What is RDAP?

RDAP (Registration Data Access Protocol) is the modern, standards-based replacement for WHOIS. This guide covers RDAP's HTTP/JSON design, bootstrapping mechanism, access control model, and advantages over WHOIS for domain investigations.


What is RDAP?

RDAP (Registration Data Access Protocol) is the modern, standards-based protocol for querying domain, IP address, and autonomous system number (ASN) registration data. Developed by the IETF and published in 2015 as RFCs 7480 through 7484 (the query and response formats were revised in RFC 9082 and RFC 9083 in 2021), RDAP was designed to address WHOIS's longstanding limitations: inconsistent formatting, no authentication, and no support for internationalized data. It is now the preferred protocol for registration lookups in threat intelligence workflows.

How it differs from WHOIS

Where WHOIS uses a raw TCP connection on port 43 and returns freeform text, RDAP is built on HTTP (HTTPS in practice) and returns structured JSON with the media type application/rdap+json. This means responses have a predictable schema, can be parsed reliably by machines, and carry standard HTTP features like content negotiation, caching, status codes for errors, and authentication. For a detailed side-by-side comparison, see WHOIS vs RDAP.

Bootstrapping

One of RDAP's key design features is bootstrapping (RFC 7484), the process of finding the correct RDAP server for a given query. IANA publishes bootstrap registries as JSON files under https://data.iana.org/rdap/ (dns.json for TLDs, ipv4.json and ipv6.json for address space, asn.json for AS numbers) that map each TLD, CIDR block or ASN range to its authoritative RDAP base URL, so clients can automatically determine where to send a query without hardcoding server addresses. This is a significant improvement over WHOIS, where finding the right server often required manual configuration or registry-specific knowledge.
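The following is an added example (not code from this page) of the bootstrap lookup in Python. It embeds constructed snapshots in the shape of IANA's dns.json and ipv4.json files; the server hostnames are illustrative, not the real registry endpoints. It resolves a TLD (including an IDN TLD, which the bootstrap file lists as an A-label), does longest-prefix matching for an IP, prefers an https:// base URL when several are listed, and builds the query URL in the RFC 9082 path form. A None result is the signal to fall back to WHOIS.

```python
import ipaddress
import json

# Constructed snapshots in the shape of IANA's RDAP bootstrap files
# (https://data.iana.org/rdap/dns.json and ipv4.json): each "services"
# entry pairs a list of TLDs or CIDR blocks with a list of base URLs.
# Server hostnames here are illustrative, not copied from the live files.
DNS_BOOTSTRAP = json.loads("""
{
  "version": "1.0",
  "publication": "2025-01-01T00:00:00Z",
  "services": [
    [["com", "net"], ["https://rdap.example-registry.com/v1/"]],
    [["org"], ["https://rdap.example-org.net/rdap/"]],
    [["xn--p1ai"], ["https://rdap.example-ru.org/"]],
    [["info"], ["http://rdap.example-info.net/", "https://rdap.example-info.net/"]]
  ]
}
""")
IPV4_BOOTSTRAP = json.loads("""
{
  "version": "1.0",
  "publication": "2025-01-01T00:00:00Z",
  "services": [
    [["192.0.0.0/8"], ["https://rdap.example-rir-b.net/"]],
    [["192.0.2.0/24", "198.51.100.0/24"], ["https://rdap.example-rir-a.net/"]]
  ]
}
""")


def prefer_https(urls):
    """RFC 7484 tells clients to prefer an https:// base URL when several are listed."""
    return next((u for u in urls if u.startswith("https://")), urls[0])


def base_url_for_domain(domain: str):
    """Look the domain's TLD up in the DNS bootstrap file; None means no RDAP server is known."""
    tld = domain.rstrip(".").lower().rsplit(".", 1)[-1]
    # Bootstrap files list IDN TLDs as A-labels, so convert e.g. "рф" -> "xn--p1ai".
    tld = tld.encode("idna").decode("ascii")
    for tlds, urls in DNS_BOOTSTRAP["services"]:
        if tld in tlds:
            return prefer_https(urls)
    return None


def base_url_for_ip(addr: str):
    """Longest-prefix match of an IPv4 address against the bootstrap file."""
    ip = ipaddress.ip_address(addr)
    best = None
    for cidrs, urls in IPV4_BOOTSTRAP["services"]:
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, prefer_https(urls))
    return best[1] if best else None


def query_url(kind: str, target: str):
    """Build the full query URL: <base>domain/<name> or <base>ip/<addr> (RFC 9082 paths)."""
    if kind == "domain":
        base = base_url_for_domain(target)
        name = target.rstrip(".").lower().encode("idna").decode("ascii")
        path = "domain/" + name
    elif kind == "ip":
        base = base_url_for_ip(target)
        path = "ip/" + target
    else:
        raise ValueError(f"unsupported object type: {kind}")
    return None if base is None else base.rstrip("/") + "/" + path


if __name__ == "__main__":
    for kind, target in [("domain", "Example.COM"), ("domain", "пример.рф"),
                         ("domain", "example.invalid"), ("ip", "192.0.2.10")]:
        print(kind, target, "->", query_url(kind, target))
```

In a real client the two snapshots would be fetched from data.iana.org and cached (they change rarely, and IANA sets long cache headers); ipv6.json and asn.json are matched the same way, and `ipaddress` already returns False for an `in` test between an IPv4 address and an IPv6 network, so one list can hold both families.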

Structured responses

RDAP responses follow a defined JSON structure (RFC 9083) with standardized object classes for domains, name servers, entities (contacts, carried as jCard), IP networks, and autonomous system numbers. Each object includes links for related resources (enabling cross-referencing between registries, for example from a registry's domain object to the sponsoring registrar's RDAP server), events (registration, expiration, last changed), status values, and remarks. Note that RDAP status values use their own spellings from the IANA RDAP JSON Values registry, such as "client transfer prohibited", rather than the EPP codes like "clientTransferProhibited" that WHOIS output shows. Because the format is standardized, tools can parse responses from different registries without per-registrar formatting logic, and an error (for example, an unregistered domain) arrives as a JSON error object with errorCode, title, and description rather than as freeform text.
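The following is an added example (not code from this page) that normalizes an RDAP domain object into a flat record the way an enrichment pipeline would. The response and error bodies are constructed in the RFC 9083 shape; the registrar name, handle, and URLs are illustrative. It pulls dates out of the events array, the registrar out of the entity with the "registrar" role (name from the jCard "fn" property, IANA ID from publicIds), and the registrar's own RDAP link from the links array, and it refuses to parse an error object.

```python
import json
from datetime import datetime

# Constructed RDAP domain response in the RFC 9083 shape (rdapConformance,
# objectClassName, events, status, nameservers, entities with jCard contacts,
# links). Names, handles and URLs are illustrative, not live registry data.
SAMPLE_DOMAIN = json.loads("""
{
  "rdapConformance": ["rdap_level_0"],
  "objectClassName": "domain",
  "ldhName": "EXAMPLE.COM",
  "status": ["client transfer prohibited", "client delete prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2019-03-05T10:22:41Z"},
    {"eventAction": "expiration", "eventDate": "2026-03-05T10:22:41Z"},
    {"eventAction": "last changed", "eventDate": "2024-02-10T08:00:00Z"}
  ],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE-DNS.NET"},
    {"objectClassName": "nameserver", "ldhName": "ns2.example-dns.net"}
  ],
  "entities": [
    {"objectClassName": "entity", "handle": "1234", "roles": ["registrar"],
     "publicIds": [{"type": "IANA Registrar ID", "identifier": "1234"}],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar, Inc."]]]},
    {"objectClassName": "entity", "roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]}
  ],
  "links": [
    {"rel": "self", "type": "application/rdap+json",
     "href": "https://rdap.example-registry.com/v1/domain/example.com"},
    {"rel": "related", "type": "application/rdap+json",
     "href": "https://rdap.example-registrar.com/rdap/domain/example.com"}
  ]
}
""")

# Constructed error body: RFC 9083 error objects carry errorCode, title and
# description instead of a domain object.
SAMPLE_ERROR = json.loads("""
{"rdapConformance": ["rdap_level_0"], "errorCode": 404,
 "title": "Not Found", "description": ["domain example.invalid is not registered"]}
""")


def rdap_error(resp: dict):
    """Return (errorCode, title) if the body is an RDAP error object, else None."""
    if "errorCode" in resp:
        return resp["errorCode"], resp.get("title", "")
    return None


def _event_dates(obj: dict) -> dict:
    """Map eventAction -> timezone-aware datetime for every event on an object."""
    out = {}
    for ev in obj.get("events", []):
        if "eventAction" in ev and "eventDate" in ev:
            out[ev["eventAction"]] = datetime.fromisoformat(
                ev["eventDate"].replace("Z", "+00:00"))
    return out


def _vcard_fn(entity: dict):
    """Pull the formatted name ("fn") out of a jCard vcardArray, if present."""
    vcard = entity.get("vcardArray") or []
    for prop in (vcard[1] if len(vcard) > 1 else []):
        if prop[0].lower() == "fn":
            return prop[3]
    return None


def parse_domain(resp: dict) -> dict:
    """Normalize an RDAP domain object into a flat record for enrichment."""
    err = rdap_error(resp)
    if err:
        raise ValueError(f"RDAP error {err[0]}: {err[1]}")
    if resp.get("objectClassName") != "domain":
        raise ValueError("not a domain object")
    events = _event_dates(resp)
    registrar = registrar_id = None
    for ent in resp.get("entities", []):
        if "registrar" in ent.get("roles", []):
            registrar = _vcard_fn(ent)
            for pid in ent.get("publicIds", []):
                if pid.get("type") == "IANA Registrar ID":
                    registrar_id = pid.get("identifier")
    # Registry responses usually link (rel=related) to the registrar's RDAP
    # server, which is where fuller contact data lives; keep it for follow-up.
    registrar_rdap = next((lk["href"] for lk in resp.get("links", [])
                           if lk.get("rel") == "related"
                           and lk.get("type") == "application/rdap+json"), None)
    return {
        "name": resp["ldhName"].lower(),
        "status": sorted(resp.get("status", [])),
        "registered": events.get("registration"),
        "expires": events.get("expiration"),
        "last_changed": events.get("last changed"),
        "nameservers": sorted(ns["ldhName"].lower() for ns in resp.get("nameservers", [])),
        "registrar": registrar,
        "registrar_iana_id": registrar_id,
        "registrar_rdap": registrar_rdap,
    }


if __name__ == "__main__":
    print(json.dumps(parse_domain(SAMPLE_DOMAIN), default=str, indent=2))
    print(rdap_error(SAMPLE_ERROR))
```

The same parser works unchanged against any conformant registry, which is the point of the section above; the registrant entity here is the redacted form most gTLD registries return to anonymous clients, so a pipeline should treat an "fn" of "REDACTED FOR PRIVACY" as absent rather than as a name.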

Access control model

RDAP includes built-in support for differentiated access (RFC 7481 covers the HTTP authentication and authorization mechanisms). Registries can serve different levels of detail based on the requester's identity, for example, returning full contact information to authenticated law enforcement or verified security researchers while showing redacted data to anonymous queries. This is how RDAP accommodates GDPR-driven redaction: instead of blanket redaction, registries can implement tiered access that provides more data to authorized parties. A redaction extension (RFC 9537) additionally lets a response state which fields were removed and why, so tooling can distinguish data that was redacted from data that was never present.

In practice, adoption of tiered access varies. Many registries currently return the same redacted data to all requesters, but the protocol supports finer-grained controls as policies mature.

Current adoption status

ICANN required all gTLD registries and registrars to implement RDAP by August 2019, and since January 28, 2025 they are no longer required to offer port 43 WHOIS at all, so for gTLDs RDAP is now the authoritative source. ccTLD adoption is less consistent: some ccTLDs have deployed RDAP alongside WHOIS, while others have not yet implemented it. For day-to-day investigations, RDAP is the preferred query method for gTLDs, with WHOIS as a fallback for ccTLDs and legacy systems whose TLD has no entry in the IANA bootstrap file.

Advantages over WHOIS

  • Standardized format. No per-registrar parsing logic required.
  • Referencing and linking. Responses include links to related objects across registries.
  • Internationalization. Native support for non-ASCII characters and contact data.
  • Authentication. HTTP-based auth enables tiered access controls.
  • Extensibility. New data fields can be added via RDAP extensions without breaking existing clients.

RDAP in domain investigations

RDAP provides the same registration data as WHOIS (registrar, dates, name servers, status) but in a structured, machine-readable format that integrates cleanly into automated enrichment workflows. A registry's domain object normally links to the sponsoring registrar's RDAP server, where fuller contact data may be available, so investigation tooling should follow that link as a second step. For domain monitoring pipelines, RDAP reduces parsing errors, supports programmatic access, and positions teams to benefit from tiered access as registries expand their authorization models.
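The following is an added example (not code from this page) of the monitoring checks a pipeline runs once RDAP data has been normalized. It assumes a hypothetical flat record layout (name, status in RDAP spellings, registered and expires as timezone-aware datetimes, nameservers, registrar_iana_id) and compares the current record with a previously stored snapshot; the two records and the fixed clock are constructed. It flags newly registered domains, domains on hold or pending deletion, domains without a transfer lock, and name server or registrar changes since the last observation.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# RDAP status values as spelled in RFC 9083 / the IANA RDAP JSON Values
# registry ("client hold", not the EPP code "clientHold" that WHOIS shows).
HOLD_STATUSES = {"client hold", "server hold", "pending delete", "redemption period"}
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}


def review_domain(record: dict, previous: dict | None = None, now: datetime | None = None,
                  new_days: int = 30, expiry_days: int = 30) -> dict:
    """Run monitoring checks over a normalized RDAP domain record.

    Hypothetical record layout: flat dict with keys name, status (RDAP
    spellings), registered/expires (aware datetimes or None), nameservers
    (list of strings) and registrar_iana_id. `previous` is the last stored
    snapshot, if any. Returns {finding_tag: detail}.
    """
    now = now or datetime.now(timezone.utc)
    findings = {}
    reg, exp = record.get("registered"), record.get("expires")
    if reg and now - reg < timedelta(days=new_days):
        findings["newly_registered"] = f"{(now - reg).days} days ago"
    if exp and exp - now < timedelta(days=expiry_days):
        findings["expiring_soon"] = f"{(exp - now).days} days left"
    status = set(record.get("status", []))
    held = sorted(status & HOLD_STATUSES)
    if held:
        findings["on_hold"] = ", ".join(held)
    if not status & TRANSFER_LOCKS:
        findings["no_transfer_lock"] = "no client/server transfer prohibited status"
    if previous:
        cur_ns, prev_ns = set(record.get("nameservers", [])), set(previous.get("nameservers", []))
        if cur_ns != prev_ns:
            findings["nameservers_changed"] = f"+{sorted(cur_ns - prev_ns)} -{sorted(prev_ns - cur_ns)}"
        if record.get("registrar_iana_id") != previous.get("registrar_iana_id"):
            findings["registrar_changed"] = (f"{previous.get('registrar_iana_id')} -> "
                                            f"{record.get('registrar_iana_id')}")
    return findings


# Constructed snapshots of one watched domain and a fixed clock so the output
# is reproducible; the hostnames and registrar IDs are illustrative.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
PREVIOUS = {"name": "brand-login.example", "status": ["client transfer prohibited"],
            "registered": datetime(2025, 5, 20, tzinfo=timezone.utc),
            "expires": datetime(2026, 5, 20, tzinfo=timezone.utc),
            "nameservers": ["ns1.parking.example", "ns2.parking.example"],
            "registrar_iana_id": "1234"}
CURRENT = {**PREVIOUS, "status": ["client hold"],
           "nameservers": ["ns1.parking.example", "ns1.new-host.example"],
           "registrar_iana_id": "5678"}

if __name__ == "__main__":
    for tag, detail in review_domain(CURRENT, PREVIOUS, now=NOW).items():
        print(f"{CURRENT['name']}: {tag}: {detail}")
```

Because the status strings come straight from the RDAP response, the hold and lock checks need no per-registrar mapping table, which is exactly the parsing burden the section above says RDAP removes.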
