Skip to main content
Explainer · registries

What is WHOIS? (The internet's registration directory, explained)

WHOIS answers one narrow question well: who registered this name, or who was allocated this block of addresses? It is two very different systems wearing the same name, it is far less revealing than it was a decade ago, and the thing you are actually querying in 2026 is probably RDAP.

WHOIS in one paragraph

WHOIS is a query-and-response directory for internet registration data. You hand it an identifier — a domain name, an IP address, a network block, an autonomous system number — and it hands back a record describing who that identifier was issued to, when, by whom, and how to contact the responsible party. It is not a search engine and not a database of people. It is a registration ledger, and it knows only what the registries were told when the resource was handed out.

The name is a pun on the Unix who command, and the protocol dates to the early 1980s, when the whole network fitted comfortably in one text file. That history explains much of its remaining quirkiness.

The two worlds people constantly conflate

Almost every confusion about WHOIS comes from one fact: the word covers two separate systems, run by different organisations, answering different questions. They share a protocol and nothing else.

Domain WHOIS — the name registration record

Query a domain and you are talking, indirectly, to the registry that runs the top-level domain (Verisign for .com, Nominet for .uk, and so on) and to the registrar the domain was bought through. A typical record contains:

IP and ASN WHOIS — the address allocation record

Query an IP address instead and you are talking to a completely different set of bodies: the five Regional Internet Registries, each responsible for a slice of the world.

The record they return is about networks, not people: the netblock the address falls inside, the organisation it is allocated to, the country of registration, the autonomous system number that announces it, and — the part that matters most in practice — an abuse contact, the mailbox the operator publishes for reports of misbehaviour from its address space. Try it on a well-known address such as 8.8.8.8 and the shape of it is immediately clear.

That distinction is the whole ballgame. Domain WHOIS describes a registration someone bought; IP WHOIS describes an allocation made to an organisation that runs a network. The first sometimes named an individual; the second essentially never does.

How a lookup actually resolves

There is no single WHOIS server holding everything. The system is a referral chain, which is why lookups sometimes return a stub record pointing somewhere else.

At the top sits IANA, which maintains the master registries of top-level domains, IP address ranges, and AS number ranges. For an IP address, IANA's record for the enclosing range says “this block was delegated to APNIC”, and the client re-queries APNIC, which returns the network, the holder, and the abuse contact. For a domain, IANA points at the TLD's registry, and the registry either answers in full or names the registrar holding the contact details. Modern tools collapse those hops for you; underneath, several servers were consulted.

RDAP: the modern replacement

Classic WHOIS is a remarkably thin protocol: open a TCP connection to port 43, send a string, read back text until the server hangs up. There is no standard for what that text looks like, no defined character encoding, and no way to request a specific field. Every registry invented its own layout, so every tool consuming WHOIS became a pile of registry-specific parsing hacks.

RDAP — the Registration Data Access Protocol — is the standardised successor, and what serious tooling uses today, IPFerret included. It runs over HTTPS, returns structured JSON with consistent object types, handles international text correctly, supports proper redirects between registries, and allows differentiated access: an anonymous request can be served a redacted record while an authenticated, accountable requester can be served more. That last property is why RDAP is the strategic answer to the privacy problem and not merely a nicer wire format. All five RIRs and the gTLD registries operate RDAP services. You will still see the word “WHOIS” everywhere — but increasingly the machinery underneath is RDAP.

The privacy shift: why the records got quieter

If you last read a domain WHOIS record in 2010, you probably remember a name, a street address, a phone number and an email. That era is over, for two reinforcing reasons.

Privacy and proxy services. Most registrars now offer — often bundled free — a service that substitutes their own contact details for the registrant's. The registration is still legally the registrant's; the public record simply points at a shield.

The GDPR. Publishing individual registrants' personal data to the entire internet, indefinitely, with no access control, sits badly with European data protection law. Since 2018, registrars and registries have redacted those fields by default in records covered by it, while the industry slowly builds accredited-access machinery to let vetted requesters see more.

Be precise about what that means. Redaction is common but not universal — records for organisations rather than individuals are often still published in full, and policy varies by TLD and registrar. The non-personal skeleton generally survives: registrar, creation and expiry dates, nameservers, status codes, and a route to reach the responsible party about abuse. Domain WHOIS is far less revealing than it once was, but it is not empty. IP WHOIS was affected much less — a netblock is allocated to an organisation, not a person — which is why it remains the more operationally useful of the two.

What WHOIS is genuinely good for

What WHOIS will not tell you

Frequently asked questions

Can WHOIS tell me who a person is from their IP address?

No. IP WHOIS identifies the organisation holding the address block — usually an ISP, a hosting company or a large enterprise — plus its abuse contact. It does not identify the subscriber using the address, and it does not return a name or a home address. That mapping exists only inside the ISP, and under carrier-grade NAT a single public IP may be shared by hundreds of customers at once.

What is the difference between WHOIS and RDAP?

WHOIS is the original protocol: a TCP connection to port 43, a query string, and free-form text whose layout varies by registry. RDAP is its standardised successor — HTTPS, structured JSON, proper internationalised text, and differentiated access so authenticated parties can be shown more than anonymous ones. All five RIRs and the gTLD registries run RDAP today, and it is what IPFerret queries under the hood.

Why is most of the registrant information in a domain WHOIS record redacted?

Two reasons, and they compound. Registrar privacy and proxy services substitute the registrar's own details for the registrant's, often at no cost. And the GDPR made publishing individual registrants' personal data to the whole internet legally risky, so those fields are redacted by default in records covered by it. What remains public is the non-personal skeleton: registrar, dates, nameservers, status codes, and a contact route for abuse.

Try it now

Run a lookup on an address you actually care about — the one at the top of the IPFerret home page, or one pulled from a log line that has been bothering you. Read the holder, the ASN, and the abuse contact. Everything WHOIS can honestly tell you is in those three fields.

Related reading