
SecurityTrails Blog · Apr 08 · SecurityTrails team

WHOIS Lookup: The Hidden Key in Domain Infosec Investigations


It encompasses millions of users on the Internet. And it doesn’t matter if you’re a web designer, the owner of a car company, a photographer, a fast food restaurant manager, or any kind of business owner — you’re part of it even if you don’t know it.

As soon as you’ve registered a domain name for your company’s online presence, you’ve entered what’s called the WHOIS database.

Some people think of WHOIS information merely as the data a registrar demands when you register a domain name. What they don’t realize is the power behind this data, nor do they understand how the WHOIS service works, its origins, or the infosec implications it has today.

Keep reading to learn more on these topics—and to find out how the WHOIS lookup can empower your daily infosec audits.

What is the WHOIS service?

WHOIS information, also known as WHOIS data or WHOIS details, is the global database of the people and organizations who register domain names, fed by every registration made.

Each time you register a domain name you are required to provide identifying and contact information such as:

  • Name
  • Mailing address
  • Email
  • Phone number
  • City
  • Postal code
  • State
  • Country

This information must be available for three types of domain contact: Registrant, Administrative and Technical.

Contrary to what most people think, the WHOIS service is not located in a single independent database, but spread across many registrars and registries around the world.

One of WHOIS data’s main reasons for being is to keep domain name space as transparent as possible, which is why the ICANN (Internet Corporation for Assigned Names and Numbers) upholds its mission to keep the WHOIS database as accurate, secure, free and public as possible for its users.

The WHOIS protocol, therefore, can be accessed by anyone on the Internet to query domain information for any website on the planet.

A brief history of WHOIS information

The origin of the WHOIS database takes us back to 1980, during the time of the famous ARPANET.

Back then, the WHOIS service was far from what it is today: it consisted only of a directory of ARPANET users, cataloging who was connected to the network, and held nothing more than those users’ contact information.

The official WHOIS requirements were documented in RFC 920 and required both technical and administrative information, as shown below:

[Image: The official WHOIS requirements]

At that time, if you wanted to perform a WHOIS lookup, you would query the central WHOIS database.

Then in 1993, InterNIC was founded by AT&T, Network Solutions Inc. and General Atomics. Some WHOIS servers of that era permitted wildcard searches by default, a major security flaw, since anyone could enumerate records. Today that capability is what we call domain enumeration or reverse domain lookup.

WHOIS searches of that type are no longer permitted. If you want to find domain names owned by an individual person or company you must use services like the one we developed here at SecurityTrails, or cross data between WHOIS records while keeping an eye on the ones that share an email address.

With the rise of domain registrations and personal and corporate computer networks connected to the Internet in the mid ’90s, the government, companies and organizations needed a better way to keep the network as transparent as possible. The availability of domain owner information was necessary as a means to fight against trademark, spamming and cracking activities.

In 1999, TLD management was assigned to ICANN, and the old WHOIS clients stopped working as the protocol was renewed and new web-based WHOIS lookups surfaced, thanks to an emerging technology called CGI.

CGI offered a simple way for web servers to execute terminal-based WHOIS queries and return the results as an HTML page. That same year, ICANN introduced the TLD table that would allow support for multiple diverse WHOIS servers depending on the TLD used in the original request, which today is known as the WHOIS client.

Over the past 20 years the domain space has grown tremendously, allowing people to register top level domain names and country-code top level domains, as well as the new modern ICANN-era generic top-level domains (.academy .adult .club .agency .blog, etc).

Unlike in the ’80s, now everybody can register a domain name, even multiple ones, or become a domain registrar if desired.

We can query the WHOIS distributed database across registrar and registry organizations, a far cry from the old days when the query was made against a single database.

Domain name internationalization, WHOIS privacy services, and the large number of registrars and WHOIS servers have made WHOIS lookups a little more complex than they used to be.

Types of WHOIS lookup data models

Despite what most people think, WHOIS information is not stored in any single way. There are two different methods of storing WHOIS records on the WHOIS servers:

WHOIS Thin model: this type of WHOIS model answers back with the registrar name, domain registration dates and name servers used.

With the thin model, the WHOIS server stores the name of another WHOIS server that has the full data of the Registrar (as in the case of .com TLD) and other basic data. In order to access all the data, a second query to the server would have to be made.

WHOIS Thick model: the thick WHOIS model expands the information, adding the full registrant, administrative and technical contact details alongside the registrar data.

When you perform a WHOIS lookup, it usually displays all the information about the domain name owner (thick model), as it’s the faster method and only requires a single query.

The purpose of the WHOIS lookup

As we saw before, back in the ARPANET days the WHOIS model was merely a user directory. However, as decades passed, WHOIS information became a lot more personal, including full contact details, making it one of the most useful data-sets available for performing data reconnaissance and intel gathering tasks.

The main goal and functions of the WHOIS lookup have evolved, and today it’s used for a number of reasons, including:

  • Tracking down domain cracking activities, spamming and phishing attacks.
  • For help during federal investigations against websites promoting abusive material such as xenophobia, child abuse, child pornography, illegal drugs market, hatred, violence, racial and social discrimination, etc.
  • Providing ISPs, network operators, security agencies and government law enforcement agencies the information needed to keep the Internet as secure and transparent as possible.
  • Supporting trademark agencies in the investigation of abuse activities from domain names wrongfully using registered company names or products, or promoting trademarks illegally.
  • Prevention of online fraud by helping users to detect phishing attacks against financial institutions and general login-based interfaces used on web services.

How to perform a WHOIS lookup from the terminal

One of the most traditional ways of performing a WHOIS lookup is by using the ‘whois’ command from your terminal.

Most Unix and Linux operating systems include the WHOIS client, allowing you to run a WHOIS query against the database servers.

In order to run a WHOIS query, just open your terminal/console and run:

whois domain.com

This type of WHOIS lookup will work for most traditional TLD extensions such as .com .net .org .info, and for some ccTLD such as .io .us .com.mx, etc. Sometimes WHOIS lookups will not work from the terminal for specific TLDs; in that case you’ll have to query the registrar directly and ask for the required WHOIS information.
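What the whois command does underneath, as an added example that is not the page’s own code: one RFC 3912 exchange on TCP port 43, followed by the second query the thin model requires when the registry’s answer names a Registrar WHOIS Server. The hostnames and responses in FAKE_SERVERS are constructed stand-ins; pass send_query=whois_query to run a live lookup.

```python
import re
import socket

# Constructed responses standing in for the two servers a .com lookup touches under
# the thin model: the registry names the registrar's server, which holds the contacts.
FAKE_SERVERS = {
    "whois.verisign-grs.com": "   Domain Name: EXAMPLE-THIN.COM\n"
                              "   Registrar WHOIS Server: whois.registrar.example\n",
    "whois.registrar.example": "Domain Name: EXAMPLE-THIN.COM\n"
                               "Registrar WHOIS Server: whois.registrar.example\n"
                               "Registrant Organization: Example Org\n"
                               "Admin Email: admin@example-thin.com\n",
}
REFERRAL_RE = re.compile(r"^\s*Registrar WHOIS Server:\s*(\S+)\s*$", re.M | re.I)

def whois_query(server, domain, port=43, timeout=10):
    """One RFC 3912 exchange: connect to TCP 43, send 'domain\\r\\n', read to EOF."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(f"{domain}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def fake_query(server, domain):
    """Offline stand-in for whois_query that answers from FAKE_SERVERS."""
    return FAKE_SERVERS[server]

def whois_lookup(domain, start="whois.verisign-grs.com", send_query=whois_query, max_hops=3):
    """Query the registry, then follow 'Registrar WHOIS Server:' referrals until a server
    refers to itself (it holds the full record) or max_hops is hit. Returns (hops, text)."""
    server, hops = start, [start]
    response = send_query(server, domain)
    for _ in range(max_hops):
        match = REFERRAL_RE.search(response)
        if not match:
            break
        nxt = re.sub(r"^\w+://", "", match.group(1)).rstrip("/").lower()
        if nxt == server.lower():
            break
        server, response = nxt, send_query(nxt, domain)
        hops.append(nxt)
    return hops, response

if __name__ == "__main__":
    hops, text = whois_lookup("example-thin.com", send_query=fake_query)
    print("[" + "] -> [".join(hops) + "]")  # mirrors the whois client's bracketed trace
    print(text)
```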

WHOIS lookup result

Let’s see what a WHOIS lookup result looks like, and the various pieces of information we get from the WHOIS server.

This time, let’s query the domain of the famous Bruce Schneier, schneier.com.

Expected output:

[research@securitytrails.com:~]whois schneier.com
[Querying whois.verisign-grs.com]
[Redirected to whois.networksolutions.com]
[Querying whois.networksolutions.com]
[whois.networksolutions.com]
Domain Name: SCHNEIER.COM
Registry Domain ID: 6701490_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2018-10-24T15:15:16Z
Creation Date: 1999-05-22T03:25:18Z
Registrar Registration Expiration Date: 2024-05-22T03:25:52Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Reseller:
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID:
Registrant Name: Counterpane Systems
Registrant Organization: Counterpane Systems
Registrant Street: 4602 W LAKE HARRIET PKWY
Registrant City: MINNEAPOLIS
Registrant State/Province: MN
Registrant Postal Code: 55410-1922
Registrant Country: US
Registrant Phone: +1.6128231497
Registrant Phone Ext:
Registrant Fax: +1.9999999999
Registrant Fax Ext:
Registrant Email: schneier@schneier.com
Registry Admin ID:
Admin Name: Schneier, Bruce
Admin Organization: Counterpane Systems
Admin Street: 4602 W. Lake Harriet Pkwy.
Admin City: Minneapolis
Admin State/Province: MN
Admin Postal Code: 55410
Admin Country: US
Admin Phone: +1.6128231497
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: schneier@schneier.com
Registry Tech ID:
Tech Name: Schneier, Bruce
Tech Organization: Counterpane Systems
Tech Street: 4602 W. Lake Harriet Pkwy.
Tech City: Minneapolis
Tech State/Province: MN
Tech Postal Code: 55410
Tech Country: US
Tech Phone: +1.6128231497
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: schneier@schneier.com
Name Server: NS1.DREAMHOST.COM
Name Server: NS2.DREAMHOST.COM
Name Server: NS3.DREAMHOST.COM
DNSSEC: unsigned
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-04-02T12:26:23Z <<<

WHOIS data obtained from the WHOIS server can be divided into key areas: WHOIS server and registrar details, domain information, and the registrant, administrative and technical contact details.

WHOIS server and registrar details

The first thing that appears in the results is a rundown of the WHOIS servers involved in our query:

[Querying whois.verisign-grs.com]
[Redirected to whois.networksolutions.com]
[Querying whois.networksolutions.com]
[whois.networksolutions.com]

As you see, the original request was made against the whois.verisign-grs.com WHOIS server and was then redirected to the networksolutions.com database server, the one that answered our WHOIS query.

Registry Domain ID: 6701490_DOMAIN_COM-VRSN
Registrar URL: http://networksolutions.com

Here we know it was registered at networksolutions.com, and the registry domain ID is 6701490_DOMAIN_COM-VRSN.

Down below there are more registrar details, such as:

Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680

Domain information

Here we find details such as domain name, update, creation and expiration dates, as well as name servers used.

Domain Name: SCHNEIER.COM
Updated Date: 2018-10-24T15:15:16Z
Creation Date: 1999-05-22T03:25:18Z
Registrar Registration Expiration Date: 2024-05-22T03:25:52Z
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.DREAMHOST.COM
Name Server: NS2.DREAMHOST.COM
Name Server: NS3.DREAMHOST.COM
DNSSEC: unsigned

In this case, we discover another useful piece of information, the ‘domain status’, which seems to be OK according to ICANN. This means it’s not considered to be involved with abuse or illegal activity, and can be transferred to any other registrar if needed.

We can also see that he isn’t using DNSSEC (DNSSEC: unsigned).

Registrant contact

This is where registrant details are shown, the registrant being the person or company that registers a domain name. These details include:

Registry Registrant ID:
Registrant Name: Counterpane Systems
Registrant Organization: Counterpane Systems
Registrant Street: 4602 W LAKE HARRIET PKWY
Registrant City: MINNEAPOLIS
Registrant State/Province: MN
Registrant Postal Code: 55410-1922
Registrant Country: US
Registrant Phone: +1.6128231497
Registrant Fax: +1.9999999999
Registrant Email: schneier@schneier.com

Administrative contact

The administrative contact is the person in charge, authorized by the registrant to receive and answer questions regarding the domain name and all of its details. In this case, the administrative contact is Bruce, but he could have assigned another person if needed:

Admin Name: Schneier, Bruce
Admin Organization: Counterpane Systems
Admin Street: 4602 W. Lake Harriet Pkwy.
Admin City: Minneapolis
Admin State/Province: MN
Admin Postal Code: 55410
Admin Country: US
Admin Phone: +1.6128231497
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: schneier@schneier.com

Technical contact

The technical contact is the person responsible for technical details about the domain name. Renewal information and other technical notes will also be redirected to this person’s email.

Tech Name: Schneier, Bruce
Tech Organization: Counterpane Systems
Tech Street: 4602 W. Lake Harriet Pkwy.
Tech City: Minneapolis
Tech State/Province: MN
Tech Postal Code: 55410
Tech Country: US
Tech Phone: +1.6128231497
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: schneier@schneier.com
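As an added example that is not the page’s own code, a small parser that groups a record laid out like the one above into the same areas, then runs the checks a defender reads off such a record: DNSSEC state, transfer lock, expiration window, and whether one mailbox controls every contact role. The SAMPLE record, its domain, registrar and contacts are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed record in the same "Key: Value" layout as the lookup above
# (placeholder domain, registrar and contacts, not a real registration).
SAMPLE = """\
Domain Name: EXAMPLE-CORP.COM
Registrar Registration Expiration Date: 2024-05-22T03:25:52Z
Registrar: Example Registrar, LLC
Domain Status: ok https://icann.org/epp#ok
Registrant Organization: Example Corp
Registrant Email: jane@example-corp.com
Admin Email: jane@example-corp.com
Tech Email: jane@example-corp.com
Name Server: NS1.EXAMPLE-DNS.NET
DNSSEC: unsigned
>>> Last update of WHOIS database: 2019-04-02T12:26:23Z <<<
"""
ROLES = ("Registrant", "Admin", "Tech", "Registrar")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_whois(text):
    """Group 'Key: Value' lines by role; values are lists since Name Server/Status repeat."""
    record = {"domain": {}, "registrar": {}, "registrant": {}, "admin": {}, "tech": {}}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$", line)
        if not m or not m.group(2):
            continue  # decoration lines (>>> ... <<<) and empty fields
        key, value = m.groups()
        section, role = "domain", key.split()[0]
        if role in ROLES and "Date" not in key:  # the expiration date stays with the domain
            section, key = role.lower(), key[len(role):].strip() or role
        record[section].setdefault(key, []).append(value)
    return record

def assess(record, now_utc):
    """Defender-side checks over a parsed record; now_utc is a timestamp in TS_FMT."""
    dom, findings = record["domain"], []
    if any(v.lower() == "unsigned" for v in dom.get("DNSSEC", [])):
        findings.append("DNSSEC unsigned: resolvers cannot validate this zone's answers")
    if "transferprohibited" not in " ".join(dom.get("Domain Status", [])).lower():
        findings.append("no transfer lock: a registrar-account takeover can move the domain")
    expiry = dom.get("Registrar Registration Expiration Date")
    if expiry and datetime.strptime(expiry[0], TS_FMT) - datetime.strptime(now_utc, TS_FMT) < timedelta(days=60):
        findings.append(f"expires {expiry[0][:10]}: a lapse lets anyone re-register the name")
    emails = {record[r]["Email"][0].lower() for r in ("registrant", "admin", "tech") if "Email" in record[r]}
    if len(emails) == 1:
        findings.append("one mailbox holds every contact role: single point of compromise")
    return findings

if __name__ == "__main__":
    rec = parse_whois(SAMPLE)
    for finding in assess(rec, "2019-04-02T12:26:23Z"):  # the record's own timestamp
        print("-", finding)
```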

Now that we’ve explored and examined WHOIS results, let’s move forward into some modern, alternative ways to execute the same task.

A WHOIS query can be launched by using a web-based client from ICANN’s website: https://whois.icann.org/en

Alternative ways of performing a WHOIS lookup

There are many methods of querying a WHOIS database—and some don’t require manual commands from a terminal.

These methods are best suited for integrating WHOIS lookups in your infosec investigations, or in your own domain and DNS applications. They provide faster results by querying not a live WHOIS database server but instead a passive DNS/WHOIS server, one that keeps its information updated in the background. This minimizes time lost from interacting with the live WHOIS worldwide database.

By using a WHOIS lookup API endpoint

Your first option is to use our SecurityTrails API services and query the WHOIS lookup API endpoint. In our case, integration with popular programming languages such as PHP, Node, Ruby, JavaScript and Python makes it really easy.

In this example we’ll use NodeJS:

var request = require("request");

var options = {
  method: 'GET',
  url: 'https://api.securitytrails.com/v1/domain/schneier.com/whois',
  qs: { apikey: 'YOUR.API.KEY.HERE' }  // your SecurityTrails API key, as a string
};

request(options, function (error, response, body) {
  if (error) throw new Error(error);
  console.log(body);  // raw JSON WHOIS record for the domain
});

The result data will be displayed:

[Image: WHOIS lookup API endpoint]

Our API also allows you to perform historical WHOIS lookups to examine how a record differed between dates. The historical API lookup endpoint can be the starting point if you intend to integrate historical information for WHOIS lookups.

Let’s look at how it’s done in Python:

import requests

url = "https://api.securitytrails.com/v1/history/oracle.com/whois"
querystring = {"apikey": "YOUR.API.KEY.HERE"}  # your SecurityTrails API key
response = requests.request("GET", url, params=querystring)
response.raise_for_status()  # fail loudly on an invalid key or a quota error
print(response.text)  # JSON list of historical WHOIS records

By using SurfaceBrowser™ WHOIS lookup features

SurfaceBrowser is our all-in-one domain, DNS and IP cybersecurity platform that will allow you to perform a wide range of OSINT actions, including passive WHOIS lookups against any given domain name in the world.

To run a passive WHOIS lookup with SurfaceBrowser, just follow these steps:

Note: To test this you must have an active SecurityTrails account with the SurfaceBrowser™ feature enabled. If you don’t, book a demo today with our Sales team! Or sign up for a 7-day trial for only $49.

[Image: Passive WHOIS lookup with SurfaceBrowser™]

Once you do that, you’ll be working with the historical WHOIS lookup interface, where not only will you get the latest WHOIS lookup results, you’ll also be getting results from each and every time the WHOIS information has been altered in any way.

[Image: Historical WHOIS timeline]

From there you can jump between different dates, finding different WHOIS records for any given time, as you see in this example:

[Image: WHOIS records]

This is a highly sought-after feature in the cybersecurity industry, as it allows you to see how the records have changed over the years, and correlate the data between DNS and IP historical records.

WHOIS lookup against WHOIS privacy protected domains

You’ve surely noticed that some domain name owners protect their contact and personal information from WHOIS records by enabling so-called ‘WHOIS privacy’ or ‘WHOIS proxy’ services.

Using a WHOIS privacy service will not hide the existence of your domain name, it will only hide your personal details. In this case, the information shown will be provided by the registrar, making domain registration a little bit more “private.”

However, using a domain privacy service doesn’t guarantee you’ll remain hidden in cyberspace. If users perform illegal activities, law enforcement agencies can force your domain registrar to release your true identity, payment details and much more about you and your domain name in order to proceed with their investigation.

If you don’t have a court order but still want to know who’s behind a domain name, there are many ways to explore it manually, by crossing data between different datasets or by using WHOIS historical records, like the ones we have here at SecurityTrails. Learn more in our previous post WHOIS History: The Importance of WHOIS Records in the Infosec industry.

You can also find the real owner of a domain name by exploring associated domains, as seen in our article: How to Find Associated Domains Using SurfaceBrowser™.

Conclusion

WHOIS information plays a critical role in the cybersecurity field, as it can be the starting point for researchers and investigators to fight against fraud, trademark violations, spamming, malware and other illegal activities.

Whether you’re simply a user who needs to know who’s behind a domain name or an infosec researcher performing a deeper investigation, the WHOIS domain tools we’ve shown here will perfectly match your needs and help you correlate information between different security data-sets.


If you want to move one step forward, stop using traditional stand-alone WHOIS lookups, and move to the future of passive historical WHOIS services, grab a free API account today or book a SurfaceBrowser demo with our sales team to access our Passive WHOIS database—with more than 3 billion historical WHOIS records!