Using whois/jwhois on Linux

The whois and jwhois commands allow you to retrieve a lot of information on Internet domains–likely a lot more than you might imagine. Here’s how these commands work and how they can be useful.

To get started, you probably already use nslookup to check on domain names. When you do, you’ll see output like this:

$ nslookup networkworld.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   networkworld.com
Address: 151.101.2.165
Name:   networkworld.com
Address: 151.101.66.165
Name:   networkworld.com
Address: 151.101.194.165
Name:   networkworld.com
Address: 151.101.130.165

The nslookup command queries name servers, so its output provides IP addresses for the queried domain and verifies the domain name is valid, but whois commands provide extensive details on the domain registration, domain status, responsible organizations, their locations, etc., giving you a lot more insight into domains.

What whois commands do

The whois and the jwhois commands work pretty much the same way. The jwhois command is newer, more configurable, and maybe even faster than whois.  Both query WHOIS servers from the Linux command line. WHOIS services are mainly run by registrars and registries, and they manage a lot of details on each domain registration. WHOIS is itself a query and response protocol that plays a very important role on the Internet.

WHOIS servers are servers set up by a ICANN accredited registrars to acquire and maintain up-to-date information about domains that are registered within it. There appear to be hundreds of such servers scattered around the globe, many for generic domains like .com and .org. but also for a large number of not-so-obvious domain extensions. Here’s a list of what you might find when you look into them:

ac      biz     cn.com  gb      id      li      na      pro     su      uk.com
ad      bj      co      gb.com  ie      london  name    pt      sx      uk.net
ae      bo      co.nl   gb.net  il      lt      nc      pub     sy      ac.uk
aero    br      com     qc.com  im      lu      net     pw      tc      gov.uk
af      br.com  coop    ge      in      lv      nf      qa      tel     us
ag      bt      cx      gg      info    ly      ng      re      tf      us.com
ai      bw      cy      gi      ing     ma      nl      ro      th      uy
al      by      cz      gl      ink     mc      no      rs      tj      uy.com
am      bz      de      gm      int     md      no.com  ru      tk      uz
as      bzh     dk      gov     io      me      nu      sa      tl      va
asia    ca      dm      gr      iq      mg      nz      sa.com  tm      vc
at      cat     dz      gs      ir      mil     om      sb      tn      ve
au      cc      ec      gy      is      mk      ong     sc      to      vg
aw      cd      edu     hamburg it      ml      ooo     se      top     vu
ax      ceo     ee      hiphop  je      mo      org     se.com  tp      wang
az      cf      eg      hk      jobs    mobi    paris   se.net  tr      wf
ba      ch      es      hm      jp      ms      pe      sg      travel  wiki
bar     ci      eu      hn      ke      mt      pf      sh      tw      ws
be      ck      eu.com  host    kg      mu      pics    si      tv      xxx
berlin  cl      eus     hr      ki      museum  pl      sk      tz      xyz
best    cloud   fi      ht      kr      mx      pm      sm      ua      yu
bg      club    fo      hu      kz      my      pr      st      ug      za.com
bi      cn      fr      hu.com  la      mz      press   so      uk

To determine the WHOIS server responsible for any domain, you can run commands like these:

$ whois uushenandoah.org | head -2
[Querying whois.pir.org]                
[whois.pir.org]
$ whois networkworld.com | head -2
[Querying whois.verisign-grs.com]       
[Redirected to whois.markmonitor.com]
$ whois amazon.com | head -2
[Querying whois.verisign-grs.com]       
[Redirected to.com whois.markmonitor.com]
$ whois info.pr | head -2
[Querying whois.nic.pr]                 
[whois.nic.pr]

The pr domain shown in the last example above is, as you might have guessed, in Puerto Rico.

If you were to look up information on NetworkWorld.com, you would see something like what you see below–and this is just the first 25 lines of the 82 available for display. You can see that considerable detail is provided.

$ whois networkworld.com | head -25
[Querying whois.verisign-grs.com]
[Redirected to whois.markmonitor.com]
[Querying whois.markmonitor.com]
[whois.markmonitor.com]
Domain Name: networkworld.com
Registry Domain ID: 293248_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2021-06-24T09:04:42+0000
Creation Date: 1995-07-27T07:00:00+0000
Registrar Registration Expiration Date: 2022-07-25T07:00:00+0000
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895770
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registrant Organization: International Data Group, Inc.
Registrant State/Province: MA
Admin Country: US
Admin Email: Select Request Email Form at https://domains.markmonitor.com/whois/networkworld.com
Tech Organization: Network World, Inc.
Tech State/Province: MA
Tech Country: US

This is all public information. Case is unimportant; Querying networkworld.com, NetworkWorld.CoM or NETWORKWORLD.COM will yield the same results.

The whois and jwhois commands search WHOIS servers for whatever domain you inquire about. If you mistype the domain name, you can expect to see a message like this:

$ whois networkwhirled.com | head -4
[Querying whois.verisign-grs.com]
[whois.verisign-grs.com]
No match for domain "NETWORKWHIRLED.COM".    
>>> Last update of whois database:  2021-12-05T19:46:37+0000 
The last update date and time illustrate how frequently updates are made. More than likely, it will display the current date.
NOTE: The terms of use in whois command output includes a warning that users are not authorized to run high-volume electronic processes and that you can only use the data provided for lawful purposes. Limits might be imposed if you make too many queries in a single day.
whois or jwhois?
Which command will be available on your system depends on your system.
On my Fedora, /usr/bin/whois is a symbolic link to /etc/alternatives/whois,which symbolically links to /usr/bin/jwhois. So, I can use either command, but either way I'm running jwhois.
$ which whois
/usr/bin/whois
$ ls -l /usr/bin/whois
lrwxrwxrwx. 1 root root 23 Oct 19  2020 /usr/bin/whois -> /etc/alternatives/whois
$ ls -l /etc/alternatives/whois
lrwxrwxrwx. 1 root root 15 Oct 19  2020 /etc/alternatives/whois -> /usr/bin/jwhois

My Linux Mint system uses only whois.
$ which whois
/usr/bin/whois
$ ls -l /usr/bin/whois
-rwxr-xr-x 1 root root 160480 Feb 16  2020 /usr/bin/whois
$ which jwhois
$             
In addition, I had to install whois on Linux Mint using the command below since it wasn't initially available.
$ sudo apt install whois

Wrap-Up
For more details on how DNS and how it works try:
What DNS is and how does it work
For a list of WHOIS servers, visit this site:
WHOIS servers