WHOIS Lookup 2026: What It Still Reveals (and What GDPR Hid)

GDPR gutted public WHOIS in 2018. Here's what's still in there in 2026, how to read a modern record, and the investigator tricks (historical WHOIS, reverse lookup, nameserver pivot) that still work.

There's a running joke among domain-industry veterans: WHOIS is the only protocol that's been "about to die" for fifteen consecutive years. It's still alive in 2026, still useful, and also noticeably less powerful than it was in 2017. The thing that killed most of its superpower wasn't a new protocol — it was a piece of European privacy law nobody saw coming for the domain business.

This guide explains what WHOIS looks like now, how to actually read a modern record, what replaced it (RDAP), and the tricks investigators and security teams still pull out of it. If the last time you used WHOIS was 2015, a lot has changed.

TL;DR

  1. Since GDPR (2018), most personal data in WHOIS records is redacted behind privacy proxies or simply blank.
  2. RDAP is WHOIS's modern JSON-shaped successor; most TLDs support both.
  3. WHOIS still reveals registrar, creation date, nameservers, and often the registrant's organisation — enough for abuse reports and basic OSINT.

A one-minute history

WHOIS started in 1982 as a way to look up the humans behind ARPANET hosts. It stayed essentially unchanged through four decades of internet growth. Until 2018, every `.com` record came with the registrant's full name, address, phone number and email — publicly available to anyone who typed `whois example.com`.

Then GDPR took effect in May 2018. European law made publishing that data by default illegal for registries operating in or serving the EU. ICANN scrambled, registrars updated defaults overnight, and within weeks most WHOIS lookups returned a sea of "REDACTED FOR PRIVACY" where ownership used to be.

What a modern WHOIS record looks like

Here's a real-ish example of what you get today on a domain with standard privacy:

Domain Name: EXAMPLECOMPANY.COM
Registry Domain ID: 2548123456_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2025-11-12T14:02:03Z
Creation Date: 2019-03-14T09:44:17Z
Registry Expiry Date: 2027-03-14T09:44:17Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Domain Status: clientTransferProhibited
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Company Ltd
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.CLOUDFLARE.COM
Name Server: NS2.CLOUDFLARE.COM
DNSSEC: unsigned

Half the fields are gone. But what's left is still informative:

  • Registrar — who sold the domain. Sometimes a strong clue (a brand-new Porkbun registration vs a 15-year-old GoDaddy record tells very different stories).
  • Creation date — how old is this site really?
  • Last updated — was ownership transferred recently?
  • Registrant organisation — businesses often still appear here; only personal data got hidden.
  • Country — required in most TLDs, rarely redacted.
  • Nameservers — reveals hosting: Cloudflare, AWS, a boutique DNS provider.
  • DNSSEC — signal of how seriously the operator takes security.
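The reading above can be done mechanically. This is an added example, not code from the original article: it parses an abridged copy of the sample record, separates usable fields from redacted ones, and computes the domain's age. The function names and the list of redaction phrases are assumptions taken from the sample only.

```python
from datetime import datetime, timezone

# Abridged copy of the article's sample record, embedded so the example runs offline.
SAMPLE = """\
Domain Name: EXAMPLECOMPANY.COM
Registrar URL: http://www.namecheap.com
Updated Date: 2025-11-12T14:02:03Z
Creation Date: 2019-03-14T09:44:17Z
Registrar: NameCheap, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Company Ltd
Registrant Street: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.CLOUDFLARE.COM
Name Server: NS2.CLOUDFLARE.COM
DNSSEC: unsigned
"""

# Placeholder phrases seen in the sample; other registrars word them differently.
REDACTION_MARKERS = ("redacted for privacy", "please query the rdds service")

def days_since(usable, field, now):
    """Whole days between an ISO 8601 field (trailing Z means UTC) and `now`."""
    values = usable.get(field)
    if not values:
        return None  # field absent or redacted
    return (now - datetime.fromisoformat(values[0].replace("Z", "+00:00"))).days

def triage_whois(text, now):
    """Split a port-43 record into usable fields and the names of redacted ones."""
    usable, redacted = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so URLs survive
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue  # banners, blank lines, empty fields
        if any(marker in value.lower() for marker in REDACTION_MARKERS):
            redacted.append(key)
        else:
            usable.setdefault(key, []).append(value)  # "Name Server" repeats
    return {
        "usable": usable,
        "redacted": redacted,
        "nameservers": [ns.lower() for ns in usable.get("Name Server", [])],
        "age_days": days_since(usable, "Creation Date", now),
        "days_since_update": days_since(usable, "Updated Date", now),
    }
```

Call it as `triage_whois(SAMPLE, datetime(2026, 1, 1, tzinfo=timezone.utc))`; passing `now` explicitly keeps the age calculation reproducible.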

RDAP: the modern replacement

WHOIS is plain text over port 43, designed to be read by humans squinting at a terminal. RDAP (Registration Data Access Protocol) is the same data delivered over HTTPS as structured JSON, with proper authentication support. Registrars and registries have been migrating for years; as of 2026, most gTLDs serve RDAP, and the command-line tools have caught up.

Why it matters: RDAP supports authenticated queries. In theory, a law-enforcement agency or a trademark owner with appropriate credentials can see non-redacted data through RDAP that public WHOIS would never show. In practice, adoption of that authenticated layer has been slow, but the plumbing is there.

You can test RDAP for any domain: rdap.org/domain/example.com returns clean JSON.

What WHOIS still reveals that matters

Even post-GDPR, WHOIS stays the first stop for four kinds of work:

1. Abuse reporting

The registrar's abuse mailbox and the operator of the hosting nameservers are exactly who you email to get a phishing site taken down. A good abuse desk responds within hours. We cover the full process in our separate guide on tracking scammers by IP.

2. Domain purchase negotiation

If you want to buy example.shop from its current owner, you need to find them. WHOIS rarely gives a contact email directly anymore, but the listed registrar usually runs a "contact-the-owner" relay service — you email the placeholder address, they forward, the real owner decides whether to reply.

3. Trademark and brand protection

Corporate trademark teams run weekly WHOIS sweeps for typo-squatted domains. Even with personal data redacted, you get "new domain registered yesterday, mimicking our brand, registered through Russian registrar with Cloudflare nameservers" — enough to open a UDRP case.

4. OSINT and journalism

Investigators correlate WHOIS across many domains to find clusters owned by the same actor. Shared registrant organisation, unusual nameservers, similar creation dates, matching reverse-DNS patterns — it's like fingerprinting, but for websites.

How to actually pull a WHOIS record

Several paths, pick your poison.

Command line

whois example.com # classic, port 43
curl -s https://rdap.org/domain/example.com | jq # modern, JSON

Web UIs

Our own WHOIS Lookup pulls both the classic record and the RDAP JSON, renders it cleanly, and highlights abuse contacts. No sign-up.

Programmatic

If you're building tooling, RDAP is the way — it's JSON, it's HTTPS, it's versioned. Libraries exist for Python (`whoisit`, `pyrdap`), Node (`node-rdap`), and Go.
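As an added example (not from the original article and not tied to any of the libraries named above), this is what consuming RDAP JSON looks like with only the standard library. The response is constructed to mirror the article's sample record using the RFC 9083 layout; the abuse address and the function names are assumptions.

```python
import json

# Constructed RDAP response (RFC 9083 layout) mirroring the article's sample record.
RDAP_JSON = """
{"objectClassName": "domain", "ldhName": "EXAMPLECOMPANY.COM",
 "events": [{"eventAction": "registration", "eventDate": "2019-03-14T09:44:17Z"},
            {"eventAction": "last changed", "eventDate": "2025-11-12T14:02:03Z"}],
 "nameservers": [{"ldhName": "NS1.CLOUDFLARE.COM"}, {"ldhName": "NS2.CLOUDFLARE.COM"}],
 "secureDNS": {"delegationSigned": false},
 "entities": [{"roles": ["registrar"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                            ["fn", {}, "text", "NameCheap, Inc."]]],
   "entities": [{"roles": ["abuse"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["email", {}, "text", "abuse@registrar.example"]]]}]}]}
"""

def vcard_field(entity, name):
    """Return the first jCard property value with this name, or None."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]  # jCard property: [name, params, type, value]
    return None

def walk_entities(obj):
    """Yield entities at every depth; the abuse contact is usually nested
    inside the registrar entity rather than listed at the top level."""
    for ent in obj.get("entities", []):
        yield ent
        yield from walk_entities(ent)

def summarize_rdap(doc):
    """Pull the fields an abuse report or triage note needs from a domain object."""
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    summary = {
        "domain": doc.get("ldhName"),
        "created": events.get("registration"),
        "updated": events.get("last changed"),
        "nameservers": [ns["ldhName"].lower() for ns in doc.get("nameservers", [])],
        "dnssec": doc.get("secureDNS", {}).get("delegationSigned", False),
        "registrar": None,
        "abuse_email": None,
    }
    for ent in walk_entities(doc):
        roles = ent.get("roles", [])
        if "registrar" in roles:
            summary["registrar"] = vcard_field(ent, "fn")
        if "abuse" in roles:
            summary["abuse_email"] = vcard_field(ent, "email")
    return summary
```

Feed it `json.loads(RDAP_JSON)`, or the parsed body of a live RDAP response.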

Tricks that still work in 2026

Historical WHOIS

Services like WhoisXMLAPI, SecurityTrails and DomainTools keep archives of WHOIS records dating back 10–20 years. A domain registered in 2012 by "John Doe, 742 Evergreen Terrace" is still John Doe's — even if today's record says "REDACTED FOR PRIVACY". For investigations, historical data is gold.

Reverse WHOIS

Given a non-redacted email or organisation, these same services will tell you every other domain owned by the same entity. Useful for mapping a scam ring, a brand's full portfolio, or a company about to lose a domain they forgot to renew.

Nameserver pivoting

WHOIS rarely redacts nameservers. If a phishing cluster all uses the same custom NS (`ns1.badactor.ru`), pulling every domain pointing at those NSes is straightforward via reverse-DNS services, and you often surface the whole cluster in a minute.

Creation-date clustering

A wave of similarly-themed domains all created within 72 hours of each other is a campaign. Check the creation timestamps across suspicious lookalikes — if they cluster, so does the intent behind them.
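Nameserver pivoting and creation-date clustering combine naturally. This added example (not from the original article) groups already-collected records by nameserver and reports every maximal set of domains created within 72 hours of each other. The domains are constructed placeholders and the function name is an assumption; the nameserver is the one used as an illustration above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (domain, creation date, nameserver) gathered from WHOIS/RDAP.
OBSERVED = [
    ("examplebank-login.example",  "2026-02-03T08:15:00", "ns1.badactor.ru"),
    ("examplebank-verify.example", "2026-02-04T21:40:00", "NS1.BADACTOR.RU"),
    ("examplebank-secure.example", "2026-02-05T23:05:00", "ns1.badactor.ru"),
    ("examplebank-help.example",   "2026-03-20T10:00:00", "ns1.badactor.ru"),
    ("unrelated-shop.example",     "2026-02-04T12:00:00", "ns1.cloudflare.com"),
]

def find_campaigns(records, window=timedelta(hours=72), min_size=3):
    """Return (nameserver, [domains]) for each maximal group of domains that
    share a nameserver and were all created within `window` of each other."""
    by_ns = defaultdict(list)
    for domain, created, ns in records:
        # WHOIS output varies in case, so normalise the pivot key.
        by_ns[ns.lower()].append((datetime.fromisoformat(created), domain))

    campaigns = []
    for ns, items in by_ns.items():
        items.sort()                  # oldest registration first
        end, last_end = 0, -1
        for start in range(len(items)):
            # Extend the window as far right as the time limit allows.
            while (end + 1 < len(items)
                   and items[end + 1][0] - items[start][0] <= window):
                end += 1
            # Report only windows that reach past the previous one, so a
            # subset of an already reported group is never emitted again.
            if end > last_end and end - start + 1 >= min_size:
                campaigns.append((ns, [d for _, d in items[start:end + 1]]))
            last_end = end
    return campaigns
```

The pivot is most useful on custom nameservers; grouping on a shared provider such as Cloudflare lumps unrelated domains together, so raise `min_size` or skip those keys.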

Caveats and gotchas

  • Privacy proxies aren't just GDPR — most registrars offer paid "WHOIS privacy" as a $3/year add-on. It's used by everyone from privacy-minded individuals to outright scammers.
  • Some ccTLDs (country-code TLDs) have their own rules and don't follow ICANN. `.de`, `.fr`, `.co.uk`, `.ru` each have different levels of disclosure.
  • Fake WHOIS data: between 2003 and 2018, ICANN estimated 10–20% of records contained deliberately false contact information. It's down but not gone.
  • IP WHOIS is separate from domain WHOIS. Querying an IP gets you the owner of the IP block (ARIN, RIPE, APNIC, LACNIC, AFRINIC), not the owner of any website on that IP.

FAQ

Why does WHOIS show "REDACTED FOR PRIVACY" so often now?

Because under GDPR and ICANN's subsequent Temporary Specification, personal data in generic TLDs must not be published by default. Organisations can still appear, and public authorities can request full data through authenticated RDAP.

Is WHOIS privacy the same as GDPR redaction?

No. GDPR redaction is free and automatic for individuals. WHOIS privacy is a paid service from the registrar that replaces your data with theirs as the visible contact. Many domains have both applied.

Can I look up the IP of a website with WHOIS?

Not directly. Domain WHOIS returns the nameservers; you then need a DNS lookup to get the IP. Our DNS Lookup tool does this in one step.

What's the difference between WHOIS and DNS lookup?

WHOIS tells you who registered the domain. DNS lookup tells you what addresses the domain currently points to. They're both useful and they answer different questions.

Do new TLDs like .app or .dev have different WHOIS?

Core schema is the same, but Google (which operates several of these TLDs) defaults to stricter privacy. `.app` records often show less than `.com`. `.io` is a ccTLD with its own weirdnesses. Check per-TLD when it matters.

Is WHOIS going away?

Not in this decade. RDAP will eventually replace the plain-text protocol, but the data model and the public-availability norms have been stable since the GDPR shake-out. Expect incremental tightening of personal-data exposure, not a sudden disappearance.

Tools on ip-checker.pro that help

WHOIS Lookup — clean WHOIS + RDAP rendering, highlighted abuse contacts

DNS Lookup — pair with WHOIS to see where a domain actually points

IP Lookup — WHOIS for IP addresses (ARIN/RIPE/APNIC data)

Security Check — combine WHOIS signals with blacklist checks
