WHOIS in one paragraph
WHOIS is a query-and-response directory for internet registration data. You hand it an identifier — a domain name, an IP address, a network block, an autonomous system number — and it hands back a record describing who that identifier was issued to, when, by whom, and how to contact the responsible party. It is not a search engine and not a database of people. It is a registration ledger, and it knows only what the registries were told when the resource was handed out.
The name is a pun on the Unix who command, and the protocol dates to the early 1980s, when the whole network fitted comfortably in one text file. That history explains much of its remaining quirkiness.
The two worlds people constantly conflate
Almost every confusion about WHOIS comes from one fact: the word covers two separate systems, run by different organisations, answering different questions. They share a protocol and nothing else.
Domain WHOIS — the name registration record
Query a domain and you are talking, indirectly, to the registry that runs the top-level domain (Verisign for .com, Nominet for .uk, and so on) and to the registrar the domain was bought through. A typical record contains:
- The registrant — the person or organisation the domain is registered to, plus administrative and technical contacts. Usually redacted now; more below.
- The registrar — the company that sold and manages the registration, with an abuse contact of its own.
- Dates — creation, last update, and expiry. The creation date is the single most useful field for anyone assessing a site's credibility, which is why it has its own tool: domain age.
- Nameservers and status codes — the authoritative DNS servers the domain delegates to, plus machine-readable flags such as
clientTransferProhibitedorpendingDeletedescribing what can be done to the registration right now.
IP and ASN WHOIS — the address allocation record
Query an IP address instead and you are talking to a completely different set of bodies: the five Regional Internet Registries, each responsible for a slice of the world.
- ARIN — North America.
- RIPE NCC — Europe, the Middle East and Central Asia.
- APNIC — Asia-Pacific.
- LACNIC — Latin America and the Caribbean.
- AFRINIC — Africa.
The record they return is about networks, not people: the netblock the address falls inside, the organisation it is allocated to, the country of registration, the autonomous system number that announces it, and — the part that matters most in practice — an abuse contact, the mailbox the operator publishes for reports of misbehaviour from its address space. Try it on a well-known address such as 8.8.8.8 and the shape of it is immediately clear.
That distinction is the whole ballgame. Domain WHOIS describes a registration someone bought; IP WHOIS describes an allocation made to an organisation that runs a network. The first sometimes named an individual; the second essentially never does.
How a lookup actually resolves
There is no single WHOIS server holding everything. The system is a referral chain, which is why lookups sometimes return a stub record pointing somewhere else.
At the top sits IANA, which maintains the master registries of top-level domains, IP address ranges, and AS number ranges. For an IP address, IANA's record for the enclosing range says “this block was delegated to APNIC”, and the client re-queries APNIC, which returns the network, the holder, and the abuse contact. For a domain, IANA points at the TLD's registry, and the registry either answers in full or names the registrar holding the contact details. Modern tools collapse those hops for you; underneath, several servers were consulted.
RDAP: the modern replacement
Classic WHOIS is a remarkably thin protocol: open a TCP connection to port 43, send a string, read back text until the server hangs up. There is no standard for what that text looks like, no defined character encoding, and no way to request a specific field. Every registry invented its own layout, so every tool consuming WHOIS became a pile of registry-specific parsing hacks.
RDAP — the Registration Data Access Protocol — is the standardised successor, and what serious tooling uses today, IPFerret included. It runs over HTTPS, returns structured JSON with consistent object types, handles international text correctly, supports proper redirects between registries, and allows differentiated access: an anonymous request can be served a redacted record while an authenticated, accountable requester can be served more. That last property is why RDAP is the strategic answer to the privacy problem and not merely a nicer wire format. All five RIRs and the gTLD registries operate RDAP services. You will still see the word “WHOIS” everywhere — but increasingly the machinery underneath is RDAP.
The privacy shift: why the records got quieter
If you last read a domain WHOIS record in 2010, you probably remember a name, a street address, a phone number and an email. That era is over, for two reinforcing reasons.
Privacy and proxy services. Most registrars now offer — often bundled free — a service that substitutes their own contact details for the registrant's. The registration is still legally the registrant's; the public record simply points at a shield.
The GDPR. Publishing individual registrants' personal data to the entire internet, indefinitely, with no access control, sits badly with European data protection law. Since 2018, registrars and registries have redacted those fields by default in records covered by it, while the industry slowly builds accredited-access machinery to let vetted requesters see more.
Be precise about what that means. Redaction is common but not universal — records for organisations rather than individuals are often still published in full, and policy varies by TLD and registrar. The non-personal skeleton generally survives: registrar, creation and expiry dates, nameservers, status codes, and a route to reach the responsible party about abuse. Domain WHOIS is far less revealing than it once was, but it is not empty. IP WHOIS was affected much less — a netblock is allocated to an organisation, not a person — which is why it remains the more operationally useful of the two.
What WHOIS is genuinely good for
- Finding who to report an offending IP to. The single best use. Something is hammering your login endpoint; the IP WHOIS record tells you which network it belongs to and where that operator wants abuse reports sent. It pairs naturally with an IP reputation check.
- Attributing traffic to a network. Cloud provider, residential ISP, university, mobile carrier? The holder and the ASN answer that, which is the foundation of most bot and fraud heuristics.
- Checking a domain's age and status. A payment page on a domain registered days ago deserves suspicion; so does a business-critical domain quietly approaching expiry.
- Incident response and due diligence. Pivoting from an indicator to the network hosting it is a standard first move, as is confirming a counterparty's domain sits on a registrar and nameservers consistent with their story.
What WHOIS will not tell you
- Who a person is. An IP WHOIS record names a network operator, not a subscriber. Even an unredacted domain record only names whoever filled in the registration form. WHOIS is not an identity service, and treating it as one produces confident, wrong conclusions about real people.
- Which user was behind a shared address. Under carrier-grade NAT, one public IP can front hundreds of customers at once; the mapping from address, port and timestamp to a customer exists only in the carrier's own logs. Likewise for anything behind a private address range — WHOIS has nothing to say about addresses that were never allocated to anyone.
- Physical location, or a verdict. The country in an allocation record is where the resource was registered — often the operator's headquarters, not where the traffic originates. And a record is a fact about registration, not a judgement: plenty of abuse comes from reputable networks, and plenty of odd-looking allocations are entirely innocent.
Frequently asked questions
Can WHOIS tell me who a person is from their IP address?
No. IP WHOIS identifies the organisation holding the address block — usually an ISP, a hosting company or a large enterprise — plus its abuse contact. It does not identify the subscriber using the address, and it does not return a name or a home address. That mapping exists only inside the ISP, and under carrier-grade NAT a single public IP may be shared by hundreds of customers at once.
What is the difference between WHOIS and RDAP?
WHOIS is the original protocol: a TCP connection to port 43, a query string, and free-form text whose layout varies by registry. RDAP is its standardised successor — HTTPS, structured JSON, proper internationalised text, and differentiated access so authenticated parties can be shown more than anonymous ones. All five RIRs and the gTLD registries run RDAP today, and it is what IPFerret queries under the hood.
Why is most of the registrant information in a domain WHOIS record redacted?
Two reasons, and they compound. Registrar privacy and proxy services substitute the registrar's own details for the registrant's, often at no cost. And the GDPR made publishing individual registrants' personal data to the whole internet legally risky, so those fields are redacted by default in records covered by it. What remains public is the non-personal skeleton: registrar, dates, nameservers, status codes, and a contact route for abuse.
Try it now
Run a lookup on an address you actually care about — the one at the top of the IPFerret home page, or one pulled from a log line that has been bothering you. Read the holder, the ASN, and the abuse contact. Everything WHOIS can honestly tell you is in those three fields.
Related reading
- WHOIS lookup for 8.8.8.8 — a live record to read alongside this article.
- What is an ASN? — the number in every IP WHOIS record.
- Domain age — the WHOIS creation date, made useful.
- IP reputation and blocklists — the natural next question after “whose network is this?”
- Public vs private IPs — why some addresses have no registration record at all.
- CGNAT explained — why one public IP can represent hundreds of people.
- The IPFerret glossary — short definitions for the terms used above.
