steampipe plugin install whoissteampipe plugin install whois

Table: whois_domain - Query Whois Domains using SQL

Whois is a protocol that is used to query databases that store the registered users or assignees of an Internet resource, such as a domain name or an IP address block. It provides information related to the registration and ownership of a domain name. This includes details about the registrant, administrative, billing and technical contacts.

Table Usage Guide

The whois_domain table provides insights into domain names within the Whois protocol. As a security analyst, explore domain-specific details through this table, including registration, ownership, and associated metadata. Utilize it to uncover information about domains, such as their registrant details, administrative contacts, and the status of the domain.

Important Notes

It's not practical to list all domains in the world, so this table requires a domain qualifier to be passed in the where or join clause for all queries.

Examples

Basic whois info

select
  domain,
  expiration_date
from
  whois_domain
where
  domain = 'steampipe.io';

select
  domain,
  expiration_date
from
  whois_domain
where
  domain = 'steampipe.io';

Days until expiration

select
  domain,
  expiration_date,
  date_part('day', expiration_date - current_date) as days_until_expiration
from
  whois_domain
where
  domain = 'steampipe.io';

select
  domain,
  expiration_date,
  julianday(expiration_date) - julianday(date('now')) as days_until_expiration
from
  whois_domain
where
  domain = 'steampipe.io';

Get name server information

select
  domain,
  name_servers
from
  whois_domain
where
  domain = 'steampipe.io';

select
  domain,
  name_servers
from
  whois_domain
where
  domain = 'steampipe.io';

Check domain status codes

Commonly used protections:

select
  domain,
  client_delete_prohibited,
  client_transfer_prohibited,
  client_update_prohibited,
  server_delete_prohibited,
  server_transfer_prohibited,
  server_update_prohibited
from
  whois_domain
where
  domain = 'steampipe.io';

select
  domain,
  client_delete_prohibited,
  client_transfer_prohibited,
  client_update_prohibited,
  server_delete_prohibited,
  server_transfer_prohibited,
  server_update_prohibited
from
  whois_domain
where
  domain = 'steampipe.io';

Check for any EPP status code:

select
  domain,
  status,
  status ? 'pendingtransfer' as pending_transfer
from
  whois_domain
where
  domain = 'steampipe.io';

select
  domain,
  status,
  json_extract(status, '$.pendingtransfer') as pending_transfer
from
  whois_domain
where
  domain = 'steampipe.io';

Contact information

select
  domain,
  jsonb_pretty(admin) as admin,
  jsonb_pretty(billing) as billing,
  jsonb_pretty(registrant) as registrant,
  jsonb_pretty(technical) as technical
from
  whois_domain
where
  domain = 'steampipe.io';

select
  domain,
  admin,
  billing,
  registrant,
  technical
from
  whois_domain
where
  domain = 'steampipe.io';

Registrar managing the domain

select
  domain,
  registrar ->> 'name' as registrar
from
  whois_domain
where
  domain = 'steampipe.io';

select
  domain,
  json_extract(registrar, '$.name') as registrar
from
  whois_domain
where
  domain = 'steampipe.io';

Working with multiple domains

select
  domain,
  expiration_date
from
  whois_domain
where
  domain in (
    'github.com',
    'google.com',
    'steampipe.io',
    'yahoo.com'
  );

select
  domain,
  expiration_date
from
  whois_domain
where
  domain in (
    'github.com',
    'google.com',
    'steampipe.io',
    'yahoo.com'
  );

Implementation notes

Automatically retries with backoff. WHOIS servers are fussy with throttling.
May return partial results, some WHOIS servers return domain info but throttle / skip contact information.

Schema for whois_domain

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form, e.g. connection_name.
admin	jsonb		Administrative contact information.
billing	jsonb		Billing contact information.
client_delete_prohibited	boolean		This status code tells your domain's registry to reject requests to delete the domain.
client_transfer_prohibited	boolean		This status code tells your domain's registry to reject requests to transfer the domain from your current registrar to another.
client_update_prohibited	boolean		This status code tells your domain's registry to reject requests to update the domain.
created_date	timestamp with time zone		Date when the domain was first registered.
dns_sec	boolean		True if the domain has enabled DNSSEC.
domain	text	=	Domain name the WHOIS information relates to.
domain_extension	text		Extension of the domain.
domain_id	text		Unique identifier for the domain.
domain_punycode	text		Punycode ASCII variation of the Unicode domain name.
expiration_date	timestamp with time zone		Expiration date for the domain.
name_servers	jsonb		List of name servers for the domain.
registrant	jsonb		Registrant contact information.
registrar	jsonb		Registrar contact information.
server_delete_prohibited	boolean		This status code prevents your domain from being deleted. clientdeleteprohibited is more commonly used.
server_transfer_prohibited	boolean		This status code prevents your domain from being transferred from your current registrar to another. clienttransferprohibited is more commonly used.
server_update_prohibited	boolean		This status code locks your domain preventing it from being updated. clientupdateprohibited is more commonly used.
status	jsonb		Extensible Provisioning Protocol (EPP) status codes set on the domain. Common status codes (e.g. client_transfer_prohibited) are also elevated to column level. A full list is available at https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
technical	jsonb		Technical contact information.
updated_date	timestamp with time zone		Last date when the domain record was updated.
whois_server	text		WHOIS server that manages the domain.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- whois

You can pass the configuration to the command with the --config argument:

steampipe_export_whois --config '<your_config>' whois_domain