In 1982, Elizabeth Feinler's group at the Stanford Research Institute Network Information Center needed a way to look up who was responsible for a given network resource. The solution was a simple text-based query-response protocol that would later be formalized as WHOIS in RFC 812 and updated in RFC 3912. Four decades later, this protocol -- designed for a few hundred host records on ARPANET -- remains the primary mechanism through which billions of domain registration records are queried every year. It was never intended to handle privacy regulations, internationalized domain names, or the sheer scale of the modern namespace. And yet, understanding how to read WHOIS data remains one of the most practical skills in domain intelligence.
A WHOIS lookup queries a registration database and returns whatever the registrar and registry choose to expose about a domain's ownership and configuration. The output is plain text with no formal schema, which means field names, formatting, and data availability vary across registrars. Despite this inconsistency, the information revealed by a WHOIS record -- even a heavily redacted one -- can answer fundamental questions: when was a domain registered, who controls its DNS, which registrar manages it, and whether it is locked, expired, or pending deletion.
What a WHOIS Record Contains
A complete WHOIS record is divided into several sections, though the exact formatting depends on the registry and registrar. Some fields are almost always present regardless of privacy settings, while others are increasingly redacted. Understanding which fields survive redaction -- and what each one tells you -- is the foundation of practical WHOIS analysis.
Registrar and Registry Information
Every WHOIS record identifies the registrar (the company through which the domain was purchased, such as Namecheap, GoDaddy, or Cloudflare Registrar) and the registry (the organization that operates the TLD, such as Verisign for .com or Donuts for many new gTLDs). The registrar's WHOIS server URL and abuse contact are typically included. This information is always public because it is essential for operational accountability. When investigating a suspicious domain, the registrar identity alone can be informative: certain registrars are disproportionately favored by threat actors due to lenient verification, while others are popular with enterprises for their security features.
Registrant, Admin, and Tech Contacts
Historically, WHOIS records included full contact details for three roles: the registrant (domain owner), the administrative contact, and the technical contact. Each section could contain a name, organization, street address, email, phone, and fax number. Since 2018, these fields are usually redacted for domains with European registrants or registrars that apply privacy protections globally. You will typically see "REDACTED FOR PRIVACY" or a privacy proxy organization name like "Withheld for Privacy ehf" or "Contact Privacy Inc." The registrant organization field is sometimes still visible when the registrant is a company rather than an individual, depending on the registrar's interpretation of data protection rules.
Dates: Creation, Update, and Expiry
Three dates appear in virtually every WHOIS record and remain visible even under maximum privacy settings. The creation date tells you when the domain was first registered in its current registration period. The updated date reflects the last time the WHOIS record was modified, which could be a contact change, a DNS update, a registrar transfer, or simply an auto-renewal. The expiry date indicates when the registration will lapse if not renewed. These dates are deceptively simple. A creation date of 1997 on a .com suggests a long-established presence, but only if you also check WHOIS history to confirm the domain was not dropped and re-registered. An expiry date two weeks away on a domain serving production traffic is an immediate red flag.
Nameservers
The nameserver entries in a WHOIS record identify which DNS servers are authoritative for the domain. These are always public because they are operationally necessary for DNS resolution. Nameservers reveal hosting infrastructure: ns1.cloudflare.com points to Cloudflare, ns-cloud-a1.googledomains.com points to Google Cloud DNS, dns1.registrar-servers.com points to Namecheap's default hosting. Shared nameservers across multiple domains can indicate common ownership or infrastructure, which is a key signal in both brand protection and threat investigation.
Status Codes
The domain status field contains one or more EPP (Extensible Provisioning Protocol) status codes that describe the current operational state and any restrictions on the domain. These codes are among the most useful fields in a WHOIS record and are always visible. A domain with clientTransferProhibited is locked against unauthorized transfers. A domain in redemptionPeriod has been deleted by its registrar and is in a grace period before release. We will cover these in detail in a dedicated section below.
WHOIS Privacy and GDPR: Why Most Records Are Redacted
Before May 2018, a WHOIS lookup on most domains would return the registrant's full name, organization, street address, email, and phone number. The European Union's General Data Protection Regulation changed that. ICANN, the organization that coordinates global domain name policy, issued a Temporary Specification requiring registrars to redact personal data from public WHOIS output for domains with registrants in GDPR jurisdictions. In practice, most major registrars extended this redaction globally rather than implementing jurisdiction-specific logic.
The result is that the majority of WHOIS records queried in 2026 show redacted contact fields. But "redacted" does not mean "empty." A redacted WHOIS record still exposes the registrar name and abuse contact, all three dates (creation, update, expiry), nameserver entries, EPP status codes, and DNSSEC delegation status. For many investigative and operational purposes, these fields are more reliable and more consistently formatted than contact information ever was.
Privacy and proxy services predate GDPR. Companies like Domains By Proxy (owned by GoDaddy) and Withheld for Privacy ehf have offered WHOIS masking for years. Under these arrangements, the proxy organization's contact details replace the actual registrant's details in the public record. The registrar still holds the real registrant data and can disclose it in response to valid legal process such as a court order or UDRP complaint. ICANN's System for Standardized Access/Disclosure (SSAD) was designed to provide a formal channel for requesting non-public registration data, but adoption has been slow due to cost and procedural complexity.
How to Read WHOIS Status Codes
EPP status codes are the most technically precise field in a WHOIS record. Each code describes a specific restriction or state applied to the domain by either the registrar (client-level codes) or the registry (server-level codes). A healthy, actively managed domain typically shows clientTransferProhibited at minimum, meaning the registrar has locked it against unauthorized transfers. Enterprise domains often add clientDeleteProhibited and clientUpdateProhibited for full registry lock.
The distinction between client and server prefixes matters. A clientHold status means the registrar has suspended the domain, usually due to a billing dispute or abuse complaint. A serverHold means the registry itself has intervened, often because of a law enforcement request or a policy violation. Both remove the domain from DNS resolution, but they point to different escalation paths for getting the domain restored: the registrar in the first case, the registry in the second.
Essential EPP Status Codes
- ok -- The domain has no pending operations or restrictions. This is the default state and is removed when any other status is applied.
- clientTransferProhibited -- The registrar has locked the domain against transfer to another registrar. This is standard practice and indicates active management.
- clientDeleteProhibited -- The registrar has locked the domain against deletion. Common on high-value domains where accidental deletion would be catastrophic.
- clientUpdateProhibited -- The registrar has locked the domain against contact or nameserver changes. Part of a full registry lock configuration.
- serverTransferProhibited -- The registry has locked the domain against transfer. Applied during disputes, the first 60 days after registration, or as part of a registry lock service.
- serverHold -- The registry has removed the domain from DNS. The domain will not resolve. This often indicates a legal hold, policy violation, or law enforcement action.
- clientHold -- The registrar has removed the domain from DNS. Common reasons include non-payment, abuse complaints, or registrant verification failures.
- pendingDelete -- The domain is scheduled for deletion and will be released for general registration. No changes can be made. This follows the redemption period.
- redemptionPeriod -- The domain has been deleted by the registrar and is in a 30-day grace period. The original registrant can restore it (usually for a fee) but no one else can register it yet.
- pendingTransfer -- A registrar transfer has been initiated and is awaiting approval or the five-day auto-approval window.
- autoRenewPeriod -- The domain has been auto-renewed by the registry and the registrar has a grace period (typically 45 days) to cancel the renewal if it was unintended.
- addPeriod -- The domain was recently registered and is within the initial add grace period (typically 5 days), during which it can be deleted for a full refund.
When you see multiple status codes combined, read them as a set. A domain showing clientDeleteProhibited, clientTransferProhibited, clientUpdateProhibited, serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited has full registry lock enabled -- this is the gold standard for domain security on high-value names like bank.com or google.com. Conversely, a domain showing only pendingDelete is hours or days away from being dropped and becoming available for registration.
Reading a Raw WHOIS Record
Raw WHOIS output is plain text with no standardized schema. Field names and formatting vary across registrars and registries. Here is what a typical WHOIS response looks like for a well-known domain, showing both registry-level (thin) and registrar-level (thick) data.
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://www.iana.org
Updated Date: 2024-08-14T07:01:38Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority
Registrar IANA ID: 376
Registrar Abuse Contact Email: abuse@iana.org
Registrar Abuse Contact Phone: +1.3108239358
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: signedDelegation
DNSSEC DS Data: 370 13 2 BE74359954660069D5C63D200C39F5603827D7DD02B56F120EE9F3A86764247C
>>> Last update of WHOIS database: 2026-04-16T10:23:45Z <<<
Several things stand out in this record. The creation date of August 1995 makes example.com one of the older .com registrations. The registrar is IANA (Internet Assigned Numbers Authority), which is unusual -- this domain is reserved for documentation purposes per RFC 2606. The three client-level lock statuses indicate full registrar-side protection. DNSSEC shows signedDelegation with a DS record, meaning DNSSEC validation is active. The nameservers are IANA's own authoritative servers. Even without any registrant contact information, this record tells a clear story about the domain's purpose, age, security posture, and operational control.
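As an added example (not code from the article or from DomScan), here is a Python parser for a record like the one above that also applies the reading rules from the EPP status code section: it turns "Label: value" lines into a normalized record, strips the icann.org/epp URL from each status, and derives the findings an analyst checks first. The abridged record is constructed from the one quoted above; the alternative field labels and the 30-day thresholds are assumptions.

```python
from datetime import datetime
# Constructed input: the example.com record quoted above, abridged to the fields parsed here.
RAW_WHOIS = """\
Domain Name: EXAMPLE.COM
Updated Date: 2024-08-14T07:01:38Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: signedDelegation
>>> Last update of WHOIS database: 2026-04-16T10:23:45Z <<<
"""

CLIENT_LOCKS = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}
SERVER_LOCKS = {"serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited"}
STATE_FLAGS = {"serverHold": "suspended by the registry, not in DNS",
               "clientHold": "suspended by the registrar, not in DNS",
               "pendingDelete": "dropping: scheduled for deletion, no changes possible",
               "redemptionPeriod": "deleted: 30-day redemption period, original registrant only"}

def parse_whois(text):
    # 'Label: value' lines into a dict of lists, since labels such as Name Server repeat
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue  # blank lines, the database-timestamp banner, free-text footer lines
        label, value = line.split(":", 1)
        fields.setdefault(label.strip().lower(), []).append(value.strip())
    return fields

def normalize(fields):
    # registrars label the same field differently, so each lookup tries alternatives in order
    get = lambda *labels: next((fields[l][0] for l in labels if fields.get(l)), None)
    date = lambda v: datetime.fromisoformat(v.replace("Z", "+00:00"))  # ISO 8601 with trailing Z
    return {
        "domain": get("domain name").lower(),
        "registrar": get("registrar"),
        "created": date(get("creation date", "registered on")),
        "updated": date(get("updated date", "last updated")),
        "expires": date(get("registry expiry date", "registrar registration expiration date")),
        "nameservers": sorted(ns.lower() for ns in fields.get("name server", [])),
        "status": {v.split()[0] for v in fields.get("domain status", [])},  # drop the epp URL
        "dnssec": get("dnssec") == "signedDelegation",
    }

def assess(record, now):
    # the checks an analyst runs first: suspension, deletion pipeline, lock depth, the dates
    st = record["status"]
    findings = [flag for code, flag in STATE_FLAGS.items() if code in st]
    if CLIENT_LOCKS | SERVER_LOCKS <= st:
        findings.append("full registry lock (client and server locks)")
    elif CLIENT_LOCKS <= st:
        findings.append("registrar lock (client-level only)")
    days_left = (record["expires"] - now).days
    if days_left < 30:
        findings.append(f"expires in {days_left} days")
    if (now - record["created"]).days < 30:
        findings.append("registered less than 30 days ago")
    return findings
```

Run against the record with a clock set shortly before its expiry date, the assessment reports a registrar-level lock and an imminent expiry, which is exactly what the prose reading above concludes.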
WHOIS vs RDAP: The Protocol Transition
WHOIS has fundamental design limitations that no amount of convention can fully address. The protocol has no standard data format (responses are free-form text), no authentication mechanism, no internationalization support, no structured error handling, and no way to differentiate access levels. Registration Data Access Protocol (RDAP), specified in RFC 9224 and related RFCs, was designed to solve all of these problems.
RDAP returns structured JSON responses with consistent field names across all registries and registrars. It supports HTTP-based access control, which means registries can offer tiered data access -- public users see redacted data, while authenticated law enforcement or brand protection agents can see more. It handles internationalized contact data natively through jCard (RFC 7095). And it uses standard HTTP status codes for error handling rather than WHOIS's approach of returning error messages as unstructured text that looks identical to valid responses.
As of 2026, ICANN requires all gTLD registries and registrars to support RDAP, and most do. The major ccTLD operators (.uk, .de, .au, .nl, .br) have implemented RDAP services, though some still maintain parallel WHOIS servers. The practical reality is that both protocols will coexist for years. Many tools and workflows still rely on WHOIS, and some ccTLDs have not announced RDAP timelines. DomScan's RDAP Lookup queries the modern protocol directly, returning structured data that is easier to parse and compare across registrars than raw WHOIS text.
- Format: WHOIS returns free-form text; RDAP returns structured JSON.
- Authentication: WHOIS has none; RDAP supports OAuth and other HTTP-based auth for tiered access.
- Internationalization: WHOIS is ASCII-only in practice; RDAP handles Unicode natively via jCard.
- Error handling: WHOIS errors are indistinguishable from responses; RDAP uses standard HTTP status codes.
- Referrals: WHOIS uses ad-hoc referral mechanisms; RDAP uses HTTP redirects with standardized link relations.
- Rate limiting: WHOIS rate limiting varies wildly and is unadvertised; RDAP uses standard HTTP 429 responses.
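The same normalization applied to an RDAP response, as an added example that is not taken from the article or from any registry's implementation: the sample response is constructed using the RFC 9083 domain-object field names, the status mapping follows the RFC 8056 correspondence between RDAP status values and EPP codes, and the registrar name is read from the jCard (RFC 7095) array. The output has the same flat shape a raw-WHOIS parser would produce, so records from either protocol can be compared directly.

```python
import json
from datetime import datetime

# Constructed RDAP response for example.com using the RFC 9083 domain object's real field
# names (status, events, nameservers, secureDNS, entities); values mirror the WHOIS record above.
RDAP_JSON = json.dumps({
    "objectClassName": "domain",
    "ldhName": "EXAMPLE.COM",
    "status": ["client delete prohibited", "client transfer prohibited", "client update prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2024-08-14T07:01:38Z"},
        {"eventAction": "expiration", "eventDate": "2025-08-13T04:00:00Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "A.IANA-SERVERS.NET"},
        {"objectClassName": "nameserver", "ldhName": "B.IANA-SERVERS.NET"},
    ],
    "secureDNS": {"delegationSigned": True},
    "entities": [{
        "objectClassName": "entity",
        "roles": ["registrar"],
        "publicIds": [{"type": "IANA Registrar ID", "identifier": "376"}],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "RESERVED-Internet Assigned Numbers Authority"]]],
    }],
})

def rdap_status_to_epp(status):
    # RFC 8056 maps RDAP's lower-case, space-separated status values onto EPP codes
    # ("client transfer prohibited" -> clientTransferProhibited); "active" is EPP "ok".
    # RDAP-only values such as "locked" or "reserved" have no EPP form and pass through.
    if status == "active":
        return "ok"
    words = status.split()
    return words[0] + "".join(w.capitalize() for w in words[1:])

def normalize_rdap(text):
    """Reduce an RDAP domain object to the same flat shape a raw-WHOIS parser would produce."""
    doc = json.loads(text)
    events = {e["eventAction"]: datetime.fromisoformat(e["eventDate"].replace("Z", "+00:00"))
              for e in doc.get("events", [])}
    registrar = next((e for e in doc.get("entities", []) if "registrar" in e.get("roles", [])), {})
    iana_id = next((p["identifier"] for p in registrar.get("publicIds", [])
                    if p.get("type") == "IANA Registrar ID"), None)
    name = next((item[3] for item in registrar.get("vcardArray", ["vcard", []])[1]
                 if item[0] == "fn"), None)  # jCard (RFC 7095): [name, params, type, value]
    return {
        "domain": doc["ldhName"].lower(),
        "registrar": name,
        "registrar_iana_id": iana_id,
        "created": events.get("registration"),
        "updated": events.get("last changed"),
        "expires": events.get("expiration"),
        "nameservers": sorted(ns["ldhName"].lower() for ns in doc.get("nameservers", [])),
        "status": {rdap_status_to_epp(s) for s in doc.get("status", [])},
        "dnssec": bool(doc.get("secureDNS", {}).get("delegationSigned", False)),
    }
```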
Practical WHOIS Investigation Techniques
A single WHOIS record answers a narrow question: who registered this domain and when. The investigative value increases dramatically when you start comparing records across multiple domains, looking for patterns that connect seemingly unrelated registrations. This is where WHOIS transitions from a lookup tool to an intelligence source.
Registrar Clustering
When investigating a set of suspicious domains -- say, twenty domains used in a phishing campaign -- the registrar field is often the first useful pivot. Threat actors tend to favor specific registrars, either because of automated registration APIs, low verification requirements, or favorable bulk pricing. If fifteen of twenty domains were registered through the same registrar within the same week, that is a pattern worth escalating to the registrar's abuse team with a single coordinated complaint rather than twenty individual reports.
Creation Date Clusters
Domains registered in tight time clusters often share a common purpose. A set of lookalike domains all created within the same 48-hour window suggests automated registration, whether for brand protection (defensive registrations by the brand owner), typosquatting campaigns, or SEO spam networks. The creation date is especially useful because it is immutable for the current registration period -- unlike nameservers or contacts, it cannot be changed to obscure the connection. DomScan's Domain Profile normalizes these dates across multiple data sources to make cluster detection straightforward.
Nameserver Overlap
Shared nameservers are one of the strongest signals of common infrastructure. If you are investigating a domain and discover it uses nameservers like ns1.suspicioushost.net and ns2.suspicioushost.net, a reverse nameserver lookup will reveal every other domain pointing to the same servers. This technique regularly uncovers the full scope of phishing or malware networks that would be invisible from individual WHOIS lookups alone. Even when the nameservers are a major provider like Cloudflare or AWS Route 53, the combination of shared nameservers plus shared registrar plus similar creation dates builds a strong circumstantial case for common ownership.
Historical WHOIS Analysis
Current WHOIS data shows only the present state. For investigations, the history of changes is often more revealing. A domain that changed registrars three times in six months, switched nameservers from a major CDN to an obscure provider, and had its registrant organization field modified from a real company name to "REDACTED FOR PRIVACY" tells a story of possible compromise or unauthorized transfer. WHOIS History makes these transitions visible by preserving snapshots over time, so you can see exactly when each change occurred and correlate it with other events like DNS changes, SSL certificate issuance, or website content modifications.
The most experienced investigators combine WHOIS data with DNS records, certificate transparency logs, passive DNS, and web archives. No single data source provides the complete picture. But WHOIS is almost always the starting point because it answers the most basic question: who was responsible for this domain at a given point in time.
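An added example (not DomScan's code) that runs the three pivots described above, registrar clustering, creation-date windows, and nameserver overlap, over a constructed set of normalized records and joins the pairwise links into clusters with the evidence for each link. All domain names, registrar names, and nameservers in the sample are invented; the 48-hour window is the one the text uses.

```python
from datetime import datetime, timedelta, timezone

def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample: five normalized records (domain names, "Registrar A/B" and
# the suspicioushost.net nameservers are invented for the example).
RECORDS = [
    {"domain": "examp1e-login.com", "registrar": "Registrar A", "created": _utc("2026-03-01T02:10:00"),
     "nameservers": {"ns1.suspicioushost.net", "ns2.suspicioushost.net"}},
    {"domain": "exarnple-secure.com", "registrar": "Registrar A", "created": _utc("2026-03-02T11:45:00"),
     "nameservers": {"ns1.suspicioushost.net", "ns2.suspicioushost.net"}},
    {"domain": "example-billing.net", "registrar": "Registrar A", "created": _utc("2026-03-02T19:30:00"),
     "nameservers": {"ns1.otherdns.example", "ns2.otherdns.example"}},
    {"domain": "example-support.org", "registrar": "Registrar B", "created": _utc("2025-11-20T08:00:00"),
     "nameservers": {"ns1.suspicioushost.net", "ns2.suspicioushost.net"}},
    {"domain": "example.com", "registrar": "RESERVED-Internet Assigned Numbers Authority",
     "created": _utc("1995-08-14T04:00:00"), "nameservers": {"a.iana-servers.net", "b.iana-servers.net"}},
]
WINDOW = timedelta(hours=48)

def pivot_counts(records, key):
    """How many domains share each value of a field; the registrar column is the usual first pivot."""
    counts = {}
    for r in records:
        counts[r[key]] = counts.get(r[key], 0) + 1
    return counts

def link_reasons(a, b, window=WINDOW):
    """Evidence that two records belong together: shared nameservers, or same registrar in one window."""
    reasons = []
    shared = a["nameservers"] & b["nameservers"]
    if shared:
        reasons.append("shared nameservers: " + ", ".join(sorted(shared)))
    if a["registrar"] == b["registrar"] and abs(a["created"] - b["created"]) <= window:
        reasons.append(f"same registrar, created within {window.total_seconds() / 3600:.0f}h")
    return reasons

def cluster(records, window=WINDOW):
    """Union-find over pairwise links; returns clusters (largest first) and the per-pair evidence."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    evidence = {}
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            reasons = link_reasons(a, b, window)
            if reasons:
                evidence[(a["domain"], b["domain"])] = reasons
                parent[find(a["domain"])] = find(b["domain"])
    groups = {}
    for r in records:
        groups.setdefault(find(r["domain"]), set()).add(r["domain"])
    return sorted(groups.values(), key=len, reverse=True), evidence
```

On the sample, the three Registrar A domains link through the creation window, the older support domain joins them through the shared nameservers, and example.com stays on its own; the evidence map is what goes into a coordinated abuse report.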
When WHOIS Data Matters Most
WHOIS data supports decisions across security, legal, business, and operational contexts. The common thread is that someone needs to determine who controls a domain, how long they have controlled it, and whether the current state is expected or anomalous.
M&A Due Diligence
When acquiring a company, its domain portfolio is a material asset. Due diligence teams use WHOIS to verify that the company actually owns the domains it claims, that registrations are not about to expire, that domains are registered through reputable registrars, and that there are no pending transfers or disputes. A domain portfolio where half the names are registered under a former employee's personal email, expiring in different months with no auto-renewal, managed across four different budget registrars, is a portfolio that carries hidden operational risk. WHOIS data exposes that risk before the deal closes.
Brand Protection
Brand owners monitor WHOIS data to detect unauthorized registrations of domains containing their trademarks. When a cybersquatter registers a lookalike domain, the WHOIS creation date establishes when the infringement began, the registrar identity determines where to file a UDRP complaint or abuse report, and the registrant information (when available) may reveal the infringer's identity or connect the domain to a larger pattern of abusive registrations. Domain Monitor automates this surveillance by tracking changes to WHOIS records, DNS configuration, and domain availability over time.
Incident Response
During a security incident -- phishing attack, malware distribution, business email compromise -- the incident response team needs to act fast. WHOIS data on the attacker's domain reveals the registrar (where to send a takedown request), the creation date (a domain registered hours before the attack is strong evidence of malicious intent), the nameservers (which infrastructure provider to contact), and the status codes (whether the domain is already flagged or suspended). Speed matters here: the difference between a takedown request filed with the correct registrar abuse desk versus a generic report to the wrong organization can be measured in hours of continued exposure.
Competitive Intelligence
WHOIS data can reveal competitive moves before they are publicly announced. A competitor registering new product-related domains, securing domains in country-code TLDs they do not currently operate in, or transferring domains to an enterprise registrar may be signaling an upcoming launch or market expansion. This is not speculative when combined with other signals: new domain registrations plus new SSL certificates plus new DNS records for those domains paints a clear picture of infrastructure being prepared for something.
Domain Purchasing
Before making an offer on an aftermarket domain, WHOIS data tells you who you are negotiating with (or at least which privacy service is fronting for them), how long they have held the domain, whether the registration is about to expire (which affects leverage), and whether the domain has any restrictions that might complicate a transfer. A domain in serverHold or pendingDelete status requires a very different purchasing approach than one with clean clientTransferProhibited status and three years until expiry.
Building a WHOIS Workflow
Effective WHOIS analysis is rarely a single lookup. It is a workflow that starts with a question, uses initial WHOIS data to generate hypotheses, and then expands through related lookups and cross-referencing with other data sources. A practical workflow might start with a WHOIS lookup on a suspicious domain, note the registrar and creation date, check WHOIS history for recent changes, pull the Domain Profile for normalized DNS and hosting context, and then use the nameserver and registrar information to search for related domains.
The shift from WHOIS to RDAP does not change this workflow -- it improves it. Structured JSON responses are easier to parse programmatically, consistent field names reduce normalization effort, and tiered access control means that authorized investigators may eventually be able to see data that raw WHOIS queries can no longer access. The investigative logic stays the same; the data quality goes up.
Whatever the context -- security investigation, brand monitoring, due diligence, or competitive research -- the fundamental value of WHOIS has not changed since 1982. It answers the question that every other analysis depends on: who is responsible for this domain, and what does the registration state tell us about their intentions. The protocol may be aging, but the question it answers is as relevant as ever.