WHOIS protocol templates allow you to query domain registration information, detect expiring domains, and gather ownership details.

Basic WHOIS query

id: basic-whois

info:
  name: Basic WHOIS Query
  author: pdteam
  severity: info

whois:
  - query: "{{Host}}"
    
    extractors:
      - type: kval
        kval:
          - "expiration date"
          - "registrar"

WHOIS components

Query

query (string, required)
Domain name to query. Usually {{Host}} for dynamic inputs.
whois:
  - query: "{{Host}}"
Or a specific domain:
whois:
  - query: "example.com"

Server

server (string)
Optional WHOIS server to query. If omitted, automatic server discovery is used.
whois:
  - query: "{{Host}}"
    server: "whois.verisign-grs.com"

Example: Domain expiration check

id: domain-expiring

info:
  name: Domain Expiration Check
  author: pdteam
  severity: info
  description: Extracts domain expiration information

whois:
  - query: "{{Host}}"
    
    matchers:
      - type: word
        words:
          - "Registry Expiry Date"
          - "Expiration Date"
        condition: or
    
    extractors:
      - type: kval
        kval:
          - "expiration date"
          - "registry expiry date"

Example: Registrar detection

id: domain-registrar

info:
  name: Domain Registrar Detection
  author: pdteam
  severity: info

whois:
  - query: "{{Host}}"
    
    extractors:
      - type: kval
        name: registrar_info
        kval:
          - "registrar"
          - "registrar url"
          - "registrar abuse contact email"

Example: Domain status check

id: domain-status

info:
  name: Domain Status Check
  author: pdteam
  severity: info
  description: Checks domain status flags

whois:
  - query: "{{Host}}"
    
    matchers:
      - type: word
        words:
          - "clientTransferProhibited"
          - "clientDeleteProhibited"
        condition: or
    
    extractors:
      - type: regex
        name: domain_status
        regex:
          - "Domain Status:\\s*(.+)"
        group: 1

WHOIS extractors

Key-value extractor

Extract specific WHOIS fields:
extractors:
  - type: kval
    kval:
      - "expiration date"
      - "creation date"
      - "registrar"
      - "name server"

Regex extractor

Extract using patterns:
extractors:
  - type: regex
    name: nameservers
    regex:
      - "Name Server:\\s*(.+)"
    group: 1

Complete example

id: whois-comprehensive

info:
  name: Comprehensive WHOIS Information
  author: pdteam
  severity: info
  description: Extracts detailed domain registration information

whois:
  - query: "{{Host}}"
    
    extractors:
      - type: kval
        name: registration_info
        kval:
          - "creation date"
          - "expiration date"
          - "updated date"
      
      - type: kval
        name: registrar_info
        kval:
          - "registrar"
          - "registrar url"
      
      - type: regex
        name: nameservers
        regex:
          - "(?i)name server:\\s*(.+)"
        group: 1
      
      - type: kval
        name: status
        kval:
          - "domain status"
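
The templates above extract the expiry date and status flags but do not decide whether a domain is close to expiring or missing a lock. As an added example (not part of the original page or of Nuclei itself), this Python post-processing step turns those fields into findings. The sample response, the 30-day threshold and the function names are assumptions made for illustration, and the key lookup is a simple stand-in, not Nuclei's kval extractor.

```python
from datetime import datetime, timezone

# Constructed sample WHOIS response (not real registry output).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2025-08-13T04:00:00Z
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE.NET
"""

EXPIRY_KEYS = ("registry expiry date", "expiration date")
LOCKS = ("clientTransferProhibited", "clientDeleteProhibited")


def parse_fields(text):
    """Collect 'Key: value' lines into {lowercased key: [values]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def audit(text, now, warn_days=30):
    """Return (days until expiry or None, list of findings)."""
    fields = parse_fields(text)
    findings, days = [], None
    raw = next((fields[k][0] for k in EXPIRY_KEYS if k in fields), None)
    if raw is None:
        findings.append("no expiry field found")
    else:
        try:
            expiry = datetime.fromisoformat(raw.replace("Z", "+00:00"))
            if expiry.tzinfo is None:  # assume UTC when no offset is given
                expiry = expiry.replace(tzinfo=timezone.utc)
            days = (expiry - now).days
            if days < 0:
                findings.append("expired")
            elif days <= warn_days:
                findings.append(f"expires in {days} days")
        except ValueError:  # registries use many date formats
            findings.append(f"unparsed expiry: {raw}")
    statuses = " ".join(fields.get("domain status", [])).lower()
    findings += [f"missing {l}" for l in LOCKS if l.lower() not in statuses]
    return days, findings
```

Dates that are not ISO 8601 are reported as unparsed rather than guessed, so a missing expiry warning is never mistaken for a healthy domain.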
