Quick take: whois domain.com looks up domain registration details — registrar, expiry date, and nameservers. whois 1.2.3.4 looks up which organization owns an IP range. Install with sudo apt install whois.
Introduction
The whois command queries the WHOIS database — a distributed registry that stores registration information for domains and IP address blocks. For infrastructure engineers, it is a quick way to identify unknown IPs, verify domain ownership, check expiry dates before certificate renewal, or trace suspicious traffic back to its source organization.
Every registered domain and IP block has a WHOIS record. The quality and privacy of that data varies by registrar and registry, but the core facts — registrar, nameservers, and expiry — are usually available.
Install whois
# Ubuntu / Debian
sudo apt install whois
# RHEL / CentOS / Rocky
sudo dnf install whois
# macOS
brew install whois
# Verify
whois --versionSyntax
whois [OPTIONS] domain_or_ipwhois connects to the appropriate WHOIS server for the domain's TLD or the IP's regional registry (ARIN for North America, RIPE for Europe, APNIC for Asia-Pacific) and returns the raw record.
Domain Lookup
# Look up a domain
whois example.com
# Look up a domain's nameservers only
whois example.com | grep -i "name server"
# Check expiry date
whois example.com | grep -i "expir"
# Check registrar
whois example.com | grep -i "registrar"
# Look up a .sa domain (Saudi Arabia ccTLD)
whois example.saSample key fields from a domain whois output:
Domain Name: EXAMPLE.COM
Registrar: GoDaddy.com, LLC
Registrar WHOIS Server: whois.godaddy.com
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2026-08-13T04:00:00Z
Updated Date: 2024-08-14T07:01:00Z
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: signedDelegationIP Address Lookup
# Look up an IP address
whois 8.8.8.8
# Look up your own public IP
whois $(curl -s ifconfig.me)
# Find the organization owning an IP
whois 185.220.101.5 | grep -i "org\|country\|descr"
# Look up an IP block range
whois 192.168.1.0/24IP lookups are valuable for security investigations — identifying whether an attacking IP belongs to a cloud provider, a hosting company, or a known bad actor's block.
Common Options
| Option | Description |
|---|---|
| -h host | Query a specific WHOIS server |
| -p port | Use a non-standard port (default 43) |
| -I | Use IANA WHOIS server (finds the right referral server) |
| -a | Use ARIN (North American IP registry) |
| -r | Use RIPE (European IP registry) |
Practical Uses for Sysadmins
Verify domain expiry before SSL renewal:
whois yourdomain.com | grep -i expirSSL certificate renewal depends on domain ownership — if the domain expires first, the cert renewal fails. Check both expiry dates.
Identify the owner of a suspicious IP in your logs:
# Extract and look up an attacking IP
sudo lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -5
# Then for each top IP:
whois 185.220.101.5 | grep -E "OrgName|Country|NetRange|descr"Verify nameservers for a domain you are migrating:
whois newdomain.com | grep -i "name server"
# Compare with dig
dig NS newdomain.comFind the abuse contact for a spamming IP:
whois 1.2.3.4 | grep -i "abuse\|email"whois vs dig
whois answers: Who owns this domain or IP? When does the domain expire? Who is the registrar? It queries registration databases.
dig answers: What IP does this domain resolve to? What is the MX record? What nameservers are authoritative? It queries DNS servers.
You need both. A domain can be registered (whois returns data) but have broken DNS (dig returns NXDOMAIN). A domain can have correct DNS but be expired (whois shows past expiry). Check both when troubleshooting.
Final Thoughts
whois is a simple but essential tool for any engineer working with domains, IPs, or network security. Combine it with dig and nslookup for a complete DNS and domain registration toolkit. In security contexts, it is one of the first tools to reach for when investigating an unknown IP address or suspicious traffic source.
FAQ: whois Command in Linux
How do I check who owns a domain with whois?+
Run whois domain.com. The output shows the registrar, registration date, expiry date, and nameservers. Registrant contact details may be redacted by privacy protection depending on the registrar.
How do I look up an IP address with whois?+
Run whois 8.8.8.8 (or any IP address). The output shows the IP block record, the owner organization, and the address range. This identifies which company or ISP owns a specific IP.
How do I install whois on Ubuntu?+
Run sudo apt install whois. On RHEL/CentOS, use sudo dnf install whois. The package name is the same on most distributions.
What is the difference between whois and dig?+
whois queries the domain registration database to find ownership, registrar, and expiry information. dig queries DNS servers for DNS records (A, MX, CNAME, NS). They answer different questions: whois is about registration; dig is about DNS resolution.
Can I use whois to check if a domain is available?+
Yes — if whois returns 'No match' or 'Domain not found', the domain is likely unregistered. However, always verify with a registrar before attempting to purchase, as WHOIS lookups can be incomplete for some TLDs.
Need help with Linux servers or infrastructure?
Work directly with Muhammad Irfan Aslam for Linux, Ubuntu, Docker, DevOps, cloud, CI/CD, or infrastructure support.
Hire Me for Support