
By Mian Fahad
Posted on September 20, 2023 | 9 min read
WHOIS is a query-and-response protocol that retrieves registration data for internet resources including domain names, IP address blocks, and Autonomous System Numbers (ASNs). When you query a domain over WHOIS, you receive structured registration information: who registered it, when, through which registrar, the nameservers assigned, and the current domain status. The protocol communicates over TCP port 43 and is documented in RFC 3912. As of January 28, 2025, ICANN designated RDAP (Registration Data Access Protocol) as the official replacement for gTLD WHOIS services.
WHOIS (pronounced "who is") is a query-and-response protocol for retrieving registration data about internet resources. A WHOIS query returns the owner details, registrar, nameservers, registration and expiration dates, and current status for any queried domain name, IP address block, or Autonomous System Number.
The protocol operates over TCP port 43. It sends a plain-text query to the relevant registry or registrar server and returns a plain-text response. Every registrant who registers a domain name provides contact details (names, addresses, email addresses, phone numbers) that populate the WHOIS record. Since GDPR took effect in 2018, much of this contact data is now redacted for gTLD registrations, though the structural fields (registrar, nameservers, domain status, and key dates) remain public.
The WHOIS concept originated at Stanford's Network Information Center (NIC) in the early 1970s, where Elizabeth Feinler and her team built the first directory for querying ARPANET user information. The 'who' utility on the MIT Incompatible Timesharing System provided a parallel lookup function, and by 1977 the term "WHOIS" had become the common label for this type of directory query.
WHOIS was formally standardized in 1985 under RFC 954, and the current governing specification is RFC 3912, published by the Internet Engineering Task Force (IETF). The protocol was designed for ARPANET administrators and expanded as the domain name system grew to serve registrars, law enforcement, and security researchers.
In 1998, ICANN assumed oversight of the protocol. In 2016, ICANN formalized gTLD Registration Directory Service obligations under its contractual framework, requiring all accredited registrars to operate WHOIS services and provide public access to registration data.
ICANN itself does not keep domain registration details. Instead, all data resides in individual registrar or registry databases.
In 2007, ICANN introduced the Registrar Data Escrow (RDE) program. This program aims to increase the security of registrant information in case of registrar failure. As part of this initiative, registrars must regularly deposit backup copies of their registration data. They do this with designated escrow agents, such as Iron Mountain.
The Whois escrow service at Iron Mountain follows strict technical procedures. Registrars submit encrypted and compressed data files. This ensures the security and integrity of the information.
This escrow serves as a retrievable database in case of catastrophic failure or registrar disputes. Since there's no single Domain WHOIS database, records may vary based on retrieval methods or sources.
A domain registration record is divided into sections. Each section serves a specific purpose and refers to a particular party or component linked to the domain name, so together they describe the different aspects of the domain.
Domain status codes show the current state of the domain within the registration system. They are instructions set by the registry or registrar, they can vary between registries, and they mark the different stages of the domain life cycle.
The registrar field is a vital part of a gTLD registration record, but identifying the registrar's actual name can be tricky. Some registrars operate under multiple names or under a "doing business as" (DBA) name, which leads to confusion. Some also use their website URL as the name, which might not match their official corporate name.
Nameservers are fundamental components of a domain registration record, since they link domain names to websites. Their format and accuracy vary between records.
Typically each record lists at least two nameservers, though some domains have more. Bear in mind that the nameserver information in a registration record may be forged.
In the Registrant section, only the name and postal address are required. WHOIS domain data may include extra details such as email and phone numbers, but this extra detail is not necessarily accurate.
In Administrative and Other Contact Blocks, most fields are usually necessary. This ensures the accurate provision of contact information. ICANN requires making contact information for domain owners and managers publicly available. This includes mailing addresses, phone numbers, and email addresses, which raises privacy concerns.
Some domain registrars offer WHOIS privacy services. In these cases, they display their contact information instead of the registrant's. Yet, there is no absolute guarantee of this privacy. Legal requirements may need the release of private information.
WHOIS lookup data models are primarily of two types:
These two data models determine how registries and registrars handle WHOIS data. Their format can vary based on the policies and practices of individual domain registries and registrars.
WHOIS provides insight into online threats and strengthens digital defenses.
Domain registration data acts as a foundational element for threat intelligence. Cyber-security specialists unveil details about domain ownership, registration, and historical data. This helps them to analyze and understand the origins of online threats.
Cyber-security experts leverage WHOIS to identify and flag potentially malicious domains. They examine registration details, patterns, and anomalies. This helps them identify domains linked to cyber threats.
Domain registration data allows for a quick incident response after any cyber-attack. Forensics teams use historical WHOIS data to trace domain ownership changes over time, identify responsible entities, and build evidentiary records for legal proceedings.
WHOIS aids in tracking and attributing cyber threat actors. Cyber-security experts uncover ownership details of domains involved in malicious activities. This helps them create profiles of threat actors and enhance attribution efforts in cyber-security.
Ongoing domain reputation assessment benefits from automated domain monitoring, which tracks WHOIS record changes and flags newly registered domains matching known threat patterns.
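As an added example (not from the original article or the WhoisFreaks tooling), the snippet below parses a constructed plain-text WHOIS response of the kind returned over port 43 and raises the flags described above: a creation date within the last 30 days, a serverHold status and redacted contacts. The domain, registrar and nameserver names are invented.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a post-GDPR gTLD WHOIS response: contact fields are
# redacted, structural fields remain. None of these values are real.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LOOKUP.COM
Registrar: Example Registrar, LLC
Registrar IANA ID: 9999
Creation Date: 2024-03-02T11:04:17Z
Registry Expiry Date: 2025-03-02T11:04:17Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverHold https://icann.org/epp#serverHold
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
>>> Last update of whois database: 2024-03-10T00:00:00Z <<<
"""

def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; repeatable keys become lists."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.*?)\s*$", line)
        if not m:
            continue  # banners such as the '>>> Last update' line are skipped
        key, value = m.group(1).lower(), m.group(2)
        if key in ("domain status", "name server"):
            # keep only the EPP status token / hostname, drop the trailing URL
            record.setdefault(key, []).append(value.split()[0])
        else:
            record[key] = value
    return record

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # aware UTC

def assess_domain(record, now_iso, new_days=30):
    """Flags a triage analyst would raise from the structural WHOIS fields."""
    flags = []
    age = _ts(now_iso) - _ts(record["creation date"])
    if age < timedelta(days=new_days):
        flags.append("newly_registered")
    if "serverHold" in record.get("domain status", []):
        flags.append("server_hold")  # registry has removed it from the zone
    if any(v.lower() == "redacted for privacy" for k, v in record.items() if k.startswith("registrant")):
        flags.append("contacts_redacted")
    return {"domain": record["domain name"].lower(), "age_days": age.days, "flags": flags}
```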
WHOIS was designed in an era before data privacy regulation. Its original architecture made full registrant contact information (names, addresses, phone numbers, email addresses) publicly accessible to any user who performed a query.
The General Data Protection Regulation (GDPR), which took effect in May 2018, changed this for gTLD registrations. Registrars and registries operating in or serving European Union residents faced direct liability risk for publishing personal data in a globally accessible, unauthenticated directory. ICANN issued a Temporary Specification for gTLD Registration Data that required registrars to redact personal data fields from public WHOIS responses. That temporary measure has since been incorporated into ongoing policy through ICANN's Registration Data Policy.
A public WHOIS or RDAP query for most gTLD domains now returns:
Registrant name, address, phone number, and direct email address are typically redacted for natural persons. Organizations may choose to publish their contact data, but natural person registrants are protected by default.
ICANN operates the Registration Data Request Service (RDRS), a standardized mechanism for authorized parties (law enforcement, intellectual property rights holders, security researchers) to request access to non-public gTLD registration data. Requests go through a formal disclosure process managed by the registrar, who evaluates the legal basis for disclosure under applicable privacy law.
Some registrars offer WHOIS privacy protection services, where the registrar's contact details appear in the public WHOIS record in place of the registrant's personal information. This is distinct from GDPR redaction: privacy protection is a voluntary service a registrant subscribes to, while GDPR redaction is a compliance obligation the registrar applies automatically. The two mechanisms can coexist.
A Domain Name lookup, often called WHOIS, retrieves detailed domain registration data. This includes essential information about the domain owner. Distinguishing between a Domain Name lookup and a Domain Name Server (DNS) lookup is essential. WHOIS gives domain registration information, while a DNS lookup finds the IP address linked to a specific Domain Name.
For over four decades, WHOIS was the primary mechanism for accessing domain registration data. The IETF and ICANN have since recognized its structural limitations and designated RDAP as its replacement for gTLD registration data access.
WHOIS limitations that drove the transition:
RDAP (Registration Data Access Protocol) was developed by the IETF to address each of these limitations. ICANN designated January 28, 2025 as the date after which gTLD WHOIS services are permitted to sunset. RDAP is now the official protocol for gTLD registration data access.
| Feature | WHOIS | RDAP |
|---|---|---|
| Transport | TCP port 43, plain text | HTTPS (encrypted) |
| Response format | Unstructured plain text | Structured JSON |
| Authentication | None | Supported (differentiated access) |
| Internationalization | ASCII only | Full Unicode support |
| Referral mechanism | None standardized | Defined bootstrap mechanism |
| Privacy support | Not designed for redaction | Built-in support for GDPR-compliant redaction |
| Current status (gTLDs) | Permitted to sunset from Jan 28, 2025 | Designated ICANN standard |
RDAP responses are structured JSON objects containing standardized fields: domain name, nameservers, registrar, registration and expiration events, entity objects for registrant and registrar contacts (with GDPR-compliant redaction applied where required), and domain status codes. Because the format is standardized, any RDAP client can parse responses from any RDAP-compliant server without custom logic.
Not all domain types have completed the RDAP transition. Country-code TLDs (ccTLDs) are governed independently of ICANN's gTLD framework and may continue to rely on WHOIS. For research requiring data across both gTLD and ccTLD registrations, tools and APIs that normalize both WHOIS and RDAP responses into a single structured format remain the most practical access method.
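To show what "normalizing both WHOIS and RDAP responses into a single structured format" involves, here is an added example (not the author's or WhoisFreaks' code) that maps a constructed RDAP domain object, using the RFC 9083 member names, onto the same flat keys a plain-text WHOIS record uses. The domain, registrar and nameserver values are invented, and the redaction marker follows the remark style ICANN's gTLD RDAP profile uses.

```python
import json

# Constructed RDAP response for a hypothetical domain, trimmed to the members
# this example reads. The values are not real registration data.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "EXAMPLE-LOOKUP.COM",
    "status": ["client transfer prohibited", "server hold"],
    "nameservers": [{"ldhName": "NS1.EXAMPLE-HOST.NET"}, {"ldhName": "NS2.EXAMPLE-HOST.NET"}],
    "events": [{"eventAction": "registration", "eventDate": "2024-03-02T11:04:17Z"},
               {"eventAction": "expiration", "eventDate": "2025-03-02T11:04:17Z"}],
    "entities": [
        {"roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar, LLC"]]],
         "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}]},
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", ""]]],
         "remarks": [{"title": "REDACTED FOR PRIVACY"}]},
    ],
})

def epp_token(status):
    """RDAP spells statuses as 'server hold'; WHOIS prints the EPP form 'serverHold'."""
    words = status.split()
    return words[0] + "".join(w.capitalize() for w in words[1:])

def normalize_rdap(raw):
    """Map an RDAP domain object onto the keys a flat WHOIS record uses."""
    obj = json.loads(raw)
    events = {e["eventAction"]: e["eventDate"] for e in obj.get("events", [])}
    rec = {
        "domain name": obj["ldhName"],
        "domain status": [epp_token(s) for s in obj.get("status", [])],
        "name server": [ns["ldhName"] for ns in obj.get("nameservers", [])],
        "creation date": events.get("registration"),
        "registry expiry date": events.get("expiration"),
    }
    for ent in obj.get("entities", []):
        # jCard: the second element is a list of [name, params, type, value]
        fn = next((p[3] for p in ent["vcardArray"][1] if p[0] == "fn"), "")
        redacted = any(r.get("title", "").upper().startswith("REDACTED") for r in ent.get("remarks", []))
        if "registrar" in ent["roles"]:
            rec["registrar"] = fn
            rec["registrar iana id"] = next((p["identifier"] for p in ent.get("publicIds", [])), None)
        elif "registrant" in ent["roles"]:
            rec["registrant name"] = "REDACTED FOR PRIVACY" if redacted else fn
    return rec
```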
WHOIS and RDAP data are foundational for domain research, threat intelligence, brand protection, and incident response. But querying multiple registries and registrars directly (each with its own response format, rate limits, and authentication requirements) creates real operational friction.
The WhoisFreaks WHOIS API normalizes WHOIS and RDAP responses across millions of domains into a single structured format, with historical record access, bulk lookup support, and real-time data. Use it to make faster, better-informed decisions about domain assets, threat attribution, and online presence.