WHOIS is one of the oldest protocols on the internet — a query-response system for looking up registration information about domain names and IP address blocks. When you want to know who registered a domain, when it expires, or which organisation controls an IP range, WHOIS is where you look.
The name "WHOIS" (pronounced "who is") literally asks: who is responsible for this resource? The protocol dates back to 1982, when the internet was a small academic network and network operators needed a way to contact each other to report problems.
When you register a domain name, your registrar submits your details to the domain registry. This data is publicly queryable via WHOIS. A typical domain WHOIS record includes:
Key fields explained:
IP address blocks are managed by Regional Internet Registries (RIRs). Each RIR maintains a WHOIS database recording which organisation was assigned each IP range. An IP WHOIS record typically contains:
The abuse contact is particularly useful for security researchers and sysadmins — it gives you a direct channel to report spam, DDoS attacks, or other malicious activity originating from that IP block.
The traditional WHOIS protocol (RFC 3912) returns plain, unstructured text with no standardised format — each registrar and registry has slightly different output. This makes it difficult to parse programmatically.
RDAP (Registration Data Access Protocol), defined in RFCs 7480–7484 (2015), is the modern replacement. It offers:
ICANN mandated RDAP support for all gTLD registrars in August 2019. Our tool uses RDAP when available, falling back to WHOIS for legacy TLDs.
Before the EU's General Data Protection Regulation (GDPR) took effect in May 2018, domain WHOIS records were fully public. You could look up any domain and see the registrant's full name, home address, phone number, and email.
GDPR changed this dramatically. Because personal data of EU residents cannot be published without a legal basis, registrars began redacting personal information from public WHOIS records. Today, most .com, .net, and .org domain records show:
Law enforcement agencies can still request unredacted data from registrars through legal processes. Legitimate security researchers can request access through ICANN's SSAD (System for Standardized Access/Disclosure) framework.
WHOIS and RDAP data are invaluable for threat intelligence and domain investigation:
Before trusting a website or clicking a link, check when the domain was registered. Phishing domains are often registered days or hours before a campaign launches. A domain claiming to be a bank but registered last week is a major red flag.
Domains used in malware campaigns, phishing kits, or spam operations often share registrar accounts, name servers, or registration patterns. WHOIS data helps analysts cluster related domains and map attacker infrastructure.
If you receive spam from a server or discover a site hosting malware, the WHOIS abuse contact gives you the right email to report it to the hosting provider or ISP.
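The registration-age check and the abuse-contact lookup described above can both be done against RDAP's structured JSON. The following Python is an added example, not code from this page's tool: it parses a constructed RDAP domain response, and the sample record, the function names and the 30-day "recently registered" threshold are all assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response in the RFC 9083 shape; every value is made up.
SAMPLE_RDAP = json.loads("""
{"objectClassName": "domain", "ldhName": "SECURE-BANK-LOGIN.EXAMPLE",
 "events": [{"eventAction": "registration", "eventDate": "2024-05-28T09:14:02Z"},
            {"eventAction": "expiration", "eventDate": "2025-05-28T09:14:02Z"}],
 "nameservers": [{"ldhName": "NS2.DNS-HOST.EXAMPLE"}, {"ldhName": "ns1.dns-host.example"}],
 "entities": [
   {"roles": ["registrar"],
    "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar LLC"]]],
    "entities": [
      {"roles": ["abuse"],
       "vcardArray": ["vcard", [["fn", {}, "text", "Abuse Desk"],
                                ["email", {}, "text", "abuse@registrar.example"]]]}]}]}
""")

def registration_age_days(rdap, now):
    # Whole days since the "registration" event, or None if it is not published.
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "registration":
            when = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            if when.tzinfo is None:  # tolerate a date published without an offset
                when = when.replace(tzinfo=timezone.utc)
            return (now - when).days
    return None

def vcard_values(entity, prop):
    # vcardArray is jCard: ["vcard", [[name, params, type, value], ...]]
    props = (entity.get("vcardArray") or ["vcard", []])[1]
    return [p[3] for p in props if p[0] == prop]

def find_role(entities, role):
    # Entities nest: the abuse contact usually sits under the registrar entity.
    for ent in entities or []:
        if role in ent.get("roles", []):
            yield ent
        yield from find_role(ent.get("entities"), role)

def triage(rdap, now, young_days=30):  # young_days is an assumed threshold
    age = registration_age_days(rdap, now)
    abuse = [mail for ent in find_role(rdap.get("entities"), "abuse")
             for mail in vcard_values(ent, "email")]
    return {
        "domain": rdap.get("ldhName", "").lower(), "age_days": age,
        "recently_registered": age is not None and age < young_days,
        "nameservers": sorted(n["ldhName"].lower() for n in rdap.get("nameservers", [])),
        "abuse_emails": abuse,
    }
```

Lower-casing and sorting the name servers gives a stable value for clustering related domains, and a record with no registration event yields `age_days` of `None` rather than a false "old domain" verdict.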