WHOIS Lookup
What is WHOIS Lookup?
A query against the WHOIS or RDAP database that returns the registration details of a domain or IP, including registrar, registrant, dates, and name servers.
WHOIS is the legacy protocol that publishes domain and IP registration metadata: registrant, registrar, creation and expiry dates, status flags, and authoritative name servers. Investigators use it to age a domain (newly registered names are higher risk), correlate infrastructure across registrants, and find pivot points such as shared email addresses. WHOIS is being replaced by RDAP (RFC 7480-7484), which delivers structured JSON, supports authentication, and integrates with GDPR-aware redaction. Many registries now mask personal data, so analysts combine WHOIS or RDAP with passive DNS, certificate transparency, and historical archives such as DomainTools to recover useful signal.
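Domain aging over an RDAP response, as an added illustration that is not part of this glossary page: the code below parses a constructed RFC 9083-style JSON object, computes the domain's age from its registration event, flags names younger than a hypothetical 30-day threshold, and records when the registrant entity was redacted instead of silently treating it as empty. The sample domain, registrar and name server are made up for the example.

```python
import json
from datetime import datetime

# Constructed RDAP domain object in the RFC 9083 shape; not a real lookup result.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain", "ldhName": "login-verify-example.test",
    "status": ["client transfer prohibited", "add period"],
    "events": [{"eventAction": "registration", "eventDate": "2024-03-10T08:15:00Z"},
               {"eventAction": "expiration", "eventDate": "2025-03-10T08:15:00Z"}],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.example-dns.test"}],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar"]]]},
        {"objectClassName": "entity", "roles": ["registrant"],
         "remarks": [{"title": "REDACTED FOR PRIVACY", "description": ["GDPR"]}]}],
})

NEW_DOMAIN_DAYS = 30  # hypothetical "newly registered" threshold, not from the page

def _parse_ts(value):
    # RDAP uses RFC 3339 timestamps; Python < 3.11 cannot parse a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _event_time(doc, action):
    # Timestamp of the first event with the requested eventAction, else None.
    stamps = [ev["eventDate"] for ev in doc.get("events", []) if ev.get("eventAction") == action]
    return _parse_ts(stamps[0]) if stamps else None

def _vcard_fn(entity):
    # Formatted name from the entity's jCard, or None when the registry withheld it.
    return next((p[3] for p in entity.get("vcardArray", ["vcard", []])[1] if p[0] == "fn"), None)

def summarize_rdap(raw_json, observed_at):
    """Reduce an RDAP domain object to the fields an analyst ages and pivots on."""
    doc = json.loads(raw_json)
    registered = _event_time(doc, "registration")
    age_days = (_parse_ts(observed_at) - registered).days if registered else None
    names = {"registrar": None, "registrant": None}
    redacted = False
    for ent in doc.get("entities", []):
        for role in ent.get("roles", []):
            if role in names:
                names[role] = _vcard_fn(ent)
        # Registries that mask personal data signal it with a remark rather than a vCard.
        redacted |= any("REDACTED" in r.get("title", "").upper() for r in ent.get("remarks", []))
    return {"domain": doc.get("ldhName"), "age_days": age_days,
            "newly_registered": age_days is not None and age_days < NEW_DOMAIN_DAYS,
            "registrar": names["registrar"], "registrant": names["registrant"],
            "registrant_redacted": redacted, "status": doc.get("status", []),
            "nameservers": [ns.get("ldhName") for ns in doc.get("nameservers", [])]}
```

A redacted registrant still leaves registrar, status flags and name servers as pivots, which is why the summary keeps them alongside the age.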
● Examples
- 01: Discovering that a phishing domain was registered 12 hours before being used in a campaign.
- 02: Pivoting from a registrant email to dozens of similarly named domains created the same week.
● Frequently asked questions
What is WHOIS Lookup?
A query against the WHOIS or RDAP database that returns the registration details of a domain or IP, including registrar, registrant, dates, and name servers. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against WHOIS Lookup?
WHOIS Lookup is an investigative technique rather than an attack; the exposure it creates is registrant metadata, which many registries now mask through GDPR-aware RDAP redaction, as described in the definition above.
What are other names for WHOIS Lookup?
Common alternative names include: WHOIS, RDAP lookup.
● Related terms
- Passive DNS (defense-ops № 792): A historical database of observed DNS resolutions that lets investigators look up which IPs a domain pointed to and which domains shared an IP over time.
- Certificate Transparency (defense-ops № 159): An ecosystem of append-only public logs of TLS certificates, defined by RFC 6962 and 9162, that lets anyone audit which certificates exist for any domain.
- Domain Hijacking (attacks № 349): The unauthorized takeover of control over a registered domain name at the registrar or registry level, allowing an attacker to redirect traffic, email, and trust to malicious infrastructure.
- Cybersquatting (attacks № 269): Registering domain names that contain trademarks or well-known brand names without authorization, typically to extract money from the rights holder or to deceive users.
- Cyber Threat Intelligence (CTI) (defense-ops № 266): Evidence-based knowledge about adversaries, their motivations, and methods, used to inform defensive decisions and prioritize controls.