Whois: a Practical Guide presented by Oleksandr Berchenko

Posted on 31-Dec-2015

Page 1

Whois: a Practical Guide

presented by Oleksandr Berchenko

Page 2

Hello! :)

Page 3

Who... who what!?

What is going on here?

Page 4

What is Whois?

"WHOIS (pronounced as the phrase who is) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name or an IP address block."

http://en.wikipedia.org/wiki/Whois

Page 5

Example

SoftServe Inc.
12800 University Drive, Suite 410
Fort Myers, FL 33907
US

Domain name: SOFTSERVEINC.COM

Administrative Contact:
Churak, Viktor [email protected]
12800 University Drive, Suite 410
Fort Myers, FL 33907
US
+1.2398291234

Technical Contact:
Churak, Viktor [email protected]
12800 University Drive, Suite 410
Fort Myers, FL 33907
US
+1.2398291234
…

Registrar of Record: Domain.com
Record last updated on 29-Apr-2013.
Record expires on 26-Aug-2015.
Record created on 26-Aug-2008.

Page 6

"A WHOIS server listens on TCP port 43 for requests from WHOIS clients. The WHOIS client makes a text request to the WHOIS server, then the WHOIS server replies with text content. All requests are terminated with ASCII CR and then ASCII LF."

RFC 3912

Page 7

Three Principal Problems

• How to find a whois server?

• How to send a request?

• How to parse the result?

Page 8

Existing Solutions: Unix whois

• How to find a whois server? Basic discovery (whois-servers.net); minimal hardcode

• How to send a request? Minimal hardcode

• How to parse the result? N/A

Page 9

Existing Solutions: Unix whois

$ whois google.com
GOOGLE.COM.ZZZZZZZZZZZZZZZZZZZZZZZZZZZ.LOVE.AND.TOLERANCE.THE-WONDERBOLTS.COM
GOOGLE.COM.ZZZZZZZZZZZZZZZZZZZZZZZZZZ.HAVENDATA.COM
GOOGLE.COM.ZZZZZZZZZZZZZ.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
...
GOOGLE.COM.AU
GOOGLE.COM.AR
GOOGLE.COM.ALL.THE.PEOPLE.WHO.SPAM.THE.WHOIS.ARE.SERIOUSLY.ANNOYING.SOMEPONY.COM
GOOGLE.COM.AFRICANBATS.ORG
GOOGLE.COM.9.THE-WONDERBOLTS.COM
GOOGLE.COM.1.THE-WONDERBOLTS.COM
GOOGLE.COM

To single out one record, look it up with "xxx", where xxx is one of the records displayed above. If the records are the same, look them up with "=xxx" to receive a full display for each record.

Page 10

Existing Solutions: Unix whois

$ whois 8.8.8.8
Level 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1) 8.0.0.0 - 8.255.255.255
Google Incorporated LVLT-GOOGL-1-8-8-8 (NET-8-8-8-0-1) 8.8.8.0 - 8.8.8.255.

Page 11

Existing Solutions: jwhois

• How to find a whois server? Crazy hardcode

• How to send a request? Some hardcode

• How to parse the result? Some hardcode

- Web scraping (some hardcode)
- GPL-3 License
- Last update was in April, 2011

google.com
8.8.8.8

Page 12

Existing Solutions: Ruby whois

• How to find a whois server? Paranoid hardcode

• How to send a request? Paranoid hardcode

• How to parse the result? Paranoid hardcode

- Web scraping (paranoid hardcode)
- You need Ruby
- Updates every 1-2 weeks

? google.com
? 8.8.8.8

Page 13

Is there any better approach?

Page 14

Is there any better approach?

• How to find a whois server? Smart extensive discovery; minimal hardcode

• How to send a request? Smart "try and catch"; minimal hardcode

• How to parse the result? Smart parsing algorithm; minimal hardcode

Page 15

How to find a whois server for a domain?

• "whois -h whois.iana.org <top level domain>"

$ whois -h whois.iana.org ua
domain: UA
organisation: Communication Systems Ltd
address: vul Vavilovykh 18
address: Kyiv 04060
address: Ukraine
...
whois: whois.ua
status: ACTIVE
remarks: Registration information: http://hostmaster.ua/
created: 1992-12-01
changed: 2012-04-24
source: IANA

Page 16

How to find a whois server for a domain?

• whois.nic.<top level domain>
• whois.<top level domain>

whois.nic.fr
whois.nic.it
whois.biz

whois.registro.br = whois.nic.br

Page 17

How to find a whois server for a domain?

• whois.<second level domain>
• whois.nic.<second level domain>

whois.za.net
whois.eu.org
whois.nic.priv.at

whois.centralnic.com = whois.ae.org
whois.informika.ru = whois.edu.ru

Page 18

How to find a whois server for a domain?

- cache existing and nonexistent servers

- follow links

$ whois -h whois.verisign-grs.com 'domain google.com'
Domain Name: GOOGLE.COM
Registrar: MARKMONITOR INC.
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: NS1.GOOGLE.COM
Name Server: NS2.GOOGLE.COM
Name Server: NS3.GOOGLE.COM
...
Updated Date: 20-jul-2011
Creation Date: 15-sep-1997
Expiration Date: 14-sep-2020

- link to a site as an alternative to web scraping
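The discovery strategy of pages 15 to 18 (ask IANA for the TLD's "whois:" field, fall back to the conventional whois.nic.<tld> / whois.<tld> / whois.<sld> names, cache both servers that answered and servers that do not exist, and follow "Whois Server:" links) written out as an added example. This is not the talk's own code. It sends the bare domain as the query; the transport is a constructed in-memory dict so it runs offline, and every server name in it other than whois.iana.org, whois.ua and whois.verisign-grs.com is made up for the example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Transport: (server, query) -> response text; raises OSError when the host does
# not exist or refuses the connection.  A real one opens TCP/43 (RFC 3912); the
# constructed dict-backed fake at the bottom stands in for it here.
Transport = Callable[[str, str], str]

# IANA's TLD records carry a "whois:" line (see the 'ua' sample on page 15);
# thin registries such as VeriSign answer with a "Whois Server:" link (page 18).
_IANA_WHOIS = re.compile(r"^whois:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
_REFERRAL = re.compile(r"^\s*Whois Server:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def guessed_servers(domain: str) -> List[str]:
    """Conventional names to try when IANA gives nothing: whois.nic.<tld>,
    whois.<tld>, then whois.<sld> and whois.nic.<sld> for names with 3+ labels."""
    labels = domain.lower().strip(".").split(".")
    tld = labels[-1]
    out = [f"whois.nic.{tld}", f"whois.{tld}"]
    if len(labels) >= 3:                      # e.g. foo.za.net -> whois.za.net
        sld = ".".join(labels[-2:])
        out += [f"whois.{sld}", f"whois.nic.{sld}"]
    return out


def referral(text: str) -> Optional[str]:
    """The server a thin registry's answer points at, or None."""
    m = _REFERRAL.search(text)
    return m.group(1).lower() if m else None


class Discovery:
    """Finds and caches a whois server per TLD; remembers dead hosts too, so a
    nonexistent whois.nic.<tld> is not re-tried on every lookup."""

    def __init__(self, send: Transport) -> None:
        self.send = send
        self.alive: Dict[str, bool] = {}      # server -> answered? (negative cache)
        self.by_tld: Dict[str, str] = {}      # tld -> server that answered

    def _probe(self, server: str, query: str) -> Optional[str]:
        if self.alive.get(server) is False:
            return None
        try:
            text = self.send(server, query)
        except OSError:
            self.alive[server] = False
            return None
        self.alive[server] = True
        return text

    def server_for(self, domain: str) -> Optional[str]:
        tld = domain.lower().strip(".").rsplit(".", 1)[-1]
        if tld in self.by_tld:
            return self.by_tld[tld]
        candidates: List[str] = []
        m = _IANA_WHOIS.search(self._probe("whois.iana.org", tld) or "")
        if m:
            candidates.append(m.group(1).lower())
        candidates += guessed_servers(domain)
        for server in candidates:
            if self._probe(server, domain) is not None:
                self.by_tld[tld] = server
                return server
        return None

    def lookup(self, domain: str, max_hops: int = 3) -> Tuple[Optional[str], str]:
        """Query the TLD's server, then follow "Whois Server:" links, bounded."""
        server = self.server_for(domain)
        text = ""
        for _ in range(max_hops):
            if server is None:
                break
            text = self._probe(server, domain) or ""
            nxt = referral(text)
            if not nxt or nxt == server:
                break
            server = nxt
        return server, text


# Constructed offline transport: sample data made up for this example (the IANA
# 'ua' lines echo page 15; whois.registrar.example and *.zz-test are invented).
_FAKE = {
    ("whois.iana.org", "ua"): "domain:  UA\nwhois:   whois.ua\nstatus:  ACTIVE\n",
    ("whois.iana.org", "com"): "domain:  COM\nwhois:   whois.verisign-grs.com\n",
    ("whois.ua", "example.ua"): "% constructed record for example.ua\n",
    ("whois.verisign-grs.com", "example.com"):
        "   Domain Name: EXAMPLE.COM\n   Whois Server: whois.registrar.example\n",
    ("whois.registrar.example", "example.com"):
        "Domain Name: example.com\nRegistrant: (constructed)\n",
    ("whois.nic.zz-test", "foo.zz-test"): "constructed record for foo.zz-test\n",
}
_KNOWN = {server for server, _ in _FAKE} | {"whois.iana.org"}


def fake_send(server: str, query: str) -> str:
    if (server, query) in _FAKE:
        return _FAKE[(server, query)]
    if server in _KNOWN:                      # a live server with no match still answers
        return "% no match (constructed)\n"
    raise OSError(f"connection refused: {server}")


if __name__ == "__main__":
    d = Discovery(fake_send)
    for name in ("example.ua", "example.com", "foo.zz-test", "x.qq-test"):
        print(name, d.lookup(name))
```

The negative cache only records connection failures; a server that answers "no match" stays marked alive, which is why the fake distinguishes the two. Bounding `max_hops` matters in practice: a referral chain that points back at itself, or at a host that refers onward forever, must not turn one lookup into an unbounded loop.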

Page 19

How to find a whois server for an IP?

• whois.arin.net    North America
• whois.apnic.net   Asia & Pacific Ocean
• whois.ripe.net    Europe & Near East
• whois.afrinic.net Africa
• whois.lacnic.net  Latin America
• whois.iana.org    unallocated & reserved

Page 20

How to find a whois server for an IP?

- RIPE and AfriNIC aggressively ban users with too many requests
- LACNIC works as a proxy
- follow links

Page 21

add more pictures!

Page 22

How to send a request?

- some servers require their own syntax
- "try and catch" to detect VeriSign servers
- "try and catch" to detect Rwhois servers

all VeriSign servers  "domain <domain>\r\n"
whois.denic.de        "-C UTF-8 -T dn,ace <domain>\r\n"
whois.arin.net        "n + <IP>\r\n"
…
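The RFC 3912 exchange from page 6 and the per-server syntaxes from this slide, as an added example that is not the talk's own code. `build_request` is a pure function (so the framing can be checked without a network), `raw_query` does the real TCP/43 round trip, and `query_with_retry` is one reading of the slide's "try and catch": a bare query answered with VeriSign's multi-record list (the "To single out one record" text shown on page 9) marks the server as VeriSign and is resent with the `domain ` prefix. The VeriSign marker, the Rwhois banner check and the initial server sets are this example's assumptions; the slide writes `whois.arin.org`, but ARIN's server is `whois.arin.net`, as page 19 lists it.

```python
import socket

CRLF = b"\r\n"

# Per-server syntax from the slide.  VeriSign's thin servers want "domain ",
# DENIC wants its flags, ARIN's "n + <IP>" asks for the network record in full.
# These tables are only a seed: the talk grows the VeriSign list by try-and-catch.
VERISIGN_SERVERS = {"whois.verisign-grs.com"}
SPECIAL_SYNTAX = {
    "whois.denic.de": "-C UTF-8 -T dn,ace {q}",
    "whois.arin.net": "n + {q}",
}

# Assumption: a VeriSign server that matched several records prints this line
# (it appears in the page-9 output); Rwhois servers open with a "%rwhois" banner.
_VERISIGN_MARKER = 'To single out one record, look it up with "xxx"'
_RWHOIS_BANNER = "%rwhois"


def build_request(server: str, query: str) -> bytes:
    """The exact bytes written to TCP/43: one ASCII line, CRLF-terminated.
    IDNs must already be in their ACE (punycode) form."""
    if "\r" in query or "\n" in query:
        # A second line would be read by the server as a second command.
        raise ValueError("whois query must be a single line")
    server = server.lower()
    if server in VERISIGN_SERVERS:
        line = f"domain {query}"
    else:
        line = SPECIAL_SYNTAX.get(server, "{q}").format(q=query)
    return line.encode("ascii") + CRLF


def is_verisign_response(text: str) -> bool:
    return _VERISIGN_MARKER in text


def is_rwhois_response(text: str) -> bool:
    return text.lstrip().lower().startswith(_RWHOIS_BANNER)


def raw_query(server: str, query: str, timeout: float = 10.0) -> bytes:
    """RFC 3912: connect, send the request, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(build_request(server, query))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def query_with_retry(server: str, domain: str, send=raw_query) -> bytes:
    """Try-and-catch: send the bare domain; if the answer is VeriSign's record
    list, remember the server as VeriSign and resend with the 'domain ' prefix."""
    data = send(server, domain)
    if server.lower() not in VERISIGN_SERVERS and is_verisign_response(data.decode("latin-1")):
        VERISIGN_SERVERS.add(server.lower())
        data = send(server, domain)
    return data


if __name__ == "__main__":
    for srv, q in (("whois.verisign-grs.com", "google.com"),
                   ("whois.denic.de", "example.de"), ("whois.arin.net", "8.8.8.8")):
        print(srv, build_request(srv, q))
```

Rejecting CR and LF in the query is the one check worth keeping even in a throwaway client: the protocol has no escaping, so a query built from untrusted input would otherwise let a caller append a second command to the request.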

Page 23

Rwhois? What!?

Page 24

Ok, nevermind :)

That's just an alternate whois protocol, so complicated that nobody actually uses it, except for several freaks.

Page 25

How to parse the result?

- distinguish between valid results and errors
- if ARIN returned several results for an IP, choose the smallest range
- detect Korean and Japanese encodings
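The three parsing chores on this slide, as an added example that is not the talk's own code: classifying an answer as a valid record, a clean miss or a refusal; picking the smallest of several ARIN ranges (run over the two lines page 10 shows for `whois 8.8.8.8`); and decoding the legacy Korean and Japanese encodings. The marker phrases used for classification are this example's choice, the error line in the test is constructed, and the range parser handles the IPv4 line shape shown on page 10 only.

```python
import ipaddress
import re
from typing import Optional, Tuple

# 1. Valid result or error?  Substring heuristics; "No match for" is VeriSign's
#    wording, the refusal phrases are typical ban/throttle wording, not a full list.
_NOT_FOUND = ("no match for", "not found", "no entries found", "returned 0 objects")
_ERROR = ("access denied", "rate limit", "too many requests", "blacklisted")


def classify(text: str) -> str:
    """'error' for a refused or throttled query, 'not_found' for a miss, else 'ok'."""
    low = text.lower()
    if any(e in low for e in _ERROR):
        return "error"
    if any(n in low for n in _NOT_FOUND):
        return "not_found"
    return "ok"


# 2. ARIN listed several networks: keep the most specific one.
#    Line shape from page 10: "<org> <name> (NET-...) <first IP> - <last IP>"
_IP4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_ARIN_RANGE = re.compile(rf"\((NET-[^)]+)\)\s+({_IP4})\s*-\s*({_IP4})")


def smallest_range(text: str, ip: str) -> Optional[Tuple[str, int]]:
    """(handle, number of addresses) of the smallest listed range containing ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for handle, lo, hi in _ARIN_RANGE.findall(text):
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a <= addr <= hi_a:
            size = int(hi_a) - int(lo_a) + 1
            if best is None or size < best[1]:
                best = (handle, size)
    return best


ARIN_SAMPLE = (  # the two lines page 10 shows for 'whois 8.8.8.8'
    "Level 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1) 8.0.0.0 - 8.255.255.255\n"
    "Google Incorporated LVLT-GOOGL-1-8-8-8 (NET-8-8-8-0-1) 8.8.8.0 - 8.8.8.255.\n"
)


# 3. Korean and Japanese servers answer in legacy encodings.
def decode_whois(raw: bytes, server: str = "") -> str:
    """UTF-8 first, then CJK fallbacks ordered by the server's ccTLD.
    ISO-2022-JP is pure 7-bit ASCII plus escape sequences, so it must be
    recognised before UTF-8, which would 'succeed' and leave the escapes in."""
    if b"\x1b$B" in raw or b"\x1b$@" in raw:
        return raw.decode("iso-2022-jp", errors="replace")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        pass
    # EUC-KR and EUC-JP overlap byte-wise, so the server name picks the order.
    if server.endswith(".jp"):
        order = ("euc-jp", "shift_jis", "euc-kr")
    else:
        order = ("euc-kr", "euc-jp", "shift_jis")
    for enc in order:
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")   # never fails; the caller still sees something


if __name__ == "__main__":
    print(classify(ARIN_SAMPLE), smallest_range(ARIN_SAMPLE, "8.8.8.8"))
    print(decode_whois("日本".encode("euc-jp"), "whois.jprs.jp"))
```

The order of the two checks in `classify` is deliberate: a refusal is tested first because a throttled or banned client must not be recorded as "domain not found", which is the failure mode that quietly poisons a cache.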

Page 26

Need more details?

My article on habrahabr.ru: http://habrahabr.ru/post/165869/

My email: [email protected]

Page 27

Questions?