What Is WHOIS? Domain Registration Explained

The Origins of WHOIS

WHOIS (pronounced "who is") is a query-and-response protocol that dates back to the early days of ARPANET. When the internet was a small research network, maintaining a directory of every connected system was straightforward — a single text file listed every hostname, IP address, and responsible person. As the network grew, this directory became distributed, but the principle remained: there should be a publicly accessible record of who is responsible for every domain and IP block.

Today, WHOIS is governed by ICANN (the Internet Corporation for Assigned Names and Numbers) for generic top-level domains (.com, .net, .org) and by individual registry operators for country-code domains (.uk, .my, .de). The protocol itself is simple — port 43, plain text, minimal structure — but the ecosystem around it has grown increasingly complex.

What's in a WHOIS Record?

A WHOIS record contains several categories of information about a registered domain. The exact fields vary by registrar and TLD, but most records include:

• Domain Name: The registered domain (e.g., example.com).
• Registrar: The company where the domain was registered (GoDaddy, Namecheap, Cloudflare, etc.).
• Registrant Contact: Name, organization, email, phone, and address of the domain owner. This is the most sensitive field.
• Admin Contact: Often the same as registrant, but can be a different person responsible for administrative decisions.
• Technical Contact: The person or team handling DNS and server configuration.
• Creation Date: When the domain was first registered. Useful for assessing credibility — a domain registered last week claiming to be an established bank is suspicious.
• Expiry Date: When the domain registration lapses. Many businesses have lost their domains by missing this date.
• Name Servers: The DNS servers that resolve the domain. Shows which DNS provider is in use (Cloudflare, Route53, etc.).
• Domain Status: Codes indicating the domain's state — clientTransferProhibited prevents unauthorized transfers, serverHold means the registry has suspended the domain.
• DNSSEC: Whether DNS Security Extensions are enabled, adding a cryptographic layer to DNS responses.

WHOIS Privacy and GDPR Impact

Historically, all registrant contact details were publicly visible in WHOIS. Anyone could look up a domain and find the owner's name, address, phone number, and email. This was a goldmine for spammers, scammers, and doxxers.

The EU's General Data Protection Regulation (GDPR), which took effect in May 2018, fundamentally changed this. ICANN was forced to redact personal data from WHOIS output for registrants in the European Economic Area. In practice, most registrars extended this redaction globally to simplify compliance.

Today, most WHOIS records show redacted contact information — often just a privacy email like [email protected] that forwards to the real owner. This is separate from paid WHOIS privacy services (offered by most registrars), which replace your details with proxy information even for domains registered outside GDPR jurisdictions.

If you need to contact a domain owner for legitimate reasons (security disclosure, copyright issue, business inquiry), use the privacy proxy email. If the domain has no contact information at all, ICANN provides a Registrant Verification process through accredited registrars.

WHOIS for Security Research

WHOIS is an essential tool in security investigations and threat intelligence. Here's how professionals use it:

• Threat Attribution: When analyzing a phishing domain, WHOIS data can reveal connections to other malicious domains registered with the same email or registrar. Even with privacy redaction, the registrar and creation date provide valuable context.
• Infrastructure Mapping: Security teams map adversary infrastructure by correlating WHOIS records across domains. Shared registrars, similar naming patterns, and overlapping name servers all help identify campaigns.
• Brand Protection: Companies monitor WHOIS for domains that mimic their brand (typosquatting, homograph attacks). Early detection allows takedown requests before the domain is used for phishing.
• Due Diligence: Before doing business with an unknown company, checking their domain's WHOIS record can reveal red flags — recent registration, offshore registrar, or history of domain drops and re-registrations.
• Incident Response: If a server on your network is communicating with a suspicious domain, WHOIS provides the first pivot — who registered it, when, and through which registrar.

Understanding Domain Status Codes

WHOIS records include status codes (also called EPP status codes) that control what operations can be performed on a domain. Understanding these is critical for domain management:

• clientTransferProhibited — The most important status. Prevents the domain from being transferred to another registrar without explicit unlock. Should always be enabled unless you're actively transferring.
• clientUpdateProhibited — Locks all changes to the domain record. Useful for high-value domains that shouldn't change.
• serverDeleteProhibited — Prevents accidental deletion. Combined with transfer lock, this provides maximum protection.
• serverHold — The registry has suspended the domain, usually due to abuse, legal dispute, or non-payment. The domain will not resolve.
• clientRenewProhibited — Prevents automatic renewal. Rarely used intentionally; usually indicates a billing issue.
• addPeriod / autoRenewPeriod — Grace periods after initial registration or renewal during which the domain can still be refunded.
• redemptionPeriod — The domain has expired and been deleted, but the original owner can still recover it by paying a redemption fee (often $80-200). Lasts 30 days.
• pendingDelete — After the redemption period, the domain enters a 5-day pending delete phase before becoming available for new registration.

How to Perform a WHOIS Lookup

The simplest method is a web-based WHOIS tool. Our WHOIS Lookup retrieves the full record for any domain in real-time, with parsed and formatted output.

For command-line users, the whois utility is available on most systems:

• whois example.com — Basic lookup
• whois -h whois.verisign-grs.com example.com — Query a specific registry directly
• whois 8.8.8.8 — Reverse WHOIS on an IP address (returns the owning organization and netblock)

For bulk lookups or automated monitoring, RDAP (Registration Data Access Protocol) is replacing WHOIS. RDAP provides structured JSON output, supports authentication for non-public data, and is required for all gTLDs. Most modern WHOIS tools query RDAP behind the scenes.

Common WHOIS Problems

• Thick vs Thin WHOIS: For most TLDs (.com, .net), the registry stores only basic information, and the registrar holds the full record. A WHOIS query first hits the registry, then redirects to the registrar — sometimes this chain breaks, showing incomplete data.
• Rate Limiting: WHOIS servers limit queries to prevent abuse. Automated lookups without throttling will get blocked. Use RDAP for programmatic access.
• Stale Data: Registrants who don't update their WHOIS information after changing email addresses or hosting providers create outdated records. This can cause problems during domain transfers or disputes.
• Proxy Services: Some privacy services make it nearly impossible to reach the actual domain owner. If you have a legitimate grievance, the registrar's abuse contact is your fallback.