As we’ll see, WHOIS is no longer what it once was in terms of data disclosure (which is a relief, considering the privacy breaches you could drive a truck through), but it still holds more value than it seems.
What Is WHOIS
WHOIS is a query protocol (RFC 3912, plain text over TCP port 43) and the family of tools built on it, giving access to publicly available information about domain names and IP addresses: registration details, technical contact information, associated name servers and other data.
Providing your information when registering a domain is mandatory under the policies of ICANN (Internet Corporation for Assigned Names and Numbers) for generic TLDs, or of national registries such as Red.es in Spain for country-code TLDs, which manage domain ownership and assignment. Registrars are required not only to collect this data but also, in the interest of transparency and abuse prevention, to make certain personal and technical details accessible through a WHOIS lookup.
Ironically, this effort to prevent abuse ended up enabling a different kind of misuse—against the very individuals registering domains.
It was a more naïve time, and phone numbers, names, and home addresses were just one WHOIS query away. This led to serious privacy issues. As a result, the information you can obtain today through a WHOIS lookup is much more restricted—but still very useful.
Types of WHOIS Queries
There are several methods and tools available to perform a WHOIS query (which I’ll explain in more detail shortly), and one of the easiest ways is through one of the many web services that offer this feature. One of my favorites is ViewDNS, which allows you to:
- Search by domain (e.g., example.com).
- Search by IP address.
You simply enter the domain or IP into the search form, and it will return the information provided by WHOIS—such as the domain owner, contact address, how long it has been active, the country it belongs to, postal address of the registrant, and so on.
Another WHOIS-related method is the “reverse” search. That is, there are reverse WHOIS lookup tools, such as the one offered again by ViewDNS, that allow you to input a name or email address and find all the domain names associated with it.
What Information Does a WHOIS Query Provide?
When you perform a WHOIS lookup on a domain, here’s the kind of information you may commonly retrieve:
- Registrar identity: This includes the name and URL of the domain registrar (e.g., Registrar: GoDaddy.com LLC), and may also provide a link to the registrar’s privacy policy, support contact, email addresses, postal address, and registrar ID.
- Domain registration dates: Including when the domain was created, when it will expire, and the last update date. For example: Creation Date: 2022-03-15 – Expiration Date: 2024-03-25.
- Technical and administrative contacts: Often includes the email address of the person or organization managing the domain or servers (today this is frequently the registrar’s abuse mailbox or a privacy-proxy address rather than the registrant’s own).
- DNS and associated servers: Such as ns1.cloudflare.com, which shows the DNS infrastructure supporting the domain.
- Additional information: Depending on the WHOIS service used, you may also see the IP address the domain currently resolves to, among other details. Note that this comes from a DNS lookup the web tool performs on the side: a domain’s WHOIS record holds its name servers, not its IP addresses.
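The fields listed above arrive as free-form “Key: Value” text, and anything you want to correlate or alert on has to be parsed out first. The following is an added example written for this article (it is not the page’s own code, nor Pandora FMS code): it parses a constructed, GDPR-style redacted WHOIS record in the layout most gTLD registries emit, handles the fields that repeat (name servers, status codes), normalizes the dates, and flags redacted registrant data. The sample record, the registrar name and the mailbox in it are placeholders.

```python
"""Parse the plain-text output of a WHOIS lookup into a dictionary.

Added example written for this article; it is not the page's own code nor
Pandora FMS code. SAMPLE_WHOIS is a constructed, GDPR-style redacted record
in the "Key: Value" layout most gTLD registries emit; real output differs
per TLD (some ccTLDs use "key:" with tabs or free text), so treat the
regex as a starting point, not a universal parser.
"""
import re
from datetime import datetime, timezone

# Constructed sample; every value is a placeholder, not real registration data.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registry Domain ID: 1234567_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.example-registrar.test
Registrar URL: http://www.example-registrar.test
Updated Date: 2023-08-14T07:01:31Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Registrar: Example Registrar, Inc.
Registrar IANA ID: 9999
Registrar Abuse Contact Email: abuse@example-registrar.test
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: signedDelegation
>>> Last update of whois database: 2024-05-01T10:00:00Z <<<

For more information on Whois status codes, please visit https://icann.org/epp
"""

# Fields that legitimately repeat within one record.
MULTI_VALUED = {"Name Server", "Domain Status"}

# Phrases registrars substitute for withheld fields (GDPR redaction, privacy proxies).
REDACTION_MARKERS = ("redacted", "please query", "data protected", "not disclosed")

KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9 /._-]*?):\s*(.*)$")


def parse_whois(text):
    """Return {field: value} (or {field: [values]} for MULTI_VALUED fields)."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comment lines (% and # in many ccTLD outputs) and the trailer.
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue  # free-text footer such as "For more information ..."
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in MULTI_VALUED:
            record.setdefault(key, []).append(value)
        else:
            record.setdefault(key, value)  # first occurrence wins
    return record


def parse_date(value):
    """Parse the ISO 8601 UTC timestamps gTLD registries emit into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_redacted(value):
    """True when a contact field carries a redaction placeholder instead of data."""
    return any(marker in value.lower() for marker in REDACTION_MARKERS)


def summarize(record):
    """Extract the fields the list above describes: registrar, dates, contacts, name servers."""
    return {
        "domain": record.get("Domain Name", "").lower(),
        "registrar": record.get("Registrar"),
        "abuse_email": record.get("Registrar Abuse Contact Email"),
        "created": parse_date(record["Creation Date"]),
        "expires": parse_date(record["Registry Expiry Date"]),
        "name_servers": [ns.lower() for ns in record.get("Name Server", [])],
        "registrant_redacted": is_redacted(record.get("Registrant Name", "")),
    }


if __name__ == "__main__":
    for field, value in summarize(parse_whois(SAMPLE_WHOIS)).items():
        print(f"{field:>20}: {value}")
```

Feed it the output of `whois example.com` (or whatever your lookup tool returns) and you get a dictionary you can store, diff, or push into a SIEM. The redaction check is what tells you, at a glance, whether the registrant fields are worth reading at all.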
Practical Applications of WHOIS in IT and Security
The data retrieved from a WHOIS lookup can be highly valuable in general IT management—and especially in cybersecurity. For example, OSINT (Open Source Intelligence) researchers may use WHOIS to investigate email domains used in phishing campaigns or IPs involved in breaches and attacks.
- Registrar details help identify who manages a domain. This is useful for migrations, resolving technical issues, or verifying registrar legitimacy (e.g., avoiding impersonators like GoDaddyPro.net). In security contexts, it also enables you to contact the registrar about malicious activity hosted on their infrastructure so they can take appropriate action.
- Registration, expiration, and update dates can be used to automate renewal alerts for your own domains, especially if auto-renew is not configured at the registrar. They’re also useful in investigations: a domain registered just days ago but claiming to represent an established organization may raise red flags, signaling phishing or fake websites.
- Technical and administrative contacts are valuable when reporting abuse, such as spam or malware originating from the domain. They are also the people to notify about misconfigurations on their side, like weak or missing DMARC settings.
- DNS and associated servers are helpful in security monitoring to detect unauthorized changes (e.g., DNS hijacking). If the domain is yours, you can verify its integrity. If not, and it’s hosted on platforms like Cloudflare or AWS, you can also alert these service providers about the malicious activity they may be unknowingly hosting.
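The three security checks this list describes (a domain registered only days ago, an expiry date that is about to pass, and name servers that no longer match what you recorded) are easy to automate once the WHOIS fields are in hand. The following is an added example written for this article, not Pandora FMS code: it takes already-parsed WHOIS fields as plain Python dicts (constructed inline, with a fixed “now” so the numbers are reproducible) and returns triage findings. The lookalike domain, the name servers and the baseline are hypothetical.

```python
"""WHOIS-based triage checks: domain age, upcoming expiry, name-server drift.

Added example written for this article; it is not Pandora FMS code. The
input records are dicts of already-parsed WHOIS fields, constructed here
inline, so the logic does not depend on which lookup tool produced them.
"""
from datetime import datetime, timezone

# Constructed sample: a lookalike domain registered days before the check.
SUSPECT = {
    "domain": "examp1e-support.com",
    "created": datetime(2024, 4, 28, tzinfo=timezone.utc),
    "expires": datetime(2025, 4, 28, tzinfo=timezone.utc),
    "name_servers": ["ns1.free-dns-host.test", "ns2.free-dns-host.test"],
}
# Constructed sample: your own domain, close to expiry, with one name server swapped.
OWN_DOMAIN = {
    "domain": "example.com",
    "created": datetime(1995, 8, 14, tzinfo=timezone.utc),
    "expires": datetime(2024, 5, 20, tzinfo=timezone.utc),
    "name_servers": ["a.iana-servers.net", "c.evil-dns.test"],
}
# Name servers you recorded for domains you own (hypothetical baseline).
BASELINE_NS = {"example.com": {"a.iana-servers.net", "b.iana-servers.net"}}
# Fixed clock so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)


def domain_age_days(record, now=NOW):
    """Days since the creation date in the WHOIS record."""
    return (now - record["created"]).days


def days_to_expiry(record, now=NOW):
    """Days until the expiry date; negative once the domain has lapsed."""
    return (record["expires"] - now).days


def nameserver_drift(record, baseline):
    """Compare current name servers with the set recorded for the domain.

    Returns None when there is no baseline (nothing to compare against).
    """
    expected = baseline.get(record["domain"])
    if expected is None:
        return None
    current = {ns.lower().rstrip(".") for ns in record["name_servers"]}
    return {"added": sorted(current - expected), "removed": sorted(expected - current)}


def triage(record, baseline=BASELINE_NS, now=NOW, young_days=30, expiry_days=30):
    """Return a list of (severity, message) findings for one record."""
    findings = []
    age = domain_age_days(record, now)
    if age < young_days:
        findings.append(("high", f"registered only {age} days ago"))
    left = days_to_expiry(record, now)
    if left <= expiry_days:
        findings.append(("medium", f"expires in {left} days; check auto-renew"))
    drift = nameserver_drift(record, baseline)
    if drift and (drift["added"] or drift["removed"]):
        findings.append(("high", f"name servers changed: +{drift['added']} -{drift['removed']}"))
    return findings


if __name__ == "__main__":
    for rec in (SUSPECT, OWN_DOMAIN):
        print(rec["domain"], triage(rec))
```

Run on a schedule against your own domains, the expiry and drift checks become the renewal alert and the DNS-hijacking tripwire described above; run against domains seen in inbound mail, the age check is the cheapest phishing indicator you will get from WHOIS alone.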
Current Challenges of the WHOIS System
All of this sounds great for our day-to-day IT or cybersecurity work, but—like most things in life—there’s always a “but.” If you’ve run a WHOIS query recently, you may have noticed that things aren’t what they used to be.
Today, WHOIS information is heavily limited in most cases. Instead of showing the real person or organization behind a domain, it usually displays only the registrar’s details (like GoDaddy or similar). Why? Because the system has evolved—mainly due to growing concerns around privacy.
Believe it or not, the internet is full of people who lost their sense of decency somewhere and never came back for it—along with bots that constantly scrape any personal data they can find. WHOIS used to be a goldmine for both.
Massive WHOIS queries became a prime method for harvesting email addresses, which were then sold or used for spamming. Or worse: imagine an enraged Star Trek fan looking up the domain owner of a website that dares claim The Best of Both Worlds is the best TNG episode, when obviously it’s Yesterday’s Enterprise. With WHOIS, they could find your home address or phone number and let you know—perhaps with menacing late-night phone calls and Darth Vader breathing—just how wrong you are.
They’re both wrong—because the best episode is The Inner Light. But the real issue is that, back in the day, registering a domain meant you were far too exposed.
That’s why nearly all registrars now offer the option to make domain ownership data private, replacing your personal info with theirs. So when you run a WHOIS lookup today, you’ll see data from Namecheap or similar registrars, but not the actual registrant’s identity.
However, this isn’t the only challenge with WHOIS data. There are a few others worth noting:
- Inaccuracy of the information provided. Registrants are supposed to input real, accurate information when purchasing a domain. But rarely does someone from ICANN or IANA show up at your door to verify it. This means the data shown in a WHOIS lookup can be misleading—or outright false. This happens frequently with domains used for malicious purposes. In fact, it was a common tactic in the early days of the web, when the internet was a bit of a Wild West and a simple WHOIS lookup could expose your personal information to anyone.
- GDPR and data availability. Privacy laws, especially in Europe, have drastically reduced what’s available through WHOIS. The General Data Protection Regulation (GDPR) was the turning point: publishing a registrant’s personal data now needs a lawful basis, so in 2018 ICANN’s Temporary Specification for gTLD Registration Data required registrars and registries to redact fields such as the registrant’s name, phone number and postal address from public output, leaving an anonymized email address or web form for contact instead. Before GDPR, countries like Spain (via Red.es) had fairly lax policies. If you registered a .es domain, the registrar was required to expose your personal details, with no option for privacy protection. That all changed with GDPR, which enforced stronger safeguards for domain owners’ privacy.
Recommended WHOIS Tools
As I mentioned, there are many tools available to perform WHOIS queries, so let’s take a look at some of them.
Any self-respecting IT administrator will use the Linux terminal—and in most distributions, the whois command is already installed by default (or it can be added instantly via the package manager if not). With it, all you need to do is run:
whois example.com
And the information will be displayed directly in the terminal, without needing to leave it.
If you prefer web-based tools, you can go straight to the source with ICANN Lookup (lookup.icann.org), or opt for popular sites like Who.is or the previously mentioned ViewDNS, all of which are just a quick search away.
And if you use Windows, we recommend Pandora MINI, a 100% free tool with no commitment, no registration or anything else, that makes your life easier when it comes to managing your network. It includes WHOIS lookups, of course, but that’s just the beginning: you also get an IP calculator, traceroute, MIB browser, port scanner, and much more. You can download it here and there is no small print anywhere, unlike other options.
RDAP, the Evolution of WHOIS
If you use a site like Who.is, you’ll notice that alongside the typical WHOIS output, there’s an interesting button labeled RDAP (Registration Data Access Protocol).
This protocol is the modern, enhanced successor to WHOIS, designed to overcome its technical limitations and align with today’s privacy and security standards.
RDAP is based on HTTP/HTTPS and exposes a RESTful API that gives programmatic, standardized access to registration data for domain names, IP addresses and ASNs (Autonomous System Numbers). It was standardized by the IETF (RFC 7480 to 7484, with the query and response formats later revised in RFC 9082 and RFC 9083) with the goal of replacing WHOIS, which lacks both a consistent structure and basic security features such as encryption and authentication.
Here’s a quick comparison table:
| Feature | WHOIS | RDAP |
| --- | --- | --- |
| Data format | Unstructured plain text | Structured, standardized JSON |
| Security | No encryption (plain text over port 43/TCP) | HTTPS with TLS encryption |
| Privacy | Public exposure of data (now usually limited by GDPR redaction or registrar protection) | Granular access control: authenticated, tiered access (e.g., for GDPR compliance) |
| Internationalization | Limited character support | Full Unicode support (e.g., 中文) |
| Search capabilities | Basic (one domain or IP per query) | Search queries with partial matching on domain name, name server or entity, where the server permits them |
Although the main advantage of RDAP lies in its programmatic access, you can also perform RDAP lookups by hand through web services like RDAP.org, which doubles as a bootstrap service: a request to https://rdap.org/domain/example.com is redirected to the RDAP server that is authoritative for that TLD.
For terminal lovers, there are command-line clients such as OpenRDAP that can be installed, or you can use web services directly from the terminal with commands like:
curl -H "Accept: application/rdap+json" https://rdap.verisign.com/com/v1/domain/example.com
Just replace example.com with the domain you’re querying, and the command will return structured data about that domain.
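The curl command above already knows that rdap.verisign.com serves .com; in general you discover the right server from IANA’s RDAP bootstrap registry, and the answer comes back as JSON in the structure described under “RDAP, the Evolution of WHOIS”. The following is an added example written for this article (not the page’s own code, nor Pandora FMS code) that does both steps offline: BOOTSTRAP is a constructed fragment in the layout of https://data.iana.org/rdap/dns.json, SAMPLE_RDAP is a constructed, trimmed domain response in the RFC 9083 shape, and the registrar name, handle and mailbox in it are placeholders. No network request is made.

```python
"""Find the RDAP server for a domain's TLD and read the JSON it returns.

Added example written for this article; it is not the page's own code nor
Pandora FMS code. Nothing here touches the network: BOOTSTRAP is a
constructed fragment in the layout of IANA's RDAP bootstrap registry
(https://data.iana.org/rdap/dns.json), and SAMPLE_RDAP is a constructed,
trimmed domain response in the shape RFC 9083 defines.
"""
from urllib.parse import quote

# Constructed bootstrap fragment: each service entry pairs a list of TLDs with
# a list of base URLs. The .com entry matches the server used in the article;
# the .test entry is a placeholder standing in for any other registry.
BOOTSTRAP = {
    "version": "1.0",
    "services": [
        [["com"], ["https://rdap.verisign.com/com/v1/"]],
        [["test"], ["https://rdap.example-registry.test/"]],
    ],
}

# Constructed domain response (RFC 9083 object shape); values are placeholders.
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "EXAMPLE.COM",
    "status": ["client delete prohibited", "client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-08-13T04:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2023-08-14T07:01:31Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "A.IANA-SERVERS.NET"},
        {"objectClassName": "nameserver", "ldhName": "B.IANA-SERVERS.NET"},
    ],
    "entities": [
        {   # registrar contact as a jCard (vCard-in-JSON) array
            "objectClassName": "entity",
            "handle": "9999",
            "roles": ["registrar"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Registrar, Inc."],
                ["email", {}, "text", "abuse@example-registrar.test"],
            ]],
        },
        {   # registrant entity with personal fields withheld
            "objectClassName": "entity",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", ""]]],
            "remarks": [{"title": "REDACTED FOR PRIVACY", "description": ["Withheld for privacy."]}],
        },
    ],
}


def rdap_base_url(domain, bootstrap=BOOTSTRAP):
    """Return the base URL of the RDAP service for the domain's TLD, or None."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    for tlds, urls in bootstrap["services"]:
        if tld in (t.lower() for t in tlds):
            return urls[0]
    return None


def rdap_domain_url(domain, bootstrap=BOOTSTRAP):
    """Build the /domain/<name> query URL, or None if the TLD is not bootstrapped."""
    base = rdap_base_url(domain, bootstrap)
    return None if base is None else f"{base}domain/{quote(domain.rstrip('.'))}"


def vcard_field(entity, name):
    """Read one jCard property (fn, email, ...) from an RDAP entity."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None


def entity_with_role(doc, role):
    """First entity carrying the given role (registrar, registrant, abuse, ...)."""
    return next((e for e in doc.get("entities", []) if role in e.get("roles", [])), None)


def is_redacted_entity(entity):
    """True when the entity is missing, carries a redaction remark, or has an empty name."""
    if entity is None:
        return True
    titles = [r.get("title", "") for r in entity.get("remarks", [])]
    return any("REDACTED" in t.upper() for t in titles) or not vcard_field(entity, "fn")


def summarize_rdap(doc):
    """Pull out the same fields the WHOIS section listed, but from structured JSON."""
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    registrar = entity_with_role(doc, "registrar")
    registrant = entity_with_role(doc, "registrant")
    return {
        "domain": doc["ldhName"].lower(),
        "registered": events.get("registration"),
        "expires": events.get("expiration"),
        "status": doc.get("status", []),
        "name_servers": [ns["ldhName"].lower() for ns in doc.get("nameservers", [])],
        "registrar": vcard_field(registrar, "fn") if registrar else None,
        "registrar_email": vcard_field(registrar, "email") if registrar else None,
        "registrant_redacted": is_redacted_entity(registrant),
    }


if __name__ == "__main__":
    print("query URL:", rdap_domain_url("example.com"))
    for field, value in summarize_rdap(SAMPLE_RDAP).items():
        print(f"{field:>20}: {value}")
```

To go live, fetch the real dns.json once (cache it; it changes rarely), request the URL from `rdap_domain_url` with the `Accept: application/rdap+json` header the curl command uses, and pass the decoded body to `summarize_rdap`. The point of the jCard helper is that contact data in RDAP is a nested array, not a flat key/value pair, so a naive `doc["registrar"]` does not exist.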
How Pandora FMS Complements WHOIS Analysis
As we’ve seen, even when limited, the data from a WHOIS query can still be extremely useful, especially when integrated with other sources during security incidents or data breaches.
That’s exactly what Pandora FMS enables: it makes life easier by retrieving WHOIS data and correlating it with other information. Pandora allows you to:
- Integrate domain/IP-related events into Pandora SIEM.
- Enrich logs and alerts with WHOIS data, so you don’t have to rely on terminal queries or external websites.
- Use WHOIS in incident management and correlate it with other sources.
As we can see, despite its current limitations, WHOIS data remains valuable—especially when integrated and correlated as Pandora does.
Also, for obvious reasons (and because it’s beyond the scope of this article), we’ve left out more advanced OSINT techniques that—while based on or involving WHOIS—can sometimes overcome modern privacy restrictions, and uncover valuable information without crossing into unethical or illegal territory.
If you’re reading this as an IT or security manager, you may already know—or want to explore—that historical WHOIS search services can reveal previously scraped and stored data from before the privacy curtain fell. Or that, for certain domains (especially high-profile ones), you might strike gold using services like Archive.org, combined with a little black magic and some carefully crafted search parameters.
The point is, even with the rise of RDAP and increasing privacy challenges, WHOIS remains a highly valuable source of data—one that every IT or cybersecurity professional should be using and keeping in mind.