WHOIS Lookup Guide: How to Find Who Owns a Domain and What Information Is Public

IP Pulse Pro Team | May 5, 2026 | 15 min read

What Is WHOIS and Why Does It Exist?

WHOIS is a query and response protocol that provides lookup access to the databases storing the registered holders of internet resources, primarily domain names and IP address blocks. The name originates from the early ARPANET, when network administrators needed a simple way to look up who was responsible for a given host or domain. The protocol was first documented in RFC 812 (1982), revised in RFC 954 (1985), and last updated in RFC 3912 (2004), which defines little more than a plain-text query and answer over TCP port 43. Its fundamental purpose has stayed the same: to provide transparency and accountability in the domain name system.

When you register a domain name through a registrar such as GoDaddy, Namecheap, or Cloudflare, you are required to provide contact information including your name, organization, email address, phone number, and postal address. This information is held by the registrar (and, for thick registries, by the registry as well) and is, in principle, publicly accessible to anyone who queries it. The requirement to provide accurate contact data is mandated by ICANN (Internet Corporation for Assigned Names and Numbers), the organization that oversees the global domain name system, and is a condition of every domain registration agreement.

WHOIS exists for several critical reasons that benefit the internet ecosystem as a whole. First, it enables network operators and system administrators to contact domain owners when technical issues arise, such as misconfigured DNS records, email delivery problems, or traffic anomalies that suggest a compromise. Without WHOIS, resolving cross-organizational network problems would be significantly more difficult. Second, it allows law enforcement agencies to identify and contact individuals associated with domains used for illegal activities, including phishing, malware distribution, fraud, and intellectual property infringement. Third, it supports intellectual property holders in identifying the owners of domains that may be infringing on their trademarks, enabling them to pursue appropriate legal remedies through the Uniform Domain-Name Dispute-Resolution Policy (UDRP) or court proceedings.

Fourth, WHOIS data supports the security research community by providing a way to correlate domains registered by the same entity, identify patterns in cybercrime campaigns, and track the infrastructure used by threat actors. Security researchers routinely use WHOIS data to map out botnet command-and-control infrastructure, identify registrars commonly abused by spammers, and attribute malicious campaigns to specific threat groups. The availability of this data has been instrumental in takedowns of botnets, phishing operations, and other malicious infrastructure, and its value to the security ecosystem cannot be overstated.


Domain WHOIS vs IP WHOIS

It is important to distinguish between two types of WHOIS data. Domain WHOIS provides information about the registration of a domain name: who registered it, when it was created, when it expires, which registrar holds the record, and which name servers are authoritative for the domain. IP WHOIS (also called RIR WHOIS) provides information about the allocation of IP address blocks: which organization holds the allocation, which Regional Internet Registry issued it, and contact information for the network operations and abuse teams. Both use the same basic protocol, but they query entirely different databases and serve different purposes. Domain WHOIS is managed by individual registrars and registries, while IP WHOIS is managed by the five Regional Internet Registries: ARIN (North America), RIPE NCC (Europe, the Middle East, and parts of Central Asia), APNIC (Asia-Pacific), LACNIC (Latin America and the Caribbean), and AFRINIC (Africa).

Domain WHOIS

Queries the registration details of a domain name. Returns the registrant's contact information, creation and expiry dates, registrar name, EPP status codes, authoritative name servers, and DNSSEC status. Managed by individual registrars and registries. Useful for identifying domain owners, monitoring expiration dates, investigating phishing infrastructure, and brand protection. Example: whois example.com

IP WHOIS (RIR WHOIS)

Queries the allocation details of an IP address block. Returns the owning organization, Regional Internet Registry (ARIN, RIPE, APNIC, LACNIC, AFRINIC), allocation dates, AS number, and network operations contact. Managed by the five RIRs. Useful for identifying which ISP or organization controls an IP, tracing abusive traffic, and network troubleshooting. Example: whois 8.8.8.8

How to Read a WHOIS Record

WHOIS records contain a wealth of information, but they can appear cryptic at first glance because the format varies between registrars and registries. Despite these variations, most WHOIS records follow a similar structure with standardized fields. Learning to read and interpret these fields is essential for anyone using WHOIS for security research, domain management, or competitive intelligence.

Below is an annotated example of a typical WHOIS record for a domain, with explanations of each field:

Domain Name: EXAMPLE.COM
  │── The second-level domain being queried

Registry Domain ID: 2336799_DOMAIN_COM-VRSN
  │── Unique identifier assigned by the registry (Verisign for .com)

Registrar WHOIS Server: whois.registrar-example.com
  │── The WHOIS server operated by the sponsoring registrar
  │   For a thin registry (.com, .net) the registry record only points here;
  │   a thick registry (.org, .info) also holds the contact data itself

Registrar URL: http://www.registrar-example.com
  │── The registrar's website for domain management

Updated Date: 2023-08-14T07:01:38Z
  │── Last time the domain record was modified
  │   Changes include DNS updates, contact changes, renewals

Creation Date: 1995-08-14T04:00:00Z
  │── Original registration date — useful for assessing domain age
  │   Newly created domains are often suspicious

Registry Expiry Date: 2028-08-13T04:00:00Z
  │── When the domain registration expires
  │   Critical for domain expiration monitoring

Registrar: REGISTRAR-EXAMPLE, LLC
  │── The company through which the domain was registered

Registrar IANA ID: 292
  │── IANA-assigned identifier for the registrar

Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
  │── EPP status codes that control what operations are allowed
  │   clientTransferProhibited = locked against transfer at the registrar
  │   client* codes are set by the registrar (usually at the registrant's
  │   request); server* codes are set by the registry ("registry lock")

Name Server: NS1.EXAMPLE-DNS.COM
Name Server: NS2.EXAMPLE-DNS.COM
  │── Authoritative DNS servers for the domain
  │   Changes here indicate DNS configuration changes

DNSSEC: unsigned
  │── Whether the registry publishes DS records for the domain
  │   "unsigned" means no DS record exists, so validating resolvers
  │   cannot authenticate the zone's DNS answers

Registrant Name: REDACTED FOR PRIVACY
  │── Domain owner's name (redacted due to GDPR/privacy)
  │   Before 2018, this showed the actual registrant name

Registrant Organization: Example Corp
  │── Organization that owns the domain

Registrant Email: Please query the RDDS service for this information
  │── Registrant email (often redacted now)
  │   Previously a primary vector for spam and phishing

Several fields in a WHOIS record are particularly important for security and operational purposes. The creation date helps identify newly registered domains, which are statistically far more likely to be malicious: Palo Alto Networks' Unit 42 found newly registered domains roughly ten times more likely to be malicious than domains in general. The expiry date is critical for ensuring domains are renewed before they lapse, since a lapsed domain can be registered by an attacker who then inherits its email, subdomains, and the ability to obtain TLS certificates for it. The name servers reveal which DNS provider is in use, and an unexpected change of name servers can indicate a domain takeover or a migration you were not told about. The EPP status codes show the locks applied to the domain; clientTransferProhibited is the most common and the most important, because it blocks unauthorized transfers to another registrar.
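As a worked example (added here; it is not code from the original article or from any registrar), the script below parses a raw record in the format shown above and derives the signals this section calls out: domain age and a newly-registered flag, days to expiry, whether a transfer lock is in place and whether it is a registry lock, the DNSSEC state, and whether the registrant is redacted. The record is a constructed copy of the annotated example, so nothing is fetched; the 30-day NRD threshold and the "as of" date are assumptions you would replace with your own.

```python
from datetime import datetime, timezone

# Constructed sample in the shape of the annotated record above; no lookup is made
SAMPLE_RECORD = """\
   Domain Name: EXAMPLE.COM
   Registry Domain ID: 2336799_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.registrar-example.com
   Registrar URL: http://www.registrar-example.com
   Updated Date: 2023-08-14T07:01:38Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2028-08-13T04:00:00Z
   Registrar: REGISTRAR-EXAMPLE, LLC
   Registrar IANA ID: 292
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: NS1.EXAMPLE-DNS.COM
   Name Server: NS2.EXAMPLE-DNS.COM
   DNSSEC: unsigned
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Organization: Example Corp
>>> Last update of whois database: 2026-05-04T23:59:00Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire.
"""

MULTI_VALUE = {"domain status", "name server"}    # keys that legitimately repeat
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"                    # the usual WHOIS timestamp format
NRD_DAYS = 30                                      # assumed "newly registered" cut-off
AS_OF = datetime(2026, 5, 5, tzinfo=timezone.utc)  # assumed analysis time


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into a dict keyed by lower-cased field name.

    Keys in MULTI_VALUE collect a list; for every other key the first value
    wins. Comment (%, #) and banner (>>>) lines and text without a colon are skipped.
    """
    record: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#>":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in MULTI_VALUE:
            if value:
                # "clientTransferProhibited https://icann.org/epp#..." -> just the code
                record.setdefault(key, []).append(value.split()[0].lower())
        else:
            record.setdefault(key, value)
    return record


def parse_date(value: str) -> datetime:
    """WHOIS dates are normally ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def assess(record: dict, now: datetime = AS_OF, nrd_days: int = NRD_DAYS) -> dict:
    """Derive the security signals discussed above from a parsed record."""
    created = parse_date(record["creation date"])
    expires = parse_date(record["registry expiry date"])
    codes = set(record.get("domain status", []))
    age_days = (now - created).days
    return {
        "domain": record["domain name"].lower(),
        "registrar_iana_id": record.get("registrar iana id"),
        "age_days": age_days,
        "newly_registered": age_days < nrd_days,
        "days_to_expiry": (expires - now).days,
        # client* codes are set by the registrar; server* codes are a registry lock
        "transfer_locked": bool(codes & {"clienttransferprohibited", "servertransferprohibited"}),
        "registry_locked": "servertransferprohibited" in codes,
        "dnssec_signed": record.get("dnssec", "unsigned").lower() != "unsigned",
        "name_servers": sorted(record.get("name server", [])),
        "registrant_redacted": "redacted" in record.get("registrant name", "").lower(),
    }


if __name__ == "__main__":
    for field, value in assess(parse_whois(SAMPLE_RECORD)).items():
        print(f"{field:20} {value}")
```

Feed it the output of `whois example.com` and the only thing that usually needs adjusting is the date format: most gTLD registrars emit the ISO form above, but some ccTLD servers use their own, so parse_date is the function to extend.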

[Diagram: WHOIS data flow, from registration to lookup]
Registrant (provides contact information) -> Registrar (stores and manages the registration data) -> Registry (operates the TLD zone, e.g. .com, .org) -> WHOIS querier (receives the public record).
Thick WHOIS: the registry stores the full record, registrant contacts included (e.g. .org, .info, .biz).
Thin WHOIS: the registry stores only the minimal record (registrar, status, name servers, dates) and refers the querier to the registrar for the rest (e.g. .com, .net).

WHOIS Privacy Protection

WHOIS privacy protection (also called domain privacy or WHOIS masking) is a service that replaces your personal contact information in the public WHOIS database with the contact details of a privacy or proxy service. When you register a domain without privacy protection, your name, email address, phone number, and physical address are visible to anyone who performs a WHOIS lookup. This creates significant risks including spam, phishing, identity theft, physical security threats, and unwanted solicitations. WHOIS privacy services address these concerns by acting as an intermediary — the public sees the privacy service's generic contact information, while messages sent to those contacts are forwarded to you privately.

The mechanics of WHOIS privacy are straightforward but important to understand. When you enable privacy protection, your registrar replaces the registrant, administrative, and technical contact fields with information from their privacy service. For example, instead of showing "John Doe, john@example.com, +1-555-0123, 123 Main St", the WHOIS record might show "Domains By Proxy, LLC, example.com@domainsbyproxy.com" as the registrant. Email sent to the proxy address is forwarded to your real email, typically with a time-limited forwarding window (such as 5 days) to prevent long-term spam. Some privacy services also offer postal mail and phone forwarding for an additional fee.

Important: Without WHOIS privacy protection, your personal information — including your name, email, phone number, and home address — is publicly visible to anyone who performs a WHOIS lookup. WHOIS data is routinely scraped by spammers, telemarketers, and malicious actors. If you own a domain, enabling WHOIS privacy should be one of your first actions after registration.
Aspect              | Without WHOIS privacy                          | With WHOIS privacy
--------------------|------------------------------------------------|-----------------------------------------------------
Registrant name     | Your real name (e.g., "Jane Smith")            | Privacy service name (e.g., "Domains By Proxy, LLC")
Email address       | Your real email, exposed to scrapers           | Proxy email with time-limited forwarding
Phone number        | Your real phone number, public                 | Proxy number or "Not Disclosed"
Mailing address     | Your home or business address                  | Privacy service's business address
Spam risk           | Very high; WHOIS data is routinely scraped     | Greatly reduced; the proxy filters most spam
Identity theft risk | Elevated; personal data publicly accessible    | Much lower; personal data is shielded
Physical safety     | Home address visible to anyone                 | Address hidden behind the proxy
Legal contact       | Direct contact possible via WHOIS              | Contact via proxy, with forwarding delay
Cost                | Free (included with registration)              | Often free; some registrars charge $5-15/year
Domain ownership    | Clearly associated with you                    | Proxy service listed as registrant of record

A common concern about WHOIS privacy is whether it affects domain ownership. The short answer is no — you retain full ownership and control of the domain. The privacy service acts as a proxy or agent, not as the owner. The agreement between you and the privacy service explicitly states that you are the beneficial owner of the domain, and the proxy merely represents you in the WHOIS database. If you ever need to prove ownership — for a UDRP proceeding, legal matter, or domain transfer — you can temporarily disable privacy protection to reveal your information, or provide the underlying registration agreement as evidence.

It is worth noting that WHOIS privacy does not make you anonymous from law enforcement or legal proceedings. Privacy services are obligated to comply with valid legal requests, subpoenas, and court orders, and will reveal your information when legally compelled to do so. Additionally, ICANN requires registrars to maintain accurate contact information for all domain registrants, even when privacy protection is enabled. The privacy service knows your real identity, and you are still contractually obligated to provide truthful information to your registrar. WHOIS privacy protects you from casual snooping and spam, not from legitimate legal processes.

GDPR and WHOIS

The European Union's General Data Protection Regulation (GDPR), which took effect on May 25, 2018, has fundamentally transformed the WHOIS system. GDPR classifies WHOIS data — particularly registrant names, email addresses, phone numbers, and physical addresses — as personal data subject to the regulation's strict processing requirements. This means that making this data publicly accessible through WHOIS, without a lawful basis for processing, constitutes a potential GDPR violation for registrars and registries based in the EU or processing data of EU residents.

The impact was immediate. To let registrars and registries comply, ICANN's Board adopted a Temporary Specification for gTLD Registration Data on May 17, 2018, and by the enforcement date major registrars including GoDaddy, Tucows, and Namecheap had redacted personal data from their WHOIS output, many of them for registrants worldwide rather than only EU residents. Entries that previously displayed names and contact information now showed "REDACTED FOR PRIVACY", "Data Redacted", or similar placeholder text. ICANN, which had mandated public WHOIS access in the Registrar Accreditation Agreement (RAA), found its own contractual requirements in conflict with European privacy law and had no ready mechanism for resolving that tension.

ICANN's response was to develop a tiered access model. Under it, the general public receives only non-personal data (domain status, name servers, creation and expiry dates, registrar), while verified users with a legitimate purpose, such as law enforcement, intellectual property attorneys, and security researchers, can request the redacted contact data. The community's Expedited Policy Development Process (EPDP) recommended a centralized System for Standardized Access and Disclosure (SSAD); ICANN instead launched the lighter-weight Registration Data Request Service (RDRS) in November 2023, which forwards requests to participating registrars but leaves the disclosure decision with each registrar. As of 2026, access is still far from uniform: registrar participation is voluntary, and each registrar applies its own criteria and turnaround time.

The GDPR-WHOIS conflict has created real challenges for cybersecurity. Security researchers report that redaction has made it harder to attribute malicious domains to specific threat actors, to correlate domains registered by the same entity, and to contact domain owners about security issues. A 2018 survey of anti-abuse investigators by the Anti-Phishing Working Group and M3AAWG found that respondents widely reported investigations delayed, and in some cases abandoned, once contact data disappeared from WHOIS. The privacy benefits are also real, though: WHOIS-driven spam and harassment have fallen, and individual domain owners have more control over their personal information.

For organizations that need registration data for legitimate security purposes, there are several options. ICANN's Registration Data Request Service (RDRS) is a single form that routes disclosure requests for redacted gTLD data to participating registrars, which still decide each request under their own policy; registrars outside RDRS run their own request processes. The Registration Data Access Protocol (RDAP), which has replaced port-43 WHOIS for gTLDs, supports authenticated access so that a registrar can return more than the public view to a verified requester. Commercial threat intelligence platforms such as DomainTools, RiskIQ, and Recorded Future maintain historical WHOIS databases, including pre-2018 records, and sell access by subscription. Finally, reverse WHOIS tools search across all domains that share a registrant name, email address, or other field; this remains invaluable for threat hunting and fraud investigation wherever the field was captured before redaction or is still published (organization names often are).

Warning: GDPR redaction has made it significantly harder for security researchers to quickly identify and respond to malicious domains; investigators surveyed by the APWG and M3AAWG in 2018 reported investigations slowed or abandoned for lack of contact data. If you're a security professional, use ICANN's RDRS or the registrar's own disclosure process for specific cases, and a commercial historical-WHOIS service for bulk correlation.

How to Perform a WHOIS Lookup

Performing a WHOIS lookup is straightforward, but the method you choose affects the level of detail you receive and the convenience of the experience. There are three primary approaches: command-line tools, web-based lookup services, and programmatic API access. Each method has its own strengths and trade-offs, and the best choice depends on your technical comfort level and how frequently you need to perform lookups.

Step 1 — Choose Your Lookup Method

Decide between a command-line tool (most complete, unfiltered output), a web-based tool like IP Pulse Pro's WHOIS Lookup (most user-friendly, structured format), or programmatic RDAP access (best for automation and bulk lookups). For most users, the web-based tool is the best starting point.

Step 2 — Enter the Domain or IP

Type the domain name (e.g., example.com) or IP address (e.g., 8.8.8.8) into the lookup tool. For command-line, use whois example.com. For RDAP, use curl https://rdap.verisign.com/com/v1/domain/example.com.

Step 3 — Review the Raw WHOIS Output

Examine the returned record. For domain lookups, focus on the creation date (for domain age analysis), expiry date (for expiration monitoring), name servers (for infrastructure mapping), and EPP status codes (for security locks). Note any fields marked "REDACTED FOR PRIVACY" due to GDPR.

Step 4 — Follow Referrals for Thin WHOIS

For .com and .net domains, the initial registry query may only return basic data. Follow the referral to the registrar's WHOIS server for complete registrant information. Most modern whois clients handle this automatically. Web-based tools like IP Pulse Pro aggregate both sources into a single view.

Step 5 — Analyze and Cross-Reference

Use the WHOIS data to support your investigation. Compare creation dates across domains to spot coordinated campaigns, check name servers to map infrastructure, or verify domain age to assess risk. For deeper analysis, use reverse WHOIS tools to find all domains registered by the same entity.

Command-Line WHOIS

The most direct method is using the whois command available on Linux, macOS, and Windows (via WSL or third-party tools). The command sends a query to the appropriate WHOIS server and returns the raw record:

# Basic domain WHOIS lookup
whois example.com

# Query a specific WHOIS server (here Verisign's .com/.net registry server)
whois -h whois.verisign-grs.com example.com

# IP address WHOIS lookup (the client picks the right RIR server)
whois 8.8.8.8

# For thin registries (.com, .net) the registry record only carries a
# "Registrar WHOIS Server:" referral; most clients follow it automatically.
# If yours does not, query the registrar's server by hand:
whois -h whois.registrar-example.com example.com

The command-line approach provides the most complete and unfiltered WHOIS output, but it requires understanding the raw format and may return different results depending on which WHOIS server is queried. For thin WHOIS registries like .com and .net, the initial query to the registry server returns only basic information, and you must follow the referral to the registrar's WHOIS server for complete data. Most modern whois clients handle referral following automatically, but older versions may require manual follow-up queries.

Web-Based WHOIS Lookup

For a more user-friendly experience, use our WHOIS Lookup Tool at ippulsepro.com/whois-lookup. The web-based tool presents the WHOIS data in a structured, easy-to-read format with key fields highlighted and explained. It also handles referral following automatically, aggregating data from both the registry and registrar into a single, comprehensive view. This is the recommended approach for most users, especially those who need to perform occasional lookups without installing command-line tools.


Programmatic WHOIS Access via RDAP

For developers and security teams who need to perform bulk lookups or integrate registration data into automated workflows, the Registration Data Access Protocol (RDAP, specified in RFC 7480 and its companion RFCs) is the replacement for port-43 WHOIS. RDAP returns structured JSON over HTTPS instead of free-form text, includes a bootstrap mechanism so a client can find the authoritative server for any TLD or address block (IANA publishes the bootstrap files; rdap.org is a public redirector built on them), and supports authentication so that registrars can return more data to a verified requester than the public sees. For gTLDs it is now the authoritative source: ICANN's requirement that registries and registrars operate port-43 WHOIS ended on January 28, 2025, and many have since switched it off:

# RDAP lookup for a domain (returns JSON)
curl https://rdap.verisign.com/com/v1/domain/example.com

# RDAP lookup for an IP address
curl https://rdap.arin.net/registry/ip/8.8.8.8
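The following is an added example (not the page's code and not Verisign's) covering both the step-by-step procedure above and this RDAP section: it builds a bootstrap URL for a domain or IP address, reads the parts of a domain response an investigator looks at first, and finds the rel="related" link that a thin registry such as .com returns so you can follow it to the registrar's RDAP server (step 4 of the procedure). The JSON is a constructed, trimmed response in the shape Verisign's .com server returns; the registrar RDAP URL inside it is a placeholder, and rdap.org is only used by the live `lookup()` path, which the offline demo never calls.

```python
import json
from typing import Optional
from urllib.request import Request, urlopen

# rdap.org is a public redirector built on IANA's RDAP bootstrap files: it
# answers with an HTTP redirect to the authoritative server for the TLD or
# address block. Assumed reachable for live use; never contacted below.
BOOTSTRAP = "https://rdap.org"

# Constructed, trimmed registry answer in the shape of Verisign's .com RDAP
# service; only the members used below are present.
SAMPLE_REGISTRY_RESPONSE = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "EXAMPLE.COM",
  "status": ["client delete prohibited", "client transfer prohibited", "client update prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
    {"eventAction": "expiration",   "eventDate": "2028-08-13T04:00:00Z"},
    {"eventAction": "last changed", "eventDate": "2023-08-14T07:01:38Z"}
  ],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE-DNS.COM"},
    {"objectClassName": "nameserver", "ldhName": "NS2.EXAMPLE-DNS.COM"}
  ],
  "secureDNS": {"delegationSigned": false},
  "entities": [
    {"objectClassName": "entity", "roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "REGISTRAR-EXAMPLE, LLC"]]],
     "publicIds": [{"type": "IANA Registrar ID", "identifier": "292"}]}
  ],
  "links": [
    {"rel": "self",    "href": "https://rdap.verisign.com/com/v1/domain/EXAMPLE.COM",
     "type": "application/rdap+json"},
    {"rel": "related", "href": "https://rdap.registrar-example.com/rdap/domain/EXAMPLE.COM",
     "type": "application/rdap+json"}
  ]
}
""")


def rdap_url(query: str) -> str:
    """Bootstrap URL for a domain name or an IPv4/IPv6 address."""
    is_ip = ":" in query or query.replace(".", "").isdigit()
    return f"{BOOTSTRAP}/{'ip' if is_ip else 'domain'}/{query if is_ip else query.lower()}"


def fetch_rdap(url: str) -> dict:
    """Live fetch (not exercised offline); ask for the RDAP media type explicitly."""
    req = Request(url, headers={"Accept": "application/rdap+json"})
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)


def registrar_referral(doc: dict) -> Optional[str]:
    """Thin registries (.com, .net) return a skeleton record plus a rel="related"
    link to the sponsoring registrar's RDAP server, where the contact data
    (redacted or not) actually lives. Return that URL if present."""
    for link in doc.get("links", []):
        if link.get("rel") == "related" and "rdap+json" in link.get("type", ""):
            return link["href"]
    return None


def vcard_field(entity: dict, name: str) -> Optional[str]:
    """Pull one property (e.g. 'fn', 'email') out of an entity's jCard array."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None


def summarize(doc: dict) -> dict:
    """Flatten the parts of a domain RDAP response an investigator reads first."""
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    registrar = next((e for e in doc.get("entities", []) if "registrar" in e.get("roles", [])), {})
    iana_id = next((p["identifier"] for p in registrar.get("publicIds", [])
                    if p.get("type") == "IANA Registrar ID"), None)
    return {
        "domain": doc.get("ldhName", "").lower(),
        "created": events.get("registration"),
        "expires": events.get("expiration"),
        "statuses": sorted(doc.get("status", [])),
        "name_servers": sorted(ns["ldhName"].lower() for ns in doc.get("nameservers", [])),
        "dnssec_signed": bool(doc.get("secureDNS", {}).get("delegationSigned")),
        "registrar": vcard_field(registrar, "fn"),
        "registrar_iana_id": iana_id,
        "registrar_rdap": registrar_referral(doc),
    }


def lookup(domain: str) -> dict:
    """Full live procedure: registry answer first, then follow the registrar referral."""
    result = summarize(fetch_rdap(rdap_url(domain)))
    if result["registrar_rdap"]:
        result["registrar_view"] = summarize(fetch_rdap(result["registrar_rdap"]))
    return result


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REGISTRY_RESPONSE), indent=2))
```

Note that RDAP spells the EPP statuses with spaces ("client transfer prohibited") rather than the camel-cased tokens WHOIS prints, and that the registrar's response is where any registrant entity will appear; the registry view for .com never carries it.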

Using WHOIS for Cybersecurity

WHOIS data is an indispensable resource for cybersecurity professionals, providing critical intelligence for threat detection, investigation, and response. While GDPR has reduced the availability of personal contact information, the remaining fields — creation dates, name servers, registrars, and domain status codes — still offer valuable signals for identifying and analyzing malicious infrastructure.

Threat intelligence and attribution is one of the most powerful applications of WHOIS data. By analyzing WHOIS records across multiple domains, security researchers can identify clusters of domains registered with the same registrar, using the same name servers, or created within the same timeframe. These correlations often reveal coordinated malicious campaigns. For example, a phishing campaign targeting multiple banks might register domains like "bankofamerica-secure-login.com," "wellsfargo-verify-account.com," and "chase-security-update.com" on the same day, through the same registrar, using the same name servers. WHOIS data makes these connections visible.

Domain age analysis is another crucial technique. Newly registered domains (NRDs), conventionally those created within the last 30 days, are used for malicious purposes far out of proportion to their numbers: Palo Alto Networks' Unit 42 found that more than 70% of the NRDs it sampled were malicious, suspicious, or not safe for work, and that NRDs were roughly ten times more likely to be malicious than other domains. The creation date in WHOIS records lets automated systems flag NRDs for additional scrutiny, such as stricter email filtering, browser warnings, or DNS blocking. Many organizations consume automated NRD feeds and use them to block or sandbox such domains before they can be used in attacks.

Infrastructure mapping uses name-server data from domain WHOIS together with netblock and contact data from IP WHOIS to map the infrastructure supporting malicious campaigns. When a threat actor operates multiple malicious domains, they often reuse the same hosting provider, name servers, or IP ranges. WHOIS data, combined with passive DNS records, allows researchers to identify the full scope of a threat actor's infrastructure, enabling more comprehensive blocking and takedown actions. This technique has been instrumental in dismantling large-scale botnets and fraud operations.

Brand protection and typo squatting detection leverages WHOIS to identify domains that impersonate or closely resemble legitimate brands. Organizations monitor WHOIS for new registrations containing their brand names, common misspellings, or combined with keywords like "login," "secure," or "verify." When such domains are detected, the organization can take preemptive action through UDRP complaints, cease-and-desist letters, or DNS blocking before the domains are used in phishing or fraud campaigns. Major brands typically monitor thousands of potential typo-squatting variations and use automated WHOIS monitoring services to detect new registrations in real time.

Tip: When investigating a suspicious domain, always cross-reference the WHOIS creation date with the name servers and registrar. Newly registered domains (< 30 days old) using the same name servers as other recently created domains are strong indicators of a coordinated phishing or malware campaign. This pattern is one of the most reliable signals in threat intelligence.
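To make the correlation concrete, here is an added example (not from the original article) that applies the tip above to a small constructed set of records: it groups recently registered domains that share a registrar and name-server set, ignores old domains that merely use the same DNS, and checks a label for a watched brand plus lure keywords, including one-character typos and digit-for-letter swaps. The registrar ID 9999, the .example name servers, the brand watch-list and the lure-word list are all assumptions; the three lure domains are the ones this section uses as an illustration, not real registrations.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Assumed watch-list and lure words (the lure words are the ones the text mentions plus a few)
BRANDS = ("bankofamerica", "wellsfargo", "chase")
LURE_WORDS = ("login", "secure", "verify", "account", "update", "security")
DIGIT_SWAPS = str.maketrans("01345", "oleas")   # undo 0->o, 1->l, 3->e, 4->a, 5->s
AS_OF = date(2026, 5, 5)                        # assumed analysis date

# Constructed records: fictional registrar ID 9999 and .example name servers
RECORDS = [
    {"domain": "bankofamerica-secure-login.com", "registrar_id": "9999", "created": date(2026, 5, 1),
     "name_servers": ["NS1.CHEAP-DNS.EXAMPLE", "NS2.CHEAP-DNS.EXAMPLE"]},
    {"domain": "wellsfargo-verify-account.com", "registrar_id": "9999", "created": date(2026, 5, 1),
     "name_servers": ["ns2.cheap-dns.example", "ns1.cheap-dns.example"]},
    {"domain": "chase-security-update.com", "registrar_id": "9999", "created": date(2026, 5, 2),
     "name_servers": ["ns1.cheap-dns.example", "ns2.cheap-dns.example"]},
    {"domain": "old-site.example", "registrar_id": "9999", "created": date(2019, 3, 3),
     "name_servers": ["ns1.cheap-dns.example", "ns2.cheap-dns.example"]},
    {"domain": "new-startup.example", "registrar_id": "9999", "created": date(2026, 4, 28),
     "name_servers": ["ns1.other-dns.example"]},
    {"domain": "example.com", "registrar_id": "292", "created": date(1995, 8, 14),
     "name_servers": ["ns1.example-dns.com", "ns2.example-dns.com"]},
]


def infra_key(rec: dict) -> tuple:
    """Registrar plus the order- and case-insensitive name-server set."""
    return rec["registrar_id"], tuple(sorted(ns.lower() for ns in rec["name_servers"]))


def cluster_by_infrastructure(records, as_of: date, window_days: int = 30, min_size: int = 3) -> list:
    """Group domains created within window_days that share registrar and name servers.

    Old domains on the same infrastructure are ignored on purpose: shared DNS
    alone is weak evidence, a burst of new registrations on shared DNS is not.
    """
    cutoff = as_of - timedelta(days=window_days)
    groups = defaultdict(list)
    for rec in records:
        if cutoff <= rec["created"] <= as_of:
            groups[infra_key(rec)].append(rec["domain"].lower())
    clusters = [{"registrar_id": rid, "name_servers": list(ns), "domains": sorted(doms)}
                for (rid, ns), doms in groups.items() if len(doms) >= min_size]
    return sorted(clusters, key=lambda c: -len(c["domains"]))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; fine for label-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_match(domain: str) -> dict:
    """Look for a watched brand in the registrable label (pass 'chase.com', not a hostname),
    by substring or by a one-character typo after undoing digit-for-letter swaps.
    Substring matching will also hit words that contain a brand (e.g. 'purchase' contains
    'chase'); tune BRANDS or add an allow-list before using this on live feeds."""
    label = domain.lower().split(".")[0]
    normalized = re.sub(r"[^a-z]", "", label.translate(DIGIT_SWAPS))
    brand = next((b for b in BRANDS if b in normalized), None)
    if brand is None:
        brand = next((b for b in BRANDS if edit_distance(normalized, b) == 1), None)
    lures = sorted(w for w in LURE_WORDS if w in normalized)
    # The bare brand label (chase.com) is the brand's own registration, not an impersonation
    return {"label": label, "brand": brand, "lures": lures,
            "impersonation": brand is not None and label != brand}


if __name__ == "__main__":
    for cluster in cluster_by_infrastructure(RECORDS, AS_OF):
        print("cluster on", cluster["registrar_id"], cluster["name_servers"])
        for d in cluster["domains"]:
            print("   ", d, brand_match(d))
```

With real data the records would come from a WHOIS or RDAP feed rather than a literal list; the grouping key is deliberately just registrar plus name-server set, because those two fields survive GDPR redaction and are exactly what the tip above tells you to compare.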

Domain Expiration Monitoring

Domain expiration is a critical but often overlooked security risk. When a domain expires, it becomes available for anyone to register — and if that domain was previously used for email, web services, or subdomain delegations, the new registrant inherits all of the trust and infrastructure associations that were built up over the domain's lifetime. This creates opportunities for domain takeover attacks that can be devastatingly effective.

The risk of domain expiration is not hypothetical. In 2021, a security researcher demonstrated the impact by registering the expired domain previously used by a US military subdomain, gaining the ability to receive military email and potentially access internal systems. In another case, an expired domain that had been used for an organization's MX records was re-registered by a spammer who used it to send fraudulent emails appearing to come from the original organization. The damage from such incidents extends beyond the immediate security breach — it erodes trust, triggers regulatory investigations, and can result in significant financial losses.

The domain lifecycle has several stages that are important to understand for monitoring purposes. After the expiration date passes, the domain enters the auto-renew grace period (EPP status autoRenewPeriod; up to 45 days at the registry, although many registrars cut it shorter), during which the original registrant can renew at the normal price. If it is not renewed, the registrar deletes it and the domain enters the 30-day redemption grace period (status redemptionPeriod), where the registrant can still restore it, but at a significantly higher fee. After redemption, the domain enters pendingDelete for 5 days, during which renewal is no longer possible. Finally, the domain is released and becomes available for registration by anyone. The entire process from expiration to availability typically takes 75-80 days, but it varies by registrar and TLD; ccTLDs in particular follow their own rules.

[Diagram: domain expiration lifecycle] Active (registered and in use) -> Grace period (0-45 days, renew at the normal price) -> Redemption (about 30 days, renew at a high fee) -> Pending delete (5 days, no renewal) -> Available (anyone can register). Risk increases with each stage; monitor expiration dates and set auto-renewal on critical domains.

To protect against domain expiration risks, implement the following best practices. First, enable auto-renewal on all critical domains and make sure the payment method on file is current; an expired card is the most common reason auto-renewal silently fails, and it is the single most effective safeguard against accidental expiration. Second, set calendar reminders for 90, 60, and 30 days before each domain's expiration date, and review your domain portfolio at each interval. Third, register domains for the maximum term; many registrars offer 10-year registrations, which greatly reduces how often a renewal can be missed. Fourth, use a domain monitoring service such as the WHOIS monitoring feature in IP Pulse Pro, which alerts you to approaching expiration dates, status changes, and unauthorized modifications to your WHOIS records. Fifth, consolidate domains with a single, reliable registrar to simplify management and reduce the risk of missing renewal notices from multiple providers. Finally, keep the registrar lock (clientTransferProhibited, plus clientDeleteProhibited and clientUpdateProhibited) enabled on every domain, and for your most critical names buy a registry lock (serverTransferProhibited and its server* siblings), which is set by the registry and cannot be removed by someone who merely has your registrar account credentials.
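Added example, not part of the original article: a small portfolio checker that places each domain in the lifecycle described above using the EPP status the registry reports (autoRenewPeriod, redemptionPeriod, pendingDelete) and elapsed time as a fallback, estimates how long until the name drops, fires the 90/60/30-day reminders, and lists which of the two transfer locks are missing. The stage lengths are the gTLD defaults from this section and should be treated as assumptions for any given registrar or ccTLD; the portfolio entries are constructed.

```python
from datetime import date

# gTLD stage lengths from the text; registrar grace periods may be shorter and ccTLDs differ
GRACE_DAYS, REDEMPTION_DAYS, PENDING_DELETE_DAYS = 45, 30, 5
FULL_CYCLE = GRACE_DAYS + REDEMPTION_DAYS + PENDING_DELETE_DAYS   # 80 days
REMINDER_TIERS = (30, 60, 90)
# The two transfer locks the text recommends; server* is a registry lock ordered via the registrar
RECOMMENDED_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}
TODAY = date(2026, 5, 5)                                           # assumed check date

# Constructed portfolio: expiry dates and EPP status codes as WHOIS would print them
PORTFOLIO = [
    {"domain": "example.com", "expires": date(2028, 8, 13),
     "statuses": ["clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"]},
    {"domain": "soon.example", "expires": date(2026, 6, 1), "statuses": ["ok"]},
    {"domain": "lapsed.example", "expires": date(2026, 4, 20), "statuses": ["autoRenewPeriod"]},
    {"domain": "forgotten.example", "expires": date(2026, 3, 1), "statuses": ["redemptionPeriod"]},
    {"domain": "gone.example", "expires": date(2026, 2, 15), "statuses": ["pendingDelete"]},
]


def lifecycle_stage(expires: date, statuses, today: date) -> dict:
    """Place a domain in the lifecycle: trust the EPP status when the registry
    reports one, otherwise infer the stage from time elapsed since expiry."""
    codes = {s.lower() for s in statuses}
    elapsed = (today - expires).days            # negative while still active
    if elapsed < 0:
        stage = "active"
    elif "pendingdelete" in codes:
        stage = "pending delete"
    elif "redemptionperiod" in codes:
        stage = "redemption"
    elif "autorenewperiod" in codes or elapsed <= GRACE_DAYS:
        stage = "grace"
    elif elapsed <= GRACE_DAYS + REDEMPTION_DAYS:
        stage = "redemption"                    # inferred from elapsed time only
    elif elapsed <= FULL_CYCLE:
        stage = "pending delete"
    else:
        stage = "released"
    # Days until anyone can register the name: the stage gives a ceiling, elapsed
    # time a projection, and the later stages a floor (a domain in redemption still
    # has the 5-day pending-delete window ahead of it)
    ceiling = {"active": FULL_CYCLE - elapsed, "grace": FULL_CYCLE - elapsed,
               "redemption": REDEMPTION_DAYS + PENDING_DELETE_DAYS,
               "pending delete": PENDING_DELETE_DAYS, "released": 0}[stage]
    floor = {"grace": REDEMPTION_DAYS + PENDING_DELETE_DAYS,
             "redemption": PENDING_DELETE_DAYS}.get(stage, 0)
    return {
        "stage": stage,
        "renewable": stage in ("active", "grace", "redemption"),   # redemption costs extra
        "days_to_expiry": -elapsed,
        "days_until_release": max(floor, min(ceiling, FULL_CYCLE - elapsed)),
        "missing_locks": sorted(RECOMMENDED_LOCKS - codes),
    }


def reminder_tier(days_to_expiry: int):
    """Smallest reminder threshold (30/60/90) already crossed, or None."""
    for tier in REMINDER_TIERS:
        if 0 <= days_to_expiry <= tier:
            return tier
    return None


def action(info: dict):
    """What the owner should do right now, given the stage."""
    if info["stage"] == "active":
        tier = reminder_tier(info["days_to_expiry"])
        return None if tier is None else f"renew: inside {tier}-day window"
    if info["stage"] == "grace":
        return "renew now at the normal price"
    if info["stage"] == "redemption":
        return "restore now (redemption fee applies)"
    if info["stage"] == "pending delete":
        return "cannot renew; prepare to re-register on the drop"
    return "released: re-register immediately if still available"


def portfolio_report(portfolio, today: date) -> dict:
    report = {}
    for entry in portfolio:
        info = lifecycle_stage(entry["expires"], entry["statuses"], today)
        info["action"] = action(info)
        report[entry["domain"]] = info
    return report


if __name__ == "__main__":
    for name, info in portfolio_report(PORTFOLIO, TODAY).items():
        print(f"{name:20} {info['stage']:15} release<={info['days_until_release']:4}  {info['action']}")
```

The "days until release" figure is an estimate, not a promise: the registrar may delete the name earlier in the grace period than the registry's 45-day maximum, so treat anything past the expiry date as urgent regardless of what the estimate says.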

For organizations with large domain portfolios, consider using a Corporate Domain Manager service offered by major registrars. These services provide centralized management, automated renewals, brand monitoring, and dedicated support for enterprise domain portfolios. They also offer enhanced security features such as two-factor authentication for all domain modifications, IP-based access controls, and audit logs for all changes. The cost of these services is negligible compared to the potential damage of a domain expiration incident, making them a worthwhile investment for any organization whose business depends on its online presence.


