Port 63: WHOIS++ — The White Pages That Never Were

Port 63 is assigned to WHOIS++, a protocol that tried to build a phone book for the Internet. Not a phone book for domain names or IP addresses, which is what regular WHOIS does on port 43, but a phone book for people. A distributed, searchable, extensible white pages that could help you find a human being on a network that was rapidly becoming too large to navigate by memory.

It was a beautiful idea. It arrived too early, and the Web arrived too fast.

What WHOIS++ Was Supposed to Do

WHOIS++, formally specified in RFC 1835¹, was an extension to the original WHOIS protocol defined in RFC 954². Where WHOIS gave you a simple query-response system for looking up domain registrations, WHOIS++ aimed for something far more ambitious: a distributed directory service that could answer the question "where is this person on the Internet?"

The protocol ran on port 63 over both TCP and UDP. Its IANA service name is whoispp, because the original name whois++ contained special characters that modern service discovery mechanisms like DNS SRV records cannot handle³.

WHOIS++ added capabilities that the original WHOIS protocol desperately lacked:

• Boolean operators for structured queries, so you could search with actual precision
• A distributed indexing service where servers could generate "centroid" data structures and route queries to each other, forming a mesh of interconnected directories
• Support for multiple languages and character sets, addressing internationalization problems that the ASCII-only original WHOIS could never touch
• Extensible data models that could describe any kind of information, not just domain registrations

The vision was that WHOIS++ servers would form a mesh across the Internet. When you queried one server and it didn't have your answer, it would refer you to another server that might. The client would traverse this mesh, following referrals until it found what you were looking for⁴.

The Story

The WHOIS++ effort was born at the 24th IETF meeting in Boston, Massachusetts, during what RFC 1835 describes as "an intensive brainstorming session"¹. The people in the room included Peter Deutsch, Alan Emtage, Jim Fullton, Joan Gargano, Brad Passwaters, Simon Spero, and Chris Weider.

These were not random attendees. Peter Deutsch was the president of BUNYIP Information Systems and a co-developer of Archie, one of the first tools for searching the Internet⁵. Alan Emtage was Archie's original creator. These were people who had already built one system for finding things on a network that was growing faster than anyone could track, and they knew the next problem was finding people, not just files.

The brainstorming session started from a clear premise: don't try to rebuild X.500, the heavyweight OSI directory standard that was technically impressive and practically unusable. Instead, take the simple WHOIS model that already worked and extend it carefully. As Deutsch later described it: "Would it be appropriate to look at enhancing the simple WHOIS model?"⁵

By August 1995, the specification was published as RFC 1835, authored by Peter Deutsch, Rickard Schoultz of KTHNOC (the Swedish networking operations center), Patrik Faltstrom, and Chris Weider, all from BUNYIP Information Systems or the Nordic networking community¹. Two companion RFCs followed in February 1996: RFC 1913 describing the index service architecture⁶, and RFC 1914 explaining how to interact with a WHOIS++ mesh⁷.

Three RFCs. A port assignment. A distributed architecture. And then, silence.

What Happened

WHOIS++ was a 1995 answer to a 1993 question, and by 1995 the question had changed. The World Wide Web was exploding. Search engines were emerging. The problem of "finding people on the Internet" was being solved not by a purpose-built directory protocol, but by web pages, email signatures, and eventually social networks.

The protocol never found widespread deployment. The IETF eventually marked it as Historic⁸, a polite designation meaning "this was a real effort by real people, and it is over."

The search for a better WHOIS continued through other channels. VeriSign later pushed for the CRISP working group, which produced the IRIS protocol. That too faded. Eventually, the WEIRDS working group produced RDAP (Registration Data Access Protocol), which was ratified in 2015 and actually succeeded in modernizing domain registration queries⁹. But RDAP runs on port 443 over HTTPS, not on port 63.

Port 63 remains assigned. The protocol it carries remains Historic.

How It Worked

A WHOIS++ interaction was designed to be human-readable, a deliberate choice to keep the barrier to entry low and debugging easy¹. The protocol used a text-based query syntax with operators like AND, OR, and NOT, and returned structured records with labeled fields.

The distributed mesh was the protocol's most distinctive feature. Each WHOIS++ server maintained "centroid" indexes, summaries of the data held by neighboring servers. When a query arrived that a server couldn't answer locally, it could refer the client to servers whose centroids suggested they might have relevant data. The client, not the server, was responsible for following these referrals and traversing the mesh⁷.

This was a peer-to-peer directory before anyone used that phrase. Every server was both a data source and a routing node. The architecture assumed that the Internet's directory information would be distributed across many organizations, each maintaining their own server with their own data, all linked together through the centroid indexing system.

Security

Port 63 has appeared in some threat databases as a port historically used by malware for command-and-control communication¹⁰. This is not because WHOIS++ itself is dangerous, but because any port with little legitimate traffic makes an attractive channel for malware authors. A connection to port 63 on a modern network is unusual enough to be worth investigating.

The WHOIS++ protocol itself, like the WHOIS protocol it extended, had no provisions for encryption, access control, or authentication. Everything traveled in plaintext. This was typical of mid-1990s protocol design, where the assumption was that the Internet was a cooperative network of trusted participants.

Checking What Is Listening on Port 63

On most modern systems, nothing should be listening on port 63. To check:

# macOS / Linux
sudo lsof -i :63
netstat -an | grep ':63 '

# Windows
netstat -an | findstr :63

If something is listening on port 63 and you didn't put it there, investigate. No major modern software uses this port.

The Quiet Dignity of a Historic Protocol

There is something worth sitting with in the story of port 63. A group of engineers who had already built one of the Internet's first search tools sat down in a conference room in Boston and asked: "How do we help people find each other?" They designed a careful, extensible, distributed answer. They wrote three RFCs. They got a port number. And then the world moved on.

WHOIS++ was not wrong. It was simply outrun by the Web, which solved the "finding people" problem in a way that no protocol designer in 1993 could have anticipated. The Web didn't need a dedicated directory protocol because it turned every web page into a potential directory entry, searchable by general-purpose search engines that hadn't been invented yet.

Port 63 carries a protocol that nobody uses, designed by people who were asking exactly the right question at almost the right time.