whois network
who owns that domain? one command, no sketchy lookup sites.
The whois man page is barely 100 lines long. The command itself is equally simple. You type whois and a domain, and it tells you who registered it, when it expires, and which nameservers it uses.
You wanted to know who owns a domain. So you Googled “whois lookup.” You clicked the first result. It was a site called something like “whoisdomaintools.info” with a design that hasn’t been updated since 2009. You typed the domain. You clicked “Lookup.” The site showed you results surrounded by ads for “Buy this domain!” and “Domain monitoring services!” and “Is this domain available? Check now!” It tried to upsell you three times before showing the actual registration data.
Then you noticed the site was tracking you with seventeen cookies and you realized you just gave a random web service the domain you were researching, which — if you were doing any kind of competitive analysis, threat hunting, or incident response — is information you probably didn’t want to share.
whois queries the registrar database directly. No ads. No tracking. No cookies. No sketchy web intermediary.
Unless you’re running Windows then wtf none of this applies to you. But hey, come to the dark side, go install WSL2 and you can follow along. We’ll wait. Impatiently.
If you’re lazy like me (all sysadmins are!) then click here for the whois cheat sheet.
Look up a domain
whois example.com
Returns everything the registrar has on record: registrant info, registration date, expiration date, nameservers, registrar name, status codes, and more.
The output is verbose. The important parts are:
Domain Name: EXAMPLE.COM
Registrar: ICANN
Creation Date: 1995-08-14
Expiry Date: 2025-08-13
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
Status: clientDeleteProhibited
That tells you the domain was registered in 1995, expires in 2025, uses IANA’s nameservers, and has protections against unauthorized deletion.
Check when a domain expires
whois example.com | grep -i expir
Expiry Date: 2025-08-13T04:00:00Z
One line. The expiration date. This is how you check if a domain you depend on is about to lapse — before it disappears and someone else registers it. Set a calendar reminder. Don’t rely on your registrar’s renewal emails making it past your spam filter.
Find the registrar
whois example.com | grep -i registrar
Registrar: Example Registrar, Inc.
Registrar URL: http://www.example-registrar.com
Registrar IANA ID: 9999
Who manages this domain? Useful when you need to contact someone about a domain — abuse reports, transfer requests, or figuring out which account holds a domain your company registered in 2012 and nobody remembers who set it up.
Check nameservers
whois example.com | grep -i "name server"
Name Server: NS1.CLOUDFLARE.COM
Name Server: NS2.CLOUDFLARE.COM
Which nameservers is the domain using? This tells you where DNS is managed — Cloudflare, AWS Route 53, GoDaddy, your registrar’s default nameservers. Cross-reference with dig when debugging DNS issues.
Check domain status codes
The status codes tell you what can and can’t be done with the domain:
| Status | What it means |
|---|---|
| clientDeleteProhibited | Can’t be deleted without registrar action. |
| clientTransferProhibited | Can’t be transferred to another registrar. |
| clientUpdateProhibited | DNS records can’t be changed at registry level. |
| serverHold | Domain is suspended by the registry. Not resolving. |
| redemptionPeriod | Domain expired and is in a grace period before release. |
| pendingDelete | Domain is about to be released for registration. |
If you see serverHold, the domain is effectively dead until the registry lifts the hold. If you see redemptionPeriod, someone forgot to renew and has a limited window to recover it.
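The expiry check and the status codes above, combined into one filter over whois output, as an added example that is not from the original post. The function name whois_audit, the 30-day warning threshold, the constructed sample record and the choice to warn on a missing clientTransferProhibited lock are assumptions of this example.

```shell
#!/bin/sh
# Added example. Usage: whois example.com | whois_audit [YYYY-MM-DD] [WARN_DAYS]
whois_audit() {
  awk -v today="${1:-$(date -u +%Y-%m-%d)}" -v warn="${2:-30}" '
    # Days since 1970-01-01 for a Gregorian date (avoids GNU-only date -d).
    function days(y, m, d,    era, yoe, doy) {
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    function daynum(s) {
      return days(substr(s, 1, 4) + 0, substr(s, 6, 2) + 0, substr(s, 9, 2) + 0)
    }
    BEGIN { bad["serverhold"]; bad["redemptionperiod"]; bad["pendingdelete"] }
    { line = tolower($0) }
    # Field names vary by registry; legal footers mention expiry without a date.
    line ~ /expir/ && expiry == "" {
      if (match($0, /[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/))
        expiry = substr($0, RSTART, RLENGTH)
    }
    # Matches "Status: code" and "Domain Status: code https://icann.org/epp#code".
    line ~ /status:/ {
      code = $0; sub(/^[^:]*:[ \t]*/, "", code); sub(/[ \t\r].*$/, "", code)
      seen[tolower(code)] = code
    }
    END {
      if (expiry == "") { print "WARN expiry=unknown"; rc = 1 } else {
        left = daynum(expiry) - daynum(today)
        level = (left < 0) ? "CRIT" : ((left <= warn + 0) ? "WARN" : "OK")
        if (level != "OK") rc = 1
        printf "%s expiry=%s days_left=%d\n", level, expiry, left
      }
      for (s in bad) if (s in seen) { print "CRIT status=" seen[s]; rc = 1 }
      # Policy of this example: a missing transfer lock is worth a warning.
      if (!("clienttransferprohibited" in seen)) {
        print "WARN missing=clientTransferProhibited"; rc = 1
      }
      exit rc + 0
    }'
}
# Constructed sample record, so the demo runs offline.
sample_whois() {
  printf '%s\n' '   Domain Name: EXAMPLE.COM' \
    '   Registry Expiry Date: 2025-08-13T04:00:00Z' \
    '   Domain Status: redemptionPeriod https://icann.org/epp#redemptionPeriod'
}
sample_whois | whois_audit 2025-07-20 30 || true
```

The exit status is non-zero whenever anything is flagged, so the function can gate a cron job or a monitoring check.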
Look up an IP address
whois 8.8.8.8
Returns the organization that owns the IP block, their contact info, and the network range. This is how you find out who owns a mystery IP that keeps showing up in your logs.
NetRange: 8.8.8.0 - 8.8.8.255
CIDR: 8.8.8.0/24
NetName: LVLT-GOGL-8-8-8
Organization: Google LLC
That’s Google’s public DNS. If the IP in your logs belongs to a cloud provider, a hosting company, or a suspicious network, whois tells you who to contact.
Look up an AS number
whois AS15169
AS (Autonomous System) numbers identify networks on the internet. AS15169 is Google. This is useful in threat intelligence and network analysis — when you need to know who operates a network block and how it’s routed.
Privacy protection
Many domain registrations now use privacy protection (WHOIS privacy or “redacted for privacy”). Instead of the registrant’s name and address, you’ll see:
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
This is normal and expected. GDPR accelerated this — most registrars now enable privacy by default. The registrar still has the real info; it’s just not publicly visible.
For domains without privacy protection, you can see the registrant’s name, organization, email, and sometimes phone number and address. Don’t use this to harass people.
The flags that actually matter
whois is simple — it barely has flags. The useful stuff is in how you filter the output.
| Command | What it does |
|---|---|
| whois domain.com | Full domain lookup. |
| whois IP | IP address ownership lookup. |
| whois ASN | AS number lookup. |
| whois -h SERVER domain | Query a specific WHOIS server. |
| \| grep -i expir | Extract expiration date. |
| \| grep -i registrar | Extract registrar info. |
| \| grep -i "name server" | Extract nameservers. |
| \| grep -i status | Extract domain status codes. |
“But I use a web-based—”
We talked about this.
“DomainTools has detailed history.” DomainTools is genuinely useful for historical WHOIS data, reverse lookups, and domain intelligence. It’s also a paid service. For current registration data, whois domain.com gives you the same information for free, instantly, without an account.
“I use who.is because it’s pretty.” who.is reformats the WHOIS data into a clean web interface. It’s fine. It’s also adding a step between you and the data — your query goes through their servers, gets parsed, rendered with ads, and returned to you slower than the direct lookup would have taken.
“ICANN Lookup is the official tool.” ICANN’s web-based WHOIS lookup (lookup.icann.org) is legitimate and ad-free. But it’s still a web interface that requires a browser, a page load, and a form submission. whois is one command. And it works when you’re SSH’d into a server doing incident response at 3 AM.
“I don’t need WHOIS, I just manage my own domains.” Until a phishing domain pops up that looks suspiciously like yours. Or a customer reports a suspicious email from “your” domain that isn’t actually yours. Or you need to figure out when a competitor registered a domain. WHOIS is a research tool, not just a domain management tool.
whois cheat sheet
You made it. Or you skipped straight here. Either way, no judgment. Copy and paste these. Pin them. Tattoo them on your forearm. Whatever works.
| What you’re doing | Command |
|---|---|
| Full domain lookup | whois example.com |
| Check expiration | whois example.com \| grep -i expir |
| Find the registrar | whois example.com \| grep -i registrar |
| Check nameservers | whois example.com \| grep -i "name server" |
| Domain status | whois example.com \| grep -i status |
| IP address ownership | whois 8.8.8.8 |
| AS number lookup | whois AS15169 |
The one command:
whois domain.com — who registered it, when it expires, and where it’s pointed. Three questions answered in one second.