Provide CIDR block from whois? #40

Closed
datamattsson opened this issue Nov 17, 2017 · 6 comments
@datamattsson

Thank you for this excellent service! What about adding whois info to the discovered IP address? The use case is to create AWS security groups dynamically based on where you're at. The CIDR field is what's needed ultimately.

@mpolden
Owner

mpolden commented Nov 23, 2017

Sure. Are there any freely available whois databases? Feel free to make a pull request.

@swtch1

swtch1 commented Dec 22, 2017

Hi, I'd like to help but I'm a bit confused by the question. A whois query gives contact and registrar information, status, dates, name servers, etc.

I can get whois information from the whoapi if I know what I'm looking for. I ran a query there on google.com and found no mention of the word CIDR or an IP address or netmask. The same results on whois.net. Can you point to something specific I can pull?

Here are the API results from whoapi:

{
"status": "0",
"whois_server": "whois.markmonitor.com",
"status_desc": "Successfully processed",
"limit_hit": false,
"registered": true,
"whois_raw": "Domain Name: google.com\nRegistry Domain ID: 2138514_DOMAIN_COM-VRSN\nRegistrar WHOIS Server: whois.markmonitor.com\nRegistrar URL: http://www.markmonitor.com\nUpdated Date: 2017-09-07T08:50:36-0700\nCreation Date: 1997-09-15T00:00:00-0700\nRegistrar Registration Expiration Date: 2020-09-13T21:00:00-0700\nRegistrar: MarkMonitor, Inc.\nRegistrar IANA ID: 292\nRegistrar Abuse Contact Email: abusecomplaints@markmonitor.com\nRegistrar Abuse Contact Phone: +1.2083895740\nDomain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)\nDomain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)\nDomain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)\nDomain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)\nDomain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)\nDomain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)\nRegistry Registrant ID: \nRegistrant Name: DNS Admin\nRegistrant Organization: Google Inc.\nRegistrant Street: 1600 Amphitheatre Parkway, \nRegistrant City: Mountain View\nRegistrant State/Province: CA\nRegistrant Postal Code: 94043\nRegistrant Country: US\nRegistrant Phone: +1.6502530000\nRegistrant Phone Ext: \nRegistrant Fax: +1.6502530001\nRegistrant Fax Ext: \nRegistrant Email: dns-admin@google.com\nRegistry Admin ID: \nAdmin Name: DNS Admin\nAdmin Organization: Google Inc.\nAdmin Street: 1600 Amphitheatre Parkway, \nAdmin City: Mountain View\nAdmin State/Province: CA\nAdmin Postal Code: 94043\nAdmin Country: US\nAdmin Phone: +1.6502530000\nAdmin Phone Ext: \nAdmin Fax: +1.6502530001\nAdmin Fax Ext: \nAdmin Email: dns-admin@google.com\nRegistry Tech ID: \nTech Name: DNS Admin\nTech Organization: Google Inc.\nTech Street: 1600 Amphitheatre Parkway, \nTech City: Mountain View\nTech State/Province: CA\nTech Postal Code: 94043\nTech Country: US\nTech 
Phone: +1.6502530000\nTech Phone Ext: \nTech Fax: +1.6502530001\nTech Fax Ext: \nTech Email: dns-admin@google.com\nName Server: ns4.google.com\nName Server: ns3.google.com\nName Server: ns1.google.com\nName Server: ns2.google.com\nDNSSEC: unsigned\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\n>>> Last update of WHOIS database: 2017-12-20T12:26:11-0800 <<<\n\nThe Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for\ninformation purposes, and to assist persons in obtaining information about or\nrelated to a domain name registration record. MarkMonitor.com does not guarantee\nits accuracy. By submitting a WHOIS query, you agree that you will use this Data\nonly for lawful purposes and that, under no circumstances will you use this Data to:\n (1) allow, enable, or otherwise support the transmission of mass unsolicited,\n commercial advertising or solicitations via e-mail (spam); or\n (2) enable high volume, automated, electronic processes that apply to\n MarkMonitor.com (or its systems).\nMarkMonitor.com reserves the right to modify these terms at any time.\nBy submitting this query, you agree to abide by this policy.\n\nMarkMonitor is the Global Leader in Online Brand Protection.\n\nMarkMonitor Domain Management(TM)\nMarkMonitor Brand Protection(TM)\nMarkMonitor AntiPiracy(TM)\nMarkMonitor AntiFraud(TM)\nProfessional and Managed Services\n\nVisit MarkMonitor at http://www.markmonitor.com\nContact us at +1.8007459229\nIn Europe, at +44.02032062220\n\nFor more information on Whois status codes, please visit\n https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en\n--\n",
"disclaimer": "",
"premium": false,
"generic_whois": true,
"date_created": "1997-09-15 04:00:00",
"date_expires": "2020-09-14 04:00:00",
"date_updated": "2017-09-07 15:50:36",
"domain_status": [
"clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
"clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
"clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
"serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited",
"serverTransferProhibited https://icann.org/epp#serverTransferProhibited",
"serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited",
"clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
"clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
"clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
"serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited",
"serverTransferProhibited https://icann.org/epp#serverTransferProhibited",
"serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited"
],
"nameservers": [
"NS1.GOOGLE.COM",
"NS2.GOOGLE.COM",
"NS3.GOOGLE.COM",
"NS4.GOOGLE.COM"
],
"emails": [
"dns-admin@google.com",
"abusecomplaints@markmonitor.com"
],
"whois_raw_parent": " Domain Name: GOOGLE.COM\n Registry Domain ID: 2138514_DOMAIN_COM-VRSN\n Registrar WHOIS Server: whois.markmonitor.com\n Registrar URL: http://www.markmonitor.com\n Updated Date: 2011-07-20T16:55:31Z\n Creation Date: 1997-09-15T04:00:00Z\n Registry Expiry Date: 2020-09-14T04:00:00Z\n Registrar: MarkMonitor Inc.\n Registrar IANA ID: 292\n Registrar Abuse Contact Email: abusecomplaints@markmonitor.com\n Registrar Abuse Contact Phone: +1.2083895740\n Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\n Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\n Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited\n Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited\n Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited\n Name Server: NS1.GOOGLE.COM\n Name Server: NS2.GOOGLE.COM\n Name Server: NS3.GOOGLE.COM\n Name Server: NS4.GOOGLE.COM\n DNSSEC: unsigned\n URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/\n>>> Last update of whois database: 2017-12-20T20:34:07Z <<<\n\nFor more information on Whois status codes, please visit https://icann.org/epp\n\nNOTICE: The expiration date displayed in this record is the date the\nregistrar's sponsorship of the domain name registration in the registry is\ncurrently set to expire. This date does not necessarily reflect the expiration\ndate of the domain name registrant's agreement with the sponsoring\nregistrar. 
Users may consult the sponsoring registrar's Whois database to\nview the registrar's reported date of expiration for this registration.\n\nTERMS OF USE: You are not authorized to access or query our Whois\ndatabase through the use of electronic processes that are high-volume and\nautomated except as reasonably necessary to register domain names or\nmodify existing registrations; the Data in VeriSign Global Registry\nServices' ("VeriSign") Whois database is provided by VeriSign for\ninformation purposes only, and to assist persons in obtaining information\nabout or related to a domain name registration record. VeriSign does not\nguarantee its accuracy. By submitting a Whois query, you agree to abide\nby the following terms of use: You agree that you may use this Data only\nfor lawful purposes and that under no circumstances will you use this Data\nto: (1) allow, enable, or otherwise support the transmission of mass\nunsolicited, commercial advertising or solicitations via e-mail, telephone,\nor facsimile; or (2) enable high volume, automated, electronic processes\nthat apply to VeriSign (or its computer systems). The compilation,\nrepackaging, dissemination or other use of this Data is expressly\nprohibited without the prior written consent of VeriSign. You agree not to\nuse electronic processes that are automated and high-volume to access or\nquery the Whois database except as reasonably necessary to register\ndomain names or modify existing registrations. VeriSign reserves the right\nto restrict your access to the Whois database in its sole discretion to ensure\noperational stability. VeriSign may restrict or terminate your access to the\nWhois database for failure to abide by these terms of use. VeriSign\nreserves the right to modify these terms at any time.\n\nThe Registry database contains ONLY .COM, .NET, .EDU domains and\nRegistrars.\n",
"whois_name": "Markmonitor",
"contacts": [
{
"type": "registrar",
"name": "",
"organization": "MarkMonitor, Inc.",
"phone": "+1.2083895740",
"email": "abusecomplaints@markmonitor.com",
"full_address": ""
},
{
"type": "registrant",
"name": "DNS Admin",
"organization": "Google Inc.",
"street": "1600 Amphitheatre Parkway,",
"city": "Mountain View",
"zipcode": "94043",
"state": "CA",
"country": "US",
"phone": "+1.6502530000",
"fax": "+1.6502530001",
"email": "dns-admin@google.com",
"full_address": "1600 Amphitheatre Parkway,, Mountain View, 94043, CA, US"
},
{
"type": "admin",
"name": "DNS Admin",
"organization": "Google Inc.",
"street": "1600 Amphitheatre Parkway,",
"city": "Mountain View",
"zipcode": "94043",
"state": "CA",
"country": "US",
"phone": "+1.6502530000",
"fax": "+1.6502530001",
"email": "dns-admin@google.com",
"full_address": "1600 Amphitheatre Parkway,, Mountain View, 94043, CA, US"
},
{
"type": "tech",
"name": "DNS Admin",
"organization": "Google Inc.",
"street": "1600 Amphitheatre Parkway,",
"city": "Mountain View",
"zipcode": "94043",
"state": "CA",
"country": "US",
"phone": "+1.6502530000",
"fax": "+1.6502530001",
"email": "dns-admin@google.com",
"full_address": "1600 Amphitheatre Parkway,, Mountain View, 94043, CA, US"
}
],
"domain_name": "google.com",
"_cached": true,
"_cached_datetime": "2017-12-20 20:34:16",
"requests_available": 496
}

@mpolden
Owner

mpolden commented Dec 23, 2017

If you request WHOIS for an IP address you get information about the network the IP belongs to, e.g. subnet, AS, owner etc. I think that's what he meant by CIDR.
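
A sketch of how the network information in an IP WHOIS response could feed the security-group use case from the original request; this is an added example, not part of the thread or the project's code. The sample responses are constructed, and `whois_cidrs`, `rule_cidr` and the `min_prefix` threshold are hypothetical names and values.

```python
import ipaddress
import re

# Constructed sample responses (documentation address space), not real WHOIS output.
ARIN_STYLE = """\
NetRange:       198.51.100.0 - 198.51.100.191
CIDR:           198.51.100.0/25, 198.51.100.128/26
NetName:        EXAMPLE-NET
"""
RIPE_STYLE = """\
inetnum:        203.0.113.0 - 203.0.113.63
netname:        EXAMPLE-NET
"""

# IPv4-style network fields: an explicit CIDR list or a "first - last" range.
FIELD = re.compile(r"^(cidr|netrange|inetnum)[ \t]*:[ \t]*(.+)$", re.I | re.M)


def whois_cidrs(text):
    """Return the CIDR blocks named in an IP WHOIS response (empty list if none)."""
    fields = {}
    for key, value in FIELD.findall(text):
        fields.setdefault(key.lower(), value.strip())  # first occurrence wins
    if "cidr" in fields:  # an explicit CIDR list takes precedence over a range
        return [ipaddress.ip_network(c.strip()) for c in fields["cidr"].split(",")]
    for key in ("netrange", "inetnum"):
        if key in fields:
            first, last = (ipaddress.ip_address(p.strip())
                           for p in fields[key].split("-"))
            # A range need not align to one prefix; it may expand to several.
            return list(ipaddress.summarize_address_range(first, last))
    return []


def rule_cidr(text, client_ip, min_prefix=20):
    """Choose the source CIDR for an allow rule.

    The WHOIS block is the registrant's allocation, often a whole ISP, so a
    block that does not contain the client or is broader than min_prefix is
    rejected and the rule falls back to the single host address.
    """
    ip = ipaddress.ip_address(client_ip)
    for net in whois_cidrs(text):
        if ip in net and net.prefixlen >= min_prefix:
            return str(net)
    return f"{ip}/{ip.max_prefixlen}"
```

The fallback matters for least privilege: a rule built from an allocation such as a /8 would admit every customer of that network, not just the current location.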

@visualblind

visualblind commented Jan 2, 2018

I'm actually interested in this as well and might take a whack at doing this. Martin, I believe he meant IP to AS/ASN information as well. Although there is rDNS that people seem to forget about. The following links contain a crapload of ASN related data, with complete ASN databases available for free download:

https://www.team-cymru.org/IP-ASN-mapping.html
https://iptoasn.com/ (a working IP to ASN lookup tool)
https://www.ultratools.com/tools/asnInfo (a working IP to ASN lookup tool)
http://www.cidr-report.org/as2.0/

Another idea is a function to perform an rDNS lookup on the visitor IP address, if a record exists, if that record is not a generic ISP record, then perform regular WHOIS database lookup on the domain name returned.

I run http://ipconfig.io/ so thanks, Martin.

@swtch1

swtch1 commented Jan 3, 2018

Yeah, I haven't had time since looking at it initially. See what you can do, I may not get time for another week or so.

@Aleks1977

Can I work out the owner from a phone number???

@mpolden mpolden closed this as completed Dec 24, 2019