WHOIS is one of the oldest active protocols on the internet — it predates the World Wide Web. For thirty years it did one job: given a domain name, hand back the registrant's name, email, physical address, and phone number in a lightly-structured plaintext blob over TCP port 43. That data underpinned everything from trademark enforcement to spam-fighting to journalism. Then GDPR arrived, and the whole edifice had to be rebuilt. In 2026 WHOIS is functionally a redacted shell of what it was, its structured successor RDAP has taken over the technical role, and the actually-useful information hides in a smaller set of fields that most people don't know how to read. This guide covers what's still there, why the rest went away, and how to do a domain lookup properly.
What WHOIS was, briefly
The classic WHOIS server sat on port 43 and spoke a format so loose that every TLD parsed it slightly differently. A query like whois example.com returned dozens of fields — Domain Name, Registrar, Creation Date, Updated Date, Expiration Date, Registrant Name, Registrant Organization, Registrant Street, Registrant City, Registrant Postal Code, Registrant Country, Registrant Phone, Registrant Email, Admin Contact, Technical Contact, Nameservers, DNSSEC status, Domain Status codes. If you were a spammer, you scraped it for email addresses. If you were a lawyer sending a takedown notice, you had the registrant's postal address. If you were a security researcher, you pivoted from a bad domain to every other domain the same person had registered.
What GDPR changed
Article 6 of GDPR requires a lawful basis for processing personal data. Publishing every EU person's home address in a public plaintext database that anyone in the world could scrape has, in retrospect, no lawful basis at all. In May 2018 ICANN adopted the "Temporary Specification for gTLD Registration Data," which required registrars and registries to redact all personal data from public WHOIS/RDAP responses for domains with any EU connection. Most registrars, faced with the cost of running two datasets (redacted and non-redacted), simply started redacting everyone. Today a WHOIS response for a personal domain typically looks like:
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
Registrant Email: Please query the RDDS service for the contact details.The actual data is still held by the registrar and is accessible through legitimate legal process — subpoenas, court orders, coordinated abuse reports through ICANN's disclosure mechanism. For casual lookups, it's simply gone.
Enter RDAP
WHOIS's plaintext format made structured parsing brittle. RDAP — Registration Data Access Protocol, RFC 7480 onward — replaced the wire format with structured JSON over HTTPS. Every ICANN-accredited registrar and registry now runs an RDAP endpoint. RDAP responses have well-defined fields, standard status codes, machine-readable event timestamps, and clear indication of what was redacted vs simply absent. Modern lookup tools speak RDAP by default and fall back to WHOIS only for legacy TLDs.
The technical improvements aren't the point most users care about — the point is that everything you'll see in a modern lookup UI ultimately came from RDAP.
The fields that still matter
Even with contact info redacted, a lookup remains useful. The fields worth reading:
- Registrar. Which retailer sold the domain. Useful for abuse reporting — you file the complaint with the registrar, not the registry.
- Creation date. How old is the domain? Freshly-created domains are heavily correlated with scams; a domain registered three days ago sending you email is a red flag.
- Expiration date. When does registration lapse? Useful for anyone considering acquisition or worried about their own upcoming renewal.
- Nameservers. Where DNS is hosted. Often reveals the operator's technology stack.
- Status codes. A field with entries like
clientTransferProhibited,serverHold,pendingDelete. Each one is a defined operational state.serverHoldmeans the registry has suspended the domain (often after an abuse complaint).pendingDeletemeans it's on the way to expiration. - DNSSEC. Whether the zone is signed and DS records are published at the registry. See our DNSSEC guide.
Our WHOIS Lookup exposes all of these in a scannable UI. For age-focused workflows, Domain Age Checker pulls just the creation date.
ccTLDs are their own world
ICANN policy applies to generic TLDs — .com, .org, .net, and the newer gTLDs. Country-code TLDs (.uk, .de, .jp, .cn) each have their own registry with its own rules. Some redact more aggressively than gTLDs. Some (Nominet for .uk, for instance) still publish organizational contacts for company-registered domains. Others don't offer RDAP at all yet. Expect variance.
Using WHOIS for security work
Even with contact fields redacted, WHOIS is still a load-bearing tool for security investigations. Registration date, registrar, nameservers, and pattern-matching across TLDs let you cluster domains almost as effectively as you could with contact data. Threat-intel platforms (RiskIQ, DomainTools, WhoisXML) buy access to historical WHOIS databases so you can see who used to own a domain before redaction — which is often the actionable data point.
Doing a lookup by hand
# Classic WHOIS
whois example.com
# RDAP via curl
curl -s https://rdap.verisign.com/com/v1/domain/example.com | jq .
# Registrar-of-record's own RDAP endpoint
curl -s https://rdap.markmonitor.com/rdap/domain/example.com | jq .For most work, our WHOIS Lookup tool does the RDAP-then-WHOIS fallback and pretty-prints the useful fields.
The bottom line
Public WHOIS in 2026 is not what it was in 2016. If you're trying to identify a specific human behind a domain from public data alone, you'll usually fail. If you want the operational metadata — how old, which registrar, what nameservers, what status — it's all still there and it's still valuable. Learn the fields, use RDAP when possible, and layer paid intel only for the small set of cases where the public data isn't enough.
Related tools: WHOIS Lookup · Domain Age Checker · NS Lookup · DNSSEC Checker
