What is WHOIS? Domain Registration Lookup Explained
Every domain name on the internet has a registration record behind it. Learn how WHOIS lets you look up who registered a domain, when it expires, and why GDPR changed everything about domain privacy.
Table of Contents
What is WHOIS?
WHOIS(pronounced "who is") is an internet protocol used to query databases that store the registration information for domain names, IP address blocks, and autonomous systems. Think of it as the public record system for the internet — just as property records tell you who owns a house and when it was purchased, WHOIS records tell you who registered a domain name and when.
When someone registers a domain name like example.com, the registrar (the company providing the registration service, such as GoDaddy, Namecheap, or Cloudflare) is required to collect certain information about the registrant and submit it to the domain registry (the organization responsible for the top-level domain, like Verisign for .com). This data is then made available through WHOIS.
A typical WHOIS record includes:
- The registrar handling the domain registration
- Registration date (when the domain was first created)
- Expiration date (when the registration expires)
- Name servers (which DNS servers answer for the domain)
- Status codes (the domain's current state)
- Registrant contact information (often redacted for privacy)
History of WHOIS — From ARPANET to ICANN
WHOIS is one of the oldest protocols still in active use on the internet. Its origins trace back to the earliest days of computer networking.
RFC 812 — WHOIS Protocol
WHOIS is formally specified in RFC 812 by Ken Harrenstien and Vic White at SRI International. Originally designed so ARPANET system administrators could look up the contact information of other network users and hosts. The protocol uses TCP port 43 and returns plain-text results.
RFC 954 — Updated WHOIS
The protocol is updated to handle the growing internet. WHOIS becomes the standard way to query Domain Name System registration data as domain names start to be widely adopted.
ICANN Founded
The Internet Corporation for Assigned Names and Numbers (ICANN) is created to coordinate the domain name system. ICANN mandates that domain registrars collect and publish WHOIS data as a condition of accreditation.
RFC 3912 — Modern WHOIS Specification
The current WHOIS protocol specification is published. Despite being a "modern" RFC, the protocol remains fundamentally the same: a simple TCP query returning unstructured text — a design that would eventually prove inadequate.
RDAP Standardized
The IETF publishes RFCs 7480–7484, defining the Registration Data Access Protocol (RDAP) as the modern replacement for WHOIS. RDAP uses HTTPS, returns structured JSON, and supports internationalization.
GDPR Transforms WHOIS
The EU General Data Protection Regulation takes effect, forcing registrars to redact personal data from public WHOIS records. This is the single biggest disruption to the WHOIS ecosystem in its 36-year history.
RDAP Becomes Mandatory
ICANN mandates RDAP support for all gTLD registries and registrars. While traditional WHOIS port 43 services remain available, RDAP is now the authoritative source for registration data.
How WHOIS Works
When you perform a WHOIS lookup, a chain of queries happens behind the scenes to find the authoritative source for a domain's registration data.
The WHOIS Query Chain
- 1Client sends a query — You query a domain name (e.g.,
example.com) to a WHOIS server on TCP port 43, or to an RDAP endpoint over HTTPS. - 2TLD registry responds — The registry for the TLD (e.g., Verisign for
.com) returns a "thin" record with the registrar name and referral information. - 3Registrar provides full details — The client follows the referral to the registrar's own WHOIS/RDAP server, which returns the "thick" record with complete registration data, contacts, and status codes.
- 4Data is returned — The combined information is displayed to the user, including registrar details, dates, name servers, status, and (if available) contact entities.
The WHOIS ecosystem involves several distinct organizations at different levels:
| Entity | Role | Examples |
|---|---|---|
| ICANN | Global coordinator — sets policies for domain registration and WHOIS data | N/A (single global body) |
| Registry | Manages the authoritative database for a TLD | Verisign (.com, .net), PIR (.org), Google (.dev, .app) |
| Registrar | Sells domain registrations to end users | GoDaddy, Namecheap, Cloudflare, Google Domains |
| Registrant | The person or organization that registered the domain | You, your company, any domain holder |
| RIR | Regional Internet Registry — manages IP address WHOIS | ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC |
How to Read a WHOIS Record
A WHOIS record contains several categories of information. Here is what each field means and why it matters:
| Field | Description | Example |
|---|---|---|
| Domain Name | The fully qualified domain name being queried | EXAMPLE.COM |
| Registrar | The ICANN-accredited company that processed the registration | Cloudflare, Inc. |
| Creation Date | When the domain was first registered | 1997-09-15T04:00:00Z |
| Updated Date | When the WHOIS record was last modified | 2024-08-14T07:01:44Z |
| Expiry Date | When the registration expires (must be renewed before this) | 2025-08-13T04:00:00Z |
| Name Servers | DNS servers authoritative for the domain | ns1.example.com |
| Domain Status | EPP status codes indicating the domain's state | clientTransferProhibited |
| DNSSEC | Whether DNS Security Extensions are enabled | signedDelegation |
EPP Status Codes Explained
Every domain has one or more EPP (Extensible Provisioning Protocol) status codes that describe its current state. These codes control what operations can be performed on the domain. They fall into two categories: client codes (set by the registrar at the registrant's request) and server codes (set by the registry).
| Status Code | Meaning | Impact |
|---|---|---|
| ok | Domain is active with no pending operations or restrictions | Normal — no restrictions |
| clientTransferProhibited | Registrar has locked transfers — prevents unauthorized domain theft | Security lock — recommended |
| clientDeleteProhibited | Domain cannot be deleted without removing this lock first | Security lock |
| clientUpdateProhibited | WHOIS data and name servers cannot be changed | Security lock |
| serverHold | Set by the registry — domain is excluded from DNS zone | Domain does not resolve |
| pendingDelete | Domain is scheduled for deletion after the redemption period | Cannot be recovered |
| redemptionPeriod | Domain was deleted and is in a 30-day recovery window | Can be restored (with fees) |
| autoRenewPeriod | Domain was auto-renewed and is in a grace period | Can cancel renewal |
For maximum security, important domains should have clientTransferProhibited, clientDeleteProhibited, and clientUpdateProhibited status codes — collectively known as a "registrar lock." High-value domains should also request registry lock (the server* equivalents), which requires manual verification by the registry to modify.
WHOIS vs RDAP — The Modern Replacement
RDAP (Registration Data Access Protocol) was designed by the IETF to address the significant limitations of the legacy WHOIS protocol. Since 2024, ICANN requires all gTLD registries and registrars to support RDAP.
| Feature | WHOIS (Legacy) | RDAP (Modern) |
|---|---|---|
| Protocol | TCP port 43 (plain text) | HTTPS (encrypted, RESTful) |
| Data Format | Unstructured text (varies by server) | Structured JSON (standardized) |
| Internationalization | ASCII only | Full Unicode/IDN support |
| Authentication | None | Supports OAuth 2.0 and access control |
| Bootstrapping | Must know which server to query | IANA bootstrap service auto-routes queries |
| Consistency | Format varies between servers | Standardized across all providers |
| Status | Legacy — still operational | Current standard (ICANN mandated) |
One of the biggest practical advantages of RDAP is its structured JSON output. With legacy WHOIS, every registry and registrar returned data in slightly different text formats, making automated parsing extremely fragile. RDAP solves this completely — every response follows the same JSON schema regardless of the provider.
The Domain Lifecycle
Understanding the domain lifecycle is essential for interpreting WHOIS records correctly. A domain moves through several phases from registration to potential deletion:
- 1Available — The domain is not registered and can be purchased from any registrar at standard pricing.
- 2Active (Registered) — The domain is registered and active. This is the normal state, lasting 1–10 years per registration term. The registrant can renew at any time.
- 3Expired — The registration has expired. Most registrars provide a grace period (typically 0–45 days) where the domain can still be renewed at normal cost.
- 4Redemption Period — After the grace period, the domain enters a 30-day redemption period. It can be restored, but registrars charge a significant redemption fee (often $100–200+).
- 5Pending Delete — After redemption, the domain enters a 5-day pending delete phase. It cannot be recovered and will soon be released for public registration.
- 6Released — The domain is deleted from the registry and becomes available for anyone to register again. Popular expired domains are often caught by drop-catch services within milliseconds.
GDPR and WHOIS Privacy
The General Data Protection Regulation (GDPR), which took effect on May 25, 2018, fundamentally changed the WHOIS landscape. Before GDPR, WHOIS records typically included the registrant's full name, address, phone number, and email address. After GDPR, most of this personal data is redacted from public WHOIS records.
What Changed
- Personal contact data — Names, addresses, phone numbers, and email addresses are replaced with "REDACTED FOR PRIVACY" or similar notices.
- Organization names — May still be visible for registrations made under a company name, depending on the registrar's policies.
- Technical data — Registration dates, expiry dates, name servers, and status codes remain publicly available as they are not considered personal data.
- Anonymized contact — Some registrars provide a web form or anonymized email relay to contact the registrant without revealing their identity.
WHOIS Privacy Protection
Even before GDPR, many registrars offered WHOIS privacy protection(also called "domain privacy" or "proxy service") as an add-on service. This replaces the registrant's contact information with the privacy service's details.
Today, most registrars include WHOIS privacy for free on all domains. Cloudflare, Namecheap, Google Domains, and others enable it by default. The combination of GDPR requirements and free privacy services means that most WHOIS records for individual registrations now show redacted or proxy information.
Real-World Use Cases
Domain Research & Purchasing
Before buying a domain from a third party, WHOIS lookup reveals the registrar, registration history, and expiry date. This helps verify ownership claims, negotiate prices (domain age correlates with value), and determine if a domain might soon become available.
Cybersecurity & Fraud Investigation
Security analysts use WHOIS data to investigate phishing domains, malware distribution sites, and spam campaigns. Key indicators include: very recent registration dates, privacy-protected registrations on suspicious domains, registrars known for lax abuse policies, and name servers associated with malicious infrastructure.
Trademark & Brand Protection
Companies monitor WHOIS registrations for domain names that infringe on their trademarks (typosquatting, cybersquatting). WHOIS data helps identify the registrant for legal action under the UDRP (Uniform Domain-Name Dispute-Resolution Policy).
SEO & Competitive Analysis
Domain age (derived from the creation date in WHOIS) is a ranking factor in search engines. SEO professionals use WHOIS data to analyze competitor domains, track domain history, and evaluate the trustworthiness of potential link sources.
DNS Troubleshooting
When a domain is not resolving correctly, WHOIS reveals the authoritative name servers, whether DNSSEC is enabled, and whether any status codes (like serverHold) are preventing resolution. This is a critical first step in DNS debugging.
Expiry Monitoring
Businesses track the expiry dates of their own domains and critical partner domains to prevent accidental lapses. WHOIS-based monitoring tools can alert you weeks before a domain expires, giving time to renew.
Best Practices
✅ For Domain Owners
- • Enable registrar lock — Set
clientTransferProhibitedto prevent unauthorized domain transfers (domain hijacking). - • Use WHOIS privacy — Enable privacy protection to hide personal contact information from public WHOIS records.
- • Set up auto-renewal — Avoid accidental domain expiration by enabling automatic renewal with your registrar.
- • Keep contact info current — Even with privacy enabled, ensure your registrar has your current email. Expiry notices and ICANN verification emails go to this address.
- • Enable DNSSEC — Add DNS Security Extensions to protect against DNS spoofing and cache poisoning attacks.
- • Register for multiple years — Multi-year registrations reduce the risk of accidental lapses and signal domain stability.
✅ For Researchers & Analysts
- • Use RDAP over WHOIS — RDAP returns structured JSON that is reliable to parse. Legacy WHOIS text formats vary unpredictably between providers.
- • Check multiple sources — Registry and registrar WHOIS may show different data. Query both for a complete picture.
- • Look at the full record — Status codes, name server changes, and update dates can reveal more than contact information alone.
- • Respect rate limits — WHOIS/RDAP servers enforce rate limiting. Use caching and batch queries responsibly.
- • Consider historical data — Current WHOIS only shows the present state. Historical WHOIS services can reveal ownership and DNS changes over time.
Look Up a Domain Now
Ready to research a domain? Use our free WHOIS lookup tool to check registration details, name servers, status codes, and more — powered by the modern RDAP protocol with JSON export.
Open WHOIS LookupReferences
- RFC 3912— "WHOIS Protocol Specification" (2004), L. Daigle, IETF
- RFCs 7480–7484 — Registration Data Access Protocol (RDAP) specifications (2015), IETF
- ICANN — WHOIS and RDAP policies, Registrar Accreditation Agreement
- ICANN EPP Status Codes — Official reference for domain status codes at icann.org
- IANA RDAP Bootstrap — Authoritative registry of RDAP endpoints for all TLDs
- GDPR (EU Regulation 2016/679) — General Data Protection Regulation and its impact on WHOIS data publication