WHOIS

What Is WHOIS?

WHOIS (pronounced "who is") is both a protocol and a database system for looking up domain registration information. The name comes from the question it answers: "Who is responsible for this domain?"

Every domain registration creates a WHOIS record containing:

• Registrant information: Who owns the domain (name, organization, contact details)
• Administrative contact: Who manages the domain administratively
• Technical contact: Who handles technical issues
• Registrar: The company through which the domain was registered
• Registration dates: When the domain was created and when it expires
• Name servers: The DNS servers the domain uses
• Domain status: Current state (active, locked, pending transfer, etc.)

WHOIS was created in the 1980s when the internet was small and transparency was prioritized over privacy. Today, with billions of domains and widespread privacy concerns, much of this information is often redacted or hidden behind privacy services.

What Is a WHOIS Lookup?

A WHOIS lookup is a query to retrieve registration information for a specific domain. You can perform lookups through:

Web-based tools:

• ICANN Lookup (lookup.icann.org)
• Registrar WHOIS pages (GoDaddy, Namecheap, etc.)
• Third-party services (DomainTools, WhoisXML API, who.is)

Command line: On Mac/Linux, type whois example.com in terminal. Windows users can install WHOIS utilities or use web tools.

What you'll see: A typical WHOIS result shows the domain's registrar, creation date, expiration date, name servers, and status codes. Registrant contact information may be visible, redacted (showing "REDACTED FOR PRIVACY"), or replaced with privacy service details.

What Is a WHOIS Database?

The WHOIS database isn't a single centralized system—it's a distributed network of databases maintained by registries and registrars:

Registry WHOIS: Each TLD registry maintains authoritative WHOIS data for domains under their extension. Verisign operates the .com WHOIS database. PIR operates .org. Country registries operate their respective ccTLD databases.

Registrar WHOIS: Registrars maintain detailed records for domains registered through them. Registry WHOIS often provides basic information with referrals to registrar WHOIS for complete details.

Thin vs. thick WHOIS:

• Thick WHOIS: Registry stores complete registrant data (most TLDs now)
• Thin WHOIS: Registry stores minimal data; full details at registrar level (legacy .com and .net used this)

Data flow: When you query WHOIS, the request typically goes to the registry first, which either returns full data (thick) or refers you to the registrar's WHOIS server (thin).

WHOIS Information: What It Contains

A complete WHOIS record includes several data categories:

Domain information:

Domain Name: EXAMPLE.COM
Registry Domain ID: 123456789_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.com
Updated Date: 2024-01-15T12:00:00Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z

Registrar information:

Registrar: Example Registrar, Inc.
Registrar IANA ID: 1234
Registrar Abuse Contact Email: abuse@registrar.com
Registrar Abuse Contact Phone: +1.5555555555

Registrant (owner) information:

Registrant Name: [Often REDACTED]
Registrant Organization: [Often REDACTED]
Registrant Street: [Often REDACTED]
Registrant City: [Often REDACTED]
Registrant Country: US
Registrant Email: [Often REDACTED or proxy email]

Status codes:

Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientDeleteProhibited

Name servers:

Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM

WHOIS Domain Status Codes

Status codes indicate a domain's current state and restrictions:

Client-level statuses (set by registrar):

• clientTransferProhibited – Transfer locked, prevents unauthorized transfers
• clientDeleteProhibited – Cannot be deleted
• clientUpdateProhibited – Cannot modify registration details
• clientHold – Domain doesn't resolve (suspended by registrar)

Server-level statuses (set by registry):

• serverTransferProhibited – Registry-level transfer lock
• serverDeleteProhibited – Registry-level delete protection
• serverHold – Domain doesn't resolve (registry suspension)

Lifecycle statuses:

• ok or active – Normal functioning domain
• pendingTransfer – Transfer in progress
• pendingDelete – Scheduled for deletion
• redemptionPeriod – Expired, awaiting deletion, can still be recovered
• addPeriod – Recently registered, within add grace period

Understanding status codes helps when troubleshooting domain issues or evaluating expired domains for acquisition.

What Is WHOIS Privacy?

WHOIS privacy (also called domain privacy or privacy protection) is a service that hides your personal information from public WHOIS queries.

How it works: Instead of displaying your name, address, email, and phone number, the WHOIS record shows the privacy service's information. Contact attempts route through the privacy provider, which forwards legitimate inquiries while filtering spam.

What gets hidden:

• Registrant name and organization
• Street address, city, state, postal code
• Phone number
• Email address (replaced with proxy email)

What remains visible:

• Domain name and status
• Registrar information
• Registration and expiration dates
• Name servers

Why use WHOIS privacy:

Spam prevention: Exposed email addresses get harvested for spam. Privacy services filter most unwanted contact.

Identity protection: Public home addresses create safety concerns, especially for individuals running websites.

Competitive intelligence: Businesses may not want competitors knowing which domains they own.

Harassment prevention: Public figures, activists, and controversial site owners face targeted harassment without privacy protection.

Cost and availability: Many registrars now include WHOIS privacy free with registration. Others charge $5–15/year. Post-GDPR, most registrars automatically redact personal data for EU residents, making paid privacy less necessary for many users.

WHOIS and GDPR

The EU's General Data Protection Regulation (GDPR), effective May 2018, fundamentally changed WHOIS:

Before GDPR: Full registrant contact information—name, address, email, phone—was publicly visible in WHOIS for most domains.

After GDPR: Registrars began redacting personal data from public WHOIS queries. Most records now show "REDACTED FOR PRIVACY" for individual registrant details, regardless of whether the owner purchased privacy protection.

Global impact: Although GDPR applies to EU residents, most registrars implemented redaction globally rather than maintaining separate systems. This means even non-EU domain owners often see their data protected by default.

What's still accessible:

• Domain registration/expiration dates
• Registrar information
• Name servers
• Abuse contact information
• Technical data needed for internet operation

Tiered access: ICANN has developed systems allowing verified parties (law enforcement, trademark holders, security researchers) to request access to redacted data through formal processes.

WHOIS vs. RDAP

RDAP (Registration Data Access Protocol) is the modern replacement for WHOIS:

Why RDAP is better:

• Consistent, machine-readable format
• Encrypted queries protect privacy
• Authentication enables tiered access (more data for verified users)
• Better support for international characters
• Standardized across all registries

Current status: ICANN mandated RDAP support from registries and registrars starting in 2019. Most "WHOIS lookup" tools now query RDAP behind the scenes while presenting results in familiar formats. WHOIS servers still exist for backward compatibility but are being phased out.

Legitimate Uses of WHOIS

Despite privacy restrictions, WHOIS data serves important purposes:

Trademark enforcement: Brand owners identify who's registering domains that infringe their trademarks, enabling UDRP complaints and legal action.

Security research: Investigators trace malicious domains—phishing sites, malware distribution, spam operations—to identify patterns and actors.

Law enforcement: Police and government agencies investigate cybercrime, fraud, and illegal content through domain ownership records.

Business due diligence: Companies verify domain ownership before acquisitions, partnerships, or aftermarket purchases.

Abuse reporting: When domains host harmful content, WHOIS provides registrar abuse contacts for reporting.

Network troubleshooting: System administrators diagnose DNS issues using WHOIS data about name servers and registration status.

How to Use WHOIS

Finding domain ownership:

1. Go to a WHOIS lookup service (lookup.icann.org, whois.com, your registrar)
2. Enter the domain name
3. Review the results for registrant information (if visible) or privacy service details

Finding expiration dates: Look for "Registry Expiry Date" or "Expiration Date" in WHOIS results. Useful for monitoring domains you might want to acquire when they expire.

Verifying your own records: Check that your WHOIS information is accurate and that privacy protection is active if you purchased it.

Contacting domain owners: If registrant information is hidden, look for the registrar abuse email or use the privacy service's forwarding address.

Checking domain status: Review status codes to understand if a domain is locked, pending transfer, or facing issues.

WHOIS Limitations

Privacy redaction: Post-GDPR, most personal information is hidden. You can see registrar and dates, but owner identity is often obscured.

Accuracy issues: ICANN requires accurate WHOIS data, but enforcement is inconsistent. Some records contain fake or outdated information.

Rate limiting: WHOIS servers restrict query volume to prevent abuse. Bulk lookups require API access through paid services.

Inconsistent formatting: Different registries and registrars format WHOIS responses differently, making automated parsing challenging. RDAP addresses this.

No historical data: WHOIS shows current registration only. Historical ownership requires specialized services like DomainTools that archive records over time.