A WHOIS record is a structured data set maintained by domain registrars and registries that documents the registration details for a domain name. A complete WHOIS record contains multiple categories of information. Registrant information includes the name, organization, email address, postal address, and phone number of the entity that registered the domain. Registrar information identifies the accredited registrar through which the domain was registered, including the registrar's name and IANA-assigned registrar ID number. Administrative and technical contacts may be listed separately from the registrant, identifying individuals responsible for the domain's administration and DNS infrastructure.
The WHOIS record also documents the domain's lifecycle dates: the creation date (when the domain was first registered), the last updated date, and the expiration date (when the registration expires if not renewed). The record lists the authoritative nameservers currently delegated for the domain, which identify the DNS hosting provider. Domain status codes — a set of EPP (Extensible Provisioning Protocol) status values — indicate the current operational state of the domain and which operations are permitted or restricted by the registrar and registry. These status codes have important security implications that are discussed in detail below.
- Registrant details: name, organization, email, phone, postal address (subject to GDPR redaction)
- Registrar identification: registrar name and IANA registrar ID number
- Lifecycle dates: domain creation date, last update date, and registration expiration date
- Nameservers: the authoritative nameservers currently delegated for the domain's DNS
- Domain status codes: EPP status values indicating operational state and permitted operations
The original WHOIS protocol, defined in RFC 3912, operates on TCP port 43 and returns plain-text responses in a format that varies significantly between registrars and registries; there is no standardized data format, which makes automated parsing unreliable. A WHOIS query is made by opening a TCP connection to the appropriate WHOIS server (the registry server for TLD-level data, or the registrar server for registrant-level data) and sending the domain name as a plain-text line. For thin registries such as .com and .net, the registry response names the sponsoring registrar and its WHOIS server in a "Registrar WHOIS Server:" line, and a second query to that server is needed for contact data. The command-line tool whois example.com, available on most Unix-like systems, performs this lookup and follows the referral automatically. WHOIS has no transport encryption and no authentication, so responses can be observed or altered in transit, and most servers rate-limit queries aggressively.
RDAP (Registration Data Access Protocol), standardized by the IETF in RFC 7480 through RFC 7484 (query and response formats since revised in RFC 9082 and RFC 9083), is the modern replacement for WHOIS. RDAP uses HTTPS for transport, returns structured JSON responses with a standardized schema, supports authentication and differentiated access levels, provides internationalization support, and links related objects (registrar, registrant, nameservers) as structured relationships. RDAP queries are HTTPS GET requests to the RDAP base URL published for each TLD in IANA's bootstrap registry (https://data.iana.org/rdap/dns.json); community redirectors such as https://rdap.org/domain/example.com look up that entry and redirect to the authoritative server. ICANN has required RDAP support from all gTLD registries and registrars since August 2019, making it the preferred protocol for programmatic domain data access in modern tooling.
- WHOIS: TCP port 43, plain text, no standard format — each registrar formats responses differently
- RDAP: HTTPS, structured JSON, standardized schema, supports authentication and differentiated access
- Command-line WHOIS: whois example.com, available on Linux and macOS by default
- RDAP query: https://rdap.org/domain/example.com returns a structured JSON response
- ICANN has mandated RDAP support for all gTLD registries and registrars since August 2019
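The following Python example, added here and not part of the original page, shows what the structured RDAP response looks like in practice: it parses an RDAP domain object (the RFC 9083 JSON shape) into the record fields listed above, pulls the IANA registrar ID from the registrar entity, detects a redacted registrant, and maps RDAP status strings back to the EPP codes that WHOIS displays (the inverse of the RFC 8056 mapping). The SAMPLE document, the registrar name, IANA ID 9999 and every hostname are constructed placeholders; fetch_rdap is a live helper that the offline demo does not call.

```python
"""Parse an RDAP domain object (RFC 9083 JSON) into WHOIS-style fields and
translate RDAP status values back to EPP codes. SAMPLE is constructed."""
import json
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 8056 defines the EPP -> RDAP status mapping; this is its inverse for the
# values that matter most to security work.
RDAP_TO_EPP = {
    "active": "ok",
    "client delete prohibited": "clientDeleteProhibited",
    "client hold": "clientHold",
    "client transfer prohibited": "clientTransferProhibited",
    "client update prohibited": "clientUpdateProhibited",
    "server delete prohibited": "serverDeleteProhibited",
    "server hold": "serverHold",
    "server transfer prohibited": "serverTransferProhibited",
    "server update prohibited": "serverUpdateProhibited",
    "pending delete": "pendingDelete",
    "redemption period": "redemptionPeriod",
}


@dataclass
class DomainRecord:
    domain: str
    registrar: Optional[str] = None
    registrar_iana_id: Optional[str] = None
    registrant_name: Optional[str] = None
    registrant_email: Optional[str] = None
    created: Optional[str] = None
    updated: Optional[str] = None
    expires: Optional[str] = None
    nameservers: List[str] = field(default_factory=list)
    status: List[str] = field(default_factory=list)  # EPP codes


def _vcard_field(entity, name):
    """First value of a jCard property ('fn', 'email', ...) on an RDAP entity."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None


def _iana_registrar_id(entity):
    for pid in entity.get("publicIds", []):
        if pid.get("type") == "IANA Registrar ID":
            return pid.get("identifier")
    return None


def parse_rdap(doc: dict) -> DomainRecord:
    rec = DomainRecord(domain=doc["ldhName"].lower())
    for ev in doc.get("events", []):  # lifecycle dates live in the events array
        action, when = ev.get("eventAction"), ev.get("eventDate")
        if action == "registration":
            rec.created = when
        elif action == "expiration":
            rec.expires = when
        elif action == "last changed":
            rec.updated = when
    rec.nameservers = sorted(ns["ldhName"].lower() for ns in doc.get("nameservers", []))
    rec.status = [RDAP_TO_EPP.get(s, s) for s in doc.get("status", [])]
    for ent in doc.get("entities", []):  # registrar/registrant are entities with roles
        roles = ent.get("roles", [])
        if "registrar" in roles:
            rec.registrar = _vcard_field(ent, "fn")
            rec.registrar_iana_id = _iana_registrar_id(ent)
        if "registrant" in roles:
            rec.registrant_name = _vcard_field(ent, "fn")
            rec.registrant_email = _vcard_field(ent, "email")
    return rec


def is_redacted(rec: DomainRecord) -> bool:
    """GDPR/privacy redaction shows up as a missing email or a placeholder name."""
    return rec.registrant_email is None or "REDACTED" in (rec.registrant_name or "").upper()


def fetch_rdap(domain: str, timeout: int = 10) -> dict:
    """Live lookup via the rdap.org redirector; not exercised by the offline demo."""
    req = urllib.request.Request(f"https://rdap.org/domain/{domain}",
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample shaped like a gTLD registry answer with a redacted registrant.
SAMPLE = {
    "objectClassName": "domain",
    "ldhName": "EXAMPLE-CORP.COM",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2021-03-04T10:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-03-04T10:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2024-02-11T09:30:00Z"},
    ],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "NS2.EXAMPLE-DNS.NET"},
                    {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE-DNS.NET"}],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar, Inc."]]]},
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]},
    ],
}

if __name__ == "__main__":
    record = parse_rdap(SAMPLE)
    print(record, "redacted:", is_redacted(record))
```

Unknown RDAP status strings are passed through unchanged rather than dropped, so a registry-specific value still shows up in the output instead of silently disappearing.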
The General Data Protection Regulation, which began to apply on 25 May 2018, fundamentally changed the availability of personal data in WHOIS records. For domains registered by natural persons whose data falls under the GDPR, registrars must redact or anonymize personal data (name, email address, postal address, and phone number) from publicly accessible WHOIS responses. ICANN's Temporary Specification for gTLD Registration Data, adopted the same month, imposed this requirement across all gTLD registrars and registries, and because determining which registrants the GDPR covers is error-prone, most large registrars redact personal data for all registrants rather than only those in the European Economic Area. Registrars replaced personal contact data with generic registrar contact information, a web form or anonymized email address for contacting the registrant, or privacy service proxy details.
Domain privacy and proxy services further obscure registrant identity for registrants worldwide, not just EU residents. These services replace the registrant's personal information in WHOIS records with the privacy service's contact information, forwarding emails and potentially calls to the actual registrant. While these services have legitimate privacy use cases, protecting individuals from spam and harassment, they also complicate security investigations by hiding the identity of domain operators. Tiered access models, where law enforcement, intellectual property professionals, and accredited security researchers can request access to underlying registrant data through formal processes, are still being implemented by the industry under ICANN's policies; ICANN's Registration Data Request Service (RDRS), launched in late 2023, routes such requests to participating registrars but does not guarantee disclosure.
- GDPR since May 2018: personal data of EU registrants must be redacted from public WHOIS responses
- Domain privacy services replace registrant contact data with proxy contact information globally
- Redacted WHOIS still shows: registrar, creation date, expiry date, nameservers, and status codes
- Tiered access: law enforcement and accredited researchers may request underlying data through formal processes
- RDAP's authentication support enables the differentiated access model GDPR tiered access requires
Security professionals use WHOIS data extensively in threat intelligence operations, incident response, and phishing investigations. When investigating a phishing domain, the registrant email address, when visible, can be cross-referenced against other known malicious domains to map the threat actor's infrastructure. Even when personal data is redacted, the registrar, creation date, and nameservers provide valuable pivoting points: domains registered at the same registrar through the same privacy service with similar creation dates may be part of the same phishing campaign. Nameserver correlation is particularly powerful because threat actors often reuse the same DNS hosting infrastructure across many malicious domains, but it only discriminates when the nameservers are rare; a pivot on the nameservers of a large DNS provider returns millions of unrelated domains and proves nothing.
WHOIS data also supports abuse reporting and takedown requests. When a phishing site or command-and-control domain is identified, the registrar identified in the WHOIS record is the correct point of contact for abuse reports and domain suspension requests. ICANN's 2013 Registrar Accreditation Agreement requires registrars to publish an abuse contact email and phone number, which appear in the registrar's own WHOIS output as "Registrar Abuse Contact Email" and "Registrar Abuse Contact Phone". The registrar can place a domain on clientHold status, which removes its delegation from the TLD zone so it stops resolving while the registration itself remains intact; the registry can impose the equivalent serverHold, which the registrar cannot remove. Either is usually faster than a full deletion in emergency abuse scenarios, and a hold is reversible if the report turns out to be wrong.
- Phishing investigation: registrant email cross-reference across malicious domain databases
- Infrastructure correlation: group domains by shared registrar, nameservers, or creation date patterns
- Threat intelligence enrichment: WHOIS data adds context to IP addresses and domain indicators
- Abuse reporting: registrar abuse contact for suspension via clientHold; registry for a serverHold in emergencies
- OSINT pivot: even redacted WHOIS provides registrar, creation date, expiry, and nameserver data
Current WHOIS data shows only the present registration state of a domain, but historical WHOIS data can reveal how a domain's ownership, infrastructure, or operational purpose has changed over time. DomainTools and SecurityTrails both maintain extensive archives of historical WHOIS snapshots, enabling analysts to look back at who registered a domain years ago when it may have been used for malicious purposes, even if ownership has since changed. These historical records also reveal patterns in domain creation and registration behavior that help attribute campaigns to specific threat actors.
Passive DNS databases complement historical WHOIS data by recording which IP addresses a domain has historically resolved to, based on resolutions observed by sensors on real resolver traffic rather than on active queries. While WHOIS shows who registered a domain, passive DNS shows which servers have hosted it over time. Farsight DNSDB (part of DomainTools since 2021) and RiskIQ (now Microsoft Defender Threat Intelligence) are the leading passive DNS providers used by security researchers. Combining passive DNS pivots (finding all domains that resolved to a specific IP address) with WHOIS pivots (finding all domains registered by a specific entity) enables comprehensive infrastructure mapping during threat actor attribution and incident investigation. The same caveat as for nameservers applies to IP pivots: an address belonging to a CDN or shared hosting provider is shared by too many tenants to attribute anything.
- DomainTools: commercial historical WHOIS archive with reverse WHOIS search by email or name
- SecurityTrails: historical WHOIS, DNS records, and subdomain enumeration data
- Farsight DNSDB: passive DNS database recording historical A, MX, NS, and other record resolutions
- Reverse WHOIS: find all domains registered by a specific email address or organization
- Passive DNS pivot: find all domains that have resolved to a given IP address historically
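The pivoting described in the two sections above (infrastructure correlation on registrant email, nameservers and registrar/creation-date patterns, and passive-DNS overlap on resolved IPs) is a graph walk over an inverted index of indicators. The Python example below is added here and is not code from the original page or from any of the named vendors. It expands outward from a seed domain over "strong" indicators (email, nameserver, IP), refuses to pivot on any indicator shared by more than MAX_FANOUT domains so that a popular DNS provider or shared host does not pull in the whole internet, and records same-registrar/same-week matches only as weak corroboration that is never expanded from. The RECORDS table is constructed for the demo: all domains, hostnames and addresses are placeholders, and the IPs come from the RFC 5737 documentation ranges; in practice the records would come from RDAP, a historical WHOIS archive and a passive-DNS provider.

```python
"""Pivot from a seed domain over WHOIS and passive-DNS indicators. RECORDS and
the thresholds are constructed for this demo."""
from collections import defaultdict, deque
from datetime import date

MAX_FANOUT = 3            # indicator shared by more domains than this is too common to pivot on
CREATION_WINDOW_DAYS = 3  # same registrar + creation dates this close: corroborating only

BIG_DNS = ["ns1.bigdns.example", "ns2.bigdns.example"]            # popular provider (noise)
ACTOR_DNS = ["ns1.bulletproof.example", "ns2.bulletproof.example"]

RECORDS = [  # email is None where a privacy/proxy service or GDPR redaction applies
    {"domain": "secure-login-portal.example", "registrar": "Registrar A", "email": "ops@actor.example",
     "ns": ACTOR_DNS, "created": date(2024, 5, 2), "ips": ["203.0.113.10"]},
    {"domain": "account-verify-now.example", "registrar": "Registrar A", "email": None,
     "ns": ACTOR_DNS, "created": date(2024, 5, 3), "ips": ["203.0.113.10"]},
    {"domain": "invoice-update.example", "registrar": "Registrar A", "email": None,
     "ns": BIG_DNS, "created": date(2024, 5, 3), "ips": ["203.0.113.11"]},
    {"domain": "mfa-reset.example", "registrar": "Registrar B", "email": "ops@actor.example",
     "ns": BIG_DNS, "created": date(2023, 1, 9), "ips": ["198.51.100.5"]},
    {"domain": "benign-blog.example", "registrar": "Registrar C", "email": None,
     "ns": BIG_DNS, "created": date(2019, 7, 1), "ips": ["198.51.100.77"]},
    {"domain": "another-benign.example", "registrar": "Registrar A", "email": None,
     "ns": BIG_DNS, "created": date(2022, 2, 2), "ips": ["198.51.100.78"]},
    {"domain": "third-benign.example", "registrar": "Registrar C", "email": None,
     "ns": BIG_DNS, "created": date(2020, 9, 9), "ips": ["198.51.100.79"]},
]


def strong_keys(record):
    """Indicators that, when rare, tie two domains to the same operator."""
    keys = [("email", record["email"].lower())] if record["email"] else []
    keys += [("ns", ns.lower()) for ns in record["ns"]]
    keys += [("ip", ip) for ip in record["ips"]]
    return keys


def build_index(records):
    """Inverted index: indicator -> domains carrying it (reverse WHOIS / passive DNS)."""
    index = defaultdict(set)
    for r in records:
        for key in strong_keys(r):
            index[key].add(r["domain"])
    return index


def weak_neighbours(record, records):
    """Same registrar and a creation date within the window; never expanded from."""
    return [o["domain"] for o in records
            if o["domain"] != record["domain"] and o["registrar"] == record["registrar"]
            and abs((o["created"] - record["created"]).days) <= CREATION_WINDOW_DAYS]


def pivot(seed, records):
    """Breadth-first expansion over rare strong indicators; returns domain -> evidence."""
    by_domain = {r["domain"]: r for r in records}
    index = build_index(records)
    cluster = {seed: {"strength": "seed", "evidence": []}}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for key in strong_keys(by_domain[current]):
            members = index[key]
            if len(members) > MAX_FANOUT:
                continue  # shared hosting / popular DNS provider: not attributable
            for d in members - {current}:
                entry = cluster.setdefault(d, {"strength": "weak", "evidence": []})
                entry["evidence"].append(f"{key[0]}={key[1]} shared with {current}")
                if entry["strength"] == "weak":  # newly reached, or previously only weakly linked
                    entry["strength"] = "strong"
                    queue.append(d)
        for d in weak_neighbours(by_domain[current], records):
            if d not in cluster:
                cluster[d] = {"strength": "weak",
                              "evidence": [f"registrar + creation window shared with {current}"]}
    return cluster


if __name__ == "__main__":
    for domain, info in pivot("secure-login-portal.example", RECORDS).items():
        print(f"{domain:32} {info['strength']:6} {info['evidence']}")
```

With the constructed data the walk pulls in account-verify-now.example (rare nameservers and a shared IP, even though its email is redacted) and mfa-reset.example (shared registrant email across different registrars), marks invoice-update.example as weak because it only shares a registrar and a creation day, and ignores the three domains whose only common attribute is the popular DNS provider. Tune MAX_FANOUT to the size of your data set: with real reverse-WHOIS and passive-DNS feeds it is typically set far higher, and an explicit allowlist of known shared providers is used alongside it.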
EPP (Extensible Provisioning Protocol) domain status codes appear in WHOIS records and describe the operational state of a domain registration. Codes prefixed with client are set by the sponsoring registrar; codes prefixed with server are set by the registry and cannot be removed by the registrar. The clientTransferProhibited status means the registrar has locked the domain to prevent transfer to another registrar, protecting against domain hijacking through unauthorized transfer. The serverDeleteProhibited status, set by the registry, means the domain cannot be deleted; it is used for important infrastructure domains and as a protective measure by registries, usually together with serverTransferProhibited and serverUpdateProhibited as part of a registry lock service. The clientHold status suspends the domain, removing it from active DNS resolution while leaving the registration in place; it is used by registrars as an abuse enforcement measure, and serverHold is the registry-level equivalent.
The pendingDelete status indicates a domain that has been deleted by its registrant or has expired, has passed through the redemption grace period (30 days for gTLDs, during which the former registrant can still restore it), and is scheduled for final deletion and release back to the registry pool for re-registration. Domains in pendingDelete status are visible in WHOIS and cannot be renewed or recovered. For gTLDs they are released to the drop pool after a 5-day period; ccTLD registries run their own lifecycles, and some have no redemption period at all. Security teams should monitor important brand-adjacent domains as they approach expiration and enter pendingDelete, because typosquatters and brand impersonators actively watch expiring domains of security or commercial value and attempt to register them immediately upon release from the drop pool, often through drop-catching services that submit registration requests at the instant of release.
- clientTransferProhibited: registrar lock preventing transfer; should always be set on production domains
- serverTransferProhibited: registry lock, set by the registry on critical infrastructure domains
- clientHold: domain suspended and removed from DNS; often an abuse enforcement action
- pendingDelete: domain queued for deletion after expiry, released to the drop pool in 5 days
- Always enable registrar lock (clientTransferProhibited) on all domains to prevent unauthorized transfers
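The following Python example is added here and is not code from the original page. It parses a port-43 WHOIS response in the key: value layout that most gTLD WHOIS servers use, extracts the EPP status codes from the "Domain Status:" lines (dropping the trailing icann.org URL), and turns the status codes and expiry date into the findings this section describes: a missing transfer lock, a hold, a redemption or pendingDelete state, and an expiry that is close or already past. The two WHOIS responses, the registrar, IANA ID 9999 and the hostnames are constructed placeholders, and NOW is a fixed evaluation time so the demo is deterministic; run_whois is a live helper around the system whois client that the offline demo does not call. Because WHOIS output is not standardized, the expiry lookup accepts any key ending in "expiry date" or "expiration date"; other registries may need additional key variants.

```python
"""Parse port-43 WHOIS text and assess EPP status and lifecycle state.
SAMPLE_LOCKED, SAMPLE_LAPSED and NOW are constructed for this demo."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Lines look like "Key: value"; keys repeat (Name Server, Domain Status), so collect lists.
KV_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z /]*?):[ \t]*(.+?)[ \t]*$", re.MULTILINE)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed evaluation time


def parse_whois_text(text):
    """Collect 'Key: value' lines into {lowercased key: [values]}."""
    record = {}
    for key, value in KV_RE.findall(text):
        record.setdefault(key.strip().lower(), []).append(value)
    return record


def epp_status(record):
    """'Domain Status: clientHold https://icann.org/epp#clientHold' -> 'clientHold'."""
    return [v.split()[0] for v in record.get("domain status", [])]


def expiry(record):
    """Registries and registrars label the expiry line differently; accept both."""
    for key, values in record.items():
        if key.endswith("expiry date") or key.endswith("expiration date"):
            return datetime.fromisoformat(values[0].replace("Z", "+00:00"))
    return None


def assess(record, now):
    """Return finding codes for the operational state of the domain."""
    codes = set(epp_status(record))
    findings = []
    if not codes & {"clientTransferProhibited", "serverTransferProhibited"}:
        findings.append("NO_TRANSFER_LOCK")       # hijackable by an unauthorized transfer
    if "serverTransferProhibited" in codes:
        findings.append("REGISTRY_LOCK")
    if codes & {"clientHold", "serverHold"}:
        findings.append("ON_HOLD")                # delegation removed, domain not resolving
    if "redemptionPeriod" in codes:
        findings.append("REDEMPTION_PERIOD")      # former registrant can still restore it
    if "pendingDelete" in codes:
        findings.append("PENDING_DELETE")         # drops in ~5 days (gTLD); watch for drop-catching
    exp = expiry(record)
    if exp is not None and exp - now <= timedelta(days=30):
        findings.append("EXPIRES_SOON" if exp > now else "EXPIRED")
    return findings


def run_whois(domain):
    """Live port-43 lookup through the system whois client; not used offline."""
    return subprocess.run(["whois", domain], capture_output=True, text=True, timeout=30).stdout


SAMPLE_LOCKED = """\
Domain Name: EXAMPLE-CORP.COM
Registrar WHOIS Server: whois.example-registrar.test
Registrar URL: http://www.example-registrar.test
Updated Date: 2024-01-15T08:12:30Z
Creation Date: 2015-06-01T12:00:00Z
Registry Expiry Date: 2025-06-01T12:00:00Z
Registrar: Example Registrar, Inc.
Registrar IANA ID: 9999
Registrar Abuse Contact Email: abuse@example-registrar.test
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: unsigned
>>> Last update of whois database: 2024-06-01T00:00:00Z <<<
"""

SAMPLE_LAPSED = """\
Domain Name: OLD-BRAND-PORTAL.COM
Registrar: Example Registrar, Inc.
Registrar IANA ID: 9999
Updated Date: 2024-05-20T00:00:00Z
Creation Date: 2016-05-10T00:00:00Z
Registry Expiry Date: 2024-04-10T00:00:00Z
Domain Status: pendingDelete https://icann.org/epp#pendingDelete
Name Server: NS1.EXAMPLE-DNS.NET
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOCKED, SAMPLE_LAPSED):
        rec = parse_whois_text(sample)
        print(rec["domain name"][0], epp_status(rec), assess(rec, NOW))
```

The locked sample produces no findings; the lapsed one reports NO_TRANSFER_LOCK, PENDING_DELETE and EXPIRED, which is the combination a brand-monitoring job should alert on before the drop. The same assess function can be fed the EPP codes from an RDAP response, which avoids the text-parsing fragility entirely.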