Why there's junk in your whois results, and how you can get rid of it

Whois is a great tool, and with these tips it's even more useful.

July 12, 2021
We're Expedited Security. We help SaaS applications prevent and recover from attack, overcome regulatory or integration security requirements, or just stop "weird" traffic before it becomes a problem.

If you've ever used the whois tool to look up a popular domain, you'll be familiar with results like this:

After all the junk, you'll notice the final line is the one you care about:

MICROSOFT.COM

So where does the junk come from? First things first: nobody has been hacked. whois, by default, looks up any domain or host that matches what you provide on the command line - and often returns the subdomain results before the top-level ones. Whether that's a bug or a feature depends on who you talk to.

So lovely people who own other domains make fake whois entries for hosts with microsoft.com somewhere in their name. Modern registrars don't let people fill their own whois with these kinds of entries, so most of these junk entries are pretty old.

The whois manual won't help

The man page for whois on OS X 10.10 merely mentions that the name (the thing you're asking of the server) can contain different types of data, "such as domain names and IP addresses". What it doesn't tell you is that there is now a well-accepted format for name that lets you explicitly state the type of results you care about.

You can find out about this from the whois servers themselves - also using the whois command, by setting the name option to help:

whois help

Returns a bunch of useful stuff including:

By default, WHOIS performs a very broad search, looking in all record types for matches to your query in these fields: domain name, nameserver name, nameserver IP address, and registrar names. Use keywords to narrow the search.

The following keywords restrict a search to a certain TYPE of field in the database:

domain    Finds a domain record. Find out domain name, registrar name, whois server and URL, Nameserver name and IP Addresses, and updated date.

Boom. Keywords allow us to explicitly set the type of records we want, focusing only on a specific domain.

The fix: explicitly ask the server for domain results only.

So the solution - which works with nearly all whois servers - is to set the name option to "domain somedomain" explicitly. The quotes are so the shell treats it as a single argument.

whois "domain microsoft.com"

You can also add the bash function below to your ~/.bash_profile, and it will be there for you every time you start a login shell.

function quick-whois () {
    # "domain <name>" restricts the server to domain records only
    command whois "domain ${1}"
}
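The same idea carried a little further, as an added example that is not code from the original post: a builder for the "domain <name>" argument that refuses malformed input, the quick-whois wrapper on top of it, and, for servers that ignore the keyword, a filter that keeps only the exact-match line out of the junk-filled broad result described at the start of the post. The sample result is constructed here, not real server output.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Helpers around the
# "domain <name>" keyword described above, plus a filter for broad output.

# Build the query argument the post recommends ("domain <name>"), refusing
# anything that is not a plain hostname so a malformed argument never reaches
# the whois server. Prints the argument; returns 1 on bad input.
whois_domain_arg() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    printf 'domain %s\n' "$1"
}

# The post's quick-whois, with the argument check in front of it.
# "command" keeps this from recursing if the function is ever named whois.
quick_whois() {
    local arg
    arg=$(whois_domain_arg "$1") || { echo "usage: quick_whois <domain>" >&2; return 2; }
    command whois "$arg"
}

# For servers that ignore the keyword: read a broad whois result on stdin and
# keep only lines that are exactly the requested name (case-insensitive),
# dropping the longer host records whose names merely contain it.
whois_exact_match() {
    local want
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    awk -v want="$want" '
        { t = $0; sub(/^[ \t]+/, "", t); sub(/[ \t]+$/, "", t) }
        toupper(t) == want { print t }
    '
}

# Constructed stand-in for a broad result (not real server output): two junk
# host records with microsoft.com in their names, then the record we want.
SAMPLE_BROAD_RESULT='MICROSOFT.COM.EXAMPLE-JUNK-1.EXAMPLE
MICROSOFT.COM.EXAMPLE-JUNK-2.EXAMPLE
   MICROSOFT.COM'

# Runs the filter over the constructed sample so the result can be checked.
demo_filter() {
    printf '%s\n' "$SAMPLE_BROAD_RESULT" | whois_exact_match microsoft.com
}
```

quick_whois still talks to the network, so only the argument builder and the filter are exercised offline.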

Alternative fix: use a whois server with tighter results

You can also explicitly set a whois server that focuses on domain results rather than hostnames. geektools.com, for example, appears to do this - we say 'appears to' because whois -h geektools.com help returns:

No WHOIS help is provided. If you don't know what it is then why are you using it?

Thanks geektools. Anyway, using the -h option will override the normal whois server and since the geektools server only returns domain results, you won't see any junk either:

whois -h geektools.com microsoft.com

In my own ~/.bash_profile I actually overwrite the normal whois command so it always calls the geektools server:

function whois () {
    # quote "$@" so arguments with spaces are passed through intact
    command whois -h geektools.com "$@"
}

Note the command keyword: since the bash function has the same name as the whois command, command makes the shell run the real whois binary instead of the function, which stops the function from calling itself recursively.

Conclusion

Results look like:

Domain Name: microsoft.com
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Microsoft Corporation
Registrant Street: One Microsoft Way,
Registrant City: Redmond
Registrant State/Province: WA
Registrant Postal Code: 98052

Which certainly makes for more pleasant reading. On that note: if you're concerned about whois being this bad, so are ICANN and the IETF, and they're making progress towards a replacement.