Have you tried recently to register a domain name that hasn’t already been taken? Pretty difficult, isn’t it. With over 350 million registered names and counting, it can be a daunting task to get an original website registered, let alone noticed.
But how do these web hosters, et al. know what websites are out there and who, in fact, owns them? How do they track such a large and ever-expanding field? That, in a layman’s nutshell, is Whois.
Developed during the Reagan era, Whois was designed to enable as much transparency as possible in the domain name space. Its objective is to provide an accurate, secure, public-facing and free way to query information for any registered domain out there. It is an effective and necessary tool for identifying trademark infringements as well as hacker activity such as spamming, fraud and cracking.
In order for this to occur, every time a person or an organization registers a domain name, certain prerequisite details must be included: name, valid mailing address, email(s), valid phone number, city, postal/zip code, state/province, and country. Additionally, this information must be available for three categories - registrar, technical, and administrative. Once you’ve met these registration criteria, you are in the Whois database, like it or not.
From there, Whois data is stored in two different ways, the thin model and the thick model; kinda like diet coke and regular coke - half the calories, half the taste. The “thin” model, as the name suggests, provides limited information, namely registrar name, domain registration dates and name servers used. In order to access more data, additional queries have to be done. Conversely, the “thick” model expands the domain’s details by including registrar, technical and administrative data.
The good news is, usually when a single Whois query is performed, the default is the thick model, as it’s the faster method and only requires one query per domain search.
Some Basic Ways to use Whois
There are myriad ways of querying a Whois database, and some don’t even require manual commands from a terminal. Perhaps the most common method is the ‘whois’ command. Essentially all Unix and Linux operating systems include a Whois client; simply run “whois domain.com”. This will work for most of the common web extensions, like .com, .net, .org, .info, .io, etc., although sometimes you will have to query registrars directly and ask for additional Whois information.
But it’s not exactly easy; while the whois command does a lot of heavy lifting for you, it is still not perfect. It is based on a lot of "rule of thumb" hacks, as the Whois protocol itself is far from robust: it covers only the client-server exchange and assumes you’ve already found the right Whois server. That leaves the discovery part to the developers of the Whois utility (the whois command on *nix systems). Performing an effective (or even usable) Whois query on a domain requires knowing the correct, authoritative Whois server to use. In other words, you need to know exactly which server stores the information about the domain you want to search.
Now in order to find the applicable one, you have to “ask” companies that register and store TLDs (top-level domains, like .com et al.), such as Domain.com, Bluehost and Namecheap. They, in turn, will give you access to a smaller registrar server, which gives you access to an even smaller one, until eventually you get to the server that either has the data you seek, or not. It’s kind of like trying to extract a single grain of pepper from a pepper mill whilst wearing a blindfold. And for this privilege, you usually have to fork out money. On top of that, there is currently no standard or regulation for ascertaining the responsible Whois server for a DNS domain.
While various free open source examples can still be found, most modern Whois applications implement command line flags, and many default servers are preconfigured and/or proprietary. I know, right?
If you want to have a go at it yourself, this may help your quest. Popular web-based Whois queries may be conducted from ARIN, RIPE and APNIC. The records of each of these registries are cross-referenced, so that an ARIN query for a record which belongs to RIPE, for example, will return a placeholder pointing to the RIPE Whois server. This lets you know that the detailed information resides on the RIPE server. I hope that helps some and I wish you luck. It can be done.
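The referral walk described above (root database, then the TLD registry's thin record, then the registrar's thick record, with ARIN-style placeholders pointing at another registry) can be automated. The following is an added example written for this post, not the whois utility's own code: it parses the three referral line formats (IANA's "refer:", the .com/.net registry's "Registrar WHOIS Server:", and ARIN's "ReferralServer: whois://..."), follows them hop by hop, and stops on loops or an empty referral field. whois.iana.org and whois.verisign-grs.com are real servers; whois.example-registrar.test and all canned responses are constructed so the walk runs offline.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Referral line formats seen at different levels of the Whois tree.
# "[ \t]*" (not "\s*") is deliberate: an empty "Registrar WHOIS Server:" field
# must not be read as a referral to whatever word starts the next line.
REFERRAL_PATTERNS = [
    re.compile(r"^[ \t]*refer:[ \t]*(\S+)", re.I | re.M),                 # IANA root db
    re.compile(r"^[ \t]*Registrar WHOIS Server:[ \t]*(\S+)", re.I | re.M),  # thin registry
    re.compile(r"^[ \t]*ReferralServer:[ \t]*(?:r?whois://)?([^\s:/]+)", re.I | re.M),  # ARIN
]


def extract_referral(response: str) -> Optional[str]:
    """Return the next server named in a Whois response, or None when the
    response is authoritative (no referral line present)."""
    for pattern in REFERRAL_PATTERNS:
        m = pattern.search(response)
        if m:
            return m.group(1).strip().lower()
    return None


def query_whois(server: str, query: str, timeout: float = 10.0) -> str:
    """Raw RFC 3912 exchange: TCP port 43, one query line, read until close.
    Needs network access; the canned table below stands in for it offline."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def follow_referrals(query: str,
                     start_server: str = "whois.iana.org",
                     fetch: Callable[[str, str], str] = query_whois,
                     max_hops: int = 5) -> Tuple[List[str], str]:
    """Walk referrals from start_server until a thick (authoritative) answer.
    Returns (servers visited, final response). A visited set and a hop limit
    guard against referral loops and runaway chains."""
    visited: List[str] = []
    server = start_server
    while len(visited) < max_hops:
        if server in visited:
            raise RuntimeError(f"referral loop detected at {server}")
        visited.append(server)
        response = fetch(server, query)
        nxt = extract_referral(response)
        if nxt is None or nxt == server:
            return visited, response
        server = nxt
    raise RuntimeError(f"gave up after {max_hops} hops: {visited}")


# Constructed responses for an offline walk (not real Whois output).
CANNED: Dict[str, str] = {
    "whois.iana.org": "domain:      COM\nrefer:       whois.verisign-grs.com\n",
    "whois.verisign-grs.com": (
        "   Domain Name: EXAMPLE.COM\n"
        "   Registrar WHOIS Server: whois.example-registrar.test\n"
        "   Name Server: NS1.EXAMPLE.COM\n"
    ),
    "whois.example-registrar.test": (
        "Domain Name: example.com\n"
        "Registrant Organization: Example Org\n"
        "Admin Email: admin@example.com\n"
    ),
}


def make_fetch(table: Dict[str, str]) -> Callable[[str, str], str]:
    """Build a fetch function that answers from a canned table."""
    def fetch(server: str, query: str) -> str:
        if server not in table:
            raise RuntimeError(f"no response on file for {server}")
        return table[server]
    return fetch


canned_fetch = make_fetch(CANNED)

if __name__ == "__main__":
    hops, final = follow_referrals("example.com", fetch=canned_fetch)
    print(" -> ".join(hops))
    print(final)
```

Swap canned_fetch for query_whois to run the same walk against live servers; the loop and hop-limit checks matter there, since a misconfigured registrar can refer back to the registry.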
Whois and InfoSec/OSINT
As well as being a known tool for journalists tracing the source of material circulating across the Internet, Whois is also very useful for InfoSec investigations and forensics, and for your own or your organization’s (or cyber serial evangelist’s - insert newest catch phrase here) DNS and domain practices, such as:
- Tracking down and isolating domain crack attempts, phishing and spamming attacks.
- Prevention of online fraud against financial institutions and general login-based interfaces used on web services.
- Pinpointing abusive activities from domain names wrongfully using registered company names and/or products, or promoting trademarks illegally.
- Searching for websites promoting abusive material such as child pornography and abuse, illegal drugs and weapons markets, hatred, violence, racial and social discrimination, etc.
- An overarching attempt to keep the Internet as secure, safe and transparent as possible.
While Whois is undeniably an important tool for investigating infringements like spam and phishing, there are more than a few detractors out there who feel that it infringes on the right to free speech and anonymity.
In fact, the Whois requirements actually are in direct conflict with the recently passed GDPR (General Data Protection Regulation). This is because when first conceived, the reach of the internet was not fully understood, therefore Whois was simply not written with an international audience in mind. This might impact the usability or usefulness of Whois in countries outside the USA in the very near future.
Taking it a step further, on 24 June 2013, the Expert Working Group (EWG) of the Internet Corporation for Assigned Names and Numbers (ICANN) actually recommended that Whois should be scrapped altogether and replaced with a system that keeps information veiled from most internet users - only disclosing certain information for "permissible purposes" which are listed as: domain-name research, sales and purchasing, regulatory enforcement, personal data protection, legal actions, and abuse mitigation.
A public directory, naturally, enables undesirable actors such as spammers, direct marketers, identity thieves or other attackers to loot it for personal information about registrants. To counter this, some domain registrars offer private registrations (where the registrar's contact information is shown instead of the customer's), rate-limiting systems such as CAPTCHA, and limits on the number of queries per user IP address, mitigating some, but by no means all, of the risks.
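Two of the mitigations just listed, per-IP query limits and private registration, are simple to model on the serving side. The block below is an added example for this post, not any registrar's software: a sliding-window limiter keyed on source IP, and a redaction step that swaps the customer's contact fields for the proxy placeholder while leaving registrar, dates and name servers visible. The sample record, the IP addresses and the placeholder text are constructed; the clock is injectable so the window can be tested without sleeping.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class QueryRateLimiter:
    """Allow at most `limit` queries per source IP in any `window` seconds."""

    def __init__(self, limit: int = 10, window: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, source_ip: str) -> bool:
        now = self.clock()
        hits = self._hits[source_ip]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # caller should answer with a "rate limited" notice
        hits.append(now)
        return True


# Contact fields that a private registration hides. Registrar, dates and
# name servers (the "thin" part of the record) stay public.
PRIVATE_FIELDS = (
    "Registrant Name", "Registrant Street", "Registrant Email", "Registrant Phone",
    "Admin Email", "Tech Email",
)
PLACEHOLDER = "REDACTED FOR PRIVACY"  # constructed placeholder text


def redact_record(record: Dict[str, str], private: bool) -> Dict[str, str]:
    """Return a copy of `record`; with private=True, contact fields are replaced."""
    out = dict(record)
    if private:
        for field in PRIVATE_FIELDS:
            if field in out:
                out[field] = PLACEHOLDER
    return out


# Constructed sample record, not real registration data.
SAMPLE_RECORD = {
    "Domain Name": "example.com",
    "Registrar": "Example Registrar Inc.",
    "Creation Date": "2001-01-01",
    "Name Server": "ns1.example.com",
    "Registrant Name": "Jane Doe",
    "Registrant Email": "jane@example.com",
    "Admin Email": "admin@example.com",
}


def serve_query(limiter: QueryRateLimiter, source_ip: str,
                record: Dict[str, str], private: bool) -> Dict[str, str]:
    """Policy front door for one query: rate limit first, then redact."""
    if not limiter.allow(source_ip):
        return {"error": "query limit exceeded for this address"}
    return redact_record(record, private)


class FakeClock:
    """Manually advanced clock used to exercise the window offline."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    limiter = QueryRateLimiter(limit=3, window=60.0)
    for _ in range(4):
        print(serve_query(limiter, "203.0.113.5", SAMPLE_RECORD, private=True))
```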
Referral Whois (RWhois)
Touted as an upgrade of the original Whois, RWhois extends the concepts of Whois in a scalable, orderly way, designed to create a “tree-like” architecture where one could connect to any RWhois server, request a look-up and be automatically redirected to the correct server(s). It also aims to be fuelled by even smaller local internet registries, in theory providing more refined and in-depth information about IP address assignment. However, while the technical functionality is in place, adoption of RWhois by the general populace has been weak. Resistance may be futile, but old habits still die hard.
Whois, albeit dated, is still a powerful tool to help you protect your interests. If the whole process seems overwhelming, a great alternative is to seek reputable third-party vendors to handle the task for you. The return is worth the investment...
Some source material kindly provided by the Whois Wikipedia article. Please donate generously.