Passive DNS replication data can be obtained from a special WHOIS server.
This WHOIS server does not support handles in the usual sense. Instead, the server attempts to parse the passed query string to determine its type.
First, the string is parsed as an IP version 4 address. If successful, it is treated as an IP address.
Next, the string is parsed as an IP version 4 prefix.
The remaining query strings are treated as domain names.
If the -q option is specified, an alternate query syntax is used (see below).
The WHOIS server supports the following query options:
-d: Treat the query string as a domain name, even if it looks like an IP address or prefix. (This is currently a no-op; it is provided for backwards compatibility only.)
-F and -L: Include the time stamp of the first or last observed occurrence of the record (see below).
-S: Include source address information (see below).
-l (with a numeric argument): Set an upper bound for the number of records to return. The default limit is 1000, to prevent accidental database overload.
-q: Switch to alternate query syntax (see below).
-Q: Do not display any banners (server version, copyright notice). Implied by the -t option.
-t: Activate table-based output (see below).
If the -q option is specified, non-option arguments are not treated as handles, but parsed as query strings. Query strings have the following form:
set.field=key
The first part specifies the data set. It is either a record type name (A, CNAME etc.) or one of the special values ANY and domain. The second part chooses the field in the data set to search, for the key given in the third part. The data set and field parts are case-insensitive, but the key is case-sensitive.
The supported search fields are listed below for each record type. If not stated otherwise, the key is a domain name. With the exception of the dname+ variants, all queries only return records of the indicated type.
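The following Python sketch of the client side is an added example; it is not part of this documentation or of the WHOIS server's code. It reproduces the two query forms described above: the default handle classification in the documented order (IPv4 address, then IPv4 prefix, then domain name) and the set.field=key split with its case rules (set and field case-insensitive, key case-sensitive). The function names are mine, and the exact prefix notation the server accepts is an assumption (a CIDR string with "/" is used here). The leading space in the whois argument is the quoting trick the examples at the end of this document rely on.

```python
import ipaddress
from typing import Tuple

# Added example; not the server's own parser. Classification order follows
# the documented default mode: IPv4 address, then IPv4 prefix, else domain.


def classify_handle(handle: str) -> str:
    """Return 'address', 'prefix' or 'domain' for a default-mode query string."""
    try:
        ipaddress.IPv4Address(handle)
        return "address"
    except ValueError:
        pass
    try:
        # Assumption: prefixes are written in CIDR notation. strict=False
        # tolerates host bits; the server's exact rule is not documented here.
        ipaddress.IPv4Network(handle, strict=False)
        if "/" in handle:
            return "prefix"
    except ValueError:
        pass
    return "domain"


def parse_query(query: str) -> Tuple[str, str, str]:
    """Split an alternate-syntax query 'set.field=key' into its three parts.

    The data set and field are case-insensitive and are normalised here to
    the spelling used in the documentation (upper-case record types and ANY,
    lower-case 'domain'); the key is returned unchanged because it is
    case-sensitive.  Fields may themselves contain a dot (ANY.domain.prefix).
    """
    if "=" not in query:
        raise ValueError("query must have the form set.field=key")
    selector, key = query.split("=", 1)
    if "." not in selector:
        raise ValueError("selector must have the form set.field")
    dataset, field = selector.split(".", 1)
    dataset = "domain" if dataset.lower() == "domain" else dataset.upper()
    return dataset, field.lower(), key


def whois_argument(query: str, table: bool = True) -> str:
    """Build the single non-option argument handed to the whois client.

    The leading space stops the client from treating -t and -q as its own
    options, so they reach the server as part of the query string.
    """
    options = (["-t"] if table else []) + ["-q"]
    return " " + " ".join(options + [query])


if __name__ == "__main__":
    for h in ("212.9.189.169", "212.9.189.0/24", "albireo.enyo.de"):
        print(h, "->", classify_handle(h))
    print(parse_query("a.address+=212.9.189.169"))
    print(repr(whois_argument("domain.suffix=enyo.de")))
```

Pass the result of whois_argument as the last argument of "whois -h <server>", exactly as the quoted examples below do.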
A.name, A.address (search for records pointing to an IPv4 address), A.prefix (search for records with addresses in an IPv4 prefix); the A.address+ and A.prefix+ variants also include CNAME records pointing to the returned A records
AAAA.name, AAAA.address, AAAA.prefix, AAAA.address+, AAAA.prefix+ are like the A queries, but they work with AAAA records and IPv6 addresses and prefixes
CNAME.name, CNAME.dname, CNAME.dname+ (like CNAME.dname, but recursively adds more CNAME records)
DNAME.name, DNAME.dname
MX.name, MX.dname
NAPTR.name
NS.name, NS.dname
PTR.name, PTR.dname
RP.name, RP.mbox, RP.txt
SOA.name, SOA.primary, SOA.hostmaster
SRV.name, SRV.target
TXT.name
The ANY data set supports the fields listed below.
ANY.address: Treat the key as an IP address and return A records that point to this address, and other records which include a literal reference to this IP address.
ANY.prefix: Treat the key as an IP prefix and return A records that point to an address within this prefix. Also return records which have an embedded address within this prefix.
ANY.domain: Treat the key as a domain name and return records that match the domain.
ANY.domain.prefix, ANY.domain.suffix: Similar to ANY.domain, but interpret the key as a prefix or suffix, respectively.
ANY.ANY: This is the same as the default, handle-like mode. The key is parsed, and all possible types are used in sequence.
The domain data set can be used to obtain concise lists of domain names. These fields are supported:
domain.prefix: Return a list of domains which have the indicated key as prefix.
domain.suffix: Return a list of domains which have the indicated key as suffix.
The index which serves as a basis for domain.prefix and ANY.domain.prefix queries is partial. Domains which start with an IPv4 address are not included in it. For example, the query domain.prefix=1. will not return the domain name 1.2.0.192.dnsbl.example.net.
The WHOIS server supports multiple output formats.
In the list-based output format, the result set is returned as a plain text file, and each line contains exactly one data item. Lines starting with "% ERROR:" are error messages.
This output format is used automatically if the result set contains only one field, or if the -l option is specified. In this case, only the name field of the output is returned.
The -t option requests a table-based output format. If neither the -F nor the -L option is specified, the column layout is as follows:
The first column contains the name of the resource record.
The second column contains the resource record type (A, MX, and so on).
The third and subsequent columns contain the data portion of the resource record.
If the -F (show time of first occurrence) or -L (show time of last occurrence) options are specified, the corresponding column is prepended as the first column. If both options are given, the first column contains the time of the first sighting, and the second column contains the time of the last sighting. All times are given in UTC (+0000, also known as GMT) and in ISO 8601 notation (where the "T" separator has been replaced by a space character).
Lines starting with "% ERROR:" are error messages.
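As an added example (not code from this documentation or from the server), the parser below reads table-based output into structured rows according to the column layout just described: optional first/last time stamp columns, then the optional source column that -S adds, then name, type and data. The text does not say how columns are separated; this example assumes tab-separated columns (so that an empty source column survives) and falls back to whitespace splitting, where each time stamp is known to occupy two tokens because the ISO 8601 "T" has been replaced by a space. The sample output is constructed; the time stamps and source address in it are not real data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not the server's own code. Layout per the documentation:
# [seen-first] [seen-last] [source] name type data...


@dataclass
class TableRow:
    name: str
    rtype: str
    data: List[str] = field(default_factory=list)
    seen_first: Optional[str] = None
    seen_last: Optional[str] = None
    source: Optional[str] = None


def _split_whitespace(line: str, timestamps: int) -> List[str]:
    """Fallback for space-separated output: each time stamp is 'date time'."""
    tokens = line.split()
    cols: List[str] = []
    for _ in range(timestamps):
        cols.append(tokens[0] + " " + tokens[1])
        tokens = tokens[2:]
    return cols + tokens


def parse_table_output(text: str, first: bool = False, last: bool = False,
                       source: bool = False) -> Tuple[List[TableRow], List[str]]:
    """Parse -t output produced with the given -F/-L/-S options.

    Returns (rows, errors); '% ERROR:' lines become error strings and other
    '%' comment lines are skipped.  In whitespace mode an empty source column
    cannot be represented, so -S output should be parsed from tab-separated
    text (an assumption about the real server's format).
    """
    rows: List[TableRow] = []
    errors: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("% ERROR:"):
            errors.append(line[len("% ERROR:"):].strip())
            continue
        if line.startswith("%"):
            continue
        if "\t" in line:
            cols = line.split("\t")
        else:
            cols = _split_whitespace(line, int(first) + int(last))
        row = TableRow(name="", rtype="")
        idx = 0
        if first:
            row.seen_first = cols[idx]
            idx += 1
        if last:
            row.seen_last = cols[idx]
            idx += 1
        if source:
            row.source = cols[idx] or None  # empty column: no source known
            idx += 1
        row.name, row.rtype = cols[idx], cols[idx + 1]
        row.data = cols[idx + 2:]
        rows.append(row)
    return rows, errors


# Constructed sample of "-t -F -L -S" output (tab-separated); not real data.
SAMPLE_TABLE = (
    "2005-01-24 10:15:00\t2005-04-24 08:30:00\t212.9.189.1\talbireo.enyo.de\tA\t212.9.189.169\n"
    "2005-01-24 10:15:00\t2005-04-24 08:30:00\t\tcups.enyo.de\tCNAME\talbireo.enyo.de\n"
    "% ERROR: constructed example error\n"
)

if __name__ == "__main__":
    rows, errors = parse_table_output(SAMPLE_TABLE, first=True, last=True, source=True)
    for r in rows:
        print(r)
    print("errors:", errors)
```

Without -F/-L/-S the same function parses the plain three-column output shown in the examples at the end of this document.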
The record-oriented output format mimics the output format of the RIPE WHOIS server software. This format is the default output format, unless special queries are used, or another output format is explicitly requested.
Records consist of fields, and multiple records are separated by a blank line. A field contains a field name (at the beginning of the line), which is a string that consists of lowercase letters, digits and hyphens ("-"). The field name is separated from the field value by the two-character string ": " (colon, space). The field value extends to the end of the line.
The following fields are present in all records:
rr-name contains the domain name of the record.
rr-type is the type of the resource record (A, MX, and so on).
seen-first describes the time at which the record was encountered for the first time (ISO 8601 format, UTC).
seen-last describes the time at which the record was encountered for the last time (ISO 8601 format, UTC).
Depending on the resource record type, further fields are available. The order of fields is only significant for fields with the same field name.
Additional field names may be added at a later time. The format is explicitly designed to be extensible.
As usual, lines starting with "% ERROR:" are error messages. Additional information may be relayed using "% " comments.
If you include the -S option, the WHOIS server returns source address information in its output. In table-based output mode, the source address is included as an additional column between the time stamps (if any) and the actual data. The column is empty if no source address information for this particular record is available. In record-oriented output format, source address information is included in the source field (if it is available).
In both modes, the server may return the same DNS record multiple times, once for each source address (and another record without source address information). The time stamps in the record without source address information do not necessarily describe a superset of the other records.
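The following parser for the record-oriented format is an added example, not code from this documentation or the server. It enforces the field-line grammar given above (lowercase letters, digits and hyphens, then ": "), separates "% ERROR:" lines and "% " comments from records, and then groups the repeated copies of one DNS record (one per source address, plus the copy without a source) while keeping each copy's own sightings, because the copy without a source is not necessarily a superset. The sample output is constructed; the type-specific field names "address" and "dname" and the time stamp spelling are assumptions, since the documentation does not list them.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not the server's own code.
Record = List[Tuple[str, str]]  # ordered (field-name, value) pairs; names may repeat
FIELD_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")
META_FIELDS = {"rr-name", "rr-type", "seen-first", "seen-last", "source"}


def parse_record_output(text: str) -> Tuple[List[Record], List[str], List[str]]:
    """Return (records, error messages, comment lines) from record-oriented output."""
    records: List[Record] = []
    errors: List[str] = []
    comments: List[str] = []
    current: Record = []
    for line in text.splitlines():
        if line.startswith("% ERROR:"):
            errors.append(line[len("% ERROR:"):].strip())
        elif line.startswith("% "):
            comments.append(line[2:])
        elif not line.strip():
            if current:                       # blank line terminates a record
                records.append(current)
                current = []
        else:
            name, sep, value = line.partition(": ")
            if not sep or not name or any(c not in FIELD_CHARS for c in name):
                raise ValueError(f"malformed field line: {line!r}")
            current.append((name, value))     # value runs to end of line
    if current:
        records.append(current)
    return records, errors, comments


def get(record: Record, name: str) -> Optional[str]:
    """First value of a field, or None if the record lacks it."""
    for n, v in record:
        if n == name:
            return v
    return None


Sighting = Tuple[Optional[str], Optional[str], Optional[str]]  # (source, first, last)


def merge_sources(records: List[Record]) -> Dict[tuple, List[Sighting]]:
    """Group copies of the same DNS record, keeping one sighting per source.

    The key is (rr-name, rr-type, type-specific data fields in order); the
    per-source time stamps are kept separate rather than merged.
    """
    grouped: Dict[tuple, List[Sighting]] = {}
    for rec in records:
        data = tuple((n, v) for n, v in rec if n not in META_FIELDS)
        key = (get(rec, "rr-name"), get(rec, "rr-type"), data)
        grouped.setdefault(key, []).append(
            (get(rec, "source"), get(rec, "seen-first"), get(rec, "seen-last")))
    return grouped


# Constructed sample; the source address and time stamps are not real data.
SAMPLE_RECORDS = """\
% constructed sample, not real server output
rr-name: albireo.enyo.de
rr-type: A
seen-first: 2005-01-24T10:15:00Z
seen-last: 2005-04-24T08:30:00Z
address: 212.9.189.169

rr-name: albireo.enyo.de
rr-type: A
seen-first: 2005-02-01T09:00:00Z
seen-last: 2005-04-25T07:00:00Z
source: 212.9.189.1
address: 212.9.189.169

rr-name: cups.enyo.de
rr-type: CNAME
seen-first: 2005-03-25T12:00:00Z
seen-last: 2005-04-24T08:30:00Z
dname: albireo.enyo.de
"""

if __name__ == "__main__":
    recs, errs, notes = parse_record_output(SAMPLE_RECORDS)
    for key, sightings in merge_sources(recs).items():
        print(key[0], key[1], dict(key[2]), sightings)
```

In the sample, the copy reported by the source 212.9.189.1 was last seen after the copy without a source, which is exactly the case where merging the time stamps into one range would be misleading.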
The DNS protocol does not provide a clear indicator of which data in a DNS response is authoritative and which is cached. In order to avoid cluttering the output, the server returns a source address only if it assumes that the source claimed to be authoritative for that record. The rules are as follows.
If the AA bit is not set in the response, no records are authoritative. If the AA bit is set, the next rules apply.
A record in the answer section of a response is authoritative if its name matches the name in the question.
The records in the authority section are authoritative if the answer section does not contain a CNAME or DNAME record.
A record in an additional section is never considered authoritative.
These rules are necessary because some name servers (notably BIND in mixed caching/authoritative mode) return non-authoritative data in the answer and authority section, and still set the AA bit. As a result, many caching name servers appear to be authoritative for some records unless heuristics are applied to detect these special cases.
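The four rules above, implemented over a minimal in-memory model of a DNS response, as an added example (not the server's code): records from a response are credited to the source only under the documented conditions. The sample response is constructed to show the mixed caching/authoritative case the text describes: the AA bit is set, the answer section holds a CNAME plus the A record it points to, and an NS record sits in the authority section. Only the CNAME (whose name matches the question) survives; the A record, the authority NS (because the answer contains a CNAME) and everything in the additional section are dropped.

```python
from dataclasses import dataclass
from typing import List

# Added example implementing the documented heuristic; not the server's code.


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str


@dataclass
class Response:
    question_name: str
    aa: bool                 # AA bit from the DNS header
    answer: List[RR]
    authority: List[RR]
    additional: List[RR]


def _same_name(a: str, b: str) -> bool:
    """DNS names compare case-insensitively; ignore a trailing dot."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def authoritative_records(resp: Response) -> List[RR]:
    """Return the records for which the responding server may be recorded as source."""
    if not resp.aa:
        return []                                    # rule 1: no AA bit, nothing
    result = [rr for rr in resp.answer
              if _same_name(rr.name, resp.question_name)]   # rule 2
    answer_has_alias = any(rr.rtype in ("CNAME", "DNAME") for rr in resp.answer)
    if not answer_has_alias:
        result.extend(resp.authority)                # rule 3
    # rule 4: additional section is never authoritative
    return result


# Constructed sample: a mixed-mode resolver answering for cups.enyo.de with AA set.
MIXED_MODE = Response(
    question_name="cups.enyo.de",
    aa=True,
    answer=[RR("cups.enyo.de", "CNAME", "albireo.enyo.de"),
            RR("albireo.enyo.de", "A", "212.9.189.169")],
    authority=[RR("enyo.de", "NS", "ns.enyo.de")],
    additional=[RR("ns.enyo.de", "A", "192.0.2.1")],   # constructed address
)

# Constructed sample: a direct answer with AA set and no alias in the answer.
DIRECT = Response(
    question_name="albireo.enyo.de",
    aa=True,
    answer=[RR("albireo.enyo.de", "A", "212.9.189.169")],
    authority=[RR("enyo.de", "NS", "ns.enyo.de")],
    additional=[RR("ns.enyo.de", "A", "192.0.2.1")],
)

if __name__ == "__main__":
    print(authoritative_records(MIXED_MODE))
    print(authoritative_records(DIRECT))
```

A passive DNS sensor that skipped rule 2 would credit the cached A record for albireo.enyo.de to whichever caching server happened to answer, which is the misattribution the heuristic exists to avoid.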
The examples below assume a UNIX shell. You might have to use different quoting if your WHOIS client is different. The space character after the quote "'" is intended to force the WHOIS client to treat the whole argument as a non-option argument.
$ whois -h whois ' -t -q domain.suffix=enyo.de'
enyo.de
x-1.enyo.de
ext1.enyo.de
deneb.enyo.de
(some domains omitted, to conserve space)
senyo.de
$
This first example shows how to perform a substring query. The -t option requests table-based output, and the -q option switches to the alternate query syntax. If we had used any.domain.suffix instead of domain.suffix, real records would have been returned.
$ whois -h whois ' -t -q a.name=albireo.enyo.de'
albireo.enyo.de A 212.9.189.169
$
This query just returns the A record.
$ whois -h whois ' -t -q a.address=212.9.189.169'
lists.enyo.de A 212.9.189.169
subversion.enyo.de A 212.9.189.169
albireo.enyo.de A 212.9.189.169
proxy.enyo.de A 212.9.189.169
$ whois -h whois ' -t -q a.address+=212.9.189.169'
lists.enyo.de A 212.9.189.169
subversion.enyo.de A 212.9.189.169
albireo.enyo.de A 212.9.189.169
cups.enyo.de CNAME albireo.enyo.de
proxy.enyo.de CNAME albireo.enyo.de
proxy.enyo.de A 212.9.189.169
$ whois -h whois ' -t 212.9.189.169'
lists.enyo.de A 212.9.189.169
subversion.enyo.de A 212.9.189.169
albireo.enyo.de A 212.9.189.169
cups.enyo.de CNAME albireo.enyo.de
proxy.enyo.de CNAME albireo.enyo.de
proxy.enyo.de A 212.9.189.169
169.189.9.212.orbs.dorkslayers.com A 127.0.0.2
169.189.9.212.in-addr.arpa NS ext1.enyo.de
169.189.9.212.in-addr.arpa NS ns.enyo.de
169.189.9.212.in-addr.arpa PTR albireo.enyo.de
(some records omitted)
$
The first of these queries just returns A records, based on the IP address. The second query also includes CNAME records (enyo.de does not use CNAME-to-CNAME records, so you will not see them in these examples, but in "+" (or closure) mode, CNAME references are followed recursively). The third query (which is equivalent to an ANY.address query in alternate syntax) also reveals some PTR-like records.
2004-10-20: Draft version published.
2004-12-31: Document version 0.2 of the WHOIS server.
2005-01-24: The described query syntax is stable.
2005-03-25: AAAA records are now supported. Note that the index behind domain.prefix queries is only partial.
2005-04-15: DNAME, TXT and RP records are supported.
2005-04-24: The -S option (include source addresses) was added. Corrected the names of the seen-first and seen-last fields.
2014-01-20: Fixes for typographical errors.