WHOIS Lookup: How to Find Out Who Owns a Domain
Find out who owns any domain with WHOIS lookup. Learn what WHOIS data shows, why it's often hidden, how GDPR changed everything, and how to use it for security research.
Every registered domain has a paper trail. When someone registers a domain, their contact details, registration dates, and technical configuration are recorded in a public database called WHOIS. According to Verisign’s Domain Name Industry Brief (Q4 2025), there are over 359 million registered domains globally, and every one has a WHOIS record behind it.
This guide explains what WHOIS is, what information you can realistically expect to find, why privacy protection hides much of it now, and how to use WHOIS data for legitimate research tasks like verifying domain age, checking expiry dates, and identifying suspicious sites.
Key Takeaways
- WHOIS is a public protocol dating back to RFC 812 (1982) that stores registration data for every domain name.
- GDPR enforcement in May 2018 caused registrars to redact personal registrant data for EU-based registrations, hiding most contact details behind privacy proxies.
- WHOIS data still shows the registrar, registration date, expiry date, nameservers, and status flags even when registrant info is hidden.
- RDAP (Registration Data Access Protocol) is the modern structured replacement for WHOIS, with JSON responses and better access controls.
- Domain age is one of the most reliable trust signals: older domains with consistent history are far harder to fake than newly registered ones.
Look Up Any Domain’s Owner Right Now
Query registration data, nameservers, expiry dates, and registrar details for any domain instantly.
What Is WHOIS?
WHOIS is a query-response protocol that retrieves registration records for domain names, IP address blocks, and autonomous system numbers. The protocol originated with RFC 812, published by the Internet Engineering Task Force in 1982, making it one of the oldest protocols still in widespread use. Its original purpose was simple: provide a directory of network users on ARPANET. It has since grown into the primary mechanism for identifying who registered any domain on the internet.
The database itself is decentralized. ICANN (Internet Corporation for Assigned Names and Numbers) coordinates the overall system. Individual registrars (companies like Namecheap, GoDaddy, and Google Domains) maintain their own WHOIS servers with data for domains registered through them. When you query a WHOIS server, you’re querying that registrar’s database.
What Information Does a WHOIS Record Contain?
A complete WHOIS record can contain more than a dozen distinct fields, though privacy services now hide the most sensitive ones. According to ICANN’s registration data policy documentation, the minimum required fields registrars must publish are the registrar name, registration and expiry dates, nameservers, and domain status codes.
| Field | What It Tells You | Privacy Impact |
|---|---|---|
| Domain Name | The registered domain | Always public |
| Registrar | Company that sold the domain registration | Always public |
| Registration Date | When the domain was first registered | Always public |
| Expiry Date | When the registration lapses if not renewed | Always public |
| Updated Date | Last time the WHOIS record was modified | Always public |
| Nameservers | DNS servers controlling the domain | Always public |
| Domain Status | EPP status codes (active, pendingDelete, etc.) | Always public |
| Registrant Name | Legal name of the domain owner | Often redacted post-GDPR |
| Registrant Email | Owner's contact email address | Often redacted or proxied |
| Registrant Organization | Company name if a business registration | Often redacted post-GDPR |
| Registrant Country | Owner's country of residence | Sometimes shown, sometimes hidden |
| Admin Contact | Administrative contact for the domain | Often redacted post-GDPR |
| Tech Contact | Technical contact for DNS issues | Often redacted post-GDPR |
Even heavily redacted records give you useful signals. The registrar tells you where the domain was purchased. The creation date tells you how old it is. The expiry date tells you whether it’s about to lapse. The nameservers reveal which hosting provider or CDN is in use.
Why Is WHOIS Data Often Hidden?
The short answer is GDPR. Before May 2018, WHOIS records for most domains showed the registrant’s full name, physical address, email, and phone number. That changed when the EU’s General Data Protection Regulation came into force. ICANN’s own compliance documentation from that period shows ICANN scrambling to issue temporary specifications to registrars, acknowledging that publishing personal data of EU residents in public WHOIS records likely violated GDPR’s data minimization and purpose limitation principles.
Registrars responded by implementing privacy-by-default for individuals. Instead of your name and address, the registrant section now shows a placeholder like “Redacted for Privacy” or the contact details of a privacy proxy service. The underlying data still exists at the registrar, but it’s not publicly visible. Law enforcement can obtain it with a legal request. Intellectual property lawyers can submit formal requests through ICANN-sanctioned processes. Everyone else sees a wall.
Privacy protection services vs. GDPR redaction
These are different things, though the result looks identical in a WHOIS record. Privacy protection (also called WHOIS guard or proxy registration) is a paid or free add-on where the registrar’s own entity is listed as the registrant, forwarding communications to the real owner. GDPR redaction is an automatic data minimization applied to EU registrant records. Both result in hidden contact info, but the mechanism differs.
Country-code TLDs (ccTLDs) like .uk, .de, and .nl often have stricter privacy defaults than .com, .net, or .org. Some ccTLD registries, like Nominet for .uk domains, operated redacted WHOIS for years before GDPR, citing privacy concerns.
How to Do a WHOIS Lookup: Step by Step
Performing a WHOIS lookup takes under 30 seconds. You don’t need command-line access or specialist software. The process is the same whether you’re checking a domain you want to buy, researching a suspicious website, or confirming your own domain’s expiry date.
Using the WHOIS lookup tool
- Enter the domain name in the search box above (e.g., example.com; no https:// prefix needed)
- Click “Look Up” or press Enter
- The tool queries the authoritative WHOIS server for that TLD directly
- Results appear within 2-3 seconds, showing all publicly available fields
The tool handles different TLDs automatically. A .com query goes to VeriSign’s WHOIS server. A .uk query goes to Nominet. A .io query goes to the Internet Computer Bureau. Each TLD has its own registry with its own WHOIS endpoint.
Using the command line
If you’re comfortable with a terminal, the whois command is available on macOS and Linux by default:
```bash
# Basic lookup
whois example.com

# Query a specific WHOIS server directly
whois -h whois.verisign-grs.com example.com
```
On Windows, you can use the Sysinternals WHOIS tool or query via PowerShell.
Interpreting EPP status codes
Domain status codes use the Extensible Provisioning Protocol (EPP) format. “clientTransferProhibited” means the domain can’t be transferred to another registrar without authorization — common on all active domains. “pendingDelete” means the domain is in a deletion grace period and will soon be available to register. “serverHold” means the registry has suspended the domain, often due to abuse or non-payment.
What Can You Learn From WHOIS Data?
Citation capsule: WHOIS records reliably expose five facts about any domain: the registrar, the registration date (domain age), the expiry date, the nameservers, and the current domain status codes. According to ICANN’s minimum data requirements (ICANN Registration Data Policy, 2022), registrars must publish these fields regardless of privacy settings or GDPR compliance status.
Domain age
The “Creation Date” field is one of the most valuable pieces of information in a WHOIS record. A domain registered in 2003 has 22 years of history. A domain registered last month has none. Domain age correlates with legitimacy because it takes time to build a search footprint, reputation, and trust. Scammers rarely invest in long-term domain history.
Expiry date
Checking when a domain expires matters in several scenarios. If you’re about to sign a business contract that depends on a company’s website, confirming their domain doesn’t expire next month is basic due diligence. For your own domains, WHOIS expiry data is a backup check on top of registrar renewal reminders.
Nameservers as hosting clues
The nameserver entries reveal which DNS provider controls the domain. ns1.cloudflare.com means Cloudflare. ns1.google.com or ns-cloud-*.googledomains.com means Google. ns1.hover.com means Hover. For security research, nameservers can help identify whether a suspicious domain is hosted on the same infrastructure as known-malicious domains.
How Do Security Researchers Use WHOIS?
Security professionals use WHOIS data as an early triage layer when investigating suspicious domains, phishing campaigns, and abuse reports. It’s rarely conclusive on its own, but it provides context quickly. According to the Anti-Phishing Working Group (APWG) Phishing Activity Trends Report Q3 2025, over 60% of phishing domains are registered less than seven days before they’re used in attacks. A quick WHOIS check that shows a domain registered yesterday is a significant red flag.
Identifying phishing domains
When a user reports a suspicious email, checking the sender domain via WHOIS takes 10 seconds. Red flags include registration within the last 30 days, a privacy-protected registrant (not inherently suspicious, but combined with other signals it matters), a registrar known for lax abuse handling, and nameservers pointing to bulletproof hosting providers.
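The triage described above can be scripted against the plain-text output of `whois`. The following is an added example, not code from the original article: it parses a constructed record in the common gTLD "Key: Value" layout and reports the registration-age, status-code and redaction signals. The sample record, the function names and the fixed "today" date are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the common gTLD "Key: Value" layout (not a real record).
SAMPLE_WHOIS = """\
Domain Name: SUSPICIOUS-SHOP.EXAMPLE
Registrar: Example Registrar, Inc.
Updated Date: 2026-01-10T08:15:00Z
Creation Date: 2026-01-10T08:14:22Z
Registry Expiry Date: 2027-01-10T08:14:22Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverHold https://icann.org/epp#serverHold
Name Server: NS1.DNS-HOST.EXAMPLE
Name Server: NS2.DNS-HOST.EXAMPLE
Registrant Name: REDACTED FOR PRIVACY
"""

MULTI_VALUE = {"Domain Status", "Name Server"}

def parse_whois(text):
    """Parse 'Key: Value' lines; keys in MULTI_VALUE are collected into lists."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        key, value = key.strip(), value.strip()
        if not sep or not value or key.startswith(("%", "#", ">>>")):
            continue  # skip blank lines, comments and server notices
        if key in MULTI_VALUE:
            # Status lines carry a trailing URL; keep only the first token.
            rec.setdefault(key, []).append(value.split()[0])
        else:
            rec.setdefault(key, value)
    return rec

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(rec, now, young_days=30):
    """Return (age in days, or None if unknown) and a list of red-flag strings."""
    flags, age = [], None
    created = rec.get("Creation Date")
    if created is None:
        flags.append("no creation date parsed (TLD-specific format?)")
    else:
        age = (now - parse_ts(created)).days
        if age < young_days:
            flags.append(f"registered {age} days ago")
    statuses = set(rec.get("Domain Status", []))
    for code, meaning in (("serverHold", "suspended by registry"),
                          ("pendingDelete", "in deletion grace period")):
        if code in statuses:
            flags.append(f"{code}: {meaning}")
    if "redacted" in rec.get("Registrant Name", "").lower():
        flags.append("registrant redacted (weak signal on its own)")
    return age, flags

if __name__ == "__main__":
    now = datetime(2026, 1, 13, tzinfo=timezone.utc)  # fixed "today" for a repeatable result
    print(triage(parse_whois(SAMPLE_WHOIS), now))
```

Records from registries that use a different field layout will come back with the "no creation date parsed" flag rather than a wrong age, which is the safer failure for a triage script.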
Contacting domain owners about abuse
If a domain is sending spam or hosting harmful content, WHOIS provides the contact pathway. Even with privacy protection, registrars are obligated to forward abuse reports to the actual registrant. The contact email shown for privacy-protected domains often routes to the registrar’s abuse desk, which can take action on legitimate complaints.
Domain squatting and trademark research
Businesses use WHOIS to check whether domains containing their trademarks are registered by third parties. If the registrant information is accessible, it can establish identity. If it’s protected, the registrar’s standard WHOIS relay process still provides a contact channel. Formal UDRP (Uniform Domain-Name Dispute-Resolution Policy) arbitration, coordinated by ICANN, uses WHOIS records as part of the evidence process.
WHOIS data accuracy is not guaranteed
Registrants are contractually required to provide accurate information, but there’s no real-time verification. Someone can enter a fake name, a disposable email, and a fictional address when registering a domain. ICANN requires registrars to verify email addresses, but name and address accuracy rely on the honor system. Treat WHOIS data as a starting point, not a ground truth.
Does Domain Age Actually Matter for Trust?
Domain age isn’t a perfect trust signal. Established domains get compromised. Old parked domains get re-registered and turned into spam infrastructure. But as a quick heuristic, it’s reliable. A domain registered today impersonating your bank is suspicious. A domain registered in 2009 serving your bank’s website is not.
Consistent history matters too. A domain whose WHOIS record shows the same registrar and registrant country over many years is harder to fake than one that changed ownership recently. WHOIS history services (separate from live WHOIS queries) track changes to registration records over time, which is a valuable resource for deeper investigations.
What Is RDAP and How Does It Differ From WHOIS?
RDAP (Registration Data Access Protocol) is the modern replacement for WHOIS, standardized by the IETF in RFC 7483 (2015). ICANN began mandating RDAP support from all accredited registrars in August 2019. Unlike WHOIS, which returns unstructured plain text, RDAP returns structured JSON responses.
| Feature | WHOIS (Legacy) | RDAP (Modern) |
|---|---|---|
| Response format | Unstructured plain text | Structured JSON |
| Authentication | None - fully anonymous | Supports tiered access with credentials |
| HTTPS support | No (port 43, TCP only) | Yes (HTTPS by default) |
| Internationalization | ASCII only | Full Unicode support |
| Differentiated access | One response for everyone | Can return different data per requester role |
| Standardization | Inconsistent across registrars | Consistent schema per RFC 7483 |
| Error codes | Freeform text or nothing | Standardized HTTP status codes |
| ICANN requirement | Being phased out | Mandatory since August 2019 |
RDAP’s tiered access model is the key design improvement. Law enforcement, intellectual property attorneys, and security researchers can authenticate with registrars to receive fuller data than anonymous queries return. Anonymous queries still get the public fields (registrar, dates, nameservers, status). Credentialed queries can potentially get registrant contact data if the registrar’s policy permits it.
For most everyday use cases, WHOIS and RDAP return the same publicly visible information. The difference becomes meaningful for bulk lookups, programmatic integrations, and legal requests where the structured JSON format and access control mechanisms of RDAP are significant advantages.
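To show what the structured format buys you, here is an added example (not code from the original article) that pulls the same public fields out of an RDAP domain object without any text scraping. The JSON document is constructed to follow the RFC 7483 object layout, the function names are illustrative, and the status mapping covers only the three codes discussed earlier on this page (RDAP spells them with spaces, per RFC 8056).

```python
import json

# Constructed RDAP domain response in the RFC 7483 object layout (not a real record).
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "SUSPICIOUS-SHOP.EXAMPLE",
  "status": ["client transfer prohibited", "server hold"],
  "events": [
    {"eventAction": "registration", "eventDate": "2026-01-10T08:14:22Z"},
    {"eventAction": "expiration", "eventDate": "2027-01-10T08:14:22Z"}
  ],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "NS2.DNS-HOST.EXAMPLE"},
    {"objectClassName": "nameserver", "ldhName": "NS1.DNS-HOST.EXAMPLE"}
  ],
  "entities": [
    {"objectClassName": "entity", "roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar, Inc."]]]},
    {"objectClassName": "entity", "roles": ["registrant"],
     "remarks": [{"title": "REDACTED FOR PRIVACY"}]}
  ]
}
""")

# RDAP status strings mapped back to the EPP codes seen in WHOIS output (RFC 8056).
RDAP_TO_EPP = {
    "client transfer prohibited": "clientTransferProhibited",
    "pending delete": "pendingDelete",
    "server hold": "serverHold",
}

def entity_name(entity):
    """Return the jCard 'fn' value, or None when no vCard is present (redacted)."""
    props = (entity.get("vcardArray") or [None, []])[1]
    return next((p[3] for p in props if p[0] == "fn"), None)

def summarize_rdap(doc):
    """Flatten an RDAP domain object into the fields a WHOIS lookup would show."""
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    by_role = {}
    for ent in doc.get("entities", []):
        for role in ent.get("roles", []):
            by_role.setdefault(role, entity_name(ent))
    return {
        "domain": doc.get("ldhName", "").lower(),
        "registrar": by_role.get("registrar"),
        "registrant": by_role.get("registrant"),  # None when redacted
        "created": events.get("registration"),
        "expires": events.get("expiration"),
        "nameservers": sorted(ns["ldhName"].lower() for ns in doc.get("nameservers", [])),
        "epp_status": [RDAP_TO_EPP.get(s, s) for s in doc.get("status", [])],
    }

if __name__ == "__main__":
    print(json.dumps(summarize_rdap(SAMPLE_RDAP), indent=2))
```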
What Are the Limitations of WHOIS?
WHOIS is a useful tool, but it has real constraints worth understanding before you draw conclusions from a query.
GDPR and privacy redaction. As covered above, registrant contact data is routinely hidden for individual registrants. Corporate registrations sometimes show real company information, but this is inconsistent.
Inaccuracy by design and by accident. Nothing forces real-time verification of the data registrants submit. Common issues include outdated email addresses (the owner changed email but never updated the record), placeholder names, and addresses that were valid years ago. The registrar validates the email once at registration. Everything else is on the honor system.
Inconsistency across TLDs. Each TLD registry runs its own WHOIS server with its own format. .com records look different from .uk records, which look different from .io records. Some registries provide minimal data. Country-code TLDs often publish less information than gTLDs by policy.
Rate limiting and query restrictions. WHOIS servers impose rate limits to prevent bulk scraping. If you’re doing many lookups in quick succession, you’ll start seeing timed-out responses or CAPTCHA challenges. Commercial WHOIS APIs exist for high-volume use cases.
No ownership history by default. Standard WHOIS shows only the current record. It doesn’t show previous owners, previous registrars, or how many times ownership has changed. Third-party WHOIS history services fill this gap, but they’re separate from the protocol itself.
Frequently Asked Questions
Is WHOIS information accurate?
WHOIS data accuracy varies significantly. Registrars verify contact email addresses at registration time, but name, address, and phone number are not independently verified. ICANN’s 2024 Registration Data Accuracy Study found that a meaningful percentage of WHOIS records contain outdated or unverifiable contact information. Treat the data as a starting point for investigation, not a verified source of ground truth.
How do I contact a domain owner if their WHOIS is private?
Most registrars operating privacy protection services forward messages to the actual domain owner. Look for a privacy-proxy email address in the registrant section (something like abc123@privacy.registrar.com) and send your message there. The registrar’s system forwards it to the real owner’s email. Response rates vary, but this is the correct channel. For formal legal or intellectual property matters, ICANN’s Uniform Rapid Suspension (URS) and UDRP processes provide structured escalation paths.
Why does WHOIS show “Redacted for Privacy”?
This means either the registrant purchased a privacy protection service (sometimes called WHOIS guard or domain privacy), which substitutes the registrar’s proxy contact for the owner’s real details, or GDPR-compliant redaction was applied automatically because the registrant is an EU resident. Both produce the same visible result. The underlying data still exists at the registrar and is accessible to law enforcement via legal process. According to ICANN’s WHOIS accuracy program reports, privacy protection is now enabled by default at most major registrars for individual registrations.
How do I check when a domain expires?
The “Registry Expiry Date” or “Expiration Date” field in a WHOIS record shows exactly when the registration lapses. Run a lookup on any domain using the tool above. The date is always displayed in UTC. Most registrars send renewal reminders 60, 30, and 7 days before expiry. If you’re checking a competitor’s domain or a domain you want to acquire, set up expiry monitoring or note the date and check back manually. Domains don’t disappear the day they expire; most registrars offer a grace period of 0-45 days before the domain enters pending-delete status.
Can WHOIS tell me who is hosting a website?
Not directly. WHOIS shows the nameservers (NS records), which tells you who controls the DNS. ns1.cloudflare.com means Cloudflare handles DNS, but the actual web host could be anything Cloudflare is proxying in front of. For deeper hosting intelligence, combine WHOIS nameserver data with a DNS lookup to find the origin IP, then use IP geolocation or ARIN/RIPE WHOIS to identify the hosting provider.
Wrapping Up
WHOIS is 44 years old and still one of the fastest ways to get baseline facts about any domain. Creation date, expiry date, registrar, nameservers, and status codes are available on virtually every domain query, even when contact details are hidden.
The key thing to take away: don’t expect to find a name and phone number in 2026. GDPR redaction is the norm, not the exception. But the data that remains public (domain age, registrar, nameservers, and status) gives you enough to make informed judgments about whether a domain is legitimate, how long it’s been around, and when it might expire.
For security research and basic due diligence, WHOIS paired with a DNS lookup covers most of what you need. Run both when something looks suspicious. Domain age plus hosting infrastructure plus DNS configuration together paint a much clearer picture than any single data source.