10

Whenever you use the WHOIS command, it doesn't return any useful information. I usually have to go to GoDaddy, DNSstuff or other services to get the data. I understand the reason is mostly due to spamming.

I was just wondering how other services get this data. Do they use a different type of WHOIS command? I'm also confused that some of the data generated by the WHOIS command is just spam. For example, doing whois google.com generates spam websites such as GOOGLE.COM.ZZZZZZ.THE.BEST.WEBHOSTING.AT.WWW.FATUCH.COM. Where does this data come from?

Example:

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

GOOGLE.COM.ZZZZZZ.THE.BEST.WEBHOSTING.AT.WWW.FATUCH.COM
GOOGLE.COM.WORDT.DOOR.VEEL.WHTERS.GEBRUIKT.SERVERTJE.NET
GOOGLE.COM.UY
GOOGLE.COM.UA
GOOGLE.COM.TW
GOOGLE.COM.TR
GOOGLE.COM.SA
GOOGLE.COM.PE
GOOGLE.COM.MX
GOOGLE.COM.DO
GOOGLE.COM.CO
GOOGLE.COM.CN
GOOGLE.COM.BR
GOOGLE.COM.AU
GOOGLE.COM.AR
GOOGLE.COM.AFRICANBATS.ORG
GOOGLE.COM

To single out one record, look it up with "xxx", where xxx is one of the
of the records displayed above. If the records are the same, look them up
with "=xxx" to receive a full display for each record.

>>> Last update of whois database: Wed, 30 Mar 2011 03:07:59 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Max Thomson

4 Answers

10

The short answer to your question, assuming you are using the Debian/Ubuntu whois library, is to use

$ whois -h whois.crsnic.net "domain google.com"

Here's the long answer.

The .COM TLD is a Thin WHOIS. When you perform a WHOIS query, the WHOIS tool first sends a WHOIS query to Verisign (hostname whois.crsnic.net) and extracts the referral from the response.

By default, when you query Verisign for the domain example.com, Whois performs a very broad search of the string "example.com" in several different objects including the domain name, the registrar name and the nameservers.

You can refine the query by specifying a keyword, as described in the Verisign documentation. http://registrar.verisign-grs.com/whois/iframe/help.html?ppath=www.verisigninc.com/products-and-services/domain-name-services/whois&

The command above does exactly what I explained. Instead of google.com it sends to Verisign the full query "domain google.com". You have to explicitly pass the -h flag because Whois attempts to guess the hostname to query from the query, but it will fail because it won't recognize the query "domain google.com" as a valid domain.

Here's the result of the command.

$ whois -h whois.crsnic.net "domain google.com"

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: GOOGLE.COM
   Registrar: MARKMONITOR INC.
   Whois Server: whois.markmonitor.com
   Referral URL: http://www.markmonitor.com
   Name Server: NS1.GOOGLE.COM
   Name Server: NS2.GOOGLE.COM
   Name Server: NS3.GOOGLE.COM
   Name Server: NS4.GOOGLE.COM
   Status: clientDeleteProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Status: serverDeleteProhibited
   Status: serverTransferProhibited
   Status: serverUpdateProhibited
   Updated Date: 15-sep-2010
   Creation Date: 15-sep-1997
   Expiration Date: 14-sep-2011

>>> Last update of whois database: Wed, 30 Mar 2011 08:50:16 UTC <<<

NOTICE: The expiration date displayed in this record is the date the 
registrar's sponsorship of the domain name registration in the registry is 
currently set to expire. This date does not necessarily reflect the expiration 
date of the domain name registrant's agreement with the sponsoring 
registrar.  Users may consult the sponsoring registrar's Whois database to 
view the registrar's reported date of expiration for this registration.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Simone Carletti
  • 1
    Currently, the authoritative whois server for .COM domain names is [whois.verisign-grs.com](http://www.iana.org/domains/root/db/com.html). So the command should be updated to: `whois -h whois.verisign-grs.com "domain google.com"` – iglvzx Jun 05 '14 at 11:20
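The two-step lookup described in the answer above (registry query with the `domain` keyword, then the referral to the registrar), as an added example that is not part of the original answer. `parse_registry_reply`, `lookup` and the injectable `query_fn` are names chosen here, and the sample replies are abridged from the output quoted on this page.

```python
import re
import socket

# Added example (names are illustrative); replies abridged from the output quoted on this page.
BROAD_REPLY = """Whois Server Version 2.0
GOOGLE.COM.ZZZZZZ.THE.BEST.WEBHOSTING.AT.WWW.FATUCH.COM
GOOGLE.COM.AFRICANBATS.ORG
GOOGLE.COM

>>> Last update of whois database: Wed, 30 Mar 2011 03:07:59 UTC <<<
"""
RECORD_REPLY = """Whois Server Version 2.0
   Domain Name: GOOGLE.COM
   Registrar: MARKMONITOR INC.
   Whois Server: whois.markmonitor.com
   Name Server: NS1.GOOGLE.COM
   Name Server: NS2.GOOGLE.COM

>>> Last update of whois database: Wed, 30 Mar 2011 08:50:16 UTC <<<
"""

def whois_query(host, query, timeout=10.0):
    """WHOIS wire protocol (RFC 3912): TCP/43, one query line ending in CRLF, read to EOF."""
    with socket.create_connection((host, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        data = b"".join(iter(lambda: sock.recv(4096), b""))
    return data.decode("utf-8", errors="replace")

def parse_registry_reply(text):
    """Split a thin-registry reply into 'Key: value' fields and bare broad-match names."""
    fields, matches = {}, []
    for line in text.splitlines():
        if line.startswith(">>>"):  # footer reached: only legal notices follow
            break
        kv = re.match(r"^\s+([A-Za-z ]+): (.+)$", line)
        if kv:
            fields.setdefault(kv.group(1), []).append(kv.group(2).strip())
        elif re.fullmatch(r"[A-Z0-9-]+(\.[A-Z0-9-]+)+", line.strip()):
            matches.append(line.strip())
    return fields, matches

def lookup(domain, registry="whois.crsnic.net", query_fn=whois_query):
    """Query the registry host from the answer for the domain record only, then follow its referral."""
    fields, matches = parse_registry_reply(query_fn(registry, "domain " + domain))
    if "Whois Server" not in fields:  # broad-match list or no record: nothing to follow
        return None, matches, ""
    registrar = fields["Whois Server"][0].lower()
    return registrar, matches, query_fn(registrar, domain)
```

Passing a stub as `query_fn` lets the referral logic be exercised offline; with the default transport, `lookup("google.com")` opens two TCP connections on port 43.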
3

You're asking for all record types, rather than just domain records. From the whois help:

By default, WHOIS performs a very broad search, looking in all record types for matches to your query in these fields: domain name, nameserver name, nameserver IP address, and registrar names. Use keywords to narrow the search.

The following keywords restrict a search to a certain TYPE of field in the database:

domain: Finds a domain record. Find out domain name, registrar name, whois server and URL, Nameserver name and IP Addresses, and updated date.

There are two possible fixes:

1. Set the domain option explicitly:

 whois "domain google.com"

2. Use a whois host that only returns 'domain' results:

whois -h geektools.com google.com 

See "Why there's junk in your whois results, and how you can get rid of it" for more info.

mikemaccana
1

When you request WHOIS info for google.com, it searches for "google.com" in all records, not anchoring the pattern to the end as you expect.

And it depends on the WHOIS client and which servers it is configured to use. I did some research a couple of years ago about setting up an internal WHOIS service (I work at a university, so we have lots of little fiefdoms and lots of networks) and from what I could tell, there was very little consistent structure in the data formats, so clients have to employ lots of heuristics to figure out referrals and such. My guess is that dnsstuff and godaddy probably just have more tuned heuristics. So you might just try a different client.

Wil Cooley
0

Do a whois query with an equal sign at the beginning, just before the domain name. What you see is just pure vanity nameservers created at the registry, as a useless prank (no technical consequences).

Patrick Mevzek