
Whois and Rwhois

WHOIS (pronounced as the phrase who is) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format. The WHOIS protocol is documented in RFC 3912.


When the Internet was emerging out of the ARPANET, there was only one organization that handled all domain registrations, which was DARPA itself. The process of registration was established in RFC 920. WHOIS was standardized in the early 1980s to look up domains, people and other resources related to domain and number registrations. As all registration was done by one organization at that time, one centralized server was used for WHOIS queries. This made looking up such information very easy.

Responsibility for domain registration remained with DARPA as the ARPANET became the Internet during the 1980s. UUNET began offering domain registration service; however, they simply handled the paperwork, which they forwarded to the DARPA Network Information Center (NIC). Then the National Science Foundation directed that management of Internet domain registration would be handled by commercial, third-party entities. InterNIC was formed in 1993 under contract with the NSF, consisting of Network Solutions, Inc., General Atomics and AT&T. The General Atomics contract was canceled after several years due to performance issues.

20th century WHOIS servers were highly permissive and would allow wild-card searches. A WHOIS query of a person's last name would yield all individuals with that name. A query with a given keyword returned all registered domains containing that keyword. A query for a given administrative contact returned all domains the administrator was associated with. Since the advent of the commercialized Internet, multiple registrars and unethical spammers, such permissive searching is no longer available.

On December 1, 1999, management of the top-level domains (TLDs) com, net, and org was assigned to ICANN. At the time, these TLDs were converted to a thin WHOIS model. Existing WHOIS clients stopped working at that time. A month later, it had self-detecting Common Gateway Interface support so that the same program could operate a web-based WHOIS lookup, and an external TLD table to support multiple WHOIS servers based on the TLD of the request. This eventually became the model of the modern WHOIS client.

By 2005, there were many more generic top-level domains than there had been in the early 1980s. There are also many more country-code top-level domains. This has led to a complex network of domain name registrars and registrar associations, especially as the management of Internet infrastructure has become more internationalized. As such, performing a WHOIS query on a domain requires knowing the correct, authoritative WHOIS server to use. Tools to do WHOIS proxy searches have become common.


In 2003, an IETF committee was formed to create a new standard for looking up information on domain names and network numbers: Cross Registry Information Service Protocol (CRISP). Between January 2005 and July 2006, the working name for this proposed new standard was Internet Registry Information Service (IRIS). The initial IETF Proposed Standards RFCs for IRIS are:

  • 3981 - Newton, A.; Sanz, M. (January 2005). IRIS: The Internet Registry Information Service (IRIS) Core Protocol. IETF. STD 8. RFC 3981. Retrieved June 01, 2015.
  • 3982 - Newton, A.; Sanz, M. (January 2005). IRIS: A Domain Registry (dreg) Type for the Internet Registry Information Service (IRIS). IETF. RFC 3982. Retrieved June 01, 2015.
  • 3983 - Newton, A.; Sanz, M. (January 2005). Using the Internet Registry Information Service (IRIS) over the Blocks Extensible Exchange Protocol (BEEP). IETF. RFC 3983. Retrieved June 01, 2015.
  • 4992 - Newton, A. (August 2007). XML Pipelining with Chunks for the Internet Registry Information Service. IETF. RFC 4992. Retrieved June 01, 2015.

The status of RFCs this group worked on can be found on the IETF Tools site.

As of March 2009, the CRISP IETF Working Group concluded, after a final RFC 5144 was published by the group: Newton, Andrew; Sanz, Marcos (February 2008). A Domain Availability Check (DCHK) Registry Type for the Internet Registry Information Service (IRIS). IETF. RFC 5144. Retrieved 1 June 2015.

Note: The IETF CRISP working group is not to be confused with the Number Resource Organization's (NRO) Team of the same name "Consolidated RIR IANA Stewardship Proposal Team" (CRISP Team).


Main article: Registration Data Access Protocol

In 2013, the IETF acknowledged that IRIS had not been a successful replacement for WHOIS. The primary technical reason for that appeared to be the complexity of IRIS. Further, non-technical reasons were deemed to lie in areas upon which the IETF does not pass judgment. Meanwhile, ARIN and RIPE NCC managed to serve WHOIS data via RESTful web services. The charter (drafted in February 2012) provided for separate specifications, for number registries first and for name registries to follow. The working group produced five proposed standard documents:

  • 7480 - Newton, Andrew; Ellacott, Byron; Kong, Ning (March 2015). HTTP Usage in the Registration Data Access Protocol (RDAP). IETF. RFC 7480. Retrieved July 08, 2015.
  • 7481 - Hollenbeck, Scott; Kong, Ning (March 2015). Security Services for the Registration Data Access Protocol (RDAP). IETF. RFC 7481. Retrieved July 08, 2015.
  • 7482 - Newton, Andrew; Hollenbeck, Scott (March 2015). Registration Data Access Protocol (RDAP) Query Format. IETF. RFC 7482. Retrieved July 08, 2015.
  • 7483 - Newton, Andrew; Hollenbeck, Scott (March 2015). JSON Responses for the Registration Data Access Protocol (RDAP). IETF. RFC 7483. Retrieved July 08, 2015.
  • 7484 - Blanchet, Marc (March 2015). Finding the Authoritative Registration Data (RDAP) Service. IETF. RFC 7484. Retrieved July 08, 2015.

and an informational document:

  • 7485 - Zhou, L.; Kong, N.; Shen, S.; Sheng, S.; Servin, A. (March 2015). Inventory and Analysis of WHOIS Registration Objects. IETF. RFC 7485. Retrieved July 08, 2015.


The WHOIS protocol had its origin in the ARPANET NICNAME protocol and was based on the NAME/FINGER Protocol, described in RFC 742 (1977). The NICNAME/WHOIS protocol was first described in RFC 812 in 1982 by Ken Harrenstien and Vic White of the Network Information Center at SRI International.

WHOIS was originally implemented on the Network Control Program (NCP) but found its major use when the TCP/IP suite was standardized across the ARPANET and later the Internet.

The protocol specification is the following (original quote):

Connect to the service host
   TCP: service port 43 decimal
   NCP: ICP to socket 43 decimal, establishing two 8-bit connections
Send a single "command line", ending with <CRLF>.
Receive information in response to the command line.
The server closes its connections as soon as the output is finished.

The command line server query is normally a single name specification, i.e., the name of a resource. However, servers accept a query consisting of only the question mark (?) to return a description of acceptable command line formats. Substitution or wild-card formats also exist, e.g., appending a full-stop (period) to the query name returns all entries beginning with the query name.

On the modern Internet, WHOIS services are typically communicated using the Transmission Control Protocol (TCP). Servers listen to requests on the well-known port number 43. Clients are simple applications that establish a communications channel to the server, transmit a text record with the name of the resource to be queried and await the response in the form of a sequence of text records found in the database. This simplicity of the protocol also permits an application, and a command line interface user, to query a WHOIS server using the Telnet protocol.
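The exchange quoted above, written as a Python client; this is an added example, not code from the original article. The function names, the reply-size cap and the local stub that stands in for a server are assumptions, chosen so the exchange runs offline.

```python
import socket
import threading

MAX_REPLY = 64 * 1024  # assumed cap; the protocol itself sets no reply limit


def whois_exchange(sock, query, max_reply=MAX_REPLY):
    """Run one query/response exchange on an already connected socket."""
    if "\r" in query or "\n" in query:
        raise ValueError("query must be a single command line")
    sock.sendall(query.encode("ascii") + b"\r\n")
    chunks, received = [], 0
    while True:
        data = sock.recv(4096)
        if not data:  # server closed the connection: output is finished
            break
        received += len(data)
        if received > max_reply:
            raise ValueError("reply exceeds max_reply bytes")
        chunks.append(data)
    # The protocol defines no character set, so decode leniently.
    return b"".join(chunks).decode("utf-8", errors="replace")


def whois_query(host, query, port=43, timeout=10.0):
    """Connect to the service host on TCP port 43 and run the exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return whois_exchange(sock, query)


def _stub_server(conn, reply):
    """Constructed stand-in for a server: read one line, answer, close."""
    with conn, conn.makefile("rb") as rfile:
        line = rfile.readline()
        if line:  # empty means the client went away without sending
            conn.sendall(reply(line))


def demo(query, reply=lambda line: b"Query was: " + line, max_reply=MAX_REPLY):
    """Run whois_exchange against the stub over a local socket pair."""
    client, server = socket.socketpair()
    client.settimeout(5.0)
    worker = threading.Thread(target=_stub_server, args=(server, reply))
    worker.start()
    try:
        return whois_exchange(client, query, max_reply)
    finally:
        client.close()
        worker.join()
```

RFC 3912 notes that the protocol has no integrity or confidentiality mechanisms, so whatever `whois_exchange` returns should be handled as unauthenticated text.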


WHOIS lookups were traditionally performed with a command line interface application, but now many alternative web-based tools exist. WHOIS has a sister protocol called Referral Whois (RWhois).

A WHOIS database consists of a set of text records for each resource. These text records consist of various items of information about the resource itself and any associated information on assignees and registrants, as well as administrative information such as creation and expiration dates.

Two data models exist for storing resource information in a WHOIS database, the thick and the thin model.

Thin and thick lookups

WHOIS information can be stored and looked up according to either a thick or a thin data model:

  • Thick: A Thick WHOIS server stores the complete WHOIS information from all the registrars for the particular set of data (so that one WHOIS server can respond with WHOIS information on all .org domains, for example).
  • Thin: A Thin WHOIS server stores only the name of the WHOIS server of the registrar of a domain, which in turn has the full details on the data being looked up (such as the .com WHOIS servers, which refer the WHOIS query to the registrar where the domain was registered).

The thick model usually ensures consistent data and slightly faster queries, since only one WHOIS server needs to be contacted. If a registrar goes out of business, a thick registry contains all important information (if the registrant entered correct data, and privacy features were not used to obscure the data) and registration information can be retained. But with a thin registry, the contact information might not be available, and it could be difficult for the rightful registrant to retain control of the domain.

If a WHOIS client did not understand how to deal with this situation, it would display the full information from the registrar. Unfortunately, the WHOIS protocol has no standard for determining how to distinguish the thin model from the thick model.

Specific details of which records are stored vary among domain name registries. Some top-level domains, including com and net, operate a thin WHOIS, requiring domain registrars to maintain their own customers' data. The other global top-level registries, including org, operate a thick model. Each country-code top-level registry has its own national rules.


The first applications written for the WHOIS information system were command line interface tools for Unix and Unix-like operating systems (e.g., Solaris, Linux, etc.). WHOIS client and server software is distributed as free open-source software and binary distributions are included with all Unix-like systems. Various commercial Unix implementations may use a proprietary implementation (for example, Solaris 7).

A WHOIS command line client passes a phrase given as an argument directly to the WHOIS server. Various free open source examples can still be found on However, most modern WHOIS tools implement command line flags or options, such as the -h option to access a specific server host, but default servers are preconfigured. Additional options may allow control of the port number to connect on, displaying additional debugging data, or changing recursion/referral behavior.

Like most TCP/IP client-server applications, a WHOIS client takes the user input and then opens an Internet socket to its destination server. The WHOIS protocol manages the transmission of the query and reception of results.


With the advent of the World Wide Web and especially the loosening up of the Network Solutions monopoly, looking up WHOIS information via the web has become quite common. At present, popular web-based WHOIS-queries may be conducted from ARIN, RIPE and APNIC. Most early web-based WHOIS clients were merely front-ends to a command-line client, where the resulting output just gets displayed on a web page with little, if any, clean-up or formatting.

Currently, web-based WHOIS clients usually perform the WHOIS queries directly and then format the results for display. Many such clients are proprietary, authored by domain name registrars.

The need for web-based clients came from the fact that command-line WHOIS clients largely existed only in the Unix and large computing worlds. Microsoft Windows and Macintosh computers had no WHOIS clients installed by default, so registrars had to find a way to provide access to WHOIS data for potential customers. Many end-users still rely on such clients, even though command line and graphical clients exist now for most home PC platforms. Microsoft provides the Sysinternals Suite that includes a whois client at no cost.

There are also many sites not owned by registrars or Internet-related companies. These support most of the main TLDs and remain free. But most web-based WHOIS sites are incomplete and do not support all TLDs or IP searches.

Some work from a built-in WHOIS server list, while others try to retrieve the server that fits the requested TLD from a live Domain Information Groper query (command line clients do this query in the background first).

CPAN has several Perl modules available that work with WHOIS servers. Many of them are not current and do not fully function with the current (2005) WHOIS server infrastructure. However, there is still much useful functionality to derive, including looking up AS numbers and registrant contacts.


Regional Internet registries



WHOIS servers operated by Regional Internet Registries (RIR) can be queried directly to determine the Internet Service Provider responsible for a particular resource.

The records of each of these registries are cross-referenced, so that a query to ARIN for a record which belongs to RIPE will return a place-holder pointing to the RIPE WHOIS server. This lets the WHOIS user making the query know that the detailed information resides on the RIPE server. In addition to the RIR servers, commercial services exist, such as the Routing Assets Database used by some large networks (e.g., large Internet providers that acquired other ISPs in several RIR areas).
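Because the protocol gives a client no standard signal for a thin answer or a registry place-holder, clients find the referral line heuristically; the Python below is an added example, not code from the original article, that follows such referrals with a hop limit and treats the referred host as untrusted input. The label names, the `fetch` callable, the server names and the sample replies are assumptions constructed for illustration.

```python
import re

# Labels that registries commonly use for referral lines. The protocol defines
# none of them, so this list is an assumption to be maintained per registry.
REFERRAL = re.compile(
    r"^[ \t]*(?:Registrar WHOIS Server|ReferralServer|refer):[ \t]*(\S+)[ \t]*\r?$",
    re.IGNORECASE | re.MULTILINE)
# Plain DNS names only: rejects IP literals, ports, paths and bare labels.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def referral_host(reply):
    """Return the WHOIS host a reply refers to, or None if there is none."""
    match = REFERRAL.search(reply)
    if not match:
        return None
    target = match.group(1).lower()
    if target.startswith("whois://"):
        target = target[len("whois://"):]
    # The value is server-controlled text, so validate it before connecting.
    return target if HOSTNAME.match(target) else None


def lookup(query, first_server, fetch, max_hops=3):
    """Follow referrals from first_server; return [(server, reply), ...]."""
    chain, seen, server = [], set(), first_server
    while server and server not in seen and len(chain) < max_hops:
        seen.add(server)
        reply = fetch(server, query)
        chain.append((server, reply))
        server = referral_host(reply)
    return chain


# Constructed replies keyed by hypothetical server name.
SAMPLE = {
    "whois.registry.test": "Domain Name: EXAMPLE.TEST\r\n"
                           "Registrar WHOIS Server: whois.registrar.test\r\n",
    "whois.registrar.test": "Domain Name: example.test\r\n"
                            "Registrant Organization: Example Org\r\n",
}

if __name__ == "__main__":
    for server, reply in lookup("example.test", "whois.registry.test",
                                lambda s, q: SAMPLE[s]):
        print("==", server)
        print(reply, end="")
```

A name that passes the hostname check can still resolve to an internal address, so a client that connects on these referrals should also check the resolved address before opening the socket.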

Server discovery

There is currently no standard for determining the responsible WHOIS server for a DNS domain, though a number of methods are in common use for top-level domains (TLDs). Some WHOIS lookups require searching the procuring domain registrar to display domain owner details.

Example: WHOIS "" via any 3rd party WHOIS lookup service ( ) will reveal as the registrar of the domain, and require a search of's website WHOIS to reveal the owner.

Source: Wikipedia