whois Commands

Query domain registration information, expiration dates, registrars, and ownership details

Basic Domain Lookups

Basic domain lookup

whois example.com

Shows complete WHOIS record including registrar, creation date, expiration date, name servers, and registrant contact.

Query subdomain (uses parent domain)

whois www.example.com

WHOIS automatically queries the parent domain. Subdomain information is not separately registered.

Query international domain (IDN)

whois münchen.de

Query internationalized domain names with non-ASCII characters. Automatically converts to punycode format.

IP Address Lookups

Query IPv4 address

whois 93.184.216.34

Shows network allocation, organization, abuse contact, and regional internet registry (RIR) information.

Query IPv6 address

whois 2606:2800:220:1:248:1893:25c8:1946

Shows IPv6 network allocation details. Format and available information similar to IPv4 lookups.

Query CIDR block

whois 93.184.216.0/24

Query entire IP network range. Shows allocation details for the network block.

Using Specific WHOIS Servers

Query specific WHOIS server

whois -h whois.verisign-grs.com example.com

Query a specific WHOIS server directly. Useful for getting authoritative data or bypassing rate limits.

Query IANA for IP allocation

whois -h whois.iana.org 8.8.8.8

Query IANA to find which Regional Internet Registry (RIR) manages an IP address range.

Query ARIN for North American IPs

whois -h whois.arin.net 8.8.8.8

American Registry for Internet Numbers manages North American IP allocations.

Query RIPE for European IPs

whois -h whois.ripe.net 8.8.8.8

RIPE NCC manages European, Middle Eastern, and Central Asian IP allocations.

Extracting Specific Information

Check domain expiration date

whois example.com | grep -i "expir"

Extract expiration date to monitor domain renewal deadlines. Critical for certificate validation.

Find registrar information

whois example.com | grep -i "registrar"

Identify which company manages the domain registration. Useful for transfer or support requests.

Check name servers

whois example.com | grep -i "name server"

List authoritative name servers for the domain. Verify DNS provider configuration.

Check domain status

whois example.com | grep -i "status"

Shows EPP status codes like clientTransferProhibited, serverHold, etc. Indicates domain lock status.

Find creation date

whois example.com | grep -i "creation\|created"

Determine when domain was first registered. Useful for assessing domain age and legitimacy.

Check DNSSEC status

whois example.com | grep -i "dnssec"

Verify if DNSSEC is enabled for the domain. Important for security validation.

Privacy and Protection Detection

Detect WHOIS privacy protection

whois example.com | grep -i "privacy\|proxy\|redacted"

Check if domain uses privacy protection service to hide registrant contact information.

Check for GDPR redaction

whois example.com | grep -i "redacted\|gdpr"

Many registrars now redact personal information due to GDPR privacy regulations.

Find abuse contact

whois example.com | grep -i "abuse"

Extract abuse contact email even when other contact info is redacted. Used for reporting issues.

Multiple TLDs and Extensions

Check domain across multiple TLDs

for tld in com net org; do
  echo "=== $tld ==="
  whois "example.$tld" | grep -i "expir"
done

Check registration status across multiple top-level domains. Useful for brand protection.

Query country-code TLD

whois example.co.uk

Country-code TLDs often have different WHOIS servers and formats. Some require additional registration.

Query new gTLD

whois example.tech

New generic TLDs (.tech, .app, .dev) have their own WHOIS servers managed by respective registries.

Output Format Options

Display raw WHOIS output

whois example.com

By default, whois shows unformatted output from the WHOIS server. No processing or filtering applied.

Show queried WHOIS servers (verbose)

whois --verbose example.com

Show which WHOIS servers are being queried. Useful for debugging WHOIS lookup chain.

Save output to file

whois example.com > domain_info.txt

Save WHOIS data for record-keeping or comparison. Useful for monitoring domain changes over time.

Automation and Monitoring

Check if domain is available

whois example.com | grep -qi "no match\|not found" && echo "Available" || echo "Registered"

Simple availability check. Note that messages vary by registry and may require adjustment.

Monitor domain expiration

#!/bin/bash
DOMAIN="example.com"
# Quote the variable so the domain reaches whois as a single argument
EXPIRY=$(whois "$DOMAIN" | grep -i "expir" | head -1)
echo "$DOMAIN expires: $EXPIRY"

Basic script to extract and display expiration date. Add to cron for regular monitoring.
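
The first line containing "expir" can be a banner or legal notice rather than the date field, and the field label differs between registries. The following is an added example, not part of the original page: it matches only known expiry labels, reports days remaining, and returns UNKNOWN instead of passing silently when no date parses. The label list, function names and sample records are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Sample records are constructed.

# Print the expiry date (YYYY-MM-DD) from a WHOIS record on stdin. Only known
# field labels at the start of a line count (the list is an assumption; extend
# it per registry), so banners that merely mention "expiration" are skipped.
whois_expiry_date() {
  awk '{
    line = tolower($0); sub(/^[ \t]+/, "", line)
    if (line !~ /^(registry expiry date|registrar registration expiration date|expiration date|expiry date|paid-till|expires):/) next
    sub(/^[^:]*:[ \t]*/, "", line)
    if (line ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/) {
      print substr(line, 1, 10); found = 1; exit
    }
  } END { exit !found }'
}

# Days since 1970-01-01 for YYYY-MM-DD, done in awk so no date(1) flavour is needed.
epoch_days() {
  echo "$1" | awk -F'-' '{
    y = $1 + 0; m = $2 + 0; d = $3 + 0
    if (m <= 2) y--
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
    print era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
  }'
}

# Classify a record on stdin. Usage: expiry_state TODAY WARN_DAYS < record
expiry_state() {
  _exp=$(whois_expiry_date) || { echo "UNKNOWN"; return 0; }
  _left=$(( $(epoch_days "$_exp") - $(epoch_days "$1") ))
  if [ "$_left" -lt 0 ]; then echo "EXPIRED $_left"
  elif [ "$_left" -le "$2" ]; then echo "WARN $_left"
  else echo "OK $_left"; fi
}

sample_gtld() { cat <<'EOF'
% Constructed banner: expiration reminders are sent by the sponsoring registrar.
   Domain Name: EXAMPLE.COM
   Registry Expiry Date: 2026-08-13T04:00:00Z
   Domain Status: clientTransferProhibited
EOF
}
sample_cctld() { printf 'domain: EXAMPLE.RU\npaid-till: 2026-08-13T04:00:00Z\n'; }
sample_redacted() { printf 'Domain Name: example.test\nExpiry: REDACTED\n'; }

sample_gtld | expiry_state 2026-07-14 30
```

In a cron job, feed it live data with `whois "$DOMAIN" | expiry_state "$(date +%F)" 30` and alert on anything other than OK.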

Bulk domain lookup

#!/bin/bash
for domain in example.com example.net example.org; do
  echo "=== $domain ==="
  whois "$domain" | grep -i "expir"
  sleep 2  # Rate limiting
done

Check multiple domains with rate limiting to avoid being blocked by WHOIS servers.

Compare current vs historical data

whois example.com > current.txt
diff previous.txt current.txt

Track changes in domain registration over time. Useful for security monitoring and auditing.
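
A raw diff of two WHOIS snapshots reports a change on every run, because the database timestamp, letter case and line order vary between queries. The following is an added example, not part of the original page: it compares only the registrar, name server, EPP status and DNSSEC lines. The function names, field selection and sample records are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Sample snapshots are constructed.

# Reduce a WHOIS record (stdin) to the fields whose change matters for security
# monitoring: registrar, name servers, EPP status, DNSSEC. Lines are lower-cased,
# stripped of status URLs and sorted, so timestamps, case and order cause no diff.
whois_fingerprint() {
  awk '{
    line = tolower($0); sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
    if (line !~ /^(registrar|name server|domain status|dnssec):/) next
    sub(/:[ \t]+/, ": ", line); sub(/ https?:\/\/.*$/, "", line)
    print line
  }' | LC_ALL=C sort -u
}

# Compare two snapshot files. Prints "+ line" for added and "- line" for removed
# fingerprint lines; exit status 0 = no relevant change, 1 = drift.
whois_drift() {
  _d=$( { whois_fingerprint < "$1" | sed 's/^/- /'
          whois_fingerprint < "$2" | sed 's/^/+ /'; } |
        awk '{ k = substr($0, 3); c[k] += ($1 == "-") ? -1 : 1 }
             END { for (k in c) if (c[k]) { s = (c[k] < 0) ? "- " : "+ "; print s k } }' |
        LC_ALL=C sort )
  [ -z "$_d" ] && return 0
  printf '%s\n' "$_d"; return 1
}

# Constructed record. Arguments: second name server, EPP status, database timestamp.
sample_record() { cat <<EOF
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Domain Status: $2 https://icann.org/epp#$2
   Name Server: NS1.EXAMPLE.NET
   Name Server: $1
   DNSSEC: signedDelegation
>>> Last update of whois database: $3 <<<
EOF
}

dir=$(mktemp -d)
sample_record NS2.EXAMPLE.NET clientTransferProhibited 2026-01-10T09:00:00Z > "$dir/previous.txt"
sample_record ns2.example.net clientTransferProhibited 2026-01-11T09:00:00Z > "$dir/noise.txt"
sample_record NS2.EXAMPLE.ORG ok 2026-01-11T09:00:00Z > "$dir/current.txt"
whois_drift "$dir/previous.txt" "$dir/noise.txt" && echo "noise only: no relevant change"
whois_drift "$dir/previous.txt" "$dir/current.txt" || echo "drift: review the lines above"
rm -rf "$dir"
```

A name server change together with a dropped clientTransferProhibited status, as in the last comparison, is the kind of drift worth alerting on.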

Practical Examples

Pre-certificate validation check

# Verify domain ownership and nameservers before certificate issuance
whois example.com | grep -E "Registrar|Name Server|Expir"

Confirm domain is active and properly configured before requesting SSL/TLS certificate.

Security incident investigation

# Investigate suspicious domain
whois suspicious-domain.com
# Look up the network behind the last address returned for the domain
whois "$(dig +short suspicious-domain.com | tail -1)"

Look up domain registration and IP allocation to identify potential threats.

Domain transfer preparation

# Check transfer lock status
whois example.com | grep -i "status\|lock\|transfer"

Verify domain is not locked before initiating transfer to new registrar.

Complete domain audit

#!/bin/bash
DOMAIN="example.com"
echo "=== WHOIS Data ==="
whois "$DOMAIN" | grep -E "Registrar|Expir|Status|Name Server"

echo -e "\n=== DNS Records ==="
host -t A "$DOMAIN"
host -t NS "$DOMAIN"

echo -e "\n=== IP WHOIS ==="
# Take the first A record only; skips CNAME ("is an alias for") and error lines
IP=$(host -t A "$DOMAIN" | awk '/has address/ {print $NF; exit}')
whois "$IP" | grep -E "OrgName|NetRange|abuse"

Comprehensive domain and infrastructure audit combining WHOIS and DNS lookups.

Important Notes

Rate Limiting

WHOIS servers enforce rate limits. Excessive queries may result in temporary IP blocks. Add delays between bulk queries.

GDPR Privacy Changes

Since GDPR (2018), many registrars redact personal contact information. Expect limited registrant details for EU domains.

Different Formats

WHOIS output format varies by registry. Field names and structure differ between .com, .org, country codes, etc.

Accuracy and Freshness

WHOIS data may be cached or delayed. For most current information, query authoritative registry WHOIS servers directly.

Terms of Service

Many WHOIS servers include Terms of Service in output. Commercial use or data mining may be prohibited.

Web Alternatives

For domains with restricted command-line WHOIS access, use web-based WHOIS services or registrar lookup tools.