Every domain name on the internet has a registration record. google.com, example.org, your tiny side-project domain — all of them. It's like a property deed: public information about who registered the name, when, which registrar they bought it through, and how to reach them. The same is true for every block of IP addresses ever allocated.
The system for looking up that data is called WHOIS — pronounced "who-is" — and it has been running since the early 1980s. It's how journalists trace anonymous websites, how abuse teams find someone to contact about a phishing campaign, and how anyone can answer the question "who owns this thing?"
It's also in the middle of a long-overdue transition. The 1980s plaintext protocol is being replaced with something modern, and a lot of the data that used to be public has, since GDPR, gone behind a privacy wall. Here's what's still there and how to read it.
What WHOIS tells you about a domain
A domain lookup returns a handful of fields. The exact shape depends on the TLD and the registrar, but the staples are reliable.
- Registrar. The company the domain was purchased through — GoDaddy, Namecheap, Cloudflare Registrar, MarkMonitor, and so on. Big-brand domains are often registered through enterprise-tier registrars like MarkMonitor; consumer domains usually go through the retail names you recognize.
- Registration date. When the domain was first created. google.com has a registration date of 15 September 1997, which is part of why it shows up at the top of every "oldest active dot-com" trivia list.
- Expiry date. When the current registration ends. Most domains are paid for a year at a time; large brands pay for ten-year stretches because losing the domain would be a catastrophe.
- Last updated date. When the registration was last touched — often a renewal or a name-server change.
- Name servers. Which DNS servers the domain points to (ns1.google.com and similar). This tells you a lot about how the site is hosted: name servers ending in cloudflare.com mean Cloudflare is the DNS provider; awsdns means AWS Route 53. (See our piece on DNS record types for what those servers actually publish.)
- Registrant. The legal owner. In theory, a name, organization, country, and contact details. In practice, this field is usually redacted now — more on that below.
- Abuse contact. An email and phone number for reporting bad behaviour (spam, phishing, malware) coming from the domain. Always required, never redacted.
- EPP status codes. Short strings like clientTransferProhibited that tell you which operations are locked. Important domains usually have transfer, update, and delete prohibitions enabled to prevent hijacks.
The combination is enough to answer most legitimate questions: who runs this, when did it appear, can I trust it, and who do I email if it's misbehaving.
WHOIS for IP addresses
It isn't just domains. Every IP address block is allocated to an organization, and the allocation is public record. The five Regional Internet Registries — ARIN (North America), RIPE NCC (Europe and the Middle East), APNIC (Asia-Pacific), LACNIC (Latin America), and AFRINIC (Africa) — divide the world between them and maintain the assignments for their respective regions.
An IP WHOIS lookup returns a slightly different shape:
- The organization the block was assigned to (a corporation, an ISP, a university, a hosting company)
- The CIDR range — the actual span of addresses (8.8.8.0/24 for the famous Google block that includes 8.8.8.8)
- The country of registration
- The allocation type (DIRECT ALLOCATION, REASSIGNED, etc. — bureaucratic but meaningful)
- An abuse contact for reporting attacks coming from the block
This is how you answer "who owns this IP address?" — a question that comes up constantly when investigating server logs, reporting attacks, or understanding what's actually running at the other end of a connection. For the broader picture of how IP allocation maps to network operators, our companion piece on autonomous system numbers walks through the routing layer above it.
The WHOIS → RDAP transition
The original WHOIS protocol is a relic. Defined in RFC 812 in 1982 and revised in RFC 3912 in 2004, it works like this: you connect over TCP port 43, send a domain name as plain text, and the server sends back a free-form text blob. No authentication, no schema, no standardized fields — every registry returns slightly different text in a slightly different format. Parsing it reliably has been a long-running joke in operations circles.
RDAP — Registration Data Access Protocol — is the modern replacement. It runs over HTTPS, returns structured JSON, supports proper error codes and rate limiting, and is consistent across registries. As of January 2025, ICANN required all gTLDs (.com, .net, .org, and the hundreds of newer ones) to support RDAP, and most have. The major Regional Internet Registries have offered RDAP for IPs for several years.
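To show what "structured JSON" buys you in practice, here is an added example (not code from this site's tool): a small Python reader for an RDAP domain response that pulls out the fields listed earlier (registrar, dates, name servers, EPP status codes, abuse contact) and also reports the domain's age and whether a transfer lock is set. The record itself, the registrar name, and the 30-day "newly registered" threshold are constructed assumptions; a real response comes from the registry's RDAP server over HTTPS.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the RDAP domain-response shape (RFC 9083); not a real record.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain", "ldhName": "example-shop.test",
    "status": ["client transfer prohibited", "client update prohibited"],
    "events": [{"eventAction": "registration", "eventDate": "2025-03-01T10:00:00Z"},
               {"eventAction": "expiration", "eventDate": "2026-03-01T10:00:00Z"}],
    "nameservers": [{"ldhName": "ns1.example-dns.test"}, {"ldhName": "ns2.example-dns.test"}],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar, Inc."]]],
                  "entities": [{"roles": ["abuse"],  # abuse contact nests under the registrar
                                "vcardArray": ["vcard", [["email", {}, "text", "abuse@example-registrar.test"]]]}]}],
})
NOW = datetime(2025, 3, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock so the result is reproducible

def _vcard_value(entity, key):
    # jCard properties are [name, params, type, value] arrays inside vcardArray[1]
    return next((p[3] for p in entity.get("vcardArray", ["vcard", []])[1] if p[0] == key), None)

def _find_entity(entities, role):
    # depth-first: the first entity carrying the role, searching nested entities too
    for ent in entities:
        if role in ent.get("roles", []):
            return ent
        found = _find_entity(ent.get("entities", []), role)
        if found:
            return found
    return None

def rdap_status_to_epp(status):
    # RDAP spells status values out ('client transfer prohibited'); EPP uses camelCase.
    # RFC 8056 defines the mapping; its few irregular entries (e.g. 'associated') are not handled.
    words = status.split()
    return words[0] + "".join(w.capitalize() for w in words[1:])

def summarize_domain(rdap_json, now):
    """Extract registrar, dates, name servers, EPP codes and abuse contact; flag young or unlocked domains."""
    d = json.loads(rdap_json)
    events = {e["eventAction"]: datetime.fromisoformat(e["eventDate"].replace("Z", "+00:00"))
              for e in d.get("events", [])}
    registrar = _find_entity(d.get("entities", []), "registrar")
    abuse = _find_entity(d.get("entities", []), "abuse")
    epp = [rdap_status_to_epp(s) for s in d.get("status", [])]
    age_days = (now - events["registration"]).days if "registration" in events else None
    return {"domain": d["ldhName"], "epp_status": epp, "age_days": age_days,
            "registrar": _vcard_value(registrar, "fn") if registrar else None,
            "abuse_email": _vcard_value(abuse, "email") if abuse else None,
            "registered": events.get("registration"), "expires": events.get("expiration"),
            "name_servers": [ns["ldhName"] for ns in d.get("nameservers", [])],
            "transfer_locked": "clientTransferProhibited" in epp,
            "newly_registered": age_days is not None and age_days < 30}  # 30-day cutoff is an assumption
```

Against a real record, the same function works unchanged; only the JSON source differs.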
The transition isn't universal. Some country-code TLDs — notably .de (Germany), .cn (China), .jp (Japan), .uk, and .it — still only support legacy port-43 WHOIS, and modern web-based tools (including the one on this site) can't query them. For those, you need an old-fashioned command-line whois client.
Why so much data is redacted
If you ran a WHOIS lookup on a domain in 2017, you'd typically see the registrant's full name, postal address, phone number, and email. Then GDPR took effect in 2018, and the European Union made it clear that publishing that personal data without consent was no longer acceptable. Registrars complied by replacing those fields with privacy-proxy values or just blank entries marked "REDACTED FOR PRIVACY".
This change is global in practice. ICANN's policy now requires registrars to redact most personal data of individual registrants from public lookups, regardless of where the registrant lives. Organizations that explicitly opt in to public listing (think large brands that want the world to know they own a domain) still have their names visible.
The data isn't gone — the registrar still has it, and law enforcement can request it through proper channels. It's just not on the public record anymore. The fields you can still rely on are the registrar, the dates, the name servers, the EPP status codes, and the abuse contact. That's a lot, even without the registrant.
When you'd actually use this
WHOIS isn't just for sysadmins. A handful of everyday situations call for it:
- Checking if a domain is available. If a lookup returns "no match", the name isn't registered. (Don't trust this for finalizing a purchase — registrar search tools do this with real-time data.)
- Verifying a business is legitimate. A two-week-old domain with privacy-redacted registration is a red flag for a "company" claiming to have been in business for years.
- Reporting abuse. Found a phishing site? Look up its registrar's abuse contact. The registrar can suspend the domain if it's being used for fraud.
- Investigating suspicious emails. Sender domain paypaI.com (capital i instead of lowercase L) registered three days ago through a registrar known for spam-friendliness? That's a phishing attempt.
- Checking your own domain. Confirming the right name servers, the right expiry date, and that the transfer-lock is on. Worth doing once a year if you own anything important.
- Tracing the operator of an IP. Found an unfamiliar IP hammering your server logs? The IP WHOIS tells you which network operator owns the block, and the abuse contact is where you report attacks. (For known-bad reputation, the separate question of whether an IP is on a blacklist uses different tools.)
WHOIS and reverse DNS together
WHOIS tells you who owns an IP. Reverse DNS — the PTR record system — tells you what hostname the operator has assigned to it. The two complement each other. 8.8.8.8, for example, has a WHOIS record showing it belongs to Google LLC, and a reverse DNS record returning dns.google. Either alone would identify the operator; together they confirm it.
Operators set reverse DNS deliberately, and it's a useful sanity check. A mail server with no reverse DNS — or with reverse DNS that doesn't match its forward DNS — looks suspicious to spam filters. Our piece on reverse DNS covers the PTR system in detail.
Look up any domain or IP
The WHOIS & reverse DNS tool takes a domain or IP, auto-detects which one you've given it, and runs a clean RDAP lookup against the right server. Domains return registrar, dates, name servers, and EPP codes. IPs return the network operator, CIDR, and abuse contact — plus the reverse DNS record where one exists.
For the geolocation side of the IP question — country, city, ISP name, latitude/longitude — the IP lookup tool is the right next stop.