Every domain on the internet is registered through a registrar — GoDaddy, Namecheap, Google Domains, and thousands of others. When you register a domain, you provide contact information: your name, email, phone number, address.

WHOIS is the system that has historically made most of that information publicly queryable by anyone. Type a domain into a WHOIS lookup and you can find out who registered it, when it was registered, when it expires, which name servers it uses, and who to contact if there's a problem.

Or at least, that's how it used to work before GDPR changed everything.

What a WHOIS Record Contains

A full WHOIS record has several sections:

Domain information:

  • Domain name
  • Registrar (who the domain was purchased through)
  • Registration date
  • Expiration date
  • Last updated date
  • Domain status (active, expired, locked, etc.)

Name servers:

  • Which DNS servers are authoritative for this domain
  • This tells you who's hosting the DNS (Cloudflare, AWS Route 53, your registrar's own DNS, etc.)

Registrant contact:

  • Name, organization, email, phone, and mailing address of the domain owner

Administrative and technical contacts:

  • Sometimes separate from the registrant — the person managing the domain technically vs. the legal owner

Here's a simplified example of what you'd see for a legitimate business:

Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar: Example Registrar, Inc.
Registrar URL: http://www.example-registrar.com
Updated Date: 2023-08-14T07:00:00Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2024-08-13T04:00:00Z
Registrar Iana ID: 376

Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET

Registrant Name: Internet Assigned Numbers Authority
Registrant Organization: Internet Assigned Numbers Authority
Registrant Email: noc@iana.org

What GDPR Did to WHOIS

In 2018, the GDPR came into effect in Europe and fundamentally changed WHOIS data. Registrars were now legally required to stop exposing personal contact information of individual (non-business) domain owners.

The result: most WHOIS records today look like this for the registrant section:

Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Email: Please query the RDDS service of the Registrar of Record

This applies globally, not just in Europe — because most major registrars chose to implement privacy protection for all customers rather than try to segment by jurisdiction.

What's still visible after GDPR:

  • The registrar name
  • Registration, update, and expiry dates
  • Domain status flags
  • Name servers
  • The registrar's abuse contact

What's now hidden:

  • Registrant name (for individuals)
  • Registrant email, phone, address (for individuals)

Business registrations are different — companies are not protected as natural persons under GDPR, so business registrant details may still appear.

When WHOIS Data Is Still Revealing

Even with privacy protection, WHOIS records tell you a surprising amount.

Registration date reveals age and credibility. A phishing site impersonating a bank registered yesterday is a red flag no matter how convincing the design. A domain registered in 1998 is almost certainly legitimate infrastructure. The creation date is never hidden.

Expiry dates matter for due diligence. A company's domain expiring in two weeks is a concern. If you're about to sign a contract or make a payment, a quick WHOIS check on the domain in the email address is worth 30 seconds.

Name servers indicate hosting provider. Even without registrant details, the name servers tell you who's hosting the DNS. ns1.cloudflare.com means Cloudflare DNS. awsdns-xx.com means AWS Route 53. This is useful for abuse reporting and for understanding the infrastructure behind a domain.

Registrar abuse contacts. If a domain is being used for spam, phishing, or malware, the registrar's abuse email is always in the WHOIS record. This is the right place to report it.

Pattern matching across registrations. If you're investigating a campaign of phishing domains, they often share characteristics — registered at the same registrar, same name servers, registration dates clustered together. WHOIS data (even redacted) can reveal these patterns.
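The pattern matching described above can be done using only the fields that survive redaction. The following is an added example, not code from the original article: it parses WHOIS text in the "Key: value" layout shown earlier and groups domains that share a registrar and name-server set and were created within a few days of each other. All domains, registrar names and dates in it are constructed sample data, and the 3-day window and minimum cluster size of 3 are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_whois(text):
    """Parse 'Key: value' lines; repeated keys (e.g. Name Server) collect into lists."""
    rec = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep and value.strip():
            rec[key.strip().lower()].append(value.strip())
    return rec

def summarize(text):
    """Keep only fields that survive redaction: registrar, creation date, name servers."""
    rec = parse_whois(text)
    return {
        "domain": rec["domain name"][0].lower(),
        "registrar": rec["registrar"][0],
        "created": datetime.fromisoformat(rec["creation date"][0].replace("Z", "+00:00")),
        "nameservers": frozenset(ns.lower() for ns in rec["name server"]),
    }

def find_clusters(records, window=timedelta(days=3), min_size=3):
    """Group by (registrar, name-server set), then find runs created close together."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["registrar"], r["nameservers"])].append(r)
    clusters = []
    for group in groups.values():
        group.sort(key=lambda r: r["created"])
        run = []
        for r in group + [None]:  # None sentinel flushes the final run
            if run and (r is None or r["created"] - run[-1]["created"] > window):
                if len(run) >= min_size:
                    clusters.append([x["domain"] for x in run])
                run = []
            if r is not None:
                run.append(r)
    return clusters

def sample(domain, registrar, created, ns):  # builds constructed WHOIS text
    return (f"Domain Name: {domain.upper()}\nRegistrar: {registrar}\n"
            f"Creation Date: {created}\nRegistrant Name: REDACTED FOR PRIVACY\n"
            + "".join(f"Name Server: {n}\n" for n in ns))

NS = ["NS1.DNS-HOST.EXAMPLE", "NS2.DNS-HOST.EXAMPLE"]
RECORDS = [summarize(t) for t in (
    sample("login-bank.example", "Registrar A", "2024-03-01T10:00:00Z", NS),
    sample("secure-bank.example", "Registrar A", "2024-03-02T09:30:00Z", NS),
    sample("bank-verify.example", "Registrar A", "2024-03-04T18:00:00Z", NS),
    sample("old-shop.example", "Registrar A", "2011-06-20T00:00:00Z", NS),
    sample("unrelated.example", "Registrar B", "2024-03-02T12:00:00Z", ["NS1.OTHER.EXAMPLE"]),
)]
CLUSTERS = find_clusters(RECORDS)  # one cluster: the three *-bank domains
```

The 2011 domain shares the registrar and name servers but falls outside the time window, so it is not pulled into the cluster.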

How to Do a WHOIS Lookup

The easiest method: use the WHOIS tool and type in any domain or IP address.

If you prefer the command line:

whois example.com

On Windows (if the whois command isn't built in, get it from Sysinternals):

whois.exe example.com

For IP addresses, WHOIS works differently — it queries the regional internet registry (ARIN for North America, RIPE for Europe, APNIC for Asia-Pacific) for information about who owns the IP block.

whois 8.8.8.8

This returns the organization that holds that IP range — in this case, Google LLC.

WHOIS for IP Addresses vs. Domains

It's worth understanding that domain WHOIS and IP WHOIS are separate systems managed by different organizations.

Domain WHOIS is managed by ICANN and accessed through registrars. Each registrar maintains its own WHOIS server for domains it manages.

IP WHOIS is managed by Regional Internet Registries:

  • ARIN — North America
  • RIPE NCC — Europe, Middle East, Central Asia
  • APNIC — Asia-Pacific
  • LACNIC — Latin America and the Caribbean
  • AFRINIC — Africa

When you look up an IP, you're querying whichever registry holds that IP block. The information returned includes the organization that holds the block, their abuse contact, and sometimes more granular assignment data.

RDAP: The Modern Replacement

WHOIS is a 1980s protocol running on port 43 — unencrypted, inconsistently formatted, and increasingly being deprecated. Its modern replacement is RDAP (Registration Data Access Protocol), which:

  • Uses HTTPS (encrypted)
  • Returns structured JSON instead of free-form text
  • Supports authentication for accessing non-redacted data (for law enforcement, etc.)
  • Has a standardized format across all registries

Most WHOIS tools (including ours) query both WHOIS and RDAP where available and return whichever gives more data. If you're building something programmatically, RDAP is the right API to use.

ICANN's RDAP endpoint for domains: https://rdap.org/domain/example.com

ARIN's RDAP for IPs: https://rdap.arin.net/registry/ip/8.8.8.8
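To show what the structured JSON buys you, here is an added example (not from the original article) that pulls the post-redaction fields out of an RDAP domain response: dates from `events`, name servers, and the registrar name and abuse email from the nested jCard `vcardArray` entries. The response below is constructed to mirror the WHOIS record shown earlier, the abuse address is a placeholder, and the field layout assumed is the RFC 9083 domain object.

```python
import json

def vcard_field(entity, name):
    """Return the first value of a jCard property (e.g. 'fn', 'email'), or None."""
    props = entity.get("vcardArray", ["vcard", []])[1]
    return next((p[3] for p in props if p[0] == name), None)

def walk_entities(obj):
    """Yield every entity, including ones nested inside other entities."""
    for ent in obj.get("entities", []):
        yield ent
        yield from walk_entities(ent)

def summarize_rdap(doc):
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    by_role = {}
    for ent in walk_entities(doc):  # the abuse contact is nested under the registrar
        for role in ent.get("roles", []):
            by_role.setdefault(role, ent)
    return {
        "domain": doc["ldhName"].lower(),
        "status": doc.get("status", []),
        "registered": events.get("registration"),
        "expires": events.get("expiration"),
        "nameservers": sorted(ns["ldhName"].lower() for ns in doc.get("nameservers", [])),
        "registrar": vcard_field(by_role.get("registrar", {}), "fn"),
        "registrant": vcard_field(by_role.get("registrant", {}), "fn"),
        "abuse_email": vcard_field(by_role.get("abuse", {}), "email"),
    }

# Constructed sample response; in real use this is the JSON body returned over HTTPS.
SAMPLE = json.loads("""{
 "objectClassName": "domain", "ldhName": "EXAMPLE.COM",
 "status": ["client transfer prohibited"],
 "events": [{"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2024-08-13T04:00:00Z"}],
 "nameservers": [{"ldhName": "B.IANA-SERVERS.NET"}, {"ldhName": "A.IANA-SERVERS.NET"}],
 "entities": [
  {"roles": ["registrar"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                            ["fn", {}, "text", "Example Registrar, Inc."]]],
   "entities": [{"roles": ["abuse"], "vcardArray": ["vcard", [
       ["email", {}, "text", "abuse@example-registrar.example"]]]}]},
  {"roles": ["registrant"],
   "vcardArray": ["vcard", [["fn", {}, "text", "REDACTED FOR PRIVACY"]]]}]
}""")
SUMMARY = summarize_rdap(SAMPLE)
```

Missing sections come back as `None` or an empty list rather than raising, which matters because registries differ in which optional members they include.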

Practical Use Cases

Domain due diligence before a transaction. Before you pay someone for a domain, service, or product, check the domain in the email. Does the registration date match when they claim the business was founded? Are they using a burner registrar? Do the name servers look legitimate?

Investigating spam or phishing. Find the registrar's abuse contact and file a report. Most registrars take action on phishing domains within 24-48 hours of a credible abuse report.

Researching a competitor or contact. If you're trying to understand who's behind a business, WHOIS data (especially for older or poorly maintained domains) can surface organization names, contacts, or related domains.

Checking your own domain's expiry. Embarrassingly common problem: domains expire because the owner forgot to renew. A WHOIS lookup on your own domain takes two seconds and tells you exactly when it expires and whether auto-renew is configured at the registrar.

Verifying DNS configuration. The name servers in a WHOIS record should match what you expect. If you've just pointed a domain to a new DNS provider and nothing is working, check WHOIS to confirm the name server update has propagated at the registry level.

What WHOIS Can't Tell You

To avoid misusing WHOIS data, it's worth being clear about its limits:

  • The registrant information may be wrong. People put fake information when registering domains all the time. Historically this was a violation of registrar terms, but enforcement was minimal.
  • The listed owner may not be the actual operator. Parking services, resellers, and brokers often appear as registrants for domains they don't actively use.
  • Privacy-protected WHOIS doesn't mean anonymous. The registrar still has the real registrant data. Law enforcement can subpoena it. Registrars provide it in response to legitimate legal requests.
  • IP WHOIS doesn't tell you who's using an IP right now. It tells you who owns the IP block. That block might be an ISP, and the actual user behind a specific IP on that ISP's network requires a subpoena to the ISP.

The Bottom Line

WHOIS is not the comprehensive directory it once was — GDPR has redacted a lot of the personally identifying information for individual domain owners. But even redacted, a WHOIS record gives you registration dates, name servers, registrar identity, and abuse contacts — which is often exactly what you need for security research, domain due diligence, and abuse reporting.

Run a lookup on any domain or IP with the WHOIS tool. It takes about three seconds and can tell you more about a domain's history than most other single sources of information on the web.