Whois
Whois
Whois is a passive reconnaissance tool used to gather public registration data about domain names, IP addresses, and ASNs. It queries public WHOIS databases to retrieve ownership, administrative contacts, creation/expiry dates, and registrar details — all without touching the target server directly. Whois is essential in early recon phases for identifying ownership chains, domain infrastructure, and legal responsibility.
Common Options
Query Types
| Option | Description |
|---|---|
[DOMAIN] |
Lookup WHOIS data for a domain name (e.g. example.com)
|
[IP] |
Retrieve WHOIS info for an IP address (e.g. 8.8.8.8)
|
[ASN] |
Query information for an Autonomous System Number (e.g. AS13335)
|
Server & Control
| Option | Description |
|---|---|
-h [HOST] |
Use a specific WHOIS server (e.g. whois.arin.net)
|
-p [PORT] |
Connect to a custom port on the WHOIS server |
--no-recursion |
Disable following referral WHOIS servers |
Output Handling
| Option | Description |
|---|---|
-B |
Suppress legal disclaimers (Debian variant) |
--verbose |
Print verbose output (implementation‑dependent) |
--raw |
Output the unprocessed server response |
Examples
Basic Domain Lookup
whois example.com# Shows registrar, contact info, creation/expiry dates, etc.
IP Address Lookup
whois 1.1.1.1# Shows IP range owner (e.g. Cloudflare), ASN, and network details
Autonomous System Lookup
whois AS13335# Displays info about the AS number, usually held by ISPs or CDNs
Query Specific WHOIS Server
whois -h whois.arin.net 8.8.8.8# Directs the query to ARIN for North American IP info
Suppress Legal Info
whois -B example.com# Suppresses legal disclaimers in output (Debian variant)
Disable Referral Recursion
whois --no-recursion example.com# Prevents follow‑up lookups to second‑level registrars