Article Summary: WHOIS is the global protocol for querying domain registration data from authoritative registry servers. This article explains how WHOIS works, what EPP status codes mean, how GDPR changed WHOIS privacy, and how to interpret lookup results for tasks such as domain transfers, expiry tracking, and ownership verification.
What Is WHOIS Lookup?
WHOIS is a query-and-response protocol defined in RFC 3912 that allows anyone to retrieve publicly available registration information about a domain name. The data is maintained by domain registrars and stored in registries operated by organizations such as Verisign (for .com/.net) or country-code registry operators worldwide, under oversight of ICANN (the Internet Corporation for Assigned Names and Numbers).
When you perform a WHOIS lookup, the query travels to the correct authoritative WHOIS server for the domain's TLD. For example, a .com query goes to whois.verisign-grs.com, while a .uk query goes to Nominet's server. The server returns a structured text block containing all publicly available registration data for that domain.
WHOIS data is critical for a wide range of use cases: network administrators use it to verify nameserver delegation, domain buyers use it to assess availability and ownership, security researchers use it to attribute malicious domains, and legal teams use it for trademark enforcement and domain dispute resolution (UDRP).
Modern implementations also support RDAP (Registration Data Access Protocol), a newer JSON-based standard that is gradually replacing plain-text WHOIS for easier machine parsing and structured privacy controls.
How It Works
Step 1 — TLD Resolution
The tool first extracts the top-level domain (TLD) from the domain you enter. It then consults the IANA root WHOIS server (whois.iana.org) or an internal TLD-to-server mapping to identify which authoritative WHOIS server is responsible for that TLD. Each TLD registry operates its own WHOIS server.
Step 2 — Registry Query
A TCP connection is made to the identified WHOIS server on port 43. The domain name is sent as a plain-text query, and the server returns the registration record. For most gTLDs, the registry record contains the registrar name, IANA registrar ID, and basic domain dates — but delegates full registrant contact details to a registrar WHOIS server.
Step 3 — Registrar Referral
When the registry record includes a Registrar WHOIS Server field, a second query is made to that registrar's server to retrieve the complete record including registrant, admin, and tech contact details (subject to GDPR redaction), nameservers, and full EPP status codes.
Step 4 — Result Display
The raw WHOIS text is returned and displayed. Key fields to note are Creation Date, Registry Expiry Date, Name Server entries, and any Domain Status EPP codes that indicate whether transfers or updates are locked.
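The four steps above, sketched as an added example (not code from this article or its tool). The `refer` field is what the IANA server returns for a TLD; the `.example` server names and the `FAKE` responses are constructed so the chain runs offline, and `port43_query` is the live transport it would use otherwise.

```python
import re
import socket

IANA_WHOIS = "whois.iana.org"

def port43_query(server, text, timeout=10):
    """Send one RFC 3912 query: the text plus CRLF over TCP port 43, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(text.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def field(record, name):
    """Return the first value of a 'name: value' line, or None if absent or empty."""
    m = re.search(rf"^\s*{re.escape(name)}:[ \t]*(\S+)", record, re.I | re.M)
    return m.group(1).lower() if m else None

def lookup(domain, query=port43_query):
    """Follow IANA -> registry -> registrar; return [(server, raw_record), ...]."""
    domain = domain.strip().rstrip(".").lower()
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain):
        raise ValueError("not a plain hostname")  # keeps CR/LF and spaces out of the query
    tld = domain.rsplit(".", 1)[1]
    registry = field(query(IANA_WHOIS, tld), "refer")            # Step 1
    if registry is None:
        raise LookupError(f"IANA lists no WHOIS server for .{tld}")
    hops = [(registry, query(registry, domain))]                  # Step 2
    referral = field(hops[0][1], "Registrar WHOIS Server")        # Step 3
    # The referral is untrusted response data: accept a bare hostname only, one hop only.
    if referral and referral != registry and re.fullmatch(r"[a-z0-9.-]+", referral):
        hops.append((referral, query(referral, domain)))
    return hops                                                   # Step 4: caller displays

# Constructed sample responses (hypothetical servers) for offline use.
FAKE = {
    ("whois.iana.org", "example"): "domain: EXAMPLE\nrefer: whois.registry.example\n",
    ("whois.registry.example", "shop.example"):
        "Domain Name: SHOP.EXAMPLE\nRegistrar WHOIS Server: whois.registrar.example\n",
    ("whois.registrar.example", "shop.example"):
        "Domain Name: shop.example\nRegistrant Name: REDACTED FOR PRIVACY\n",
}

def fake_query(server, text):
    return FAKE[(server, text)]
```

Calling `lookup("shop.example", query=fake_query)` returns the registry and registrar records in order; omitting `query` sends real port 43 traffic.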
Common Use Cases
Domain Expiry Monitoring
The Registry Expiry Date field tells you when a domain will expire. Monitoring expiry is essential for businesses that depend on critical domains — an expired domain can be snapped up by competitors or domain squatters within days of the grace period ending. WHOIS lookups are the standard method to track expiry dates for domains you own or wish to acquire.
Registrar Verification and Domain Transfers
Before initiating a domain transfer, you must confirm the current registrar, ensure the domain is not locked with a clientTransferProhibited or serverTransferProhibited EPP status, and check that the domain is older than 60 days. WHOIS provides all of this information in a single lookup.
Security and Threat Intelligence
Security analysts perform WHOIS lookups to attribute newly registered phishing domains, identify domain infrastructure linked to malware campaigns, and correlate registrant data across multiple malicious domains. The creation date is particularly useful — very recently registered domains with privacy protection are a common indicator of malicious intent.
Legal and Brand Protection
Trademark holders and brand protection teams use WHOIS to identify cybersquatted domains — domains that incorporate brand names registered without authorization. This data is required when filing a UDRP (Uniform Domain-Name Dispute-Resolution Policy) complaint with ICANN-accredited arbitration panels.
WHOIS Privacy and GDPR
Before May 2018, WHOIS records almost always contained the registrant's full name, email address, postal address, and phone number. The enforcement of the EU General Data Protection Regulation (GDPR) fundamentally changed this. ICANN issued a Temporary Specification permitting registrars to redact personal data from public WHOIS for registrants in jurisdictions covered by GDPR and similar privacy laws.
Today, most registrant contact fields for individuals show generic redaction notices such as "REDACTED FOR PRIVACY" or display a proxy email address operated by a WHOIS privacy service (e.g., Domains By Proxy, WhoisGuard). Organizations and companies may still appear in the registrant field, as business data has different legal treatment under GDPR.
RDAP is designed with built-in, standardized roles and access controls to handle this more elegantly than the old plain-text WHOIS protocol. Law enforcement and accredited researchers can submit requests through gated registrar portals to access non-public registrant data when legitimate need is demonstrated.
Technical Reference
| EPP Status Code | Meaning | Action Required |
|---|---|---|
| clientTransferProhibited | Registrar has locked outbound transfers | Unlock at registrar before initiating transfer |
| serverTransferProhibited | Registry has locked transfers (e.g. within 60 days of registration) | Wait for registry lock to expire; contact registry if urgent |
| clientUpdateProhibited | Registrar has locked registrant data updates | Unlock at registrar to make WHOIS changes |
| serverDeleteProhibited | Registry prevents deletion of the domain | Contact registry; often applied to high-value or disputed domains |
| pendingTransfer | A transfer to another registrar is in progress | Approve or reject the transfer via registrar email |
| pendingDelete | Domain is scheduled for deletion after grace period | Redemption may be possible — contact registrar immediately |
| redemptionPeriod | Domain has expired and entered the 30-day redemption window | Pay redemption fee to registrar to restore the domain |
| addPeriod | Domain was recently registered (first 5 days) | No action needed; registrar may offer free deletion in this window |
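
An added example (not part of the original article) that applies the table and the transfer and expiry checks described earlier to a raw record. The sample record is constructed, the 30-day warning threshold is an assumption, and timestamps are assumed to be ISO 8601 in UTC.

```python
from datetime import datetime, timedelta, timezone

TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}
NEAR_DELETION = {"pendingDelete", "redemptionPeriod"}
EXPIRY_WARNING = timedelta(days=30)   # assumed alerting threshold, not from the article

def parse_record(raw):
    """Collect EPP status codes and the two date fields from raw WHOIS text."""
    rec = {"status": set()}
    for line in raw.splitlines():
        key, sep, value = line.strip().partition(":")
        value = value.strip()
        if not sep or not value:
            continue
        if key == "Domain Status":
            # Value is "<code> <reference URL>"; only the code matters here.
            rec["status"].add(value.split()[0])
        elif key in ("Creation Date", "Registry Expiry Date"):
            # Assumes ISO 8601 UTC timestamps such as 2024-05-01T10:00:00Z.
            rec[key] = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return rec

def assess(raw, now):
    """Return a list of findings: transfer blockers first, then expiry risk."""
    rec = parse_record(raw)
    findings = [f"transfer blocked: {s}" for s in sorted(rec["status"] & TRANSFER_LOCKS)]
    created, expires = rec.get("Creation Date"), rec.get("Registry Expiry Date")
    if created and now - created <= timedelta(days=60):
        findings.append(f"transfer blocked: registered {(now - created).days} days ago")
    findings += [f"deletion risk: {s}" for s in sorted(rec["status"] & NEAR_DELETION)]
    if expires is None:
        findings.append("expiry unknown: no Registry Expiry Date field")
    elif expires <= now:
        findings.append("expired")
    elif expires - now < EXPIRY_WARNING:
        findings.append(f"expires in {(expires - now).days} days")
    return findings

# Constructed record for a hypothetical domain.
SAMPLE = """\
Domain Name: SHOP.EXAMPLE
Creation Date: 2024-05-01T10:00:00Z
Registry Expiry Date: 2025-05-01T10:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.DNS.EXAMPLE
"""
NOW = datetime(2024, 5, 20, 10, 0, tzinfo=timezone.utc)
```

`assess(SAMPLE, NOW)` reports both the registrar lock and the 60-day age rule; an empty list means none of these checks fired.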
Frequently Asked Questions
What is WHOIS?
WHOIS is an internet protocol used to query databases that store registration information about domain names and IP addresses. It was first defined in the early 1980s and remains the primary method for retrieving domain registration data including the registrar, registrant contact details, nameservers, and critical dates such as creation, last update, and expiry.
Why is the registrant information hidden?
Since the enforcement of GDPR in 2018, most registrars now use WHOIS privacy services or redact personal data by default to comply with data protection laws. Individual registrants are protected, while business registrants may still have their organization details visible. You can still contact the registrant via the proxy email address provided by the registrar's privacy service.
How do I transfer a domain to another registrar?
First, verify via WHOIS that the domain does not have clientTransferProhibited or serverTransferProhibited status codes and that it was registered more than 60 days ago. Then unlock the domain at your current registrar, request an EPP authorization code (also called an auth-info or transfer key), and submit the transfer at the gaining registrar. The process typically completes within 5 days.
What do WHOIS EPP status codes mean?
EPP (Extensible Provisioning Protocol) status codes describe the current state of a domain registration. Codes beginning with "client" are set by the registrar; codes beginning with "server" are set by the registry. Common codes include clientTransferProhibited (transfer locked by registrar), serverHold (domain not resolving in DNS), and pendingDelete (domain about to be released). The full reference is published by ICANN.
How long before a domain expires can I renew it?
Most registrars allow renewal up to 10 years in advance from the current expiry date. After a domain expires, there is typically a 30–45 day grace period during which the registrant can renew at the standard price. This is followed by a 30-day redemption period where recovery is possible but incurs a significant fee. After redemption, the domain enters a pending-delete state and is eventually released for public registration.
Conclusion and Takeaways
WHOIS lookup remains an essential tool for domain administrators, security professionals, legal teams, and anyone involved in domain management. Understanding the data it returns — registrar details, EPP status codes, expiry dates, and nameserver delegation — gives you the information needed to manage domain assets responsibly, respond to security incidents quickly, and protect your brand online. With GDPR-driven privacy protections now standard, WHOIS results often show redacted contact data, but key technical fields remain publicly accessible and immediately actionable.