Contents: introduction, usage, DWIM, history.
rxwhois needs RxSock.dll and RexxUtil.dll, available from IBM for OS/2, or equivalent libraries for other operating systems. It also works with ooREXX under Windows; just rename the script to rxwhois.rex.
At the moment rxwhois supports local codepage 437, OS/2 850 (858), OS/2 1004 (windows-1252), Latin-1 (819), Latin-9 (923), KOI8-R (878), and (in theory) MAC Roman. Queries are translated to UTF-8, replies are translated to your local codepage. UTF-8 is important for IDNs (Internationalized Domain Names). Adding more codepages should be easy, otherwise you can hire me ;-)
IPv6 won't work, because RxSock.dll doesn't know it, and I couldn't test it. Where necessary rxwhois tries to interpret a word of four numbers separated by dots like 127.0.0.2 as IPv4, other words with dots like www.purl.net are interpreted as FQDN (Fully Qualified Domain Name). This trick is not used if a whois server for the query is specified, see below.
rxwhois -h host:port query
That's the traditional way to send a query (one line) to a host (whois server). The default port is 43, see also RFC 3912. Almost all other rxwhois options are just shorthands:
rxwhois TLD          => rxwhois -h whois.iana.org TLD
rxwhois -a domain    => rxwhois -h whois.abuse.net domain
rxwhois -c query     => rxwhois -h whois.cyberabuse.org query
rxwhois -d domain    => rxwhois -h whois.denic.de -Tdn,ace domain
rxwhois -i host ...  => rxwhois IP(name) ... or rxwhois name(IP) ...
rxwhois -j query     => rxwhois -h whois.nic.ad.jp query /e
rxwhois -n query     => rxwhois -h whois.networksolutions.com query
rxwhois -r query     => rxwhois -h whois.ripe.net -B query
rxwhois -t query     => rxwhois -h whois.thur.de query
rxwhois -a           => test supported DNSBLs (see below)
rxwhois *            => test supported and disabled whois servers
rxwhois -a domain tests all RFCI RHSBLs and the multi zone of surbl.org before asking abuse.net for an abuse address. RHSBLs (Right Hand Side Block Lists) are a special form of DNSBLs: a domain is listed if domain.RHSBL has an "IP".
Example:
host example.tld.postmaster.rfc-ignorant.org = 127.0.0.2
rxwhois -a without arguments checks all supported DNSBLs using the test entry example.tld for RFCI zones, or the test IP 127.0.0.2 for other DNSBLs. An IP is listed if <reverse IP>.DNSBL has an "IP". The DNSBL query format for IPs is derived from the .in-addr.arpa zone.
Example:
host 2.0.0.127.bl.spamcop.net = 127.0.0.2
rxwhois IP checks all supported DNSBLs (excl. RFCI RHSBLs) for the given IP, at the moment:
*.virbl.dnsbl.bit.nl    *.cbl.abuseat.org    *.ix.dnsbl.manitu.net
*.bl.spamcop.net        *.multi.surbl.org    *.psbl.surriel.com
*.combined.njabl.org    *.list.dsbl.org      *.zen.spamhaus.org
Please note that some of these DNSBLs do not yet support important features documented in the DNSBL Internet Draft. BLs listing IP 127.0.0.1 or domain localhost, or BLs returning IP 127.0.0.1 as result, or DNSBLs not supporting a "listed" test entry for IP 127.0.0.2, are disqualified as far as rxwhois is concerned.
Ideally RHSBLs could offer a "listed" test entry for domain test, but admittedly that's not yet the case for the RFCI lists. For more info see RFC 2606 or its proposed update 2606bis.
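The two query formats and the disqualification rules above, as an added Python example (not part of rxwhois, which is written in REXX). The zones under .example and the FAKE_DNS answers are constructed so the check runs offline; leave out the resolver argument to query real DNS.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """<reverse IP>.<zone>, the same octet reversal used by .in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def rhsbl_name(domain, zone):
    """<domain>.<zone> for right hand side block lists."""
    return domain.rstrip(".").lower() + "." + zone

def lookup(name, resolve=socket.gethostbyname):
    """Return the A record (the "IP") for name, or None if it is not listed."""
    try:
        return resolve(name)
    except OSError:  # socket.gaierror (e.g. NXDOMAIN) is a subclass of OSError
        return None

def qualify(zone, resolve=socket.gethostbyname):
    """Apply the disqualification rules from the text to one DNSBL zone."""
    if lookup(dnsbl_name("127.0.0.1", zone), resolve) is not None:
        return False, "lists 127.0.0.1"
    if lookup(rhsbl_name("localhost", zone), resolve) is not None:
        return False, "lists localhost"
    answer = lookup(dnsbl_name("127.0.0.2", zone), resolve)
    if answer is None:
        return False, "no test entry for 127.0.0.2"
    if answer == "127.0.0.1":
        return False, "returns 127.0.0.1 as result"
    return True, "ok"

# Constructed answers standing in for DNS; none of these zones exist.
FAKE_DNS = {
    "2.0.0.127.good.example": "127.0.0.2",
    "2.0.0.127.loop.example": "127.0.0.1",
    "1.0.0.127.greedy.example": "127.0.0.2",
    "2.0.0.127.greedy.example": "127.0.0.2",
}

def fake_resolve(name):
    """Offline resolver: unknown names fail the way an NXDOMAIN would."""
    if name not in FAKE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN")
    return FAKE_DNS[name]

if __name__ == "__main__":
    for zone in ("good.example", "loop.example", "greedy.example", "dead.example"):
        print(zone, qualify(zone, fake_resolve))
```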
The fun starts if you try rxwhois query without any option; it's a DWIM (Do What I Mean) interface. If the first word is an IP, see above; other words are ignored. If it's a TLD (Top Level Domain), whois.iana.org gets the query. If it contains a dot but is no IP, it's handled as an FQDN. If a whois server or rwhois server (port 4321) for the TLD or SLD of this FQDN is known and not disabled, it gets the query. If a URL is known it's only displayed - this covers odd cases like reserved TLDs or some ISO 3166 country codes without TLDs.
Finally if the first word of the query contains a hyphen it could be a "NIC handle", and if a corresponding whois server is known it gets the query. This list is far from complete, and it does not work for cases like JP (no hyphen, use rxwhois -j) or -SA (use rxwhois -h saudinic.net.sa PERSON any-SA):
rxwhois any-AFRINIC  => rxwhois -h whois.afrinic.net any-AFRINIC
rxwhois any-ARIN     => rxwhois -h whois.arin.net any-ARIN
rxwhois any-AP       => rxwhois -h whois.apnic.net any-AP
rxwhois any-AU       => rxwhois -h whois.aunic.net any-AU
rxwhois any-CKNIC    => rxwhois -h whois.nic.ck any-CKNIC
rxwhois any-CZ       => rxwhois -h whois.nic.cz any-CZ
rxwhois any-DK       => rxwhois -h whois.nic.dk any-DK
rxwhois any-FRNIC    => rxwhois -h whois.nic.fr any-FRNIC
rxwhois any-HST      => rxwhois -h whois.networksolutions.com any-HST
rxwhois any-ITNIC    => rxwhois -h whois.nic.it any-ITNIC
rxwhois any-LACNIC   => rxwhois -h whois.lacnic.net any-LACNIC
rxwhois any-NICAT    => rxwhois -h whois.nic.at any-NICAT
rxwhois any-NICIR    => rxwhois -h whois.nic.ir any-NICIR
rxwhois any-NORID    => rxwhois -h whois.norid.no any-NORID
rxwhois any-RIPE     => rxwhois -h whois.ripe.net any-RIPE
rxwhois any-RIPN     => rxwhois -h whois.ripn.net any-RIPN
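The DWIM dispatch order and the host:port query form described above, as an added Python example rather than rxwhois's own REXX code. Assumptions: no TLD or SLD table is embedded, so any dotless word that is not a handle is treated as a TLD and an FQDN gets no server; strict dotted-quad parsing stands in for "four numbers separated by dots".

```python
import ipaddress

WHOIS_PORT = 43  # default whois port, see RFC 3912

# NIC handle suffix -> whois server, copied from the table above.
HANDLE_SERVERS = {
    "AFRINIC": "whois.afrinic.net", "ARIN": "whois.arin.net",
    "AP": "whois.apnic.net", "AU": "whois.aunic.net",
    "CKNIC": "whois.nic.ck", "CZ": "whois.nic.cz", "DK": "whois.nic.dk",
    "FRNIC": "whois.nic.fr", "HST": "whois.networksolutions.com",
    "ITNIC": "whois.nic.it", "LACNIC": "whois.lacnic.net",
    "NICAT": "whois.nic.at", "NICIR": "whois.nic.ir",
    "NORID": "whois.norid.no", "RIPE": "whois.ripe.net",
    "RIPN": "whois.ripn.net",
}

def is_ipv4(word):
    """True for four dot-separated numbers such as 127.0.0.2."""
    try:
        ipaddress.IPv4Address(word)
        return True
    except ValueError:
        return False

def classify(query):
    """Return (kind, whois server or None) for the first word of a query."""
    words = query.split()
    if not words:
        raise ValueError("empty query")
    word = words[0]
    if is_ipv4(word):
        return "ipv4", None            # handled by the DNSBL checks
    if "." in word:
        return "fqdn", None            # server would come from a TLD/SLD table
    # A TLD A-label (xn--...) contains hyphens but is not a NIC handle.
    if "-" in word and not word.lower().startswith("xn--"):
        server = HANDLE_SERVERS.get(word.rsplit("-", 1)[1].upper())
        return ("handle", server) if server else ("unknown", None)
    return "tld", "whois.iana.org"

def split_target(spec):
    """Split the -h argument host[:port]; the port defaults to 43."""
    host, sep, port = spec.partition(":")
    return host, int(port) if sep else WHOIS_PORT

def wire_query(query):
    """One UTF-8 query line, trailing blanks stripped, ended by CRLF."""
    return query.strip().encode("utf-8") + b"\r\n"

if __name__ == "__main__":
    # xn--abc is a constructed label, not a real TLD.
    for q in ("127.0.0.2", "www.purl.net", "de", "xn--abc", "any-RIPE", "any-SA"):
        print(q, classify(q))
```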
For the latest minor updates see the rxwhois.cmd source. Version history: 2.1, 2.0, 1.9, 1.8, 1.7, 1.6, 1.5, 1.4, 1.3, 1.2, 1.1, 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4, 0.3.
consolidated minor updates 2.0.1 up to 2.0.6, especially:
- removed relays.ordb.org ORDB DNSBL closed 2006-12-18
- removed combined-hib.dnsiplists.completewhois.com
- replaced DNSBL sbl-xbl.spamhaus by zen.spamhaus.org
- added 11 IDN test TLDs xn--... (started 2007-10-15)
- fixed bug where TLD A-label was parsed as NIC handle
- added temporary test option -k for the Cyril IDN TLD
- replaced UTF-8 procedures version 0.5 by 0.8, please add or fix missing codepages in procedure UTF.8( CP )
- added CHCP() emulating OS/2 SysQueryProcessCodePage()
- replaced whois.ainic.ai by whois.ai
- replaced www.nic.cd by whois.nic.cd
- replaced whois.mynic.net.my by whois1.mynic.net.my
- replaced whois.nic.tk by whois.dot.tk
- enabled whois.nic.gp
- enabled whois.nic.ki
- added jobswhois.verisign-grs.com for sTLD .jobs
- added whois.adamsnames.com for ccTLD .gd
- added whois.nic.ly again for ccTLD .ly
- added whois.iam.net.ma for ccTLD .ma
- disabled whois.nplus.gf new for ccTLD .gf
- disabled whois.registry.gy new for ccTLD .gy
- disabled whois.nic.gw (unknown host listed by IANA)
- disabled whois.fj \/ no change - the servers exist
- disabled whois.nic.mq /\ but don't know themselves (?)
- removed whois.nic.af (unknown host)
- removed whois.sanet.ge (unknown host)
- disabled whois.nic.bi (ECONNREFUSED)
- disabled whois.mdnet.md (ETIMEDOUT)
- disabled whois.uprr.pr (ETIMEDOUT)
- updated proto-TLD .cs (IANA now reserves .me and .rs)
- added whois.nic.tel for new gTLD .tel
- added provisional entries for new ccTLDs .mf and .bl

consolidated minor updates 1.9.1 up to 1.9.4, especially:
- minor fix in <http://purl.net/xyzzy/src/utf-8.cmd> 0.5
- replaced DEnglish gibberish "resp." in two comments
- added placeholders for ME (Montenegro) and RS (Serbia)
- enabled whois.nic.kz (KZ)
- enabled whois.ainic.ai (AI)
- enabled whois.nic.af (AF)
- added whois.nic.ci (CI) handle data on demand
- added whois.mdnet.md (MD)
- added whois2.afilias-grs.net (GI) source: IANA
- added whois.dotmobiregistry.net (MOBI) source: IANA
- removed whois.idnic.net.id (ID) host not found
- removed whois.cctld.nc (NC) host not found
- removed whois.lydomains.com (this was always dubious)
- removed rwhois.ibl.bm:4321 (BM) get rid of old rwhois
- replaced whois.aero (AERO) new name, source IANA
- replaced whois.register.bg (BG) was whois.digsys.bg
- replaced whois.nic.dm (DM) was whois.nic.cx
- replaced whois.nic.gs (GS) was whois.gs
- replaced whois.nic.la (LA) was whois2.afilias
- replaced whois.dot.tk (TK) was whois.nic.tk
- replaced whois.nic.tl (TL) was whois.domains.tl
- replaced www.nic.cd (CD) was whois.nic.cd
- replaced whois.website.ws (WS) was www.nic.ws
- disabled whois.nic.ki (KI) added (a cocca bogey)
- disabled whois.nic.gp (GP) added \/ does not yet
- disabled whois.nic.mq (MQ) added /\ know itself
- disabled whois.pn (PN) added, does not work
- disabled whois.belizenic.bz (BZ)
- removed Web sites for TL and TP (broken certificates)
- removed opm.blitzed.org (five months too late, sorry)

consolidated minor updates 1.8.1 up to 1.8.8, especially:
- added whois.grnet.gr (GR)
- enabled whois.nic-se.se (SE), ignorant but usable
- removed whois.register.sr (SR)
- replaced whois.hkirc.net.hk : whois.hkdnr.net.hk
- replaced whois.ncst.ernet.in : whois.inregistry.net
- replaced whois.nic.nl : whois.domain-registry.nl
- replaced www.rau.edu.uy : www.nic.org.uy
- replaced whois.tv : whois.nic.tv
- replaced whois.nic.uz : whois.cctld.uz
- replaced whois.samoanic.ws : whois.tld.ws
- replaced whois.educause.net : whois.educause.edu
- replaced whois.nic.pr : whois.uprr.pr
- added www.nic.bj (BJ) handle data on demand
- added whois.kenic.or.ke (KE)
- added whois.ati.tn (TN) disabled (Web access)
- removed whois.au.com (AU.COM) use normal COM whois
- enabled whois.ac.za (AC.ZA) for any domain.AC.ZA
- enabled whois.nic.lv (LV)
- disabled whois.nic.kz (KZ)
- replaced whois.co.ug : www.ug
- replaced rwhois.nic.ve:4321 : whois.nic.ve (disabled)
- enabled whois.nic.ve (VE) test e.g. yahoo.co.ve
- disabled whois.idnic.net.id (ID) nothing but timeouts
- disabled whois.nic.?? for ccTLDs AF, CX, DM, NF, TL, TP
- enabled whois.nic.cx (CX) working CoCCA TLD NIC
- replaced whois.nic.dm : whois.nic.cx (CoCCA)
- replaced whois.nic.nf : whois.nic.cx (CoCCA)
- replaced whois.nic.tl : whois.domains.tl (CoCCA)
- replaced whois.nic.tp : whois.domains.tl (CoCCA)
- added whois.nic.mu (MU) working CoCCA TLD NIC
- disabled whois.nic.mn (MN) expects SLD in query
- kept whois.thnic.net (TH) test e.g. thnic.co.th
- replaced whois.uaenic.ae : whois.nic.ae
- replaced webhost1.capital.hm : whois.registry.hm
- replaced whois.inregistry.net: whois.registry.in
- replaced www.nic.org.uy : nic.uy
- replaced whois.tld.ws : www.nic.ws
- added whois.nic.mg (MG) disabled, source IANA
- disabled whois.channelisles.net (GG+JE) no contact data
- enabled whois.nic.io (IO) test e.g. hosting.io
- enabled whois.nic.tm (TM) test e.g. hosting.tm
- improved CHECK() to display any working disabled server
- replaced DNSBL dnsbl.njabl.org by combined.njabl.org
- added DNSBL ix.dnsbl.manitu.net
- added DNSBL virbl.dnsbl.bit.nl <http://virbl.bit.nl>
- added dummy entries for new gTLDs .asia and .mobi
- added whois.eu (EU)
- added whois.cat (CAT)
- added whois.nic.travel (TRAVEL)
- disabled whois.ainic.ai (AI)
- replaced 170.224.17.227 (LA) : whois2.afilias-grs.net
- added whois2.afilias-grs.net for ccTLDs HN, SC, VC

consolidated minor updates 1.7.1 up to 1.7.8, especially:
- xmas edition for Jeff Chan, support 127.0.c.d (16 bits)
- added .nato as former gTLD (sorry, yet no reference)
- added whois.nic.af (AF), whois.nic.cd (CD)
- added whois.nic.pr (PR)
- updated whois.nic.tf (TF), so now it really is NIC.FR
- disabled whois.bgnic.bg (BG), whois.mynic.net.my (MY)
- disabled whois.nic.la (LA), rwhois.ibl.bm:4321 (BM)
- disabled whois.registry.hm (HM)
- removed nic.fm (FM), that used to be a whois server
- removed whois.tdnet.td (TD), unknown host
- kept whois.rau.edu.uy (UY), maybe use nic.uy later
- replaced whois.hkdnr.net.hk by whois.hkirc.net.hk (HK)
- replaced linux.lisse.na by whois.na-nic.com.na (NA)
- ccTLDs AX, CS, EH, GB, KP, TL marked as "unknown whois"
- added whois.afrinic.net for any-AFRINIC handle
- added whois.ficora.fi (FI), source jwhois.conf 1.107
- disabled whois.ficora.fi (FI), whois.nic-se.se (SE)
- added whois.CoCCA.cx for TLD .tl (not yet available)
- added http://www.nic.??/whois.jsp for CX, DM, NF, TP
- replaced whois.bgnic.bg by whois.digsys.bg (BG)
- replaced whois.neulevel.biz by whois.nic.biz (BIZ)
- kept whois.nic.ad.jp, maybe use whois.jprs.jp later
- updated whois.nic.fr => whois.nic.?? for WF, YT
- enabled whois.mynic.net.my (MY)
- enabled whois.registrypro.pro (PRO)
- enabled whois.nic.mn (MN), query without TLD .mn works
- removed http://whois.kn under construction by VeriSign
- removed http://www.sudanic.sd or http://www.sudatel.sd
- added webhost1.capital.hm (HM): hm.whois-servers.net
- replaced disabled whois.nic.la by [170.224.17.227] (LA)
- updated TLDs .eu, .jobs, and .travel (almost official)
- removed option -z (whois.cymru.com) added to IP output
- removed wadb.isipp.com (dubious test result 127.0.0.1)
- disabled whois.nic.lv (LV), whois.nic.mn (MN)
- disabled whois.nic.pr (PR)
- enabled CoCCA whois servers AF, CX, DM, NF, TL (+TP)
- -i shows IHOST( x ) error directly as "unknown host x"
- -a shows IHOST( IHOST( ??.whois-servers.net )) for TLDs
- -r shows unfiltered RIPE -B output, -Tdomain removed

consolidated minor updates 1.6.1 up to 1.6.9, especially:
- replace URIBL sc. by multi.surbl.org (sc=2, ws=4, ph=8)
- DNSBL.SORBS.NET banned after abuse (removed from DNSBL)
- removed whois.ripe.net for TLD .gr (known rfc-ignorant)
- option -d as shorthand for -h whois.denic.de -Tdn,ace
- option -z as shorthand for -h whois.cymru.com IP
- not yet implemented: <reverse-IP>.zz.countries.nerd.dk
- enabled: whois.nic.bi
- added: whois.nic.pm (instead of alias of whois.nic.fr)
- added: <reverse IP>.psbl.surriel.com to tested DNSBLs
- added: <reverse IP>.wadb.isipp.com (withdrawn accred.)
- removed whois.nic.mil (known rfc-ignorant TLD like gov)
- removed <reverse IP>.ipwhois.rfc-ignorant.org
- removed dubious nslookup -q=soa <reverse IP>
added <rev. IP>.combined-hib.dnsiplists.completewhois.com

consolidated minor updates 1.5.1 up to 1.5.7, especially:
- added <reverse IP>.sc.surbl.org http://www.surbl.org
- added RHSBL sc.surbl.org to 5 RFCI zones (option -a)
- UTF-8 query support added for codepage 437, 850, 1004
removed : dev.null.dk from DNSBLs (zone is now empty)
enabled : whois.denic.de (normal answers still useless)
enabled : whois.tv (.tv), whois.lydomains.com (.ly again)
replaced: whois.nic.pro by disabled whois.registrypro.pro
replaced: whois.nic.kg by disabled whois.domain.kg
replaced: whois.pa by disabled whois.nic.pa
removed : whois.nic.cd whois.nic.mm whois.sonic.net
added : whois.fj (disabled, replaces whois.usp.ac.fj)
added : whois.tdnet.td (a.k.a. www.nic.td, disabled)
added : whois.mynic.net.my (use option #h for help)
added : whois.nic.so (dummy, whois.sonic.net is a fake)
added : whois.nic.la whois.nic.ht whois.ni nic.fm
disabled: whois.nic.cx whois.nic.ht whois.ni nic.fm
disabled: whois.nic.uz, whois.uz, www.reg.uz are dubious
disabled: whois.nic.gov (useless answers, known ignorant)
kept : whois.nic.mil (server doesn't work: 2004-06-06)
checked jwhois 1.100 and whoislist 1.21 (found new .la)

consolidated minor updates 1.4.1 up to 1.4.7, especially:
- added new bogusmx.rfc-ignorant.org zone to option -a
- added <reverse IP>.sbl-xbl.spamhaus.org (incl. trojans)
- option -c as shorthand for -h whois.cyberabuse.org
disabled whois.denic.de (the default options are useless)
option -d (RIPE) does not yet support DENIC's new syntax
option -t for xy.de uses -h whois.denic.de -Tace,dn xy.de

option -j as shorthand for -h whois.nic.ad.jp QUERY /e
added <reverse IP>.cbl.abuseat.org |test with 127.0.0.2 |

consolidated minor updates 1.2.1 up to 1.2.5, especially:
- modified comment for country code .CS (this is no TLD)
- replaced *.relays.osirusoft.com by *.dnsbl.sorbs.net
option -i added: GetHostByAddr(x) resp. GetHostByName(x)
enabled : whois.ainic.ai whois.idnic.net.id
disabled: whois.nic.cd whois.nic.tm whois.nic.pro
removed : whois.io whois.nic.tj

reenabled working whois.amnic.net (.am), whois.nic.sh
reenabled whois.nic.tk, whois.nic.net.sb, whois.gs
disabled whois.usp.ac.fj, whois.nic.tj, whois.cctld.nc
yet no URL for disabled .fj, .mm, .nc, .pw, .tj, and .uz
replaced whois.isnet.is by whois.isnic.is
replaced registry.co.ug by whois.co.ug
replaced whois.domainz.net.nz by whois.srs.net.nz
replaced www.nic.pro by whois.nic.pro
replaced whois.adamsnames.tc by whois.ms, .tc, .tf, .vg
still dubious who handles TLD .tf (adamsnames or FRNIC) ?
added whois.co.za for SLD .co.za (no answer => disabled)
added support for host:port (default whois port is 43)
port example: `rxwhois -h example.com:80 HEAD / HTTP/1.0`
added rwhois.nic.ve:4321 (disabled, does not know itself)
added rwhois.ibl.bm:4321, rwhois.org.za:4321 (.org.za)
gopher://rwhois.example:4321/?query may work in browsers
added handles -AP, -AU, -CKNIC, -CZ, -DK, -LACNIC, -NICIR
not yet supported: handle ???-SA => query PERSON ???-SA
support for handles not automatically tested by option *
option -a without domain (full RFCI whois check) improved more reserved ISO 3166 country codes: FX, WG, WL, WV, YV.

replaced slow relays.visi.com RBL check by list.dsbl.org
kept linux.lisse.na (maybe use whois.na-nic.com.na later)
syntax error if no socket available corrected
trailing blanks in query confused some servers, stripped

option -r removed: RFCI checks integrated into option -a
check <reverse IP>.dnsbl.njabl.org |test with 127.0.0.2 |
kept: whois.nic.ac (.ac) often unavailable, try again...
removed unknown hosts whois.nic.td and whois.lydomains.ly
removed whois.centralnic.net and its ??.com + ??.net SLDs
removed whois.edu.cn and SLD .edu.cn, use TLD .cn server
replaced whois.uz by whois.nic.uz (bad answer, but alive)
added whois.nic.net.sb (disabled), whois.nic.tm
added whois.nic.fr for TLDs .wf and .yt, see also TLD .pm

option -d as shorthand for -h whois.ripe.net -T domain
not yet implemented: CHECK( ) whois.ripe.net "%error:101"
support some well-known NIC handles in procedure ALIAS()
IP OPT => `nslookup q=soa <reverse IP>.in-addr.arpa OPT`
added TLD .local as dummy (used by e.g. Apple Rendezvous)
replaced whois.crsnic.net by whois.pir.org (for TLD .org)
replaced whois.nic.fr (.tf) by whois.adamsnames.tc again
added: whois.au.com (SLD .au.com), registry.co.ug (.ug)
added: whois.ripe.net for TLDs .fo, .gl, .gm, .gr, .mc,
added: whois.ripe.net for TLDs .sk, .sm, .va
not added: whois.ripe.net TLDs .ad, .ba, .cy, .hr, .jo,
not added: whois.ripe.net TLDs .md, .tn, .yu
not added: whois.ausregistry.net.au (.net.au), TLD works
not added: pgebrehiwot.iat.cnr.it (.ng), no route to host
disabled: whois.nic.?? for TLDs .ac, .ad, .ai, .am, .bi,
disabled: whois.nic.?? for TLDs .do, .ge, .gi, .id, .io,
disabled: whois.nic.?? for TLDs .kg, .kn, .kz, .lk, .mm,
disabled: whois.nic.?? for TLDs .mn, .pa, .pe, .ph, .pw,
disabled: whois.nic.?? for TLDs .sh, .td, .tk, .tv, .uz,
disabled: whois.nic.?? for TLDs .vu
disabled: whois.idnic.net.id (doesn't answer any queries)
disabled: whois.adamsnames.tc, whois.gs (YES NO nonsense)
disabled: whois.edu.cn (for SLD .edu.cn, apparently down)
disabled: whois.nic.pw (bogus whois, doesn't know itself)
disabled: www.nic.pro (bogus whois, doesn't know itself)
kept: whois.samoanic.ws (.ws) does not show abuse contact
kept: whois.register.sr (.sr) does not show abuse contact
kept: whois.nic.cd (.cd) often unavailable, try again...
kept: http://www.prdomain.pr/domain/whois.asp (erroneous)
not yet implemented: whois.nic.at for ENUM .3.4.e164.arpa

simplified RBL-lookup with procedure GHOST, removed BLOCK
checked many ISO 3166-1 codes (interesting: TL, EH, KP)
added whois.nic.dk again (.dk), whois.lydomains.ly (.ly)
added whois.uaenic.ae (.ae), whois.register.sr (.sr)
added linux.lisse.na (.na), www.rau.edu.uy (.uy)
added whois.centralnic.net SLDs (many ??.com and ??.net),
added whois.ja.net SLDs (ac.uk, gov.uk), added SLD edu.cn
unsupported: rwhois.ibl.bm:4321, rwhois.reacciun.ve:4321
not used: whois.nplus.gf (.gf), whois.uk.co (SLD .uk.co)
replaced whois.frd.ac.za (.za) by whois.ac.za (.ac.za)

added SLD support for .e164.arpa (used for phone numbers)
check <reverse IP>.opm.blitzed.org using 127.1.0.? (1..7)

added info based on <URL:http://www.norid.no/domreg.html>
option -r to check abuse.rfc-ignorant.org (etc.) entries

check <reverse IP>.relays.visi.com |test with 127.0.0.2 |
check <reverse IP>.relays.ordb.org |test with 127.0.0.2 |
option -n as shorthand for -h whois.networksolutions.com
added www.nic.pro, whois.nic.us, and http://www.nic.tk

check <reverse IP>.bl.spamcop.net |test with 127.0.0.2 |
check <reverse IP>.relays.osirusoft.com
check <reverse IP>.ipwhois.rfc-ignorant.org
check <reverse IP>.dev.null.dk

option -a as shorthand for -h whois.abuse.net
option -t as shorthand for -h whois.thur.de