Why WHOIS

When a cybersecurity expert performs threat intel work, he or she needs to cross-check information from different sources to obtain the most detailed picture possible of the scenario under investigation. One of the fundamental tools for this is the WHOIS service offered by the Regional Internet Registries (RIRs). The term “WHOIS” refers to protocols, services, and data types associated with Internet naming and numbering resources beyond domain names, such as Internet Protocol (IP) addresses and Autonomous System Numbers (ASNs). The service includes clients, servers, data stores, and data (domain name registration records). Internet operators use WHOIS to identify individuals or entities responsible for the operation of a network resource on the Internet. Over time, it has evolved to serve the needs of many different stakeholders, such as domain name registrants, law enforcement agents, intellectual property and trademark owners, businesses and individuals.

WHOIS IP Lookup API endpoint

From now on, a developer who wants to know in detail the information held about an IP address in the WHOIS database can get it through a new endpoint in our API called Lookup WHOIS IP address. It queries the appropriate Regional Internet Registry and returns the result in JSON format so that client applications can process it. If the information for that IP address is cached, the response time will be a few milliseconds, but if it is not cached or has expired, the response time may increase to just over 1 second. This is the main reason why no bulk request endpoint has been implemented, as exists for other services.

WHOIS IP Lookup example

As usual, we keep our API design pattern simple and straightforward. To get the information for an IP address from the WHOIS IP Lookup service, just append the IP address to the request path. Let’s use the curl command for the examples:

Request:

 
$ curl -i -H "X-Auth-Token: UUID" -X GET "https://api.apility.net/whois/ip/8.8.8.8"

Response (the whois object):

{
    "whois": {
        "asn_country_code": "US",
        "objects": {
            "ABUSE5250-ARIN": {
                "handle": "ABUSE5250-ARIN",
                "events": [
                    {
                        "action": "last changed",
                        "actor": null,
                        "timestamp": "2017-12-04T10:49:20-05:00"
                    },
                    {
                        "action": "registration",
                        "actor": null,
                        "timestamp": "2015-11-06T15:36:35-05:00"
                    }
                ],
                "roles": [
                    "abuse"
                ],
                "status": [
                    "validated"
                ],
                "contact": {
                    "email": [
                        {
                            "type": null,
                            "value": "network-abuse@google.com"
                        }
                    ],
                    "phone": [
                        {
                            "type": [
                                "work",
                                "voice"
                            ],
                            "value": "+1-650-253-0000"
                        }
                    ],
                    "role": null,
                    "name": "Abuse",
                    "address": [
                        {
                            "type": null,
                            "value": "1600 Amphitheatre Parkway\nMountain View\nCA\n94043\nUnited States"
                        }
                    ],
                    "title": null,
                    "kind": "group"
                },
                "remarks": [
                    {
                        "links": null,
                        "title": "Registration Comments",
                        "description": "Please note that the recommended way to file abuse complaints are located in the following links.\r\n\r\nTo report abuse and illegal activity: https://www.google.com/intl/en_US/goodtoknow/online-safety/reporting-abuse/ \r\n\r\nFor legal requests: http://support.google.com/legal \r\n\r\nRegards,\r\nThe Google Team"
                    }
                ],
                "links": [
                    "https://rdap.arin.net/registry/entity/ABUSE5250-ARIN",
                    "https://whois.arin.net/rest/poc/ABUSE5250-ARIN"
                ],
                "events_actor": null,
                "notices": [
                    {
                        "links": [
                            "https://www.arin.net/whois_tou.html"
                        ],
                        "title": "Terms of Service",
                        "description": "By using the ARIN RDAP/Whois service, you are agreeing to the RDAP/Whois Terms of Use"
                    }
                ],
                "raw": null,
                "entities": null
            },
            "GOGL": {
                "handle": "GOGL",
                "events": [
                    {
                        "action": "last changed",
                        "actor": null,
                        "timestamp": "2017-12-21T13:24:44-05:00"
                    },
                    {
                        "action": "registration",
                        "actor": null,
                        "timestamp": "2000-03-30T00:00:00-05:00"
                    }
                ],
                "roles": [
                    "registrant"
                ],
                "status": null,
                "contact": {
                    "email": null,
                    "phone": null,
                    "role": null,
                    "name": "Google LLC",
                    "address": [
                        {
                            "type": null,
                            "value": "1600 Amphitheatre Parkway\nMountain View\nCA\n94043\nUnited States"
                        }
                    ],
                    "title": null,
                    "kind": "org"
                },
                "remarks": null,
                "links": [
                    "https://rdap.arin.net/registry/entity/GOGL",
                    "https://whois.arin.net/rest/org/GOGL"
                ],
                "events_actor": null,
                "notices": null,
                "raw": null,
                "entities": [
                    "ABUSE5250-ARIN",
                    "ZG39-ARIN"
                ]
            },
            "ZG39-ARIN": {
                "handle": "ZG39-ARIN",
                "events": [
                    {
                        "action": "last changed",
                        "actor": null,
                        "timestamp": "2017-10-17T06:35:04-04:00"
                    },
                    {
                        "action": "registration",
                        "actor": null,
                        "timestamp": "2000-11-30T13:54:08-05:00"
                    }
                ],
                "roles": [
                    "administrative",
                    "technical"
                ],
                "status": [
                    "validated"
                ],
                "contact": {
                    "email": [
                        {
                            "type": null,
                            "value": "arin-contact@google.com"
                        }
                    ],
                    "phone": [
                        {
                            "type": [
                                "work",
                                "voice"
                            ],
                            "value": "+1-650-253-0000"
                        }
                    ],
                    "role": null,
                    "name": "Google LLC",
                    "address": [
                        {
                            "type": null,
                            "value": "1600 Amphitheatre Parkway\nMountain View\nCA\n94043\nUnited States"
                        }
                    ],
                    "title": null,
                    "kind": "group"
                },
                "remarks": null,
                "links": [
                    "https://rdap.arin.net/registry/entity/ZG39-ARIN",
                    "https://whois.arin.net/rest/poc/ZG39-ARIN"
                ],
                "events_actor": null,
                "notices": [
                    {
                        "links": [
                            "https://www.arin.net/whois_tou.html"
                        ],
                        "title": "Terms of Service",
                        "description": "By using the ARIN RDAP/Whois service, you are agreeing to the RDAP/Whois Terms of Use"
                    }
                ],
                "raw": null,
                "entities": null
            }
        },
        "asn_cidr": "8.8.8.0/24",
        "nir": null,
        "entities": [
            "GOGL"
        ],
        "network": {
            "handle": "NET-8-8-8-0-1",
            "status": null,
            "type": null,
            "start_address": "8.8.8.0",
            "end_address": "8.8.8.255",
            "remarks": null,
            "events": [
                {
                    "action": "last changed",
                    "actor": null,
                    "timestamp": "2014-03-14T15:52:05-04:00"
                },
                {
                    "action": "registration",
                    "actor": null,
                    "timestamp": "2014-03-14T15:52:05-04:00"
                }
            ],
            "parent_handle": "NET-8-0-0-0-1",
            "cidr": "8.8.8.0/24",
            "country": null,
            "raw": null,
            "name": "LVLT-GOGL-8-8-8",
            "notices": [
                {
                    "links": [
                        "https://www.arin.net/whois_tou.html"
                    ],
                    "title": "Terms of Service",
                    "description": "By using the ARIN RDAP/Whois service, you are agreeing to the RDAP/Whois Terms of Use"
                }
            ],
            "ip_version": "v4",
            "links": [
                "https://rdap.arin.net/registry/ip/8.8.8.0",
                "https://whois.arin.net/rest/net/NET-8-8-8-0-1",
                "https://rdap.arin.net/registry/ip/8.0.0.0/8"
            ]
        },
        "asn_description": "GOOGLE - Google LLC, US",
        "asn_date": "1992-12-01",
        "query": "8.8.8.8",
        "raw": null,
        "asn_registry": "arin",
        "asn": "15169"
    }
}

The response object is a nested structure of dictionaries that carries the IP address information described in the WHOIS record. Developers then have to read this object and extract the information they need from the different objects it contains.
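One way to read this structure, as an added example that is not part of the Apility API or its client code: it follows the entity handles from the top-level `entities` list through `objects`, tolerates the `null` fields seen in the response, and checks that the queried address lies inside the reported network. The function names are hypothetical and `SAMPLE` is trimmed from the response above.

```python
import ipaddress

# Trimmed from the response above: only the fields this example reads.
SAMPLE = {"whois": {
    "query": "8.8.8.8", "asn": "15169", "asn_cidr": "8.8.8.0/24",
    "entities": ["GOGL"], "network": {"cidr": "8.8.8.0/24", "name": "LVLT-GOGL-8-8-8"},
    "objects": {
        "GOGL": {"roles": ["registrant"], "entities": ["ABUSE5250-ARIN", "ZG39-ARIN"],
                 "contact": {"name": "Google LLC", "email": None}},
        "ABUSE5250-ARIN": {"roles": ["abuse"], "entities": None, "contact": {
            "name": "Abuse", "email": [{"type": None, "value": "network-abuse@google.com"}]}},
        "ZG39-ARIN": {"roles": ["administrative", "technical"], "entities": None, "contact": {
            "name": "Google LLC", "email": [{"type": None, "value": "arin-contact@google.com"}]}},
    }}}


def contacts_by_role(whois):
    """Walk entity handles from the top level down and map role -> e-mail list."""
    objects = whois.get("objects") or {}
    pending = list(whois.get("entities") or [])
    seen, result = set(), {}
    while pending:
        handle = pending.pop(0)
        if handle in seen or handle not in objects:
            continue  # skip cycles and handles that have no object in the response
        seen.add(handle)
        obj = objects[handle]
        pending.extend(obj.get("entities") or [])  # nested handles, may be null
        contact = obj.get("contact") or {}
        emails = [e["value"] for e in (contact.get("email") or []) if e.get("value")]
        for role in obj.get("roles") or []:
            result.setdefault(role, []).extend(emails)
    return result


def summarize(response):
    """Return the fields an abuse-report or enrichment workflow usually needs."""
    whois = response["whois"]
    cidr = (whois.get("network") or {}).get("cidr") or whois.get("asn_cidr")
    # Assumption: treat the value as a comma-separated list in case several prefixes appear.
    nets = [ipaddress.ip_network(c.strip()) for c in (cidr or "").split(",") if c.strip()]
    in_range = any(ipaddress.ip_address(whois["query"]) in n for n in nets)
    return {"asn": whois.get("asn"), "cidr": cidr, "in_range": in_range,
            "abuse": contacts_by_role(whois).get("abuse", [])}
```
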

 

The dashboard

The IP address detailed information has been expanded to include all objects in an easily readable format:

[Image: Apility IP Details WHOIS]

The search engine

On the IP address results page of the search engine, you can now also browse the information in full detail:

[Image: Apility Search Engine WHOIS IP]

Conclusions

You can try this service without registering on the platform and obtaining an API key. You are allowed to use it even with an anonymous account, so all you have to do to start using the service is register now!