Macos – How to use command line whois for “spam infected” domains like apple.com

Tags: command-line, freebsd, macos, spam-prevention, whois

In short: is there any way to get the full whois details for domains like apple.com, using the command line on Mac OS X?

Running whois on the command line for, for example, apple.com is like searching for all domains that include that phrase. So, thanks to whois spam, this gives one the following on a Mac or on FreeBSD:

$ whois apple.com

Whois Server Version 2.0
[..]
APPLE.COM.WWW.BEYONDWHOIS.COM
APPLE.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
APPLE.COM.IS.OWN3D.BY.NAKEDJER.COM
APPLE.COM.IS.0WN3D.BY.GULLI.COM
APPLE.COM.BEYONDWHOIS.COM
APPLE.COM.AT.WWW.BEYONDWHOIS.COM
APPLE.COM

To single out one record, look it up with "xxx", where xxx is one of the
of the records displayed above. If the records are the same, look them up
with "=xxx" to receive a full display for each record.

To get some extra info for all these domains, I can run the command for =apple.com, like:

$ whois =apple.com

Whois Server Version 2.0
[..]
   Server Name: APPLE.COM.WWW.BEYONDWHOIS.COM
   IP Address: 203.36.226.2
   Registrar: TUCOWS INC.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net
[..]
   Domain Name: APPLE.COM
   Registrar: MARKMONITOR INC.
   Whois Server: whois.markmonitor.com
   Referral URL: http://www.markmonitor.com
   Name Server: NSERVER.APPLE.COM
   Name Server: NSERVER.ASIA.APPLE.COM
   [..]
   Updated Date: 21-jan-2009
   Creation Date: 19-feb-1987
   Expiration Date: 20-feb-2011

Still, this does not give me the full record, like the one including the contact information:

$ whois -h whois.markmonitor.com apple.com
[..]
    Administrative Contact:
        Apple Inc.
        Apple Inc.
        1 Infinite Loop
         Cupertino CA 95014
        US
[..] 

(On Redhat Linux, jwhois shows only apple.com but without the contact information; on Debian whois version 4.7.20 yields summaries of all domains like above, and additional detailed info for the exact matched domain, apparently by doing an additional query at whois.markmonitor.com for that exact match.)

I even tried to telnet directly, but cannot come up with anything I cannot do using the whois-command, so I guess that is useless:

$ telnet com.whois-servers.net 43
Trying 199.7.55.74...
Connected to whois.verisign-grs.com.
Escape character is '^]'.

apple.com
[..]

So: is there any easier way to get the full details for such domain (for only the exact matched domain), using the command line?

(Thinking that command line whois would soon be banned in favour of captcha-enabled web interfaces, this never bothered me a lot. But still, I'm curious…)

Best Answer

The whois command looks for the string "Whois Server:" in the output and, if found, will issue the same query again to that server. This is what you want, except it only works for the first match. You can use a command like whois "domain apple.com" to get just one match from the default server, but markmonitor (used by apple.com) does not accept that syntax. It would work if you could send "domain apple.com" to the default server, and then apple.com to the second server, like this:

# Ask the registry for the exact match only, take the first "Whois Server:"
# value from its reply, then repeat the bare query against that registrar.
function mywhois {
  registrar=$(whois "domain $1" | sed -n 's/^.*Whois Server:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
  [ -n "$registrar" ] && whois -h "$registrar" "$1"
}

However, this is specific to these whois servers, so it will not necessarily work for domains on other whois servers. A robust implementation would probably need to have knowledge of the specific query and output formats used by a variety of whois server implementations.
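The two-stage exchange the answer describes, written out as an added example (this is not code from the post or from any whois tool): stage one sends "domain apple.com" to the .com registry server on TCP port 43 so only the exact record comes back, stage two pulls the first "Whois Server:" line from that reply and repeats the bare name against the registrar. The registry host name is the one the telnet session above connected to; the function names, the port constant and the canned replies are my own, with the replies abridged from the output quoted on the page so the flow runs offline. The domain check is there because the query is a raw protocol line: a CR/LF inside it would otherwise become a second query.

```python
"""Two-stage WHOIS lookup that follows the "Whois Server:" referral.

Added example (not code from the original post). Stage 1 sends
"domain <name>" to the .com registry server so only the exact record
comes back; stage 2 repeats the bare name against the registrar server
named in that reply, which is what the whois tool does with its first
"Whois Server:" match.
"""
import re
import socket
from typing import Callable, Optional, Tuple

WHOIS_PORT = 43  # RFC 3912: plain TCP, query line terminated by CRLF
# Registry host as shown by the telnet session on the page.
DEFAULT_REGISTRY = "whois.verisign-grs.com"
REFERRAL_RE = re.compile(r"^\s*Whois Server:\s*(\S+)\s*$", re.MULTILINE)
# Only hostname characters are allowed in the query: a stray CR/LF would
# otherwise let a caller smuggle a second query line into the exchange.
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

Transport = Callable[[str, str], str]


def raw_whois(server: str, query: str, timeout: float = 10.0) -> str:
    """One WHOIS exchange: connect to TCP/43, send the query, read to EOF."""
    chunks = []
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_referral(text: str) -> Optional[str]:
    """Return the first 'Whois Server:' value in a reply, lower-cased, or None."""
    match = REFERRAL_RE.search(text)
    return match.group(1).lower() if match else None


def exact_domain_lookup(domain: str, registry: str = DEFAULT_REGISTRY,
                        transport: Transport = raw_whois) -> Tuple[str, Optional[str]]:
    """Return (registry reply, registrar reply or None) for one exact domain."""
    if not DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"not a plausible domain name: {domain!r}")
    # Stage 1: the "domain " prefix makes the registry return the exact
    # match only, not the APPLE.COM.IS.OWN3D... vanity records.
    registry_reply = transport(registry, f"domain {domain}")
    registrar = parse_referral(registry_reply)
    if registrar is None:
        return registry_reply, None
    # Stage 2: registrar servers (markmonitor in the post) reject the
    # "domain " syntax, so the bare name goes to the referred server.
    return registry_reply, transport(registrar, domain)


# Constructed sample replies, abridged from the output quoted on the page,
# so the flow can be exercised without touching the network.
SAMPLE_REPLIES = {
    (DEFAULT_REGISTRY, "domain apple.com"):
        "Whois Server Version 2.0\n\n"
        "   Domain Name: APPLE.COM\n"
        "   Registrar: MARKMONITOR INC.\n"
        "   Whois Server: whois.markmonitor.com\n"
        "   Referral URL: http://www.markmonitor.com\n",
    ("whois.markmonitor.com", "apple.com"):
        "Domain Name: apple.com\n"
        "    Administrative Contact:\n"
        "        Apple Inc.\n"
        "        1 Infinite Loop\n"
        "        Cupertino CA 95014\n",
}


def fake_transport(server: str, query: str) -> str:
    """Stand-in for raw_whois that answers only from SAMPLE_REPLIES."""
    try:
        return SAMPLE_REPLIES[(server, query)]
    except KeyError:
        raise LookupError(f"no canned reply for {server!r} / {query!r}") from None


if __name__ == "__main__":
    registry_text, registrar_text = exact_domain_lookup("apple.com", transport=fake_transport)
    print("--- registry ---\n" + registry_text)
    print("--- registrar ---\n" + (registrar_text or "(no referral)"))
    # Swap in transport=raw_whois to perform the real two-stage query.
```

Passing the transport as a parameter keeps the referral-following logic testable without a network; the same design also makes it easy to log every server and query line the lookup sends, which is what you want when deciding whether a referral host returned by an untrusted registry reply should be contacted at all.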
