What Is WHOIS? The Internet's Public Records System
WHOIS is a query and response protocol used to look up information about the registered owners of domain names and IP address blocks. Think of it as the internet’s equivalent of a property records office. You can look up who registered a domain, when they registered it, when it expires, which registrar manages it, and the nameservers it uses. For IP addresses, WHOIS reveals which organization owns the IP block and their contact information. It has been a fundamental internet tool since the early 1980s, though privacy regulations have significantly changed what data is actually visible.
How WHOIS Works
The WHOIS protocol (defined in RFC 3912) is remarkably simple. A client connects to a WHOIS server on port 43, sends a query (a domain name or IP address), and the server returns a text response with the registration details.
When you run a WHOIS lookup on whatismyip.wiki:
- Your WHOIS client connects to a WHOIS server (usually starting with the root WHOIS server at whois.iana.org)
- The root server directs you to the appropriate TLD WHOIS server (for .wiki domains)
- The TLD WHOIS server provides registrar information and directs you to the registrar’s WHOIS server
- The registrar’s WHOIS server returns the full registration details
Modern web-based WHOIS tools handle all of this automatically. You type a domain, get the results. Behind the scenes, the tool is chaining through multiple WHOIS servers.
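The referral chain described above, as an added example that is not part of the original article: a minimal port-43 client that follows referrals and treats each referral value as untrusted server output. The referral field names, the hop limit, and the `.example` hostnames in the constructed sample replies are assumptions.

```python
import re
import socket

IANA_WHOIS = "whois.iana.org"  # root WHOIS server named in the article
# Referral field names are an assumption covering common responses; servers vary.
REFERRAL_KEYS = ("refer", "registrar whois server")
HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")

def whois_query(server, query, timeout=10.0):
    """One RFC 3912 exchange: TCP port 43, send query + CRLF, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("utf-8") + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")

def next_server(response):
    """Return the referred WHOIS host, or None; only hostname-shaped values pass."""
    for line in response.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in REFERRAL_KEYS:
            host = value.strip().lower().split("://")[-1].strip("/")
            if HOST_RE.match(host):
                return host
    return None

def lookup(domain, query_fn=whois_query, start=IANA_WHOIS, max_hops=4):
    """Follow referrals from the root; stop on loops, dead ends or max_hops."""
    chain, seen, server = [], set(), start
    while server and server not in seen and len(chain) < max_hops:
        seen.add(server)
        response = query_fn(server, domain)
        chain.append((server, response))
        server = next_server(response)
    return chain

# Constructed replies for an offline run; the two .example hosts are placeholders.
TLD_REPLY = "Domain Name: whatismyip.wiki\nRegistrar WHOIS Server: whois.registrar.example\n"
SAMPLE = {
    "whois.iana.org": "refer: whois.tld.example\ndomain: WIKI\n",
    "whois.tld.example": TLD_REPLY,
    "whois.registrar.example": TLD_REPLY + "Registrar: Example Registrar\n",
}

if __name__ == "__main__":
    for server, text in lookup("whatismyip.wiki", query_fn=lambda s, q: SAMPLE[s]):
        print(server, "->", next_server(text))
```

Calling `lookup(domain)` without `query_fn` performs live queries over port 43; the loop check and hop limit keep a misbehaving server from sending the client in circles.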
What a Domain WHOIS Record Looks Like
A typical WHOIS response includes:
| Field | Description |
|---|---|
| Domain Name | The queried domain |
| Registry Domain ID | Unique identifier in the registry |
| Registrar | The company where the domain was registered |
| Registrar WHOIS Server | URL for detailed records |
| Creation Date | When the domain was first registered |
| Updated Date | Last modification date |
| Expiration Date | When the registration expires |
| Status | Domain status codes (clientTransferProhibited, etc.) |
| Nameservers | DNS servers handling the domain |
| Registrant | Name, organization, address, email, phone |
| Admin Contact | Administrative contact details |
| Tech Contact | Technical contact details |
The registrant, admin, and tech contact sections are where privacy gets interesting. Before GDPR, these fields typically showed real names, physical addresses, phone numbers, and email addresses. Now, many of these are redacted or replaced with registrar proxy information.
IP WHOIS (Different from Domain WHOIS)
WHOIS for IP addresses queries different databases maintained by the five Regional Internet Registries. An IP WHOIS lookup tells you:
- Which organization owns the IP block
- The block size (CIDR range)
- The country and address of the organization
- Abuse contact information
- Allocation dates
- The regional registry that manages it
This is genuinely useful for network administrators, security researchers, and anyone trying to identify the owner of an IP address. When you trace an attacker’s IP or investigate spam, IP WHOIS is often the first stop.
The GDPR Impact
The EU’s General Data Protection Regulation (2018) fundamentally changed domain WHOIS. GDPR classifies domain registration data as personal information subject to privacy protections. The result:
- Registrant names, addresses, and phone numbers are redacted for EU individuals
- Email addresses are replaced with registrar-operated contact forms
- Many registrars applied this privacy protection globally (not just for EU registrants) because it’s easier than maintaining two systems
- Most registrars now offer WHOIS privacy for free (it used to cost $5 to $15 per year)
ICANN, the organization that coordinates domain name policy, has been working on a standardized system called RDAP (Registration Data Access Protocol) to replace WHOIS with a more structured, privacy-aware system. RDAP is defined in RFCs 7480 to 7484 and is gradually replacing WHOIS as the primary lookup protocol.
Practical Uses of WHOIS
Domain research: Before buying a domain, check its WHOIS history. Has it been registered before? Is the previous owner reputable? Old domains with good history can be valuable for SEO. Domains with spam or malware history can be toxic.
Investigating suspicious emails: Got a phishing email? Check the WHOIS for the domain in the sender address or any links. Freshly registered domains are a strong phishing indicator. If a domain claiming to be from your bank was registered three days ago, that’s a red flag.
Legal proceedings: WHOIS data can help identify the party behind a domain involved in trademark infringement, fraud, or other legal issues. While privacy shields complicate this, legal processes through registrars can still unmask registrants.
Security research: Tracking down the origin of attacks, spam campaigns, or malware distribution often starts with WHOIS lookups of the involved domains and IP addresses.
Domain expiration monitoring: WHOIS shows when a domain expires. Services that alert you when a domain you’re interested in is about to expire rely on WHOIS data. Domain investors (domainers) watch WHOIS expiration dates heavily.
Competitive intelligence: WHOIS can reveal when a competitor registered a new domain, which registrar they use, and sometimes their hosting infrastructure through nameserver information.
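The domain-age check from "Investigating suspicious emails", as an added example that is not part of the original article: it parses a text WHOIS record into fields and labels the domain by how long ago it was created. The sample record is constructed, real field labels vary between registries, and the 30-day cutoff is an assumed value.

```python
from datetime import datetime, timezone

# Constructed WHOIS response; real field labels vary between registries.
SAMPLE_RECORD = """\
Domain Name: secure-login-bank.example
Registrar: Example Registrar, Inc.
Creation Date: 2024-05-01T09:30:00Z
Registry Expiry Date: 2025-05-01T09:30:00Z
Domain Status: clientTransferProhibited
Name Server: ns1.dns.example
Name Server: ns2.dns.example
Registrant Name: REDACTED FOR PRIVACY
>>> Last update of WHOIS database: 2024-05-04T00:00:00Z <<<
"""

def parse_whois(text):
    """Parse 'Key: value' lines into {key: [values]}; keys may repeat."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and value and not key.startswith((">>>", "%", "#")):
            fields.setdefault(key, []).append(value)
    return fields

def domain_age_days(fields, now):
    """Whole days since Creation Date, or None if missing or unparseable."""
    for raw in fields.get("creation date", []):
        try:
            created = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except ValueError:
            continue
        if created.tzinfo is None:
            created = created.replace(tzinfo=timezone.utc)
        return (now - created).days
    return None

def triage(text, now, max_age_days=30):
    """Label a domain by age; the 30-day cutoff is an assumed example value."""
    age = domain_age_days(parse_whois(text), now)
    if age is None:
        return "unknown-age"
    return "newly-registered" if age < max_age_days else "established"

if __name__ == "__main__":
    now = datetime(2024, 5, 4, 12, 0, tzinfo=timezone.utc)  # fixed for a repeatable run
    print(triage(SAMPLE_RECORD, now))
```

A record with a redacted or missing creation date returns "unknown-age" rather than being treated as old, so it can be routed to manual review.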
WHOIS Privacy Services
WHOIS privacy (also called privacy protection, WHOIS guard, or domain privacy) replaces your personal information in WHOIS records with the registrar’s proxy details.
Without privacy: your name, address, email, and phone are publicly visible. With privacy: the registrar’s name, address, and a contact-forwarding email appear instead.
This became standard practice after GDPR, but even before that, many domain owners used privacy services to prevent:
- Domain-related spam (bots scrape WHOIS for email addresses)
- Social engineering attacks targeting domain owners
- Personal information exposure
- Unsolicited purchase offers for valuable domains
Most domain registrars (Namecheap, Cloudflare Registrar, Google Domains, Porkbun) now include WHOIS privacy for free with every domain. If your registrar charges extra for it, consider switching.
RDAP: The WHOIS Replacement
RDAP (Registration Data Access Protocol) is the modern replacement for WHOIS, offering several improvements:
Structured data: RDAP returns JSON instead of unstructured text, making it easier for software to parse.
Standardized format: WHOIS responses varied wildly between registrars. RDAP defines a consistent format.
Authentication: RDAP supports authenticated access, allowing authorized parties (law enforcement, intellectual property attorneys) to request more detailed data than anonymous users.
Internationalization: Better support for non-ASCII characters in names and addresses.
Security: HTTPS transport by default, unlike WHOIS’s plaintext protocol.
All major registries and many registrars already support RDAP alongside WHOIS. The transition is gradual, and WHOIS will likely remain accessible for years, but RDAP is the future.
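What the structured-data point means in practice, as an added example that is not part of the original article: the fields a WHOIS text parser has to guess at are read directly from named JSON members of an RDAP domain object. The response below is constructed, and leaving the registrant entity without a contact card is an assumption about how a withheld contact might appear.

```python
import json

SAMPLE_RDAP = json.dumps({  # constructed RDAP domain object
    "objectClassName": "domain",
    "ldhName": "example-shop.example",
    "status": ["client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2019-03-02T10:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-03-02T10:00:00Z"},
    ],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.dns.example"}],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar, Inc."]]]},
        {"objectClassName": "entity", "roles": ["registrant"]},  # contact withheld
    ],
})

def vcard_fn(entity):
    """Return the formatted name ('fn') from an entity's jCard, or None."""
    card = entity.get("vcardArray")
    if not (isinstance(card, list) and len(card) > 1):
        return None
    for prop in card[1]:
        if len(prop) > 3 and prop[0] == "fn":
            return prop[3]
    return None

def summarize(rdap_text):
    """Pull the WHOIS-equivalent fields out of an RDAP domain response."""
    data = json.loads(rdap_text)
    if data.get("objectClassName") != "domain":
        raise ValueError("not an RDAP domain object")
    events = {e.get("eventAction"): e.get("eventDate") for e in data.get("events", [])}
    names = {role: vcard_fn(ent) for ent in data.get("entities", [])
             for role in ent.get("roles", [])}
    return {
        "domain": data.get("ldhName"),
        "registered": events.get("registration"),
        "expires": events.get("expiration"),
        "status": data.get("status", []),
        "nameservers": [ns.get("ldhName") for ns in data.get("nameservers", [])],
        "registrar": names.get("registrar"),
        "registrant": names.get("registrant"),  # None when the contact is withheld
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RDAP), indent=2))
```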