WHOIS Lookup: Find Domain Owner & Registration Info
Real scenario: You receive a suspicious phishing email sent from [email protected]. Before you report it, you want to know: who registered this domain, when, and through which registrar? A WHOIS lookup answers all of that in under five seconds — even after GDPR redacted most personal data from public records.
Key Takeaways
- ▸WHOIS reveals registrar, creation date, expiry date, nameservers, and domain status codes — even with GDPR redaction in place.
- ▸As of January 28, 2025, ICANN officially sunset legacy WHOIS for gTLDs and replaced it with RDAP — which returns structured JSON instead of plain text.
- ▸Personal registrant data (name, email, address) is redacted for most .com/.net/.org domains since GDPR took effect in 2018; ccTLDs like .uk and .de have their own rules.
- ▸The
whoisCLI command still works on Linux/macOS; on Windows use Sysinternals or RDAP via curl. - ▸WhoisXML API maintains a database of 681 million domain records with 5 billion historic WHOIS snapshots — useful for threat intelligence and bulk analysis.
What Is WHOIS?
WHOIS is a query-and-response protocol, first defined in RFC 812 in 1982, that lets you retrieve registration data for a domain name, IP address, or autonomous system number (ASN). It operates over TCP port 43, sending a domain name in plain text and receiving a plain-text response from the authoritative registry or registrar.
Every domain registrar must maintain WHOIS data as part of their ICANN accreditation agreement. This creates a globally distributed system: whois.verisign-grs.com is authoritative for .com, whois.pir.org for .org, and so on. When you run a WHOIS lookup through a web tool or CLI, it typically queries the appropriate registry first, then redirects to the specific registrar's WHOIS server for full details.
The protocol has two major limitations that prompted its replacement: responses are unstructured free text (no standard field names), and it has no authentication mechanism — everyone gets the same data regardless of their identity or purpose. RDAP, finalized in RFC 7480 in 2015, solved both problems.
What Data Does a WHOIS Record Contain?
Even with post-GDPR redaction, a standard WHOIS record for a .com domain contains more useful data than most people realize. Here's a real-world example annotated with what each field means:
$ whois github.com
Domain Name: GITHUB.COM
Registry Domain ID: 1264483280_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2024-09-07T09:10:44Z # Last record modification
Creation Date: 2007-01-26T04:39:17Z # Domain was registered Jan 2007
Registry Expiry Date: 2026-01-26T04:39:17Z # CRITICAL for monitoring
Registrar: MarkMonitor Inc. # Registrar (not host)
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2086851750
Domain Status: clientTransferProhibited # Locked against transfers
Domain Status: clientUpdateProhibited
Domain Status: clientDeleteProhibited
Domain Status: serverTransferProhibited # Registry-level lock (high-value domain)
Name Server: DNS1.P08.NSONE.NET # Who handles DNS for this domain
Name Server: DNS2.P08.NSONE.NET
Name Server: DNS3.P08.NSONE.NET
Name Server: DNS4.P08.NSONE.NET
DNSSEC: unsigned # No DNSSEC signing
# Registrant fields — redacted post-GDPR:
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: GitHub, Inc. # Company names sometimes remain
Registrant Email: Please query the RDDS service of the Registrar
of Record for information on how to contact
the Registrant, Admin, or Tech contactNotice that even with privacy protection active, you can still determine: the exact registrar, when the domain was created (Jan 2007 — before GitHub launched publicly), when it expires, which DNS provider they use (NS1), and all domain status lock codes. This is enough data for domain monitoring, competitive intelligence, and most abuse investigations.
GDPR's Impact: What Got Redacted and When
Before May 25, 2018, a WHOIS record for a privately registered .com domain would display the registrant's full name, mailing address, phone number, and email address publicly. GDPR changed that permanently.
ICANN responded with the Temporary Specification for gTLD Registration Data, which required registrars to redact personally identifiable information (PII) from public WHOIS responses unless registrants explicitly opted in to public display. "Temporary" turned out to be permanent — as of 2026, ICANN's Registration Data Policy mandates redaction with a tiered access model still being finalized.
| WHOIS Field | Pre-GDPR (before May 2018) | Post-GDPR (current) |
|---|---|---|
| Registrant Name | Visible (full name) | Redacted |
| Registrant Email | Visible (direct email) | Replaced with contact form URL |
| Registrant Phone | Visible | Redacted |
| Registrant Address | Visible | Redacted |
| Registrant Organization | Visible | Often still visible (company name) |
| Registrar Name | Always visible | Always visible |
| Creation / Expiry Dates | Always visible | Always visible |
| Nameservers | Always visible | Always visible |
| Domain Status Codes | Always visible | Always visible |
Country-code TLDs (ccTLDs) operate under their own rules. .uk domains via Nominet have shown minimal public data for years. .de (DENIC) requires member agreement for lookups. .us domains still require public registrant data due to Nexus requirements, making them a useful data source for researchers.
RDAP: The Modern Replacement for WHOIS
On January 28, 2025, ICANN officially sunset the legacy WHOIS protocol for generic TLDs, mandating the Registration Data Access Protocol (RDAP) as the authoritative source for gTLD registration data. Legacy WHOIS still works at many registrars, but it's no longer a requirement.
RDAP's three main improvements over WHOIS:
- Structured JSON output — machine-readable, no text parsing heuristics needed
- HTTPS transport — encrypted, authenticated, not cleartext TCP port 43
- Tiered access — authenticated requests (law enforcement, registrars) can receive non-redacted data; public requests see the same redacted view as WHOIS
# Query RDAP directly — returns clean JSON
curl -s https://rdap.org/domain/github.com | jq '{
name: .ldhName,
status: .status,
registrar: .entities[0].vcardArray[1][1][3],
created: .events[] | select(.eventAction == "registration") | .eventDate,
expires: .events[] | select(.eventAction == "expiration") | .eventDate,
nameservers: [.nameservers[].ldhName]
}'
# Output:
# {
# "name": "GITHUB.COM",
# "status": ["client transfer prohibited", "server transfer prohibited"],
# "created": "2007-01-26T04:39:17Z",
# "expires": "2026-01-26T04:39:17Z",
# "nameservers": ["DNS1.P08.NSONE.NET", "DNS2.P08.NSONE.NET", ...]
# }
# RDAP bootstrap — find the correct RDAP server for any TLD
# IANA maintains the authoritative bootstrap registry:
curl -s https://data.iana.org/rdap/dns.json | jq '.services[] |
select(.[0][] == "com") | .[1]'
# ["https://rdap.verisign.com/com/v1/"]
# ICANN's own lookup (web UI):
# https://lookup.icann.org/For programmatic access at scale, WhoisXML API maintains a dataset of 681 million domain name records and over 5 billion historic WHOIS snapshots — useful for threat intelligence pipelines that need to correlate newly registered domains against known malicious patterns. In March 2026 alone, they catalogued 8.9 million newly registered domains.
Running WHOIS from the Command Line
The whois command is installed by default on most Linux distributions and macOS. It sends your query to the appropriate WHOIS server and displays the raw response.
# Basic domain lookup
whois example.com
# IP address lookup (shows ASN, routing, abuse contact)
whois 8.8.8.8
# Returns: Google LLC, AS15169, network range 8.8.8.0/24
# ASN lookup
whois AS15169
# Query a specific WHOIS server directly
whois -h whois.verisign-grs.com example.com
# Filter output to just expiry date (Linux)
whois example.com | grep -i "expiry|expiration"
# macOS: same syntax, uses different server selection
whois example.com
# Windows: whois.exe from Microsoft Sysinternals
# https://learn.microsoft.com/en-us/sysinternals/downloads/whois
whois.exe example.com
# Bulk lookup via shell loop (rate-limit to avoid blocks)
for domain in github.com stripe.com vercel.com; do
echo "=== $domain ==="
whois "$domain" | grep -E "Creation|Expiry|Registrar:"
sleep 2 # Respect rate limits
donePython: Programmatic WHOIS Lookup
# pip install python-whois
import whois
import json
def lookup_domain(domain: str) -> dict:
w = whois.whois(domain)
return {
"domain": w.domain_name,
"registrar": w.registrar,
"creation_date": str(w.creation_date),
"expiration_date": str(w.expiration_date),
"nameservers": w.name_servers,
"status": w.status,
}
result = lookup_domain("github.com")
print(json.dumps(result, indent=2))
# Output:
# {
# "domain": "GITHUB.COM",
# "registrar": "MarkMonitor, Inc.",
# "creation_date": "2007-01-26 04:39:17",
# "expiration_date": "2026-01-26 04:39:17",
# "nameservers": ["DNS1.P08.NSONE.NET", "DNS2.P08.NSONE.NET"],
# "status": ["clientTransferProhibited", "clientUpdateProhibited"]
# }
# RDAP alternative (no library needed, HTTPS, returns clean JSON)
import urllib.request
def rdap_lookup(domain: str) -> dict:
url = f"https://rdap.org/domain/{domain}"
with urllib.request.urlopen(url) as r:
data = json.loads(r.read())
dates = {e["eventAction"]: e["eventDate"] for e in data.get("events", [])}
return {
"name": data.get("ldhName"),
"status": data.get("status", []),
"created": dates.get("registration"),
"expires": dates.get("expiration"),
"nameservers": [ns["ldhName"] for ns in data.get("nameservers", [])],
}
print(rdap_lookup("stripe.com"))Domain Status Codes Decoded
Domain status codes follow the Extensible Provisioning Protocol (EPP) standard defined in RFC 5731. These codes control what operations can be performed on the domain and indicate its lifecycle state. Misreading these is a common source of confusion when transferring domains.
| Status Code | Meaning | Action Required? |
|---|---|---|
| clientTransferProhibited | Registrar lock — prevents unauthorized transfers | Normal — no action needed |
| serverTransferProhibited | Registry lock — highest security tier (common for premium domains) | Normal for important domains |
| clientDeleteProhibited | Cannot be deleted by registrar | Normal |
| clientHold | Domain is suspended — DNS not resolving | Contact registrar immediately |
| pendingTransfer | Transfer initiated, waiting for approval (5-day window) | Check email for approval request |
| redemptionPeriod | Expired; 30-day window to restore (costly) | Renew immediately — restoration fee applies |
| pendingDelete | 5-day countdown before deletion, then available to anyone | Domain is gone — monitor for re-registration |
Security and Threat Intelligence Use Cases
WHOIS data is foundational for several security workflows, even in its GDPR-redacted form:
Phishing Domain Detection
Phishing domains are almost always newly registered — attackers don't buy aged domains because they cost more. A domain with a creation date within the last 30 days, privacy protection enabled, and a nameserver pointing to a bulletproof hosting provider is a strong signal. WhoisXML API catalogued 2.1 million domains registered with malicious intent in March 2026 alone, out of 8.9 million total new registrations.
# Automated phishing signal check
import whois
from datetime import datetime, timedelta, timezone
def phishing_signals(domain: str) -> list[str]:
signals = []
try:
w = whois.whois(domain)
except Exception:
return ["WHOIS lookup failed — possible DNS blocking"]
# Signal 1: Recently registered (< 30 days)
created = w.creation_date
if isinstance(created, list):
created = created[0]
if created and (datetime.now(timezone.utc) - created.replace(tzinfo=timezone.utc)) < timedelta(days=30):
signals.append(f"Newly registered ({created.date()})")
# Signal 2: Expiry within 1 year (minimum registration)
expiry = w.expiration_date
if isinstance(expiry, list):
expiry = expiry[0]
if expiry and created:
if (expiry.replace(tzinfo=timezone.utc) - created.replace(tzinfo=timezone.utc)).days < 400:
signals.append("Minimum 1-year registration (not committed long-term)")
# Signal 3: Known bullet-proof nameserver patterns
suspicious_ns = ["namecheap", "privacyprotect", "whoisguard"]
ns_list = [ns.lower() for ns in (w.name_servers or [])]
for ns in ns_list:
if any(s in ns for s in suspicious_ns):
signals.append(f"Privacy-focused NS: {ns}")
return signals
print(phishing_signals("paypa1-secure.com"))
# ["Newly registered (2026-04-01)", "Minimum 1-year registration", ...]Domain Expiry Monitoring
Domain hijacking often happens when a company forgets to renew a domain. The expiry date in WHOIS is always public. Security teams monitor competitor and partner domains for upcoming expirations, and attackers do the same. Learn more about how DNS records work to understand what changes when a domain expires and gets re-registered by a bad actor.
IP Address WHOIS vs Domain WHOIS
Running whois 8.8.8.8 queries a completely different set of databases than domain WHOIS. IP WHOIS is handled by the five Regional Internet Registries (RIRs):
- ARIN — North America (arin.net)
- RIPE NCC — Europe, Middle East, Central Asia (ripe.net)
- APNIC — Asia-Pacific (apnic.net)
- LACNIC — Latin America and Caribbean (lacnic.net)
- AFRINIC — Africa (afrinic.net)
IP WHOIS is not subject to GDPR redaction in the same way — it shows network block owner, ASN, country, and abuse contact. This data is used for IP geolocation enrichment and spam filtering. An IP's WHOIS record shows the organization that owns the IP block, not necessarily who is using it — a server on AWS will show Amazon.com, not your application.
$ whois 8.8.8.8
# RDAP equivalent (ARIN):
NetRange: 8.8.8.0 - 8.8.8.255
CIDR: 8.8.8.0/24
NetName: LVLT-GOGL-8-8-8
Organization: Google LLC (GOGL)
Country: US
RegDate: 2014-03-14
Updated: 2014-03-14
OrgAbuseEmail: [email protected]
OrgTechEmail: [email protected]
# Query RDAP for IP:
curl -s https://rdap.arin.net/registry/ip/8.8.8.8 | jq '.name, .handle'
# "LVLT-GOGL-8-8-8"
# "NET-8-8-8-0-1"WHOIS Lookup Tools Compared
| Tool | Type | Best For | Limitation |
|---|---|---|---|
| whois CLI | Command-line | Quick terminal lookups, scripting | Plain text, no parsing |
| rdap.org API | HTTPS / JSON | Programmatic use, structured data | Rate limited for heavy use |
| lookup.icann.org | Web UI | Authoritative, official source | Web only, not scriptable easily |
| whois.com | Web UI | Non-technical users, quick checks | May show stale cached data |
| WhoisXML API | Paid API | Bulk lookups, threat intelligence, historic data | Paid; 681M records but gaps exist |
| python-whois | Python library | Automation, parsing, pipeline integration | Parser breaks on unusual registrar formats |
For most developers, the combination of the whois CLI for quick checks and https://rdap.org/domain/{domain} for scripted lookups covers 95% of use cases. The RDAP JSON response is easy to parse — use our JSON Formatter to explore the full RDAP response structure.
Frequently Asked Questions
What information does a WHOIS lookup show?
A WHOIS lookup shows registrar name, registration date, expiry date, last-updated date, nameservers, and domain status codes. Personal registrant data (name, email, address) is redacted for most gTLD domains post-GDPR unless the owner opted into public display. Company names sometimes remain visible.
Why does WHOIS say "Redacted for Privacy"?
After GDPR took effect in May 2018, ICANN required registrars to hide personally identifiable information from public WHOIS. Fields like name, address, email, and phone are replaced with "Redacted for Privacy." The registrar must still provide a contact form to reach the owner.
What is the difference between WHOIS and RDAP?
WHOIS (RFC 3912) returns unstructured plain text over TCP port 43. RDAP (RFC 7480) is its modern replacement — structured JSON over HTTPS, with authentication support for tiered access. As of January 2025, ICANN sunset legacy WHOIS for gTLDs in favor of RDAP.
How do I run a WHOIS lookup from the command line?
On Linux/macOS run `whois example.com`. For structured JSON via RDAP: `curl https://rdap.org/domain/example.com | jq .`. On Windows use Sysinternals whois.exe. The `dig` command is separate — it queries DNS records, not registration data.
Can I find out who owns a domain if registration is private?
Not directly through public WHOIS. For legitimate legal or abuse reasons, submit a request via the contact form in the WHOIS record. Law enforcement can request non-public data via ICANN's SSAD process, though this remains slow as of 2026.
How do I check when a domain expires?
The expiry date is always in public WHOIS records even with privacy protection active. Run `whois example.com` and look for "Registry Expiry Date". Most registrars send email reminders 90, 60, and 30 days before expiry.
What are WHOIS domain status codes?
EPP status codes control what operations can be performed: clientTransferProhibited (registrar lock), serverTransferProhibited (registry lock), clientHold (suspended), redemptionPeriod (expired, 30-day recovery window), pendingDelete (5 days until available for re-registration). Most live domains show clientTransferProhibited.
Parse and Explore RDAP JSON Responses
RDAP returns structured JSON — paste the output into our JSON Formatter to explore the full response tree, validate structure, and extract the fields you need. Pair it with the URL Encoder/Decoder for working with internationalized domain names (IDNs) in RDAP queries.
Open JSON Formatter