Using the following code for whois lookups:

    using System.IO;
    using System.Net.Sockets;
    using System.Text;

    public static string LookUp(string ip, string whoisServer) {
        string buff = string.Empty;
        // WHOIS query: the address followed by a line terminator
        string strDomain = ip + "\r\n";
        byte[] arrDomain = Encoding.ASCII.GetBytes(strDomain);
        // WHOIS listens on TCP port 43
        using (TcpClient tcp = new TcpClient(whoisServer, 43)) {
            using (Stream tcpStream = tcp.GetStream()) {
                using (StreamReader objSR = new StreamReader(tcpStream, Encoding.ASCII)) {
                    tcpStream.Write(arrDomain, 0, arrDomain.Length);
                    // Blocks until the server closes the connection
                    buff = objSR.ReadToEnd();
                }
            }
        }
        return buff;
    }

works fine (ripe, arin, lacnic, afrinic) except for whois.apnic.net. Using Wireshark I noticed apnic keeps sending identical responses at increasing intervals.

Does anyone know why this is?

Additionally, why would an IP address assigned to apnic (103.31.186.82) point to Romania with an 'ISP' located in Latvia?

esjr

1 Answer

Where you're feeding in a \r\n sequence:

string strDomain = ip + "\r\n";

try just feeding in a \n:

string strDomain = ip + "\n";

or just a \r:

string strDomain = ip + "\r";

Some of the whois servers only respond to a line end and/or carriage return on their own rather than the usual paired one, and it does depend on the OS running on the server generally.

It's much the same when processing text files across different platforms; Windows machines generally tend to use the double line ending, Linux/Unix variants... vary :-)

Additionally

There are many reasons, but it's likely that the ISP's headquarters / Head offices are located in Latvia and the address in the record used by the query tool you used to give geographical info was the HQ one, while the physical IP link is actually in the geographical area you'd expect.

shawty
  • I reopened the case at APNIC after they dropped it. They are testing. I think we tested the \n and \r variations, but will try again. However, I don't quite see how that could result in the observed response: apnic keeps sending identical responses at increasing intervals. I will let you know how it works out and of course green-flag accordingly ;-) – esjr May 30 '13 at 13:11
  • No worries, best of luck... just one comment though, if the server doesn't correctly detect that the client has finished (e.g. because it doesn't detect the correct line ending) then the TCP subsystem on the server is very likely to keep re-sending the packet. Don't forget TCP is a guaranteed delivery protocol, so if the TCB subsystem at either end believes the communication has failed / corrupted or is incomplete, one or both will re-request a resend. Not saying that's the reason, but it is food for thought. – shawty May 30 '13 at 15:40
  • The RFC3912 on Whois Protocol Specification is clear: each query should be terminated by CR + LF – Patrick Mevzek Jan 03 '18 at 21:50
  • @esjr it seems you forgot your promise to come back and let us know :-) – Patrick Mevzek Jan 03 '18 at 21:51
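
Added example, not part of the original question, answer or comments: a variant of the LookUp method from the question that ends the query with CR LF (as the RFC 3912 comment above states), sends only a parsed IP address, and limits both the wait per read and the size of the reply so that a server which never closes the connection cannot block the caller indefinitely. The class name, the timeout and the size cap are assumptions chosen for illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;

public static class BoundedWhois   // hypothetical name, not from the original post
{
    const int TimeoutMs = 10000;        // assumed limit for each blocking read/write
    const int MaxResponseChars = 65536; // assumed cap on the size of the reply

    public static string LookUp(string ip, string whoisServer)
    {
        // Accept only a literal IP address so CR/LF or server-specific
        // query flags in the input cannot change the query line.
        IPAddress address;
        if (!IPAddress.TryParse(ip, out address))
            throw new ArgumentException("Not an IP address.", "ip");

        // Send the normalised form of the address, terminated by CR LF.
        byte[] query = Encoding.ASCII.GetBytes(address + "\r\n");
        var reply = new StringBuilder();

        using (var tcp = new TcpClient())
        {
            tcp.SendTimeout = TimeoutMs;
            tcp.ReceiveTimeout = TimeoutMs;
            tcp.Connect(whoisServer, 43);
            using (NetworkStream stream = tcp.GetStream())
            using (var reader = new StreamReader(stream, Encoding.ASCII))
            {
                stream.Write(query, 0, query.Length);
                var buffer = new char[4096];
                try
                {
                    int read;
                    // Read returns 0 once the server closes the connection.
                    while (reply.Length < MaxResponseChars &&
                           (read = reader.Read(buffer, 0, buffer.Length)) > 0)
                        reply.Append(buffer, 0, read);
                }
                catch (IOException)
                {
                    // Receive timeout: the server stalled; keep what arrived.
                }
            }
        }
        return reply.ToString();
    }
}
```

Unlike ReadToEnd, this returns whatever arrived when a read times out, so the caller should treat an empty or truncated reply as a failed lookup.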