One of the handiest tools for doing due diligence is a whois report about a domain name or an IP address. A whois report gives you some basic information about the organization behind a domain name and when the name was registered.

In this article I'll discuss some basic knowledge for reading a whois report. It will give you a method to do some research on domain names yourself. After reading this article you'll know how to get a whois report to do some domain name investigating.

What is a whois report?

Whois is a term referring to a domain name search or look-up feature on a database - typically for Top Level Domain (TLD) name registries. Information such as name availability can be found through a query using the whois protocol (standard). Most Top Level Domain registries maintain their own whois database containing domain name contact information. A whois report is the result of a whois query.

In layman's terms, a whois report shows some information about who registered a domain name and when they did it. Don't worry if this definition isn't clear right now; it will be by the end of this article.

Technically speaking, whois is just a protocol to look up contact database information on the internet. You already know the HTTP protocol because your browser is using it right now to view this page. Other well-known protocols are POP3 (to collect email), SMTP (to send email) and the news protocol to read newsgroups with a news reader program. In a similar fashion there are whois programs that use the whois protocol to query a contact database hosted on a whois server to retrieve domain information.

Don't worry, it won't get more technical than this, and you may forget the specifics as long as you know how to use it. It is like driving a car; you don't have to be a mechanic to do it.

Registrant, registrar and registry

A domain name is a name you type in the address bar of your browser. For instance, forum.websitegear.com is a (third level) domain. The second level domain name in this example is 'websitegear.com'. The top level domain is 'com'. A (second level) domain name is exclusive; once it is registered, no other party may use that identity online in that top level domain.

When WebsiteGear registered their internet domain name (so they can use it exclusively on the internet) they had to contact an entity (person or company) that can take care of these requests and will act on their behalf. Such a company is called a registrar.
The company WebsiteGear is the registrant. The entity actually maintaining the domain name database is called the registry. There are numerous registries and each of them has to maintain a database with the contact data of the registrants that registered a domain name through them.

Getting a whois report

Before I throw a few more definitions at you, let's have a look at a whois report first. Open this website in your browser: http://dwhois.net
Fill in 'websitegear.com' in the empty field and hit the Whois button. If you did this right you should see a report like this.

Administrative contact, technical contact and billing contact

Contact Records or Contact IDs (sometimes called Agents) are individuals or groups who represent a registrant on matters related to the registrant's domain name(s). There are three types of Contacts: Administrative, Technical, and Billing. The entity listed as the Administrative, Technical, or Billing Contact is an individual or 'role' that is contacted in matters relating to the domain name. They also have the ability to modify information pertaining to a domain name. A contact may be a single person, a company, or an organization.

The administrative contact is usually directly connected to the registrant, but not always. You can find out through the whois report itself. In our case we'll have to dig a bit further. If you scroll down on the whois report you'll see it says: "For complete domain details go to: http://who.godaddy.com/whoischeck.aspx?Domain=WEBSITEGEAR.COM"

So let's do that. Open the link http://who.godaddy.com/whoischeck.aspx?Domain=WEBSITEGEAR.COM
You'll have to enter a verification code, but if you did that correctly it will show you a more detailed whois report like this. As you can see, the Administrative contact is at websitegear.com itself.

The technical contact is usually someone from the ISP that the domain was registered through. If there are technical issues with the domain name this is the person to contact.

The billing contact is the person designated to receive the invoice for domain name registration and re-registration fees. The billing contact should be in a position to ensure prompt payment of fees. Nowadays the billing contact is hardly used anymore and usually doesn't provide any extra useful information.

NIC handle

Sometimes a whois report will also show a NIC handle. A NIC handle is a combination of up to 7 letters or numbers that identifies an entity that registered a domain name. It is basically an address record of a registrant or registry. This way, if you make a change to the NIC handle (e.g., the e-mail address), all domains using that NIC handle will be updated as well. You can do whois lookups on handles too; I'll explain that in more detail in a future article. For now it is sufficient to just know that they exist. Note that they are not always listed in a whois report.

Record dates

In each whois report you'll find the following date fields:

- Creation Date
- Expiration Date
- Updated Date

The Creation Date tells you when the domain name became active on the internet. If an opportunity tells you they have been active on the internet for two years and the Creation Date shows the domain was only registered two months ago, then you are probably dealing with a scam.

The Expiration Date shows you when a record is about to expire, unless the domain holder prolongs the registration by paying the appropriate fees. Usually a stable company will prolong its domain name long before it expires, and sometimes they will pay for years in advance. For example, if you look up this field for the domain e-gold.com you'll find that the expiration date is set to 3 November 2018.

The Updated Date shows you when the last changes were made to the registry information. This is an interesting field because it can tell you if records have been changed since the domain name was registered. If a registrant has altered the contact information after registration it will show here.
Be aware though: if a domain name has moved to another server it will also show a changed value here. This field is not necessarily a 'red flag' right away, but it should make you careful about assuming the whois information is accurate. See also the chapter "Reliability of whois report information" below.

Old and new whois lookup

With the new shared registration system model, the nature of the WHOIS server has changed.

The Old Way: Traditionally, the InterNIC maintained the WHOIS server for .com, .net and .org domain names, and a single query returned full whois data including registrant, administrative contact, billing contact, technical contact, and nameserver information.

The New Way: Nowadays domain registration has been deregulated and there are many registrars that can grant domain names. In this multi-registrar model, each registrar maintains a WHOIS server containing contact and nameserver information for domains registered with them. The InterNIC maintains a central registry WHOIS server, which simply contains nameserver and registrar information for all .com, .net and .org domains. So from this report you will be pointed to the registrar, where you can look up the actual whois report.

The output from the registry WHOIS query will indicate the website address and WHOIS server address for the domain's registrar of record, where full contact information can be found. To find out the registrar of record for a domain, consult the registry WHOIS server at: http://www.internic.net/whois.html

We already saw this in the above example of websitegear.com, where we found a link to the whois server of Go Daddy (the registrar), which holds details on the websitegear.com domain.

Reliability of whois report information

All right, if you followed me so far you're in for a small surprise now.
A series of contracts, from ICANN* to registrars to registrants, requires contact data to be complete and accurate, but nonetheless certain registrants fail to properly provide the required contact information. Or to put it another way: whois information is not always correct, although it should be. That is with the exception of the date fields; they cannot be manipulated by anyone but the maintainer of the database.

You might be tempted to think there was no point in reading all this information. Well... not quite. False data will tell you almost as much as true data, as long as you can identify it as being false. People who have nothing to hide, hide nothing. If they are hiding information you have found a first red flag, and most of the time that means you shouldn't invest money in the associated opportunity.

Where to get a whois report

You could get a whois report using a special program to query whois databases. This is quite handy if you know how to use it properly. An easier way is to use a script linked to a website to do the lookups. This is what you have been using when you used the website of dwhois.net. Most times the script behind the website automatically finds out which whois database to query (there are quite a few out there), so that takes some work away from you. Usually this method is quite sufficient and it allows for enough options to do thorough searching. For now we'll stick with this method.

Here are some sites where you can get whois reports:

- http://dwhois.net
- http://www.samspade.org
- http://www.geektools.com/whois.php

You'll find that some of these sites are protected with a Turing number to prevent automated lookups from other sites. That is not a problem for manual lookups though.

Reporting false whois information

If you found false whois information you can report it to the InterNIC. Sometimes they can take appropriate action to make sure the whois is being corrected.
I wouldn't expect too much of it though; if a domain is registered outside the US I doubt they will do what needs to be done.

Whois Data Problem Report: http://wdprs.internic.net

This concludes the article on basic knowledge of a whois report. I hope you found it useful. If you have any questions or remarks please feel free to contact me using the contact form.

*ICANN - The Internet Corporation for Assigned Names and Numbers is a technical coordination body for the Internet. Created in October 1998 by a broad coalition of the Internet's business, technical, academic, and user communities, ICANN is assuming responsibility for a set of technical functions previously performed under U.S. government contract by IANA and other groups. Specifically, ICANN coordinates the assignment of Internet domain names, IP address numbers, protocol parameter and port numbers that must be globally unique for the Internet to function. In addition, ICANN coordinates the stable operation of the Internet's root server system.
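
The checks described under "Record dates" and "Old and new whois lookup", as an added example that is not part of the original article: it reads the three date fields and the registrar's whois server from a registry report, then compares the domain's age with what an opportunity claims. The sample report is constructed, and the "Whois Server" label and the date formats are assumptions about how a registry prints its output.

```python
import re
from datetime import datetime, date

# Constructed registry-style whois report; every value here is made up.
SAMPLE_REPORT = """\
   Domain Name: EXAMPLE-OPPORTUNITY.COM
   Registrar: EXAMPLE REGISTRAR, INC.
   Whois Server: whois.registrar.example
   Referral URL: http://www.registrar.example
   Name Server: NS1.EXAMPLE.NET
   Updated Date: 02-mar-2006
   Creation Date: 15-jan-2006
   Expiration Date: 15-jan-2007
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")
# Assumed date layouts; whois servers do not all print dates the same way.
DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ")

def parse_report(text):
    """Map each lower-cased field name to the list of values seen for it."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def parse_date(value):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised whois date: {value!r}")

def review(text, claimed_years_online, today):
    """Summarise the date fields and the registrar referral of one report."""
    fields = parse_report(text)
    created = parse_date(fields["creation date"][0])
    updated = parse_date(fields["updated date"][0])
    expires = parse_date(fields["expiration date"][0])
    age_days = (today - created).days
    return {
        "registrar_whois": fields.get("whois server", [None])[0],
        "age_days": age_days,
        "age_contradicts_claim": age_days < claimed_years_online * 365,
        "changed_since_registration": updated > created,
        "days_until_expiry": (expires - today).days,
    }

if __name__ == "__main__":
    print(review(SAMPLE_REPORT, claimed_years_online=2, today=date(2006, 3, 15)))
```

A report that lacks one of the three date fields raises KeyError, which is the cue to follow the registrar referral and read the fuller report there.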