steampipe plugin install whois

Table: whois_domain - Query Whois Domains using SQL

Whois is a protocol that is used to query databases that store the registered users or assignees of an Internet resource, such as a domain name or an IP address block. It provides information related to the registration and ownership of a domain name. This includes details about the registrant, administrative, billing and technical contacts.

Table Usage Guide

The whois_domain table provides insights into domain names within the Whois protocol. As a security analyst, explore domain-specific details through this table, including registration, ownership, and associated metadata. Utilize it to uncover information about domains, such as their registrant details, administrative contacts, and the status of the domain.

Important Notes

  • It's not practical to list all domains in the world, so this table requires a domain qualifier to be passed in the where or join clause for all queries.

Examples

Basic whois info

select
  domain,
  expiration_date
from
  whois_domain
where
  domain = 'steampipe.io';

Days until expiration

Postgres:

select
  domain,
  expiration_date,
  date_part('day', expiration_date - current_date) as days_until_expiration
from
  whois_domain
where
  domain = 'steampipe.io';

SQLite:

select
  domain,
  expiration_date,
  julianday(expiration_date) - julianday(date('now')) as days_until_expiration
from
  whois_domain
where
  domain = 'steampipe.io';

Get name server information

select
  domain,
  name_servers
from
  whois_domain
where
  domain = 'steampipe.io';

Check domain status codes

Commonly used protections:

select
  domain,
  client_delete_prohibited,
  client_transfer_prohibited,
  client_update_prohibited,
  server_delete_prohibited,
  server_transfer_prohibited,
  server_update_prohibited
from
  whois_domain
where
  domain = 'steampipe.io';

Check for any EPP status code:

Postgres:

select
  domain,
  status,
  status ? 'pendingtransfer' as pending_transfer
from
  whois_domain
where
  domain = 'steampipe.io';

SQLite:

select
  domain,
  status,
  json_extract(status, '$.pendingtransfer') as pending_transfer
from
  whois_domain
where
  domain = 'steampipe.io';

Contact information

Postgres:

select
  domain,
  jsonb_pretty(admin) as admin,
  jsonb_pretty(billing) as billing,
  jsonb_pretty(registrant) as registrant,
  jsonb_pretty(technical) as technical
from
  whois_domain
where
  domain = 'steampipe.io';

SQLite:

select
  domain,
  admin,
  billing,
  registrant,
  technical
from
  whois_domain
where
  domain = 'steampipe.io';

Registrar managing the domain

Postgres:

select
  domain,
  registrar ->> 'name' as registrar
from
  whois_domain
where
  domain = 'steampipe.io';

SQLite:

select
  domain,
  json_extract(registrar, '$.name') as registrar
from
  whois_domain
where
  domain = 'steampipe.io';

Working with multiple domains

select
  domain,
  expiration_date
from
  whois_domain
where
  domain in (
    'github.com',
    'google.com',
    'steampipe.io',
    'yahoo.com'
  );

Implementation notes

  • Automatically retries with backoff. WHOIS servers are fussy with throttling.
  • May return partial results: some WHOIS servers return domain info but throttle or skip contact information.
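
The columns used in the examples above can be combined into a single registration-hygiene check over a watchlist, with incomplete lookups surfaced rather than silently passed. This is an added example, not part of the plugin documentation; it uses Postgres syntax, the 30-day window is an assumed threshold, and treating a null expiration_date or registrant as a sign of a throttled lookup is an assumption.

```sql
-- Added example (Postgres syntax): flag watchlist domains that are close to
-- expiry, lack a registrar transfer lock, or do not have DNSSEC enabled.
-- The domain list is the one from the multi-domain example on this page.
select
  domain,
  registrar ->> 'name' as registrar,
  expiration_date,
  date_part('day', expiration_date - current_date) as days_until_expiration,
  client_transfer_prohibited,
  dns_sec,
  -- Assumption: contact data skipped by a throttling WHOIS server shows up as null.
  registrant is null as registrant_missing
from
  whois_domain
where
  domain in (
    'github.com',
    'google.com',
    'steampipe.io',
    'yahoo.com'
  )
  and (
    -- Assumption: a partial record may have no expiration date; review it by hand.
    expiration_date is null
    -- Assumed threshold: renewal due within 30 days.
    or expiration_date < current_date + interval '30 days'
    -- "is not true" also matches null, so a missing flag is reported, not hidden.
    or client_transfer_prohibited is not true
    or dns_sec is not true
  )
order by
  expiration_date nulls first;
```

A row with registrant_missing set is a candidate for a re-run once the WHOIS server stops throttling, before any conclusion is drawn from the missing fields.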

Schema for whois_domain

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
| admin | jsonb | | Administrative contact information. |
| billing | jsonb | | Billing contact information. |
| client_delete_prohibited | boolean | | This status code tells your domain's registry to reject requests to delete the domain. |
| client_transfer_prohibited | boolean | | This status code tells your domain's registry to reject requests to transfer the domain from your current registrar to another. |
| client_update_prohibited | boolean | | This status code tells your domain's registry to reject requests to update the domain. |
| created_date | timestamp with time zone | | Date when the domain was first registered. |
| dns_sec | boolean | | True if the domain has enabled DNSSEC. |
| domain | text | = | Domain name the WHOIS information relates to. |
| domain_extension | text | | Extension of the domain. |
| domain_id | text | | Unique identifier for the domain. |
| domain_punycode | text | | Punycode ASCII variation of the Unicode domain name. |
| expiration_date | timestamp with time zone | | Expiration date for the domain. |
| name_servers | jsonb | | List of name servers for the domain. |
| registrant | jsonb | | Registrant contact information. |
| registrar | jsonb | | Registrar contact information. |
| server_delete_prohibited | boolean | | This status code prevents your domain from being deleted. clientdeleteprohibited is more commonly used. |
| server_transfer_prohibited | boolean | | This status code prevents your domain from being transferred from your current registrar to another. clienttransferprohibited is more commonly used. |
| server_update_prohibited | boolean | | This status code locks your domain preventing it from being updated. clientupdateprohibited is more commonly used. |
| status | jsonb | | Extensible Provisioning Protocol (EPP) status codes set on the domain. Common status codes (e.g. client_transfer_prohibited) are also elevated to column level. A full list is available at https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en |
| technical | jsonb | | Technical contact information. |
| updated_date | timestamp with time zone | | Last date when the domain record was updated. |
| whois_server | text | | WHOIS server that manages the domain. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- whois

You can pass the configuration to the command with the --config argument:

steampipe_export_whois --config '<your_config>' whois_domain