Whois: a Practical Guide
presented by Oleksandr Berchenko
Hello! :)
Who... who what!?
What is going on here?
"WHOIS (pronounced as the phrase who is) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name or an IP address block."
http://en.wikipedia.org/wiki/Whois
What is Whois?
Example
SoftServe Inc.
12800 University Drive, Suite 410
Fort Myers, FL 33907
US
Domain name: SOFTSERVEINC.COM
Administrative Contact:
Churak, Viktor [email protected]
12800 University Drive, Suite 410
Fort Myers, FL 33907
US
+1.2398291234
Technical Contact:
Churak, Viktor [email protected]
12800 University Drive, Suite 410
Fort Myers, FL 33907
US
+1.2398291234
...
Registrar of Record: Domain.com
Record last updated on 29-Apr-2013.
Record expires on 26-Aug-2015.
Record created on 26-Aug-2008.
"A WHOIS server listens on TCP port 43 for requests from WHOIS clients. The WHOIS client makes a text request to the WHOIS server, then the WHOIS server replies with text content. All requests are terminated with ASCII CR and then ASCII LF."
RFC 3912
Three Principal Problems
• How to find a whois server?
• How to send a request?
• How to parse the result?
Existing Solutions: Unix whois
• How to find a whois server? Basic discovery (whois-servers.net)
• How to send a request? Minimal hardcode
• How to parse the result? Minimal hardcode
N/A
Existing Solutions: Unix whois
$ whois google.com
GOOGLE.COM.ZZZZZZZZZZZZZZZZZZZZZZZZZZZ.LOVE.AND.TOLERANCE.THE-WONDERBOLTS.COM
GOOGLE.COM.ZZZZZZZZZZZZZZZZZZZZZZZZZZ.HAVENDATA.COM
GOOGLE.COM.ZZZZZZZZZZZZZ.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
...
GOOGLE.COM.AU
GOOGLE.COM.AR
GOOGLE.COM.ALL.THE.PEOPLE.WHO.SPAM.THE.WHOIS.ARE.SERIOUSLY.ANNOYING.SOMEPONY.COM
GOOGLE.COM.AFRICANBATS.ORG
GOOGLE.COM.9.THE-WONDERBOLTS.COM
GOOGLE.COM.1.THE-WONDERBOLTS.COM
GOOGLE.COM
To single out one record, look it up with "xxx", where xxx is one of the records displayed above. If the records are the same, look them up with "=xxx" to receive a full display for each record.
Existing Solutions: Unix whois
$ whois 8.8.8.8
Level 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1) 8.0.0.0 - 8.255.255.255
Google Incorporated LVLT-GOOGL-1-8-8-8 (NET-8-8-8-0-1) 8.8.8.0 - 8.8.8.255
Existing Solutions: jwhois
• How to find a whois server? Crazy hardcode
• How to send a request? Some hardcode
• How to parse the result? Some hardcode
- Web scraping (some hardcode)
- GPL-3 License
google.com
8.8.8.8
- Last update was in April, 2011
Existing Solutions: Ruby whois
• How to find a whois server? Paranoid hardcode
• How to send a request? Paranoid hardcode
• How to parse the result? Paranoid hardcode
- Web scraping (paranoid hardcode)
- You need Ruby
- Updates every 1-2 weeks
? google.com
? 8.8.8.8
Is there any better approach?
• How to find a whois server? Smart extensive discovery, minimal hardcode
• How to send a request? Smart "try and catch", minimal hardcode
• How to parse the result? Smart parsing algorithm, minimal hardcode
Is there any better approach?
How to find a whois server for a domain?
• "whois -h whois.iana.org <top level domain>"
$ whois -h whois.iana.org ua
domain: UA
organisation: Communication Systems Ltd
address: vul Vavilovykh 18
address: Kyiv 04060
address: Ukraine
...
whois: whois.ua
status: ACTIVE
remarks: Registration information: http://hostmaster.ua/
created: 1992-12-01
changed: 2012-04-24
source: IANA
How to find a whois server for a domain?
• whois.nic.<top level domain>
• whois.<top level domain>
whois.nic.fr
whois.nic.it
whois.biz
whois.registro.br = whois.nic.br
How to find a whois server for a domain?
• whois.<second level domain>
• whois.nic.<second level domain>
whois.za.net
whois.eu.org
whois.nic.priv.at
whois.centralnic.com = whois.ae.org
whois.informika.ru = whois.edu.ru
How to find a whois server for a domain?
- cache existing and nonexistent servers
- follow links
$ whois -h whois.verisign-grs.com 'domain google.com'
Domain Name: GOOGLE.COM
Registrar: MARKMONITOR INC.
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: NS1.GOOGLE.COM
Name Server: NS2.GOOGLE.COM
Name Server: NS3.GOOGLE.COM
...
Updated Date: 20-jul-2011
Creation Date: 15-sep-1997
Expiration Date: 14-sep-2020
- link to a site as an alternative to web scraping
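The discovery steps on the last few slides (ask IANA for the TLD, guess whois.nic.<tld>-style names, cache which guesses exist, and follow "Whois Server:" links) as one added Python example. This is not the presenter's code or any library's API; the transport is injected as a plain function so the example runs offline against constructed replies modelled on the IANA and VeriSign output shown above. The "refer:" label in the regex is an assumption drawn from current IANA output, not from the slides.

```python
import re

# Referral fields: IANA answers with "whois:" (the "whois -h whois.iana.org ua" slide),
# thin registries with "Whois Server:" (the VeriSign output above). "refer:" is an
# assumption: current IANA replies use that label as well.
REFERRAL_RE = re.compile(r"^\s*(?:whois server|whois|refer)\s*:\s*(\S+)\s*$",
                         re.IGNORECASE | re.MULTILINE)


def referral_server(reply: str):
    """Return the whois server a reply links to, or None if it carries no link."""
    m = REFERRAL_RE.search(reply)
    return m.group(1).lower().rstrip(".") if m else None


def candidate_servers(domain: str):
    """Guess hostnames from the naming patterns on the slides: whois.<sld> and
    whois.nic.<sld> for the second-level suffix, then whois.nic.<tld> and whois.<tld>."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3:  # only a registrable suffix such as za.net, never the domain itself
        sld = ".".join(labels[-2:])
        yield f"whois.{sld}"
        yield f"whois.nic.{sld}"
    tld = labels[-1]
    yield f"whois.nic.{tld}"
    yield f"whois.{tld}"


def discover_by_pattern(domain: str, probe, cache: dict):
    """Walk the candidates, consulting the cache before probing. `probe(host) -> bool`
    is the injected existence check (DNS or a test connection in real use); both hits
    and misses are cached, which is the "cache existing and nonexistent servers" point."""
    for host in candidate_servers(domain):
        if host not in cache:
            cache[host] = bool(probe(host))
        if cache[host]:
            return host
    return None


def discover_by_referral(domain: str, query, start: str = "whois.iana.org", max_hops: int = 5):
    """Start at IANA with the TLD and follow links until a reply has none.
    `query(server, text) -> str` is the injected transport; it must apply any
    per-server request syntax (e.g. the "domain " prefix VeriSign wants)."""
    tld = domain.lower().strip(".").rsplit(".", 1)[-1]
    chain = []
    server = referral_server(query(start, tld))
    while server and server not in chain and len(chain) < max_hops:
        chain.append(server)
        server = referral_server(query(server, domain))
    return chain


# Constructed replies, trimmed from the slides' IANA and VeriSign output.
CONSTRUCTED_REPLIES = {
    ("whois.iana.org", "com"): "domain: COM\nwhois: whois.verisign-grs.com\nstatus: ACTIVE\n",
    ("whois.verisign-grs.com", "google.com"):
        "Domain Name: GOOGLE.COM\nRegistrar: MARKMONITOR INC.\n"
        "Whois Server: whois.markmonitor.com\nReferral URL: http://www.markmonitor.com\n",
    ("whois.markmonitor.com", "google.com"):
        "Domain Name: google.com\nRegistrar: MarkMonitor, Inc.\n",
}


def canned_query(server: str, text: str) -> str:
    """Offline stand-in for the network transport."""
    return CONSTRUCTED_REPLIES.get((server, text), "")


if __name__ == "__main__":
    print(discover_by_referral("google.com", canned_query))
    cache = {}
    exists = {"whois.nic.fr", "whois.za.net"}  # constructed set of "existing" servers
    print(discover_by_pattern("example.za.net", lambda h: h in exists, cache), cache)
```

The loop stops on a repeated server or after `max_hops`, so a registry that links back to itself cannot spin the client forever.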
How to find a whois server for an IP?
• whois.arin.net North America
• whois.apnic.net Asia & Pacific Ocean
• whois.ripe.net Europe & Near East
• whois.afrinic.net Africa
• whois.lacnic.net Latin America
• whois.iana.org unallocated & reserved
How to find a whois server for an IP?
- RIPE and AfriNIC aggressively ban users with too many requests
- LACNIC works as a proxy
- follow links
add more pictures!
How to send a request?
- some servers require their own syntax
- "try and catch" to detect VeriSign servers
- "try and catch" to detect Rwhois servers
all VeriSign servers: "domain <domain>\r\n"
whois.denic.de: "-C UTF-8 -T dn,ace <domain>\r\n"
whois.arin.org: "n + <IP>\r\n"
...
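An added Python example of the request side: the RFC 3912 framing from the earlier slide (one line, CR LF terminated, TCP port 43), the per-server syntax table from this slide, and the "try and catch" idea for VeriSign servers, where the plain query is sent first and the "domain " form only when the reply turns out to be the ambiguous listing seen in the `whois google.com` output. This is not the presenter's code. The socket factory is injectable so the example runs offline through a constructed fake socket; the hostname whois.arin.net is the one the IP slide gives (this slide prints whois.arin.org), and the canned replies are constructed.

```python
import socket

# Servers whose syntax the slide spells out; anything else gets the bare "<query>\r\n".
SERVER_SYNTAX = {
    "whois.denic.de": "-C UTF-8 -T dn,ace {q}",
    "whois.arin.net": "n + {q}",
}

# Text a VeriSign-style thin registry appends to an ambiguous listing (see the
# "whois google.com" slide). Its presence is the "catch" in "try and catch".
VERISIGN_LISTING_HINT = "To single out one record"


def build_request(server: str, query: str) -> bytes:
    """The exact bytes to send: per-server prefix, the query, then CR LF (RFC 3912)."""
    if "\r" in query or "\n" in query:
        raise ValueError("a whois query is a single line")
    template = SERVER_SYNTAX.get(server.lower(), "{q}")
    return (template.format(q=query) + "\r\n").encode("ascii")


def whois_query(server: str, query: str, connect=None, port: int = 43, timeout: float = 10.0) -> bytes:
    """Send one request and read until the server closes the connection.
    `connect` is an optional factory returning a socket-like object; by default it
    opens a real TCP connection to port 43, in the example below it yields FakeSocket."""
    if connect is None:
        connect = lambda: socket.create_connection((server, port), timeout=timeout)
    chunks = []
    with connect() as sock:
        sock.sendall(build_request(server, query))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def query_with_fallback(server: str, query: str, connect=None) -> bytes:
    """'Try and catch': plain query first; if the reply is a VeriSign-style listing,
    resend with the "domain " prefix to get the single exact record."""
    raw = whois_query(server, query, connect)
    if VERISIGN_LISTING_HINT.encode() in raw and not query.lower().startswith("domain "):
        raw = whois_query(server, "domain " + query, connect)
    return raw


class FakeSocket:
    """Constructed stand-in for a TCP socket: records what was sent, replays a canned reply."""

    def __init__(self, reply: bytes):
        self._reply, self._pos, self.sent = reply, 0, b""

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, n: int) -> bytes:
        chunk = self._reply[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_connect(replies):
    """Return (connect, log): each connect() yields a FakeSocket replaying the next
    canned reply; log keeps the sockets so the bytes actually sent can be inspected."""
    queue, log = list(replies), []

    def connect():
        sock = FakeSocket(queue.pop(0))
        log.append(sock)
        return sock

    return connect, log


# Constructed replies modelled on the slides' listing and VeriSign record output.
LISTING_REPLY = (b"GOOGLE.COM.AU\r\nGOOGLE.COM\r\n"
                 b"To single out one record, look it up with \"xxx\" ...\r\n")
RECORD_REPLY = (b"Domain Name: GOOGLE.COM\r\nRegistrar: MARKMONITOR INC.\r\n"
                b"Whois Server: whois.markmonitor.com\r\n")

if __name__ == "__main__":
    connect, log = fake_connect([LISTING_REPLY, RECORD_REPLY])
    print(query_with_fallback("whois.verisign-grs.com", "google.com", connect).decode())
    print([s.sent for s in log])  # the two requests that went out
```

Rejecting CR or LF inside the query matters: the protocol is line based, so an attacker-controlled query containing a newline would otherwise be sent as two requests.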
Rwhois? What!?
Ok, nevermind :)
That's just an alternate whois protocol, so complicated that nobody actually uses it, except for several freaks.
How to parse the result?
- distinguish between valid results and errors
- if ARIN returned several results for an IP, choose the smallest range
- detect Korean and Japanese encodings
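The three parsing points on this slide as one added Python example (not the presenter's code): an error check, the smallest enclosing ARIN range for the queried address, and decoding of replies that may be EUC-KR or ISO-2022-JP rather than ASCII. The error phrases and the encoding trial order are assumptions based on common server wordings; the ARIN sample is constructed from the two lines shown on the `whois 8.8.8.8` slide.

```python
import ipaddress
import re

# Phrases that mark an empty or failed lookup; a collected assumption, the slide only
# says errors must be told apart from records.
ERROR_MARKERS = ("no match", "not found", "no entries found", "no data found")

# Trial order when the server gives no encoding hint (assumption). EUC-KR and EUC-JP
# overlap byte-wise, so a per-server hint beats guessing when one is available.
TRY_ENCODINGS = ("utf-8", "euc-kr", "euc-jp", "shift_jis")

# ARIN summary line: "... (NET-8-8-8-0-1) 8.8.8.0 - 8.8.8.255"
RANGE_RE = re.compile(r"\((?P<handle>NET-[\w-]+)\)\s+(?P<start>[\d.]+)\s*-\s*(?P<end>[\d.]+)")


def is_error(text: str) -> bool:
    """True when the reply reads as 'no record' rather than as a record."""
    body = text.strip().lower()
    return not body or any(marker in body for marker in ERROR_MARKERS)


def decode_reply(raw: bytes, hint: str = None) -> str:
    """Turn raw server bytes into text. ISO-2022-JP is pure 7-bit and would 'decode'
    as UTF-8 into escape-sequence garbage, so its ESC $ B / ESC $ @ switches are
    checked first; then an optional caller-supplied encoding; then strict trials."""
    if b"\x1b$B" in raw or b"\x1b$@" in raw:
        return raw.decode("iso-2022-jp")
    for enc in ((hint,) if hint else ()) + TRY_ENCODINGS:
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")  # cannot fail; keeps the bytes visible for a human


def smallest_range(text: str, ip: str):
    """ARIN may list every enclosing block (8.0.0.0/8 and 8.8.8.0/24 for 8.8.8.8).
    Return the narrowest one that actually contains the queried address."""
    addr = int(ipaddress.IPv4Address(ip))
    best = None
    for m in RANGE_RE.finditer(text):
        start = int(ipaddress.IPv4Address(m["start"]))
        end = int(ipaddress.IPv4Address(m["end"]))
        if start <= addr <= end and (best is None or end - start < best["size"]):
            best = {"handle": m["handle"], "start": m["start"], "end": m["end"], "size": end - start}
    return best


# Constructed from the two result lines on the "whois 8.8.8.8" slide.
ARIN_SAMPLE = (
    "Level 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1) 8.0.0.0 - 8.255.255.255\n"
    "Google Incorporated LVLT-GOOGL-1-8-8-8 (NET-8-8-8-0-1) 8.8.8.0 - 8.8.8.255\n"
)

if __name__ == "__main__":
    print(smallest_range(ARIN_SAMPLE, "8.8.8.8"))
    print(is_error('No match for "NOSUCHDOMAIN-EXAMPLE.COM".'), is_error(ARIN_SAMPLE))
    print(decode_reply("등록인: 홍길동".encode("euc-kr")))
    print(decode_reply("登録者名: 例".encode("iso-2022-jp")))
```

Filtering on "contains the queried address" is the important part of `smallest_range`: a reply can carry blocks that are merely adjacent to the address, and picking the smallest of those would attribute the IP to the wrong organisation.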
Need more details?
My article on habrahabr.ru: http://habrahabr.ru/post/165869/
My email: [email protected]
Questions?