Every domain name registered on the internet has a public record that contains information about who owns it, when it was registered, and when it expires. The system used to query these records is called WHOIS — one of the oldest protocols on the internet, dating back to the early 1980s. Whether you are a domain investor scouting for opportunities, a developer researching a website, or a business owner protecting your brand, understanding WHOIS is essential.
This guide covers everything you need to know about WHOIS lookup: how to read and interpret WHOIS records, how domain privacy protection works, what happens when a domain expires, and how to navigate the domain drop-catching landscape.
WHOIS is both a query protocol and a database system. It allows anyone to look up registration information for any domain name. The protocol operates on port 43 and uses a simple request-response format: you send a domain name, and the server returns the associated registration data.
WHOIS records are maintained by domain registrars (companies like GoDaddy, Namecheap, Google Domains) and regional registries (like Verisign for .com, Nominet for .uk). When you register a domain, your registrar collects your contact information and stores it in the WHOIS database. This information is publicly accessible unless you opt for privacy protection.
A typical WHOIS record contains several key fields. Understanding what each field means helps you extract useful information from any lookup:
Status codes are standardized by ICANN and provide important information about a domain's state. The most common ones include:
clientTransferProhibited — The domain owner has locked the domain to prevent unauthorized transfers. This is a security best practice.
clientDeleteProhibited — The domain cannot be deleted without the registrant's explicit consent.
serverHold — The domain is suspended and does not resolve in DNS. This often happens after non-payment.
pendingDelete — The domain has entered the deletion process and will be purged from the registry.
ok — No special conditions apply to the domain.
The WHOIS protocol has a rich history that reflects the evolution of the internet itself. Understanding this history helps explain why the system works the way it does today — and why it faces significant challenges.
WHOIS was created in 1982 by Elizabeth Feinler and her team at the Stanford Research Institute's Network Information Center (NIC). Originally, it was a simple directory service for ARPANET users to find contact information about other network operators. In these early days, the entire internet consisted of a few hundred connected organizations, and the WHOIS database was essentially a phone book for system administrators.
The commercialization of the internet and the introduction of generic top-level domains (gTLDs) in the mid-1990s transformed WHOIS from a small technical directory into a massive public database. ICANN was established in 1998 to manage the domain name system, and WHOIS data became subject to contractual obligations through the Registrar Accreditation Agreement (RAA). Registrars were required to collect and publish accurate WHOIS data, making it a tool for law enforcement, trademark protection, and cybersecurity.
The introduction of the European Union's General Data Protection Regulation (GDPR) in May 2018 triggered a fundamental shift. GDPR classified personal WHOIS data (names, addresses, email, phone) as personally identifiable information (PII), making its public display potentially illegal without consent. ICANN responded with a Temporary Specification that allowed registrars to redact personal data from WHOIS output.
Today, most WHOIS records display only the registrar, registration dates, name servers, and status codes. Personal contact information is hidden behind privacy services or replaced with redacted placeholder text. ICANN's Registration Data Access Protocol (RDAP) was introduced as a modern replacement for WHOIS, offering structured JSON responses, better authentication, and built-in access control, though adoption is still incomplete.
Domain privacy protection (also called WHOIS privacy or ID protection) replaces your personal information in the WHOIS database with the privacy service's contact details. When someone performs a WHOIS lookup, they see the privacy service's information instead of yours.
When you enable privacy protection, the registrar substitutes their proxy information for yours in the WHOIS record. Email sent to the proxy address is filtered and forwarded to you. If a legitimate party needs to contact you (such as for a trademark dispute), the privacy service acts as an intermediary. Some registrars include privacy protection for free, while others charge an additional fee.
Understanding what happens when a domain expires is critical for both domain owners (to avoid losing their domains) and domain investors (to acquire valuable expiring domains). The lifecycle follows a predictable timeline:
Drop catching is the practice of attempting to register a domain the moment it is deleted from the registry. Because valuable domains can be worth thousands or even millions of dollars, competition for dropping domains is intense. Specialized drop-catching services use direct API connections to registries and automated systems to submit registration requests within milliseconds of a domain becoming available.
Drop-catching services operate by maintaining persistent connections to registry systems. When a domain drops, they submit a registration command almost instantaneously — far faster than a human could type a registration form. Major drop-catching services include DropCatch, SnapNames, NameJet, and GoDaddy Auctions. These services typically operate on a backorder model: you pay a fee to place a backorder, and if the service successfully catches the domain, you win the auction or pay a fixed price.
There are several ways to look up WHOIS information for a domain:
The easiest method is to use a web-based WHOIS lookup tool. Simply enter the domain name and get a formatted, readable report. Risetop's WHOIS Lookup tool provides detailed registration data, status codes, and name server information in a clean interface.
On Linux and macOS, you can use the terminal WHOIS client:
whois example.com
This connects to the appropriate WHOIS server and returns the raw record. Windows users can use PowerShell or install a third-party WHOIS client.
RDAP is the modern successor to WHOIS. It returns structured JSON data instead of plain text and supports authentication and access control. You can query RDAP through web-based tools or programmatically via HTTP requests. For example:
curl -H "Accept: application/rdap+json" https://rdap.org/domain/example.com
WHOIS data is a valuable resource for cybersecurity professionals and threat researchers. Security teams use WHOIS to investigate phishing domains (checking registration dates and registrant patterns), track threat actor infrastructure (correlating domains registered by the same entity), and identify malicious domain registrations (newly registered domains used in attacks). While GDPR-related redaction has reduced the amount of available data, techniques like reverse WHOIS (finding all domains registered to the same entity) and historical WHOIS (viewing past registration data through services like DomainTools) remain effective investigative tools.
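As an added example (not from the original article or any tool it names), this Python code parses an RDAP domain response and derives the signals discussed above: registration age, status codes mapped back to their EPP names, and name servers. The sample record is constructed, and the function name, flag names and 30-day "newly registered" threshold are assumptions chosen for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 9083 field names); not real registry data.
SAMPLE_RDAP = json.dumps({
    "ldhName": "login-example-portal.test",
    "status": ["active"],
    "events": [
        {"eventAction": "registration", "eventDate": "2024-05-28T09:15:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-05-28T09:15:00Z"},
    ],
    "nameservers": [{"ldhName": "NS1.DNS-HOST.TEST"}, {"ldhName": "ns2.dns-host.test"}],
})

# RDAP spells EPP status codes as lowercase words (mapping defined in RFC 8056).
RDAP_TO_EPP = {
    "active": "ok",
    "client transfer prohibited": "clientTransferProhibited",
    "client delete prohibited": "clientDeleteProhibited",
    "server hold": "serverHold",
    "pending delete": "pendingDelete",
}

def parse_ts(value):
    # RDAP dates are RFC 3339; rewrite a trailing "Z" so fromisoformat() accepts it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(rdap_text, now, new_domain_days=30):
    """Summarise one RDAP record; new_domain_days is an assumed threshold."""
    rec = json.loads(rdap_text)
    events = {e["eventAction"]: parse_ts(e["eventDate"]) for e in rec.get("events", [])}
    statuses = [RDAP_TO_EPP.get(s, s) for s in rec.get("status", [])]
    registered = events.get("registration")
    age_days = (now - registered).days if registered else None
    flags = []
    if age_days is None:
        flags.append("no-registration-date")
    elif age_days < new_domain_days:
        flags.append("newly-registered")
    if "clientTransferProhibited" not in statuses:
        flags.append("no-transfer-lock")
    flags += [s for s in ("serverHold", "pendingDelete") if s in statuses]
    return {"domain": rec.get("ldhName", "").lower(), "age_days": age_days,
            "statuses": statuses, "flags": flags,
            "nameservers": sorted(n["ldhName"].lower() for n in rec.get("nameservers", []))}

if __name__ == "__main__":
    print(triage(SAMPLE_RDAP, datetime(2024, 6, 10, tzinfo=timezone.utc)))
```

The same function can be fed the body returned by the curl command shown earlier; records that omit the registration event are flagged rather than silently treated as old.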
Partially. Since GDPR took effect in 2018, most personal information in WHOIS records has been redacted. You can still see the registrar, registration and expiration dates, name servers, and domain status codes. Full registrant details are only available through legal channels or RDAP access with proper authorization. Some country-code TLDs (.us, .uk, .au) have their own privacy regulations that may provide more or less data than gTLDs.
Not through public WHOIS alone. If a domain uses privacy protection, the WHOIS record shows the privacy service's information instead of the actual owner. However, law enforcement can request registrant data through legal processes. In cases of trademark infringement, you can file a UDRP (Uniform Domain-Name Dispute-Resolution Policy) complaint with WIPO or the National Arbitration Forum, which compels disclosure of the registrant's identity.
WHOIS is a legacy protocol from 1982 that returns unstructured plain text. RDAP (Registration Data Access Protocol) is its modern replacement, standardized by the IETF. RDAP returns structured JSON data, supports authentication and authorization, provides better error handling, and can implement tiered access controls. Both protocols query the same underlying registration data — RDAP is simply a more capable delivery mechanism.
The total time from expiration to availability varies by TLD and registrar, but typically ranges from 30 to 75 days. For .com domains, the timeline is approximately: 0–30 days grace period, 30 days redemption period, 5 days pending delete, then the domain drops. Some registrars extend the grace period or hold expired domains for auction before they drop, which can extend the timeline further.
No. During the grace period and redemption period, the domain cannot be transferred to another registrar. You must renew it with the current registrar. Once renewed, you can initiate a transfer after a 60-day waiting period (per ICANN policy) unless the registrar waives this requirement.
Reverse WHOIS allows you to find all domains associated with a specific registrant — such as a person's name, email address, company name, or phone number. This is valuable for brand protection, competitive research, and threat investigation. Services like DomainTools, Whoxy, and ViewDNS offer reverse WHOIS lookups, though the accuracy has declined since GDPR-related redaction was implemented.
WHOIS data is distributed across hundreds of registrars and registries, and each may update at different intervals. Cached data, proxy services, and regional registry differences can cause discrepancies. Some tools query the registry directly (authoritative), while others query the registrar's WHOIS server (thick vs. thin registry models). For the most accurate results, query the specific registry's WHOIS server or use an RDAP endpoint.
Many registrars now include WHOIS privacy at no extra cost, including Cloudflare, Namecheap, and Google Domains. However, some registrars still charge $10–15 per year for the service. Even "free" privacy is funded indirectly — registrars that offer it for free typically make their margin on the domain registration price itself. Always check whether privacy is included before comparing prices across registrars.