Dive into WHOIS protocol

By | February 13, 2020

WHOIS is a TCP-based query/response protocol which is used to get information about registered domain names, domain name servers, registrar, creation and paid till date. Also it may contain data about domain owner and/or owner’s contact requisites. Default tcp port of WHOIS protocol is 43. The WHOIS client send a text request to the WHOIS server, the request is terminated with CFLF (0xd,0xa) symbols. WHOIS server replies in human-readable format. WHOIS data are distributed in independent databases. If you know whois servers which contains information about requested domain it is possible to query information using telnet session. The example below sends request about russianmafia.ru domain to whois.nic.ru server:

# telnet whois.nic.ru 43
Connected to whois.nic.ru.
Escape character is ‘^]’.
nserver: ns1.whc.ca
nserver: ns2.whc.ca
nserver: ns3.whc.ca
person: Private person
registrar: RU-CENTER-RU
created: 2004.05.20
paid-till: 2020.05.20
source: RU-CENTER

>>> Last update of WHOIS database: 2020.02.12T17:45:13Z <<< Connection closed by foreign host.

But better install whois tool:

# yum install jwhois

whois tool automatically finds whois server with appropriate whois database and sends request to that server:

# whois wordchaos.com
[Querying whois.verisign-grs.com]
Registry Domain ID: 1620877211_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2019-12-12T03:06:47Z
Creation Date: 2010-10-18T02:40:49Z
Registry Expiry Date: 2021-10-18T02:40:49Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.WHC.CA
Name Server: NS2.WHC.CA
Name Server: NS3.WHC.CA
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2020-02-12T18:10:44Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.

How to find right whois server by TLD (top level domain) name. Method 1, send whois request to whois.iana.org server, for example for TLD tv:

# whois –host whois.iana.org tv | grep whois:
whois:   tvwhois.verisign-grs.com

Method 2. It is possible to get the same using DNS protocol. Add TLD prefix tv to whois-servers.net fqdn and query for canonical name:

# nslookup -query-cname tv.whois-servers.net
*** Invalid option: query-cname
Server: nbsp;nbsp;
Address: nbsp;nbsp;nbsp;

Non-authoritative answer:
tv.whois-servers.net nbsp;nbsp;canonical name = tvwhois.verisign-grs.com.
Name: tvwhois.verisign-grs.com
Name: tvwhois.verisign-grs.com
Name: tvwhois.verisign-grs.com

Example of c# whois client in .Net core:

using System;
using System.Text;
using System.Net.Sockets;
namespace whois
   class Program
      const string whois_servers = “whois-servers.net”;
      static void Main(string[] args)
         if(args.Length == 0)
            Console.WriteLine(“Please specify domain name as an argument”);
         // Get TLD part
         char[] dotSeparator = {‘.’};
         string[] levelDomains = args[0].Split(dotSeparator);
         string tld = levelDomains[levelDomains.Length – 1];
         string whoIsServer = tld + ‘.’ + whois_servers;
            TcpClient tcpClient = new TcpClient();
            tcpClient.ReceiveTimeout = 10000;
            tcpClient.SendTimeout = 10000;
            tcpClient.Connect(whoIsServer, 43);
            NetworkStream nws = tcpClient.GetStream();
            byte[] request = Encoding.ASCII.GetBytes(args[0]);
            byte[] requestNew = new byte[request.Length + 2];
            Array.Copy(request, requestNew, request.Length);
            requestNew[request.Length] = 0xd;
            requestNew[request.Length] = 0xa;
            nws.Write(requestNew, 0, requestNew.Length);
            Byte[] response = new Byte[8192];
            int responseSize = nws.Read(response, 0, 8192);
            Console.WriteLine(Encoding.ASCII.GetString(response, 0, responseSize));
         catch (Exception ex)

c# whois client output

Leave a Reply

Your email address will not be published. Required fields are marked *