WHOIS: Domain & IP Registration Lookups

WHOIS is a protocol for querying databases that store registration information about domain names and IP addresses. It reveals who owns a domain, when it was registered, when it expires, which registrar manages it, and contact information for the registrant (when not privacy-protected).

What is WHOIS?

WHOIS (pronounced "who is") is a query and response protocol that dates back to the early days of the internet. It provides public access to registration data for:

WHOIS data is maintained by domain registrars, regional internet registries (RIRs), and ICANN-accredited databases.

Regional Internet Registries

IP address WHOIS queries are handled by five RIRs: ARIN (North America), RIPE NCC (Europe/Middle East), APNIC (Asia-Pacific), LACNIC (Latin America), and AFRINIC (Africa).

Basic Usage

Command Line (Linux/macOS)

Most Unix-like systems have the whois command pre-installed:

# Domain WHOIS lookup
whois example.com

# IP address WHOIS lookup
whois 8.8.8.8

# Specify WHOIS server
whois -h whois.verisign-grs.com example.com

Windows

Windows doesn't include a native WHOIS command, but you have options:

# Install via Windows Package Manager
winget install whois

# Or use Sysinternals Whois
# Download from: docs.microsoft.com/sysinternals/downloads/whois

# Usage after installation
whois example.com
whois 8.8.8.8

Online Tools

If you don't have command-line access, numerous websites offer WHOIS lookups:

Domain WHOIS Lookups

Domain WHOIS reveals registration information for domain names:

$ whois google.com

   Domain Name: GOOGLE.COM
   Registry Domain ID: 2138514_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.markmonitor.com
   Registrar URL: http://www.markmonitor.com
   Updated Date: 2019-09-09T15:39:04Z
   Creation Date: 1997-09-15T04:00:00Z
   Registry Expiry Date: 2028-09-14T04:00:00Z
   Registrar: MarkMonitor Inc.
   Registrar IANA ID: 292
   ...
   Name Server: NS1.GOOGLE.COM
   Name Server: NS2.GOOGLE.COM
   Name Server: NS3.GOOGLE.COM
   Name Server: NS4.GOOGLE.COM
   DNSSEC: unsigned

Key Fields Explained

Field               Description
Domain Name         The domain being queried
Registry Domain ID  Unique identifier in the registry
Registrar           Company that manages the registration
Creation Date       When the domain was first registered
Expiry Date         When registration expires (important!)
Updated Date        Last modification to WHOIS record
Name Server         DNS servers for the domain
DNSSEC              Whether DNSSEC is enabled
Status              Domain status codes (clientTransferProhibited, etc.)

Domain Status Codes

Status                    Meaning
clientTransferProhibited  Transfer lock enabled by registrant
clientDeleteProhibited    Domain cannot be deleted
clientUpdateProhibited    Domain cannot be modified
serverHold                Domain suspended by registry
redemptionPeriod          Domain expired, in recovery period
pendingDelete             Domain scheduled for deletion

IP Address WHOIS Lookups

IP WHOIS shows which organization owns or operates an IP address block:

$ whois 8.8.8.8

NetRange:       8.8.8.0 - 8.8.8.255
CIDR:           8.8.8.0/24
NetName:        GOGL
NetHandle:      NET-8-8-8-0-2
Parent:         NET8 (NET-8-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS15169
Organization:   Google LLC (GOGL)
RegDate:        2023-12-28
Updated:        2023-12-28
Ref:            https://rdap.arin.net/registry/ip/8.8.8.0

OrgName:        Google LLC
OrgId:          GOGL
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US

OrgAbuseHandle: ABUSE5250-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-650-253-0000
OrgAbuseEmail:  network-abuse@google.com

IP WHOIS Fields

Field          Description
NetRange/CIDR  IP address block allocated
NetName        Short name for the network
Organization   Entity that owns/operates the IPs
OriginAS       Autonomous System number
OrgAbuse       Contact for reporting abuse
Country        Where organization is registered

Report Abuse

The OrgAbuseEmail field shows where to report malicious activity from that IP range. This is useful for reporting spam, attacks, or other abuse.

Advanced Lookups

Query Specific WHOIS Servers

# Query Verisign for .com domains
whois -h whois.verisign-grs.com example.com

# Query RIPE for European IPs
whois -h whois.ripe.net 185.199.108.153

# Query ARIN for North American IPs
whois -h whois.arin.net 8.8.8.8

# Query APNIC for Asian IPs
whois -h whois.apnic.net 203.0.113.1

TLD-Specific WHOIS Servers

TLD         WHOIS Server
.com, .net  whois.verisign-grs.com
.org        whois.publicinterestregistry.org
.io         whois.nic.io
.ca         whois.cira.ca
.uk         whois.nic.uk
.de         whois.denic.de
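
What whois -h does on the wire, as an added Python example (not code from the original page): it picks the registry server from the table above, sends the query on TCP port 43, and follows the Registrar WHOIS Server referral seen in the google.com output. The HOSTNAME and QUERY_OK checks are assumptions of this example, included because the referral is data returned by a remote server and the query string may come from untrusted input.

```python
import re
import socket

# Registry servers copied from the TLD table above.
TLD_SERVERS = {
    "com": "whois.verisign-grs.com", "net": "whois.verisign-grs.com",
    "org": "whois.publicinterestregistry.org", "io": "whois.nic.io",
    "ca": "whois.cira.ca", "uk": "whois.nic.uk", "de": "whois.denic.de",
}
# Assumed validation rules (not from the page): plain DNS hostname, safe query.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
QUERY_OK = re.compile(r"[A-Za-z0-9.:-]{1,253}")  # domain or IP, no CR/LF

def server_for(domain):
    """Registry WHOIS server for the domain's TLD, or None if not in the table."""
    return TLD_SERVERS.get(domain.rstrip(".").rsplit(".", 1)[-1].lower())

def referral(response):
    """Registrar WHOIS Server named in a registry reply, if it is a sane hostname."""
    m = re.search(r"^[ \t]*Registrar WHOIS Server:[ \t]*(\S+)[ \t\r]*$",
                  response, re.I | re.M)
    host = m.group(1).lower() if m else ""
    return host if HOSTNAME.match(host) else None

def query(server, name, timeout=10):
    """One exchange per RFC 3912: send name + CRLF to TCP 43, read until close."""
    if not QUERY_OK.fullmatch(name):
        raise ValueError("refusing to send unexpected characters to WHOIS server")
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(name.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def lookup(domain):
    """Registry query, then follow the registrar referral when one is present."""
    server = server_for(domain)
    if server is None:
        raise ValueError("no WHOIS server known for this TLD")
    reply = query(server, domain)
    registrar = referral(reply)
    return query(registrar, domain) if registrar else reply
```

Only query() and lookup() touch the network; server_for() and referral() work on strings and can be exercised offline.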

WHOIS Privacy Protection

Many domain registrants use WHOIS privacy services to hide personal information:

Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy service provided by Withheld for Privacy
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
...

Why use WHOIS privacy?

GDPR Impact

Since GDPR took effect in 2018, many registrars automatically redact personal information from WHOIS for domains registered by EU residents. This has significantly reduced available contact information in WHOIS records.

Common Use Cases

Check Domain Availability and History

# See if domain is registered and when it expires
whois desireddomain.com

# Check creation date to gauge domain age (older = more trusted)

Verify Domain Ownership

# Before buying a domain, verify seller owns it
whois domaintobuy.com

# Compare registrant info with seller's claims

Investigate Suspicious Activity

# Find who owns IP sending spam
whois 192.0.2.1

# Get abuse contact to report issue
# Look for OrgAbuseEmail field
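
Pulling the abuse contact out of an IP WHOIS record, as an added Python example (not code from the original page) covering both the OrgAbuseEmail field described under IP WHOIS Fields and the investigation step above. It first confirms that the returned block actually covers the address being investigated. The sample records are constructed on documentation address space, the second one in the layout RIPE uses, and the example assumes one allocation per record.

```python
import ipaddress
import re

# Constructed records on documentation address space (RFC 5737), not live data.
ARIN_STYLE = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
OriginAS:       AS64500
Organization:   Example Hosting (EXHO)
OrgAbuseEmail:  abuse@hosting.example
"""
RIPE_STYLE = """\
% Abuse contact for '198.51.100.0 - 198.51.100.127' is 'abuse@isp.example'
inetnum:        198.51.100.0 - 198.51.100.127
netname:        EXAMPLE-NET
country:        NL
"""

ABUSE = re.compile(r"^\s*(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+@\S+)"
                   r"|^% Abuse contact for .* is '([^']+)'", re.I | re.M)

def networks(text):
    """Allocated blocks from CIDR lists (ARIN) or first-last ranges (ARIN, RIPE)."""
    nets = set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "cidr":
            nets.update(ipaddress.ip_network(c.strip()) for c in value.split(","))
        elif key in ("netrange", "inetnum") and " - " in value:
            first, last = (ipaddress.ip_address(p) for p in value.split(" - "))
            nets.update(ipaddress.summarize_address_range(first, last))
    return nets

def abuse_contact(text):
    """First abuse mailbox found in the record, or None."""
    m = ABUSE.search(text)
    return (m.group(1) or m.group(2)) if m else None

def report_target(ip, text):
    """(covering block, abuse address), or None when the record does not cover ip."""
    addr = ipaddress.ip_address(ip)
    covering = [n for n in networks(text) if addr in n]
    if not covering:
        return None
    return str(max(covering, key=lambda n: n.prefixlen)), abuse_contact(text)
```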

Monitor Domain Expiration

# Check expiry date for domains you want
whois example.com | grep -i expir

# Registry Expiry Date: 2025-03-15T04:00:00Z
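
Going beyond the grep above, an added Python example (not code from the original page) that parses a domain record and turns the fields from Key Fields Explained and the codes from Domain Status Codes into findings. The sample record is constructed, the Domain Status line layout is the one registries print in place of the "..." in the google.com output, and the 30-day thresholds and finding names are assumptions.

```python
from datetime import datetime, timezone

# Constructed record in the registry layout shown earlier (not a live lookup).
SAMPLE = """\
   Domain Name: EXAMPLE-SHOP.COM
   Creation Date: 2024-05-20T10:00:00Z
   Registry Expiry Date: 2025-05-20T10:00:00Z
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverHold https://icann.org/epp#serverHold
   Name Server: NS1.DNS-HOST.EXAMPLE
   Name Server: NS2.DNS-HOST.EXAMPLE
   DNSSEC: unsigned
"""

# Codes from the status table that mean the domain is suspended or lapsing.
RISKY_STATUS = {"serverHold", "redemptionPeriod", "pendingDelete"}

def parse_whois(text):
    """Return {field: [values]}; fields such as Name Server repeat."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and value.strip():
            record.setdefault(key, []).append(value.strip())
    return record

def first_date(record, *fields):
    """Parse the first present field as a UTC timestamp (registry 'Z' format)."""
    for field in fields:
        if field in record:
            stamp = datetime.strptime(record[field][0], "%Y-%m-%dT%H:%M:%SZ")
            return stamp.replace(tzinfo=timezone.utc)
    return None

def triage(text, now, new_days=30, expiring_days=30):
    """Findings for one domain record; both thresholds are assumed defaults."""
    rec = parse_whois(text)
    findings = []
    created = first_date(rec, "Creation Date")
    expires = first_date(rec, "Registry Expiry Date")
    if created and (now - created).days < new_days:
        findings.append("newly-registered")
    if expires and (expires - now).days < expiring_days:
        findings.append("expired" if expires <= now else "expiring-soon")
    statuses = {s.split()[0] for s in rec.get("Domain Status", [])}
    findings += sorted("status:" + s for s in statuses & RISKY_STATUS)
    if "clientTransferProhibited" not in statuses:
        findings.append("no-transfer-lock")
    return findings
```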

Research Competitors

# Learn when competitor registered domain
# Find their registrar and nameservers
whois competitor.com
