WHOIS Lookup
with modern RDAP.

Look up domain registration details, expiry dates, nameservers and registrar information. Uses the modern RDAP protocol first with traditional WHOIS as fallback — structured JSON whenever possible, plain-text when not.

RDAP Modern protocol

WHOIS Plain-text fallback

< 2s Per lookup

$0 No account

Look up domain registration, expiry date and registrar details using RDAP with WHOIS fallback. Enter any domain — root or with subdomain — and we'll resolve to the registered apex automatically.

Domain

Try:

Note: All checks are public. To keep your checks private, create a free account.

Global Network Diagnostics

Run a check to see your service from around the world.

Tested from 22 monitoring locations worldwide
Results in seconds, not minutes
Shareable result links for your team
No account or signup required

What is WHOIS?

WHOIS is a query and response protocol used to look up records associated with domain name registrations. It was developed in the early days of the internet, when ARPANET administrators needed a reliable way to look up who was responsible for a domain and how to reach them. The name is simply a phonetic shorthand for "who is" — as in, who is the owner of this domain?

When a domain is registered, the registrar collects information from the domain owner and submits it to a central registry. WHOIS servers maintained by registries and registrars expose this information over TCP port 43. A WHOIS query sends the domain name to the appropriate server and receives a plain-text response containing the registration record.

The data returned typically includes the registrar (the company through which the domain was purchased), registration and expiry dates, authoritative nameservers, domain status codes, and contact information for the registrant, administrative and technical contacts — though contact details are increasingly hidden by privacy services.

ICANN mandates that domain registrars maintain accurate WHOIS data for all registered domains under generic top-level domains (gTLDs). Country-code TLD registries operate under their own policies, which is why WHOIS availability and detail level can vary significantly between TLDs.

Every registered domain has a public registration record — registrar, expiry, nameservers, status flags. Reading it is the only way you'll catch a silent transfer-lock change, a nameserver hijack, or an expiry deadline before it takes the site down.

What WHOIS Returns

A WHOIS or RDAP response surfaces the core registration metadata for a domain. The fields below appear in nearly every record — the exact wording varies between registries, but the meaning is consistent.

Field	Description
Registrar	Accredited company the domain is registered through.
Created	Date the domain was first registered.
Expires	Date the registration lapses if not renewed in time.
Updated	Last modification to the registration record.
Nameservers	Authoritative DNS servers responsible for the domain's zone.
Status	EPP status codes that control which operations are currently allowed.
DNSSEC	Whether the domain is signed with DNSSEC, plus the DS key data when available.

RDAP: The Modern WHOIS

The Registration Data Access Protocol (RDAP) is the modern successor to WHOIS, standardized by the IETF in 2015 (RFC 7480–7484). It was designed to address the long-standing limitations of the aging WHOIS protocol and is now mandated by ICANN for all accredited registrars managing gTLD domains.

The most significant improvement RDAP brings is structured data. Traditional WHOIS responses are free-text with no enforced schema — every registrar formats responses differently, making programmatic parsing unreliable. RDAP returns JSON, which is machine-readable, consistently structured and straightforward to process in code without brittle regex patterns.

Beyond structured output, RDAP brings several important advantages over traditional WHOIS:

Capability	WHOIS	RDAP
Response format	Free-text, unstructured	Structured JSON
Standardized schema	No — varies by registrar	Yes — IETF standardized
Internationalization	Limited — ASCII-centric	Full Unicode support
Access control	None	Role-based, authenticated tiers
Transport security	Plaintext TCP / 43	HTTPS
RESTful API design	No	Yes
Referral mechanism	Manual, inconsistent	Bootstrapped via IANA

How Emercom queries domains

Emercom queries RDAP first. The IANA RDAP bootstrap registry is consulted to find the authoritative RDAP service for each TLD, and a structured JSON response is retrieved over HTTPS. If no RDAP service is available for the TLD — common with some country-code TLDs and legacy registrars — Emercom automatically falls back to the traditional WHOIS protocol on TCP port 43 and parses the plain-text response.

Most major TLDs including .com, .net, .org, .io and hundreds of others now have full RDAP support, so structured JSON is the common case rather than the exception.

A Real RDAP Response

The structured-JSON nature of RDAP is hard to appreciate in the abstract — easier to see in a real response. Below is what an RDAP query for emercom.io looks like on the wire: a self-describing JSON object that any tool can parse without regex, with explicit event types for every important date and machine-readable status codes instead of free-text prose.

On the wire — RDAP response from https://rdap.iana.org/domain/emercom.io

{
  "objectClassName": "domain",
  "handle": "EMERCOM.IO",
  "ldhName": "emercom.io",
  "status": [
    "client transfer prohibited"
  ],
  "events": [
    {
      "eventAction": "registration",
      "eventDate": "2023-08-15T10:23:11Z"
    },
    {
      "eventAction": "expiration",
      "eventDate": "2026-08-15T10:23:11Z"
    },
    {
      "eventAction": "last changed",
      "eventDate": "2025-08-20T14:55:33Z"
    }
  ],
  "nameservers": [
    { "ldhName": "ns1.cloudflare.com" },
    { "ldhName": "ns2.cloudflare.com" }
  ],
  "entities": [
    {
      "roles": ["registrar"],
      "vcardArray": [
        "vcard",
        [ ["fn", {}, "text", "Gandi SAS"] ]
      ]
    }
  ],
  "secureDNS": {
    "delegationSigned": false
  }
}

Event dates — drive expiry monitoring Status — current EPP locks Identity — domain & registrar names

Three things stand out next to a plain-text WHOIS dump. First, every date is in ISO 8601 with a timezone (2026-08-15T10:23:11Z) — no more parsing locale-specific free-form strings like "Sat Aug 15 10:23:11 UTC 2026". Second, status codes are an array of canonical strings, not a comma- and newline-separated blob you have to split. Third, the registrar is structured: a separate entity with a typed role and a vCard, so you can extract the name without guessing where one field ends and the next begins.

The vcardArray shape (line starting with "vcard") looks alien at first — it's RFC 7095 jCard, the JSON encoding of vCard contact records. It is structurally awkward but every field is precisely typed, which is exactly the point: you can build a domain-monitoring system that consumes this without ever writing a regex against free-text data.

Understanding WHOIS Results

A WHOIS or RDAP response contains several key fields that tell you about the domain's history, current state and configuration. Here is what each field means and why it matters.

Registration Fields

Registrar is the accredited company through which the domain was purchased — for example, GoDaddy, Namecheap, Cloudflare or Google Domains. Each registrar has a unique IANA ID. Knowing the registrar is the first step when you need to transfer a domain, update contact records, or dispute ownership.

Registration Date tells you when the domain was first registered. A domain registered many years ago is generally considered more established, while a very recently registered domain can be a signal worth noting for security or trust assessments.

Expiry Date is the most operationally critical field. If a domain is not renewed before this date, it enters a grace period before eventually becoming available for anyone to register. Monitoring expiry dates is essential — an accidentally expired domain will take down every service running under it, from websites to email to API endpoints.

Last Updated reflects the most recent change to the registration record. Unexpected updates to this field can indicate a domain transfer, nameserver change, or registrant information update.

Technical Fields

Nameservers are the authoritative DNS servers for the domain. These are the servers that hold the zone file and answer DNS queries for all records under the domain. Changing nameservers is how you move DNS management from one provider to another — for instance, from your registrar's default DNS to Cloudflare or Route 53.

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records. When DNSSEC is enabled, resolvers can verify that the DNS responses they receive have not been tampered with in transit. The WHOIS record will indicate whether DNSSEC is signed and, if so, provide the delegation signer (DS) key data.

EPP Status Codes

Domain status codes use the Extensible Provisioning Protocol (EPP) standard. They control what operations can be performed on the domain. Understanding these codes helps you know what actions are currently locked or permitted.

Status Code	Meaning
clientTransferProhibited	Transfer to another registrar is locked at the registrant's request. The most common status — protects against unauthorized domain hijacking.
serverTransferProhibited	Transfer prohibited by the registry (not the registrant). Often set during dispute resolution or ICANN proceedings.
clientDeleteProhibited	The domain cannot be deleted by the registrar at the registrant's request. Common on high-value domains.
serverDeleteProhibited	Deletion prohibited by the registry. Typically set during a legal hold or dispute.
clientUpdateProhibited	Domain record updates (nameservers, contacts) are locked at the registrant's request.
serverUpdateProhibited	Updates prohibited by the registry.
clientHold	Domain is suspended by the registrar — it will not resolve in DNS. Can occur for non-payment or policy violations.
serverHold	Domain suspended by the registry. Common during the Add Grace Period immediately after new registration.
pendingDelete	The domain is scheduled for deletion after the redemption period has expired. It will shortly become available for re-registration.
redemptionPeriod	The domain has expired and is in the registrar's redemption grace period. It can still be recovered by the original registrant, typically for a higher fee.

Reading status codes in a hurry? client*Prohibited codes mean the registrant set a lock — usually good, it stops accidents and hijacks. server*Prohibited codes mean the registry imposed the lock — often during a dispute. clientHold / serverHold means the domain is offline right now (won't resolve in DNS). pendingDelete and redemptionPeriod are time-bound lifecycle states — both indicate someone forgot to renew.

Domain Privacy & Proxy Services

Many domain registrants use WHOIS privacy or proxy services to hide their personal contact information from the public WHOIS record. When privacy protection is active, the registrant, administrative and technical contact details are replaced with the privacy provider's information rather than the actual domain owner's name, address and email.

This is a legitimate and widely used practice — ICANN permits it. The domain itself is still findable, and registration and expiry dates, nameservers and status codes are always shown. Only the contact details are obscured. Registrars and privacy services are required to maintain a confidential record of the actual registrant and can reveal it upon valid legal request.

Common privacy service providers include Domains By Proxy (GoDaddy), Privacy Guardian (NameSilo) and Cloudflare's built-in WHOIS redaction. You can usually identify proxy protection when the registrant organization contains phrases like "Privacy Service", "Whois Agent" or "Domain Protection".

Why Watch WHOIS Records?

A WHOIS record looks static — registration date, expiry, nameservers, a few status flags. In practice, every one of those fields can change without warning, and you usually find out only when something breaks. Five failure modes that a regular WHOIS check would catch days or weeks before the outage:

Expiry creep. A registration quietly approaches its renewal deadline. Without a watch, you discover it the day the domain stops resolving — typically a Sunday, typically with the only person who knows the registrar password on holiday.
Transfer-lock removed. clientTransferProhibited disappears from the status list. Someone — legitimate owner or attacker — has unlocked the domain so it can be moved to another registrar. Often the first signal of an in-progress hijack.
Nameserver swap. Authoritative DNS changes to servers you do not control. By the time DNS propagates and visitors notice, the new operator already controls your email, web traffic and any service tied to the domain.
DNSSEC suddenly off. A signed zone going unsigned (delegationSigned: false where it used to be true) is a red flag. Either an attacker stripped it to enable spoofing, or someone disabled validation by accident during maintenance.
Ownership / contact change. Registrant company swapped, admin email rotated, postal address moved. Most are legitimate — staff turnover, restructuring — but some are the prelude to a takeover, an expiry-roulette buyout, or a domain dispute.

Common Uses for WHOIS Lookup

WHOIS lookup is the starting point for a long list of operational, security and business workflows. Four of the most common reasons people reach for a WHOIS query:

Domain Expiry Monitoring

Track expiry dates across an entire portfolio so renewals happen weeks in advance, not the morning the domain stops resolving. The single most important monitor every operations team should have running.

Brand Protection

Detect typo-squat and look-alike domains targeting your brand. WHOIS reveals when a suspicious domain was registered, who registered it, and whether it's hiding behind a privacy proxy — the first triage step in a takedown process.

Security Investigation

When tracing a phishing campaign, a C2 host, or a fraudulent storefront, registration metadata is the breadcrumb trail. Registrar, registration date, and shared nameservers often cluster malicious domains operated by the same actor.

Pre-Acquisition Research

Before buying a domain (or a company that owns one), verify the registration timeline, current registrar, transfer-lock state, and nameserver setup. A 20-year-old domain with multiple silent ownership changes is a different asset than a fresh registration — and the WHOIS record tells you which.

WHOIS Myths That Won't Die

WHOIS is one of the internet's oldest still-running protocols, and a lot of the folk knowledge around it dates back to a different era. Six assumptions that quietly turn into outages or wasted hours when treated as fact.

"WHOIS data is current."

Reality: Registries sync to WHOIS / RDAP servers on their own schedule — minutes to hours, occasionally longer for ccTLDs. A change you made through your registrar can take a few hours to appear in third-party WHOIS lookups. If a status flag disappears in a check, give it 30 minutes and re-query before assuming a hijack.

"Privacy services make the owner anonymous."

Reality: Privacy / proxy services only hide the public-facing record. The registrar still has the real registrant details on file and is required to disclose them on valid legal request — subpoena, court order, ICANN URS / UDRP proceedings. Anonymity from random observers, not from law enforcement.

"Expired = available the next day."

Reality: Most gTLDs run a 30-day Redemption Grace Period after expiry, during which the original owner can pay a higher fee to reclaim. Then comes a 5-day Pending Delete window before the name returns to the registry pool. Total lag from expiry to re-registration is typically 35-45 days — and drop-catching services already have it queued before you see "available."

"WHOIS is encrypted."

Reality: Traditional WHOIS on TCP port 43 is plaintext. Anyone on the network path can read the query and response. RDAP fixed this by running over HTTPS — one of its underrated benefits — but as long as a TLD only offers WHOIS-43, every lookup against it is observable in transit.

"All registrars expose the same fields."

Reality: Field names, formatting, encoding and even available fields vary registrar by registrar. Some return Expiry Date, others Registry Expiry Date or Expiration Time. This inconsistency is exactly why RDAP exists — its JSON schema is the same across every IETF-compliant server, no regex required.

"Domain transfers happen instantly."

Reality: An ICANN-compliant gTLD transfer requires an auth code, an unlock from the losing registrar, and a 5-day window during which the registrant can cancel. Even a clean transfer typically takes 24-48 hours; a disputed one can take weeks. Plan transfers with that timeline, not the marketing copy on the gaining registrar's homepage.

Frequently Asked Questions

Quick answers to the most common questions about WHOIS, RDAP and domain registration data.

What is the difference between WHOIS and RDAP?

WHOIS is the legacy protocol — plain-text response over TCP port 43, no schema, every registrar formats fields differently. RDAP is its modern replacement standardized by the IETF in 2015: structured JSON over HTTPS, consistent across all compliant servers, supports internationalization. Emercom queries RDAP first and falls back to WHOIS only when a TLD does not yet offer RDAP.

Why does the registrant contact say "Privacy Service"?

Many registrants use a WHOIS privacy or proxy service to hide their personal contact details from the public record. The registrar still has the real registrant on file and discloses it on valid legal request, but random observers see only the privacy provider's placeholder. ICANN explicitly permits this.

How long after expiry can I re-register a domain?

For most gTLDs, expect 35-45 days: a 30-day Redemption Grace Period during which the original owner can pay a higher fee to reclaim the domain, followed by a 5-day Pending Delete window before the name returns to the registry pool for re-registration. Drop-catching services compete aggressively for high-value drops.

What does clientTransferProhibited mean?

It is an EPP status code meaning the registrant has asked the registrar to lock the domain against transfer to another registrar. It is the most common protective lock and the recommended default — without it, anyone who phishes the registrar account can move the domain to another registrar before the legitimate owner notices.

Why are some WHOIS fields missing?

Two main reasons. Country-code TLDs (ccTLDs) operate under their own registry policies — some return only minimal data, some require authentication. Even on gTLDs, GDPR and similar privacy regulations have caused most registrars to redact registrant contact details by default; only the technical metadata (dates, nameservers, status, registrar) is universally available.

Can WHOIS data be trusted as evidence?

For legal proceedings, no — WHOIS records can be incomplete, redacted, or fabricated at registration time and registrars are not authoritative attesters. For operational and investigative purposes, yes — registration timeline, nameservers, status flags and registrar are reliable enough to drive monitoring alerts, takedown decisions, and security triage.

Related Tools

More free network diagnostics, all running from the same 22-location footprint.