DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.


WHOIS Lookup

A protocol and distributed database system for querying domain registration information, including registrant details, registration and expiration dates, name servers, and registrar data.

Definition

WHOIS is a query-and-response protocol used to retrieve registration records for internet resources — primarily domain names, but also IP address blocks and autonomous system numbers. The data is maintained by registrars and regional internet registries (RIRs) such as ARIN, RIPE, and APNIC. A WHOIS record typically includes the registrant name and organization, registrar, registration and expiration dates, name server assignments, and contact details. ICANN mandates minimum data retention standards, though GDPR and similar regulations have caused many registrars to redact personal contact fields since 2018.

Why It Matters

WHOIS data is a foundational element of domain-based threat investigation. Analysts use it to identify who registered a domain, when it was registered relative to an incident, which registrar was used, and whether infrastructure clusters share registration patterns. Newly registered domains are a common indicator of phishing and malware delivery campaigns. WHOIS history — maintained by third-party providers even after redaction — enables attribution across campaigns by surfacing shared registrant emails, phone numbers, or name server patterns used before privacy protections were applied.

How It Works

A WHOIS client opens a TCP connection to the WHOIS server of the relevant registry or registrar (port 43 by default) and sends a plain-text query. For generic TLDs such as .com and .net, the client first queries Verisign's registry WHOIS server, which returns a registry-level record naming the authoritative registrar WHOIS server, and then re-queries that server for the full record. For ccTLDs, each country registry operates its own WHOIS service with its own data fields and access policies. RDAP (Registration Data Access Protocol) is the modern successor to WHOIS: it returns structured JSON, supports authentication, and is increasingly adopted by registries in place of the legacy plain-text format.
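As an added example (not DFIR Lab's own code), a minimal Python client that follows the registry-then-registrar referral described above and parses the key/value record into fields an analyst checks first: registrar server, name servers, and domain age relative to an incident time. `whois_query` and `lookup` do network I/O; `parse_record` and `domain_age_days` run offline against the constructed sample. The registry host, the `domain <name>` query syntax, and every sample value are assumptions.

```python
import socket
from datetime import datetime

REGISTRY = {"com": "whois.verisign-grs.com", "net": "whois.verisign-grs.com"}  # assumed .com/.net host

def whois_query(server, query, timeout=10.0):
    """Send one plain-text query to a WHOIS server on TCP/43 (network I/O)."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_record(text):
    """Parse 'Key: value' lines into {key: [values]}; repeated keys (Name Server) accumulate."""
    record = {}
    for line in map(str.strip, text.splitlines()):
        if ":" not in line or line.startswith((">>>", "%", "#")):
            continue  # skips comments, disclaimers and the trailing '>>> Last update' marker
        key, _, value = line.partition(":")
        if value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def domain_age_days(record, observed_at):
    """Days from Creation Date to an ISO-8601 event time; a small value means a newly registered domain."""
    created = record.get("creation date")
    if not created:
        return None  # field redacted or absent (common for ccTLDs)
    iso = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return (iso(observed_at) - iso(created[0])).days

def lookup(domain):
    """Registry query first, then re-query the registrar server it names (network I/O)."""
    tld = domain.rsplit(".", 1)[-1].lower()
    record = parse_record(whois_query(REGISTRY[tld], f"domain {domain}"))
    registrar = record.get("registrar whois server", [None])[0]
    return parse_record(whois_query(registrar, domain)) if registrar else record

# Constructed registry-level response for the offline part of the example; not a real record.
SAMPLE_REGISTRY_RESPONSE = """\
   Domain Name: EXAMPLE-LURE.COM
   Registrar WHOIS Server: whois.registrar.example
   Creation Date: 2024-03-01T10:15:00Z
   Name Server: NS1.EXAMPLE-DNS.EXAMPLE
   Name Server: NS2.EXAMPLE-DNS.EXAMPLE
>>> Last update of whois database: 2024-03-03T00:00:00Z <<<
"""
```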

DFIR Platform

Exposure Scanner

The DFIR Lab Exposure Scanner includes WHOIS data as one of its 11 intelligence providers, surfacing registration metadata as part of a domain's external attack surface profile. The Domain Lookup tool at dfir-lab.ch/domain-lookup also provides WHOIS records directly.


Related Concepts

Attack Surface Management, DNS Security, Passive DNS
