WHOIS is a protocol for querying domain registration data. It tells you who registered a domain, which registrar they used, when the registration expires, and which name servers the domain is pointed at. The protocol has been part of internet infrastructure since 1982 and remains a standard first step whenever something goes wrong with a domain.
What WHOIS Shows You
A WHOIS record contains several categories of information.
Registrant contact details — the name, organization, address, email, and phone number of the domain owner. In practice, much of this is now hidden or replaced with proxy contact details. More on why in the privacy section below.
Registrar — the company through which the domain was registered: its name, IANA ID, and an abuse contact address. Useful if you need to report a domain being used for phishing or spam.
Name servers — the authoritative DNS servers for the domain. This is one of the most practically useful fields. If the name servers in WHOIS don't match what's configured in your control panel, that mismatch explains most "unexplained" outages. A name server change only takes effect once it's reflected in the registry record — WHOIS confirms whether it has.
Registration dates — three timestamps appear in every WHOIS record: when the domain was first created, when the record was last updated, and when the current registration period expires. The creation date is useful for security checks: a domain registered yesterday that's already sending email or handling payments is a reliable indicator of fraud. The updated date is worth checking any time something changes with a domain you didn't intentionally touch.
Domain status — shows which operations are currently permitted or blocked on the domain. A domain can carry multiple status codes simultaneously.
DNSSEC status — indicates whether the domain has cryptographic signing enabled for its DNS records. Without it, the field typically reads unsigned.
Domain Status Codes Explained
ok — the domain is active with no restrictions. This is the normal state for a functioning domain; all operations are available.
clientTransferProhibited — the domain is locked against transfers to another registrar. Most registrars set this automatically after registration or an incoming transfer as a safeguard against unauthorized domain hijacking. To move the domain, remove this lock through your registrar's control panel first, then request the EPP code.
clientUpdateProhibited — changes to registration data are blocked: name servers, contact details, and other record fields cannot be modified. Often set alongside clientTransferProhibited as a basic layer of protection against unauthorized changes.
clientDeleteProhibited — the domain cannot be deleted while this status is active. Typically applied to high-value or critical domains to prevent accidental or malicious deletion from taking down infrastructure.
serverTransferProhibited / serverUpdateProhibited / serverDeleteProhibited — the same restrictions as their client equivalents, but set by the registry rather than the registrar. These cannot be removed through your registrar's control panel — the registry itself must lift them. They usually appear during dispute resolution, ICANN compliance procedures, or active investigations.
clientHold / serverHold — the domain is suspended: the site won't resolve and email won't deliver, even if DNS is correctly configured. clientHold is set by the registrar, typically for non-payment or a terms violation — contact your registrar to resolve it. serverHold is set by the registry; the registrar can't help here, and you'll need to deal with the registry directly.
redemptionPeriod — the domain wasn't renewed in time and has entered a recovery window of up to 30 days. You can still get it back, but the fee is typically several times higher than a standard renewal. Once this period ends, the domain moves to pendingDelete.
pendingDelete — the final stage before the domain is released. Recovery is no longer possible. Within a few days the domain will become available for anyone to register.
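The status codes above can be read programmatically from raw WHOIS output. The following is an added example, not part of the original article: it assumes the common "Domain Status:" line layout, the sample record is constructed, and the names parse_status_codes and assess are hypothetical.

```python
import re

# Constructed sample in the common gTLD WHOIS layout; real output varies by registry.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Updated Date: 2024-03-01T10:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: clientHold https://icann.org/epp#clientHold
DNSSEC: unsigned
"""

# Accepts "Domain Status:" or a bare "Status:" label at the start of a line.
STATUS_LINE = re.compile(r"^\s*(?:Domain )?Status:\s*([A-Za-z]+)", re.I | re.M)

def parse_status_codes(whois_text):
    """Return the status codes found in raw WHOIS text, in order, without duplicates."""
    codes = []
    for code in STATUS_LINE.findall(whois_text):
        if code.lower() not in [c.lower() for c in codes]:
            codes.append(code)
    return codes

def assess(codes):
    """Group codes by who can lift them and flag the states described above."""
    low = [c.lower() for c in codes]
    return {
        # client* codes are set by the registrar and handled in its control panel
        "registrar_set": [c for c in codes if c.lower().startswith("client")],
        # server* codes are set by the registry; only the registry can lift them
        "registry_set": [c for c in codes if c.lower().startswith("server")],
        # a hold suspends resolution and mail even when DNS is configured correctly
        "suspended": "clienthold" in low or "serverhold" in low,
        "in_redemption": "redemptionperiod" in low,
        "pending_delete": "pendingdelete" in low,
        # registry-level codes that stop a transfer; clientTransferProhibited is
        # left out because the registrar lock can be removed by the owner
        "registry_transfer_blockers": [
            c for c in codes
            if c.lower() in ("serverhold", "servertransferprohibited")
        ],
    }

if __name__ == "__main__":
    for key, value in assess(parse_status_codes(SAMPLE_WHOIS)).items():
        print(f"{key}: {value}")
```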
Why Registration Data Is Often Hidden
Before 2018, WHOIS databases publicly exposed the full name, address, email, and phone number of every domain registrant. That data was routinely harvested for spam campaigns, social engineering, and identity theft.
When the EU's General Data Protection Regulation (GDPR) came into force in May 2018, most registrars stopped publishing personal data for individual registrants. What you see instead is a redaction notice or a proxy contact address. The underlying data still exists at the registrar and can be obtained through official legal channels — for example, during UDRP domain dispute proceedings.
For companies and organizations the restrictions are generally less strict, so corporate registrant details appear in WHOIS more often. Country-code domains (.uk, .de, .ru, and others) follow rules set by their national registries, so data availability varies considerably from one TLD to another.
How to Check WHOIS
The most reliable method is the command line — it queries the registry directly without caching:
whois example.com
For TLDs with their own WHOIS server, you can specify it explicitly:
whois -h whois.nic.de example.de
On Ubuntu and Debian, the tool installs in one step:
apt install whois
For one-off lookups without terminal access, several web tools work well. lookup.icann.org is ICANN's official tool and pulls data directly from the registry. who.is has a clean interface and shows historical record changes. domaintools.com provides extended WHOIS history, though some features require a paid account. Keep in mind that web tools often serve cached results — when you need to confirm that a recent change has propagated to the registry, the command line is more reliable.
WHOIS, RDAP, and DNS: What's the Difference
These three systems are frequently mentioned together but serve distinct purposes.
WHOIS queries registration data: owner, registrar, name servers, status, dates. It works over port 43 and returns unstructured plain text in a format that varies between registries.
RDAP (Registration Data Access Protocol) is the modern replacement for WHOIS. It returns the same registration data but as structured JSON with a standardized schema — the same field names regardless of which registry you're querying. RDAP also supports tiered access, meaning authenticated users can potentially retrieve more data than anonymous requests. ICANN mandated RDAP support for all generic TLD registries in 2019. A basic RDAP query looks like this:
curl -L https://rdap.org/domain/example.com
DNS is an entirely separate system with nothing to do with registration data. DNS answers the question "where does this traffic go?" — returning IP addresses, MX records, CNAME records, and so on. It contains no information about who registered a domain or when.
The practical rule: use WHOIS or RDAP to check registration data; use DNS tools (dig, nslookup) to trace resolution paths and debug zone configuration.
Frequently Asked Questions
Why doesn't WHOIS show the domain owner's name?
Since 2018, most registrars have stopped publishing personal data for individual registrants, in line with GDPR. The data exists at the registrar but isn't exposed publicly. For companies and organizations the restrictions are typically less strict, so corporate registrant details appear more often.
How can I tell if a domain's name servers were changed without my knowledge?
Check the updated date in the WHOIS record. A recent timestamp when you haven't made any changes is a reason to review the activity log in your registrar's control panel.
Why is RDAP better than WHOIS for scripting?
RDAP returns JSON with consistent field names across all registries. WHOIS returns plain text in a format that varies from one registry to another. For automated monitoring or data pipelines, RDAP is far easier to work with — no need to write separate parsers for each TLD.
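As an added example (not part of the original article), the checks described earlier for the creation date, the updated date, and the name servers can be run against an RDAP response with one parser. The sample record is constructed using RFC 9083 field names; the function names, the 30-day and 7-day thresholds, and the expected name servers are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed RDAP domain object (RFC 9083 field names); all values are made up.
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "domain", "ldhName": "example.com",
  "events": [
    {"eventAction": "registration", "eventDate": "2024-05-28T09:15:00Z"},
    {"eventAction": "last changed", "eventDate": "2024-05-30T22:41:07Z"},
    {"eventAction": "expiration", "eventDate": "2025-05-28T09:15:00Z"}],
  "nameservers": [{"ldhName": "NS1.UNEXPECTED.EXAMPLE"},
                  {"ldhName": "ns2.unexpected.example"}],
  "secureDNS": {"delegationSigned": false}
}""")

def event_time(record, action):
    """Return the timestamp of the named RDAP event, or None if it is absent."""
    for ev in record.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def audit(record, expected_ns, now, new_days=30, change_days=7):
    """Return findings for the checks in the text; the thresholds are assumptions."""
    findings = []
    created = event_time(record, "registration")
    changed = event_time(record, "last changed")
    if created and now - created < timedelta(days=new_days):
        findings.append(f"newly registered: {(now - created).days} days old")
    if changed and now - changed < timedelta(days=change_days):
        findings.append(f"record changed recently: {changed.isoformat()}")
    # Host names are case-insensitive and may carry a trailing dot; normalise first.
    actual = {ns["ldhName"].rstrip(".").lower() for ns in record.get("nameservers", [])}
    wanted = {ns.rstrip(".").lower() for ns in expected_ns}
    if actual != wanted:
        findings.append(f"name server mismatch: registry has {sorted(actual)}")
    if not record.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("DNSSEC: unsigned")
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
    for line in audit(SAMPLE_RDAP, ["ns1.example.net", "ns2.example.net"], now):
        print(line)
```

To run it against live data, replace SAMPLE_RDAP with the parsed JSON body of an RDAP domain query and pass the current UTC time as now.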
What should I do if my domain is in redemptionPeriod?
Contact your registrar immediately. The recovery window lasts up to 30 days, and you can still get the domain back — but the fee is typically several times higher than a standard renewal. Once redemptionPeriod ends, the domain enters pendingDelete and recovery is no longer possible.
Can I trust WHOIS data when buying a domain?
Treat it as a starting point rather than a definitive source. Before completing a purchase, verify the status codes (look for ok or a removable clientTransferProhibited), check there are no registry-level holds (serverHold, serverTransferProhibited), and confirm the seller can provide the authorization code (EPP code) required to transfer the domain.