What is WHOIS?
WHOIS (pronounced "who is") is a query-response protocol used to look up information about registered domain names, IP addresses, and autonomous system numbers. When you perform a WHOIS lookup on a domain like example.com, the protocol returns a record containing details about who registered the domain, when it was created, when it expires, and which name servers it points to.
The WHOIS protocol dates back to the early days of the internet. It was first specified in RFC 812 in 1982, created by Ken Harrenstien and Vic White at the Network Information Center (NIC) at Stanford Research Institute. At the time, the internet was a small network of researchers and institutions, and knowing who was behind each connected system was straightforward and necessary for coordination.
As the internet grew through the 1990s and domain name registrations exploded, WHOIS became a critical tool for transparency and accountability. The Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the global domain name system, requires domain registrars to collect and publish registrant information through the WHOIS protocol as part of their accreditation agreements.
Today, WHOIS remains one of the most widely used tools for investigating domain ownership, though its role has evolved significantly. Privacy regulations, proxy services, and the newer RDAP protocol have changed what information is available and how it is accessed. Despite these changes, understanding WHOIS is essential for anyone involved in domain management, cybersecurity, brand protection, or web development.
How Does a WHOIS Lookup Work?
When you query a domain name, a multi-step process happens behind the scenes to retrieve the registration data. Understanding this process helps explain why different lookup tools sometimes return different results.
The Query Process
A traditional WHOIS lookup operates over TCP port 43. The client sends a plain-text query (the domain name) to a WHOIS server, which responds with a plain-text record. The process typically follows these steps:
- Query initiation — You enter a domain name into a WHOIS lookup tool (like WHOIS Wolf) or run the whois command in a terminal.
- Root WHOIS server — The query first reaches the appropriate root WHOIS server based on the top-level domain (TLD). For .com domains, this is Verisign's WHOIS server at whois.verisign-grs.com.
- Thin vs. thick WHOIS — The root server returns either a complete record (thick WHOIS) or a referral to the registrar's WHOIS server (thin WHOIS). The .com and .net registries transitioned from thin to thick WHOIS in 2019, meaning Verisign now holds the full records.
- Registrar WHOIS server — If using thin WHOIS, a second query goes to the registrar (e.g., GoDaddy, Namecheap, Cloudflare) to retrieve the complete registration details.
- Response — The full WHOIS record is returned as unstructured plain text, which the tool parses and displays to you.
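The thin-WHOIS exchange from the steps above, as an added Python example (not code from this page or from WHOIS Wolf): one port-43 query to the registry, then a follow-up to the server named in the Registrar WHOIS Server field. The responses and the host whois.registrar.example are constructed, and the input check keeps CR/LF and other stray bytes out of the query line.

```python
import re
import socket

HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}")
REFERRAL_RE = re.compile(r"^[ \t]*Registrar WHOIS Server:[ \t]*(\S+)", re.I | re.M)

def clean_host(value):
    """Return a bare lowercase hostname, or None if the value is not one."""
    host = re.sub(r"^[a-z]+://", "", value.strip().lower()).split("/")[0].rstrip(".")
    return host if len(host) <= 253 and HOST_RE.fullmatch(host) else None

def whois_query(server, query, timeout=10.0):
    """One port-43 exchange: send the query plus CRLF, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def find_referral(response):
    """Extract the registrar's WHOIS server from a registry (thin) response."""
    match = REFERRAL_RE.search(response)
    return clean_host(match.group(1)) if match else None

def lookup(domain, server="whois.verisign-grs.com", query_fn=whois_query, max_hops=3):
    """Query the registry server, then follow referrals; returns [(server, text), ...]."""
    name = clean_host(domain)
    if name is None:  # rejects CR/LF and anything else that would alter the query line
        raise ValueError("not a valid domain name: %r" % domain)
    hops, seen = [], set()
    # The seen set and hop limit stop a response that refers to itself or loops.
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)
        hops.append((server, query_fn(server, name)))
        server = find_referral(hops[-1][1])
    return hops

# Constructed responses, keyed by server, so the example runs without network access.
CONSTRUCTED = {
    "whois.verisign-grs.com": "   Domain Name: EXAMPLE.COM\r\n"
                              "   Registrar WHOIS Server: whois.registrar.example\r\n",
    "whois.registrar.example": "Domain Name: example.com\r\n"
                               "Registrar WHOIS Server: whois.registrar.example\r\n"
                               "Registrant Name: REDACTED FOR PRIVACY\r\n",
}

if __name__ == "__main__":
    for server, text in lookup("example.com", query_fn=lambda s, q: CONSTRUCTED[s]):
        print("==", server)
        print(text)
```

Calling lookup() without query_fn performs the real port-43 queries.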
Modern replacement: RDAP (Registration Data Access Protocol) is gradually replacing WHOIS. RDAP uses HTTPS and returns structured JSON data, making it more reliable and easier to parse programmatically. ICANN has mandated that all gTLD registries and registrars support RDAP, though WHOIS continues to operate in parallel.
Command Line WHOIS
On most Unix, Linux, and macOS systems, WHOIS lookups can be performed directly from the terminal:
# Basic domain lookup
whois example.com
# Query a specific WHOIS server
whois -h whois.verisign-grs.com example.com
# Lookup an IP address
whois 8.8.8.8
On Windows, there is no built-in WHOIS command, but Microsoft provides a Sysinternals Whois utility, or you can use web-based tools like WHOIS Wolf for a more user-friendly experience with parsed and highlighted results.
What Information Does WHOIS Reveal?
A complete WHOIS record contains several categories of information about a domain registration. While the exact fields vary by registrar and TLD, most records include the following data points:
Domain Information
- Domain Name — The fully qualified domain name (e.g., example.com)
- Registry Domain ID — A unique identifier assigned by the registry
- Registrar — The company through which the domain was registered (e.g., GoDaddy, Namecheap, Cloudflare Registrar)
- Registrar WHOIS Server — The URL of the registrar's WHOIS server
- Registrar URL — The registrar's website
- Registrar IANA ID — The registrar's unique IANA-assigned identifier
Date Information
- Creation Date — When the domain was first registered. This is permanent and never changes, even through transfers.
- Updated Date — The last time any change was made to the WHOIS record, including renewals, contact updates, or DNS changes.
- Expiration Date — When the domain registration expires. If not renewed, the domain enters a grace period and eventually becomes available for registration by others.
Name Servers
WHOIS records list the authoritative name servers for the domain. These DNS servers are responsible for translating the domain name into IP addresses. Common name servers include those from hosting providers (e.g., ns1.cloudflare.com), registrars, or custom name servers set up by the domain owner.
Registrant Contact Information
Historically, this was the most sought-after section of a WHOIS record, revealing the domain owner's identity:
- Registrant Name — The individual or company that owns the domain
- Registrant Organization — The company or organization name
- Registrant Email — Contact email address
- Registrant Phone — Contact phone number
- Registrant Address — Street address, city, state/province, postal code, and country
WHOIS records also include separate contact sections for the Admin Contact (administrative management), Tech Contact (technical operations), and sometimes a Billing Contact. In practice, these often contain the same information as the registrant contact.
Important: Since 2018, most registrant contact details are redacted due to GDPR compliance and privacy protection services. You will commonly see "REDACTED FOR PRIVACY" or the proxy service's information instead of the actual owner's details.
Domain Status Codes
Every WHOIS record includes one or more EPP (Extensible Provisioning Protocol) status codes that indicate the current state of the domain. These codes are critical for understanding whether a domain can be transferred, deleted, or modified. We cover these in detail in the next section.
Understanding Domain Status Codes
Domain status codes, officially known as EPP status codes, are flags set by registries and registrars to control what actions can be performed on a domain. Understanding these codes is essential for domain administrators, buyers, and security professionals.
Status codes beginning with "client" are set by the registrar at the domain owner's request. Codes beginning with "server" are set by the registry and take precedence over client-level codes.
| Status Code | Meaning |
|---|---|
| ok | The domain is in a normal state with no pending operations or restrictions. This is the default status when no other flags are set. |
| clientTransferProhibited | The registrar has locked the domain to prevent unauthorized transfers. This is the most common security status and is enabled by default on most domains. |
| clientDeleteProhibited | Prevents the domain from being deleted by the registrar. Protects against accidental or malicious deletion. |
| clientUpdateProhibited | Prevents changes to the domain's WHOIS information and DNS settings through the registrar. Often used alongside transfer prohibition for maximum security. |
| clientHold | The registrar has suspended the domain's DNS resolution. The domain will not resolve to any IP address. Often applied for non-payment or policy violations. |
| serverTransferProhibited | The registry has locked the domain against transfers. Overrides any client-level settings. Applied to high-value domains or during disputes. |
| serverDeleteProhibited | The registry prevents deletion. Commonly applied to critical infrastructure domains. |
| serverHold | The registry has suspended the domain. Usually indicates a legal order, UDRP (Uniform Domain-Name Dispute-Resolution Policy) action, or registry-level policy enforcement. |
| pendingDelete | The domain has passed through the redemption period and is scheduled for deletion. It will become available for registration again within a few days. |
| redemptionPeriod | The domain was deleted and is in a 30-day redemption window. The original registrant can restore it by paying a redemption fee (typically $80-200). |
| pendingTransfer | A transfer to another registrar has been initiated and is awaiting completion (usually 5-7 days for gTLDs). |
| addPeriod | The domain was recently registered and is within the 5-day Add Grace Period, during which it can be deleted for a full refund. |
| autoRenewPeriod | The domain was auto-renewed and is within the 45-day Auto-Renew Grace Period. The renewal can be reversed during this window. |
Security tip: If you own valuable domains, ensure they have at least clientTransferProhibited, clientDeleteProhibited, and clientUpdateProhibited status codes enabled. This "triple lock" protects against hijacking.
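An added example (not WHOIS Wolf's code) that checks a raw WHOIS record for the triple lock and for the suspension and deletion codes in the table above. The record is constructed; treating a server-level Prohibited code as covering the matching client lock, including serverUpdateProhibited, which the table does not list, is this example's assumption.

```python
import re

# Codes from the table above that mean the domain is suspended, leaving or moving.
ALERTS = {
    "clientHold": "registrar has suspended DNS resolution",
    "serverHold": "registry has suspended the domain",
    "redemptionPeriod": "deleted, in the redemption window",
    "pendingDelete": "scheduled for deletion",
    "pendingTransfer": "transfer to another registrar in progress",
}
ACTIONS = ("Transfer", "Delete", "Update")
STATUS_RE = re.compile(r"^[ \t]*(?:Domain )?Status:[ \t]*([A-Za-z]+)", re.I | re.M)

def parse_statuses(whois_text):
    """Collect codes from 'Domain Status: <code> <url>' lines, lowercased."""
    return {m.group(1).lower() for m in STATUS_RE.finditer(whois_text)}

def audit(whois_text):
    """Return (missing_locks, alerts) for one raw WHOIS record."""
    found = parse_statuses(whois_text)
    missing = []
    for action in ACTIONS:
        client = "client%sProhibited" % action
        server = "server%sProhibited" % action
        # A registry-level lock takes precedence, so either one covers the action.
        if client.lower() not in found and server.lower() not in found:
            missing.append(client)
    alerts = [(code, why) for code, why in ALERTS.items() if code.lower() in found]
    return missing, alerts

# Constructed record: transfer-locked by the registrar, delete-locked by the
# registry, no update lock, and currently on registrar hold.
SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: clientHold https://icann.org/epp#clientHold
Name Server: NS1.EXAMPLE.NET
"""

if __name__ == "__main__":
    missing, alerts = audit(SAMPLE)
    print("missing locks:", missing)
    for code, why in alerts:
        print("alert:", code, "-", why)
```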
WHOIS Privacy Protection
WHOIS privacy has become one of the most debated topics in internet governance. The tension between transparency (knowing who is behind a website) and privacy (protecting personal data) has shaped the modern WHOIS landscape.
Privacy and Proxy Services
WHOIS privacy protection services (also called domain privacy, WHOIS guard, or proxy registration) replace the registrant's personal contact information in the WHOIS record with the contact details of a proxy service. Instead of seeing "John Smith, 123 Main St, Anytown," you see something like "Contact Privacy Inc., Customer 12345."
Most registrars offer privacy protection, either as a free add-on or for a small annual fee. The registrant still owns and controls the domain, but their identity is shielded from public WHOIS queries. Email sent to the proxy address is typically forwarded to the actual registrant.
GDPR and Its Impact on WHOIS
The most significant change to WHOIS in its 40+ year history came on May 25, 2018, when the European Union's General Data Protection Regulation (GDPR) took effect. GDPR classifies personal information in WHOIS records (names, addresses, phone numbers, emails) as protected personal data.
The consequences were immediate and far-reaching:
- Registrant details redacted by default — Most registrars now automatically redact personal information from WHOIS for all domains, not just those owned by EU residents. It was simpler to apply one policy globally than to determine the residency of each registrant.
- Reduced data collection — Registrars stopped requiring certain data fields that were previously mandatory under ICANN rules.
- Gated access models — ICANN developed the System for Standardized Access/Disclosure (SSAD) to allow vetted parties (law enforcement, trademark holders, cybersecurity researchers) to request non-public WHOIS data through a formal process.
- Tiered access proposed — ICANN has been developing a tiered access system where different categories of requestors get different levels of WHOIS data, though implementation has been slow and contentious.
As a result, performing a WHOIS lookup today often reveals significantly less information than it would have before 2018. Registrar name, registration dates, name servers, and status codes are still public, but personal contact details are typically replaced with "REDACTED FOR PRIVACY" or similar placeholders.
When Privacy Is Not Available
Not all domains can use privacy protection. Some country-code TLDs (ccTLDs) require accurate public WHOIS data by law. Certain registries, particularly those serving regulated industries, mandate full disclosure. Additionally, ICANN rules historically required that registrant information be accurate, and providing false WHOIS data can be grounds for domain cancellation.
WHOIS vs RDAP
The Registration Data Access Protocol (RDAP) is the modern replacement for WHOIS, designed to address the many shortcomings of the decades-old protocol. ICANN has mandated RDAP support for all gTLD registries and registrars, and it is gradually becoming the primary method for accessing domain registration data.
| Feature | WHOIS | RDAP |
|---|---|---|
| Protocol | TCP port 43, plain text | HTTPS (port 443), RESTful API |
| Data Format | Unstructured plain text (varies by server) | Structured JSON with a defined schema |
| Authentication | None (anonymous access only) | Supports OAuth and other auth methods |
| Access Control | All-or-nothing (same data for everyone) | Differentiated access based on user role |
| Internationalization | ASCII only | Full Unicode/UTF-8 support |
| Encryption | None (plain text transmission) | TLS encryption via HTTPS |
| Error Handling | Inconsistent, human-readable text | Standard HTTP status codes with JSON error objects |
| Bootstrapping | Must know the correct WHOIS server | Automatic via IANA bootstrap service |
| Standardization | Loose (RFC 3912), output varies widely | Strict (RFC 7480-7484), consistent output |
Why RDAP Matters
The most significant advantage of RDAP is its support for differentiated access control. Unlike WHOIS, which provides the same data to everyone, RDAP can authenticate users and provide different levels of detail based on who is asking. A law enforcement officer investigating cybercrime could potentially access full registrant details, while a general public query would only see redacted information.
RDAP's structured JSON format also makes it far easier to build reliable tools and integrations. With WHOIS, every registrar formats their output differently, requiring complex parsing logic. RDAP responses follow a defined schema, making automated processing straightforward.
Despite RDAP's advantages, WHOIS is not going away soon. Many tools and workflows still rely on port 43 queries, and the transition is happening gradually. Tools like WHOIS Wolf query both protocols behind the scenes to ensure you get the most complete data available.
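To show what the defined schema buys, this added example (not from the page or any registry's code) flattens an RDAP domain object into the WHOIS field names used earlier. The response is constructed; RDAP spells statuses as words, so they are converted back to EPP names.

```python
import json

# RDAP eventAction values mapped to the WHOIS date fields described on this page.
EVENT_FIELDS = {"registration": "Creation Date", "last changed": "Updated Date",
                "expiration": "Expiration Date"}

def epp_status(rdap_status):
    """RDAP writes statuses as words ('client hold'); WHOIS shows EPP camelCase."""
    words = rdap_status.split()
    if words == ["active"]:
        return "ok"
    return "".join(w if i == 0 else w.capitalize() for i, w in enumerate(words))

def formatted_name(entity):
    """Return the 'fn' property from an entity's jCard (vcardArray), if any."""
    for prop in (entity.get("vcardArray") or ["vcard", []])[1]:
        if prop[0] == "fn":
            return prop[3]
    return None

def rdap_to_record(doc):
    """Flatten an RDAP domain object into WHOIS-style fields; absent data stays absent."""
    if doc.get("objectClassName") != "domain":
        raise ValueError("not an RDAP domain object")
    record = {
        "Domain Name": doc.get("ldhName", "").lower(),
        "Domain Status": sorted(epp_status(s) for s in doc.get("status", [])),
        "Name Servers": sorted(ns.get("ldhName", "").lower()
                               for ns in doc.get("nameservers", [])),
    }
    for event in doc.get("events", []):
        field = EVENT_FIELDS.get(event.get("eventAction"))
        if field:
            record[field] = event.get("eventDate")
    for entity in doc.get("entities", []):
        if "registrar" in entity.get("roles", []):
            record["Registrar"] = formatted_name(entity)
            for pid in entity.get("publicIds", []):
                if pid.get("type") == "IANA Registrar ID":
                    record["Registrar IANA ID"] = pid.get("identifier")
    return record

# Constructed RDAP response (not fetched from any server).
SAMPLE = json.loads("""{
  "objectClassName": "domain", "ldhName": "EXAMPLE.COM",
  "status": ["client transfer prohibited", "client delete prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2010-01-15T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2030-01-15T00:00:00Z"},
    {"eventAction": "last update of RDAP database", "eventDate": "2025-01-01T00:00:00Z"}],
  "nameservers": [{"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE.NET"}],
  "entities": [{"objectClassName": "entity", "roles": ["registrar"],
    "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
    "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                             ["fn", {}, "text", "Example Registrar, Inc."]]]}]
}""")

if __name__ == "__main__":
    print(json.dumps(rdap_to_record(SAMPLE), indent=2))
```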
Common Uses for WHOIS Lookups
WHOIS lookups serve a wide range of purposes across different industries and use cases. Here are the most common reasons people perform domain lookups:
Domain Buying and Selling
Domain investors and businesses use WHOIS to identify the current owner of a domain they want to acquire. Even with privacy protection, the WHOIS record reveals the registrar, which can be used to initiate contact through the registrar's transfer or inquiry processes. The creation date also helps assess a domain's value, as older domains often carry more authority.
Cybersecurity Investigations
Security analysts use WHOIS data extensively during incident response and threat intelligence. When investigating phishing emails, malware distribution, or suspicious websites, the WHOIS record can reveal patterns: domains registered recently, in bulk, or through registrars known for lax enforcement are red flags. Matching registrant details across multiple malicious domains can help attribute attacks to specific threat actors.
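The recent-registration and bulk-registration signals described above, as added example detection logic (not from the page). The records, the 30-day and 3-domain thresholds, and the assumption of ISO 8601 Creation Date values are all this example's own.

```python
from collections import defaultdict
from datetime import datetime, timezone

WANTED = ("domain name", "registrar", "creation date")

def parse_record(whois_text):
    """Pull the wanted 'Field: value' lines out of a raw record; first occurrence wins."""
    record = {}
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in WANTED:
            record.setdefault(key, value.strip())
    return record

def parse_date(value):
    """Parse an ISO 8601 timestamp such as 2025-06-01T10:00:00Z as timezone-aware UTC."""
    stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)

def triage(records, now, max_age_days=30, bulk_size=3):
    """Return {domain: [reasons]}; the thresholds are illustrative assumptions."""
    flags, batches, ages = defaultdict(list), defaultdict(list), {}
    for text in records:
        rec = parse_record(text)
        domain = rec.get("domain name", "?").lower()
        if "creation date" not in rec:  # redacted or non-standard record
            flags[domain].append("no creation date in record")
            continue
        created = parse_date(rec["creation date"])
        ages[domain] = (now - created).days
        batches[(rec.get("registrar", "?"), created.date())].append(domain)
    for domain, age in ages.items():
        if age < max_age_days:
            flags[domain].append("registered %d days ago" % age)
    for (registrar, day), domains in batches.items():
        if len(domains) >= bulk_size:  # same registrar, same day
            for domain in domains:
                flags[domain].append("%d domains registered on %s via %s"
                                     % (len(domains), day, registrar))
    return dict(flags)

def _record(domain, created, registrar="Example Registrar, Inc."):
    return ("Domain Name: %s\r\nRegistrar: %s\r\nCreation Date: %s\r\n"
            % (domain.upper(), registrar, created))

# Constructed records using reserved example names; not real lookups.
SAMPLES = [
    _record("login-a.example", "2025-06-01T10:00:00Z"),
    _record("login-b.example", "2025-06-01T10:02:00Z"),
    _record("login-c.example", "2025-06-01T10:05:00Z"),
    _record("example.com", "2010-01-15T00:00:00Z", "Other Registrar LLC"),
    "Domain Name: NODATE.EXAMPLE\r\nRegistrar: Example Registrar, Inc.\r\n",
]
NOW = datetime(2025, 6, 11, tzinfo=timezone.utc)  # fixed so the output is reproducible

if __name__ == "__main__":
    for domain, reasons in sorted(triage(SAMPLES, NOW).items()):
        print(domain, "->", "; ".join(reasons))
```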
Trademark and Brand Protection
Companies monitor WHOIS registrations to detect typosquatting (domains that mimic their brand name) and cybersquatting (domains registered in bad faith to profit from trademark holders). Legal teams use WHOIS data as evidence in UDRP proceedings to reclaim infringing domains.
Checking Domain Availability
Before launching a new business or project, WHOIS lookups reveal whether a desired domain is registered and, if so, when it expires. A domain nearing its expiration date might become available if the owner does not renew it.
Verifying Business Legitimacy
Consumers and businesses use WHOIS to assess the credibility of a website. A domain registered yesterday by an anonymous entity demands more scrutiny than one registered 15 years ago by a known company. WHOIS data helps distinguish legitimate businesses from potential scams.
Law Enforcement
Law enforcement agencies worldwide use WHOIS data to investigate online crime, from fraud and money laundering to child exploitation and terrorism. While GDPR has made direct access to registrant data harder, established legal channels allow law enforcement to request unredacted WHOIS data from registrars.
Network Troubleshooting
System administrators use WHOIS lookups on IP addresses to identify the organization responsible for an IP range, which is essential for reporting abuse, resolving routing issues, or configuring firewall rules.
How to Perform a Free WHOIS Lookup
There are several ways to perform a WHOIS lookup, ranging from web-based tools to command-line utilities.
Using WHOIS Wolf (Web-Based)
The easiest way to perform a WHOIS lookup is through a web-based tool like WHOIS Wolf. Here is how:
- Go to whoiswolf.app
- Enter any domain name in the search box (e.g., "google.com" or "github.io")
- Click Lookup or press Enter
- Review the parsed results, which are organized into clear sections: registrar info, dates, name servers, status codes, and contact details
- Save results to your lookup history for future reference, or add domains to your favorites for quick access
WHOIS Wolf automatically parses the raw WHOIS response into a structured, readable format. Status codes are highlighted with health indicators so you can quickly spot potential issues like expired domains or transfer locks.
Using the Command Line
If you prefer the terminal, here are commands for different operating systems:
# macOS / Linux
whois example.com
# Windows (using Sysinternals)
whois64.exe example.com
# Using RDAP via curl
curl https://rdap.verisign.com/com/v1/domain/example.com | python -m json.tool
The command-line approach returns raw, unformatted text that can be difficult to read. Web-based tools like WHOIS Wolf parse this data into a structured view that is much easier to work with, especially for non-technical users.
Using the WHOIS Wolf API
For developers who need to integrate WHOIS lookups into their applications, WHOIS Wolf provides a RESTful API. You can perform lookups programmatically and receive structured JSON responses that are easy to parse and integrate into your workflows.
WHOIS for Different TLDs
Not all top-level domains handle WHOIS the same way. The WHOIS experience varies significantly depending on the TLD of the domain you are looking up.
Generic TLDs (gTLDs)
The most common gTLDs — .com, .net, .org, .info — all have well-established WHOIS services with consistent data formats. Verisign operates the registry for .com and .net, while Public Interest Registry (PIR) handles .org. These registries provide both traditional WHOIS (port 43) and RDAP endpoints.
Newer gTLDs like .app, .dev, .io, .xyz, and hundreds of others introduced through ICANN's new gTLD program also provide full WHOIS and RDAP support, as it is required by their registry agreements with ICANN.
Country-Code TLDs (ccTLDs)
Country-code TLDs operate independently and have their own WHOIS policies, which can differ dramatically:
- .uk (United Kingdom) — Nominet operates the .uk WHOIS with detailed records. Registrant opt-out from public listing is available for individuals.
- .de (Germany) — DENIC provides a web-based WHOIS that restricts automated queries. Port 43 access requires acceptance of terms and has strict rate limits.
- .ca (Canada) — CIRA provides WHOIS with privacy options for individuals but requires organizations to publish their information.
- .au (Australia) — auDA requires registrant details to be publicly available, with limited privacy options.
- .cn (China) — CNNIC operates the .cn WHOIS with access restrictions. Some data may be available only in Chinese.
- .ru (Russia) — The .ru WHOIS provides basic information but registrant details for individuals are typically hidden.
Specialized TLDs
Some TLDs have unique WHOIS characteristics. For example, .gov domains (U.S. government) have their own WHOIS server with verified government organization data. .edu domains (accredited educational institutions) are managed by Educause with detailed institutional information. .mil (U.S. military) does not provide public WHOIS access at all.
Tip: When looking up ccTLD domains, WHOIS Wolf automatically routes your query to the correct regional WHOIS server, handling the complexity of different servers and formats behind the scenes.
Frequently Asked Questions
The clientTransferProhibited status code means the domain registrar has locked the domain to prevent unauthorized transfers to another registrar. This is a standard security measure and is enabled by default on most domains. The domain owner can request the registrar to remove this lock when they want to initiate a legitimate transfer. It is one of the most common status codes you will see in WHOIS records.