Lesson 88: whois Command
In this lesson, you'll learn how to use the whois command to look up information about registered domain names and IP address blocks in Linux.
The whois command is a TCP-based client that communicates with WHOIS servers (also called registry databases) on port 43.
These servers maintain authoritative registration records for every publicly registered domain and IP address block on the Internet.
When you run whois, your system queries the appropriate Regional Internet Registry (RIR) or domain registrar's WHOIS server and returns the raw registration record in human-readable format.
For sysadmins, whois is a first-line tool for investigating suspicious traffic, verifying IP ownership before firewall decisions, checking domain expiry dates, and identifying abuse contacts when dealing with spam or attacks originating from a specific network.
Installation
The whois client is not pre-installed on many Linux distributions. Install it with the appropriate command for your distribution:
sudo apt install whois # Debian/Ubuntu
Or:
sudo dnf install whois # Fedora/RHEL 9+
Or:
sudo yum install whois # RHEL/CentOS 7/8
Syntax
whois [OPTIONS] OBJECT
Where OBJECT is a domain name, IP address, ASN, or network block.
Options
| Option | Description |
|---|---|
| -h <host> | Query a specific WHOIS server instead of the default |
| -p <port> | Connect to the specified port (default: 43) |
| -a | Search all databases |
| -r | Disable recursive lookups |
| -R | Force recursive lookups |
| -B | Disable filtering of WHOIS output |
| -H | Suppress legal disclaimers in output |
| -v | Enable verbose output |
| --verbose | Alias for -v |
Understanding Regional Internet Registries (RIRs)
Before diving into examples, it helps to know that the internet's IP address space is managed by five Regional Internet Registries, each responsible for a geographic region:
| Registry | Region | WHOIS Server |
|---|---|---|
| ARIN | North America | whois.arin.net |
| RIPE NCC | Europe, Middle East, Central Asia | whois.ripe.net |
| APNIC | Asia Pacific | whois.apnic.net |
| LACNIC | Latin America and Caribbean | whois.lacnic.net |
| AFRINIC | Africa | whois.afrinic.net |
The whois client automatically determines the correct RIR to query based on the IP address or domain you provide. You only need to specify a server manually (-h) in edge cases.
1. Look Up an IP Address
whois 216.58.206.46
NetRange: 216.58.192.0 - 216.58.223.255
CIDR: 216.58.192.0/19
NetName: GOOGLE
NetHandle: NET-216-58-192-0-1
NetType: Direct Allocation
OriginAS: AS15169
Organization: Google LLC (GOGL)
RegDate: 2012-01-27
Updated: 2012-01-27
OrgName: Google LLC
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
OrgAbuseEmail: [email protected]
OrgAbusePhone: +1-650-253-0000
The key fields to focus on for sysadmin work:
| Field | What It Means |
|---|---|
| NetRange | The full IP block this address belongs to |
| CIDR | The network block in CIDR notation |
| Organization | Who owns this IP block |
| OriginAS | The Autonomous System Number (ASN) announcing this block |
| Country | Where the organization is registered |
| OrgAbuseEmail | Where to send abuse reports for traffic from this block |
Running whois on the source IP immediately tells you the owning organization and their abuse contact, the two things you need to either report the activity or decide whether to block the entire network range.
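As an added example (not part of the lesson), a small Python script that performs the port-43 exchange described above and then pulls the key fields out of a record like the one shown, checking that the queried IP actually sits inside the returned CIDR before you act on it. The function names whois_query, parse_record and summarize are assumptions, and the sample record is constructed from the output above with a placeholder abuse address.

```python
import ipaddress
import socket

# RFC 3912 client: send the object plus CRLF to TCP port 43, read until the
# server closes. Needs network access; the offline check below does not call it.
def whois_query(obj, server="whois.arin.net", port=43, timeout=10):
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(obj.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_record(text):
    """'Key: value' lines into a dict; '#'/'%' comments skipped, first value wins."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())
    return fields

def summarize(ip, text):
    """Fields a sysadmin acts on, plus a check that ip really lies in the CIDR."""
    f = parse_record(text)
    net = ipaddress.ip_network(f["CIDR"], strict=False)
    return {
        "cidr": str(net),
        "org": f.get("Organization", f.get("OrgName", "")),
        "asn": f.get("OriginAS", ""),
        "country": f.get("Country", ""),
        "abuse": f.get("OrgAbuseEmail", ""),
        "ip_in_block": ipaddress.ip_address(ip) in net,
    }

# Constructed sample modelled on the ARIN record above; abuse address is a placeholder.
SAMPLE = """\
# ARIN WHOIS data and services are subject to the Terms of Use
NetRange:       216.58.192.0 - 216.58.223.255
CIDR:           216.58.192.0/19
OriginAS:       AS15169
Organization:   Google LLC (GOGL)
Country:        US
OrgAbuseEmail:  abuse@example.com
"""
```

Call `summarize("216.58.206.46", whois_query("216.58.206.46"))` to run it against a live registry; an `ip_in_block` of False means the record you got back does not cover the address you asked about and should not be used for a firewall decision.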