WHOIS is a network protocol that queries databases containing registered ownership information for domain names and IP addresses. Whether you need to verify domain registration details, investigate suspicious network activity, or identify the organization behind an IP address, WHOIS provides quick access to this publicly available data. Most Ubuntu systems do not include the whois package by default, so this guide walks through the installation process. By the end, you will have a working WHOIS installation and know how to query domain and IP information directly from the terminal.
Update Ubuntu Before Whois Installation
Before installing any software, ensure your package database is current. Running an update prevents version conflicts and ensures you receive the latest available package version. To begin, open your terminal and run the following commands:
sudo apt update
sudo apt upgrade
The first command refreshes your package index from the repositories, while the second upgrades any outdated packages on your system. Once these commands complete, you can proceed with the installation.
Install Whois on Ubuntu via APT Command
With your system updated, you can now install the whois package using APT. Since Ubuntu’s default repositories include this package, you do not need any additional configuration:
sudo apt install whois
After the installation completes, verify that whois is accessible by checking its version:
whois --version
Version 5.5.22. Report bugs to <md+whois@linux.it>.
If you see version information similar to the output above, the installation completed successfully. Note that the exact version number may vary depending on your Ubuntu release.
Whois Command Examples
Now that whois is installed, you can query domain and IP registration information. The following section demonstrates several practical examples to help you get started with common use cases.
Query Domain Information
To retrieve registration details for a domain name, use the following command:
whois example.com
Replace example.com with the domain you want to query. The output includes the registrar name, registration and expiration dates, nameservers, and contact information when available. For example, querying a domain returns output similar to:
Domain Name: EXAMPLE.COM
Registry Domain ID: 2624032002_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.com
Registrar URL: http://www.registrar.com
Updated Date: 2025-07-05T11:59:36Z
Creation Date: 2021-07-03T08:58:15Z
Registry Expiry Date: 2026-07-03T08:58:15Z
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
DNSSEC: signedDelegation
You can use this information to verify domain ownership, check when a domain expires, or identify which registrar manages the domain.
Query IP Address Information
In addition to domains, WHOIS can retrieve ownership information for IP addresses. For example, to query Google’s public DNS server:
whois 8.8.8.8
NetRange: 8.8.8.0 - 8.8.8.255
CIDR: 8.8.8.0/24
NetName: GOGL
Organization: Google LLC (GOGL)
RegDate: 2023-12-28
Updated: 2023-12-28
The output shows the network range, organization name, and registration details. Network administrators find this data particularly helpful when investigating traffic sources, and security professionals rely on it when researching suspicious IP addresses.
Query a Specific TLD Server
Sometimes you need to query a specific WHOIS server directly, particularly for country-code top-level domains (ccTLDs) that use dedicated servers. In such cases, use the -h flag followed by the server hostname:
whois -h whois.nic.co example.co
In this example, the query goes directly to the .co domain registry server. Replace both the server address and domain name as needed for your query. This approach is useful when the default WHOIS server returns incomplete information or when querying less common TLDs.
View All Available Options
To see all available WHOIS command options and flags, run the following:
whois --help
Usage: whois [OPTION]... OBJECT...
-h HOST, --host HOST connect to server HOST
-p PORT, --port PORT connect to PORT
-I query whois.iana.org and follow its referral
-H hide legal disclaimers
--verbose explain what is being done
--no-recursion disable recursion from registry to registrar servers
--help display this help and exit
--version output version information and exit
The help output lists all available flags, including options to hide legal disclaimers (-H), enable verbose output, and disable recursive queries. For more detailed documentation, you can also consult the man page with man whois. Additionally, if you work with DNS tools frequently, consider exploring the nslookup command on Linux for additional domain investigation capabilities.
Common Use Cases for Whois
Beyond basic domain lookups, WHOIS serves as a versatile tool for network administrators, security professionals, and researchers alike. Understanding these practical use cases helps you get more value from the utility in your daily work.
Security Investigations
Security teams frequently use WHOIS to investigate suspicious activity. When analyzing phishing emails, malware, or unauthorized access attempts, you can trace the origin of malicious domains and IP addresses. For instance, if your firewall logs show repeated connection attempts from an unknown IP, a quick WHOIS query reveals the owning organization and helps determine whether the traffic is legitimate:
whois 8.8.8.8
NetRange: 8.8.8.0 - 8.8.8.255
CIDR: 8.8.8.0/24
NetName: GOGL
NetHandle: NET-8-8-8-0-2
Parent: NET8 (NET-8-0-0-0-0)
NetType: Direct Allocation
Organization: Google LLC (GOGL)
RegDate: 2023-12-28
Updated: 2023-12-28
In this example, the output immediately identifies Google LLC as the owner of this IP range. More importantly, the registration date, organization name, and network block details provide valuable context for threat assessment. Furthermore, correlating multiple suspicious domains through WHOIS data often reveals patterns, such as domains registered on the same date or through the same registrar, which can indicate coordinated malicious campaigns.
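The correlation described above can be scripted once the WHOIS output for each suspicious domain has been saved. The following is an added example, not part of the original guide: it groups concatenated records by creation day and registrar and reports any group with two or more domains. The function name, the domains, dates and registrar names are constructed for illustration, and the field labels assume the gTLD format shown earlier.

```shell
#!/usr/bin/env bash
# Added example: group saved WHOIS records by (creation day, registrar).
# Field names follow the gTLD output shown earlier; the domains, dates and
# registrar names in SAMPLE_RECORDS are constructed for illustration.

cluster_whois() {  # stdin = concatenated WHOIS records; prints clusters of >= 2
    awk -F': *' '
        function emit(   k) {
            # Count a record only when all three fields were present.
            if (dom != "" && day != "" && reg != "") {
                k = day "|" reg
                n[k]++
                list[k] = (list[k] == "" ? dom : list[k] "," dom)
            }
            dom = day = reg = ""
        }
        { sub(/\r$/, "") }                  # WHOIS servers send CRLF line endings
        tolower($1) ~ /^ *domain name$/   { emit(); dom = tolower($2) }
        tolower($1) ~ /^ *creation date$/ { day = substr($2, 1, 10) }
        tolower($1) ~ /^ *registrar$/     { reg = $2 }
        END { emit(); for (k in n) if (n[k] >= 2) print k "|" n[k] "|" list[k] }
    ' | sort
}

# Constructed sample: three domains share a creation day and registrar.
SAMPLE_RECORDS='Domain Name: LOGIN-PORTAL.EXAMPLE
Creation Date: 2025-03-14T02:11:09Z
Registrar: Example Registrar, Inc.
Domain Name: ACCOUNT-VERIFY.EXAMPLE
Creation Date: 2025-03-14T02:13:44Z
Registrar: Example Registrar, Inc.
Domain Name: PARTNER-SITE.EXAMPLE
Creation Date: 2019-08-02T10:00:00Z
Registrar: Other Registrar LLC
Domain Name: SECURE-UPDATE.EXAMPLE
Creation Date: 2025-03-14T02:20:31Z
Registrar: Example Registrar, Inc.'

# Output format: creation-day|registrar|count|comma-separated domains
printf '%s\n' "$SAMPLE_RECORDS" | cluster_whois
```

Records that lack a creation date or registrar line are skipped rather than guessed, so a privacy-redacted or rate-limited response never lands in a cluster by accident.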
Abuse Contact Discovery
When you need to report spam, phishing, or other malicious activity, WHOIS provides the abuse contact email for the responsible organization. Since most WHOIS records include an abuse contact field, you can use this information to file complaints directly with the hosting provider or domain registrar:
whois example.com | grep -i abuse
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Once you have this contact information, you can report violations and request takedowns of malicious content. This approach is particularly effective for dealing with phishing sites that impersonate legitimate businesses, as registrars are required to investigate abuse complaints.
Domain Expiration Monitoring
WHOIS queries reveal domain expiration dates, which serve two important purposes. First, you can monitor your own domains to ensure renewals happen on time. Second, you can track domains you wish to acquire when they become available. To check a domain’s expiration date, use grep to filter the relevant lines:
whois linuxcapable.com | grep -i "expiry\|expiration"
Registry Expiry Date: 2026-07-03T08:58:15Z
Registrar Registration Expiration Date: 2026-07-03T08:58:15.00Z
As shown above, the output displays both registry and registrar expiration dates. For ongoing monitoring, you can integrate this command into a cron job with email notifications. As a result, you gain automated domain monitoring without relying on third-party services or paid subscription tools.
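One way to turn the grep filter into a cron-friendly check is sketched below as an added example, not part of the original guide. The function names and the 30-day threshold are assumptions, the sample record is constructed, and date parsing relies on GNU date as shipped with Ubuntu.

```shell
#!/usr/bin/env bash
# Added example: expiry check suitable for cron. Assumes GNU date (Ubuntu)
# and the expiry field labels shown above; other registries may label the
# field differently, which is reported as UNKNOWN instead of guessed.

expiry_from_whois() {  # stdin = WHOIS text; prints the first expiry timestamp
    tr -d '\r' |
        grep -i -m1 -E '^[[:space:]]*[a-z ]*(expiry|expiration) date:' |
        sed -E 's/^[^:]*:[[:space:]]*//; s/\.[0-9]+Z$/Z/'
}

days_until() {  # $1 = expiry timestamp, $2 = reference time (default: now)
    local exp_s now_s
    exp_s=$(date -u -d "$1" +%s) || return 2
    now_s=$(date -u -d "${2:-now}" +%s) || return 2
    echo $(( (exp_s - now_s) / 86400 ))
}

check_expiry() {  # stdin = WHOIS text; $1 = domain, $2 = warn days, $3 = reference
    local exp days
    exp=$(expiry_from_whois)
    [ -n "$exp" ] || { echo "UNKNOWN $1: no expiry field in response"; return 2; }
    days=$(days_until "$exp" "$3") || { echo "UNKNOWN $1: bad date '$exp'"; return 2; }
    if [ "$days" -le "$2" ]; then
        echo "WARN $1 expires in $days days ($exp)"
        return 1
    fi
    echo "OK $1 expires in $days days ($exp)"
}

# Constructed sample record, used when no domain is given on the command line.
SAMPLE_WHOIS='Domain Name: EXAMPLE.COM
Creation Date: 2021-07-03T08:58:15Z
Registry Expiry Date: 2026-07-03T08:58:15Z
Registrar Registration Expiration Date: 2026-07-03T08:58:15.00Z'

if [ "$#" -ge 1 ]; then
    whois "$1" | check_expiry "$1" "${2:-30}"        # live query, e.g. from cron
else
    printf '%s\n' "$SAMPLE_WHOIS" |
        check_expiry example.com 30 2026-06-20T00:00:00Z || true
fi
```

Exit status 1 means the threshold was crossed and 2 means the response could not be parsed (for example a rate-limited or differently formatted reply), so a cron wrapper can send mail only on a non-zero exit.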
ASN and Network Block Lookups
Network engineers use WHOIS to query Autonomous System Numbers (ASNs) when analyzing BGP routing, investigating peering relationships, or troubleshooting network connectivity issues. In essence, an ASN identifies a network operator and their routing policies. To query an ASN, prefix the number with “AS”:
whois AS15169
ASNumber: 15169
ASName: GOOGLE
ASHandle: AS15169
RegDate: 2000-03-30
Updated: 2012-02-24
OrgName: Google LLC
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
This output confirms that AS15169 belongs to Google LLC and shows when the ASN was originally registered. This information proves useful when diagnosing routing problems, understanding traffic paths, or verifying which organization controls a specific network range.
Legal and Trademark Research
Legal professionals and brand protection teams also use WHOIS to investigate potential trademark infringement and domain squatting. By examining registration dates, registrant information, and historical WHOIS records, you can build evidence for legal proceedings. For example, a domain registered after your trademark filing that uses your brand name suggests potential infringement:
whois suspicious-brandname.com
Although privacy services may obscure registrant details, the registration date and registrar information still provide useful starting points. Specifically, this data supports legal action under ICANN’s Uniform Domain-Name Dispute-Resolution Policy (UDRP), which allows trademark holders to challenge domain registrations made in bad faith.
Remove Whois
If you no longer need whois, you can remove it using the following command:
sudo apt remove --purge whois
Next, clean up any orphaned dependencies that were installed alongside whois:
sudo apt autoremove -y
Finally, verify the removal by checking that the whois command is no longer available:
which whois
If the command prints no output, whois has been removed and is no longer available on your system.
Conclusion
You now have WHOIS installed on Ubuntu and can query domain registration details, IP address ownership, and network block information directly from the terminal. For ongoing use, combine WHOIS queries with other network tools like nslookup and dig for comprehensive domain investigation, or integrate WHOIS into scripts for automated monitoring of domain expiration dates.