WHOIS Lookup: What It Tells You and When You Actually Need It
WHOIS is one of those tools that most developers have used at least once without really thinking about what they're looking at. You type a domain, you get a wall of text, you find the expiry date or nameservers you needed, and you move on.
But there's quite a bit more in that output if you know what you're reading. And in certain situations — tracking down a phishing domain, debugging email issues, investigating infrastructure before an acquisition — understanding WHOIS properly saves serious time.
How WHOIS Actually Works
WHOIS is a query-response protocol that retrieves registration data from internet registries. Every domain has a registry (Verisign manages .com, PIR manages .org, etc.) and each registry runs a WHOIS server. Registrars are contractually required to publish registration data through it.
The lookup is hierarchical — you query IANA to find the right registry, the registry to find the registrar, the registrar for the full record. Most tools handle this automatically so you just type the domain.
From the terminal: whois example.com
For IP address investigation: whois 8.8.8.8
What a Full WHOIS Record Contains
A complete record includes:
• Registrant name, organization, address, phone, and email
• Administrative and technical contact information
• Registrar name and IANA ID
• Registration date, expiry date, and last updated timestamp
• Name servers (crucial for DNS investigation)
• Domain status codes
• DNSSEC status
The registration date is one of the most useful fields. A domain with a 2008 registration date has a fundamentally different risk profile from one registered last Tuesday. That date can't be faked.
Domain Status Codes — What They're Telling You
clientTransferProhibited — Registrar has locked the domain. Can't be transferred to another registrar. This is the normal state for active domains and is what you want to see.
serverHold — Registry has suspended the domain. It won't resolve. Usually means a policy violation, non-payment, or legal hold.
pendingDelete — Domain is in the 5-day deletion window before being released. WHOIS still returns data but the domain isn't resolving.
redemptionPeriod — Domain expired but the registrant can still recover it for a premium fee, typically within 30 days of expiry.
If you're watching an expiring competitor domain or trying to acquire one that's lapsed: track status codes. Hitting redemptionPeriod means it's getting close to becoming available.
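One way to pull the fields discussed above out of raw whois output and read the status codes, as an added example that is not part of the original article or its tool. The sample record is constructed, and the field labels (Creation Date, Domain Status, Name Server) assume the common gTLD output format; other registries label fields differently.

```python
import re
from datetime import datetime, timezone

# Status meanings as described in the article above.
STATUS_NOTES = {
    "clienttransferprohibited": "registrar lock, normal for active domains",
    "serverhold": "suspended by registry, will not resolve",
    "pendingdelete": "in the 5-day deletion window before release",
    "redemptionperiod": "expired, registrant can still recover it for a fee",
}

# Constructed sample record (not real registration data).
SAMPLE = """\
Domain Name: LOOKALIKE-BRAND.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2024-05-28T09:14:02Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverHold https://icann.org/epp#serverHold
Name Server: NS1.DNS-HOST.EXAMPLE
Name Server: NS2.DNS-HOST.EXAMPLE
Registrant Name: REDACTED FOR PRIVACY
"""

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (status, name server) accumulate."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:%>]+?):\s+(\S.*)$", line)  # skips % and > comment lines
        if m:
            rec.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return rec

def triage(text, now, young_days=30):
    # Assumption: gTLD-style labels and ISO 8601 UTC timestamps in the record.
    rec = parse_whois(text)
    created = datetime.strptime(rec["creation date"][0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    age = (now - created).days
    statuses = [s.split()[0] for s in rec.get("domain status", [])]  # drop the EPP URL
    return {
        "registrar": rec.get("registrar", ["unknown"])[0],
        "age_days": age,
        "recently_registered": age < young_days,
        "nameservers": [ns.lower() for ns in rec.get("name server", [])],
        "status": {s: STATUS_NOTES.get(s.lower(), "not covered here") for s in statuses},
        "redacted": any("REDACTED" in v.upper() for v in rec.get("registrant name", [])),
    }

if __name__ == "__main__":
    print(triage(SAMPLE, datetime(2024, 6, 4, tzinfo=timezone.utc)))
```

The 30-day threshold for "recently registered" is an arbitrary choice for the example; tune it to your own triage policy.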
What GDPR Did to WHOIS
Since 2018, most registrars have redacted personal contact information from public WHOIS records. Where you used to see a registrant's name, address, and email, you now often see:
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
For developer and IT purposes though — checking domain age, verifying nameservers, identifying the registrar for an abuse report — WHOIS still gives you everything you need even with privacy protection active.
Real Situations Where WHOIS Saves You Time
Investigating a phishing domain impersonating your brand
WHOIS tells you which registrar issued the domain. File your abuse report directly with that registrar — this is significantly faster than generic ICANN complaints. Most registrars have 24-48 hour takedown processes for clear phishing cases.
Debugging email deliverability
WHOIS shows nameservers, which tells you who controls DNS for the domain. If a client's emails are bouncing and you're not sure who manages their DNS, WHOIS is your starting point.
Vetting a third party before integration
Before you build an OAuth integration or set up a webhook relationship with a third-party domain, check the registrant organization. If the org name in WHOIS doesn't match who you're supposedly dealing with, that's worth investigating before you hand over API access.
