3v-Hosting Blog
When you register a domain, launch a website, or transfer a project to a new server, a mechanism that is rarely thought about is activated in the Internet infrastructure - the WHOIS mechanism. It allows you to find out who registered a domain name, when it expires, which DNS servers are used for its resolution, and what the current status of the domain is.
For website owners and administrators, DevOps engineers, and specialists in any digital projects, WHOIS is one of the most useful working tools. It is used to check domain infrastructure, analyze registration history, and perform initial diagnostics of problems. In this article, we will discuss how WHOIS works, what data it provides, how it has been affected by GDPR, and why RDAP is increasingly being mentioned.
WHOIS is a network protocol and distributed database system designed to store and provide registration information about domain names, IP addresses, and autonomous systems (ASN). It is not a centralized database, as the data is distributed among domain registrars, top-level domain registries (e.g., for .com, .org, .ua), and regional Internet registries (RIRs) that manage IP address space.
When a WHOIS query is made, the system contacts the appropriate server: that of a registrar, a domain registry, or a regional registry. In response, information is returned about who the domain or IP range is delegated to, when the object was registered, what its status is, and what contact details are associated with it (unless they are hidden by privacy policies).
Simply put, WHOIS is a technical registry of owners and administrators of Internet resources. It allows you to determine who is responsible for a particular domain or subnet, through which registrar the registration was made, and who to contact in case of technical or legal issues.
When you perform a WHOIS query for a specific domain, the system returns the following data:
WHOIS was originally created for maximum transparency. For example, if a domain is used for spam or phishing, you can quickly identify the responsible registrar or organization in order to file an abuse report. In the early days of the internet, real names, phone numbers, and email addresses were published here, but over time the situation has changed and now real data is rarely disclosed.
A WHOIS check is essentially sending a request to the registrar's server or regional Internet registry and receiving registration data in response. There are several ways to do this, either with a simple console command or using web interfaces. Let's take a look at the main options.
The most straightforward and technically correct way is to use the simple console utility whois, which is installed by default in most Linux distributions. If for some reason it is not there, you can easily install it on your server using the command:
```
sudo apt install whois
```
After that, execute the WHOIS query itself:
```
whois example.com
```
The system will send a request to the appropriate WHOIS server and return a text response with registration data.
This method is especially convenient for DevOps engineers and administrators who work mainly in the console, as it allows you to:
If you don't use the command line in your work, you can use online WHOIS check services, which are abundant on the web. Such tools are provided by domain registrars, specialized domain analysis services, and cybersecurity platforms.
Essentially, they perform the same query to the WHOIS server, but display the data in a convenient and structured format. Sometimes, they also show the history of changes, information about DNS, SSL certificates, and hosting.
This method is convenient for entrepreneurs, marketers, and those who do not work directly with server infrastructure.
Well, it's pretty obvious: if you work with servers or diagnose problems through the console, then a simple CLI request via whois is optimal. But if you need to quickly check a domain without access to a terminal, then a web interface will do. Your cap :)
From a technical point of view, all methods use the same mechanism, i.e., they send a request to the WHOIS server and receive registration data in text form. The only difference is in convenience and the level of automation.
WHOIS is a fairly old protocol that works through TCP port 43. The client sends a text request to the server, which returns a text response. There is no REST or JSON in the classic implementation.
It is important to understand that WHOIS is not a modern API, but a protocol from the early days of the Internet, so the response format is not strictly standardized, which is why different registrars may return information in slightly different forms.
Later, web interfaces and automated tools appeared, but the basis remained the same: a simple request to the WHOIS server and receiving a text block of data.
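The exchange described above can be reproduced in a few lines. This is an added example, not code from the article: `whois_query`, `loopback_server` and the reply text are constructed for illustration, and the loopback server stands in for a real registry so the exchange runs offline.

```python
import socket
import threading

# Constructed reply used by the loopback stand-in below (not real registry output)
CONSTRUCTED_REPLY = "Domain Name: example.com\r\nDomain Status: clientTransferProhibited\r\n"

def whois_query(query, server, port=43, timeout=10.0):
    """Send one WHOIS query and return the raw text reply."""
    if "\r" in query or "\n" in query:
        # One query line per connection: a line break in untrusted input would alter the request
        raise ValueError("query must be a single line")
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")  # plain text, no TLS, no credentials
        chunks = []
        while chunk := sock.recv(4096):  # the server marks the end by closing the connection
            chunks.append(chunk)
    # No character set is negotiated, so decode defensively
    return b"".join(chunks).decode("utf-8", errors="replace")

def loopback_server():
    """Constructed stand-in for a WHOIS server; returns (port, list of requests seen)."""
    listener = socket.create_server(("127.0.0.1", 0))
    seen = []
    def serve():
        conn, _ = listener.accept()
        with conn, listener:
            seen.append(conn.recv(1024))
            conn.sendall(CONSTRUCTED_REPLY.encode("ascii"))
    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], seen

if __name__ == "__main__":
    port, seen = loopback_server()
    print(whois_query("example.com", "127.0.0.1", port), end="")
    print("bytes on the wire:", seen[0])
```

Because nothing in the exchange is encrypted or authenticated, treat the reply as untrusted input when it feeds automation.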
WHOIS is not just a check of the domain registration date. The server's response contains a whole set of technical and registration information that allows you to assess the current status of the domain, its history, and level of manageability. For administrators, it is a diagnostic tool; for businesses, it is a means of control; and for analysts, it is a source of indirect signals about the reliability of the resource.
Let's take a closer look at a test fragment of a typical WHOIS response for a domain:
```
Domain Name: example.com
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-10T12:00:00Z
Registry Expiry Date: 2027-03-10T12:00:00Z
Name Server: ns1.examplehost.com
Name Server: ns2.examplehost.com
Domain Status: clientTransferProhibited
```
Let's break down the key fields:
| Field | Meaning | Why It Matters |
|---|---|---|
| Domain Name | The domain name | Verifies that the correct domain was queried |
| Registrar | The domain registrar company | Identifies who manages the registration and whom to contact |
| Creation Date | Registration date | Helps assess the domain’s age |
| Registry Expiry Date | Expiration date | Allows monitoring of renewal deadlines |
| Name Server | DNS servers | Used to verify domain delegation |
| Domain Status | Domain status | Indicates locks, restrictions, or transfer prohibitions |
Essentially, we can see that when performing a WHOIS query, we can determine:
clientTransferProhibited, clientHold, serverHold);
This data allows you to draw a number of practical conclusions. For example, for SEO analysis, the age of the domain can serve as an indirect indicator of the trustworthiness and stability of the project. For administrators or DevOps engineers, WHOIS is a quick way to check delegation, identify possible blockages, and ensure that changes at the registrar are applied correctly. And for businesses and owners of digital projects, it is a tool for controlling their domain name portfolio, for example, tracking domain renewal dates, statuses, and registration data, which helps to avoid brand loss or website downtime.
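The checks listed above can be automated over the text response. This is an added example, not the article's code: the function names, the 30-day thresholds and the second sample are assumptions, and dates are assumed to be ISO 8601 as in the article's sample (other formats are reported as unknown rather than guessed).

```python
from datetime import datetime, timezone

SAMPLE = """\
Domain Name: example.com
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-10T12:00:00Z
Registry Expiry Date: 2027-03-10T12:00:00Z
Name Server: ns1.examplehost.com
Name Server: ns2.examplehost.com
Domain Status: clientTransferProhibited
"""  # the article's sample response
RISKY = """\
% constructed sample, not real registry output
creation date: 2025-12-28T00:00:00Z
registry expiry date: 2026-01-15T00:00:00Z
domain status: clientHold https://icann.org/epp#clientHold
"""
# Statuses the article mentions that stop a domain working or precede deletion
BLOCKING = {"clienthold", "serverhold", "redemptionperiod", "pendingdelete"}

def parse_whois(text):
    """Map lower-cased field names to lists of values; repeated fields are kept."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if line.startswith(("%", "#")) or not sep or not value.strip():
            continue  # comment lines, banners, empty fields
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def _date(fields, name):
    try:
        return datetime.fromisoformat(fields[name][0].replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return None  # field missing, or written in a format not handled here

def assess(text, now, young_days=30, renew_days=30):
    f = parse_whois(text)
    created, expires = _date(f, "creation date"), _date(f, "registry expiry date")
    statuses = {s.split()[0].lower() for s in f.get("domain status", [])}
    age = (now - created).days if created else None
    left = (expires - now).days if expires else None
    return {"name_servers": f.get("name server", []), "age_days": age,
            "days_left": left, "blocking": sorted(statuses & BLOCKING),
            "recently_registered": age is not None and age < young_days,
            "expires_soon": left is not None and left < renew_days}

if __name__ == "__main__":
    for sample in (SAMPLE, RISKY):
        print(assess(sample, datetime(2026, 1, 1, tzinfo=timezone.utc)))
```

Field labels are matched case-insensitively because, as noted earlier, registries do not agree on one response format.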
Until 2018, the WHOIS system in many domain zones published fairly detailed personal data of domain owners, such as name, surname, address, phone number, and email. This information was available to virtually any Internet user without additional authentication.
But the situation changed after the European Union's General Data Protection Regulation (GDPR) came into effect in May 2018. The GDPR established strict requirements for the processing and publication of EU citizens' personal data, including data posted in public registries.
Since WHOIS in its classic form disclosed personal information, registrars and domain registries were forced to change their data display policies. As a result:
Now, instead of names and email addresses, WHOIS responses often display entries such as:
This means that the domain administrator's data is either hidden in accordance with legal requirements or protected by a privacy service provided by the registrar.
After the implementation of GDPR, direct access to personal data through public WHOIS is virtually impossible. However, in some cases, the information can still be obtained legally.
If you need to contact the domain owner or conduct an investigation, the following actions are possible:
However, it is important to understand that without legal grounds, it is now impossible to obtain the personal data of a domain owner through WHOIS. This is a fundamental change that has made the system less transparent but has significantly increased the level of protection for personal information.
From a security and privacy perspective, this is a positive step. From the perspective of investigations and legal disputes, it is an additional level of complexity that requires compliance with formal procedures.
As we mentioned above, WHOIS applies not only to domains, but also to IP addresses and ASNs (autonomous system numbers).
For IP queries, data is provided by regional Internet registries (RIRs):
Here is an example of a simple query:
```
whois 195.64.109.1
```
In response, you will receive information about:
This is especially important for hosting providers and DevOps engineers when working with abuse requests and network diagnostics.
Although WHOIS is still actively used, it is technically considered an outdated solution. It is gradually being replaced by RDAP - Registration Data Access Protocol. This is a modern protocol for accessing registration data, developed as a replacement for the classic WHOIS.
RDAP was created to address the limitations of the old protocol, such as the lack of a standardized structure, weak security, and the inability to flexibly manage access to data.
Let's take a closer look at the key differences between the two tools.
| Parameter | WHOIS | RDAP |
|---|---|---|
| Transport | TCP port 43 | HTTPS |
| Response Format | Unstructured text | Structured JSON |
| Authentication | Not supported | Supported |
| Security | No encryption | TLS encryption |
| Standardization | Partially standardized | Strictly standardized |
| Outlook | Gradually being replaced | Modern standard |
WHOIS operates over TCP port 43. It is a simple text protocol with no built-in encryption. The request is sent in plain text, and the server returns a text response.
RDAP runs over HTTPS, the same protocol used for websites. This means that the connection is protected by TLS encryption, which improves data transfer security.
WHOIS returns plain raw text, and the output format can vary depending on the registry or registrar, which complicates automatic data processing.
RDAP uses JSON format, which is structured and machine-readable. This makes it convenient for integration into automated systems, APIs, and analysis tools.
WHOIS was originally conceived as a completely public system. It does not provide for authentication or access control mechanisms.
RDAP supports authentication and allows different amounts of data to be returned depending on the user's rights. This is especially important after the introduction of GDPR and other personal data protection laws.
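To show what the structured format means in practice, here is the same registration data read from an RDAP domain object. This is an added example, not code from the article: the JSON is constructed to mirror the WHOIS sample using the RFC 9083 member names, and `summarize` is an illustrative name.

```python
import json

# Constructed RDAP domain object mirroring the article's WHOIS sample
RDAP_SAMPLE = json.loads("""
{
  "objectClassName": "domain", "ldhName": "example.com",
  "status": ["client transfer prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2015-03-10T12:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2027-03-10T12:00:00Z"}
  ],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "ns1.examplehost.com"},
    {"objectClassName": "nameserver", "ldhName": "ns2.examplehost.com"}
  ],
  "entities": [
    {"objectClassName": "entity", "roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar, Inc."]]]}
  ]
}
""")

def _fn(entity):
    """Formatted name from an entity's jCard, or None when absent or withheld."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == "fn":
            return prop[3]
    return None

def summarize(obj):
    """Flatten an RDAP domain object into the fields of the WHOIS table above."""
    if obj.get("objectClassName") != "domain":
        raise ValueError("not an RDAP domain object")
    events = {e["eventAction"]: e["eventDate"] for e in obj.get("events", [])}
    registrar = next((_fn(e) for e in obj.get("entities", [])
                      if "registrar" in e.get("roles", [])), None)
    return {
        "domain": obj.get("ldhName"),
        "registrar": registrar,
        "created": events.get("registration"),
        "expires": events.get("expiration"),
        "name_servers": [ns["ldhName"] for ns in obj.get("nameservers", [])],
        # RDAP spells statuses with spaces, unlike WHOIS's clientTransferProhibited
        "status": obj.get("status", []),
    }

if __name__ == "__main__":
    print(json.dumps(summarize(RDAP_SAMPLE), indent=2))
```

Every field is located by member name rather than by guessing at text labels, so scripts ported from WHOIS mainly need to account for the different status spelling.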
Despite the technical advantages of RDAP, the term “WHOIS” continues to be used everywhere. This is due to history, as WHOIS has been around for decades and its name has become synonymous with checking registration data.
In many tools and interfaces, the word “WHOIS” is used as a general term for domain verification, even if the query is actually performed via RDAP.
Thus, RDAP is a modern and more secure way to access registration information, but in a professional environment, both terms coexist for now.
In everyday work with domains and infrastructure, there are situations when a WHOIS check is no longer a simple formality, but becomes a necessary step before making a decision. Below are five typical scenarios in which it is difficult to do without WHOIS.
Before purchasing a domain, it is important to check its current status, registration expiration date, and registrar. WHOIS will show whether the domain is in redemptionPeriod or pendingDelete status, whether there are any transfer restrictions (clientTransferProhibited), and when exactly the registration expires. This helps to avoid purchasing a problematic or nearly expired domain.
After changing the DNS or hosting, WHOIS allows you to verify that the domain has the correct NS servers. If the changes have not been applied by the registrar, the website may not start working even if the server is configured correctly. In this case, WHOIS is a quick way to check the delegation and rule out a problem at the domain record level.
When identifying a phishing site or fraudulent project, WHOIS helps determine the domain registration date, registrar, and technical contacts. A recent registration (e.g., a few days ago) is often an indirect indicator of risk. You can also use WHOIS to find the abuse contact to file a complaint.
For businesses that own multiple domains, monitoring registration dates is critical. WHOIS allows you to check the delegation expiration date and ensure that the domain has not been transferred to clientHold status due to payment or verification issues. This reduces the risk of brand loss or website downtime.
When analyzing competitive projects, WHOIS helps to assess the age of the domain, its registration history, and sometimes its ownership structure (if the data is public). The age of the domain can indirectly indicate the stability of the business and the length of the company's presence in the market.
In all these scenarios, WHOIS acts as a quick technical verification tool, allowing you to make decisions based on actual registration data.
WHOIS displays the registration data of a domain, IP address, or autonomous system (ASN). A typical response shows the registration date and delegation expiration date, registrar, current domain status, NS servers used, and technical contacts (if not hidden). For IP addresses, the organization that owns the range and the abuse contact are also indicated.
Yes. Most registrars provide a Privacy Protection service, which replaces real contacts with service contacts. In addition, in the EU and a number of other regions, data is automatically restricted in accordance with the requirements of the GDPR and similar personal information protection laws.
Most often, this is due to personal data protection laws or an activated privacy service. As a result, technical placeholders such as REDACTED FOR PRIVACY are displayed instead of the name and email address. Full access to the data is only possible if a valid request is made to the registrar.
WHOIS is an old text protocol that works through TCP port 43 and does not provide encryption or authentication. RDAP (Registration Data Access Protocol) is a more modern standard that uses HTTPS and a structured JSON format. RDAP provides better security, standardization, and the ability to differentiate access to data.
Yes, if you only use publicly available information and do not violate data protection laws. Checking the age of a domain, registrar, or delegation status is legal technical analysis. However, attempts to obtain hidden personal data without legal grounds may violate legal norms.
So, in this article, we have learned that WHOIS is one of the basic infrastructure mechanisms of the Internet. Despite the age of this protocol and the industry's gradual transition to RDAP, this system remains an important tool for working with domains, IP addresses, and autonomous systems.
It is not just a reference database, but a practical tool for checking domain status, controlling delegation, and analyzing registration data. WHOIS allows you to quickly determine which registrar registered the domain, when it expires, which DNS servers are used, and whether there are any restrictions on its operation.
Understanding how WHOIS works and the differences between WHOIS and RDAP allows you to navigate the domain infrastructure with confidence and make technically sound decisions when working with Internet resources.