What Is a WHOIS Lookup?
A WHOIS lookup is a query against the registration record that a domain registry or registrar keeps for a domain name. The result — historically called a "WHOIS record" — tells you who registered the domain (or a privacy proxy, if enabled), which company manages the registration, when it was created and when it expires, which nameservers it points to, and what status codes are currently applied to it.
The name comes from the original protocol, defined in RFC 3912, which is a simple text-based query/response system: a client opens a TCP connection on port 43, sends a domain name terminated by a carriage return and line feed, and the server replies with plain text before closing the connection. RFC 3912 itself documents the protocol's limits — it has no authentication, no encryption, and no defined character set for internationalized text, since it predates modern security expectations by decades.
WHOIS data is used for a wide range of practical tasks: verifying who controls a domain before a business deal, checking when a domain you manage is due to expire, confirming that a DNS or nameserver change propagated to the registry, investigating phishing or abuse domains, and researching a competitor's infrastructure history. Every domain has a registry-level record (held by the registry that operates the top-level domain, e.g., Verisign for .com) and, for most gTLDs, a registrar-level record (held by the company you bought the domain from, e.g., GoDaddy or Namecheap) — a two-tier structure known as "thin" (registry) and "thick" (registrar) WHOIS.
Since January 2025, the underlying protocol for gTLDs has technically changed from WHOIS to RDAP, but the query is still colloquially called a "WHOIS lookup" — see WHOIS vs RDAP below.
How Does a WHOIS Lookup Work?
A WHOIS or RDAP query follows a referral chain, not a single flat database. Here's the sequence for a .com domain:
- Registry query. The client (a WHOIS tool, RDAP client, or command-line utility) first queries the registry's WHOIS/RDAP server for the top-level domain —
whois.verisign-grs.comfor.comand.net. IANA maintains the authoritative list of registry WHOIS servers per TLD. - Registrar referral. The registry response includes a
Registrar WHOIS Serverfield pointing to the domain's actual registrar (the company the owner bought the domain from). - Registrar query. The client queries that registrar's server for the full record, which includes contact data (if not redacted), nameservers, and status codes.
- Response parsing. The client displays or parses the plain-text (WHOIS) or JSON (RDAP) response.
Here's what a real referral chain looks like using the command-line whois client against a .com domain:
$ whois example.com
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://res-dom.iana.org
Updated Date: 2024-08-14T07:01:34Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: signedDelegation
example.com is reserved for documentation under RFC 2606, so its registrar is IANA itself — a normal commercial domain's output will show a public registrar (Namecheap, GoDaddy, Cloudflare, etc.) and, in almost every case today, REDACTED FOR PRIVACY in place of registrant name, email, and address.
What Information Does a WHOIS Lookup Reveal?
The fields below are what a WHOIS/RDAP query returns for a typical gTLD domain in 2026. Registrant contact fields are redacted by default; the rest is public.
| Field | Typical Visibility | What It Tells You |
|---|---|---|
| Registrar | Public | The company managing the registration (e.g., GoDaddy, Namecheap, Cloudflare) |
| Creation Date | Public | When the domain was first registered |
| Registry Expiry Date | Public | When the current registration period ends |
| Updated Date | Public | Last time the registration record changed |
| Name Servers | Public | Which DNS provider or host controls the domain's records |
| Domain Status (EPP codes) | Public | Transfer/delete/update locks and lifecycle state — see table below |
| DNSSEC | Public | Whether the domain has a signed DS record at the registry |
| Registrant Name/Org | Redacted (default) | Domain owner — visible only if privacy is disabled or the registrant opts in |
| Registrant Email/Phone | Redacted (default) | Contact details — replaced with REDACTED FOR PRIVACY or a proxy address |
The registrar and expiry date are the two fields most people actually need day to day — the registrar tells you who to contact for a transfer or dispute, and the expiry date tells you whether a domain is about to lapse. Both remain public even on privacy-protected domains, since ICANN's registrar accreditation agreement requires that operational registry data stay accessible.
Why Is WHOIS Data Redacted or Hidden?
Registrant name, email, phone, and postal address are hidden on most domains today because of privacy regulation, not a registrar policy choice. When the EU's General Data Protection Regulation (GDPR) took effect in 2018, ICANN adopted a Temporary Specification directing registrars and registries to redact personal data from public WHOIS output for any registrant whose data falls under GDPR scope. In practice, nearly every registrar applies this redaction globally — not just to EU registrants — because maintaining two separate WHOIS pipelines is operationally impractical.
When redaction is active, you'll see placeholder text like REDACTED FOR PRIVACY in the registrant name, organization, email, and phone fields, sometimes alongside a registrar-hosted proxy email (e.g., abc123@privacy-protect.example) that forwards messages to the real registrant without exposing their address. This is distinct from a paid "WHOIS privacy" add-on, which some registrars still sell — the GDPR-driven redaction happens automatically at the registry/registrar level regardless of whether the owner pays for an extra privacy product.
Non-redacted (public) data still includes the registrar, dates, nameservers, and status codes, because that information is operationally necessary — anyone resolving or managing the domain needs it, and none of it identifies an individual.
What Do EPP Domain Status Codes Mean?
Every domain carries one or more EPP (Extensible Provisioning Protocol) status codes, defined by ICANN, that describe locks and lifecycle state. These are one of the most misread parts of a WHOIS record — a code like clientHold explains why a domain suddenly stopped resolving, and pendingDelete explains why an expired domain vanished from search.
| Status Code | Set By | What It Means |
|---|---|---|
ok | Registry | No restrictions — the default state when nothing else applies |
clientTransferProhibited | Registrar | Registrar-side lock blocking transfer to another registrar |
clientHold | Registrar | Domain removed from the zone file — site and email stop resolving |
clientDeleteProhibited | Registrar | Registrar-side lock blocking deletion |
clientUpdateProhibited | Registrar | Registrar-side lock blocking record changes |
autoRenewPeriod | Registry | 45-day grace period after auto-renewal where the registrar can still get a refund |
redemptionPeriod | Registry | 30-day window after expiry where the domain can be restored (usually for a redemption fee) |
pendingDelete | Registry | Final 5-day window before an expired, unredeemed domain is released back to the public pool |
If you manage a domain and see clientHold, the fix is usually a billing or verification issue with the registrar, not a DNS problem — check the registrar account before troubleshooting DNS records with a DNS Lookup tool.
WHOIS vs RDAP: What Changed in 2025?
On January 28, 2025, ICANN formally sunset the legacy WHOIS protocol for generic top-level domains (gTLDs), replacing it with RDAP (Registration Data Access Protocol) as the required, authoritative source for registration data — confirmed in ICANN's official announcement. Registries and registrars for gTLDs (.com, .org, .net, and the newer TLDs under ICANN contracts) are contractually required to run RDAP; the old port-43 WHOIS service is being progressively decommissioned.
RDAP, standardized in RFC 9082 (query format) and RFC 9083 (JSON responses), fixes the structural problems RFC 3912 documented in WHOIS:
| WHOIS (RFC 3912) | RDAP (RFC 9082/9083) | |
|---|---|---|
| Transport | Raw TCP, port 43 | HTTPS |
| Response format | Unstructured plain text | Structured JSON |
| Authentication | None | Supports OAuth/bearer tokens for differentiated access |
| Internationalization | No defined character set | UTF-8 native |
| Machine parsing | Requires per-registrar text scraping | Standard schema, directly parseable |
For most day-to-day lookups this is invisible — "WHOIS lookup" tools and the term itself persisted, and many now query RDAP endpoints under the hood while presenting the same familiar output. Country-code TLDs (ccTLDs like .io, .co, .uk) are not bound by the ICANN gTLD contract and may continue running legacy WHOIS servers indefinitely, so a .uk or .io lookup may still hit port 43 directly.
How Do You Run a WHOIS Lookup?
Command line (macOS/Linux):
whois example.com
Command line (Windows, via WSL or a WHOIS client, since Windows has no built-in whois):
nslookup -type=NS example.com
# then query the registrar's RDAP endpoint directly for full detail
RDAP query (structured JSON, works on any OS with curl):
curl -s "https://rdap.verisign.com/com/v1/domain/example.com" | head -40
Browser tool: for a formatted result with no terminal required, use the WHOIS Lookup tool — it resolves the registry-to-registrar referral chain automatically and displays registrar, dates, nameservers, and status codes in one view. Pair it with the NS Lookup tool to confirm the nameservers WHOIS reports are actually the ones answering DNS queries — a mismatch between the two usually means a nameserver change hasn't propagated yet at the registry.
Common WHOIS Lookup Issues and Fixes
Problem: "No match for domain" on a domain you know is registered. Cause: you queried the wrong WHOIS server, or the domain uses a ccTLD with a non-standard server. Fix: use a tool that resolves the correct registry server automatically, or check IANA's WHOIS server list for that TLD.
Problem: Registrant name shows REDACTED FOR PRIVACY and you need to contact the owner.
Cause: GDPR-driven redaction (see above) — this is expected on the vast majority of domains today, not a sign of anything suspicious.
Fix: use the registrar's proxy email if one is listed, or the registrar's abuse contact form if the request involves abuse or a legal matter.
Problem: WHOIS shows different nameservers than what's actually resolving. Cause: a nameserver change at the registrar hasn't finished propagating at the registry, or a caching resolver is serving stale data. Fix: check the registry-level record directly (it updates faster than some caching WHOIS mirrors), and cross-check with a DNS Propagation Checker to see the live answer from resolvers worldwide.
Problem: A .io, .co, or other ccTLD lookup times out or returns nothing.
Cause: some ccTLD registries run rate-limited or web-only WHOIS services rather than an open port-43 server.
Fix: check the ccTLD registry's own website for a web-based lookup, since RDAP mandates only apply to ICANN-contracted gTLDs, not ccTLDs.
Key Takeaways
- ✓ A WHOIS lookup returns registrar, dates, nameservers, and EPP status codes for a domain — registrant contact data is redacted by default under GDPR-driven policy.
- ✓ The legacy WHOIS protocol (port 43, plain text, defined in RFC 3912) was formally sunset for gTLDs by ICANN on January 28, 2025, replaced by RDAP (RFC 9082/9083) over HTTPS with JSON output.
- ✓ Lookups follow a referral chain — registry server first, then a redirect to the domain's registrar server for the full record.
- ✓ EPP status codes like
clientHoldorpendingDeleteexplain lifecycle states that a plain "domain not resolving" symptom won't. - ✓ ccTLDs (
.io,.co,.uk, etc.) aren't bound by the ICANN gTLD RDAP mandate and may still run legacy WHOIS servers.
Frequently Asked Questions
Q: What does a WHOIS lookup show?
A WHOIS lookup shows a domain's registrar, creation and expiration dates, nameservers, and EPP status codes. Registrant name, email, and phone are redacted by default on almost all domains due to GDPR-driven privacy rules.
Q: Is WHOIS lookup free?
Yes. WHOIS and RDAP are public registration-data services required by ICANN's registry/registrar agreements, so any WHOIS tool, RDAP endpoint, or command-line whois client can query them at no cost.
Q: Why can't I see who owns a domain in WHOIS?
Since 2018, ICANN's GDPR-driven Temporary Specification requires registrars to redact registrant name, email, and phone from public WHOIS/RDAP output by default, showing REDACTED FOR PRIVACY instead.
Q: What is the difference between WHOIS and RDAP?
WHOIS (RFC 3912) is an unencrypted, plain-text, port-43 protocol with no defined character set. RDAP (RFC 9082/9083) replaced it for gTLDs on January 28, 2025, using HTTPS and structured JSON with support for differentiated, authenticated access.
Q: How do I find out when a domain expires?
Run a WHOIS lookup and check the "Registry Expiry Date" field, which is public even when the registrant's contact details are redacted. The WHOIS Lookup tool displays this directly.
Q: What does clientTransferProhibited mean in a WHOIS record?
It's an EPP status code set by the registrar that blocks the domain from being transferred to another registrar. It's a normal anti-hijacking lock, not an error — it must be removed by the current registrar before a transfer can proceed.
Q: Can I do a WHOIS lookup on an IP address?
Yes. WHOIS also covers IP address allocations, managed by the five Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) instead of domain registrars — the query returns the allocated network block and the organization it was assigned to.
Next Steps
Run a live lookup with the WHOIS Lookup tool, then cross-check the nameservers it reports against the NS Lookup tool and the live DNS answer from the DNS Lookup tool. If you're chasing a redirect or migration issue instead of a registration question, the Website Redirect Checker traces the HTTP chain a WHOIS record can't show you.