🔍 Tool

WHOIS Lookup — Domain Registrar, Owner & Expiry

Look up registrar, creation date, expiry date, nameservers, and registrant details for any domain. The tool queries the authoritative WHOIS server for the TLD over port 43, parses the response, and renders the result as indexable HTML.

Popular Lookups

What this tool does

The WHOIS Lookup tool queries the authoritative WHOIS server for any domain and returns the registration record: registrar name, registrar URL, creation date, last-updated date, expiry date, DNSSEC status, registrant organisation, registrant country, all configured nameservers, and the calculated domain age in years and months. The check connects directly to the TLD's WHOIS server on port 43 — no third-party API, no rate-limited intermediary. Results render as plain HTML for search-engine indexability and cache for one hour.

What is different about this tool: direct authoritative queries, with computed domain age. Many free WHOIS lookups proxy through a single API and either rate-limit you or strip fields the API doesn't surface. This tool routes by TLD to the correct authoritative WHOIS server (Verisign for .com/.net, PIR for .org, dedicated nic.* servers for new TLDs). The age calculation reads the creation date and shows years + months at a glance — useful because newly-registered domains correlate strongly with phishing, scams, and short-lived attacker infrastructure.

How it works under the hood

When you submit a domain, the tool extracts the registrable hostname and identifies its top-level domain (the part after the final dot). It then looks up the authoritative WHOIS server for that TLD from a built-in routing table — whois.verisign-grs.com for .com and .net, whois.pir.org for .org, whois.nic.io for .io, and equivalent nic.* servers for newer TLDs. For TLDs not in the table, it falls back to whois.nic.{tld} which works for most modern TLDs.

Port 43 query. The tool opens a TCP connection to the WHOIS server on port 43 with a 5-second timeout, writes the domain name followed by CRLF, and reads the response until the server closes the socket. WHOIS is one of the oldest internet protocols (RFC 812 from 1982, refined by RFC 3912 in 2004) and has barely changed — the request format is literally just the domain plus newline.

Field parsing. The raw WHOIS response varies by registrar but follows a loose Field: Value convention. The tool parses each line, looking for known field names (Domain Name, Registrar, Creation Date, Updated Date, Registry Expiry Date, DNSSEC, Registrant Organization, Registrant Country, Name Server). Multiple Name Server entries collect into a separate card. Fields the parser doesn't recognise are silently skipped — different registrars use slightly different field labels.

Domain age calculation. The Creation Date field is parsed via PHP's strtotime(), which handles the major date formats WHOIS servers use (ISO 8601, RFC 822, and various registrar-specific variants). Age is computed in years and months — the years value is what matters most for security analysis (a 1-year-old domain hosting a financial services portal is a strong fraud signal; a 15-year-old domain is unlikely to be attacker infrastructure).

Caching and rate. Results cache for one hour via WordPress transients keyed by domain. WHOIS servers do enforce per-IP rate limits — Verisign in particular is aggressive — and the cache protects both your experience (instant repeat lookups) and the upstream server (one query per domain per hour from our infrastructure regardless of how many users request the same domain).

What this tool does NOT do. It does not show registrant contact details for domains where the registrar has enabled WHOIS privacy (which is now most domains thanks to GDPR — registrant fields show REDACTED FOR PRIVACY or similar). It does not query historical WHOIS data — for that, use SecurityTrails or DomainTools. It does not query .uk, .de, .fr or other ccTLDs that use non-standard WHOIS protocols requiring custom parsing. For those TLDs, you'll need the registry's web-based WHOIS interface or a paid aggregator.

Five real-world use cases

Verify the registration details of a suspicious domain

An email arrives from a domain you don't recognise, or a colleague forwards a link they're unsure about. Run the domain through WHOIS — three fields tell you most of what you need. (1) Creation Date: anything under 90 days old is suspicious by default. (2) Registrar: legitimate businesses use mainstream registrars (Namecheap, GoDaddy, Cloudflare); attackers favour the cheapest budget registrars or registrars that don't enforce abuse complaints. (3) Registrant Country: domains targeting your customers but registered in a country with no business presence is a fraud signal worth flagging.

suspicious-bank-login.com

Confirm domain ownership before paying a renewal invoice

Renewal-scam emails impersonate registrars and try to get businesses to pay them instead of the actual registrar. Before paying any renewal invoice, run the domain through this tool and verify the Registrar field matches who's billing you. The Registrar URL field gives you the registrar's official website — never click links from the renewal email; navigate directly to that URL to log in. This 30-second check catches one of the most common B2B billing scams.

Audit your own domain inventory for upcoming expiries

Run WHOIS against every domain your organisation owns and record the Registry Expiry Date for each. Sort ascending. Anything within 60 days needs a calendar reminder; anything within 30 days needs the renewal action queued for this week. Domain expiry is one of the most preventable causes of business outages — it always comes with months of notice, the cost is trivial, and the failure mode (domain dropped, immediately re-registered by squatter or competitor) is catastrophic.

Bug bounty: identify in-scope subdomains via WHOIS pivoting

When recon expands a target's surface area, WHOIS data on related domains helps confirm what's actually owned by the target organisation versus what's third-party. Run WHOIS against suspected related domains — if the Registrant Organization matches your target's registered company name (and the registration dates cluster around known acquisitions), you've confirmed in-scope assets. WHOIS privacy makes this less reliable than it used to be, but for older corporate registrations the data is still there.

Check registration dates of competitors\u2019 newly-launched products

Competitive intelligence: when a competitor launches a new product, the marketing domain often gets registered weeks or months before the public announcement. Periodic WHOIS checks on plausible product-name domains can give you weeks of advance warning of competitor launches. Note that registrar-side privacy redaction now hides registrant details on most domains — so creation date is usually the only useful field, but creation date alone is often enough to time your own announcements.

Common mistakes & edge cases

Treating REDACTED FOR PRIVACY as suspicious

Since GDPR, most registrars redact the Registrant fields by default for personal-data privacy. Seeing REDACTED FOR PRIVACY or Domain Privacy Service in the Registrant Organization field is now normal, not a red flag. The unredacted fields (Registrar, Creation Date, Expiry Date, DNSSEC, Nameservers) are still authoritative and useful — focus your analysis there.

Confusing Registrar with hosting provider

The Registrar is who sold and manages the domain registration (Namecheap, GoDaddy, Cloudflare Registrar, Google Domains, etc.). The hosting provider is whoever runs the actual servers the domain points to. They're often the same company (Cloudflare, Google) but frequently aren't (a domain registered at Namecheap can host on AWS). To find the hosting provider, use the DNS Lookup tool to get the A record, then the IP Address Lookup to identify the hosting AS.

Reading Creation Date as immutable proof of age

A domain that lapses and gets re-registered shows the new Creation Date, not the original registration. So a domain that's "existed" for 20 years on the public web but lapsed last year and was re-bought reads as 1-year-old in WHOIS — and that one-year-old reading is correct from a security perspective (it's now a different registrant with no continuity). For continuity-vs-change analysis, cross-reference with the Wayback Machine.

Ignoring the Updated Date field

Updated Date shows when the WHOIS record was last modified — usually because the registrant changed nameservers, transferred registrar, renewed early, or updated contact info. A domain with a recent Updated Date but unchanged Creation Date often signals a registration handover or major infrastructure change. For phishing analysis, an Updated Date within the last 30 days combined with a young Creation Date is a high-signal combination.

Trusting Registrant Country at face value

The Registrant Country field is self-reported by whoever registered the domain. There's no validation. A domain registered in US can be operated by anyone anywhere. This field is useful for filtering obvious mismatches (a domain claiming to be your local council registered in Seychelles is a flag) but useless as positive proof of legitimacy. Never make decisions purely on this field.

Querying ccTLDs and getting empty results

Country-code TLDs (.uk, .de, .fr, .nl, .au, .ru, etc.) often use non-standard WHOIS protocols, custom port-43 query formats, or require web-only access via the registry's site. The tool may return empty fields or partial data for these. For .uk specifically, use Nominet's WHOIS service at nominet.uk/whois/; for .de, use denic.de. Each registry has its own canonical lookup interface.

Frequently Asked Questions

Paste the domain into the lookup above. The tool returns the registrar, creation date, expiry date, nameservers, and (where available) registrant organisation and country. Since GDPR most personal registrant details are now redacted by registrars; the Registrar field tells you which company manages the domain registration, but contacting the actual owner usually requires going through the registrar's privacy proxy.
WHOIS literally stands for the question "who is" — as in "who is responsible for this domain?". The protocol dates to 1982 (RFC 812) and was originally designed for the ARPANET to identify network resource owners. The WHOIS protocol itself (port 43, plain-text query and response) has barely changed since RFC 3912 formalised it in 2004.
Since GDPR (May 2018), most registrars redact registrant personal data from public WHOIS responses by default to comply with EU data-protection law. The redaction applies regardless of the registrant's location — registrars apply it globally for simplicity. To contact the actual owner, use the registrar's contact form (linked in the Registrar URL field), which forwards to the registrant via privacy proxy.
Not via free public WHOIS — the protocol only supports forward lookup (domain → registration data). Reverse WHOIS (registrant → all their domains) requires querying a historical WHOIS database. Paid services that do this include DomainTools, WhoisXMLAPI, and SecurityTrails. The data is most useful when investigating a phishing operator's broader infrastructure or doing brand-protection research across typosquats.
Authoritative WHOIS data is highly accurate for the technical fields — Registrar, Creation Date, Expiry Date, Nameservers — because registrars are required to maintain these accurately for the registration to function. Registrant fields are less reliable: registrars don't deeply verify identity, GDPR redaction hides most personal data, and outright fraudulent registrations exist. Treat technical fields as authoritative and registrant fields as advisory.
Country-code TLDs often use non-standard WHOIS protocols, custom query formats, or web-only access. This tool's standard port-43 query works well for gTLDs (.com, .net, .org, .io, etc.) but returns partial or empty results for many ccTLDs. For .uk use Nominet's WHOIS, for .de use DENIC, for .fr use AFNIC. Each registry maintains its own canonical lookup at the registry's website.
Yes. WHOIS is a public protocol designed for public lookups — the data is intentionally accessible to anyone. Both individual investigative use and bulk/automated lookups are legal, though registrars rate-limit aggressive querying to protect their infrastructure. Using WHOIS data for unsolicited marketing ("WHOIS spam") violates registrar Terms of Service and many anti-spam laws including CAN-SPAM and GDPR.
Look at the Creation Date field returned by the lookup. The tool also computes the Domain Age in years and months for convenience. For phishing analysis, anything under 90 days old is statistically suspicious; under 30 days old is a strong indicator. Many legitimate domains are also new (genuine new businesses launch every day), so age is one signal among many — combine with the Phishing URL Scanner and Domain Age Checker for a layered analysis.
Creation Date is when the domain was first registered; it never changes for the life of that registration. Updated Date is when any field in the WHOIS record was last modified — typically because the registrant changed nameservers, transferred registrar, renewed early, or updated contact info. A recent Updated Date with an old Creation Date is normal (active maintenance); a recent Updated Date with a recent Creation Date and unusual content is a higher-attention combination.
DNSSEC adoption remains low — under 5% of domains globally, with mixed adoption even in security-conscious sectors. Most domains, including major commercial sites, run unsigned. Lack of DNSSEC is not a security failure for the typical website; it just means the domain doesn't cryptographically sign its DNS responses. DNSSEC matters most for high-trust services (financial, government, top-level infrastructure) and is gradually being adopted in those sectors.

Related Security Tools

🌐 DNS Lookup Query the actual DNS records for the domain 📅 Domain Age Checker Quick-look age check without full WHOIS noise 🔒 SSL Certificate Verify the cert this domain currently serves 🌐 IP Address Lookup Identify the hosting provider behind the domain

Learn More

📚 Identity Based Attacks 2026 How attacker-owned domains fit identity-attack patterns 🧭 OSINT Fundamentals WHOIS as a primary OSINT data source 🏹 Bug Bounty Reconnaissance Domain pivoting techniques for recon phase