What Is WHOIS?
WHOIS is a query-and-response protocol used to look up registration information for domain names, IP addresses, and autonomous systems. It was originally defined in RFC 812 in 1982 and is maintained today by regional internet registries (RIRs) and domain registrars. WHOIS records reveal who registered a resource, when, and often contact details. Query any domain or IP with our WHOIS lookup tool.
What a WHOIS Record Contains
| Field | Description | Example |
|---|---|---|
| Registrant | Organization or person who registered the domain | Example Corp / Privacy Proxy Inc |
| Registrar | Company through which the domain was registered | Namecheap, GoDaddy, Cloudflare |
| Creation date | When the domain was first registered | 2010-03-15 |
| Expiry date | When the registration expires | 2026-03-15 |
| Name servers | DNS servers authoritative for the domain | ns1.example.com, ns2.example.com |
| Registrant email | Contact email (often redacted under GDPR) | [email protected] or redacted |
| RDAP URL | Modern replacement for WHOIS - Structured JSON format | rdap.verisign.com |
WHOIS for IP Addresses
IP WHOIS (also called RDAP for IPs) reveals which organization controls a block of IP addresses, the ISP or hosting provider name, the country of registration, and the abuse contact for reporting misuse. It does not reveal the identity of individual subscribers - Only the ISP that owns the IP block. Use our IP lookup tool for a richer view that combines WHOIS, geolocation, and ASN data.
WHOIS Privacy and GDPR
- Since GDPR took effect in 2018, most European domain registrars and many global ones now redact personal registrant data from public WHOIS records.
- WHOIS privacy (proxy registration) services replace your personal details with the registrar's information for a small annual fee.
- Law enforcement and verified security researchers can request unredacted data through formal channels.
- ICANN's RDAP protocol is gradually replacing legacy WHOIS with a structured, policy-aware format that handles privacy rules per jurisdiction.
How to Run a WHOIS Lookup
| Step | Action |
|---|---|
| 1 | Enter a domain (example.com) or IP address into the WHOIS lookup tool |
| 2 | For domains: read registrar, creation/expiry dates, status codes, and nameservers - For IPs: read the owning organization, network range, and abuse contact |
| 3 | On the command line, whois example.com works out of the box on macOS and Linux (Windows users can use RDAP in a browser: https://rdap.org/domain/example.com) |
| 4 | Cross-reference with a DNS lookup - Registration data tells you who owns the name; DNS tells you where it currently points |
Reading the red flags
Three fields do most of the investigative work. A creation date of days or weeks ago is the classic phishing-site signature - Legitimate brands have years of history. Status codes like clientTransferProhibited are normal protection, while pendingDelete or redemptionPeriod mean the domain is dying. And mismatched nameservers (a "bank" hosted on a free DNS service) rarely accompany honest operations. None of these signals is conclusive alone, but together with the page itself they catch the large majority of throwaway scam domains before any harm is done.
WHOIS vs RDAP
| Property | WHOIS (1982) | RDAP (RFC 7480, 2015) |
|---|---|---|
| Format | Free-form text, varies per registry | Structured JSON, consistent schema |
| Transport | Plain TCP port 43, unencrypted | HTTPS |
| Redirects | None - You must find the right server | Built-in referral to the authoritative source |
| Privacy handling | All-or-nothing | Tiered access per jurisdiction and requester |
| Status | Being phased out; ICANN sunset the WHOIS requirement for gTLDs in January 2025 | The authoritative protocol going forward |
What WHOIS Is Used For in Practice
- Verifying a website's age and ownership before trusting it with money or credentials.
- Finding the abuse contact for an IP that is attacking or spamming you - Every allocation lists one.
- Checking whether a domain you want is truly available, and when a squatted one expires.
- Security research: clustering malicious domains by shared registration details.
- Confirming who operates the network behind an IP - Pair it with an ASN lookup for the routing-level view.
What This Means for You
WHOIS works in both directions. Outward, it is one of the fastest legitimacy checks on the internet: thirty seconds tells you whether that "established store" was registered last Tuesday. Inward, it is worth knowing what your own footprint says - Run your domain through the lookup tool and see whether your home address is published; if it is, your registrar's privacy option fixes it in minutes. Your IP's WHOIS record, by contrast, only ever exposes your ISP, never you - Which you can confirm by looking up the address shown on the homepage.
Frequently Asked Questions
Can WHOIS tell me who owns an IP address?
It tells you which organization the address block is allocated to - The ISP, hosting company, or enterprise - Plus the registration country and an abuse contact. It never identifies the individual subscriber using the IP; only the ISP can make that connection, and only under legal process.
Why does a WHOIS result say "redacted for privacy"?
Since GDPR took effect in 2018, registrars redact personal registrant fields by default, and many owners additionally use proxy registration services. The technical fields - Registrar, dates, status, nameservers - Remain public, and those carry most of the investigative value anyway.
Is WHOIS being shut down?
The protocol is being retired, not the data. ICANN formally sunset the port-43 WHOIS obligation for generic TLDs in January 2025 in favour of RDAP, which serves the same registration data over HTTPS in structured JSON. Lookup tools simply query RDAP behind the scenes now.