WHOIS Lookup (RDAP)
Lookup registration data for domains and IPs using RDAP endpoints.
About this tool
This WHOIS lookup tool uses RDAP (Registration Data Access Protocol) - the modern, structured replacement for the legacy WHOIS text protocol. RDAP returns registration data for domains and IP addresses in JSON format, making it easier to parse programmatically and more consistent across registries. Typical data includes registrant contact information, registration and expiration dates, nameservers, and the registrar name.
Real example
Input: example.com
The RDAP response includes:
ldhName: EXAMPLE.COM
status: client delete prohibited, client transfer prohibited, client update prohibited
registrar: RESERVED-Internet Assigned Numbers Authority
events: registration date 1995-08-14, last changed date (recent)
nameservers: a.iana-servers.net, b.iana-servers.net
For an IP like 8.8.8.8, the ARIN RDAP response shows the network block 8.8.8.0/24, the organization (Google LLC), and the abuse contact handle.
Common use cases
- Phishing and threat investigation: When a suspicious domain appears in your logs or in a reported phishing email, RDAP lookup reveals when the domain was registered, who the registrar is, and whether key privacy fields are redacted. Recently registered domains with privacy protection and generic nameservers are a common phishing signal.
- Infrastructure attribution: During a security incident, look up the IPs making suspicious requests to identify the hosting provider and whether they belong to known cloud, CDN, or bot infrastructure. Combine with IP Lookup for ASN-level detail.
- Brand protection and domain monitoring: Check registration details for lookalike domains (typosquats) targeting your brand. Expiration dates and registrar information can inform takedown requests.
- Abuse reporting: RDAP responses include abuse contact handles. Look up the hosting IP to find the correct abuse reporting address for a provider.
How it works
For domains, the tool queries https://rdap.org/domain/<domain>. For IPv4 addresses, it queries https://rdap.arin.net/registry/ip/<ip> (the ARIN registry, which handles North American IP space). The full RDAP JSON response is returned and displayed. RDAP replaced WHOIS because WHOIS responses are unstructured text that differs by registry - RDAP is a standardized JSON API defined in RFC 7483.
Common mistakes
- CORS failures are expected: Some RDAP endpoints block direct browser requests due to CORS policy. If the lookup fails, use the rdap.org or rdap.arin.net endpoints directly from your terminal: curl https://rdap.org/domain/example.com | jq .
- Privacy-redacted contacts are the norm: GDPR and registrar policies result in most registrant contact fields being redacted. The absence of a registrant name does not mean the domain is suspicious - most consumer registrations are now privacy-protected.
- RDAP scope is limited to registration data: RDAP tells you who registered a domain and when - it does not show DNS records, hosting details, or traffic information. For DNS, use Hostname to IP.
FAQ
What is the difference between RDAP and classic WHOIS?
Classic WHOIS is a plain-text protocol defined in RFC 3912 with no standardized response format. RDAP (RFC 7483) returns structured JSON with consistent field names, supports authentication, and is the replacement standard that most registries have now adopted.
Why does the lookup sometimes fail?
Browser-based RDAP queries are subject to CORS restrictions. Some registries and regional Internet registries do not allow direct browser queries. For reliable lookups, use a CLI tool like whois or curl from a server.
Can I look up IPv6 addresses?
Yes. Enter the full IPv6 address and the tool will query the appropriate RDAP registry endpoint for that address block.
What does "client transfer prohibited" status mean?
It means the registrar has placed a lock on the domain preventing transfer to another registrar. This is a standard security lock applied to most commercial domains to prevent unauthorized transfers.
Reading WHOIS/RDAP data for security investigations
WHOIS and RDAP lookups are standard first steps in domain and IP investigations — phishing analysis, abuse reporting, vendor due diligence, and incident response all start with "who controls this?" The data returned comes from the registrar and the regional Internet registry (RIR) that manages the address space, so the accuracy depends on what those organizations have on file.
Registration date: A domain registered very recently — within days or weeks of suspicious activity — is a strong phishing and fraud signal. Legitimate organizations almost never spin up new domains immediately before using them for major communications. A two-week-old domain sending "urgent security notices" is almost certainly malicious. Registrar WHOIS data includes the creation date; RDAP surfaces it in the events array as the entry whose eventAction is registration.
Registrar: Some registrars are disproportionately associated with abuse due to lax verification. Seeing a registrar with a poor abuse reputation is an additional risk signal. The registrar's abuse contact is also in the WHOIS record — useful for filing abuse reports directly.
Name servers: The authoritative name servers listed in WHOIS reveal who controls DNS for the domain. Domains using fast-flux DNS (rapidly rotating name servers or IPs) will show name servers that change between lookups. Infrastructure-as-a-service name servers (Route 53, Cloudflare, etc.) are neutral; unusual or unknown name servers warrant additional scrutiny.
Privacy/proxy registration: GDPR and similar regulations have led most registrars to redact registrant contact data by default, replacing it with privacy service contact details. Redacted contacts do not indicate a malicious domain — they indicate a domain using standard privacy protection. However, for legitimate business domains, the absence of any organizational information is worth noting.
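The fields described above can be read out of an RDAP domain response with a short Python function. This is an added example, not the tool's own code; the sample response, the domain and registrar names, and the 30-day recent_days threshold are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample: trimmed RDAP domain object for a made-up,
# recently registered domain (reserved .example names throughout).
SAMPLE = json.loads("""{
  "ldhName": "LOGIN-PORTAL.EXAMPLE",
  "status": ["client transfer prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2024-05-01T09:30:00Z"},
    {"eventAction": "expiration", "eventDate": "2025-05-01T09:30:00Z"}],
  "entities": [{"roles": ["registrar"], "vcardArray": ["vcard", [
    ["version", {}, "text", "4.0"], ["fn", {}, "text", "Example Registrar LLC"]]]}],
  "nameservers": [{"ldhName": "NS1.DNS.EXAMPLE"}, {"ldhName": "NS2.DNS.EXAMPLE"}]
}""")
SAMPLE_NOW = datetime(2024, 5, 12, tzinfo=timezone.utc)  # constructed "today"

def event_date(rdap, action):
    """Return the timestamp of the first event with this eventAction."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action and ev.get("eventDate"):
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def entity_name(rdap, role):
    """Return the jCard "fn" value of the first entity holding this role."""
    for ent in rdap.get("entities", []):
        if role in ent.get("roles", []):
            props = (ent.get("vcardArray") or ["vcard", []])[1]
            return next((p[3] for p in props if p[0] == "fn"), None)
    return None

def triage_domain(rdap, now, recent_days=30):
    """Collect the fields read first; recent_days is an assumed threshold."""
    registered = event_date(rdap, "registration")
    age = (now - registered).days if registered else None
    return {
        "domain": rdap.get("ldhName", "").lower(),
        "registered": registered.date().isoformat() if registered else None,
        "age_days": age,
        "recently_registered": age is not None and age <= recent_days,
        "registrar": entity_name(rdap, "registrar"),
        "nameservers": [ns["ldhName"].lower() for ns in rdap.get("nameservers", [])],
        "transfer_locked": "client transfer prohibited" in rdap.get("status", []),
        "registrant_listed": entity_name(rdap, "registrant") is not None,
    }

if __name__ == "__main__":
    print(json.dumps(triage_domain(SAMPLE, SAMPLE_NOW), indent=2))
```

A false registrant_listed value only records that no registrant entity was returned, which is the normal case for privacy-protected registrations.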
IP WHOIS vs domain WHOIS
Domain WHOIS (queried by domain name) is handled by the domain's registrar and returns registration details. IP WHOIS (queried by IP address) is handled by the relevant RIR — ARIN for North American IPs, RIPE for European IPs, APNIC for Asia-Pacific, LACNIC for Latin America, AFRINIC for Africa — and returns network block ownership and abuse contact information.
The two lookups serve different purposes. Domain WHOIS tells you who registered example.com. IP WHOIS tells you which organization controls the IP block that example.com resolves to. For a phishing domain, you typically want both: domain WHOIS to see the registrant and registration date, and IP WHOIS (via IP Lookup) to see the hosting provider and send an abuse report to the right NOC contact.
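For the IP side, this added Python example (not part of the tool) reads an RDAP IP network response, derives the CIDR block from startAddress and endAddress, and collects abuse contacts, which registries often nest inside the organization entity. The sample response, handles, names and addresses are constructed.

```python
import ipaddress
import json

# Constructed sample: trimmed RDAP "ip network" object on a documentation
# range. Handles, names and addresses are made up.
SAMPLE = json.loads("""{
  "objectClassName": "ip network",
  "startAddress": "192.0.2.0", "endAddress": "192.0.2.255",
  "entities": [{
    "handle": "EXHOST", "roles": ["registrant"],
    "vcardArray": ["vcard", [["fn", {}, "text", "Example Hosting Inc."]]],
    "entities": [{
      "handle": "ABUSE-EXAMPLE", "roles": ["abuse"],
      "vcardArray": ["vcard", [["fn", {}, "text", "Abuse Desk"],
                               ["email", {}, "text", "abuse@hosting.example"]]]}]}]
}""")

def vcard_values(entity, prop):
    """Return all values of one jCard property; rows are [name, params, type, value]."""
    rows = (entity.get("vcardArray") or ["vcard", []])[1]
    return [r[3] for r in rows if len(r) > 3 and r[0] == prop]

def walk_entities(obj):
    """Yield all entities depth-first; contacts are often nested under the org."""
    for ent in obj.get("entities", []):
        yield ent
        yield from walk_entities(ent)

def network_summary(rdap):
    """Return the covering CIDR block(s), the registrant org and abuse contacts."""
    start = ipaddress.ip_address(rdap["startAddress"])
    end = ipaddress.ip_address(rdap["endAddress"])
    org, abuse = None, []
    for ent in walk_entities(rdap):
        roles = ent.get("roles", [])
        if org is None and "registrant" in roles:
            org = next(iter(vcard_values(ent, "fn")), None)
        if "abuse" in roles:
            abuse.append({"handle": ent.get("handle"),
                          "emails": vcard_values(ent, "email")})
    return {"cidrs": [str(n) for n in ipaddress.summarize_address_range(start, end)],
            "org": org, "abuse": abuse}

if __name__ == "__main__":
    print(json.dumps(network_summary(SAMPLE), indent=2))
```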
RDAP vs classic WHOIS: RDAP returns structured JSON with consistent field names, making it machine-parseable. Classic WHOIS is free-text with no standardized format — parsing it requires per-registrar regex patterns. RDAP is the modern standard; most TLD registries now provide RDAP endpoints. This tool uses RDAP where available for more reliable structured output.
For a complete investigation workflow: start with Hostname to IP to resolve the domain, then IP Lookup for ASN and geolocation, and WHOIS Lookup for domain registration history and abuse contacts.
Related tools
- IP Lookup — get geolocation, ASN, and hosting provider for the resolved IP
- Hostname to IP — resolve the domain to its current IP address before investigating
- CIDR / IP Converter — check whether a flagged IP falls inside a known suspicious network range
- CSP Analyzer — verify domain legitimacy when auditing CSP allowlist sources