WHOIS Lookup

Query domain registration and IP address allocation information.

About This Tool

The WHOIS Lookup tool queries global WHOIS databases to retrieve registration and ownership information for domain names and IP addresses. WHOIS is a protocol and database system that stores registration data including registrars, nameservers, creation dates, expiration dates, and (historically) registrant contact information. For IP addresses, WHOIS provides allocation details from Regional Internet Registries (RIRs) including network ranges, organization names, and abuse contacts. Whether you're investigating domain ownership, checking domain availability, researching network abuse, or performing due diligence, WHOIS provides authoritative registration data directly from registries and registrars.

How to Use

  1. Enter a domain name (e.g., example.com, github.com) or IP address (e.g., 8.8.8.8)
  2. Click "Lookup" to query the WHOIS database
  3. For domains, view: registrar, registration/expiration dates, nameservers, status
  4. For IP addresses, view: allocation range, organization, country, RIR registry
  5. Check abuse contact for reporting network abuse or security issues
  6. Note: This demo uses simulated data. For production, integrate with a WHOIS API or use the whois command
  7. Try example queries: google.com, github.com, 8.8.8.8, 1.1.1.1

Features

  • Domain WHOIS lookup (registration details)
  • IP address WHOIS lookup (allocation information)
  • Registrar and registry identification
  • Nameserver information
  • Domain status codes
  • Creation, update, and expiration dates
  • Network range and CIDR notation
  • RIR (Regional Internet Registry) identification
  • Abuse contact information
  • Demonstrates WHOIS data structure

Common Use Cases

  • Checking domain ownership and registrar
  • Verifying domain expiration dates (renewal planning)
  • Investigating phishing or malicious domains
  • Due diligence before domain acquisition
  • Identifying nameservers for DNS configuration
  • Reporting network abuse (spam, hacking attempts)
  • IP address allocation research
  • Trademark and brand protection investigations
  • Cybersecurity incident response
  • Network troubleshooting and contact discovery

Technical Details

WHOIS is a query-response protocol (RFC 3174) used to query databases that store registration information for internet resources including domain names, IP addresses, and autonomous systems.

WHOIS Protocol:

  • Port: TCP port 43
  • Format: Plain text query/response protocol
  • Command: whois domain.com or whois 8.8.8.8
  • Servers: Distributed across registries and registrars
  • Referral system: Thick vs thin WHOIS models
    • Thick WHOIS: Registry stores all data (e.g., .com, .net post-2014)
    • Thin WHOIS: Registry refers to registrar WHOIS (legacy .com)

Domain WHOIS Data Fields:

  • Domain Name: The registered domain (e.g., example.com)
  • Registrar: Company that registered the domain (GoDaddy, Namecheap, etc.)
  • Registration Date: When domain was first registered
  • Expiration Date: When domain registration expires
  • Updated Date: Last modification to WHOIS record
  • Status: Domain status codes (see below)
  • Name Servers: Authoritative DNS servers for the domain
  • Registrant: Domain owner (often redacted for privacy)
  • Admin Contact: Administrative contact (often redacted)
  • Tech Contact: Technical contact (often redacted)
  • DNSSEC: Whether DNSSEC is enabled

Domain Status Codes (EPP Status):

  • clientDeleteProhibited: Registrar prevents deletion (security measure)
  • clientTransferProhibited: Registrar prevents transfer to another registrar
  • clientUpdateProhibited: Registrar prevents modifications
  • serverDeleteProhibited: Registry prevents deletion
  • serverHold: Domain suspended, will not resolve (billing issue, abuse)
  • serverTransferProhibited: Registry prevents transfer
  • pendingDelete: Domain in redemption grace period before deletion
  • ok: No special status, fully functional
  • inactive: No nameservers set, domain will not resolve

Privacy Protection (WHOIS Privacy):

  • GDPR Impact: EU General Data Protection Regulation (2018)
    • Registrant personal information redacted by default
    • Only technical data (nameservers, registrar) publicly visible
    • Email addresses replaced with privacy proxy emails
  • ICANN Temporary Specification: Global adoption of privacy redaction
  • Privacy Services: Registrar-provided proxy registration
    • Registrar listed as registrant instead of actual owner
    • Forwards contacts to actual owner
    • Examples: WhoisGuard, Private Registration
  • Access Models:
    • Tiered access: Public, registrar, registry levels
    • Law enforcement access to non-redacted data
    • Legitimate interest requests (trademark holders, etc.)

IP WHOIS (Regional Internet Registries):

  • ARIN: American Registry for Internet Numbers (North America)
    • whois.arin.net
    • Coverage: USA, Canada, Caribbean, Antarctica
  • RIPE NCC: Réseaux IP Européens (Europe, Middle East, Central Asia)
    • whois.ripe.net
    • Coverage: Europe, parts of Middle East and Russia
  • APNIC: Asia-Pacific Network Information Centre
    • whois.apnic.net
    • Coverage: Asia, Pacific, Australia
  • LACNIC: Latin America and Caribbean Network Information Centre
    • whois.lacnic.net
    • Coverage: Latin America, Caribbean
  • AFRINIC: African Network Information Centre
    • whois.afrinic.net
    • Coverage: Africa

IP WHOIS Data Fields:

  • NetRange: IP address range allocated (e.g., 8.8.8.0 - 8.8.8.255)
  • CIDR: Network in CIDR notation (e.g., 8.8.8.0/24)
  • NetName: Network identifier
  • NetHandle: RIR reference number
  • Organization: Entity that owns the IP allocation
  • Country: Country of allocation
  • Allocated: Date of allocation
  • Abuse Contact: Email/phone for reporting abuse
  • Tech Contact: Technical contact information

WHOIS Command-Line Usage:

# Domain WHOIS lookup
whois google.com

# IP WHOIS lookup
whois 8.8.8.8

# Query specific WHOIS server
whois -h whois.arin.net 8.8.8.8

# Show abbreviated output (Linux)
whois google.com | grep -E "Registrar|Expir|Status"

WHOIS API Services:

  • WHOIS XML API: Commercial API with parsed data (whoisxmlapi.com)
  • RDAP: Registration Data Access Protocol (RFC 7483) - modern JSON-based successor to WHOIS
    • Example: https://rdap.arin.net/registry/ip/8.8.8.8
    • Structured JSON output vs plain text
    • Standardized across RIRs
  • DomainTools: Commercial domain research and monitoring
  • WhoisFreaks: API with historical WHOIS data
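
An added example (not part of the original tool) showing how the IP WHOIS fields listed earlier (NetRange, CIDR, NetName, Organization, Country, Abuse Contact) are read from an RDAP "ip network" response. The JSON is a constructed sample using documentation addresses, and the function names are this example's own.

```python
import ipaddress
import json

# Constructed RDAP "ip network" response, trimmed to the members used below.
# Addresses are a documentation range; handles, names and e-mail are made up.
SAMPLE_RDAP = json.loads("""
{"objectClassName": "ip network", "handle": "NET-EXAMPLE-1", "name": "EXAMPLE-NET",
 "startAddress": "198.51.100.0", "endAddress": "198.51.100.255", "country": "US",
 "entities": [
   {"handle": "EXAMPLE-ORG", "roles": ["registrant"],
    "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                             ["fn", {}, "text", "Example Networks"]]],
    "entities": [
      {"handle": "ABUSE-EX", "roles": ["abuse"],
       "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                ["fn", {}, "text", "Abuse Desk"],
                                ["email", {}, "text", "abuse@example.net"]]]}]}]}
""")

def vcard_values(entity, prop):
    """Return every value of one jCard property (e.g. 'email') for an entity."""
    props = entity.get("vcardArray", ["vcard", []])[1]
    return [p[3] for p in props if p[0] == prop]

def find_by_role(obj, role):
    """Walk nested 'entities' arrays and yield each entity that holds `role`."""
    for ent in obj.get("entities", []):
        if role in ent.get("roles", []):
            yield ent
        yield from find_by_role(ent, role)  # abuse contacts often sit under the org

def summarize_network(rdap):
    """Reduce an RDAP ip network object to the IP WHOIS fields described above."""
    start = ipaddress.ip_address(rdap["startAddress"])
    end = ipaddress.ip_address(rdap["endAddress"])
    # A range that is not CIDR-aligned expands to several prefixes.
    cidrs = [str(n) for n in ipaddress.summarize_address_range(start, end)]
    abuse = [m for e in find_by_role(rdap, "abuse") for m in vcard_values(e, "email")]
    org = [n for e in find_by_role(rdap, "registrant") for n in vcard_values(e, "fn")]
    return {"net_range": f"{start} - {end}", "cidr": cidrs,
            "net_name": rdap.get("name"), "handle": rdap.get("handle"),
            "organization": org, "country": rdap.get("country"),
            "abuse_email": abuse}

if __name__ == "__main__":
    print(summarize_network(SAMPLE_RDAP))
```
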

Rate Limiting and Abuse Prevention:

  • WHOIS servers implement rate limits to prevent abuse
  • Typical limits: 10-100 queries per minute per IP
  • Bulk WHOIS access requires special agreements
  • Terms of service prohibit automated scraping for commercial purposes

Historical WHOIS Data:

  • Services like DomainTools archive historical WHOIS records
  • Useful for investigating domain history and ownership changes
  • Can reveal patterns in cybercrime infrastructure

Use Cases in Detail:

  • Domain Expiration Monitoring:
    • Track renewal dates to prevent accidental expiration
    • Monitor competitor or trademark-related domains
    • Domain backorder services use WHOIS to track expirations
  • Phishing Investigation:
    • Check registration date (newly registered domains are suspicious)
    • Identify registrar for takedown requests
    • Find nameservers to understand hosting infrastructure
    • Look for patterns in registrant info (pre-GDPR data)
  • Network Abuse Reporting:
    • Query IP WHOIS for abuse contact email
    • Report spam, hacking attempts, DDoS sources
    • ISPs respond to abuse reports sent to official contacts
  • Trademark Protection:
    • Monitor registrations of similar domain names
    • Identify potential trademark infringement
    • Gather evidence for UDRP (Uniform Domain-Name Dispute-Resolution Policy)
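
An added example (not the tool's own code) that applies the phishing-investigation checks above to a raw WHOIS response: domain age, registrar, nameservers, and the status codes that mean a domain will not resolve. The response text is constructed, it assumes the common gTLD "Key: value" layout (other TLDs format records differently), and the 30-day "newly registered" cutoff is an assumption of this example.

```python
from datetime import datetime, timezone

# Constructed WHOIS response for illustration; not output from a real registry.
SAMPLE_WHOIS = """\
Domain Name: LOGIN-EXAMPLE-VERIFY.COM
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Updated Date: 2024-05-02T09:14:11Z
Creation Date: 2024-05-01T18:40:03Z
Registry Expiry Date: 2025-05-01T18:40:03Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverHold https://icann.org/epp#serverHold
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
DNSSEC: unsigned
>>> Last update of whois database: 2024-05-10T00:00:00Z <<<
"""

NOT_RESOLVING = {"serverHold", "inactive"}  # statuses the page lists as non-resolving

def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (keys such as Name Server repeat)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip() and not line.startswith((">>>", "%", "#")):
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def triage(text, now, new_domain_days=30):
    """Summarise the fields an analyst checks first for a suspect domain."""
    rec = parse_whois(text)
    created = datetime.fromisoformat(rec["creation date"][0].replace("Z", "+00:00"))
    statuses = [s.split()[0] for s in rec.get("domain status", [])]  # drop the EPP URL
    age_days = (now - created).days
    return {
        "domain": rec["domain name"][0].lower(),
        "registrar": rec.get("registrar", [None])[0],
        "takedown_contact": rec.get("registrar abuse contact email", [None])[0],
        "nameservers": [ns.lower() for ns in rec.get("name server", [])],
        "age_days": age_days,
        "newly_registered": age_days < new_domain_days,
        "resolving": not NOT_RESOLVING.intersection(statuses),
        "statuses": statuses,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_WHOIS, datetime.now(timezone.utc)))
```
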

WHOIS vs DNS:

  • WHOIS: Registration information (who owns it, when it expires)
  • DNS: Resolution information (where it points, IP addresses)
  • Both are complementary: WHOIS shows ownership, DNS shows technical configuration

Limitations:

  • Privacy redaction makes contact information unavailable for most domains
  • Rate limiting prevents bulk queries
  • Data accuracy depends on registrant honesty (no verification)
  • Proxy services hide true ownership
  • Different TLDs have different WHOIS policies and formats

Best Practices:

  • Use RDAP instead of WHOIS for programmatic access (modern, structured)
  • Respect rate limits and terms of service
  • For bulk lookups, use commercial APIs with proper licensing
  • Verify abuse contacts are current before reporting
  • Cross-reference WHOIS data with DNS records for a complete picture