The WHOIS Command on Windows, Linux, and macOS Explained

This post breaks down the whois command — how it works, how to use it, the data points it provides, the parameters you can use with it, and its limitations. We also suggest some tools and techniques that can help you work around the tool’s limitations.

TL;DR: What You Need to Know About The WHOIS Command 

The whois command is a command-line lookup tool used to query public WHOIS databases. 

It provides information about the registration and ownership of an internet resource, such as a domain name, IP address, or Autonomous System Number (ASN). It’s available on Windows, macOS, and Linux, and its output, a WHOIS record, includes details such as the domain registrar, registrant, registration and expiration dates, nameservers, and contact information.

Using the tool is as simple as opening the Terminal or command line and typing:

whois example.com 
The WHOIS command in action (on macOS)

However, it’s worth noting that the Windows whois command, as well as the Linux/Unix/macOS options (even though they have more flags and parameters), have some limitations. The table below summarizes those limitations and our recommended solutions. 

| Limitations | Workaround |
| --- | --- |
| There’s no standardized data format for the output, as each registry and registrar has its own format. | Use the WHOIS API: WHOIS data across all TLDs is already parsed and normalized. It also supports RDAP. |
| The command isn't built for bulk queries. | Use Bulk WHOIS API to query up to 500,000 domains at once. |
| If used too frequently for programmatic lookups, your requests will likely be rate-limited or blocked by registries to prevent abuse. | Use the WHOIS API for more stable and reliable access to domain registration data. |
| Due to privacy regulations, the contact information in most WHOIS records is often hidden. | Use the WHOIS History API to see unredacted domain ownership data from before GDPR. |

What Does the WHOIS Command Do?

When you run the whois command on Windows or another operating system, the tool connects to the correct WHOIS server for the target domain name’s top-level domain (TLD) or, for IP addresses, to the relevant Regional Internet Registry (RIR) such as ARIN or RIPE. It uses the legacy WHOIS protocol over TCP port 43 to do this. In contrast, the newer Registration Data Access Protocol (RDAP) is a separate system that provides the same type of registration data in a standardized, machine-readable format over HTTPS, but it requires dedicated RDAP clients or API calls rather than the traditional whois command.

Once the correct server is identified, the command then sends the query (e.g., whois example.com). If available, a WHOIS record is returned. For domains, the record contains registration details found in the table below.

| Type of Information | Description |
| --- | --- |
| Domain name | The queried resource |
| Registrar | The company managing the registration |
| Registrant | The organization or person who registered it (often redacted now) |
| Relevant dates | The domain’s creation, last updated, and expiration dates |
| Nameservers | The DNS infrastructure serving the domain |
| Status codes | Registrar and registry restrictions, such as clientTransferProhibited |
| Contact details | Email address and phone number of the registrant, administrative, technical, and abuse contacts (often hidden now) |

On the other hand, the WHOIS record of IP addresses and ASNs contains the allocation details (which IP block it belongs to), the owning organization (e.g., an ISP), and contact information for abuse and security issues.

However, WHOIS records are not standardized, and this results in various challenges for both human users and automated systems:

  • Different formats across registries: Each registry or registrar can decide how to present the data. For example, dates may be written in different formats, fields may appear in a different order, or some fields may be omitted entirely.
  • Inconsistent field names: A registrant’s email might be labeled as “Registrant Email,” “Email,” or not shown at all, depending on the server. This makes it difficult to parse such variations programmatically.
  • Varying levels of detail: Some WHOIS servers provide rich data including multiple contacts and technical details, while others return only the bare minimum (sometimes just the domain name and registrar).
  • Localization issues: Records may include data in different languages or encodings, which complicates automated processing and global interoperability.
  • Unclear or missing error handling: If a query cannot be resolved, servers often return unstructured error text or no response at all, leaving the client unable to redirect properly.

For casual users, this inconsistency makes WHOIS results confusing and hard to compare. For researchers, businesses, and security teams, it complicates large-scale analysis and automation. These challenges are among the main reasons the industry moved toward RDAP as a replacement for the WHOIS protocol.
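The field-name and date-format differences described above are easiest to see when two records are mapped onto one schema. The following is an added example, not code from the original article; both sample records are constructed, and the label table, date layouts, and function names are assumptions chosen for illustration. It works on saved output only and sends no queries.

```python
from datetime import datetime, timezone

# Constructed sample records (not real registry output) in two layouts.
SAMPLE_A = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 1997-09-15T04:00:00Z
Registry Expiry Date: 2028-09-14T04:00:00Z
Name Server: NS1.EXAMPLE.COM
Registrant Email: REDACTED FOR PRIVACY
"""
SAMPLE_B = """\
domain:     example.test
registrar:  Example Registrar Ltd
created:    1997/09/15
paid-till:  14.09.2028
nserver:    ns1.example.test
e-mail:     hostmaster@example.test
"""

# Assumed label variants and date layouts; date-only values are treated as
# midnight UTC. Extend both tables as new registry layouts are encountered.
LOOKUP = {
    "domain name": "domain", "domain": "domain", "registrar": "registrar",
    "creation date": "created", "created": "created",
    "registry expiry date": "expires", "paid-till": "expires",
    "name server": "nameservers", "nserver": "nameservers",
    "registrant email": "registrant_email", "email": "registrant_email",
    "e-mail": "registrant_email",
}
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y/%m/%d", "%d.%m.%Y")

def parse_date(value):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None  # unknown layout: leave the gap visible instead of guessing

def normalize(raw):
    """Map one raw WHOIS record onto a fixed schema; missing fields stay None."""
    rec = {**dict.fromkeys(LOOKUP.values()), "nameservers": []}
    for line in raw.splitlines():
        label, _, value = line.partition(":")
        field, value = LOOKUP.get(label.strip().lower()), value.strip()
        if field is None or not value:
            continue  # banner, blank line, or a label this table does not know
        if field == "nameservers":
            rec[field].append(value.lower())
        elif field in ("created", "expires"):
            rec[field] = parse_date(value)
        elif field == "registrant_email":
            rec[field] = value.lower() if "@" in value else None  # redaction text
        else:
            rec[field] = value.lower() if field == "domain" else value
    return rec
```

Any label or date layout missing from the two tables is dropped or returned as None, which is exactly the maintenance burden the list above describes.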

How to Use the WHOIS Command

Using the WHOIS command on Windows

To start using the Windows whois command, make sure that you have the WHOIS utility installed; you may need to download it from the Microsoft Sysinternals page. While the basic whois command works on Windows with this utility, the tool is somewhat limited since only the -v and -nobanner flags are available.

The Windows Sysinternals whois command accepts only two parameters

There’s also a more flexible tool that requires you to install a Linux subsystem for Windows (WSL), which allows you to use other commands available on Linux-based systems. To do that, run the following PowerShell command in the command line:

wsl --install

When you have the Linux subsystem downloaded, you’ll essentially be operating under Linux.

Using the WHOIS Command on Linux

Whether it’s a Linux/Unix distribution or a Linux subsystem for Windows, you can install whois on it using this command:

sudo apt update && sudo apt install whois -y

After that, you can start using the whois command. Here’s a sample output for the query:

whois google.com
The whois command from WSL works differently than the Windows Sysinternals one

The output is similar to that of Windows’ Sysinternals, as you can see below. However, the whois command for Linux (and for WSL) accepts a wider variety of different parameters and is more flexible as a result. We’ll look into the different flags you can use later in this article.

Output from the Windows Sysinternals' WHOIS utility

Using the WHOIS command on macOS

On macOS devices, setup is easier because the whois command is built in. But the query is the same: whois [domain name].

Output of the WHOIS command on macOS

WHOIS Command Parameters 

As previously mentioned, the whois command on Linux is more flexible than on Windows since you can customize and refine your queries using various flags and arguments.

We tested each flag in the table below, but note that their exact behavior can vary slightly between different WHOIS client implementations (e.g., on Debian, macOS, or FreeBSD) and WHOIS databases (e.g., RIPE or ARIN).

| Single-Letter Flag | Example command | Function |
| --- | --- | --- |
| -H | whois -H example.com | Hide legal disclaimers from the output. |
| -h [HOST] | whois -h whois.iana.org example.com | Connect to a specific WHOIS server to get information. |
| -p [PORT] | whois -p 43 example.com | Connect to a specific port number on the server. |
| -I | whois -I example.com | Follow the official chain of referrals to find information. |
| -l | whois -l 193.0.0.0 | Find the network range that’s one level broader than the address. |
| -L | whois -L 193.0.0.0 | Find all of the network ranges broader than the address. |
| -m | whois -m 193.0.0.0 | Find all one-level more specific objects related to the query. |
| -M | whois -M 193.0.0.0 | Find all objects that are more specific than your query. |
| -c | whois -c 193.0.0.0 | Find the smallest network range with a maintenance attribute. |
| -x | whois -x example.com | Return only results that are an exact match for your query. |
| -b | whois -b 193.0.0.0 | Return a brief list of IP ranges and abuse contact information. |
| -B | whois -B example.com | Show all objects in the results, including email addresses. |
| -G | whois -G example.com | Show what changed after a database update. |
| -d | whois -d 8.8.8.8 | Return DNS reverse delegation objects related to the query. |
| -i [ATTR] | whois -i person,mnt-by "RIPE-NCC-HM-MNT" | Perform a reverse search based on a specific attribute. |
| -T [TYPE] | whois -T person SMITH | Only return objects of a specific type. |
| -K | whois -K example.com | Return only the primary identifying keys for objects. |
| -r | whois -r example.com | Do not automatically find contact information for the record. |
| -R | whois -R example.com | Show the local copy of the domain object first. |
| -a | whois -a example.com | Search all of the mirrored databases for the query. |
| -s [SOURCE] | whois -s RIPE example.com | Search a specific mirrored database for information. |
| -t [TYPE] | whois -t person | Request a basic template for a specific object type. |
| -v [TYPE] | whois -v person | Request a verbose template for a specific object type. |
| -q | whois -q version | Query the server for information on its version or any other parameters. |

Understanding the WHOIS Command Output

The format of the whois command output is not standardized, so it can differ significantly depending on the registry and registrar. Let's break down a typical WHOIS record for google[.]com to understand the different sections.

The output of the WHOIS command for google.com

Registrar and Registry Information

| Data Point | Description |
| --- | --- |
| Registry Domain ID: 2138514_DOMAIN_COM-VRSN | A unique identifier for the domain in the .com registry. |
| WHOIS Server: whois.markmonitor.com | The server that provided the record. |
| Registrar URL: http://www.markmonitor.com | The registrar’s website. |
| Registrar: MarkMonitor, Inc. | The name of the company that manages the registration. |
| Registrar IANA ID: 292 | The registrar’s official ID assigned by ICANN. |
| Registrar Abuse Contact Email: abusecomplaints@markmonitor.com | The email to which abuse reports (e.g., spam and fraud) should be sent. |
| Registrar Abuse Contact Phone: +1.2086851750 | Abuse hotline phone number. |


Key Dates

| Data Point | Description |
| --- | --- |
| Updated Date: 2019-09-09T15:39:04Z | The last time the registrar updated this record (e.g., when Google renewed or modified it). |
| Creation Date: 1997-09-15T04:00:00Z | When the domain was first registered; google[.]com has existed since 1997. |
| Registry Expiry Date: 2028-09-14T04:00:00Z | When the current registration will expire (unless renewed). |

Domain Status Codes

The Extensible Provisioning Protocol (EPP) status codes indicate the status and restrictions of the domain and are defined by the Internet Corporation for Assigned Names and Numbers (ICANN). We have a detailed video explaining these codes. For google[.]com, the assigned statuses are from both the registrar (client status codes) and registry (server status codes), and as of the time of writing, these codes are:

  • clientDeleteProhibited: Prevents the domain from being accidentally or fraudulently deleted.
  • clientTransferProhibited: Stops the domain from being transferred to another registrar without Google’s permission.
  • clientUpdateProhibited: Blocks any attempts to update the domain's records, protecting them from unauthorized changes.
  • serverDeleteProhibited: The registry has locked the domain, preventing it from being deleted by anyone.
  • serverTransferProhibited: The domain cannot be transferred to another registrar.
  • serverUpdateProhibited: Any updates to the domain’s record are not allowed by the registry. 
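A defender can check a saved WHOIS record for the six lock statuses listed above and see which ones a domain lacks. This is an added example, not code from the original article; the sample records are constructed, the function names are assumptions, and the ATTENTION list goes beyond the article's six codes by including other standard EPP statuses.

```python
import re

# The six lock statuses listed above, split by who sets them.
REGISTRAR_LOCKS = ("clientDeleteProhibited", "clientTransferProhibited",
                   "clientUpdateProhibited")
REGISTRY_LOCKS = ("serverDeleteProhibited", "serverTransferProhibited",
                  "serverUpdateProhibited")
# Beyond the article's list: other EPP statuses worth a closer look when set.
ATTENTION = ("pendingTransfer", "pendingDelete", "redemptionPeriod",
             "clientHold", "serverHold")

# Constructed records (not real registry output).
LOCKED = "\n".join(f"Domain Status: {s} https://icann.org/epp#{s}"
                   for s in REGISTRAR_LOCKS + REGISTRY_LOCKS)
PARTIAL = """\
Domain Name: EXAMPLE.TEST
Domain Status: clienttransferprohibited https://icann.org/epp#clientTransferProhibited
Domain Status: pendingTransfer https://icann.org/epp#pendingTransfer
"""

def status_codes(raw):
    """Return the lower-cased EPP codes from every 'Domain Status:' line."""
    found = re.findall(r"(?im)^\s*Domain Status:\s*([A-Za-z]+)", raw)
    return {code.lower() for code in found}

def _absent(codes, present):
    # Compare case-insensitively because servers differ in capitalisation.
    return [c for c in codes if c.lower() not in present]

def audit_locks(raw):
    """Report which locks are absent and which attention statuses are set."""
    present = status_codes(raw)
    return {
        "missing_registrar_locks": _absent(REGISTRAR_LOCKS, present),
        "missing_registry_locks": _absent(REGISTRY_LOCKS, present),
        "attention": [c for c in ATTENTION if c.lower() in present],
    }
```

A record with no "Domain Status:" lines reports all six locks as missing, so an empty result from the first function should be treated as "unknown layout" before it is treated as "unlocked".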

Registrant Details

This part of the WHOIS record identifies the owner and associated contacts. 

| Data Point | Description |
| --- | --- |
| Registrant Organization: Google LLC | The organization that owns the domain. |
| Registrant Country: US | The registrant’s country. |
| Registrant and Tech Email: Select Request Email Form at https://domains.markmonitor.com/whois/google.com | The registrant email is hidden via MarkMonitor’s WHOIS Privacy Service. Instead of exposing addresses, it directs to a web form. |

Name Servers (DNS Infrastructure)

This section lists the authoritative DNS servers for the domain, which are responsible for translating the domain name into an IP address. Google[.]com’s name servers are:

  • ns1.google[.]com
  • ns2.google[.]com
  • ns3.google[.]com
  • ns4.google[.]com

Security

The WHOIS record indicates if the domain is signed with Domain Name System Security Extensions (DNSSEC), a security protocol designed to prevent DNS spoofing. Google’s domain is not signed with DNSSEC, but the company has other security measures in place. 

Administrative Notes

At the end of the WHOIS record is a link where issues with the WHOIS data can be reported (URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/).

The date and timestamp when the WHOIS database was last updated are also included. When we did the lookup for google[.]com, the timestamp was 2025-09-07T23:18:55+0000.

Limitations of the WHOIS Command

As you’ve seen above, the whois command gives useful information about a domain or IP address. The -i flag even lets you do a reverse search on an attribute, which helps identify all domains or IP addresses associated with a specific entity.

However, the command is not always straightforward to use and is often very limited, and we encountered its limitations while testing it on different systems. We detail these restrictions below.

No Standardized Data Format

WHOIS was not designed with a universal schema. That means the output for WHOIS lookups varies widely between different registries and registrars, making it difficult to automatically parse the data consistently. You’ve already seen a sample of a .com WHOIS record above, so let’s take a look at the output for a few other TLDs:

  • .uk
What WHOIS outputs for .uk domains
  • .top
What WHOIS outputs for .top domains
  • .org
What WHOIS outputs for .org domains
  • .de
What WHOIS outputs for .de domains

The lack of standardization makes WHOIS unreliable for automated data retrieval and parsing. A more modern alternative is the Registration Data Access Protocol (RDAP), which provides standardized JSON data. Our WHOIS API and related products support this protocol and even have a protocol selector feature that lets users choose between WHOIS and RDAP.

Inefficient Bulk WHOIS Lookups 

While you can query multiple resources at once, performing bulk lookups with the whois command can get messy because many WHOIS servers implement rate limiting to prevent abuse. Sending too many requests over a short period can lead to your IP address being temporarily blocked.

WHOIS not working because of rate limiting

If you need the WHOIS records of many domain names, you can use the Bulk WHOIS API, which lets you look up as many as 500,000 domains per query.

Automated Queries Are Not Allowed

Using the whois command programmatically is prohibited. In fact, this prohibition is included in the legal disclaimer attached to the command’s WHOIS record output.

The WHOIS command does not allow automated usage

If you're building a tool that needs consistent access to WHOIS data, you are not allowed to query WHOIS servers directly with the command-line tool; instead, you could use the WHOIS API. The API provides a more stable and reliable way to retrieve this information, especially for programmatic use. It delivers data in JSON or XML formats, which are also much easier to parse programmatically than the raw text output that the whois command provides.

WHOIS Data is Often Redacted

Most WHOIS records for individual registrants now redact personal contact information for privacy reasons, a practice that became widespread around 2018 when the General Data Protection Regulation (GDPR) was implemented. This is a limitation that all WHOIS service providers face, since redaction is at the registrar level. 

However, there is a way to see WHOIS data, or at least the record as it stood before redaction, particularly if it was publicly available before, and that’s through WHOIS History. This service lets you look up the historical domain registration details of any domain.

The current WHOIS data of bbc[.]com, for example, is heavily redacted. You can view key dates, registrar name, WHOIS server, name servers, and status codes, but only the registrant country is publicly available among all registrant contact details. This has been the case since 2018.

The current WHOIS record for bbc.com doesn't show much data

But when you browse through the domain’s history, you’ll see that in 2017 (and record updates before that), those registrant fields were filled out with a person’s name, the organization’s email address, and phone number. 

A historical WHOIS record for bbc.com has the now missing data

Conclusion

The whois command is a quick and easy way to get registration and ownership details of any domain name. It can also provide information on IP addresses and ASNs. With different flags, you can adjust the query to fetch information from specific sources or even run reverse lookups.

However, it works differently on Windows, macOS, and Linux (and requires installation on some of those systems). If something from this article doesn’t work when you try it, the implementation of the whois command in your operating system is probably to blame.

It also has its limitations: 

  • Non-standardized output
  • Rate limiting
  • Limited bulk lookups
  • Data redacted due to privacy reasons

To overcome these limitations, you can use more advanced tools like our WHOIS API, Bulk WHOIS API, and the WHOIS History products.
