sysadmintools

WHOIS lookup explained: what's actually in a domain registration record

WHOIS is the public directory of who owns a domain. Here's what each field means, why some of them are redacted, and how to read a registration record.

WHOIS (pronounced "who is") is the public directory of domain name registrations. When you register example.com, the registrar sends the registration details to the appropriate registry (Verisign for .com, PIR for .org, etc.) and that registry publishes them via WHOIS. Anyone can query them. That's how you find out who owns a domain — and when it was registered and when it expires.

The fields you'll see

  • Registrar — the company you bought the domain through. GoDaddy, Namecheap, Cloudflare, MarkMonitor, etc.
  • Registrant — who actually owns it. For a company this is usually the legal entity name. For a personal registration it's your name (or a privacy proxy's name, more on that below).
  • Created / Updated / Expires — when the domain was first registered, when the record was last modified, and when the current registration expires. Auto-renew shows up here as an extended expiry date.
  • Status — codes from the registrar telling you what's allowed. clientTransferProhibited means the registrar won't let you move the domain to a different registrar (a common anti-theft setting). clientHold means the registry has suspended it.
  • Nameservers — which DNS servers are authoritative for this domain. This is what makes your A records resolvable. If these are wrong, your domain doesn't work regardless of what your registrar's DNS panel says.

Why some fields are missing

If you look up an EU-registered domain and the registrant is just REDACTED FOR PRIVACY, that's GDPR. After 2018, most registries redacted the natural-person fields (registrant name, address, phone, email) because exposing them publicly was deemed to violate the EU's data-protection regulation. Most registrars now offer a privacy proxy service that puts their own contact info in the registrant field as a go-between.

This is why a lot of WHOIS lookups just show the registrar's name in the registrant field instead of the actual owner's. The registrar still has the real data on file — you just can't see it via public WHOIS. To get it you'd typically need a legal request through the registrar's abuse contact, or a UDRP proceeding.

When you'd actually run a WHOIS lookup

  • Before buying an expired domain — check the expiry date and the nameservers (a domain that's still pointed at someone else's site has residual value but also residual cleanup).
  • When investigating abuse — the Registrar Abuse Contact Email is where you send spam / phishing / malware reports.
  • When debugging DNS — if a domain isn't resolving, the nameservers in WHOIS tell you where the zone should be served from. If they're wrong, that's the first thing to fix.
  • To verify a domain is what it claims to be — checking that example-bank.com is actually registered to a known bank (and not a typo-squatter who registered it last Tuesday).
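
The checks in the two lists above can be run over a raw record, shown here as an added example that is not part of the original page or its lookup tool. The sample record is constructed, and the "Key: value" layout and timestamp format are assumptions modelled on common gTLD registry output; other registries format their records differently.

```python
import re
from datetime import datetime, timezone

# Constructed sample record in the common "Key: value" registry layout (not real data).
SAMPLE = """\
Domain Name: EXAMPLE-BANK.COM
Registrar: Example Registrar, Inc.
Updated Date: 2024-05-07T09:12:44Z
Creation Date: 2024-05-07T09:12:44Z
Registry Expiry Date: 2025-05-07T09:12:44Z
Registrar Abuse Contact Email: abuse@registrar.example
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientHold https://icann.org/epp#clientHold
Registrant Name: REDACTED FOR PRIVACY
Name Server: NS1.PARKING.EXAMPLE
Name Server: NS2.PARKING.EXAMPLE
>>> Last update of whois database: 2024-05-14T00:00:00Z <<<
"""

MULTI = {"Domain Status", "Name Server"}  # keys that legitimately repeat

def parse_whois(text):
    """Parse 'Key: value' lines into a dict; repeated keys become lists."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(\S.*)$", line)
        if not m:
            continue  # skip banners, blank lines, legal footers
        key, val = m.group(1).strip(), m.group(2).strip()
        if key in MULTI:
            # status lines carry a URL after the code; keep only the first token
            rec.setdefault(key, []).append(val.split()[0])
        else:
            rec.setdefault(key, val)  # first occurrence wins
    return rec

def triage(rec, now, young_days=30):
    """Return the facts checked first when judging a domain (hypothetical helper)."""
    # Assumption: ISO-8601 UTC timestamps as in SAMPLE.
    created = datetime.strptime(rec["Creation Date"], "%Y-%m-%dT%H:%M:%SZ")
    age = (now - created.replace(tzinfo=timezone.utc)).days
    return {
        "age_days": age,
        "recently_registered": age < young_days,
        "redacted": "REDACTED" in rec.get("Registrant Name", "").upper(),
        "on_hold": any(s.lower().endswith("hold") for s in rec.get("Domain Status", [])),
        "abuse_contact": rec.get("Registrar Abuse Contact Email"),
        "nameservers": sorted(ns.lower() for ns in rec.get("Name Server", [])),
    }
```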

Run a lookup from your browser — parses the messy registry output into clean fields: WHOIS Lookup.
