What Is WHOIS? Plain-English Guide

What WHOIS is, how it works, what information it shows, and why it matters for domain management, security, and research.

WHOIS is a public database that stores information about who registered a domain name and when. When you run a WHOIS lookup on any domain, you get details like the registrant's name and contact information (unless privacy protection is enabled), the registrar that manages the domain, the dates it was created and when it expires, and the name servers it uses.

The system has been around since the early days of the internet, originally as a simple directory so network operators could look up who was responsible for a given domain or IP address. Today it serves a much broader audience: security researchers, law enforcement, domain buyers, business owners, and anyone who wants to know what is behind a domain name.

How WHOIS Works

WHOIS is not one central database. It is a distributed system where each domain registry and registrar maintains its own WHOIS server containing records for the domains they manage.

When you run a WHOIS query:

  1. Your query goes to a WHOIS client (a web tool or command-line program).
  2. The client contacts the appropriate WHOIS server for the domain's TLD. For .com domains, that is Verisign's WHOIS server.
  3. The TLD server returns a "thin" record with basic information and the domain's registrar.
  4. The client then contacts the registrar's WHOIS server for the "thick" record with full details.
  5. The registrar's server returns the complete WHOIS record.

This two-step process (TLD server, then registrar server) is why WHOIS lookups sometimes show both a "Registry WHOIS" and a "Registrar WHOIS" section.
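The five steps above as a minimal client. This is an added example, not code from the original page; the registry host is Verisign's public .com WHOIS server, the registrar host in the sample is a placeholder, and the referral value is validated as a hostname before it is used because it arrives from a remote server.

```python
import re
import socket

# Registry WHOIS host for .com (run by Verisign, as the page notes).
COM_REGISTRY = "whois.verisign-grs.com"
HOSTNAME = re.compile(r"^(?=.{1,253}\Z)([a-z0-9-]{1,63}\.)+[a-z]{2,63}\Z")
REFERRAL = re.compile(r"^\s*Registrar WHOIS Server:[ \t]*(\S+)", re.I | re.M)

# Constructed registry ("thin") reply; the registrar host is a placeholder.
SAMPLE_THIN = (
    "   Domain Name: EXAMPLE.COM\r\n"
    "   Registrar WHOIS Server: whois.registrar.example\r\n"
    "   Registrar: Example Registrar, Inc.\r\n"
)

def whois_query(server, domain, timeout=10):
    """One WHOIS exchange: TCP port 43, send the name plus CRLF, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def find_referral(record):
    """Return the registrar WHOIS host named in a registry record, or None.

    The value is only accepted if it looks like a plain hostname."""
    match = REFERRAL.search(record)
    if not match:
        return None
    host = match.group(1).lower().rstrip(".")
    return host if HOSTNAME.match(host) else None

def lookup(domain, query=whois_query, registry=COM_REGISTRY):
    """Steps 2-5: ask the registry, then follow its referral to the registrar."""
    domain = domain.strip().lower()
    if not HOSTNAME.match(domain):  # also rejects embedded CR/LF
        raise ValueError("not a valid domain name: %r" % domain)
    thin = query(registry, domain)
    host = find_referral(thin)
    thick = query(host, domain) if host and host != registry else None
    return thin, thick

if __name__ == "__main__":
    print(find_referral(SAMPLE_THIN))  # parsed from the constructed sample
```

The `query` parameter lets the lookup logic be exercised with canned responses instead of live servers.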

Running a WHOIS Lookup

Web tools. Visit any WHOIS lookup service (whois.domaintools.com, who.is, icann.org/lookup) and enter a domain name.

Command line. On macOS or Linux:

whois example.com

On Windows, install a WHOIS tool or use a web-based service.

For a broader guide to domain research, see domain lookup guide.

What WHOIS Shows

A WHOIS record contains several sections of data.

Registrant Information

The registrant is the person or organization that registered the domain. The WHOIS record includes:

  • Name: The registrant's name or organization name.
  • Organization: The company or entity (if applicable).
  • Street address: Physical mailing address.
  • Email: Contact email address.
  • Phone: Contact phone number.

If WHOIS privacy (also called proxy protection or domain privacy) is enabled, these fields show the privacy service's information instead of the actual registrant's details. For example, instead of "John Smith, 123 Main St," you might see "WhoisGuard Protected, Panama."

Registrar Information

The registrar is the company where the domain is registered. This section shows which registrar manages the domain and how to contact them. This is always visible, even when privacy protection is enabled.

Important Dates

  • Creation date: When the domain was first registered. A domain created in 2005 has been around for over 20 years. A domain created last week is brand new. Age is a rough indicator of establishment.
  • Expiration date: When the current registration period ends. If the owner does not renew by this date, the domain enters the expiration process. See what happens when a domain expires.
  • Updated date: When the WHOIS record was last modified. This changes when DNS settings, contact info, or other registration details are updated.

Name Servers

The name servers handle DNS resolution for the domain. They tell you which DNS provider the domain uses. Common name servers include Cloudflare (ns1.cloudflare.com), AWS Route 53 (ns-xxx.awsdns-xx.com), and registrar-provided DNS.

Domain Status

Status codes indicate the domain's current state. The most common ones:

  • clientTransferProhibited: Locked against unauthorized transfers (normal, desirable).
  • clientDeleteProhibited: Locked against deletion (normal, desirable).
  • ok: No special restrictions or protections (basic state).
  • serverHold: Registry has placed a hold (domain does not resolve).
  • redemptionPeriod: Domain has expired and is in the recovery window.
  • pendingDelete: Domain is about to be released for public registration.

For the full domain lifecycle including these states, see domain grace periods and domain registration lifecycle.

WHOIS Privacy

WHOIS was designed in an era when the internet was smaller and more trusting. Publishing the registrant's name, address, email, and phone number in a public database made sense when domain registrants were mostly institutions and network operators.

Today, millions of individuals and small businesses register domains, and publishing their personal information creates problems:

  • Spam: Exposed email addresses get harvested for junk mail.
  • Harassment: Personal addresses and phone numbers can be used for unwanted contact.
  • Social engineering: Personal details make it easier for attackers to impersonate the domain owner.
  • Identity theft: Combined with other public data, WHOIS information can be a piece of a larger identity theft puzzle.

WHOIS privacy services solve this by replacing your personal information with the privacy service's details. Messages sent to the proxy email address are forwarded to you. Most registrars include WHOIS privacy for free.

RDAP: The WHOIS Successor

RDAP (Registration Data Access Protocol) is the modern replacement for WHOIS. It provides the same information but in a structured format (JSON) that is easier for machines to process. RDAP also supports differentiated access, meaning that different users can get different levels of detail based on their authorization level.

ICANN has required registrars and registries to support RDAP. Over time, RDAP will replace the older WHOIS protocol, though WHOIS tools will continue to work because they query the same underlying data.
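What the structured format buys you, shown on a constructed RDAP domain object. This is an added example, not part of the original page; the field names follow the RDAP JSON response format, all values are made up, and the set of expected locks is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain object; values are made up for illustration.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "EXAMPLE.COM",
  "status": ["client transfer prohibited", "client delete prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2005-03-14T09:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2026-03-14T09:00:00Z"},
    {"eventAction": "last changed", "eventDate": "2025-02-01T17:30:00Z"}
  ],
  "nameservers": [{"ldhName": "NS2.DNS.EXAMPLE"}, {"ldhName": "NS1.DNS.EXAMPLE"}]
}
""")

# RDAP writes the EPP codes clientTransferProhibited / clientDeleteProhibited
# as spaced, lowercase phrases. Which locks to expect is an assumption.
EXPECTED_LOCKS = {"client transfer prohibited", "client delete prohibited"}

def _when(value):
    """Parse an RDAP timestamp such as 2026-03-14T09:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize(rdap, now):
    """Pull dates, locks and name servers out of an RDAP domain object."""
    events = {e["eventAction"]: _when(e["eventDate"]) for e in rdap.get("events", [])}
    status = {s.lower() for s in rdap.get("status", [])}
    expires = events.get("expiration")
    return {
        "domain": rdap.get("ldhName", "").lower(),
        "created": events.get("registration"),
        "expires": expires,
        "days_left": (expires - now).days if expires else None,
        "missing_locks": sorted(EXPECTED_LOCKS - status),
        "nameservers": sorted(n["ldhName"].lower() for n in rdap.get("nameservers", [])),
    }

if __name__ == "__main__":
    fixed_now = datetime(2026, 2, 12, 9, 0, tzinfo=timezone.utc)  # fixed for stable output
    print(summarize(SAMPLE_RDAP, fixed_now))
```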

Why WHOIS Matters

Domain Management

For domain owners, WHOIS is how you verify that your domain records are correct. Check that your contact information is current, your privacy protection is active, and your domain status codes include the transfer and delete locks you expect. See the domain expiry guide for complete management guidance.

Security

WHOIS helps identify who is behind malicious domains. Security researchers use WHOIS data to trace phishing campaigns, malware distribution networks, and spam operations. Newly registered domains (visible through WHOIS creation dates) are a common indicator of suspicious activity.

Domain Purchases

If you want to buy a domain that someone else owns, WHOIS might provide their contact information. Even with privacy protection, most privacy services forward messages to the registrant. For more on researching domain ownership, see who owns a domain name.

Legal and Compliance

Law enforcement and legal professionals use WHOIS to identify domain owners in investigations, trademark disputes, and UDRP proceedings. ICANN requires that registrant information be reasonably accurate, and providing false WHOIS data can be grounds for domain cancellation.

Monitoring Domain Expiration

WHOIS is the authoritative source for a domain's expiration date. Checking WHOIS periodically tells you when your domains (or domains you are interested in acquiring) are due for renewal. For automated tracking, see our domain expiry guide.

WHOIS data is public by design. Even with privacy protection, key details like the registrar, creation date, expiration date, and name servers are visible. Assume that anyone can see when your domain was registered, when it expires, and which registrar you use.

WHOIS Limitations

Privacy protection hides the owner. If you are trying to find who really owns a domain, privacy protection stops you. You can send a message through the proxy service, but there is no guarantee of a response.

Data can be inaccurate. ICANN requires accurate WHOIS data, but enforcement is imperfect. Some registrants provide fake information. Outdated information is common when people move or change phone numbers.

Rate limiting. WHOIS servers limit how many queries you can make in a given time period. If you are checking many domains, you may get temporarily blocked.

Inconsistent formatting. Because each registrar runs its own WHOIS server, the output format varies. This makes automated parsing more difficult. RDAP addresses this with standardized JSON responses.
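The formatting problem in practice, combined with the newly-registered-domain check from the Security section. This is an added example, not code from the original page; both records are constructed, and the label list, date formats and 30-day threshold are assumptions to adapt.

```python
import re
from datetime import datetime, timezone

# Constructed records in two label/date styles; not output from real lookups.
RECORD_A = ("Domain Name: EXAMPLE.COM\n"
            "Creation Date: 2025-06-01T08:15:00Z\n"
            "Registrar: Example Registrar, Inc.\n")
RECORD_B = ("domain:      example.org\n"
            "created:     01-Jun-2025\n"
            "registrar:   Example Registrar\n")

# Assumed, deliberately short lists; extend them for the servers you query.
CREATED_LABELS = ("creation date", "created", "registered on")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")  # %b: English months

LINE = re.compile(r"^[ \t]*([^:\n]+?)[ \t]*:[ \t]*(.*?)[ \t\r]*$", re.M)

def parse_fields(record):
    """Map lowercased label to its first non-empty value ('Label: value' lines)."""
    fields = {}
    for label, value in LINE.findall(record):
        if value:
            fields.setdefault(label.lower(), value)
    return fields

def creation_date(record):
    """Return the creation date as an aware UTC datetime, or None if unreadable."""
    fields = parse_fields(record)
    raw = next((fields[k] for k in CREATED_LABELS if k in fields), None)
    for fmt in DATE_FORMATS if raw else ():
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None  # missing or unknown format: report it, do not guess

def is_newly_registered(record, now, max_age_days=30):
    """True/False by domain age; None when the date could not be read."""
    created = creation_date(record)
    if created is None:
        return None
    return (now - created).days < max_age_days

if __name__ == "__main__":
    now = datetime(2025, 6, 15, tzinfo=timezone.utc)  # fixed so results are stable
    for rec in (RECORD_A, RECORD_B):
        print(creation_date(rec).date(), is_newly_registered(rec, now))
```

Returning `None` for an unreadable date keeps "unknown age" separate from "old domain", so a parsing gap does not silently clear a domain.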

Key Takeaways

  • WHOIS is a public database of domain registration information: owner, registrar, dates, name servers, and status.
  • Anyone can run a WHOIS lookup on any domain. It is free and fast.
  • WHOIS privacy hides personal contact details but not registrar, dates, or technical records.
  • WHOIS is used for domain management, security research, domain purchasing, and legal investigations.
  • RDAP is the modern replacement for WHOIS with structured data and better access controls.
  • Check WHOIS regularly to verify your domain records are correct and your expiration dates are tracked. For automated tracking, use a domain expiry monitoring tool.
