QueryBox networktoolkit.io

WHOIS / RDAP Lookup

Query domain and IP registration data from the internet's authoritative registries using WHOIS and RDAP.


TL;DR

WHOIS and RDAP both answer the question: "who registered this domain or IP prefix?" WHOIS is the 40-year-old plaintext protocol; RDAP is its modern HTTPS/JSON replacement. Both reveal registration dates, nameservers, registrar, and administrative contacts (where not redacted).

What it is

WHOIS (RFC 3912) was conceived in the early days of the internet to let anyone look up who operates a network or owns a domain. Every public IP address block and every domain name has a registration record stored in a chain of registries: the Regional Internet Registries (RIRs) for IPs, and ICANN-accredited registrars and registries for domains.

RDAP (Registration Data Access Protocol, RFC 7480–7484) was designed to modernise WHOIS. It uses HTTPS instead of a raw TCP query, returns structured JSON, supports authentication, and uses a bootstrap registry so clients can automatically find the correct data source for any input.

How it works

For a domain lookup:

  1. The TLD (e.g. .com) determines which registry to query (Verisign for .com, Nominet for .uk, etc.)
  2. The registry record holds the registrar, dates, nameservers, and (often redacted) contact data
  3. For detailed registrant information, a second query goes to the registrar's own WHOIS server

For an IP or prefix lookup:

  1. The IP range determines which RIR holds the record: ARIN (North America), RIPE NCC (Europe/Middle East/Central Asia), APNIC (Asia-Pacific), LACNIC (Latin America), or AFRINIC (Africa)
  2. The RIR record shows the prefix, the organisation it was assigned to, contact handles, and abuse contacts
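
The routing step in both procedures above can be sketched as follows. This is an added example, not networktoolkit.io's code: the bootstrap tables are constructed excerpts in the RFC 7484 layout with placeholder hostnames, and the function names are hypothetical.

```python
import ipaddress

# Constructed excerpts in the IANA bootstrap layout (RFC 7484): each service is
# [list of TLDs or CIDR prefixes, list of RDAP base URLs]. Hostnames are placeholders.
DNS_BOOTSTRAP = {"services": [
    [["com", "net"], ["https://rdap.registry-a.example/v1/"]],
    [["uk"], ["https://rdap.registry-b.example/"]],
]}
IPV4_BOOTSTRAP = {"services": [
    [["192.0.0.0/8"], ["https://rdap.rir-a.example/"]],
    [["192.0.2.0/24", "198.51.100.0/24"],
     ["http://rdap.rir-b.example/", "https://rdap.rir-b.example/"]],
]}

def _pick_https(urls):
    """Return an HTTPS base URL; never fall back to a cleartext server."""
    for url in urls:
        if url.lower().startswith("https://"):
            return url if url.endswith("/") else url + "/"
    raise LookupError("no HTTPS RDAP server listed")

def rdap_url_for_domain(name, bootstrap=DNS_BOOTSTRAP):
    """Find the registry by the longest matching label suffix of the name."""
    labels = name.rstrip(".").lower().split(".")
    table = {tld.lower(): urls for tlds, urls in bootstrap["services"] for tld in tlds}
    for i in range(len(labels)):  # i = 0 tries the longest suffix first
        suffix = ".".join(labels[i:])
        if suffix in table:
            return f"{_pick_https(table[suffix])}domain/{'.'.join(labels)}"
    raise LookupError(f"no RDAP service for {name!r}")

def rdap_url_for_ip(target, bootstrap=IPV4_BOOTSTRAP):
    """Longest-prefix match of an address or CIDR against the listed allocations."""
    net = ipaddress.ip_network(target, strict=False)
    best = None
    for prefixes, urls in bootstrap["services"]:
        for prefix in prefixes:
            cand = ipaddress.ip_network(prefix)
            if (cand.version == net.version and net.subnet_of(cand)
                    and (best is None or cand.prefixlen > best[0].prefixlen)):
                best = (cand, urls)
    if best is None:
        raise LookupError(f"no RDAP service for {target!r}")
    length = f"/{net.prefixlen}" if net.prefixlen < net.max_prefixlen else ""
    return f"{_pick_https(best[1])}ip/{net.network_address}{length}"
```

An input with no matching entry raises `LookupError` rather than guessing a server, which is where a WHOIS fallback would take over.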

When to use it

  • Identify the owner of a domain or IP address
  • Find the registrar and nameservers for a domain
  • Check domain registration and expiry dates
  • Find abuse contacts for reporting spam, phishing, or network attacks
  • Confirm a domain was registered recently (often a fraud signal)
  • Check whether a domain is privacy-protected or publicly registered
  • Investigate an IP address appearing in logs or attack traffic
  • Verify IP prefix ownership for routing investigations

Running it on networktoolkit.io

Select whois, enter a domain name or IP address, and the lookup runs via RDAP with a WHOIS fallback. Sample domain output:

Query: example.com (RDAP)
Registry: rdap.verisign.com

Domain name:         example.com
Registry domain ID:  2336799_DOMAIN_COM-VRSN
Registrar:           RESERVED-Internet Assigned Numbers Authority
IANA ID:             376
Status:              clientDeleteProhibited
                     clientTransferProhibited
                     clientUpdateProhibited
Created:             1995-08-14T04:00:00Z
Updated:             2023-08-14T07:01:31Z
Expires:             2024-08-13T04:00:00Z

Nameservers:
  a.iana-servers.net
  b.iana-servers.net

Contacts: [redacted — GDPR]

Sample IP output:

Query: 93.184.216.0/24 (RDAP via ARIN)

Network name:  EDGECAST
Handle:        NET-93-184-216-0-2
Range:         93.184.216.0 – 93.184.216.255 (/24)
Parent:        NETBLK-US-EDGECAST-NETWORK-2 (93.184.0.0/16)
Org:           Edgio, Inc.
Country:       US
Allocated:     2008-06-23

Abuse contact: abuse@verizondigitalmedia.com

Reading domain WHOIS fields

Field        Meaning
Registrar    The ICANN-accredited registrar the domain owner used to register
Status       EPP status codes: clientDeleteProhibited, clientTransferProhibited, pendingTransfer, etc.
Created      When the domain was first registered
Updated      Last time the registration record was modified
Expires      When the domain will lapse if not renewed
Nameservers  The authoritative DNS servers for the domain
Contacts     Registrant, admin, tech contacts — often redacted under GDPR for gTLDs
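
The same fields can be pulled from the raw RDAP JSON and turned into triage signals such as domain age and contact redaction. The following is an added example, not the tool's own code: the response is constructed from the sample output above using RFC 7483 member names, and the 30-day threshold and the redaction heuristic are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 7483 member names); values mirror the sample output.
SAMPLE = json.loads("""{
 "objectClassName": "domain", "ldhName": "EXAMPLE.COM",
 "events": [{"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2024-08-13T04:00:00Z"}],
 "nameservers": [{"ldhName": "A.IANA-SERVERS.NET"}, {"ldhName": "B.IANA-SERVERS.NET"}],
 "entities": [
  {"roles": ["registrar"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                            ["fn", {}, "text", "RESERVED-Internet Assigned Numbers Authority"]]]},
  {"roles": ["registrant"], "remarks": [{"title": "REDACTED FOR PRIVACY"}]}]
}""")

def _when(rdap, action):
    """Return the timezone-aware date of the first event with this eventAction."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def _entity(rdap, role):
    return next((e for e in rdap.get("entities", []) if role in e.get("roles", [])), None)

def _fn(entity):
    """Formatted name ('fn') from an entity's jCard, or None if absent."""
    props = (entity or {}).get("vcardArray", [None, []])[1]
    return next((p[3] for p in props if p[0] == "fn"), None)

def summarize(rdap, now, new_days=30):
    created, expires = _when(rdap, "registration"), _when(rdap, "expiration")
    registrant = _entity(rdap, "registrant")
    # Heuristic (assumption): no registrant, no name, or a remark titled "redacted".
    redacted = (registrant is None or _fn(registrant) is None or bool(rdap.get("redacted"))
                or any("redacted" in r.get("title", "").lower() for r in registrant.get("remarks", [])))
    age = (now - created).days if created else None
    return {
        "domain": rdap.get("ldhName", "").lower(),
        "registrar": _fn(_entity(rdap, "registrar")),
        "nameservers": sorted(ns["ldhName"].lower() for ns in rdap.get("nameservers", [])),
        "age_days": age,
        # None (unknown) when the date is missing, so absent data never reads as "old".
        "newly_registered": None if age is None else age < new_days,
        "expired": expires is not None and expires < now,
        "contacts_redacted": redacted,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, datetime.now(timezone.utc)))
```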

Domain WHOIS vs IP WHOIS

Aspect             Domain WHOIS                                 IP WHOIS
Authority          ICANN registries, accredited registrars      Regional Internet Registries (ARIN, RIPE, APNIC, LACNIC, AFRINIC)
Object             A domain name                                An IP prefix (range) or individual IP
Contact redaction  Common (GDPR, privacy protection services)   Rare; abuse contacts must be present per RIR policy
Abuse reporting    Via registrar abuse contact                  Via RIR record's abuse-mailbox / OrgAbuseEmail

Limitations & gotchas

  • GDPR redaction means domain registrant details are often absent for .com, .net, .org, and other gTLDs registered by EU/UK individuals. ccTLDs have their own policies.
  • Data may be stale. Organizations are not always prompt in updating their RIR records. Treat contact details as a starting point, not a definitive answer.
  • Rate limiting. WHOIS servers enforce query limits. Heavy use can result in temporary blocks from individual servers.
  • Accuracy varies by TLD. Some registries have poor data quality requirements. Others enforce strict validation. Domain age alone does not indicate whether data is current.
  • Privacy proxy services deliberately obfuscate registrant identity. RDAP "redactedForPrivacy" or a privacy-service registrant (e.g., "Domains By Proxy") indicates this.

FAQ

What is the difference between WHOIS and RDAP?

WHOIS is a 40-year-old plaintext protocol (RFC 3912) that returns free-form text. RDAP is the modern replacement: it uses HTTPS and returns structured JSON, supports authentication, and provides bootstrapping to find the correct registry automatically. Both answer the same fundamental question: who registered this domain or IP prefix?

Why is registrant contact information redacted?

Since 2018, GDPR and similar privacy regulations have led ICANN to require that personal contact details be redacted in gTLD WHOIS. Registrars replaced direct contacts with anonymised email forms. The domain's administrative details (registrar, dates, nameservers) remain visible.

How do I report network abuse using WHOIS data?

Look for the abuse-mailbox or OrgAbuseEmail field in the IP WHOIS record via the responsible RIR. For domains, the registrar abuse contact is typically published on the registrar's website. You can also use ARIN, RIPE, APNIC, LACNIC, and AFRINIC's online forms.

How current is WHOIS data?

Domain WHOIS is usually updated within minutes to hours after a change at the registrar. IP WHOIS from RIRs reflects registry data that may be months old if the holding organisation has not kept records current. Always treat registration contact details as potentially stale.