What is WHOIS?

WHOIS is a protocol for querying domain registration data, including registrant information, registrar details, and key dates. This guide covers the port 43 protocol, why unstructured WHOIS drove adoption of RDAP, thick vs thin registries, data fields, GDPR impact on public data, and investigative uses.


What is WHOIS?

WHOIS is both a query-response protocol and the public service built on it for looking up domain name registration data. It has been in use since the 1980s and remains the most widely known method for answering "who registered this domain?" WHOIS data is a foundational element of threat intelligence and domain investigation workflows. For machine-readable registration data and modern APIs, operators increasingly rely on RDAP, which was designed to address WHOIS's structural limits.

The protocol

WHOIS operates on TCP port 43. A client opens a connection, sends the domain name as a plain-text query, and receives a plain-text response. There is no structured format, no authentication, and no standard error handling. The response is freeform text that varies by registrar and registry. That simplicity helped early adoption but left little guarantee that two servers would label or format the same facts the same way.

Why WHOIS proved inadequate and how RDAP replaced it

WHOIS was never a single data model. Responses read like human-oriented blurbs, not records. Parsers inferred field names from context, which introduced inaccuracies when normalizing or comparing data across TLDs and registrars. At scale, teams maintained fragile integrations, fought ambiguous or missing lines, and struggled to handle errors consistently. Operationally, WHOIS was a poor fit for reliable automation, bulk pipelines, or monitoring that needs stable semantics.

Industry work on RDAP (Registration Data Access Protocol) targeted those gaps. RDAP uses predictable JSON objects over HTTPS (and related conventions for discovery, errors, and bootstrapping), so clients can map registration data without bespoke screen scraping. Contract and policy timelines stretched the rollout. ICANN phased in RDAP requirements for gTLDs from the late 2010s, and many ccTLDs and operators followed on their own schedules, so global coverage lagged while port 43 WHOIS stayed familiar and widely reachable. Over time, RDAP deployment matured. Today RDAP is the practical successor for structured access, and many workflows treat WHOIS as legacy even where it still answers on port 43. See RDAP and WHOIS vs RDAP for format and comparison detail.

Thick vs thin registries

Some domain registries operate as thick registries, meaning they hold and return complete registration data (registrant contact, admin contact, registrar, dates). Others are thin registries: they hold only the registrar of record and the name servers, referring clients to the registrar's own WHOIS server for full details. The .com and .net registries were historically thin (requiring a two-step lookup) but transitioned to a thick model. Most newer gTLDs and ccTLDs operate as thick registries.
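The three mechanics described above (the raw port 43 exchange, the label-normalizing parse that freeform registrar output forces on any client, and the registry-to-registrar referral a thin registry requires) in one added Python example. This is illustrative code written for this page, not a client from any registrar, registry or tool. The server names whois.registry.example and whois.registrar.example, both sample responses and the label-variant table are constructed assumptions; whois_query() is the real network function, and lookup() is exercised offline through fake_query so the parsing and referral logic can be inspected without touching a live server.

```python
import socket
from datetime import datetime, timezone

# Label variants seen across registries/registrars, mapped to one canonical key.
# Constructed, illustrative list; a production parser needs a far longer table.
LABELS = {
    "registrar": ("registrar", "sponsoring registrar"),
    "registrar_whois_server": ("registrar whois server", "whois server"),
    "creation_date": ("creation date", "created on", "created", "registered on"),
    "expiration_date": ("registry expiry date", "expiration date", "expires on", "paid-till"),
    "updated_date": ("updated date", "last updated", "changed"),
    "registrant": ("registrant name", "registrant organization", "registrant"),
    "name_servers": ("name server", "nserver"),
    "status": ("domain status", "status"),
}
LABEL_INDEX = {v: k for k, vs in LABELS.items() for v in vs}
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")


def whois_query(server: str, domain: str, timeout: float = 10.0) -> str:
    """Raw port 43 exchange: one TCP connection, one CRLF-terminated query, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_date(value: str):
    """Normalize the date spellings different servers use; None when unrecognized."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_whois(text: str) -> dict:
    """Best-effort parse of freeform 'Label: value' output into canonical keys."""
    record = {"name_servers": [], "status": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue  # comments, legal notices, database-update trailer
        label, sep, value = line.partition(":")
        key = LABEL_INDEX.get(label.strip().lower())
        value = value.strip()
        if not sep or key is None or not value:
            continue
        if key == "name_servers":
            record["name_servers"].append(value.lower())
        elif key == "status":
            record["status"].append(value.split()[0])  # drop the trailing EPP URL, keep the code
        elif key.endswith("_date"):
            record.setdefault(key, parse_date(value))
        else:
            record.setdefault(key, value)  # first occurrence wins
    return record


def lookup(domain: str, registry_server: str, query=whois_query) -> dict:
    """Thin-registry flow: the registry names the registrar's WHOIS server, so query it too."""
    record = parse_whois(query(registry_server, domain))
    referral = record.get("registrar_whois_server")
    if referral:
        for key, value in parse_whois(query(referral, domain)).items():
            if isinstance(value, list):  # union list-valued fields, preserving order
                record[key] = list(dict.fromkeys(record.get(key, []) + value))
            elif value is not None:
                record.setdefault(key, value)  # registrar fills what the registry omitted
    return record


# Constructed sample responses standing in for two servers with different conventions.
SAMPLE_RESPONSES = {
    "whois.registry.example": """\
   Domain Name: EXAMPLE.COM
   Registrar WHOIS Server: whois.registrar.example
   Creation Date: 2019-03-02T10:15:00Z
   Registry Expiry Date: 2025-03-02T10:15:00Z
   Registrar: Example Registrar, LLC
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
""",
    "whois.registrar.example": """\
Domain Name: example.com
Registrar: Example Registrar, LLC
Created On: 02-Mar-2019
Registrant Name: REDACTED FOR PRIVACY
Status: clientTransferProhibited
Name Server: ns1.example.net
Name Server: ns2.example.net
% Terms of use: provided for informational purposes only.
""",
}


def fake_query(server: str, domain: str) -> str:
    """Offline stand-in for whois_query() that serves the constructed responses."""
    return SAMPLE_RESPONSES[server]
```

Calling `lookup("example.com", "whois.registry.example", query=fake_query)` runs the two-step flow against the constructed responses: the registry record supplies registrar, dates, status codes and name servers, the referral supplies the (redacted) registrant, and the two servers' different label spellings and letter cases collapse into one record. Swapping `fake_query` for the default `whois_query` turns the same function into a live client.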

Key data fields

A WHOIS record typically includes:

  • Registrant. The organization or individual that registered the domain (often redacted post-GDPR).
  • Registrar. The company through which the domain was registered (e.g., GoDaddy, Namecheap).
  • Creation date. When the domain was first registered.
  • Expiration date. When the registration expires.
  • Updated date. When the record was last modified.
  • Name servers. The authoritative DNS servers for the domain.
  • Status codes. EPP status codes like clientTransferProhibited or serverDeleteProhibited that indicate registry-level locks.

GDPR impact

The EU's General Data Protection Regulation (2018) fundamentally changed what public WHOIS could show. Registrars must limit personal data in responses for registrants covered by GDPR. In practice, most registrars now redact registrant name, email, address, and phone for all domains by default. Anonymous WHOIS (port 43 or equivalent) does not include a way to authenticate and receive fuller contact data in the same query.

Follow-on access to nonpublic registration data is a separate step. Paths include each registrar's disclosure policy, legal or contractual process, RDAP tiered access where a registry implements authenticated responses for approved requestors, and for gTLD names, ICANN's Registration Data Request Service (RDRS), a centralized system where qualified requestors with a legitimate interest (in categories the program defines, such as law enforcement, cybersecurity, intellectual property, and government roles) submit standardized requests to participating registrars. Eligibility, registrar participation, ccTLD coverage, and outcomes still vary, so nothing restores the old public WHOIS snapshot for every domain in one unauthenticated query.

The shift targeted how registration data was published, not the wire format alone. WHOIS and RDAP both became channels where the same privacy rules apply, but the hit to utility landed hardest on the mental model of WHOIS as an open phone book. Fields that analysts once expected in a single query often no longer appear in public output, so the protocol's investigative value dropped even where port 43 or a web form still responds.

Post-2018 records are often limited to registrar identity, registration dates, name servers, and status codes. That remains useful for triage but is far less revealing than pre-GDPR public data. The WHOIS vs RDAP comparison covers how RDAP's tiered access and policy layers relate to the same privacy constraints.

Rate limiting

WHOIS servers impose rate limits to curb abuse and bulk harvesting. When a client exceeds policy, the server may slow replies, drop connections, or temporarily block the source address. Sustained investigation volume usually means spacing queries, reusing cached answers, or licensing bulk registration data from vendors instead of relying on live port 43 traffic alone.
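The two client-side measures the paragraph names, spacing queries and reusing cached answers, as an added Python example written for this page rather than taken from any WHOIS tool. The query function is injected so the class can be exercised offline with a fake clock; in use it would wrap a port 43 client. The interval and TTL values, the server names and the fake responses are constructed assumptions, not any server's published policy.

```python
import time
from math import inf


class ThrottledWhois:
    """Client-side pacing plus a response cache in front of a raw WHOIS query function.

    `query(server, domain) -> str` is injected so the class runs offline here; in use it
    would be a port 43 client. Pacing is tracked per server because each server enforces
    its own limits. min_interval and cache_ttl are illustrative defaults, not a policy.
    """

    def __init__(self, query, min_interval=2.0, cache_ttl=3600.0,
                 clock=time.monotonic, sleep=time.sleep):
        self._query, self._min_interval, self._cache_ttl = query, min_interval, cache_ttl
        self._clock, self._sleep = clock, sleep
        self._last_sent = {}  # server -> monotonic time of the last query sent to it
        self._cache = {}      # (server, domain) -> (time stored, response text)
        self.stats = {"queries": 0, "cache_hits": 0, "waited": 0.0}

    def lookup(self, server: str, domain: str) -> str:
        key = (server, domain.lower().rstrip("."))
        now = self._clock()
        cached = self._cache.get(key)
        if cached and now - cached[0] < self._cache_ttl:
            self.stats["cache_hits"] += 1
            return cached[1]  # reuse: no port 43 traffic at all
        wait = self._last_sent.get(server, -inf) + self._min_interval - now
        if wait > 0:
            self._sleep(wait)  # space queries instead of letting the server drop us
            self.stats["waited"] += wait
        response = self._query(server, domain)
        sent = self._clock()
        self._last_sent[server] = sent
        self._cache[key] = (sent, response)
        self.stats["queries"] += 1
        return response


class FakeClock:
    """Deterministic clock so the pacing can be shown without real sleeps."""

    def __init__(self, start=1000.0):
        self.t = start

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def demo():
    """Four lookups: two to one server back to back, a repeat, and one to a second server."""
    clock, calls = FakeClock(), []

    def fake_query(server, domain):  # constructed stand-in for the network client
        calls.append((server, domain))
        return f"Domain Name: {domain}\nRegistrar: Example Registrar, LLC\n"

    client = ThrottledWhois(fake_query, min_interval=2.0, cache_ttl=600.0,
                            clock=clock.now, sleep=clock.sleep)
    client.lookup("whois.registry.example", "a.example")  # first query, no wait
    client.lookup("whois.registry.example", "b.example")  # same server: waits 2.0 s
    client.lookup("whois.registry.example", "a.example")  # cached: nothing sent
    client.lookup("whois.other.example", "c.example")     # other server: own budget, no wait
    return client.stats, calls
```

`demo()` returns the counters after the four lookups: three queries actually sent, one cache hit, and 2.0 s of enforced spacing, all against the fake clock. Keying the last-sent time per server rather than globally matters because limits are imposed by each server independently; a single global interval would slow unrelated lookups for no benefit.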

Investigative uses

Despite its limitations, WHOIS data supports several investigative workflows central to domain protection:

  • Registration timing. A domain registered hours before a phishing campaign is suspicious.
  • Registrar patterns. Certain registrars appear disproportionately in abuse campaigns.
  • Name server clustering. Domains sharing unusual name servers may belong to the same operator.
  • Historical WHOIS. Commercial providers archive WHOIS snapshots, enabling investigators to see past registrant data even if current records are redacted.
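The first three workflows above (registration timing, registrar patterns, name server clustering), run over the fields that the GDPR section notes still survive in public output, as an added Python example written for this page rather than taken from any product. The records, domain names, registrar names and observation time are constructed; the 30-day and 24-hour thresholds are illustrative assumptions, not a standard.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

OBSERVED_AT = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)  # when the analyst saw the domains


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed records in the shape a WHOIS parser would emit; none is a real registration.
RECORDS = [
    {"domain": "login-examplebank.example", "registrar": "Registrar A",
     "creation_date": utc(2024, 6, 10, 3, 0), "registrant": "REDACTED FOR PRIVACY",
     "name_servers": ["ns1.oddhost.example", "ns2.oddhost.example"]},
    {"domain": "examplebank-secure.example", "registrar": "Registrar A",
     "creation_date": utc(2024, 6, 9, 8, 0), "registrant": "REDACTED FOR PRIVACY",
     "name_servers": ["ns1.oddhost.example", "ns2.oddhost.example"]},
    {"domain": "examplebank.example", "registrar": "Registrar B",
     "creation_date": utc(2005, 1, 15, 0, 0), "registrant": "Example Bank Ltd",
     "name_servers": ["ns1.examplebank.example", "ns2.examplebank.example"]},
    {"domain": "newsletter-tools.example", "registrar": "Registrar C",
     "creation_date": utc(2022, 11, 1, 9, 30), "registrant": "REDACTED FOR PRIVACY",
     "name_servers": ["ns1.bigdns.example", "ns2.bigdns.example"]},
]


def _ns_key(record):
    return frozenset(ns.lower() for ns in record["name_servers"])


def triage(records, observed_at=OBSERVED_AT, young=timedelta(days=30)):
    """Flag each domain on fields that survive redaction: age, registrant redaction, shared NS."""
    by_ns = defaultdict(list)
    for r in records:
        by_ns[_ns_key(r)].append(r["domain"])
    findings = {}
    for r in records:
        age = observed_at - r["creation_date"]
        flags = []
        if age < timedelta(days=1):
            flags.append("registered-within-24h")
        if age < young:
            flags.append("newly-registered")
        if r.get("registrant", "").upper().startswith("REDACTED"):
            flags.append("registrant-redacted")
        siblings = [d for d in by_ns[_ns_key(r)] if d != r["domain"]]
        if siblings:
            flags.append("shares-name-servers")
        findings[r["domain"]] = {"age_days": age.days, "flags": flags, "siblings": siblings}
    return findings


def prioritize(findings):
    """Most flags first; ties broken alphabetically so the order is stable."""
    return sorted(findings, key=lambda d: (-len(findings[d]["flags"]), d))


def registrar_counts(records):
    """Registrar pattern view: how the set under review distributes across registrars."""
    return Counter(r["registrar"] for r in records)
```

Running `prioritize(triage(RECORDS))` puts the hours-old domain that shares name servers with another fresh registration at the top and the long-lived domain with a named registrant at the bottom, which is the ordering an analyst wants before spending time on DNS, certificate transparency or content review. Redaction on its own is deliberately only one flag: post-2018 it is the default for most domains, so it separates nothing by itself.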

WHOIS is often one of the first lookups analysts perform when investigating a suspicious domain. Registration dates, registrar identity, and name server configuration provide immediate context that helps prioritize whether a domain merits deeper investigation through DNS analysis, certificate transparency, and content review. Integrating WHOIS lookups into a domain monitoring workflow ensures this context is captured automatically as new threats surface.
