What Is a WHOIS Lookup?
A WHOIS lookup queries public registration databases to retrieve ownership and administrative information about domain names, IP addresses, and autonomous system numbers. The WHOIS protocol (RFC 3912) provides transparency into who controls internet resources—essential for cybersecurity investigations, domain management, legal proceedings, and technical troubleshooting.
Every domain name and IP address block has registration records maintained by registrars and Regional Internet Registries. WHOIS lookups reveal the registrant's contact information (where available), registration and expiration dates, name servers, registrar details, and domain status codes. This information is fundamental for incident response, abuse reporting, trademark enforcement, and due diligence.
How WHOIS Works
WHOIS data is distributed across multiple databases maintained by different authorities:
Domain WHOIS is maintained by domain registrars (GoDaddy, Namecheap, Cloudflare) and registries (.com/.net by Verisign, .org by PIR):
| Field | Description | Example |
|---|---|---|
| Registrar | Company managing the registration | Cloudflare, Inc. |
| Registrant | Domain owner (often privacy-protected) | REDACTED FOR PRIVACY |
| Admin/Tech Contact | Administrative contacts | May be same as registrant |
| Creation Date | When the domain was registered | 2020-01-15 |
| Expiration Date | When registration expires | 2026-01-15 |
| Updated Date | Last modification date | 2025-06-01 |
| Name Servers | DNS servers for the domain | ns1.cloudflare.com |
| Status | Domain status codes | clientTransferProhibited |
IP WHOIS is maintained by Regional Internet Registries (RIRs):
| Registry | Region | Database |
|---|---|---|
| ARIN | North America | whois.arin.net |
| RIPE NCC | Europe, Middle East, Central Asia | whois.ripe.net |
| APNIC | Asia Pacific | whois.apnic.net |
| LACNIC | Latin America, Caribbean | whois.lacnic.net |
| AFRINIC | Africa | whois.afrinic.net |
RDAP (Registration Data Access Protocol) is the modern replacement for WHOIS, offering structured JSON responses, standardized access control, and internationalization support.
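The fields in the table above arrive in two very different shapes: free-form "Key: Value" text from a port-43 WHOIS server, and a structured JSON domain object from RDAP. The following added example (it is not code from this page or its lookup tool) normalises both into one record so that the two sources can be compared, which is the "check multiple data sources" advice below in practice. The sample responses are constructed for example.com, the WHOIS field labels in `_WHOIS_DATES` are the ones registrars commonly emit rather than any standard, and the RDAP JSON follows the event, nameserver and jCard entity layout of the RDAP response format.

```python
from __future__ import annotations
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Registration:
    """One shape for the table's fields, whichever protocol supplied them."""
    domain: str
    registrar: str | None = None
    created: datetime | None = None
    expires: datetime | None = None
    updated: datetime | None = None
    name_servers: list[str] = field(default_factory=list)
    status: list[str] = field(default_factory=list)

def _parse_date(value: str) -> datetime | None:
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(value.strip().rstrip("Z"), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

# Date labels commonly seen in port-43 output; assumed here, WHOIS has no fixed format.
_WHOIS_DATES = {"creation date": "created", "updated date": "updated",
                "registry expiry date": "expires", "registrar registration expiration date": "expires"}

def parse_whois(domain: str, text: str) -> Registration:
    """Parse 'Key: Value' lines of a port-43 response, stopping at the '>>>' footer."""
    rec = Registration(domain=domain.lower())
    for raw in text.splitlines():
        if raw.lstrip().startswith(">>>"):
            break
        key, sep, value = raw.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue
        if key == "registrar":
            rec.registrar = value
        elif key == "name server":
            rec.name_servers.append(value.lower())
        elif key == "domain status":
            rec.status.append(value.split()[0])   # drop the trailing EPP URL
        elif key in _WHOIS_DATES:
            setattr(rec, _WHOIS_DATES[key], _parse_date(value))
    return rec

def _epp_code(rdap_status: str) -> str:
    """RDAP spells EPP codes as spaced words ('client transfer prohibited');
    fold them back to the camel-case form the Status row above shows."""
    words = rdap_status.split()
    return words[0] + "".join(w.capitalize() for w in words[1:])

def parse_rdap(data: dict) -> Registration:
    """Pick the same fields out of an RDAP domain object (JSON)."""
    rec = Registration(domain=data.get("ldhName", "").lower())
    events = {"registration": "created", "expiration": "expires", "last changed": "updated"}
    for ev in data.get("events", []):
        if ev.get("eventAction") in events and ev.get("eventDate"):
            setattr(rec, events[ev["eventAction"]], _parse_date(ev["eventDate"]))
    rec.name_servers = [ns["ldhName"].lower() for ns in data.get("nameservers", []) if "ldhName" in ns]
    rec.status = [_epp_code(s) for s in data.get("status", [])]
    for ent in data.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:   # jCard: [name, params, type, value]
                if prop[0] == "fn":
                    rec.registrar = prop[3]
    return rec

def sources_differ(a: Registration, b: Registration) -> list[str]:
    """Fields on which two sources disagree; an empty list means they corroborate each other."""
    return [f for f in vars(a) if getattr(a, f) != getattr(b, f)]

# Constructed sample responses for example.com; not captured from any registrar.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: Cloudflare, Inc.
   Updated Date: 2025-06-01T08:00:00Z
   Creation Date: 2020-01-15T10:30:00Z
   Registry Expiry Date: 2026-01-15T10:30:00Z
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: NS1.CLOUDFLARE.COM
   Name Server: NS2.CLOUDFLARE.COM
>>> Last update of whois database: 2025-07-01T00:00:00Z <<<
"""
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "domain", "ldhName": "EXAMPLE.COM",
  "status": ["client transfer prohibited"],
  "events": [{"eventAction": "registration", "eventDate": "2020-01-15T10:30:00Z"},
             {"eventAction": "expiration", "eventDate": "2026-01-15T10:30:00Z"},
             {"eventAction": "last changed", "eventDate": "2025-06-01T08:00:00Z"}],
  "nameservers": [{"objectClassName": "nameserver", "ldhName": "NS1.CLOUDFLARE.COM"},
                  {"objectClassName": "nameserver", "ldhName": "NS2.CLOUDFLARE.COM"}],
  "entities": [{"objectClassName": "entity", "roles": ["registrar"], "vcardArray":
                ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "Cloudflare, Inc."]]]}]
}""")
```

`sources_differ(parse_whois("example.com", SAMPLE_WHOIS), parse_rdap(SAMPLE_RDAP))` returns an empty list for the two constructed responses; a non-empty list names the fields where a cached WHOIS copy and the authoritative RDAP answer disagree, which is exactly the case worth a second look. A live RFC 3912 query is only the domain name followed by CRLF sent to TCP port 43, with the free-form reply read until the server closes the connection; it is left out here so the example runs offline.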
Common Use Cases
- Incident response: Identify who owns a domain or IP address involved in a security incident for abuse reporting
- Threat intelligence: Investigate attacker infrastructure by examining domain registration patterns and hosting providers
- Domain management: Monitor expiration dates and verify DNS configuration for your organization's domains
- Legal and compliance: Support trademark disputes, DMCA takedowns, and law enforcement investigations
- Due diligence: Verify the legitimacy and history of domains before business transactions or partnerships
Best Practices
- Use RDAP when available — RDAP provides structured, machine-readable output and is the successor to WHOIS
- Check multiple data sources — WHOIS data may be cached; query the authoritative registrar or RIR directly for current information
- Account for privacy protection — GDPR caused most registrars to redact personal information; use registrar abuse contacts for legitimate inquiries
- Monitor your own domains — Set up alerts for WHOIS changes to detect unauthorized modifications to your domain records
- Respect rate limits — WHOIS servers implement rate limiting; excessive queries may result in IP blocks
References & Citations
- Leslie Daigle. (2004). RFC 3912: WHOIS Protocol Specification. Retrieved from https://www.rfc-editor.org/rfc/rfc3912 (accessed January 2025)
- Andy Newton & Scott Ellacott. (2015). RFC 7482: RDAP Query Format. Retrieved from https://www.rfc-editor.org/rfc/rfc7482 (accessed January 2025)
Frequently Asked Questions
Common questions about WHOIS lookups
WHOIS is a public database query protocol revealing domain registration details: registrar, registration/expiration dates, nameservers, registrant contact information (often redacted), and domain status. Created in 1982, WHOIS helps verify domain ownership, investigate cyber threats, enforce intellectual property rights, and research domain history. ICANN requires registrars to provide WHOIS access for all gTLDs.
GDPR (2018) forced registrars to redact personal data in WHOIS for EU registrants. Most registrars now redact all registrants' data by default. Domain privacy services replace owner details with proxy information. This protects privacy but complicates legitimate investigations. Legitimate requesters can use ICANN's Registration Data Access Protocol (RDAP) or contact registrars for non-public data with valid justification.
WHOIS helps identify: domain age (new domains are higher risk), registrar patterns (certain registrars popular with attackers), nameserver infrastructure (cloud provider or suspicious host), registration patterns (bulk registrations), and historical ownership changes. Combine with other intelligence: SSL certificates, DNS records, IP reputation, passive DNS history. Tools like DomainTools provide enhanced WHOIS with historical data and risk scoring.
Domain privacy replaces public WHOIS contact information with the privacy service's details, protecting against spam, identity theft, and harassment. Recommended for personal domains and small businesses. However, it may complicate trademark disputes, reduce trust for commercial sites, and doesn't hide technical nameserver information. Some countries (Canada) restrict privacy services. Weigh privacy benefits against transparency needs for your use case.
Common statuses: clientTransferProhibited (locked against transfers), clientUpdateProhibited (can't modify), clientDeleteProhibited (can't delete), pendingTransfer (transfer in progress), redemptionPeriod (recently deleted, recoverable), autoRenewPeriod (auto-renewing). "Client" indicates registrar-level locks; "server" indicates registry-level. Multiple statuses can apply. Check status to understand domain security posture and transferability. Lock domains to prevent unauthorized transfers.
Registration date indicates domain age; older domains are generally more trustworthy. Updated date shows recent changes (ownership transfer, nameserver changes—investigate if suspicious). Expiration date reveals abandonment risk; recently expired domains may be squatted. Look for patterns: domains registered in bulk (same day/registrar), frequent ownership changes, or expiration within days (possible disposable malicious infrastructure).
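The status-code and date answers above describe two different checks: triaging an unfamiliar domain by age, expiry and recent modification, and watching your own domains for lock or name-server changes. The following added example (not code from this page or its tool) implements both over the fields a WHOIS or RDAP record supplies. The day thresholds are assumptions chosen for the example, since the page gives no numbers, and the baseline and sample records are constructed.

```python
from datetime import datetime, timezone

# Thresholds are assumptions for this example; the page names none.
NEW_DOMAIN_DAYS = 30      # "new domains are higher risk"
EXPIRES_SOON_DAYS = 14    # "expiration within days" suggests disposable infrastructure
RECENT_CHANGE_DAYS = 7    # "updated date shows recent changes"
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}


def triage_findings(created, expires, updated, now):
    """Date heuristics for an unfamiliar domain; any field may be None if the record lacks it."""
    findings = []
    if created is not None:
        age = (now - created).days
        if age < NEW_DOMAIN_DAYS:
            findings.append(f"newly registered: {age} days old")
    if expires is not None:
        left = (expires - now).days
        if left < 0:
            findings.append(f"expired {-left} days ago: re-registration/squatting risk")
        elif left <= EXPIRES_SOON_DAYS:
            findings.append(f"expires in {left} days")
    if updated is not None and (now - updated).days <= RECENT_CHANGE_DAYS:
        findings.append("record modified within the last week")
    return findings


def baseline_drift(current, baseline):
    """Compare your own domain's live record with the expected baseline.
    Both are dicts with 'registrar', 'name_servers' and 'status' keys."""
    drift = []
    if current["registrar"] != baseline["registrar"]:
        drift.append(f"registrar changed: {baseline['registrar']} -> {current['registrar']}")
    have = {ns.lower() for ns in current["name_servers"]}
    want = {ns.lower() for ns in baseline["name_servers"]}
    if have != want:
        drift.append(f"name servers changed: added {sorted(have - want)}, removed {sorted(want - have)}")
    if not TRANSFER_LOCKS & set(current["status"]):
        drift.append("no transfer lock present")          # client- or server-level lock expected
    for lock in baseline["status"]:
        if lock not in current["status"]:
            drift.append(f"status removed: {lock}")
    return drift


# Constructed sample records (not real registration data).
UTC = timezone.utc
NOW = datetime(2025, 7, 1, tzinfo=UTC)
SUSPICIOUS = dict(created=datetime(2025, 6, 20, tzinfo=UTC),
                  expires=datetime(2025, 7, 10, tzinfo=UTC),
                  updated=datetime(2025, 6, 28, tzinfo=UTC))
ESTABLISHED = dict(created=datetime(2020, 1, 15, tzinfo=UTC),
                   expires=datetime(2026, 1, 15, tzinfo=UTC),
                   updated=datetime(2025, 6, 1, tzinfo=UTC))
BASELINE = {"registrar": "Example Registrar LLC",
            "name_servers": ["ns1.example.net", "ns2.example.net"],
            "status": ["clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited"]}
CURRENT = {"registrar": "Example Registrar LLC",
           "name_servers": ["ns1.example.net", "ns9.example.org"],
           "status": ["clientDeleteProhibited"]}
```

With the constructed data, `triage_findings(**SUSPICIOUS, now=NOW)` reports three findings (11 days old, expiring in 9 days, modified 3 days ago) and `ESTABLISHED` reports none; `baseline_drift(CURRENT, BASELINE)` flags the swapped name server, the absent transfer lock and the two locks that disappeared since the baseline was recorded. Re-running the drift check on a schedule against a stored baseline is the "monitor your own domains" practice from the list above.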
RDAP (Registration Data Access Protocol) is the modern successor to WHOIS: JSON-based, RESTful API, standardized responses, better internationalization support, authentication/authorization capabilities. RDAP enables controlled access to registration data post-GDPR. Most registries now support RDAP alongside WHOIS. For automated queries and modern applications, prefer RDAP; for quick manual lookups, WHOIS remains simpler and more universal.
Monitor: domain registration patterns matching your brand (typosquatting), newly registered similar domains, WHOIS changes to your domains (unauthorized transfers), SSL certificate issuance (Certificate Transparency logs), DNS changes, expired competitor domains (potential squatting). Use services like DomainTools, SecurityTrails, or VirusTotal for monitoring. Implement DPML (Domains Protected Marks List) for trademark protection in new gTLDs.