
whois Command in Linux: Query Domain Registration Info

When you need to know who owns a domain, when it expires, which registrar handles it, or which organization holds a particular IP block, the whois command is the fastest route. It queries the registry databases that record this information and returns a plain-text response you can scan in a terminal. The output format varies by registry, but the questions you can answer are consistent: registrar, name servers, registration and expiry dates, and contact info (where privacy rules allow).

This guide explains how to use whois in Linux to look up domains, IP addresses, and AS numbers, how to target a specific server, and how to parse the output for the fields you actually care about.

whois Syntax

The general form is:

txt
whois [OPTIONS] OBJECT

OBJECT is the domain, IP address, or AS number you want information about. With no options, whois picks the right registry automatically based on the type of query.

Install whois

whois is not always installed by default. On Ubuntu, Debian, and derivatives:

Terminal
sudo apt update
sudo apt install whois

On Fedora, RHEL, and derivatives:

Terminal
sudo dnf install whois

Confirm it is in place:

Terminal
whois --version
output
Version 5.6.6.

The Debian-family whois is an actively maintained client with built-in routing logic that knows which registry to ask for each TLD.

Look Up a Domain

The most common use is checking a domain:

Terminal
whois example.com
output
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://res-dom.iana.org
Updated Date: 2026-01-16T18:26:50Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2026-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority
Registrar IANA ID: 376
Name Server: ELLIOTT.NS.CLOUDFLARE.COM
Name Server: HERA.NS.CLOUDFLARE.COM
DNSSEC: signedDelegation
...

The fields that matter most for everyday questions are:

  • Registrar, the company managing the registration.
  • Creation Date and Registry Expiry Date, which tell you how old the domain is and when it needs renewing.
  • Name Server, which lists the DNS servers authoritative for the domain.
  • DNSSEC, which shows whether the domain is cryptographically signed.

For ccTLDs (.de, .uk, .jp), the format differs because each country runs its own registry. The information is similar; the field names and order change.

Look Up an IP Address

whois on an IP returns the network allocation, not the domain:

Terminal
whois 93.184.216.34
output
inetnum: 93.184.216.0 - 93.184.216.255
netname: EDGECAST-NETBLK-03
descr: NETBLK-03-EU-93-184-216-0-24
country: EU
admin-c: DS7892-RIPE
tech-c: DS7892-RIPE
status: ASSIGNED PA
...

This kind of query is the right tool for “who owns this IP that has been hitting my server” investigations. The output names the network block, maintainer, and abuse contact details when the registry publishes them.

Look Up an AS Number

Pass an autonomous system number with the AS prefix:

Terminal
whois AS15169
output
ASNumber: 15169
ASName: GOOGLE
ASHandle: AS15169
RegDate: 2000-03-30
Updated: 2012-02-24
Ref: https://rdap.arin.net/registry/autnum/15169

AS lookups are useful when you trace a route with mtr or traceroute and want to know which network each hop belongs to.

Pick a Specific WHOIS Server

The default routing finds the right server for most TLDs, but you can force a query against a specific server with -h:

Terminal
whois -h whois.arin.net 8.8.8.8

The flag is the right tool for two situations: when the default routing picks the wrong upstream (rare but happens for some legacy TLDs), and when you want to compare answers between regional registries (ARIN, RIPE, APNIC, AFRINIC, LACNIC).

Limit the Recursion

Most modern whois clients follow a referral chain: query IANA, follow the pointer to the TLD registry, follow the pointer to the registrar, and return the most specific answer. To stop registry-to-registrar recursion, pass --no-recursion:

Terminal
whois --no-recursion example.com

The flag is most useful when you specifically want the registry data and not the registrar’s slightly different format.

The -H option has a different purpose. It hides legal disclaimers from the output, which can make short lookups easier to read:

Terminal
whois -H example.com

Filter the Output

Real whois responses are dozens of lines long with legal disclaimers and template text. To extract one field, pipe through grep:

Terminal
whois example.com | grep -E "Registrar:|Expiry Date:"
output
Registry Expiry Date: 2026-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority

For a name-server list:

Terminal
whois example.com | awk '/Name Server:/ {print $NF}'
output
ELLIOTT.NS.CLOUDFLARE.COM
HERA.NS.CLOUDFLARE.COM

These short patterns work for monitoring scripts that watch for domain expirations or DNSSEC status changes.

Check Domain Availability

If the domain is not registered, the response says so explicitly. The exact wording depends on the registry:

Terminal
whois never-existed-domain-xyzzy.com
output
No match for domain "NEVER-EXISTED-DOMAIN-XYZZY.COM".

Some registries (notably .io, .co, and several ccTLDs) return an empty or near-empty response for unregistered domains. Two heuristics that work in scripts:

  • For .com/.net/.org, grep for "No match for" or "Domain Name:" in the output.
  • For ccTLDs, grep for "Domain not found" or check whether the registration fields exist.
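The two heuristics above, combined with the expiry monitoring mentioned under Filter the Output, as an added example (not part of the original guide). The function names and sample responses are constructed here. It assumes ISO-style expiry dates and treats any response that matches neither marker as inconclusive, because a blocked query also leaves stdout empty.

```shell
# Days since 1970-01-01 for a Gregorian date given as Y M D. Integer
# arithmetic only, so the result does not depend on GNU or BSD date.
days_from_civil() {
  y=$1; m=${2#0}; d=${3#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (m + 9) % 12 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# Earliest ISO expiry date in whois text on stdin. A recursive lookup can
# carry a registry date and a registrar date; alert on the sooner one.
whois_expiry_date() {
  sed -nE 's/.*[Ee]xpir(y|ation) [Dd]ate:[[:space:]]*([0-9]{4}-[0-9]{2}-[0-9]{2}).*/\2/p' |
    sort | head -n 1
}

# Reads whois text on stdin; $1 is today as YYYY-MM-DD (default: UTC today).
# Prints "available", "registered <days-left>", "registered ?" (no ISO
# expiry field found) or "unknown".
whois_report() {
  today=${1:-$(date -u +%Y-%m-%d)}
  resp=$(cat)
  if printf '%s\n' "$resp" | grep -qE '^[[:space:]]*(No match for|Domain not found)'; then
    echo available
  elif printf '%s\n' "$resp" | grep -qE '^[[:space:]]*Domain Name:'; then
    exp=$(printf '%s\n' "$resp" | whois_expiry_date)
    if [ -z "$exp" ]; then echo "registered ?"; return 0; fi
    e=$(days_from_civil $(echo "$exp" | tr '-' ' '))
    t=$(days_from_civil $(echo "$today" | tr '-' ' '))
    echo "registered $((e - t))"
  else
    echo unknown   # assumption: empty or unfamiliar output is inconclusive
  fi
}

# Constructed samples modelled on the outputs shown in this guide.
REGISTERED='   Domain Name: EXAMPLE.COM
   Updated Date: 2026-01-16T18:26:50Z
   Registry Expiry Date: 2026-08-13T04:00:00Z
   Registrar: RESERVED-Internet Assigned Numbers Authority'
NOMATCH='No match for domain "NEVER-EXISTED-DOMAIN-XYZZY.COM".'
EMPTY=''   # nothing on stdout, as when the connection fails

printf '%s\n' "$REGISTERED" | whois_report 2026-07-14
printf '%s\n' "$NOMATCH"    | whois_report 2026-07-14
printf '%s\n' "$EMPTY"      | whois_report 2026-07-14
```

In live use, pipe `whois "$domain"` into `whois_report` and alert when the day count drops below your renewal threshold or the status changes between runs.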

Rate Limits and Etiquette

Registries rate-limit whois queries. Hammering them with a script is the fastest way to get blocked. If you query many domains, add a sleep between calls and cache the result locally. For bulk lookups, use the registry’s RDAP service directly or pay for a commercial WHOIS API.

A simple polite pattern:

Terminal
while IFS= read -r domain; do
 whois "$domain"
 sleep 2
done < domains.txt

Two seconds between queries is a sane starting point; raise it if you see throttling responses.

Privacy and Redacted Output

Since GDPR took effect, most TLDs redact personal contact information for individual registrants. The response usually contains placeholders like REDACTED FOR PRIVACY or Data Protected, Not Disclosed. For organizations and legal entities, the contact information often stays visible.

This is not a defect in whois; the underlying registry data is simply less detailed than it used to be. For account-takeover prevention and abuse handling, focus on the registrar field and the abuse contact email, which remain published.

Quick Reference

Task                                  Command
Look up a domain                      whois example.com
Look up an IP address                 whois 93.184.216.34
Look up an AS number                  whois AS15169
Query a specific server               whois -h whois.arin.net 8.8.8.8
Stop registry-to-registrar recursion  whois --no-recursion example.com
Hide legal disclaimers                whois -H example.com
Extract registrar and expiry fields   whois example.com | grep -E "Registrar:|Expiry Date:"
List name servers                     whois example.com | awk '/Name Server:/ {print $NF}'

Troubleshooting

whois: command not found
Install the package: sudo apt install whois on Ubuntu, Debian, and derivatives, or sudo dnf install whois on Fedora, RHEL, and derivatives. The package is small and adds no significant dependencies.

Output says “fgets: Connection reset by peer”
The registry rate-limited or blocked your IP. Wait a few minutes and retry, slow your script down, or query through a different network.

Response is in a different language or alphabet
Some ccTLD registries return data in the local language. Look for the English section (usually further down), or pipe through iconv if the encoding makes the response unreadable in your terminal.

FAQ

What is the difference between WHOIS and RDAP?
RDAP (Registration Data Access Protocol) is the modern replacement for WHOIS. It returns structured JSON instead of free-text and supports authentication and access controls. Most registries now serve both, and RDAP is usually the better choice for scripts that need predictable fields.

Why does the data for the same domain look different between two whois runs?
Different clients and servers can follow the referral chain differently. One response may come from the registry, while another may include data from the registrar’s WHOIS server. Use --no-recursion when you want to stop at the registry answer.

Can I run my own WHOIS server?
Yes, but only registrars and registries have authoritative data. Self-hosted WHOIS servers are useful for internal directories (IP allocation in a large network), not for public domain lookups.

Conclusion

whois is the answer to “who owns this”, whether the “this” is a domain, an IP, or an AS number. The output is plain text, the flags are short, and a handful of grep/awk patterns turn it into a script-friendly data source. For bulk work, slow the queries down and respect the rate limits the registries publish.

For related reading, see our guides on the dig command and the nslookup command.

nslookup Command in Linux: Query DNS Records

When a website does not load or email stops arriving, the first thing to check is whether the domain resolves to the correct address. The nslookup command is a quick way to query DNS servers and inspect the records behind a domain name.

nslookup ships with most Linux distributions and works on macOS and Windows as well. It supports both one-off queries from the command line and an interactive mode for running multiple lookups in a row.

This guide explains how to use nslookup with practical examples covering record types, reverse lookups, and troubleshooting.

Syntax

txt
nslookup [OPTIONS] [NAME] [SERVER]

  • NAME — The domain name or IP address to look up.
  • SERVER — The DNS server to query. If omitted, nslookup uses the server configured in /etc/resolv.conf.
  • OPTIONS — Query options such as -type=MX or -debug.

When called without arguments, nslookup starts in interactive mode.

Installing nslookup

On most distributions nslookup is already installed. To check, run:

Terminal
nslookup -version

If the command is not found, install it using your distribution’s package manager.

Install nslookup on Ubuntu, Debian, and Derivatives

Terminal
sudo apt update && sudo apt install dnsutils

Install nslookup on Fedora, RHEL, and Derivatives

Terminal
sudo dnf install bind-utils

Install nslookup on Arch Linux

Terminal
sudo pacman -S bind

The nslookup command is bundled with the same packages that provide dig.

Look Up a Domain Name

The simplest use is passing a domain name as an argument:

Terminal
nslookup linux.org
output
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: linux.org
Address: 104.26.14.72
Name: linux.org
Address: 104.26.15.72
Name: linux.org
Address: 172.67.73.26

The first two lines show the DNS server that answered the query. Everything under “Non-authoritative answer” is the actual result. In this case, linux.org resolves to three IPv4 addresses.

“Non-authoritative” means the answer came from a resolver’s cache rather than directly from the domain’s authoritative name server.

Query a Specific DNS Server

By default, nslookup queries the resolver configured in /etc/resolv.conf. To query a different server, add it as the last argument.

For example, to query Google’s public DNS:

Terminal
nslookup linux.org 8.8.8.8
output
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: linux.org
Address: 104.26.14.72
Name: linux.org
Address: 104.26.15.72
Name: linux.org
Address: 172.67.73.26

This is useful when you want to compare results across different resolvers or verify whether a DNS change has propagated to public servers.
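One way to script that comparison, as an added example (not part of the original guide). The function names and the sample outputs are constructed here; the parsing relies on the resolver header line carrying a #port suffix, as in the output above.

```shell
# Sorted, de-duplicated answer addresses from nslookup output on stdin.
# The resolver's own header line ("Address: 8.8.8.8#53") carries a #port
# suffix; answer lines never do, so that is what separates the two.
nslookup_answers() {
  awk '$1 == "Address:" && $2 !~ /#/ { print $2 }' | sort -u
}

# Return 0 only when both outputs hold the same non-empty answer set.
# Two empty sets (NXDOMAIN, timeout) are inconclusive, not a match.
answers_match() {
  a=$(printf '%s\n' "$1" | nslookup_answers)
  b=$(printf '%s\n' "$2" | nslookup_answers)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live use (needs network): compare each resolver with the first one, e.g.
#   check_propagation example.com 8.8.8.8 1.1.1.1 9.9.9.9
check_propagation() {
  name=$1; first=$2; shift 2
  ref=$(nslookup "$name" "$first" 2>/dev/null) || true
  for r in "$@"; do
    out=$(nslookup "$name" "$r" 2>/dev/null) || true
    if answers_match "$ref" "$out"; then
      echo "$r agrees with $first"
    else
      echo "$r differs from $first, or one of them gave no answer"
    fi
  done
}

# Constructed samples modelled on the output above. OUT_B holds the same
# records in another order; OUT_STALE has one old address (192.0.2.10 is a
# documentation address, invented for this example).
OUT_A='Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: linux.org
Address: 104.26.14.72
Name: linux.org
Address: 104.26.15.72
Name: linux.org
Address: 172.67.73.26'
OUT_B='Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: linux.org
Address: 172.67.73.26
Name: linux.org
Address: 104.26.15.72
Name: linux.org
Address: 104.26.14.72'
OUT_STALE='Server: 9.9.9.9
Address: 9.9.9.9#53
Non-authoritative answer:
Name: linux.org
Address: 192.0.2.10'

if answers_match "$OUT_A" "$OUT_B"; then echo "A and B agree"; fi
if ! answers_match "$OUT_A" "$OUT_STALE"; then echo "A and STALE differ"; fi
```

A differing set is a prompt to look closer rather than proof of a stale cache: load-balanced or geo-aware DNS can legitimately hand different resolvers different addresses.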

Query Record Types

By default, nslookup returns A (IPv4 address) records. Use the -type option to query other record types.

MX Records (Mail Servers)

MX records identify the mail servers responsible for receiving email for a domain:

Terminal
nslookup -type=mx google.com
output
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
google.com mail exchanger = 10 smtp.google.com.

The number before the mail server hostname is the priority. A lower number means higher priority.

NS Records (Name Servers)

NS records show which name servers are authoritative for a domain:

Terminal
nslookup -type=ns google.com
output
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
google.com nameserver = ns1.google.com.
google.com nameserver = ns2.google.com.
google.com nameserver = ns3.google.com.
google.com nameserver = ns4.google.com.

TXT Records

TXT records store arbitrary text data, commonly used for SPF, DKIM, and domain ownership verification:

Terminal
nslookup -type=txt google.com
output
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
google.com text = "v=spf1 include:_spf.google.com ~all"
google.com text = "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
google.com text = "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"

The output may include many entries. The example above shows a subset of the TXT records returned for google.com.

AAAA Records (IPv6)

AAAA records return the IPv6 address of a domain:

Terminal
nslookup -type=aaaa google.com
output
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: google.com
Address: 2a00:1450:4017:818::200e

SOA Record (Start of Authority)

The SOA record contains administrative information about the domain, including the primary name server, the responsible email address, and timing parameters for zone transfers:

Terminal
nslookup -type=soa google.com
output
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
google.com
origin = ns1.google.com
mail addr = dns-admin.google.com
serial = 897592583
refresh = 900
retry = 900
expire = 1800
minimum = 60

The serial number increments each time the zone is updated. DNS secondaries use it to decide whether they need a zone transfer.

CNAME Records

CNAME records point one domain name to another:

Terminal
nslookup -type=cname www.github.com

If a CNAME record exists, the output shows the canonical name the alias points to. If the domain does not have a CNAME record, nslookup returns No answer.

Run an ANY Query

To ask the DNS server for an ANY response, use -type=any:

Terminal
nslookup -type=any google.com

ANY queries do not reliably return every record type for a domain. Many DNS servers return only a subset of records or refuse the query entirely.

Reverse DNS Lookup

A reverse lookup finds the hostname associated with an IP address. Pass an IP address instead of a domain name:

Terminal
nslookup 208.118.235.148
output
148.235.118.208.in-addr.arpa name = ip-208-118-235-148.twdx.net.

Reverse lookups query PTR records. They are useful for verifying that an IP address maps back to the expected hostname, which matters for mail server configuration and security checks.

Interactive Mode

Running nslookup without arguments starts an interactive session where you can run multiple queries without retyping the command:

Terminal
nslookup
output
>

At the > prompt, type a domain name to look it up:

output
> linux.org
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: linux.org
Address: 104.26.14.72
Name: linux.org
Address: 104.26.15.72

You can change query settings during the session with the set command. For example, to switch to MX record lookups and then query a domain:

output
> set type=mx
> google.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
google.com mail exchanger = 10 smtp.google.com.

To change the DNS server:

output
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53

Type exit to leave interactive mode.

Interactive mode is convenient when you need to test several domains or record types in a row without running separate commands each time.

Debugging DNS Issues

The -debug option shows the full query and response details, including TTL values and additional sections that nslookup normally hides:

Terminal
nslookup -debug linux.org

The debug output is verbose, but it is helpful when you need to see TTL values, check whether answers are authoritative, or trace unexpected behavior.

nslookup vs dig

Both nslookup and dig query DNS servers, but they differ in output and capabilities:

  • nslookup produces simpler, more readable output. It also has an interactive mode that is convenient for quick checks.
  • dig provides detailed, structured output with sections (QUESTION, ANSWER, AUTHORITY, ADDITIONAL) and supports advanced options like +trace for tracing the full resolution path and +dnssec for verifying DNSSEC signatures.

For quick lookups and basic troubleshooting, nslookup is often faster to type and read. For in-depth DNS debugging, dig gives you more control and detail.

Troubleshooting

nslookup returns NXDOMAIN
The domain does not exist or is misspelled. Verify the domain name and check that it is registered.

nslookup returns SERVFAIL
The DNS server could not process the query. Try a different resolver to isolate the problem:

Terminal
nslookup linux.org 1.1.1.1

If public resolvers return the correct answer, the issue is with your configured resolver.

Connection timed out; no servers could be reached
This means nslookup could not contact the DNS server. Check your network connection and verify that /etc/resolv.conf contains a reachable name server. A firewall may also be blocking outbound DNS traffic on port 53.

Non-authoritative answer appears on every query
This is normal. It means the answer came from a resolver’s cache, not directly from the domain’s authoritative server. The result is still valid.

Quick Reference

For a printable quick reference, see the nslookup cheatsheet.

Task                          Command
Look up a domain              nslookup example.com
Query a specific DNS server   nslookup example.com 8.8.8.8
Query MX records              nslookup -type=mx example.com
Query NS records              nslookup -type=ns example.com
Query TXT records             nslookup -type=txt example.com
Query AAAA (IPv6) records     nslookup -type=aaaa example.com
Query SOA record              nslookup -type=soa example.com
Query CNAME record            nslookup -type=cname example.com
Run an ANY query              nslookup -type=any example.com
Reverse DNS lookup            nslookup 192.0.2.1
Start interactive mode        nslookup
Enable debug output           nslookup -debug example.com

FAQ

Can I use nslookup to check DNS propagation?
Yes. Query the same domain against several public DNS servers and compare the results. For example, run nslookup example.com 8.8.8.8, nslookup example.com 1.1.1.1, and nslookup example.com 9.9.9.9. If the answers differ, the change has not fully propagated.

Is nslookup deprecated?
The ISC (the organization behind BIND) once marked nslookup as deprecated in favor of dig, but later reversed that decision. nslookup is actively maintained and included in current BIND releases. It remains a practical tool for quick DNS lookups.

What does “Non-authoritative answer” mean?
It means the response came from a caching resolver, not from one of the domain’s authoritative name servers. The data is still accurate, but it may be slightly behind if a DNS change was made very recently and the cache has not expired yet.

Conclusion

The nslookup command is a quick way to query DNS records from the command line. Use -type to look up MX, NS, TXT, AAAA, and other record types, and pass a server argument to test against a specific resolver. For deeper DNS debugging, pair it with dig.
