How to use command line whois for "spam infected" domains like apple.com?

In short: is there any way to get the full whois-details for domains like apple.com, using the command line on Max OS X?

Running whois on the command line for, for example, apple.com is like searching for all domains that include that phrase. So, thanks to whois-spam, this gets one the following on a Mac or on FreeBSD:

$ whois apple.com

Whois Server Version 2.0
[..]
APPLE.COM.WWW.BEYONDWHOIS.COM
APPLE.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
APPLE.COM.IS.OWN3D.BY.NAKEDJER.COM
APPLE.COM.IS.0WN3D.BY.GULLI.COM
APPLE.COM.BEYONDWHOIS.COM
APPLE.COM.AT.WWW.BEYONDWHOIS.COM
APPLE.COM

To single out one record, look it up with "xxx", where xxx is one of the
of the records displayed above. If the records are the same, look them up
with "=xxx" to receive a full display for each record.

To get some extra info for all these domains, I can run the command for =apple.com, like:

$ whois =apple.com

Whois Server Version 2.0
[..]
   Server Name: APPLE.COM.WWW.BEYONDWHOIS.COM
   IP Address: 203.36.226.2
   Registrar: TUCOWS INC.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net
[..]
   Domain Name: APPLE.COM
   Registrar: MARKMONITOR INC.
   Whois Server: whois.markmonitor.com
   Referral URL: http://www.markmonitor.com
   Name Server: NSERVER.APPLE.COM
   Name Server: NSERVER.ASIA.APPLE.COM
   [..]
   Updated Date: 21-jan-2009
   Creation Date: 19-feb-1987
   Expiration Date: 20-feb-2011

Still, this does not give me the full record, like the one including the contact information:

$ whois -h whois.markmonitor.com apple.com
[..]
    Administrative Contact:
        Apple Inc.
        Apple Inc.
        1 Infinite Loop
         Cupertino CA 95014
        US
[..] 

(On Redhat Linux, jwhois shows only apple.com but without the contact information; on Debian whois version 4.7.20 yields summaries of all domains like above, and additional detailed info for the exact matched domain, apparently by doing an additional query at whois.markmonitor.com for that exact match.)

I even tried to telnet directly, but cannot come up with anything I cannot do using the whois-command, so I guess that is useless:

$ telnet com.whois-servers.net 43
Trying 199.7.55.74...
Connected to whois.verisign-grs.com.
Escape character is '^]'.

apple.com
[..]

So: is there any easier way to get the full details for such domain (for only the exact matched domain), using the command line?

(Thinking that command line whois would soon be banned in favour of captcha-enabled web interfaces, this never bothered me a lot. But still, I'm curious...)


The whois command looks for the string "Whois Server:" in the output and, if found, will issue the same query again to that server. This is what you want, except it only works for the first match. You can use a command like whois "domain apple.com" to get just one match from the default server, but markmonitor (used by apple.com) does not accept that syntax. It would work if you could send "domain apple.com" to the default server, and then apple.com to the second server, like this:

function mywhois {
  whois -h `whois "domain $@" | sed '/^.*Whois Server:/!d;s///'` "$@"
}

However this is specific to these whois servers so will not necessarily work for domains on other whois servers. A robust implementation would probably need to have knowledge of specific query and output formats used by a variety of whois server implementations.


It seems that (at least in September 2009) the following uses GeekTools Whois Proxy, which is quite smart in figuring out which whois-server to use. This also works for other TLDs than com, net and org:

whois -h whois-servers.net apple.com

Or, according to a very old hint at macosxhints.com:

whois -h geektools.com apple.com

I found this by accident: wondering how @mark4o knew about the domain command for the answer above, I eventually found that running whois help gives me the output of some whois-server. As I did not specify any TLD, I then wondered which one replied. I tried telnet whois-servers.net 43, so basically using the bare domain as mentioned in the manual pages:

-h host

     Use the specified host instead of the default variant.  Either a host
     name or an IP address may be specified.

     By default whois constructs the name of a whois server to use from the
     top-level domain (TLD) of the supplied (single) argument, and appending
     ".whois-servers.net".  This effectively allows a suitable whois server
     to be selected automatically for a large number of TLDs.

And here GeekTools Whois Proxy announced itself:

$ telnet whois-servers.net 43
Trying 206.117.161.86...
Connected to whois-servers.net.
Escape character is '^]'.
GeekTools Whois Proxy v5.0.4 Ready.
Checking access for 82.95.xx.xx... ok.

apple.com

Checking server [whois.crsnic.net]

Checking server [whois.markmonitor.com]
Results:
[..]

(In fact, geektools.com is currently 206.117.161.84, so is a different IP than whois-servers.net.)