What Is WHOIS? (And Why It's Not IP Geolocation)
WHOIS is how you look up who registered a domain or who owns a block of IP addresses. If you have searched for "who is" a domain, that is the same thing - "who is" and "whois" are just two spellings of the identical lookup, named after the question it answers. It is older than the web itself and remains one of the most useful tools for investigating ownership, peering, abuse contacts, and basic due diligence on any internet resource. This guide covers what WHOIS actually returns, how it differs from an IP lookup, why RDAP is replacing it, and how privacy rules like GDPR have changed what you can see.
What WHOIS is, in plain terms
WHOIS is both a protocol and a set of public databases. The protocol was standardised in RFC 3912 and runs over TCP port 43. You send a query as a short text line, and the server replies with ownership and registration data in a loosely formatted plain-text response. Most users never touch port 43 directly - WHOIS lookups usually happen through a web form or a command-line tool that wraps the protocol.
There are two broad categories of WHOIS data:
- Domain WHOIS - maintained by domain registries and registrars. Returns information about a registered domain name, including its registrar, creation and expiration dates, nameservers, and (when not hidden) contact details.
- IP WHOIS - maintained by the five Regional Internet Registries (ARIN for North America, RIPE NCC for Europe, the Middle East and Central Asia, APNIC for Asia-Pacific, LACNIC for Latin America and the Caribbean, AFRINIC for Africa). Returns information about who holds a block of IP addresses and, where the holder has registered it, which ASN is expected to originate it.
What a WHOIS query actually returns
Exact fields vary by registry, but most domain WHOIS responses include:
- Domain name and status flags
- Registrar name, IANA ID, and abuse contact
- Creation date, last updated date, and expiration date
- Nameservers currently serving the zone
- DNSSEC status
- Registrant, administrative, and technical contacts - often redacted behind a privacy service
For IP WHOIS the response focuses on network allocation:
- The CIDR block and its size
- The organisation that received the allocation
- Parent and child blocks if the space was further suballocated
- Abuse, technical, and administrative contact email addresses
- The origin ASN(s) the holder has registered for the block (ARIN's OriginAS field, RIPE's route objects), which ties the record to a routing entity. Treat this as a declared origin, not as proof of what is being announced right now; check a looking glass or BGP data for the live view.
WHOIS vs an IP lookup
The two tools answer different questions. A classic IP lookup - like the one on our homepage - answers "where is this IP seen, and what network family does it belong to?" That tool returns geolocation hints, ISP name, ASN, timezone, and connection type.
WHOIS answers a narrower question: "who administratively owns this resource and where does accountability live?" The ISP name you see in an IP lookup is sometimes a resale brand or a friendly label. WHOIS reveals the actual legal entity that holds the allocation and the abuse email you would contact if you needed to report a problem.
For serious investigations - spam analysis, brand abuse, fraud triage - the two tools are complementary. Start with the IP lookup to see the routing and geolocation context, then pivot to WHOIS / RDAP for ownership confirmation.
Why RDAP is replacing classic WHOIS
Classic WHOIS is showing its age. Responses are plain text with no defined schema, which means every registry formats fields slightly differently. There is no standard way to authenticate, no internationalisation, no structured pagination, and no way to request just the fields you need. Parsers constantly break when a registry changes its layout.
RDAP (Registration Data Access Protocol, specified in the RFC 7480 series) is the modern replacement. It runs over HTTPS and returns structured JSON. It supports authenticated access, standardised status codes, redirection between registries, and internationalised fields. ICANN mandated RDAP for gTLD registries and registrars in 2019, and all five Regional Internet Registries now offer RDAP alongside classic WHOIS.
You can still use the traditional port-43 WHOIS service for most resources, but anything written for automation today should target RDAP first and fall back to WHOIS only when RDAP is unavailable.
How GDPR and privacy rules changed WHOIS
Before May 2018, domain WHOIS responses routinely included the registrant's real name, postal address, phone number, and email. Under the European Union's General Data Protection Regulation that level of public disclosure became untenable for individuals, and registrars quickly began redacting personal fields or replacing them with proxy contacts.
Today most consumer domain WHOIS records show a generic registrar privacy service instead of the actual registrant. Corporate domain ownership is still often visible because organisations are not protected by GDPR the same way individuals are, but you should assume that contact data is partial, redacted, or routed through a proxy.
IP WHOIS was less affected because IP allocations go to organisations, not individuals. Abuse contacts, netnames, and CIDR boundaries generally remain visible - which is why IP WHOIS remains essential for network security work even when domain WHOIS data is thin.
Practical uses for WHOIS in daily work
- Spam and abuse handling. The abuse contact returned by WHOIS or RDAP is the official channel for reporting an IP to its network owner. Responses are rarely instant, but a well-documented complaint sent to the right address does work.
- Phishing investigation. Comparing registration dates and registrars for a suspect domain against legitimate brand domains often reveals cheap, recently-registered lookalikes. A new domain using a privacy shield at a low-cost registrar is a strong warning signal.
- Security research. Mapping related domains to a single registrant email (when visible) or a shared nameserver set can uncover infrastructure clusters used by a threat actor.
- Business due diligence. Before depending on a vendor's public service, checking the WHOIS record confirms the domain is active, up to date, and administered by the expected entity.
- Network operations. When a peer IP misbehaves, WHOIS gives you the ASN, upstream relationships, and contact path needed to escalate within minutes rather than hours.
Reading a WHOIS response without getting confused
A few quick rules help cut through the noise in WHOIS output:
- Registrar and registrant are not the same thing. The registrar is the company through which the domain was purchased. The registrant is the legal owner of the name.
- Status codes like clientTransferProhibited or serverHold are EPP status codes that describe what actions are currently allowed on the domain. The client-side prohibitions (clientTransferProhibited, clientDeleteProhibited, clientUpdateProhibited) are routine locks that most registrars set by default and mean nothing on their own. A hold (clientHold, serverHold) or pendingDelete means the name has been pulled from the zone, which is often a sign of a policy dispute, abuse, or non-payment.
- The "last updated" timestamp refers to the most recent change in the registry record, not the last time the site content changed.
- For IP WHOIS, the most specific record wins. When you query an IP inside a suballocation, the response will show the small netblock first. Walk up the parent references to see who originally received the larger allocation.
- If a WHOIS server refers you to another server (IANA's refer field, a thin gTLD registry's Registrar WHOIS Server field, or ARIN's ReferralServer field), follow that referral - the authoritative record lives there, not on the server that answered first. Bound the number of hops you follow; some registrar servers refer to themselves.
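As an added example (not code from this page or from any registry), here is a minimal port-43 client in Python that applies the rules above: it parses the loosely formatted key/value text into a dict, follows refer / Registrar WHOIS Server / ReferralServer referrals for a bounded number of hops, and sorts EPP status codes into routine locks versus holds. The responses in SAMPLE_RESPONSES are constructed so the walk runs offline; whois.registrar.example is a hypothetical registrar server, while whois.iana.org and whois.verisign-grs.com are the real IANA and .com servers.

```python
import re
import socket

# Constructed port-43 answers standing in for the network. Servers are real
# (whois.iana.org, whois.verisign-grs.com) except the hypothetical registrar.
SAMPLE_RESPONSES = {
    ("whois.iana.org", "example.com"):
        "% IANA WHOIS server\nrefer:        whois.verisign-grs.com\ndomain:       COM\n",
    ("whois.verisign-grs.com", "example.com"):
        "   Domain Name: EXAMPLE.COM\n"
        "   Registrar WHOIS Server: whois.registrar.example\n"
        "   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n"
        "   Domain Status: serverHold https://icann.org/epp#serverHold\n",
    ("whois.registrar.example", "example.com"):
        "Domain Name: example.com\nRegistrar: Example Registrar, LLC\n"
        "Registrant Organization: REDACTED FOR PRIVACY\n"
        "Registrar WHOIS Server: whois.registrar.example\n",   # refers to itself: must not loop
}


def fetch_whois(server, query, timeout=10.0):
    """RFC 3912 client: one CRLF-terminated query line over TCP 43, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def fetch_sample(server, query):
    """Offline stand-in for fetch_whois backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[(server, query)]


KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_.-]*?):\s*(.*?)\s*$")


def parse_whois(text):
    """Collect 'Key: value' lines into {lowercased key: [values]}. Comment lines
    ('%', '#', '>>>') and free text are skipped; repeated keys such as
    Domain Status or Name Server keep every value."""
    fields = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("%", "#", ">>>")):
            continue
        match = KEY_VALUE.match(line)
        if match:
            fields.setdefault(match.group(1).strip().lower(), []).append(match.group(2))
    return fields


# Where the next hop lives: IANA uses 'refer:', thin gTLD registries use
# 'Registrar WHOIS Server:', ARIN uses 'ReferralServer: whois://host'.
REFERRAL_KEYS = ("refer", "registrar whois server", "referralserver", "whois")


def referral_server(fields):
    for key in REFERRAL_KEYS:
        for value in fields.get(key, []):
            host = re.sub(r"^[a-z]+://", "", value.strip()).split("/")[0].split(":")[0]
            if host:
                return host.lower()
    return None


# *Prohibited flags are routine registrar locks; holds and pendingDelete mean
# the name has been pulled from the zone.
ROUTINE_LOCKS = {f"{side}{action}prohibited" for side in ("client", "server")
                 for action in ("transfer", "delete", "update", "renew")}
HOLDS = {"clienthold", "serverhold", "pendingdelete", "redemptionperiod", "inactive"}


def epp_statuses(fields):
    """Bare EPP codes from 'Domain Status: code https://icann.org/epp#code' lines."""
    return [value.split()[0] for value in fields.get("domain status", []) if value.strip()]


def classify_status(codes):
    held = [c for c in codes if c.lower() in HOLDS]
    locks = [c for c in codes if c.lower() in ROUTINE_LOCKS]
    return {"held": held, "routine_locks": locks,
            "other": [c for c in codes if c not in held and c not in locks]}


def whois_chain(query, start_server="whois.iana.org", fetch=fetch_whois, max_hops=4):
    """Follow referrals from the starting server to the authoritative one.
    Bounded by max_hops and a seen-set so a self-referring server cannot loop.
    Returns [(server, parsed_fields), ...] in hop order for the audit log."""
    hops, seen, server = [], set(), start_server
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)
        fields = parse_whois(fetch(server, query))
        hops.append((server, fields))
        server = referral_server(fields)
    return hops


if __name__ == "__main__":
    for server, fields in whois_chain("example.com", fetch=fetch_sample):
        print(server, "->", classify_status(epp_statuses(fields)))
```

Swap fetch_sample for fetch_whois to run the same walk against the live servers; the parser and the hop bound do not change.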
Rate limits and what to do about them
Public WHOIS and RDAP servers enforce rate limits to discourage bulk harvesting. Casual manual queries rarely trip the limits. Automated tooling should use an authenticated RDAP endpoint where the registry offers one, pace its own requests, and back off when the server answers with HTTP 429 or a port-43 rate-limit notice. Ignoring the limits can get your IP temporarily blocked from the registry's infrastructure.
For heavy investigation workflows, many teams cache WHOIS responses locally for a day or two. Registration data does not change minute-by-minute, so a short cache dramatically reduces the number of live lookups needed.
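The two ideas above, retrying politely and caching, as an added example written for this guide (not code from this page's own tooling). The retry helper honours a numeric Retry-After header on 429 or 503, otherwise backs off exponentially with jitter, and a TTL cache stores only successful answers so a transient error is never kept for a day. The transport is a constructed stand-in for an HTTP client and the rdap.example URL is hypothetical.

```python
import random
import time


class RateLimited(Exception):
    """Server kept answering 429/503 past the retry budget."""


def fetch_with_backoff(transport, url, max_attempts=5, base=1.0, cap=60.0,
                       sleep=time.sleep, rng=random.random):
    """transport(url) -> (status, headers, body), e.g. a thin wrapper around an
    HTTP client. 429 and 503 are retried: a numeric Retry-After header is
    honoured (capped), otherwise exponential backoff with full jitter so a
    fleet of workers does not retry in lockstep. Other statuses are returned
    unchanged - a 404 from RDAP means 'no such object', not 'try again'."""
    for attempt in range(max_attempts):
        status, headers, body = transport(url)
        if status not in (429, 503):
            return status, body
        if attempt == max_attempts - 1:
            break
        retry_after = headers.get("Retry-After") or headers.get("retry-after") or ""
        if retry_after.strip().isdigit():
            delay = min(float(retry_after), cap)
        else:
            delay = rng() * min(cap, base * (2 ** attempt))
        sleep(delay)
    raise RateLimited(f"{url}: still rate limited after {max_attempts} attempts")


class TTLCache:
    """In-memory cache with per-entry expiry. Registration data moves slowly,
    so a day-long TTL removes nearly all repeat lookups from an investigation."""

    def __init__(self, ttl_seconds=86400, clock=time.monotonic):
        self.ttl, self.clock, self._store = ttl_seconds, clock, {}

    def get(self, key):
        hit = self._store.get(key)
        if hit is None:
            return None
        expires_at, value = hit
        if self.clock() >= expires_at:
            del self._store[key]
            return None
        return value

    def put(self, key, value):
        self._store[key] = (self.clock() + self.ttl, value)


def cached_lookup(cache, transport, url, **backoff_kwargs):
    """Serve from cache when fresh; only 2xx bodies are stored, so an error or
    a rate-limit rejection never poisons the cache. Returns (status, body, from_cache)."""
    body = cache.get(url)
    if body is not None:
        return 200, body, True
    status, body = fetch_with_backoff(transport, url, **backoff_kwargs)
    if 200 <= status < 300:
        cache.put(url, body)
    return status, body, False


def make_scripted_transport(answers, log):
    """Constructed transport for offline use: hands out the scripted
    (status, headers, body) tuples in order and records every call."""
    queue = list(answers)

    def transport(url):
        log.append(url)
        return queue.pop(0)
    return transport


if __name__ == "__main__":
    calls, slept = [], []
    transport = make_scripted_transport(
        [(429, {"Retry-After": "2"}, ""), (503, {}, ""), (200, {}, '{"handle": "NET-EXAMPLE"}')],
        calls)
    cache = TTLCache(ttl_seconds=60)
    url = "https://rdap.example/ip/192.0.2.1"   # hypothetical endpoint
    print(cached_lookup(cache, transport, url, sleep=slept.append, rng=lambda: 1.0), slept)
    print(cached_lookup(cache, transport, url))   # served from cache, no network call
```

In production the sleep and rng arguments keep their defaults; they are injectable so the backoff schedule can be tested without waiting.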
Automating WHOIS and RDAP queries
Manual lookups are fine for ad-hoc work. Anything at scale needs tooling. A few patterns that hold up in production:
- Target RDAP first. Every RIR and every gTLD registry and registrar under ICANN contract exposes an RDAP endpoint; many ccTLDs still do not. The JSON response is deterministic and easier to parse than port-43 text. Fall back to WHOIS when the TLD has no entry in the bootstrap file or the RDAP server is unreachable - not on a 404, which in RDAP means the object does not exist.
- Respect the bootstrap registry. IANA publishes the RDAP bootstrap files (RFC 7484: dns.json, ipv4.json, ipv6.json and asn.json under data.iana.org/rdap/) that tell you which RDAP server handles which TLD, address range or ASN range. Cache these files locally and refresh daily rather than hammering IANA on every lookup.
- Cache responses. Registration data changes slowly. A 24-hour cache captures almost all meaningful updates while cutting registry load by orders of magnitude.
- Handle redirects explicitly. WHOIS responses often point to a more authoritative server, and an RDAP server may answer with an HTTP redirect (301, 302, 307 or 308) to the registry that actually holds the object. Follow a small, bounded number of hops, never an open-ended loop, and log the chain for audit.
- Normalise the output. Different registries use different field names for the same concept. Build a small mapping layer so downstream code always sees consistent keys like registrant.email, abuse.email, and network.cidr.
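The bootstrap and normalisation steps above, as an added example written for this guide (not code from IANA or any RIR). The bootstrap excerpts are constructed in the RFC 7484 layout with hypothetical server URLs, and the ip network object is a constructed RDAP document in the RFC 9083 shape, with the abuse contact nested inside the registrant entity the way several registries return it.

```python
import ipaddress

# Constructed excerpts in the IANA bootstrap format (RFC 7484): each service is
# [[keys...], [base URLs...]]. The real files are data.iana.org/rdap/ipv4.json,
# ipv6.json, asn.json and dns.json; every server URL below is hypothetical.
IPV4_BOOTSTRAP = {"services": [
    [["192.0.0.0/8"], ["https://rdap.rir-a.example/"]],
    [["192.0.2.0/24"], ["https://rdap.rir-b.example/"]],   # more specific: must win
]}
DNS_BOOTSTRAP = {"services": [
    [["com", "net"], ["https://rdap.registry-a.example/v1/"]],
    [["example"], ["https://rdap.registry-b.example/"]],
]}

# Constructed 'ip network' object in the RDAP JSON shape (RFC 9083): start/end
# addresses rather than a CIDR, and the abuse entity nested under the registrant.
SAMPLE_IP_DOC = {
    "objectClassName": "ip network", "handle": "NET-192-0-2-0-1", "name": "TEST-NET-1",
    "startAddress": "192.0.2.0", "endAddress": "192.0.2.255",
    "parentHandle": "NET-192-0-0-0-0", "status": ["active"],
    "entities": [{
        "objectClassName": "entity", "roles": ["registrant"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example Hosting Ltd"]]],
        "entities": [{
            "objectClassName": "entity", "roles": ["abuse"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["email", {}, "text", "abuse@hosting.example"]]]}],
    }],
}


def rdap_url_for_ip(bootstrap, ip):
    """Longest-prefix match over the bootstrap services; returns the /ip query URL."""
    addr = ipaddress.ip_address(ip)
    best_net, best_urls = None, None
    for prefixes, urls in bootstrap["services"]:
        for cidr in prefixes:
            net = ipaddress.ip_network(cidr)
            if net.version != addr.version or addr not in net:
                continue
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_urls = net, urls
    if best_net is None:
        return None   # no RDAP service registered: fall back to port 43
    return best_urls[0].rstrip("/") + "/ip/" + str(addr)


def rdap_url_for_domain(bootstrap, domain):
    """dns.json is keyed by TLD; no entry means the TLD has no RDAP (yet)."""
    name = domain.rstrip(".").lower()
    tld = name.rsplit(".", 1)[-1]
    for tlds, urls in bootstrap["services"]:
        if tld in [t.lower() for t in tlds]:
            return urls[0].rstrip("/") + "/domain/" + name
    return None


def _vcard(entity, prop):
    """First value of a jCard property; entries look like ["email", {}, "text", "x@y"]."""
    vcard = entity.get("vcardArray") or ["vcard", []]
    for item in vcard[1]:
        if item[0] == prop:
            return item[3]
    return None


def _entities(entities):
    """RDAP nests entities (a registrar carries its own abuse contact); flatten them."""
    for ent in entities or []:
        yield ent
        yield from _entities(ent.get("entities"))


def normalise_rdap(doc):
    """Flatten an RDAP 'ip network' or 'domain' object into consistent dotted keys
    so downstream code never sees a registry-specific layout."""
    out = {"object": doc.get("objectClassName"), "status": doc.get("status", [])}
    if out["object"] == "ip network":
        first = ipaddress.ip_address(doc["startAddress"])
        last = ipaddress.ip_address(doc["endAddress"])
        out["network.cidr"] = [str(n) for n in ipaddress.summarize_address_range(first, last)]
        out["network.name"] = doc.get("name")
        out["network.parent"] = doc.get("parentHandle")   # walk up for the original allocation
    elif out["object"] == "domain":
        out["domain.name"] = doc.get("ldhName", "").lower()
        out["domain.nameservers"] = sorted(ns["ldhName"].lower() for ns in doc.get("nameservers", []))
        for ev in doc.get("events", []):   # e.g. domain.registration, domain.expiration
            out["domain." + ev["eventAction"].replace(" ", "_")] = ev["eventDate"]
    for ent in _entities(doc.get("entities")):
        roles = ent.get("roles", [])
        if "abuse" in roles and _vcard(ent, "email"):
            out.setdefault("abuse.email", _vcard(ent, "email"))
        if "registrant" in roles:
            out["registrant.name"] = _vcard(ent, "fn")
            out["registrant.email"] = _vcard(ent, "email")
        if "registrar" in roles:
            out["registrar.name"] = _vcard(ent, "fn")
            for pid in ent.get("publicIds", []):
                if pid.get("type") == "IANA Registrar ID":
                    out["registrar.iana_id"] = pid.get("identifier")
    return out


if __name__ == "__main__":
    print(rdap_url_for_ip(IPV4_BOOTSTRAP, "192.0.2.44"))
    print(rdap_url_for_domain(DNS_BOOTSTRAP, "login.example.com."))
    print(normalise_rdap(SAMPLE_IP_DOC))
```

The fetch itself is left out on purpose: feed the URL these helpers produce to whatever HTTP client you use, then pass the decoded JSON to normalise_rdap.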
TLD differences you will hit
WHOIS policy varies a lot by top-level domain. Generic TLDs (.com, .net, .org, new gTLDs like .tech or .shop) fall under ICANN's contracts, which mandate a consistent set of fields and a public access channel. Country-code TLDs (.uk, .de, .fr, .jp) are managed by national registries that set their own rules.
- .uk publishes abbreviated records by default and exposes richer data only to authenticated users.
- .de returns almost no contact data to the public and requires out-of-band contact for abuse reports.
- .cn and .ru expose technical fields but rarely registrant contacts.
- .io, .ai, and other ccTLDs marketed like generic names are run by their own operators or back-end providers. Their WHOIS output often looks like gTLD data, but these registries are not bound by ICANN's gTLD contracts, so field sets and privacy rules can differ without notice.
When researching a specific TLD for the first time, check the registry's public documentation before assuming the response format. An unfamiliar field layout almost always has a documented meaning.
A realistic investigation walkthrough
Imagine a phishing email arrives pretending to be from a major bank. Start with the headers and pull the sending IP. Here is the typical pivot chain using WHOIS and related tools:
- Run the sending IP through an IP lookup to confirm geolocation and ASN. Note the ASN name.
- Run the IP through RDAP. The response returns a CIDR block and an abuse email. Save the block - other addresses inside the same range may be part of the same campaign.
- Extract the phishing link from the email body and run a domain WHOIS or RDAP query on it. Age, registrar, and nameserver set almost always tell the story: a two-day-old domain at a low-cost registrar with a privacy shield is the classic phishing profile.
- Run a reverse DNS on the sending IP. Patterns like host-...-hosting.example.net indicate a VPS; the hostname often reveals the actual hoster even when WHOIS lists a reseller.
- Query the ASN to see what else the network announces. Related blocks may belong to the same bad actor.
- Send a well-structured abuse report to every contact you collected along the way - hosting abuse address, registrar abuse address, and any higher-level contact on the ASN.
This five-minute routine catches a surprising amount of commodity phishing infrastructure and turns raw signal into actionable reports.
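The domain-profile step of the walkthrough (and the phishing-investigation bullet earlier in this guide) as an added example; it is not code from this page. It works on records already flattened into dotted keys, all constructed here: a known-good brand registration, a suspect lookalike, and the IP and ASN records gathered on the way, and it ends by collecting every abuse address for the report. Names, registrar IDs and addresses are hypothetical; AS64496 is a documentation ASN.

```python
from datetime import datetime

# Constructed records in an assumed flattened shape (dotted keys, ISO-8601 dates).
BRAND = {
    "domain.name": "examplebank.com",
    "domain.registration": "1998-03-02T05:00:00Z",
    "domain.nameservers": ["ns1.examplebank.com", "ns2.examplebank.com"],
    "registrar.iana_id": "1000", "registrant.name": "Example Bank N.A.",
    "status": ["clientTransferProhibited"], "abuse.email": "abuse@brand-registrar.example",
}
SUSPECT = {
    "domain.name": "examplebank-secure-login.com",
    "domain.registration": "2024-05-30T11:42:00Z",
    "domain.nameservers": ["ns1.cheap-dns.example", "ns2.cheap-dns.example"],
    "registrar.iana_id": "2222", "registrant.name": "REDACTED FOR PRIVACY",
    "status": ["clientTransferProhibited"], "abuse.email": "abuse@registrar.example",
}
SUSPECT_IP = {"network.cidr": ["192.0.2.0/24"], "abuse.email": "abuse@hosting.example"}
SUSPECT_ASN = {"asn": "AS64496", "abuse.email": "Abuse@Hosting.example"}   # same desk, odd case

PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "data protected")
HOLDS = {"clienthold", "serverhold", "pendingdelete"}


def _as_dt(value):
    """Accept an aware datetime or an ISO-8601 string (Z suffix allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if isinstance(value, str) else value


def domain_age_days(record, now):
    return (_as_dt(now) - _as_dt(record["domain.registration"])).days


def triage_domain(suspect, brand, now, young_days=30):
    """Return (score, reasons). Each reason is one of the classic phishing-profile
    signals from the walkthrough, measured against the brand's own registration."""
    reasons = []
    s_label = suspect["domain.name"].split(".")[0]
    b_label = brand["domain.name"].split(".")[0]
    if b_label in s_label and suspect["domain.name"] != brand["domain.name"]:
        reasons.append(f"lookalike: label contains brand token '{b_label}'")
    age = domain_age_days(suspect, now)
    if age <= young_days:
        reasons.append(f"registered {age} days ago")
    if any(m in (suspect.get("registrant.name") or "").lower() for m in PRIVACY_MARKERS):
        reasons.append("registrant hidden behind a privacy/proxy service")
    if suspect.get("registrar.iana_id") != brand.get("registrar.iana_id"):
        reasons.append("registrar differs from the brand's registrar")
    if not set(suspect["domain.nameservers"]) & set(brand["domain.nameservers"]):
        reasons.append("no nameserver overlap with the brand")
    if any(st.lower() in HOLDS for st in suspect.get("status", [])):
        reasons.append("already on hold (registry or registrar action in progress)")
    return len(reasons), reasons


def abuse_recipients(*records):
    """Dedupe every abuse contact gathered along the pivot chain, keeping order:
    hosting first, then ASN, then registrar, so the report goes to all of them once."""
    seen, out = set(), []
    for rec in records:
        email = (rec.get("abuse.email") or "").lower()
        if email and email not in seen:
            seen.add(email)
            out.append(email)
    return out


if __name__ == "__main__":
    score, reasons = triage_domain(SUSPECT, BRAND, "2024-06-01T00:00:00Z")
    print(score, reasons)
    print(abuse_recipients(SUSPECT_IP, SUSPECT_ASN, SUSPECT))
```

The score is a count of independent signals, not a probability; three or more on a lookalike of a brand you protect is enough to open a ticket, while a single signal (a new domain alone) is just a note.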
Common WHOIS pitfalls
- Treating privacy data as a dead end. Even when the registrant is hidden, the registrar, creation date, and nameserver set still tell a story about how the domain was set up.
- Assuming contact emails are monitored. Large ISPs have dedicated abuse teams; small hosting providers often do not. If an abuse contact is silent, escalate through the upstream ASN or the RIR's abuse pathway.
- Confusing WHOIS with DNS. WHOIS tells you who registered a resource. DNS tells you how to reach it. They rely on totally different infrastructure and refresh cycles.
- Relying on WHOIS for real-time data. Registries publish on their own schedules and most lookup services cache what they fetch. A brand-new registration can take hours to show up in a cached service; a cancellation can take days to disappear from cached responses. When timing matters, query the authoritative registry or its RDAP endpoint directly.
Tools and next steps
- WHOIS / RDAP Lookup returns domain and IP registration data with structured fields when available.
- ASN Lookup surfaces the network announcing an IP, which is useful for escalation when the direct abuse contact is unresponsive.
- Reverse DNS Lookup often confirms whether the hostname pattern matches the owner listed in WHOIS.
- IP lookup gives you the routing and geolocation context before you dig into WHOIS.
Frequently asked questions
Is WHOIS data legally binding? WHOIS is a public record, but registrants self-declare most of the information. Verified accreditation programs exist for some TLDs, but unverified WHOIS data should be treated as a strong clue, not courtroom proof.
Why does one lookup return different data than another? Thick and thin WHOIS registries work differently. A thin registry only stores basic fields and refers you to the registrar for the rest. If the first service you use did not follow the referral, you saw a partial record.
Can I hide my own WHOIS data? For consumer domains, most registrars include free or paid privacy services that replace your details with a proxy. For IP space, the allocation is tied to an organisation and cannot be anonymised the same way.
Does WHOIS show VPN users? No. WHOIS returns the owner of the IP block, which for commercial VPNs is the VPN provider itself. A subscriber hidden behind the VPN is not visible at the WHOIS layer.
For privacy-focused follow-up, start with protecting your IP address and learn what websites can actually infer from you in IP geolocation.