The Complete WHOIS Lookup Guide

Everything you need to know about WHOIS lookups. Covers how WHOIS works, data fields, privacy and GDPR, the RDAP replacement protocol, domain ownership research, WHOIS history, and security uses.

WHOIS is one of the oldest protocols on the internet. Since the 1980s, it has served a simple purpose: answer the question "who is responsible for this domain name?" Type a domain into a WHOIS lookup tool, and you get back the registrant's name, contact information, registration dates, nameservers, and registrar details.

But WHOIS in 2026 is not what it was a decade ago. Privacy regulations have redacted much of the personal data that used to be freely available. A newer protocol called RDAP is gradually replacing WHOIS. And the information you do find requires context to interpret correctly.

This guide covers how WHOIS works, what the data fields mean, how privacy and regulation have changed the landscape, and how to use WHOIS effectively for domain research, security investigations, and ownership verification.


What is WHOIS

WHOIS (pronounced "who is") is a query-response protocol used to look up information about domain name registrations, IP address allocations, and autonomous system numbers. [1] When you perform a WHOIS lookup on a domain name, you are querying a database maintained by the domain's registrar or registry operator.

The protocol was originally defined in RFC 954 in 1985, making it one of the oldest internet protocols still in active use. [1] It predates the World Wide Web, modern DNS, and most of the internet infrastructure we take for granted today.

How a WHOIS lookup works

When you query a domain:

  1. Your WHOIS client connects to the WHOIS server for the top-level domain (TLD). For .com domains, that is Verisign's WHOIS server. For .org, it is PIR (Public Interest Registry).
  2. The TLD's WHOIS server returns basic information and tells you which registrar manages the domain.
  3. Your client then queries the registrar's WHOIS server for the full registration details.
  4. The registrar's server returns all available data about the domain.

Whether the second step is needed depends on the TLD's WHOIS model, "thick" or "thin". Some TLDs provide full data at the registry level (thick WHOIS), while others only provide referral information (thin WHOIS) and require a second query to the registrar. [2]
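The referral chain described above can be followed in a few lines. The sketch below is an added example, not code from this guide: it speaks the RFC 3912 wire format (TCP port 43, query terminated by CRLF) and follows the "Registrar WHOIS Server" line. The hostnames whois.registry.example and whois.registrar.example, the sample responses and all function names are assumptions made up for the example.

```python
import re
import socket

WHOIS_PORT = 43  # RFC 3912: plain-text TCP service on port 43

# Constructed responses for an offline run; hostnames and values are made up.
SAMPLE_SERVERS = {
    "whois.registry.example": (
        "Domain Name: EXAMPLE.COM\r\n"
        "Registrar WHOIS Server: whois.registrar.example\r\n"
        "Registrar: Example Registrar, Inc.\r\n"),
    "whois.registrar.example": (
        "Domain Name: example.com\r\n"
        "Registrar WHOIS Server: whois.registrar.example\r\n"
        "Registrant Name: REDACTED FOR PRIVACY\r\n"),
}

REFERRAL_RE = re.compile(
    r"^[ \t]*Registrar WHOIS Server:[ \t]*(\S+)[ \t]*\r?$", re.I | re.M)


def whois_query(server, query, timeout=10.0):
    """Live transport: send the query plus CRLF, read until the server closes."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    # The protocol declares no character set, so decode leniently.
    return b"".join(chunks).decode("utf-8", errors="replace")


def sample_query(server, query):
    """Offline transport that answers from SAMPLE_SERVERS."""
    return SAMPLE_SERVERS[server]


def find_referral(response):
    """Return the registrar WHOIS host named in a response, or None."""
    match = REFERRAL_RE.search(response)
    if not match:
        return None
    # Some records give a URL here; keep only the host part.
    host = re.sub(r"^[a-z]+://", "", match.group(1).lower()).split("/")[0]
    return host or None


def lookup(domain, registry_server, query=whois_query, max_hops=3):
    """Query the registry, then follow referrals; returns [(server, text), ...]."""
    hops, seen, server = [], set(), registry_server
    # Registrars often list themselves as the referral, so stop on repeats.
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)
        text = query(server, domain)
        hops.append((server, text))
        server = find_referral(text)
    return hops


if __name__ == "__main__":
    for server, text in lookup("example.com", "whois.registry.example", sample_query):
        print(f"--- {server} ---\n{text}")
```

For a thick registry the first response carries no new referral, so lookup returns a single hop.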

Command-line WHOIS

On macOS and Linux, the whois command is built in:

$ whois example.com

On Windows, you can use third-party tools or web-based lookup services. The command-line tool queries the appropriate WHOIS server automatically based on the TLD.

Web-based WHOIS tools

Numerous websites provide WHOIS lookup interfaces. These include ICANN's own WHOIS lookup (lookup.icann.org), registrar-provided tools, and third-party services. Web tools are convenient but sometimes show incomplete data compared to direct protocol queries.

WHOIS data fields explained

A WHOIS response contains several categories of information. Understanding what each field means helps you interpret the results correctly.

Domain information

  • Domain Name: The domain being queried (e.g., example.com)
  • Registry Domain ID: A unique identifier assigned by the registry
  • Registrar WHOIS Server: The URL of the registrar's WHOIS server for more detailed information
  • Updated Date: When the WHOIS record was last modified (not necessarily when the website content changed)
  • Creation Date: When the domain was first registered. This is the domain's "birthday" and does not change even if ownership transfers. See domain age checker for why this matters.
  • Registry Expiry Date: When the domain registration expires. This is the critical date for domain renewal. See how to check domain expiry for verification methods.

Registrar information

  • Registrar: The company through which the domain was registered (e.g., GoDaddy, Namecheap, Cloudflare). See find domain registrar for how to identify this.
  • Registrar IANA ID: A unique ID assigned to the registrar by IANA
  • Registrar Abuse Contact Email/Phone: Contact information for reporting abuse related to the domain

Registrant information

The registrant is the person or organization that owns the domain. Pre-GDPR, this section typically included:

  • Registrant Name: The individual or organization name
  • Registrant Organization: The company or entity
  • Registrant Street/City/State/Postal Code/Country: Physical address
  • Registrant Phone: Phone number
  • Registrant Email: Email address

Post-GDPR, most of these fields are redacted for individuals. See the privacy section below.

Administrative and technical contacts

Separate from the registrant, WHOIS records can include:

  • Admin Contact: The person authorized to make changes to the domain registration
  • Tech Contact: The person responsible for the domain's technical configuration

In practice, these are often the same as the registrant, and they are subject to the same privacy redactions.

Nameservers

The WHOIS record lists the domain's authoritative nameservers. These tell you which DNS provider is hosting the domain's records:

  • ns1.example-dns.com
  • ns2.example-dns.com

Nameserver information is always visible (not redacted by privacy services) because it is essential for DNS resolution.

Domain status codes

WHOIS records include EPP (Extensible Provisioning Protocol) status codes that indicate the domain's current state:

| Status | Meaning |
|--------|---------|
| clientTransferProhibited | The registrar has locked the domain against transfers |
| serverTransferProhibited | The registry has locked the domain against transfers |
| clientDeleteProhibited | The domain cannot be deleted by the registrar |
| clientUpdateProhibited | WHOIS data cannot be modified |
| ok | Normal status, no restrictions |
| pendingDelete | The domain is being deleted and will be available for registration soon |
| redemptionPeriod | The domain has expired and is in the redemption period |

Multiple status codes can apply simultaneously. A well-secured domain typically has clientTransferProhibited and clientDeleteProhibited set. See domain registration lifecycle for what these statuses mean in context.

Privacy, GDPR, and redacted WHOIS

The landscape of WHOIS data availability changed dramatically in May 2018 when the European Union's General Data Protection Regulation (GDPR) took effect. [3]

What changed

Before GDPR, WHOIS data for most domains included the registrant's full name, address, phone number, and email address. This information was publicly accessible to anyone who queried it.

GDPR classifies this as personal data and requires a lawful basis for processing and sharing it. Since WHOIS servers make this data available to anyone worldwide, registrars had to choose between GDPR compliance and full WHOIS transparency. They chose compliance.

The result: most registrars now redact personal information from WHOIS responses for domains registered by individuals. You will see entries like:

Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: 
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Email: Please query the WHOIS server of the owning registrar

What is still visible

Even with GDPR redactions, WHOIS still provides:

  • Domain name and registration dates (creation, expiry, last updated)
  • Registrar name and abuse contact
  • Nameservers
  • Domain status codes
  • Country of the registrant (in many cases)
  • Organization name (for non-individual registrants, in some cases)

WHOIS privacy services

Even before GDPR, many registrants used WHOIS privacy services (also called WHOIS proxy or WHOIS guard). These services replace the registrant's personal information with the privacy service's information in the WHOIS record.

Post-GDPR, privacy is often applied by default. Some registrars still offer paid privacy services for additional protection or for domains in TLDs where GDPR does not apply.

For a discussion of whether dedicated privacy protection is worth paying for, see is domain expiry protection worth it.

Accessing redacted data

Legitimate parties (law enforcement, intellectual property holders, security researchers) can request access to redacted WHOIS data through:

  • ICANN's RDRS (Registration Data Request Service): A process for verified requestors to access full WHOIS data
  • Registrar disclosure processes: Each registrar has its own procedure for handling data requests
  • Legal processes: Court orders and subpoenas can compel registrars to disclose registrant information

For general domain ownership research when WHOIS is redacted, see who owns a domain name.

GDPR applies regardless of where the registrant is located if the registrar operates in or serves EU residents. In practice, most major registrars apply GDPR-level privacy to all domains, not just those owned by EU residents, because it is simpler than maintaining different policies per jurisdiction.

RDAP: The replacement for WHOIS

Registration Data Access Protocol (RDAP) is the modern replacement for WHOIS. It addresses many of WHOIS's technical limitations while providing a framework for differentiated access to registration data. [4]

Why RDAP exists

WHOIS has several fundamental problems:

  • No standardized format. Different WHOIS servers return data in different text formats, making automated parsing unreliable.
  • No authentication. Anyone can query WHOIS data with no way to verify their identity or purpose.
  • No differentiated access. Everyone gets the same data, with no way to provide more data to verified parties and less to anonymous queries.
  • No internationalization. WHOIS was designed for ASCII text and handles non-Latin characters poorly.
  • No encryption. WHOIS queries and responses are transmitted in plaintext.

How RDAP is different

RDAP addresses all of these issues:

  • Standardized JSON format. Responses are structured JSON, making them easy to parse programmatically. [4]
  • HTTP-based. RDAP runs over HTTPS, providing encryption for queries and responses.
  • Authentication support. RDAP supports authenticated access, enabling registrars to provide different levels of data to different queriers.
  • Internationalization. Full Unicode support for non-Latin domain names and registrant information.
  • Differentiated access. Verified law enforcement or IP holders can receive full data while anonymous queries receive redacted data.

Current state of RDAP adoption

ICANN requires all gTLD registrars and registries to support RDAP. [5] Most major registrars now provide RDAP endpoints alongside their traditional WHOIS servers. However, WHOIS is still widely used because:

  • Many existing tools and scripts still use the WHOIS protocol
  • Some ccTLDs have been slower to implement RDAP
  • The transition is gradual; both protocols run in parallel

For domain research, RDAP provides more structured and reliable data. If your tools support it, prefer RDAP over WHOIS.
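To show what the structured format buys you, here is an added example (not code from this guide) that reduces an RDAP domain object to the fields a WHOIS reader looks for. The sample object is constructed and every value in it is made up; the function names are assumptions. Note that RDAP writes status values as spaced words and reports the EPP status ok as "active", so the example folds them back to the codes listed in the status table.

```python
import json

# Constructed RDAP domain object for illustration; every value is made up.
SAMPLE_RDAP = json.loads("""
{"objectClassName": "domain", "ldhName": "EXAMPLE.COM",
 "status": ["client transfer prohibited", "client delete prohibited"],
 "events": [
   {"eventAction": "registration", "eventDate": "2015-03-02T10:00:00Z"},
   {"eventAction": "expiration", "eventDate": "2027-03-02T10:00:00Z"},
   {"eventAction": "last changed", "eventDate": "2025-02-11T08:30:00Z"}],
 "nameservers": [
   {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE-DNS.COM"},
   {"objectClassName": "nameserver", "ldhName": "NS2.EXAMPLE-DNS.COM"}],
 "entities": [
   {"objectClassName": "entity", "roles": ["registrar"],
    "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                             ["fn", {}, "text", "Example Registrar, Inc."]]]},
   {"objectClassName": "entity", "roles": ["registrant"],
    "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                             ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]}]}
""")


def to_epp(status):
    """Fold an RDAP status ("client transfer prohibited") to its EPP code."""
    words = status.split()
    if not words:
        return ""
    if words == ["active"]:  # RDAP's name for the EPP status "ok"
        return "ok"
    return words[0].lower() + "".join(w.capitalize() for w in words[1:])


def vcard_value(entity, prop):
    """Return the first value of a jCard property such as "fn", or None."""
    card = entity.get("vcardArray") or []
    for item in (card[1] if len(card) > 1 else []):
        if len(item) >= 4 and item[0] == prop:
            return item[3]
    return None


def role_name(rdap, role):
    """Return the "fn" of the first entity holding the given role, or None."""
    for entity in rdap.get("entities", []):
        if role in entity.get("roles", []):
            return vcard_value(entity, "fn")
    return None


def summarize(rdap):
    """Reduce an RDAP domain object to the fields a WHOIS reader looks for."""
    events = {e.get("eventAction"): e.get("eventDate") for e in rdap.get("events", [])}
    registrant = role_name(rdap, "registrant")
    return {
        "domain": rdap.get("ldhName", "").lower(),
        "created": events.get("registration"),
        "expires": events.get("expiration"),
        "updated": events.get("last changed"),
        "status": [to_epp(s) for s in rdap.get("status", [])],
        "nameservers": sorted(n["ldhName"].lower()
                              for n in rdap.get("nameservers", []) if "ldhName" in n),
        "registrar": role_name(rdap, "registrar"),
        # A missing or placeholder name both count as redacted.
        "registrant_redacted": not registrant or "redact" in registrant.lower(),
    }
```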

Domain ownership research

One of the primary uses of WHOIS is investigating who owns or controls a domain. In the post-GDPR era, this requires multiple data sources and techniques.

Starting with WHOIS/RDAP

Even with redacted personal data, a WHOIS lookup reveals:

  • When the domain was registered. Very recent registrations are more likely to be associated with phishing, spam, or speculative registration.
  • When the domain expires. A domain close to expiry with no renewal might be abandoned. See what happens when a domain expires.
  • Which registrar manages it. The registrar can provide a starting point for abuse reports or legal requests.
  • Nameservers. Nameservers can link a domain to a specific hosting provider or DNS service, which may reveal the operator.
  • Organization name. For business domains, the organization field is often not redacted.

Reverse WHOIS lookups

A reverse WHOIS lookup searches the registrant database by name, email, or organization rather than by domain. If you know one domain owned by a person or company, a reverse lookup can reveal other domains they own.

This is useful for:

  • Investigating phishing campaigns (finding all domains registered by the same attacker)
  • Competitive research (discovering all domains owned by a competitor)
  • Brand protection (finding domains that might be infringing on your trademarks)

DNS record analysis

DNS records provide additional ownership signals:

  • A records show the IP address, which can be looked up to find the hosting provider
  • MX records show the email provider, which may indicate the organization
  • TXT records may contain verification strings for Google Workspace, Microsoft 365, or other services, revealing which platforms the domain owner uses
  • SOA records include the administrator's email address

SSL certificate data

The SSL certificate for a domain may include:

  • Organization name (for OV and EV certificates)
  • Geographic information
  • The Certificate Authority that issued it

Certificate Transparency logs provide a historical record of all certificates issued for a domain, which can reveal changes in ownership or hosting.

WHOIS history

WHOIS history services maintain archives of past WHOIS records, allowing you to see how a domain's registration data has changed over time.

What WHOIS history reveals

  • Ownership changes. When the registrant information changed, indicating a domain sale or transfer.
  • Registrar changes. When the domain was transferred between registrars.
  • Nameserver changes. When the DNS provider changed, which might indicate a hosting migration.
  • Expiry and renewal patterns. Whether the domain has ever lapsed or come close to expiry.

See WHOIS history for how to access and interpret historical records.

Use cases for WHOIS history

Domain purchases. Before buying a domain, check its history to ensure it was not previously used for spam, malware, or other activities that might have resulted in search engine penalties or blacklisting.

Security investigations. Track when a compromised domain changed hands or when suspicious DNS changes occurred.

Legal disputes. Establish a timeline of domain ownership for trademark disputes or cybersquatting claims.

SEO due diligence. Check whether a domain you are considering purchasing has a clean history or was previously part of a link network. See buying expired domains and buy expired domains with traffic.

WHOIS history data predating GDPR is more detailed because personal information was not redacted at the time. Post-GDPR historical records reflect the same redactions that apply to current queries. If you need historical registrant data from after May 2018, WHOIS history services may not have it.

Bulk WHOIS lookups

When you need to query WHOIS data for many domains at once, individual lookups become impractical.

When bulk lookups are needed

  • Domain portfolio management. Tracking expiry dates and registrar information for all domains you manage. See bulk domain expiry tracking.
  • Security audits. Investigating a list of suspicious domains for common registration patterns.
  • Brand monitoring. Checking newly registered domains for potential trademark infringement.
  • Vendor verification. Verifying the legitimacy of domains used by vendors or partners. See check website legitimacy.

Bulk lookup approaches

Command-line scripting. Loop through a list of domains and run whois for each. Include a delay between queries (at least 1 to 2 seconds) to avoid rate limiting.

WHOIS API services. Many providers offer APIs that return structured WHOIS data. These are faster and more reliable than parsing raw WHOIS text, and they typically have higher rate limits for paying customers.

RDAP endpoints. RDAP's structured JSON responses are much easier to process in bulk than WHOIS text. Use RDAP endpoints where available for more reliable automated lookups.

Rate limiting and etiquette

WHOIS servers enforce rate limits to prevent abuse. If you exceed the limit, your queries will be blocked (temporarily or permanently). Best practices:

  • Include delays between queries
  • Cache results to avoid redundant lookups
  • Use RDAP endpoints where available (they typically have more generous limits)
  • For very large lookup volumes, use a commercial WHOIS API that handles rate limiting and caching

Using WHOIS for security

WHOIS data is a valuable tool in the security analyst's toolkit for investigating threats and protecting assets.

Phishing investigation

When you receive a phishing email or find a phishing site, WHOIS can reveal:

  • When the domain was registered (phishing domains are usually very new)
  • The registrar used (some registrars are more popular with abusers)
  • Whether the same registrant has other domains (suggesting a campaign)
  • Contact information for reporting abuse

Threat intelligence

Security teams use WHOIS data to:

  • Build profiles of threat actors based on domain registration patterns
  • Identify infrastructure used in attacks
  • Track the evolution of malicious campaigns across domains
  • Correlate domains used in different stages of an attack

Domain monitoring for brand protection

Monitor newly registered domains for names similar to your brand. Typosquatting (registering misspellings of popular domains) and homoglyph attacks (using look-alike characters) are common phishing techniques. Early detection through WHOIS monitoring allows you to take action before the domain is used maliciously.
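One way to screen a feed of newly registered names for the two patterns named above, as an added example that is not part of the original guide. The brand label "example", the sample feed and the short look-alike table are constructed assumptions; a production monitor would use the full Unicode confusables data.

```python
import unicodedata

# Illustrative look-alike table (assumption: a real monitor would load the
# Unicode confusables data instead of this short list).
CONFUSABLES = {"0": "o", "1": "l",
               "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, ie, o
               "\u0440": "p", "\u0441": "c", "\u0456": "i"}  # Cyrillic er, es, i
SEQUENCES = (("rn", "m"), ("vv", "w"))

# Constructed feed of newly registered names; the brand label is "example".
IDN_SAMPLE = "xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".com"
SAMPLE_FEED = ["examp1e.com", "exarnple.net", "exmaple.org", IDN_SAMPLE, "weather.com"]


def to_unicode(label):
    """Decode an xn-- (punycode) label so non-ASCII look-alikes become visible."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def skeleton(label):
    """Fold a label to a canonical form in which look-alikes compare equal."""
    text = unicodedata.normalize("NFKC", to_unicode(label.lower()))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, repl in SEQUENCES:
        text = text.replace(seq, repl)
    return text


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain, brand):
    """Return "homoglyph", "typo" or None for one registered domain."""
    label = domain.lower().rstrip(".").split(".")[0]  # leftmost label only
    if label == brand:
        return None  # same label under another TLD; out of scope here
    folded, target = skeleton(label), skeleton(brand)
    if folded == target:
        return "homoglyph"
    return "typo" if edit_distance(folded, target) <= 1 else None


def scan(feed, brand):
    """Map each flagged domain in the feed to its classification."""
    return {d: kind for d in feed if (kind := classify(d, brand))}


if __name__ == "__main__":
    print(scan(SAMPLE_FEED, "example"))
```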

Verifying domain legitimacy

Before doing business with a new vendor or clicking a link in an email, a quick WHOIS lookup can reveal red flags:

  • Domain registered within the past few days or weeks
  • Registration information that does not match the claimed organization
  • Registrar known for lax abuse policies
  • Domain expiring soon (suggesting temporary or throwaway registration)

See check website legitimacy for a complete verification process.
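The red flags above can be checked mechanically from a raw WHOIS response. This is an added example, not code from this guide: the sample record is constructed, the 30-day thresholds and all function names are assumptions, and the date parser only handles the ISO 8601 format shown. It also reports whether the two locks this guide recommends for a well-secured domain are set, which is useful when auditing your own portfolio.

```python
from datetime import datetime, timezone

# Constructed WHOIS response for illustration; not a real record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-PAYMENTS.COM
Registrar: Example Registrar, Inc.
Creation Date: 2026-01-10T09:15:00Z
Registry Expiry Date: 2027-01-10T09:15:00Z
Domain Status: ok https://icann.org/epp#ok
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
>>> Last update of whois database: 2026-01-20T00:00:00Z <<<
"""

LOCKS = {"clientTransferProhibited", "clientDeleteProhibited"}


def parse_whois(text):
    """Parse "Key: Value" lines into {key: [values]}; keys such as status repeat."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or line.lstrip().startswith((">>>", "%", "#")):
            continue  # skip footers, comments and free text
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def first_date(fields, key):
    """Return the first value of a date field as an aware datetime, or None."""
    values = fields.get(key)
    if not values:
        return None
    try:
        parsed = datetime.fromisoformat(values[0].replace("Z", "+00:00"))
    except ValueError:
        return None  # registries using another format need their own parser
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def triage(text, now, expected_org=None, new_days=30, expiry_days=30):
    """Return a list of findings; the day thresholds are assumed defaults."""
    fields, findings = parse_whois(text), []
    created = first_date(fields, "creation date")
    expires = first_date(fields, "registry expiry date")
    if created is None:
        findings.append("creation date missing or unparsed")
    elif (now - created).days < new_days:
        findings.append(f"registered {(now - created).days} days ago")
    if expires is not None and (expires - now).days < expiry_days:
        findings.append(f"expires in {(expires - now).days} days")
    org = next((v for v in fields.get("registrant organization", []) if v), None)
    if expected_org and org and "redacted" not in org.lower() \
            and expected_org.lower() not in org.lower():
        findings.append(f"organization is {org!r}, expected {expected_org!r}")
    statuses = {v.split()[0] for v in fields.get("domain status", []) if v}
    missing = sorted(LOCKS - statuses)
    if missing:
        findings.append("locks not set: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_WHOIS, datetime(2026, 1, 20, tzinfo=timezone.utc)))
```

An empty list means none of these checks fired, not that the domain is trustworthy; redacted records leave the organization check with nothing to compare.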

WHOIS and domain management

For domain portfolio owners, WHOIS data is the public face of your domain management practices.

Keeping WHOIS data accurate

ICANN requires that WHOIS data for gTLDs be accurate. [6] Providing false WHOIS information can result in domain suspension. Even with privacy services, the underlying data you provide to your registrar must be accurate.

Review your WHOIS information annually, especially:

  • Contact email addresses (are they still active?)
  • Organization name (has your company name changed?)
  • Address (have you moved offices?)

WHOIS and domain transfers

When you transfer a domain between registrars, the WHOIS email address on file receives the transfer authorization. If that email is outdated or inaccessible, you cannot authorize the transfer. Keep your WHOIS contact email current and accessible.

After a transfer, WHOIS data typically updates to reflect the new registrar. See how long does a domain transfer take for timeline details.

WHOIS and domain expiry

The WHOIS expiry date is the definitive source for when your domain registration ends. If auto-renewal fails, the domain enters a grace period and eventually a redemption period before becoming available for anyone to register.

Monitoring WHOIS expiry dates for all domains in your portfolio is essential. See domain monitoring explained for a systematic approach.

Looking ahead

WHOIS is in transition. The protocol itself is being replaced by RDAP. Privacy regulations continue to evolve. But the fundamental need to know who is responsible for a domain name is not going away.

For domain owners, the action items are clear: keep your registration data accurate, use privacy services appropriately, and monitor your domains' WHOIS status regularly. For researchers and security professionals, adapt your tools and techniques to work with RDAP and redacted data. And for everyone, understand that WHOIS is just one piece of the domain intelligence puzzle, most useful when combined with DNS data, certificate information, and historical records.


References

[1] J. Daigle, "WHOIS Protocol Specification," RFC 3912, IETF, September 2004. https://datatracker.ietf.org/doc/html/rfc3912

[2] ICANN, "Thick WHOIS Transition Policy for .COM, .NET, and .JOBS," ICANN.org. https://www.icann.org/resources/pages/thick-whois-2016-03-01-en

[3] European Commission, "General Data Protection Regulation (GDPR)," Official Journal of the European Union, 2016. https://gdpr-info.eu/

[4] S. Hollenbeck, A. Newton, "Registration Data Access Protocol (RDAP) Object Tagging," RFC 8521, IETF, November 2018. https://datatracker.ietf.org/doc/html/rfc8521

[5] ICANN, "RDAP Implementation," ICANN.org. https://www.icann.org/rdap

[6] ICANN, "WHOIS Data Reminder Policy," ICANN.org. https://www.icann.org/resources/pages/whois-data-reminder-policy-2003-11-21-en

[7] Verisign, "Domain Name Registration Process." https://www.verisign.com/en_US/domain-names/registration/index.xhtml

[8] IANA, "WHOIS Service," IANA.org. https://www.iana.org/whois
