WHOIS

WHOIS is a query and response protocol, separate from the Domain Name System (DNS), used to look up who registered a domain name or who holds an IP address range. It is one of the first sources consulted during reconnaissance.

The WHOIS protocol is a request and response protocol specified in RFC 3912, used to retrieve registration data for domain names and IP address allocations. WHOIS provides key administrative data such as the registrant's contact information, the sponsoring registrar, registration dates and the domain's name servers.

Purpose: WHOIS allows users to look up the ownership details of a domain or IP address. This can include contact information, the registrar managing the domain, and the registration status.

Operation: A WHOIS query is a TCP connection to port 43 of a WHOIS server: the client sends the query string terminated by CRLF, the server writes its answer and closes the connection. There is no authentication, no encryption and no central server; each domain registry and registrar (and each regional Internet registry for IP addresses) runs its own.

Structure: Neither query nor response has a formal schema. The query is usually just the domain or IP address; the response is plain text, normally "Key: Value" lines, but the keys and layout differ between registries and registrars, so anything that parses it has to tolerate variation.

Data Returned: A typical WHOIS query reveals:

  • Registrar Information: Identifies the company or entity responsible for registering and managing the domain.

  • Registrant Information: Displays the name, organization, address, phone number, and other contact details of the domain owner (unless hidden via a privacy service).

  • Registration Dates: Includes the creation, last update, and expiration dates of the domain.

  • Name Servers: The authoritative DNS servers for the domain, i.e. the servers that answer queries for names under it.
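The exchange and the fields described above, as an added example that is not part of the original page: a minimal RFC 3912 client (open TCP/43, send the query plus CRLF, read to EOF), a tolerant "Key: Value" parser, and a summary that pulls out registrar, registrant, dates and name servers while recognising privacy placeholders. The sample response is constructed for illustration; whois.iana.org as the referral server and the field names used by gTLD registries are assumptions, and only the network functions need connectivity.

```python
"""RFC 3912 WHOIS client plus a parser for the text it returns (added example)."""
import re
import socket
from typing import Dict, List

WHOIS_PORT = 43                 # RFC 3912: WHOIS listens on TCP port 43
IANA_WHOIS = "whois.iana.org"   # assumed referral server: names the WHOIS server of each TLD

# Values registrars substitute for contact data they do not disclose (assumed markers).
REDACTION_MARKERS = ("REDACTED FOR PRIVACY", "DATA REDACTED", "Please query the RDDS")


def query_whois(server: str, query: str, timeout: float = 10.0) -> str:
    """Send one query exactly as RFC 3912 describes and return the whole reply.

    The entire protocol: open TCP/43, write the query terminated by CRLF,
    read until the server closes the connection. Needs network access.
    """
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks: List[bytes] = []
        while True:
            data = sock.recv(4096)
            if not data:            # EOF: the server is done
                break
            chunks.append(data)
    # RFC 3912 declares no charset; latin-1 decodes any byte without raising.
    return b"".join(chunks).decode("latin-1")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn 'Key: Value' lines into lowercase key -> list of values.

    Comment lines ('%', '#') are skipped and parsing stops at the '>>>'
    database-timestamp line, after which only legal boilerplate follows.
    Repeated keys (Name Server, Domain Status) keep every value, in order.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#":
            continue
        if line.startswith(">>>"):
            break
        m = re.match(r"([^:]+?):\s*(.*)", line)   # split on the first colon only
        if m and m.group(2).strip():
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return fields


def summarize(fields: Dict[str, List[str]]) -> Dict[str, object]:
    """Extract the items listed above: registrar, registrant, dates, name servers."""
    def first(key: str) -> str:
        return fields.get(key, [""])[0]

    def disclosed(value: str) -> str:   # "" when the value is a privacy placeholder
        return "" if any(mk.lower() in value.lower() for mk in REDACTION_MARKERS) else value

    return {
        "domain": first("domain name").lower(),
        "registrar": first("registrar"),
        "registrar_whois": first("registrar whois server"),
        "registrant": disclosed(first("registrant organization")) or disclosed(first("registrant name")),
        "registrant_email": disclosed(first("registrant email")),
        "created": first("creation date"),
        "updated": first("updated date"),
        "expires": first("registry expiry date") or first("registrar registration expiration date"),
        "name_servers": sorted({ns.lower() for ns in fields.get("name server", [])}),
        "status": [s.split()[0] for s in fields.get("domain status", [])],
    }


def lookup(domain: str) -> Dict[str, object]:
    """Follow referrals like whois(1): IANA -> TLD registry -> registrar. Needs network."""
    tld = domain.rsplit(".", 1)[-1]
    tld_server = parse_whois(query_whois(IANA_WHOIS, tld)).get("whois", [""])[0]
    if not tld_server:
        raise LookupError(f"IANA lists no WHOIS server for .{tld}")
    fields = parse_whois(query_whois(tld_server, domain))
    registrar_server = fields.get("registrar whois server", [""])[0]
    if registrar_server:
        # Thin registries (.com/.net) hold no contacts; the registrar's copy may.
        fields.update(parse_whois(query_whois(registrar_server, domain)))
    return summarize(fields)


# Constructed sample in the layout gTLD registries use; not a real record.
SAMPLE_RESPONSE = """\
% Constructed sample response
   Domain Name: EXAMPLE.TEST
   Registrar WHOIS Server: whois.registrar.example
   Updated Date: 2023-08-14T07:01:31Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2024-08-13T04:00:00Z
   Registrar: Example Registrar, Inc.
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Organization: Example Corp
   Registrant Email: Please query the RDDS service of the Registrar of Record
   Name Server: NS2.EXAMPLE.TEST
   Name Server: NS1.EXAMPLE.TEST
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration is set to expire.
"""

if __name__ == "__main__":
    import json, sys
    # With a domain argument, query the live servers; otherwise parse the sample.
    result = lookup(sys.argv[1]) if len(sys.argv) > 1 else summarize(parse_whois(SAMPLE_RESPONSE))
    print(json.dumps(result, indent=2))
```

Run it with no arguments to see the sample parsed, or with a domain to walk the referral chain the way the whois command does. The parser deliberately stops at the ">>>" line: everything after it is terms-of-use text that would otherwise be swallowed as spurious keys.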

Privacy Considerations

  • Registrars offer WHOIS privacy (proxy) services that replace the registrant's name, address, phone number and email with the service's own contact details, so the record points at the proxy rather than the owner. Many registrants subscribe to avoid spam and keep their identity out of a public database.

  • Many registries and registrars also redact contact fields themselves, replacing email addresses with a placeholder such as "REDACTED FOR PRIVACY" or a web contact form, to stop automated harvesting. A lookup therefore often yields only the registrar, the dates and the name servers.

Implementation: WHOIS is not part of DNS; it is a separate service run by each registry and registrar. It can be queried with a local whois client or through the many WHOIS lookup tools and services online.

While many online services provide WHOIS information, it is generally faster and more efficient to use a local WHOIS client to perform queries directly through port 43.

Usability: WHOIS output feeds both social-engineering and technical attack paths. The registrant and admin contacts give names, roles and the domain of the client's mail system; the name servers identify its DNS hosting; the registration and expiry dates hint at how actively the domain is managed. Example: depending on the scope of the penetration test, the mail server of the admin contact or the authoritative DNS servers could become targets, but only if they fall within the agreed scope and are owned by the client rather than a third-party provider.

Usage

Command Line

whois example.com                # domain lookup; the client follows the registry's referral to the registrar
whois -h whois.iana.org com      # query a specific server (here IANA, which names the .com registry's WHOIS server)

Websites

There are various websites that provide WHOIS information and leverage this protocol. Simply search 'WHOIS' on Google. Here are two examples:
