Better Whois


whois is a command line tool to look up registration information for domains: things like owner, location, and contact info. WHOIS (all caps) is the protocol for querying databases of domain registration (and other related) information. Each domain registrar is required to maintain a database of the domains they register. I use it fairly often when dealing with spammers and/or looking at other security issues. However, it has a few rough edges that need to be rounded off. The whois command takes the domain as its argument and spits out some data:

whois stuff-thing.net

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: STUFF-THINGS.NET
   Registrar: NETWORK SOLUTIONS, LLC.
   Sponsoring Registrar IANA ID: 2
   Whois Server: whois.networksolutions.com
   Referral URL: http://networksolutions.com
[...]

There are lots of ways to get this information in the browser as well, without the 50+ lines of disclaimers and terms of use, but it’s muscle memory for me.

The first trick for whois is to use a smarter server. By default whois checks the WHOIS server for the top-level domain, i.e. for apple.com it checks with com.whois-servers.net. That server knows about all of the *.com domains, but it doesn’t necessarily have detailed information about them. Who holds the details depends on which registrar was used. Getting the details often requires a recursive lookup, but, while WHOIS returns the name of the server to query next, whois doesn’t support recursion.

Fortunately, someone has built a smart WHOIS server. geektools.com is a proxy that supports the WHOIS protocol, but automatically handles the recursion itself. We can tell whois to use this server with the -h option and make a function:

function whois() { /usr/bin/whois -h geektools.com "$@"; }

One issue down. However, my biggest annoyance is that what I tend to be looking up is domains I copied from my browser’s search bar. While no modern browser displays the leading “http://”, they all include it in the cut buffer when the domain is copied (“https://” is normally shown). I copy the domain, paste it on to the command line and have to edit it, usually after I’ve already hit enter. We’ll fix this with a little shell magic.

BASH has a modifier to remove substrings from the front of variables. The form is ${foo#substring} where foo is the variable and substring is what gets removed. So:

foo=http://apple.com
echo ${foo#http://}
apple.com

However, this will not strip a leading https. Fortunately, we can use BASH’s pattern matching to make it more flexible:

shopt -s extglob   # ?(s) is an extended glob; bash has extglob off by default
foo=http://apple.com
echo ${foo#http?(s)://}
apple.com
foo=https://google.com
echo ${foo#http?(s)://}
google.com

?(s) is BASH speak for “match zero or one occurrence of the given pattern (here s)”. It’s the equivalent of the Regexp /s?/. It is one of BASH’s extended globs, so it only works once extglob has been enabled with shopt -s extglob.

With this our function becomes:

shopt -s extglob   # needed for the ?(s) pattern below
function whois() { /usr/bin/whois -h geektools.com "${@##http?(s)://}"; }

and our rough edges are gone!
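As an added example (not code from the original post), here is a portable version of the same wrapper that uses only POSIX parameter expansion, so it works in sh as well as in bash without extglob. It goes a little further than the post’s function: besides the http:// and https:// scheme it also drops any user@ prefix, :port and path or query string, which are all things an address bar copy can carry. The WHOIS_BIN variable is an assumption of this example, not a real whois option; it exists so the wrapper can be exercised offline by pointing it at a stand-in command.

```shell
#!/bin/sh
# Added example, not from the original post: a POSIX sh version of the
# scheme-stripping whois wrapper (no bash extglob required).

# normalize_domain URL -> bare host name on stdout
normalize_domain() {
    d=$1
    # strip the scheme: two fixed prefixes instead of bash's http?(s)://
    d=${d#http://}
    d=${d#https://}
    # drop everything from the first slash on (path and query string)
    d=${d%%/*}
    # drop user@ credentials, if a full URL with login info was pasted
    d=${d##*@}
    # drop a trailing :port
    d=${d%%:*}
    printf '%s\n' "$d"
}

# whois wrapper: normalize every argument, then query the recursive proxy.
# WHOIS_BIN is an assumed knob for this example (defaults to /usr/bin/whois)
# so the wrapper can be run without network access, e.g. WHOIS_BIN=echo.
whois() {
    for arg in "$@"; do
        shift
        set -- "$@" "$(normalize_domain "$arg")"
    done
    "${WHOIS_BIN:-/usr/bin/whois}" -h geektools.com "$@"
}

# usage: whois https://www.example.com/some/page  -> queries www.example.com
```

Because the for loop snapshots the argument list before the body runs, shifting inside it and rebuilding with set -- yields a new positional list of cleaned domains while still passing each one as a separate word, which is what the post’s "${@##...}" form does in bash.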
