WHOIS server stores the complete WHOIS information from all the registrars for the particular set of data (so that one WHOIS server can respond with WHOIS information on all org domains, for example).

Thin

one WHOIS server stores only the name of the WHOIS server of the registrar of a domain, which in turn has the full details on the data being looked up (such as the .com WHOIS servers, which refer the WHOIS query to the registrar where the domain was registered).

The thick model usually ensures consistent data and slightly faster lookups (since only one WHOIS server needs to be contacted). If a registrar goes out of business, a thick registry contains all important information (if the registrant entered correct data, and privacy features were not used to obscure the data) and registration information can be retained. But with a thin registry, the contact information might not be available (unless adequately escrowed), and it could be difficult for the rightful registrant to retain control of the domain.^[1]

If a WHOIS client did not understand how to deal with this situation, it would display the full information from the registrar. Unfortunately, the WHOIS protocol has no standard for determining how to distinguish the thin model from the thick model.

Specific details of which records are stored vary among domain name registries. Some top-level domains, including .com and .net, operate a thin WHOIS, requiring domain registrars to maintain their own customers' data. Other registries, including .org, operate a thick model.^{[citation needed]}

[edit] Command-line clients

Originally the only method by which a WHOIS server could be contacted was to use a command line interface text client. In most cases this was on a Unix or Unix-like platform. The WHOIS client software was (and still is) distributed as open source. Various commercial Unix implementations may use their own implementations (for example, Sun Solaris 7 has a WHOIS client authored by Sun).

A WHOIS command line client typically has options to choose which host to connect to for whois queries, with a default whois server being compiled in. Additional options may allow control of what port to connect on, displaying additional debugging data, or changing recursion/referral behavior.

Like most TCP/IP client/server applications, a WHOIS client takes the user input and then opens an IP socket to its destination server. The WHOIS protocol is used to establish a connection on the appropriate port and send the query. The client waits for a response from the server, which it then either returns to the end-user or uses to make additional queries. .

The source package of GNU whois command-line client can be downloaded from Free Software Directory. A Windows port of this can be acquired from SourceForge. Windows users also can acquire a WHOIS command-line client from Microsoft as part of its Sysinternals Suite.^[2]

[edit] Graphical clients

The term "graphical client" may be a bit of a misnomer for a WHOIS client, since all the data to be derived from a WHOIS server is plain text, and the protocol is a relatively static one. There is not much interaction to do with a WHOIS server. In this context, the term "graphical client" is taken to mean a WHOIS client that runs as an application on a GUI OS and uses the OS's standard GUI for user interaction.

[edit] Web-based queries

With the advent of the World Wide Web and especially the loosening up of the Network Solutions monopoly, looking up WHOIS information via the web has become quite common. At present, popular web-based WHOIS-queries may be conducted from ARIN,^[3] RIPE^[4] and APNIC.^[5][6] Most early web-based WHOIS clients were merely front-ends to a command-line client, where the resulting output just got displayed on a webpage with little, if any, clean-up or formatting.

Nowadays, web based WHOIS clients usually perform the WHOIS queries directly and then format the results for display. Many such clients are proprietary, authored by domain name registrars.

The need for web-based clients came from the fact that command-line WHOIS clients largely existed only in the Unix and large computing worlds. Microsoft Windows and Macintosh computers had no WHOIS clients, so registrars had to find a way to provide access to WHOIS data for potential customers. Many end-users still rely on such clients, even though command line and graphical clients exist now for most home PC platforms.

There are also many sites not owned by registrars or Internet-related companies. These support most of main TLD and remains free. But most of web-based whois sites are incomplete and do not support all TLD nor IP search.

Some work from a built-in whois-server list and some other try to retrieve the one which fits the TLD you ask for from a live Domain Information Groper query (command line clients do this query in background first).

[edit] Perl modules

CPAN has several Perl modules available that work with WHOIS servers. Many of them are not current and do not fully function with the current (2005) WHOIS server infrastructure. However, there is still much useful functionality to derive including looking up AS numbers and registrant contacts.

[edit] Querying individual Regional Internet Registries directly

WHOIS servers operated by Regional Internet Registries (RIR) can be queried directly to determine the Internet Service Provider responsible for a particular resource. For web-based searches, these server URLs are:

• ARIN: http://ws.arin.net/whois
• RIPE NCC: http://www.ripe.net/whois/
• APNIC: http://whois.apnic.net
• LACNIC: http://whois.lacnic.net
• AfriNIC: http://whois.afrinic.net

The records of each of these registries are cross-referenced, so that a query to ARIN for a record which belongs to RIPE will return a placeholder pointing to the RIPE WHOIS server. This lets the WHOIS user making the query know that the detailed information resides on the RIPE server. In addition to the RIRs servers, commercial services exist, such as the Routing Assets Database used by some large networks (e.g., large Internet providers that acquired other ISPs in several RIR areas).

[edit] Determining the WHOIS server for a domain name

There is currently no standard for determining the responsible WHOIS server for a DNS domain, though two methods are in common use for top-level domains (TLDs):

• Whois-servers.net provides DNS alias records (CNAME) for TLD WHOIS servers of the form <tld>.whois-servers.net.

For example, the alias com.whois-servers.net can be used in place of the WHOIS server name for the com TLD in a command line query:

 whois -h com.whois-servers.net example.com 

The GNU WHOIS utility automatically uses the whois-servers.net service.

• Some TLDs publish a server referral (SRV record) for the WHOIS protocol in their zone, which identifies their WHOIS server. This SRV record is of the format _nicname._tcp.<tld>.

For example, the WHOIS server for nz can be found by querying for the SRV record:

 dig +short _nicname._tcp.nz srv 

which returns the result:

 0 0 43 whois.srs.net.nz. 

[edit] Query example

Normally the contact information of the resources' assignee is returned. However, some registrars offer private registration, in which case the contact information of the registrar is shown instead.

Some registry operators are wholesalers, meaning that they typically sell com and other domain names to a large number of retail registrars, who in turn sell them to consumers. For private registration, only the identity of the wholesale registrar may be returned. In this case, the identity of the individual as well as the "retail registrar" may be hidden.

Below is an example of WHOIS data returned for an individual resource holder. This is the result of a WHOIS query on wikipedia.org:

  Domain ID:  D51687756-LROR  Domain Name:  WIKIPEDIA.ORG  Created On:  13-Jan-2001 00:  12:  14 UTC  Last Updated On:  08-Jun-2007 05:  48:  52 UTC  Expiration Date:  13-Jan-2015 00:  12:  14 UTC  Sponsoring Registrar:  GoDaddy.com, Inc. (R91-LROR)  Status:  CLIENT DELETE PROHIBITED  Status:  CLIENT RENEW PROHIBITED  Status:  CLIENT TRANSFER PROHIBITED  Status:  CLIENT UPDATE PROHIBITED  Registrant ID:  GODA-09495921  Registrant Name:  DNS Admin  Registrant Organization:  Wikimedia Foundation, Inc.  Registrant Street1:  P.O. Box 78350  Registrant Street2:    Registrant Street3:    Registrant City:  San Francisco  Registrant State/Province:  California  Registrant Postal Code:  94107-8350  Registrant Country:  US  Registrant Phone:  +1.4158396885  Registrant Phone Ext.:    Registrant FAX:  +1.4158820495  Registrant FAX Ext.:    Registrant Email:  dns-admin@wikimedia.org  Admin ID:  GODA-29495921  Admin Name:  DNS Admin  Admin Organization:  Wikimedia Foundation, Inc.  Admin Street1:  P.O. Box 78350  Admin Street2:    Admin Street3:    Admin City:  San Francisco  Admin State/Province:  California  Admin Postal Code:  94107-8350  Admin Country:  US  Admin Phone:  +1.4158396885  Admin Phone Ext.:    Admin FAX:  +1.4158820495  Admin FAX Ext.:    Admin Email:  dns-admin@wikimedia.org  Tech ID:  GODA-19495921  Tech Name:  DNS Admin  Tech Organization:  Wikimedia Foundation, Inc.  Tech Street1:  P.O. Box 78350  Tech Street2:    Tech Street3:    Tech City:  San Francisco  Tech State/Province:  California  Tech Postal Code:  94107-8350  Tech Country:  US  Tech Phone:  +1.4158396885  Tech Phone Ext.:    Tech FAX:  +1.4158820495  Tech FAX Ext.:    Tech Email:  dns-admin@wikimedia.org  Name Server:  NS0.WIKIMEDIA.ORG  Name Server:  NS1.WIKIMEDIA.ORG  Name Server:  NS2.WIKIMEDIA.ORG 

[edit] Problems

• Privacy: Registrant's contact details, such as address and telephone number, are easily accessible to anyone for most top-level domains. Although some registrars offer private registrations (where the contact information of the registrar is shown), under ICANN rules the registrar or "private registration" company is then lessor of the domain.^{[citation needed]}
• Registrant may be obscured: In the case of private registration, it may be difficult for a registrant to confirm their registration status. See section "Accuracy of information".
• False registrations: The privacy services mentioned above are often abused by people involved in illegal activity, who use them in the knowledge that it makes it extremely difficult for entities (even law-enforcement officers) outside of their registrar's legal jurisdiction to obtain their contact details. The fact that some registrars are uncooperative when notified of illegal activity makes this situation somewhat worse.
• Inaccuracy of information: Some registrars are not sufficiently careful to ensure the accuracy of contact details listed in the WHOIS. In order to combat this issue, ICANN has threatened to terminate the accreditation of registrars that do not take sufficient action to correct inadequacies.^[7]
• Obsolescence: most of the information stored in a WHOIS server is subject to change later in time. For instance, the registrant may change his (geographical) address. Since the email address used to administer the domain often remains valid, the registrant may not update its address.
• History: when a domain record is updated (moved, sold), the previous information is not archived but overwritten. A few WHOIS servers, however, do automatically monitor and cache the records for domains which were queried through their interface, making the WHOIS history partially available.
• Spam: Spammers often harvest plain-text email addresses from WHOIS requests. This means that both WHOIS servers and websites offering WHOIS lookups have resorted to special systems (such as CAPTCHA, where users have to type in letters or numbers from a picture) and rate-limiting systems.
• Internationalization: The WHOIS protocol was not written with an international audience in mind. A WHOIS server cannot tell which text encoding it is using for either the requests or replies, and the servers were originally all simply using US-ASCII, although this cannot be assumed anymore with international servers. This obviously will impact the usability of the WHOIS protocol in countries outside the USA, especially as internationalized domain names are falling into wider use. A user can (and possibly will have to due to this limitation) use punycode, but this leads to conversion problems as the punycode system is not easy for a regular user to grasp.
• Lack of WHOIS server lists: There is no central list of WHOIS servers. Therefore, people writing WHOIS tools need to find their own list of WHOIS servers, and different WHOIS tools may contact different WHOIS servers.
• Different registrars' WHOIS servers return results in different formats, making automation of parsing WHOIS data difficult. While such automation has many legitimate uses (primarily for ISPs), it also lends itself to use by spammers and other people acting unethically.
• Domain Tasting: Some registrars & web based domain availability checking sites have been harvesting users' domain searches & then register those domains themselves. Usually, these companies test the domains for traffic for about 4–5 days and then cancel the registration.^{[citation needed]}
• Domain name front running: Some registrars, notably Network Solutions have been accused of front running domain names immediately upon WHOIS queries for that domain, effectively locking potential buyers into paying premium second-sale rates to that registrar.^[8]

[edit] Accuracy of information

In cases where the registrant's identity is public, anyone can easily confirm the status of a domain via WHOIS.

In the case of private registrations, ascertaining registration information may be more difficult. If a registrant has acquired a domain name and wants to verify that the registrar has indeed completed the registration process, three steps may be required: 1) perform a WHOIS and confirm that the resource is at least registered with ICANN, 2) determine the name of the wholesale registrar, and 3) contact the wholesaler and obtain the name of the retail registrar. This provides some confidence that the retailer actually registered the name. But if the registrar goes out of business, such as the failure of RegisterFly in 2007, the rightful domain holder with privacy-protected registrations may have difficulty retaining domain administration.^[1] The end user of "private registration" can attempt to protect themselves by using a registrar that places customer data in escrow with a third party.

ICANN requires that each domain name registrant be given the opportunity to correct any inaccurate contact data associated with a domain. For this reason, the registrar is required to periodically send the holder the contact information on record for verification.

[edit] Law and policy

WHOIS has generated policy issues in the United States federal government. As noted above, WHOIS creates a privacy issue which is also tied to free speech and anonymous speech. However, WHOIS is an important tool for law enforcement officers investigating violations like spam and phishing to track down the holders of domain names. Law enforcement officers become frustrated when WHOIS records are filled with rubbish. As a result, law enforcement agencies have sought to make WHOIS records both open and verified:^[9]

• The Federal Trade Commission has testified about how inaccurate WHOIS records thwart their investigations.^[10]
• There have been congressional hearings that have touched on the importance of WHOIS in 2006, 2002, and 2001.^[11]
• The Fraudulent Online Identity Sanctions Act "make it a violation of trademark and copyright law if a person knowingly provided, or caused to be provided, materially false contact information in making, maintaining, or renewing the registration of a domain name used in connection with the violation,"^[12] where the latter "violation" refers to a prior violation of trademark or copyright law. The act does not make the submission of false WHOIS data illegal in itself, only if used to shield oneself from prosecution for crimes committed using that domain name.

[edit] See also

• Domain name registry
• Regional Internet registry
• Routing Policy Specification Language
• Routing Assets Database
• Shared Whois Project

[edit] Request for Comments

• RFC 812 – NICNAME/WHOIS (1982, obsolete)
• RFC 954 – NICNAME/WHOIS (1985, obsolete)
• RFC 3912 – WHOIS protocol specification (2004, current)
• Complete list of RFCs about whois

[edit] References

[edit] External links

• The Internet Corporation for Assigned Names and Numbers
• The Internet Assigned Numbers Authority
• WHOIS web sites at the Open Directory Project