What Is WHOIS? The Complete Beginner's Guide to Domain Lookup

Every domain name on the internet has a registration record, and WHOIS is the system that lets you look it up. Whether you're buying a domain, investigating a suspicious website, or just curious about who runs a particular site, WHOIS gives you the answers.

What Is WHOIS?

WHOIS (pronounced "who is") is a query-and-response protocol used to look up information about registered domain names and IP addresses. It was first standardized in 1982 as part of RFC 812 and later updated in RFC 3912. The name comes from the question it answers: "Who is responsible for this domain?"

When you register a domain name, your registrar (like GoDaddy, Namecheap, or Cloudflare) collects your contact information and submits it to the registry that manages the top-level domain (TLD). For .com and .net domains, that registry is Verisign. For country-code TLDs like .fr or .de, it's the national registry authority.

This registration data is stored in WHOIS databases that anyone can query. It's the internet's version of a phone book for domain names.

What Information Does WHOIS Reveal?

A typical WHOIS record contains several categories of information:

Domain Registration Details

Domain name — The registered domain (e.g., example.com)

Registrar — The company that manages the registration (e.g., GoDaddy, Cloudflare Registrar)

Registration date — When the domain was first registered

Expiration date — When the registration expires and must be renewed

Last updated date — When the record was last modified

Contact Information

Registrant — The domain owner (name, organization, address, email, phone)

Administrative contact — The person authorized to manage the domain

Technical contact — The person responsible for DNS and technical configuration

Technical Details

Nameservers — The DNS servers that handle the domain's records

DNSSEC — Whether the domain uses DNS Security Extensions

EPP status codes — The domain's current state (locked, active, pending transfer, etc.)

Note: Since GDPR took effect in 2018, most European registrants have their personal contact details redacted. You'll see "REDACTED FOR PRIVACY" or a privacy proxy service instead.

How WHOIS Works Behind the Scenes

When you perform a WHOIS lookup, here's what happens:

1.Your query hits a WHOIS client (like CheckHost's WHOIS tool)

2.The client queries the root WHOIS server for the TLD (e.g., whois.verisign-grs.com for .com)

3.The root server returns a referral to the registrar's WHOIS server

4.The client follows the referral and queries the registrar's server

5.The registrar returns the full WHOIS record with all available details

This referral chain is why some WHOIS tools show incomplete data — they only query the first server and don't follow the referral. CheckHost follows the full chain automatically.

Common EPP Status Codes Explained

Status codes tell you what state a domain is in:

Status Code	Meaning
clientTransferProhibited	Transfer locked by registrar (security feature)
clientDeleteProhibited	Cannot be deleted (security feature)
clientUpdateProhibited	Settings cannot be changed (security feature)
serverHold	Suspended by the registry (DNS stops resolving)
pendingDelete	In deletion queue, will be released soon
redemptionPeriod	Expired but recoverable for a premium fee
ok / active	Normal, no restrictions

If you see "serverHold", the domain has been suspended — usually for non-payment, legal dispute, or abuse. The domain will stop resolving in DNS until the issue is resolved.

WHOIS Privacy: Why Is Information Hidden?

You'll often find that a WHOIS query returns a privacy service instead of real contact details. This happens for two reasons:

1. Opt-in privacy protection — Most registrars offer WHOIS privacy (free or paid) that replaces your personal info with the privacy service's details. This is standard practice to prevent spam, phishing, and identity theft targeting domain owners.

2. GDPR compliance — Since May 2018, registrars must redact personal data for EU-based registrants under the General Data Protection Regulation. Many registrars now apply privacy by default for all customers, regardless of location.

Privacy protection does not mean a domain is suspicious. It means the owner is protecting their personal information — which is recommended best practice.

WHOIS vs. RDAP: The Future of Domain Lookup

RDAP (Registration Data Access Protocol) is the modern successor to WHOIS. Key improvements:

Structured data — Returns JSON instead of unstructured text, making it machine-readable

Access controls — Can show different data to authenticated vs. anonymous users

Standardized format — Consistent across all registrars (unlike WHOIS which varies)

HTTPS transport — Encrypted connections by default

Internationalization — Proper support for non-ASCII characters

ICANN has mandated RDAP support, and it now runs alongside WHOIS. Over time, RDAP will fully replace WHOIS as the primary lookup protocol.

Practical Uses of WHOIS Lookup

For Domain Buyers and Investors

Check a domain's registration history, expiry date, and age. Older domains with clean histories are generally more valuable. You can also monitor expiring domains to snap them up when they become available.

For Cybersecurity Professionals

Investigate phishing domains, identify the registrar to submit abuse reports, and cross-reference registration patterns across suspicious domains. WHOIS data is a fundamental part of threat intelligence.

For Brand Protection

Monitor whether someone registers domains similar to your brand (typosquatting). Set up alerts for new registrations that contain your trademark.

For SEO Specialists

Assess domain authority by checking registration age, verify that a domain's WHOIS matches the claimed business, and research competitor domains.

For Legal and Compliance

Gather evidence for intellectual property disputes, identify domain owners for cease-and-desist notices, and verify business legitimacy.

Try It Now

Ready to look up a domain? Use [CheckHost's free WHOIS lookup tool](/en/whois) to query any domain instantly. Our tool follows the full WHOIS referral chain, structures the raw data into a clean format, and highlights the most important fields — registration dates, nameservers, and status codes — at the top of the results.