When you want to know "who owns this website?", "when does this domain expire?", or "which organization does this IP address belong to?" — WHOIS is the tool that answers those questions. WHOIS (pronounced "who is") is one of the internet's oldest query protocols, operating since 1982, and remains a fundamental tool for domain management, security investigations, and digital forensics.
1. What Is WHOIS?
WHOIS is a TCP-based query/response protocol (RFC 3912) used to look up registration information for domain names, IP addresses, and autonomous systems (AS). Its design is simple: send a query string to a WHOIS server, and the server returns plain-text registration data.
WHOIS data comes from databases maintained by domain registries and registrars. The system uses a distributed architecture:
- ICANN: Oversees policy for global top-level domains (gTLDs) like .com and .org
- Regional Internet Registries (RIRs): APNIC (Asia-Pacific), ARIN (North America), RIPE NCC (Europe) and the other RIRs maintain IP address allocation records
- Country-code TLD (ccTLD) authorities: Manage WHOIS data for their respective domains (e.g., .uk, .de, .tw)
WHOIS was originally designed by Elizabeth Feinler in the late 1970s for ARPANET to track users and hosts on the network. It was formally standardized as RFC 812 in 1982 — over 40 years ago and still going strong.
2. What Information Does WHOIS Reveal?
A complete domain WHOIS record typically contains the following fields:
| Field | Description | Example |
|---|---|---|
| Domain Name | The queried domain | example.com |
| Registrar | Domain registrar company | GoDaddy, Namecheap |
| Creation Date | Date domain was first registered | 1995-08-14T04:00:00Z |
| Updated Date | Date of last update | 2023-08-13T07:18:12Z |
| Registry Expiry Date | Domain expiration date | 2024-08-13T04:00:00Z |
| Name Servers | DNS server addresses | ns1.example.com |
| Domain Status | EPP status codes | clientTransferProhibited |
| Registrant | Domain owner info (may be redacted) | Privacy Protected |
2.1 Domain Status Codes Explained
WHOIS status codes are standardized by ICANN. Common ones include:
- clientTransferProhibited: Prevents transfer to another registrar (most common; protects against domain hijacking)
- clientUpdateProhibited: Prevents updates to domain information
- clientDeleteProhibited: Prevents domain deletion
- pendingDelete: Domain is pending deletion after expiry
- redemptionPeriod: 30-day window after expiry where owner can reclaim (at a premium)
- serverHold: Suspended by registry, often due to policy violations or legal orders
3. Reading a WHOIS Record
Here is a typical WHOIS query response (using example.com for illustration):
```text
Domain Name: EXAMPLE.COM
Registry Domain ID: 2138514_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://res-dom.iana.org
Updated Date: 2023-08-14T07:18:12Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2024-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: signedDelegation
```
Data is presented as key-value pairs, one per line; fields that hold several values, such as Domain Status and Name Server, are repeated once per value. Field names vary slightly between registries, but the core information is consistent.
4. Common Use Cases
4.1 Domain Expiry Monitoring
Domain expiry is behind many avoidable outages: well-known companies have lost their websites temporarily after forgetting to renew, only to find competitors swooping in. WHOIS lets you check expiry dates and set up reminder workflows.
In 2003, Microsoft failed to renew hotmail.co.uk, briefly taking the site offline. In 2018, the US government's Pay.gov experienced an outage due to domain expiry. Regular expiry monitoring is basic operational hygiene for any organization.
4.2 Domain Squatting Detection
Competitors or other third parties may register domains that resemble your brand (typosquatting such as "exmaple.com" or "example-shop.com"). Regular WHOIS monitoring helps detect such registrations early, enabling timely legal action or defensive registrations.
4.3 Security Investigations & Phishing Tracking
Security researchers rely on WHOIS as a first stop when investigating phishing or malicious domains:
- Check the creation date — newly registered domains are a common phishing indicator
- Track other domains registered under the same registrar account or contact details (where those details are not redacted)
- Compare Name Servers to find related attack infrastructure
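As an added example that is not part of the original article: a parser for the key-value record format shown in section 3, with the expiry check from section 4.1 and the newly-registered-domain check from the list above. The sample record is constructed from the section 3 listing, and EXPIRY_KEYS is an assumed list of field spellings, not an official one.

```python
import re
from datetime import datetime

# Constructed sample: the example.com record from section 3, plus a trailing notice
# line of the kind real servers append, to show that such lines are skipped.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Updated Date: 2023-08-14T07:18:12Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2024-08-13T04:00:00Z
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: signedDelegation
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""
# Expiry field spellings seen across registries (assumed list; extend as needed).
EXPIRY_KEYS = ("registry_expiry_date", "registrar_registration_expiration_date", "expiration_date")

def parse_whois(text):
    """'Key: value' lines -> dict; keys lower_snake_case, repeated keys become lists."""
    record = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith((">>>", "%", "#")):
            continue  # comment and notice lines carry no registration data
        key, _, value = line.partition(":")  # first colon only; timestamps contain ':'
        key = re.sub(r"[^a-z0-9]+", "_", key.strip().lower()).strip("_")
        value = value.strip()
        if key in record:  # Domain Status and Name Server appear once per value
            record[key] = (record[key] + [value] if isinstance(record[key], list)
                           else [record[key], value])
        else:
            record[key] = value
    return record

def parse_date(value):
    """ISO 8601 with a trailing Z (the gTLD convention) -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def expiry_status(record, now, thresholds=(60, 30, 7)):
    """(days until expiry, tightest alert threshold crossed or None); `now` is ISO text."""
    key = next((k for k in EXPIRY_KEYS if k in record), None)
    if key is None:
        return None, None
    days = (parse_date(record[key]) - parse_date(now)).days
    return days, next((t for t in sorted(thresholds) if days <= t), None)

def is_newly_registered(record, now, max_age_days=30):
    """Section 4.3 heuristic: a domain created within the last N days deserves a closer look."""
    return (parse_date(now) - parse_date(record["creation_date"])).days <= max_age_days
```

A negative day count from expiry_status means the domain has already passed its expiry date.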
4.4 IP Address Attribution
IP WHOIS queries (directed at RIRs) reveal the organization or ISP that holds an IP block, the country recorded for the allocation, and abuse contact information for reporting DDoS sources or spam.
```bash
# Command-line WHOIS queries
whois example.com   # Query domain
whois 8.8.8.8       # Query IP address (Google DNS)
whois AS15169       # Query autonomous system (Google)
```
5. WHOIS Limitations: GDPR & Privacy Redaction
The biggest shift in WHOIS history came in May 2018 when the EU's General Data Protection Regulation (GDPR) took effect, requiring protection of domain registrant personal data. Since then, most gTLD WHOIS records have been heavily redacted:
| Before GDPR | After GDPR |
|---|---|
| Registrant's real name | Privacy Protected / Redacted for Privacy |
| Registrant's email address | Proxy email or completely removed |
| Registrant's phone number | Removed |
| Registrant's postal address | Removed or country-only |
Technical domain information — expiry date, Name Servers, creation date, and status codes — is generally not affected by privacy redaction and remains publicly queryable. Law enforcement can obtain full registrant details via legal process from registrars.
6. WHOIS vs RDAP: The Next-Generation Protocol
Traditional WHOIS has known weaknesses: unstructured plain-text output, inconsistent formats across registries, and no encryption. The IETF addressed this with RDAP (Registration Data Access Protocol), standardized in 2015:
| Feature | WHOIS | RDAP |
|---|---|---|
| Data Format | Plain text (inconsistent) | JSON (standardized) |
| Transport | TCP Port 43 (cleartext) | HTTPS (encrypted) |
| Programmatic Access | Requires text parsing | Direct JSON parsing |
| Internationalization | Limited (ASCII-focused) | Full Unicode support |
| ICANN Mandate | Being phased out | Required for gTLDs since 2019 |
```text
# RDAP queries (use in browser or curl)
https://rdap.verisign.com/com/v1/domain/example.com
https://rdap.apnic.net/ip/1.1.1.1
# Via IANA Bootstrap (auto-routes to correct server)
https://rdap.org/domain/example.com
https://rdap.org/ip/8.8.8.8
```
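Added example, not part of the original article: reading the JSON that an RDAP endpoint like the ones above returns and reducing it to the same fields a WHOIS record shows, including the RFC 8056 mapping from RDAP status strings back to the EPP codes of section 2.1. The sample reply is constructed to follow the RFC 9083 object shape; it is not a captured response.

```python
import json

# Constructed RDAP reply for example.com in the RFC 9083 shape a registry server
# returns, trimmed to the fields used here (not a captured response).
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "EXAMPLE.COM",
    "status": ["client delete prohibited", "client transfer prohibited", "client update prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2024-08-13T04:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2023-08-14T07:18:12Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "A.IANA-SERVERS.NET"},
        {"objectClassName": "nameserver", "ldhName": "B.IANA-SERVERS.NET"},
    ],
    "secureDNS": {"delegationSigned": True},
    "entities": [{"objectClassName": "entity", "roles": ["registrar"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "RESERVED-Internet Assigned Numbers Authority"]]]}],
})

def rdap_status_to_epp(status):
    """RFC 8056 mapping: 'client transfer prohibited' -> 'clientTransferProhibited'."""
    if status == "active":
        return "ok"  # the one name that differs by more than spacing and case
    words = status.split()
    return words[0] + "".join(w.capitalize() for w in words[1:])

def normalize_rdap(raw):
    """Reduce an RDAP domain object to the fields a WHOIS record shows."""
    obj = json.loads(raw)
    events = {e["eventAction"]: e["eventDate"] for e in obj.get("events", [])}
    registrar = None
    for ent in obj.get("entities", []):
        if "registrar" in ent.get("roles", []):
            # vcardArray = ["vcard", [[property, params, type, value], ...]]; "fn" is the full name
            registrar = next((p[3] for p in ent["vcardArray"][1] if p[0] == "fn"), None)
    return {
        "domain_name": obj["ldhName"],
        "registrar": registrar,
        "creation_date": events.get("registration"),
        "updated_date": events.get("last changed"),
        "registry_expiry_date": events.get("expiration"),
        "domain_status": [rdap_status_to_epp(s) for s in obj.get("status", [])],
        "name_server": [ns["ldhName"] for ns in obj.get("nameservers", [])],
        "dnssec": "signedDelegation" if obj.get("secureDNS", {}).get("delegationSigned") else "unsigned",
    }
```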
7. Quick Decision Guide
7.1 ✅ Checking domain availability → WHOIS lookup
Before purchasing a domain, use WHOIS to confirm whether it's registered, who owns it, and whether it's expiring soon (potentially up for drop-catching).
7.2 ✅ Monitoring your own domains → Set expiry alerts
Set reminders at 60, 30, and 7 days before expiry. Enable auto-renewal as a safety net, but verify your payment method stays valid.
7.3 ✅ Security incident response → WHOIS + Passive DNS
Combine WHOIS registration data with passive DNS history to reconstruct an attacker's full infrastructure picture.
7.4 ✅ Reporting abuse → IP WHOIS for Abuse Contact
When hit by spam or DDoS, use IP WHOIS to find the hosting provider's abuse contact email and file a complaint ticket.
7.5 ❌ Finding domain owner's personal info → Not reliable post-GDPR
Since 2018, personal registrant details are largely redacted. You'll need legal channels to obtain this information.
8. FAQ
8.1 Is WHOIS free to use?
Basic WHOIS queries are completely free via the command-line whois tool or any online WHOIS service. Commercial services offering bulk queries, historical records, or monitoring features may charge a fee.
8.2 Is WHOIS data real-time?
Domain data typically syncs to WHOIS servers within minutes to hours of an update. DNS propagation (NS record changes) takes 24–48 hours globally — this is a separate process from WHOIS data updates.
8.3 Why does my domain show "Privacy Protected"?
Your registrar has enabled WHOIS privacy protection, substituting proxy data for your real contact information. This is normal and recommended, since it reduces spam and harassment. Most registrars offer this service free or at minimal cost.
8.4 Is RDAP more accurate than WHOIS?
RDAP provides more structured, standardized data with HTTPS encryption — it's the future. But for core data (expiry dates, Name Servers), the content difference is minimal today. For programmatic use, RDAP's JSON format is clearly superior to WHOIS plain text.
9. Summary
WHOIS is a cornerstone of internet transparency — making domain and IP ownership queryable and providing the foundation for network accountability. Despite GDPR privacy redaction limiting personal data visibility, WHOIS remains highly practical for domain expiry monitoring, security investigations, and IP attribution. Understanding how WHOIS works and where its limits lie helps you use this 40-year-old protocol more effectively in modern domain management and cybersecurity workflows.