- A WHOIS lookup queries a public database for domain registration data. This includes the registrar, dates, nameservers, registrant contacts (if not redacted), and status codes.
- WHOIS is dead for gTLDs. ICANN sunset the protocol on January 28, 2025. RDAP replaced it. Country-code TLDs mostly still use WHOIS.
- Use ICANN’s lookup.icann.org for any domain lookup. It returns structured RDAP data without ads or signup.
- EPP status codes show real information. Codes like clientTransferProhibited indicate security locks. Codes like pendingDelete indicate imminent loss.
- Most registrant fields are redacted. GDPR required it in 2018. ICANN’s August 2025 Registration Data Policy abolished Admin, Billing, and Technical contact fields entirely.
- Run lookups with NetworkCheckr’s WHOIS Lookup tool, which queries RDAP under the hood and returns parsed results.
Last updated: June 10, 2026
Most articles about WHOIS lookups describe a protocol that no longer exists for gTLDs. ICANN officially retired WHOIS for generic top-level domains on January 28, 2025. RDAP took over. By September 2025, 374 gTLD registries had disabled their WHOIS service. The term WHOIS lookup persists in everyday use, but the actual protocol underneath is now RDAP.
This guide covers what a WHOIS lookup shows in 2026 and why the protocol changed. It explains how to read EPP status codes, the most under-covered part of any domain record. It also walks through what the August 2025 Registration Data Policy actually changed. What is new here is the WHOIS sunset and its downstream effects; what most guides skip is the depth on EPP codes.
What a WHOIS Lookup Actually Shows
A WHOIS lookup queries a public database to retrieve information about a domain name. The data includes the registrar, registration dates, expiration dates, and nameservers. It also includes registrant contact details (if not redacted) and status codes that indicate locks or restrictions.
The basic anatomy of a domain record covers six categories of information:
- Domain identity — the domain name, the registry (e.g., Verisign for .com), and the registrar that sold the registration.
- Registration dates — when the domain was first created, when it was last updated, and when it expires.
- Nameservers — the authoritative DNS servers for the domain. Usually two or more, often provided by the hosting service or DNS provider.
- Registrant data — name, organization, email, phone, and address of the domain owner. Usually redacted in 2026.
- EPP status codes — flags indicating whether the domain can be transferred, deleted, updated, or resolved.
- DNSSEC status — whether the domain uses DNSSEC signing and the associated key data.
Each field serves a specific purpose. Dates tell you whether the domain is active and how long it has existed. Nameservers reveal where DNS lives. Status codes show protection level and any operational issues. The registrar tells you who has administrative control. Together they paint a picture of how a domain is managed, how mature it is, and whether anything looks unusual.
WHOIS Is Dead for gTLDs — RDAP Replaced It on January 28, 2025
ICANN officially sunset the WHOIS protocol for gTLDs on January 28, 2025. RDAP (Registration Data Access Protocol) replaced it. By September 2025, 374 gTLDs had disabled their WHOIS service. Country-code TLDs still use WHOIS in most cases.
The WHOIS protocol dates to 1982 (RFC 812). It served the internet for over four decades. RDAP, defined in RFC 9082 and RFC 9083 (2023), is the modern replacement. The transition was years in the making.
The Transition Timeline
- 2015: First version of RDAP published (RFCs 7480 through 7484).
- 2019: All gTLD registries required to support RDAP alongside WHOIS.
- 2023: Consolidated RDAP specification published (RFCs 9082, 9083, 9224).
- January 28, 2025: ICANN officially sunset the WHOIS requirement for gTLDs.
- February 2025: 74 gTLD registries shut down their WHOIS service within a month.
- June 2025: RDAP query volume surpassed WHOIS for the first time.
- August 21, 2025: ICANN Registration Data Policy took effect. New minimal data set rules apply.
- September 2025: 374 gTLDs had disabled WHOIS entirely.
- January 2026: ICANN revoked registrar Brennercom’s accreditation for failing to implement RDAP. First enforcement precedent.
Why RDAP Is Better
RDAP improves on WHOIS in four important ways. Responses are structured JSON instead of unstructured plain text, which means parsing is consistent across registrars. The protocol uses HTTPS instead of the unencrypted port 43, which protects query privacy. Internationalization (non-ASCII characters in domain names and registrant data) works natively. And tiered access lets ICANN provide different views to different audiences. The public, registrars, and law enforcement each see appropriate levels of data.
The ccTLD Exception
Country-code TLDs operate independently of ICANN’s gTLD rules. The .uk, .de, .ca, .jp, .au, and most other ccTLDs still use WHOIS in 2026. Some ccTLD registries have voluntarily moved to RDAP. Most have not. When you query a ccTLD domain, the underlying protocol depends on the registry’s choice.
We measured the gap. On June 10, 2026, we analyzed IANA’s official RDAP bootstrap registry. Only 70 of 248 country-code TLDs (28%) publish an RDAP endpoint. Generic TLDs sit at 1,035 of 1,038 (99.7%). Major absentees include .de, .jp, .io, .co, and .us. Covered ccTLDs include .uk, .fr, .ca, .au, .br, .in, and .ai.
Enforcement is real. In January 2026, ICANN revoked the accreditation of Brennercom, an Italian registrar, for failing to implement RDAP after the sunset. This was the first registrar accreditation revocation tied to RDAP non-compliance. The signal to the industry: RDAP support is contractual, not optional.
How to Run a Modern Domain Lookup
Use ICANN’s official RDAP-based tool at lookup.icann.org. Enter any domain name and view the structured registration data. NetworkCheckr’s WHOIS Lookup tool also queries RDAP under the hood and returns parsed results without ads or signup.
Three practical paths cover most use cases.
The Web Browser Path
For most users, a web-based tool is the right choice. Two options:
- ICANN Lookup at lookup.icann.org — the official source. Query any gTLD domain. Returns raw RDAP data plus a structured view. No registration. No ads.
- NetworkCheckr WHOIS Lookup — queries RDAP under the hood for gTLDs and falls back to WHOIS for ccTLDs. Returns parsed results with status codes interpreted in plain language.
The Command Line Path
For terminal users, the legacy whois command still works for ccTLDs. On some systems, the command also acts as a wrapper that routes through RDAP for gTLDs. The output format is unstructured plain text:
whois example.com
For native RDAP queries, ICANN provides an open-source command-line client on GitHub. Most Linux distributions also have RDAP-capable utilities like rdap-client in their package repositories.
The API Path
For automated systems, RDAP is a REST API. A simple curl command returns JSON:
curl -H "Accept: application/rdap+json" https://rdap.verisign.com/com/v1/domain/example.com
The bootstrap registry at rdap.iana.org lists the RDAP endpoint for each TLD. Modern scripts should use the bootstrap discovery flow rather than hard-coding endpoints.
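The bootstrap discovery flow described above, as an added Python example (not code from ICANN or NetworkCheckr). It resolves a domain to its RDAP base URL from a bootstrap document in the RFC 9224 layout, using a constructed sample instead of the live IANA file; the `example` entries and both function names are hypothetical.

```python
import json
from typing import Optional
from urllib.parse import quote

# Constructed sample in the RFC 9224 bootstrap layout, not a copy of the
# live IANA file. Each service is [[dns_suffix, ...], [base_url, ...]].
# The .com base URL is the one in the curl command above; the "example"
# entries are hypothetical.
SAMPLE_BOOTSTRAP = json.loads("""
{
  "version": "1.0",
  "services": [
    [["com"], ["https://rdap.verisign.com/com/v1/"]],
    [["example"], ["http://rdap.nic.example/", "https://rdap.nic.example/"]],
    [["co.example"], ["https://rdap.co-registry.example/v1/"]]
  ]
}
""")


def rdap_base_url(domain: str, bootstrap: dict) -> Optional[str]:
    """Return the HTTPS RDAP base URL for a domain, or None if unlisted."""
    labels = domain.lower().rstrip(".").split(".")
    best_len, best_urls = 0, []
    for entries, urls in bootstrap["services"]:
        for entry in entries:
            entry_labels = entry.lower().split(".")
            n = len(entry_labels)
            # Compare whole labels so "notcom" never matches "com";
            # keep the longest matching suffix.
            if n > best_len and labels[-n:] == entry_labels:
                best_len, best_urls = n, urls
    # Only HTTPS endpoints are accepted; a plaintext-only entry is treated
    # as unusable (a choice made by this example).
    https = [u for u in best_urls if u.lower().startswith("https://")]
    return https[0] if https else None


def rdap_domain_url(domain: str, bootstrap: dict) -> Optional[str]:
    """Build the /domain/<name> lookup URL, or None (fall back to WHOIS)."""
    base = rdap_base_url(domain, bootstrap)
    if base is None:
        return None
    name = domain.lower().rstrip(".")
    return base.rstrip("/") + "/domain/" + quote(name)


if __name__ == "__main__":
    for d in ("example.com", "shop.co.example", "site.invalid"):
        print(d, "->", rdap_domain_url(d, SAMPLE_BOOTSTRAP))
```

A `None` result is the case the ccTLD section describes: the TLD publishes no RDAP endpoint, so the caller has to fall back to WHOIS.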
Reading the Registration Data (Dates, Registrar, Nameservers)
Five fields matter most. The registrar tells you who manages the domain. Creation date shows domain age. Expiration date shows when renewal is due. Nameservers show where DNS is hosted. EPP status codes show active locks and restrictions on the domain.
Dates
Three dates appear in most records. The creation date (sometimes labeled “registration date”) shows when the domain was first registered. This rarely changes. The updated date shows the last time any field in the record was modified. The expiration date (sometimes “registry expiry date”) shows when the registration term ends. Most registrars allow renewal within a window before this date.
Domain age (calculated from the creation date) is a meaningful signal. Long-established domains carry more reputational weight in SEO and security contexts. Brand-new domains (under 30 days old) are common in phishing operations.
Registrar
The registrar field shows the company through which the current registration was placed. Examples include GoDaddy, Namecheap, Google Domains (now Squarespace Domains), Cloudflare Registrar, and Tucows. The registrar handles billing, renewal, and most administrative changes. Each registrar has its own ICANN accreditation and unique IANA ID number.
Nameservers
Nameservers are the authoritative DNS servers for the domain. They tell the internet where to look up A, AAAA, MX, TXT, and other DNS records. Most domains have two to four nameservers. The nameservers are usually provided by the hosting service or a dedicated DNS provider like Cloudflare or AWS Route 53.
Mismatched or unexpected nameservers are worth investigating. A domain marketed as being hosted on AWS but using GoDaddy nameservers means DNS is decoupled from hosting. This split is common but not always intentional.
DNSSEC
DNSSEC fields indicate whether the domain uses DNS Security Extensions (cryptographic signing of DNS records). If DNSSEC is signed, the record shows DS (Delegation Signer) data including key tags, algorithms, and digests. DNSSEC is uncommon (around 4 percent of .com domains) but is recommended for high-security domains.
Understanding EPP Status Codes (The Protection Layer)
EPP status codes indicate whether a domain can be transferred, deleted, updated, or resolved. The codes fall into three groups. Client codes are set by the registrar. Server codes are set by the registry. Pending codes indicate operations in progress.
EPP (Extensible Provisioning Protocol) status codes are the most operationally important fields in a domain record. They reveal protection level, active issues, and lifecycle stage. Most articles barely mention them. Here is the reference.
Normal Operation Codes
| Code | Meaning | Severity |
|---|---|---|
| ok | No restrictions. Domain is active and modifiable. | Normal |
| inactive | No nameservers attached. Domain does not resolve. | Neutral |
The ok status disappears the moment any prohibit code is applied. A domain with clientTransferProhibited will not also show ok.
Security Protection Codes (Set by Registrar)
| Code | Meaning | When to use |
|---|---|---|
| clientTransferProhibited | Registry rejects transfer requests. | Default for 60 days after registration; recommended permanently. |
| clientDeleteProhibited | Registry rejects deletion requests. | Guard against accidental or malicious deletion. |
| clientUpdateProhibited | Registry rejects updates to nameservers, contacts, or other fields. | During disputes; or to freeze a record. |
| clientRenewProhibited | Registry rejects renewal requests. | Rare; usually during a dispute. |
Server-Set Codes (Registry-Level Protections)
| Code | Meaning | Context |
|---|---|---|
| serverTransferProhibited | Registry blocks transfers at the registry level. | 60-day new-registration lock; legal hold. |
| serverDeleteProhibited | Registry blocks deletion at the registry level. | Often paired with redemption period for dispute domains. |
| serverUpdateProhibited | Registry blocks all updates. | Trademark disputes; serious policy violations. |
| serverHold | Registry suspends DNS resolution. | Court order; fraud finding; major policy violation. |
Lifecycle and Pending Codes
| Code | Meaning | Action needed |
|---|---|---|
| pendingCreate | New registration is processing. | Wait; usually completes within hours. |
| pendingTransfer | Transfer is in progress. | Wait up to 5 days; or confirm with old registrar. |
| pendingDelete | Domain will be deleted in 5 days. | Urgent. Renew immediately if you want to keep it. |
| redemptionPeriod | Domain was deleted; 30-day recovery window active. | Pay redemption fee (typically $80-150) to restore. |
| autoRenewPeriod | Registry auto-renewed the domain after expiration. | Pay the registrar to confirm the renewal. |
| clientHold | Registrar suspended DNS resolution. | Usually non-payment. Pay your registrar. |
The most operationally critical combinations to recognize:
- pendingDelete means your domain disappears in 5 days. Renew immediately or lose it.
- redemptionPeriod means your domain was deleted but you have a 30-day window to recover it. Pay the redemption fee to your registrar.
- serverHold is the most serious flag a registry can apply. The domain is suspended at the registry level. Resolution requires direct contact with the registry, typically through legal channels.
- Multiple client-prohibited codes together (clientTransferProhibited + clientDeleteProhibited + clientUpdateProhibited) indicate a properly locked production domain. This is the gold standard for any business-critical domain.
What “REDACTED FOR PRIVACY” Means (And the Minimal Data Set)
Since GDPR took effect in 2018, most gTLD registrations show REDACTED FOR PRIVACY for registrant fields. ICANN’s August 2025 Registration Data Policy went further and abolished Admin, Billing, and Technical contact requirements entirely. Only the registrant data set is now collected.
For most of the internet’s history, WHOIS records exposed the registrant’s name, organization, email, phone number, and physical address publicly. This led to spam, harassment, and identity theft issues. The General Data Protection Regulation (GDPR) took effect in May 2018. The regulation made this publication unlawful for personal data of EU residents. Most registrars responded by redacting registrant data globally rather than maintaining two-tier policies.
The August 2025 Registration Data Policy
ICANN’s Registration Data Policy took effect on August 21, 2025, after a year-long transition period. Two major changes:
- Admin, Billing, and Technical contacts are no longer collected. Registrars must purge historical data from these fields. Only the registrant data set is collected going forward.
- Minimal data set principle. Registrars collect only the data strictly necessary for domain operation, aligned with GDPR’s data minimization principle.
The practical effect is consistent. An RDAP lookup in 2026 typically shows the registrar, dates, nameservers, status codes, and a redacted registrant record. The full registrant data is held by the registrar but not exposed in public output.
Accessing Nonpublic Data Legitimately
ICANN operates the Registration Data Request Service (RDRS) for legitimate access to nonpublic data. The RDRS is a centralized portal. Law enforcement, intellectual property professionals, cybersecurity researchers, consumer protection advocates, and government officials can request information from participating registrars. Requests must include a documented legitimate interest. Participating registrars review and respond on their own timelines, which vary widely.
The RDRS began as a two-year pilot in November 2023. The pilot ended on November 30, 2025. ICANN’s Board then extended RDRS operations through December 2027 while standardized-access policy work continues. ICANN published the Two-Year Pilot Summary Report in early 2026.
For ad-hoc cases, you can also contact the sponsoring registrar directly through their abuse or legal channels. The general public does not have a path to nonpublic registration data. This is the intended outcome of the policy.
Common Red Flags in Domain Data
Three red flags in domain data signal potential abuse. Newly registered domains under 30 days old are common in phishing. Missing or generic privacy proxies on impersonating sites indicate fraud. Suspicious EPP status combinations (especially clientHold on legitimate-looking sites) deserve investigation.
Domain data is a useful signal for detecting fraud, phishing, and impersonation. Five patterns matter most.
Brand-New Domains
Phishing operations frequently register fresh domains for short-lived campaigns. A domain that claims to be a major brand but was registered three days ago is almost certainly fraudulent. Major brands have decades-old domains. Any “official” lookalike registered within the last 30 days is a red flag.
Cheap Privacy Proxies on Sensitive Sites
Privacy redaction is normal for individual registrants. It is unusual for major brands. A domain that looks like a bank, government agency, or healthcare provider but shows generic privacy-proxy contact data is suspicious. Legitimate organizations typically register with their full corporate identity visible.
Unusual EPP Status Combinations
clientHold on a legitimate-looking site means the registrar has suspended DNS for that domain. This often follows a complaint, non-payment, or policy violation. Visiting such a domain typically returns a DNS error, which itself is informative.
Domains showing serverHold indicate registry-level suspension, usually for severe violations like abuse, fraud, or court orders. These domains are effectively dead at the protocol level.
Recently-Changed Nameservers
The updated date in the record, paired with a recent change in nameservers, can indicate one of two things: a legitimate move to a new hosting provider or a takeover by an attacker. Context matters. If you see this pattern on a domain you do not control, check whether the nameservers point to known-bad infrastructure.
Mismatched Geographic and Linguistic Signals
Consider a domain in English claiming to serve North American customers, registered through a registrar in a high-risk jurisdiction. The nameservers are in a third country. This combination is worth a second look. None of these signals individually is conclusive, but together they raise the probability of fraud.
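The EPP status reference and the red-flag patterns above, combined into one added Python example (not NetworkCheckr's or ICANN's code). It maps RDAP status strings to EPP code names per RFC 8056, then reports lock coverage, lifecycle alerts and domain age for a constructed RDAP response; the function names, the sample record and the 30-day window applied to the "last changed" event are assumptions of this example.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response: field names follow RFC 9083, every
# value is invented for this example.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "LOGIN-BRAND.EXAMPLE",
  "status": ["client hold", "client transfer prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2026-06-01T09:30:00Z"},
    {"eventAction": "last changed", "eventDate": "2026-06-08T12:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2027-06-01T09:30:00Z"}
  ],
  "nameservers": [{"objectClassName": "nameserver", "ldhName": "NS1.DNS.EXAMPLE"}]
}
""")

# RDAP spells statuses as lowercase words (RFC 8056); two of them do not
# follow the plain camelCase pattern.
RDAP_SPECIAL = {"active": "ok", "associated": "linked"}
FULL_LOCK = {"clientTransferProhibited", "clientDeleteProhibited",
             "clientUpdateProhibited"}
ALERTS = {
    "pendingDelete": "deletion is scheduled; renew now to keep the domain",
    "redemptionPeriod": "domain was deleted; recovery window is open",
    "serverHold": "DNS resolution suspended at the registry level",
    "clientHold": "DNS resolution suspended by the registrar",
}


def epp_code(rdap_status: str) -> str:
    """Map an RDAP status string to its EPP status code name."""
    words = rdap_status.strip().lower().split()
    if not words:
        return ""
    joined = " ".join(words)
    if joined in RDAP_SPECIAL:
        return RDAP_SPECIAL[joined]
    return words[0] + "".join(w.capitalize() for w in words[1:])


def triage(record: dict, now: datetime, new_domain_days: int = 30) -> dict:
    """Summarise locks, lifecycle alerts and age; `now` must be tz-aware."""
    codes = {epp_code(s) for s in record.get("status", [])} - {""}
    events = {e["eventAction"]: datetime.fromisoformat(
                  e["eventDate"].replace("Z", "+00:00"))
              for e in record.get("events", [])
              if "eventAction" in e and "eventDate" in e}
    findings = [f"{c}: {ALERTS[c]}" for c in sorted(codes & ALERTS.keys())]
    created = events.get("registration")
    age_days = (now - created).days if created else None
    if age_days is not None and age_days < new_domain_days:
        findings.append(f"registered {age_days} days ago (under {new_domain_days})")
    changed = events.get("last changed")
    if changed and (now - changed).days < new_domain_days:
        findings.append("record changed recently; compare nameservers with the expected ones")
    missing = sorted(FULL_LOCK - codes)
    return {"domain": record.get("ldhName", "").lower(),
            "epp_codes": sorted(codes), "age_days": age_days,
            "missing_locks": missing, "fully_locked": not missing,
            "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_RDAP, datetime(2026, 6, 10, tzinfo=timezone.utc))
    print(json.dumps(report, indent=2))
```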
Related Tools & Resources
NetworkCheckr offers three tools that pair with this guide. The WHOIS Lookup queries domain registration data via RDAP. The DNS Lookup reveals current DNS configuration. The Reverse DNS Lookup verifies server identity associated with the domain.
- WHOIS Lookup — query domain registration data via RDAP (or WHOIS for ccTLDs).
- DNS Lookup — check A, AAAA, MX, TXT, and other DNS records.
- Reverse DNS Lookup — confirm the PTR record for an IP address.
- SSL Certificate Checker — verify any domain’s TLS certificate.
- IP Blacklist Check — check if your sending IP is on a major DNSBL.
- How SSL Certificates Work — companion guide to the SSL Certificate Checker.
- All NetworkCheckr Tools — the full set of free networking utilities.
Frequently Asked Questions
Six questions cover the practical edge cases. Whether WHOIS is completely gone. Why the registrant field is blank. What clientTransferProhibited actually means. How to access nonpublic data legitimately. The difference between gTLDs and ccTLDs. And whether RDAP query results are slower.
Is WHOIS completely gone?
Not entirely. WHOIS was sunset for gTLDs (.com, .net, .org, and similar) on January 28, 2025. Country-code TLDs (.uk, .de, .ca, and most others) still use the WHOIS protocol. Even for gTLDs, some registrars temporarily maintain WHOIS endpoints for compatibility. The term WHOIS lookup persists in everyday use. It describes the action of looking up domain registration data, regardless of whether the underlying protocol is WHOIS or RDAP. ICANN’s lookup.icann.org now uses RDAP.
Why is the registrant field blank?
Two reasons. First, GDPR (2018) required redaction of personal data for EU and non-EU registrants alike. Most registrars apply REDACTED FOR PRIVACY to all gTLD registrants by default. Second, ICANN’s August 21, 2025 Registration Data Policy went further. It abolished the requirement to collect Admin, Billing, and Technical contact fields entirely. Only registrant data is collected now, and most of it is redacted in public output. Legitimate access to nonpublic data requires the RDRS.
What does clientTransferProhibited actually mean?
It means the registry must reject any transfer request for the domain. The registrar sets this code. The default lock applies for the first 60 days after a new registration or recent transfer. The code can also be applied manually as a security measure for high-value domains. Removal is done by the registrar, not the registry. Domain owners should keep this code active for all production domains because it prevents most unauthorized transfers.
How do I access nonpublic registration data legitimately?
Use ICANN’s Registration Data Request Service (RDRS). The RDRS is a centralized portal. Law enforcement, intellectual property professionals, cybersecurity researchers, consumer protection advocates, and government officials can request nonpublic data from participating registrars. The request must include a legitimate interest justification. Participating registrars review and respond within their own policies. For ad-hoc cases, contact the sponsoring registrar directly. The RDRS link is available at icann.org. The general public cannot access nonpublic data.
What is the difference between gTLDs and ccTLDs?
gTLDs (generic top-level domains) include .com, .net, .org, .info, and the newer .app, .dev, and .io variants. ICANN regulates them directly. ccTLDs (country-code top-level domains) include .uk, .de, .ca, .jp, .au, and similar two-letter codes for each country. Each ccTLD is operated by its country’s designated registry under local rules. The WHOIS-to-RDAP sunset applies only to gTLDs. Most ccTLD registries still use WHOIS, and policies vary by country. Some ccTLDs have moved to RDAP voluntarily.
What is the official ICANN lookup tool?
ICANN Lookup at lookup.icann.org is the official RDAP-based lookup tool for gTLD registration data. It returns raw RDAP output plus a structured view. NetworkCheckr’s WHOIS Lookup queries the same RDAP system and adds parsed status codes and ccTLD WHOIS fallback. Both are free with no signup.
Are RDAP query results slower than WHOIS?
In practice, no. WHOIS used a simple plain-text protocol on port 43 and was fast for individual queries. RDAP uses HTTPS REST APIs and adds protocol overhead, but responses arrive in structured JSON that is faster to parse. Most modern lookup tools cache responses for repeated queries. End users typically see RDAP results in under one second through web-based tools. For automated systems doing bulk lookups, RDAP’s rate-limiting and HTTPS handshake can be marginally slower than WHOIS. The structured format eliminates parsing errors.