Passive DNS Replication WHOIS Server

Passive DNS replication data can be obtain from a special WHOIS server.


This WHOIS server does not support handles in the usual sense. Instead, the server attempts to parse the passed query string to determine its type.

If the -q is specified, an alternate query syntax is used (see below).


The WHOIS server supports the following query options:

Alternate query syntax

If the -q is specified, non-options are not treated as handles, but parsed as query string. Query strings have the following form:


The first part specifies the data set. It is either a record type name (A, CNAME etc.) or the special values ANY and domain. The second part chooses the field in the data set to search, for the key given in the third part. The data and field parts are case-insensitive, but the key is case-sensitive.

Below the supported search fields are listed for each record type. If not stated otherwise, the key is a domain name. With the exception of the dname+ variants, all queries only return records of the indicated type.

The ANY data set supports the fields listed below.

The domain data set can be used to obtain concise lists of domain names. These fields are supported:

The index which serves as a basis for domain.prefix and ANY.domain.prefix queries is partial. Domains which start with an IPv4 address are not included it in it. For example, the query domain.prefix=1. will not return the domain name

Output formats

The WHOIS server supports multiple output formats.

List-based output format

In the list-based output format, the result set is returned as a plain text file, and each line contains exactly one data item. Lines starting with "% ERROR:" are error messages.

This output format is used automatically if the result set contains only one field, or if the -l is specified. In this case, only the name field of the output is returned.

Table-based output format

The -t option requests a table-based output format. If neither the -F and -L options are specified, the column layout is as follows:

If the -F (show time of first occurrence) or -L (show time of last occurrence) options are specified, the corresponding column is prepended as the first column. If both options are given, the first column contains the time of the first sighting, and the second column contains the time of the last sighting. All times are given in UTC (+0000, also known as GMT) and in ISO 8601 notation (where the "T" separator has been replaced by a space character).

Lines starting with "% ERROR:" are error messages.

Record-oriented output format

The record-oriented output format mimics the output format of the RIPE WHOIS server software. This format is the default output format, unless special queries are used, or another output format is explicitly requested.

Records consist of fields, and multiple records are separated by a blank line. A field contains a field name (at the beginning of the line), which is a string that consists of lowercase letters, digits and hyphens ("-"). The field name is separated from the field value by the two-character string ": " (colon, space). The field value extends to the end of the line.

The following fields are present in all records:

Depending on the resource record type, further fields are available. The order of fields is only significant for fields with the same field name.

Additional field names may be added at a later time. The format is explicitly designed to be extensible.

As usual, lines starting with "% ERROR:" are error messages. Additional information may be relayed using "% " comments.

Source Address Information

If you include the -S option, the WHOIS server returns source address information in its output. In table-based output mode, the source address is included as an additional column between the time stamps (if any) and the actual data. The column is empty if no source address information for this particular record is available. In record-oriented output format, source address information is included in the source field (if it is available).

In both modes, the server may return the same DNS record multiple times, once for each source address (and another record without source address information). The time stamps in the record without source address information do not necessarily describe a superset of the other records.

The DNS protocol does not provide a clear indicator which data in a DNS response is authoritative and which is cached. In order to avoid cluttering the output, the server returns a source address only if it assumes that it claimed to be authoritative for that record. The rules are as follows.

These rules are necessary because some name servers (notably BIND in mixed caching/authoritative mode) return non-authoritative data in the answer and authority section, and still set the AA bit. As a result, many caching name servers appear to be authoritative for some records unless heuristics are applied to detect these special cases.


The examples below assume a UNIX shell. You might have to use different quoting if your WHOIS client is different. The space character after the quote "'" is intended to force the WHOIS client to treat the whole argument as a non-option argument.

$ whois -h whois ' -t -q'
(some domains omitted, to conserve space)

This first example shows how to perform a substring query. The -t option requests table-based output, and the -q option switches to alternate query syntax. If we had used any.domain.suffix instead of domain.suffix, real records would have been returned.

$ whois -h whois ' -t -q'   A

This query just returns the A record.

$ whois -h whois ' -t -q a.address='   A      A A   A
$ whois -h whois ' -t -q a.address+='   A      A A    CNAME   CNAME   A
$ whois -h whois ' -t'   A      A A    CNAME   CNAME   A      A      NS      NS      PTR
(some records omitted)

The first of these queries just returns A records, based on the IP address. The second query also includes CNAME records ( does not use CNAME-to-CNAME records, so you will not see them in these examples, but in "+" (or closure) mode, CNAME references are followed recursively). The third query (which is equivalent to an ANY.address query in alternate syntax) also reveals some PTR-like records.


Florian Weimer
Home Blog (DE) Blog (EN) Impressum RSS Feeds