Who owns example.com? For decades, the answer was a simple command away: whois example.com. (For the privacy implications, see Domain Privacy and Proxy Services.) The WHOIS protocol — one of the internet’s oldest — provided a public phone book of domain ownership. Then GDPR arrived, privacy expectations shifted, and the entire system had to evolve.
This is the story of how we look up domain ownership, why the old way broke, and what replaced it.
WHOIS: The Original Directory
WHOIS predates DNS itself. The protocol was first described in RFC 812 (1982) and formalized in RFC 3912 (2004). It was designed in an era when the internet was a small, trusted community and transparency was assumed.
How WHOIS Works
WHOIS is remarkably simple:
- Client connects to the WHOIS server on TCP port 43
- Client sends a query string (the domain name) followed by a newline
- Server returns a text response with domain data
- Connection closes
That’s it. No authentication, no structured format, no error codes — just plaintext in, plaintext out.
```
$ whois example.com
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://www.iana.org
Updated Date: 2024-08-14T07:01:38Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority
Registrar IANA ID: 376
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: signedDelegation
```
WHOIS Data Fields
A full WHOIS record traditionally contains:
Domain data:
- Domain name, registry ID
- Creation, update, and expiry dates
- Nameservers
- DNSSEC status
- EPP status codes
Registrar data:
- Registrar name and IANA ID
- Registrar WHOIS server URL
- Abuse contact email and phone
Contact data (historically four sets):
- Registrant: The domain owner
- Admin contact: Administrative point of contact
- Tech contact: Technical point of contact
- Billing contact: Payment handling (removed from many TLDs)
Each contact set traditionally included: name, organization, street address, city, state, postal code, country, phone, fax, and email.
The Multi-Server Problem
There’s no single WHOIS server. The system is distributed across registries and registrars:
- Registry WHOIS: Each TLD operates its own WHOIS server (e.g., `whois.verisign-grs.com` for `.com`)
- Registrar WHOIS: For thick-registry queries, registrars may also operate WHOIS servers with additional detail
- IANA WHOIS: `whois.iana.org` serves as a root referral service, pointing you to the correct TLD WHOIS server
For thin registries (historically .com and .net), a WHOIS query required two steps: first query the registry to find the registrar, then query the registrar for full contact data. The transition to thick registries simplified this, but the multi-server architecture remains.
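The four-step exchange from "How WHOIS Works" and the two-step referral lookup described here, as an added example that is not code from the original page. The function names, the 1 MiB response cap and the hop limit are assumptions of this sketch, and the referral check is syntactic only; a server-side lookup service would also restrict which hosts it is willing to connect to.

```python
import re
import socket

MAX_RESPONSE = 1 << 20  # cap on bytes accepted from an untrusted server
HOST_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}")
# Referral label as printed in the sample record above; other servers differ.
REFERRAL_RE = re.compile(r"^\s*Registrar WHOIS Server:\s*(\S+)\s*$", re.I | re.M)


def is_hostname(name):
    return len(name) <= 253 and HOST_RE.fullmatch(name) is not None


def whois_exchange(sock, query):
    """One RFC 3912 exchange: send a single query line, read until close."""
    name = query.lower()
    if not is_hostname(name):
        # Blocks CR/LF and option strings from reaching the server.
        raise ValueError("query is not a plain hostname")
    sock.sendall(name.encode("ascii") + b"\r\n")
    chunks, total = [], 0
    while total < MAX_RESPONSE:
        data = sock.recv(4096)
        if not data:  # server signals end of response by closing
            break
        chunks.append(data)
        total += len(data)
    return b"".join(chunks)[:MAX_RESPONSE].decode("utf-8", errors="replace")


def find_referral(response):
    """Return the referred WHOIS host if it is a syntactically valid name."""
    match = REFERRAL_RE.search(response)
    host = match.group(1).lower().rstrip(".") if match else ""
    return host if is_hostname(host) else None


def lookup(domain, server, max_hops=2, timeout=10):
    """Query `server`, then follow at most `max_hops` distinct referrals."""
    seen, text = set(), ""
    while server and server not in seen and len(seen) <= max_hops:
        seen.add(server)
        with socket.create_connection((server, 43), timeout=timeout) as sock:
            text = whois_exchange(sock, domain)
        server = find_referral(text)
    return text
```

The response is attacker-influenced text from whichever server answers, so the timeout, the size cap and the hop limit matter as much as the query itself.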
WHOIS Limitations
The protocol accumulated serious problems over its 40+ years:
No standard format: WHOIS responses are free-text. Every registry and registrar formats output differently. Parsing WHOIS data programmatically requires maintaining hundreds of format-specific parsers.
No internationalization: The original protocol doesn’t support Unicode. Internationalized contact data is inconsistently handled.
No authentication or access control: Anyone can query any domain’s WHOIS data. There’s no mechanism for rate limiting, tiered access, or authenticated queries.
No structured errors: If a query fails, you get a text string that might say “Not found” or “No match” or nothing at all — there’s no standardized error handling.
No referral standard: How one WHOIS server refers you to another (for thin registries) isn’t standardized. Different servers use different referral formats.
The GDPR Earthquake (2018)
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) took effect, and WHOIS broke.
The Problem
WHOIS published personal data (names, addresses, emails, phone numbers) of domain registrants — without consent, to anyone who asked. Under GDPR, this was a clear violation of data protection principles:
- Lawful basis: No legitimate basis for publishing registrant personal data to the public
- Data minimization: Full postal addresses and phone numbers were excessive
- Right to erasure: Registrants couldn’t have their data removed from WHOIS
- International transfers: WHOIS queries from non-EU servers accessed EU residents’ data
The Response
ICANN issued a Temporary Specification for gTLD Registration Data in May 2018, requiring registrars to redact personal data from public WHOIS responses. Overnight, WHOIS records went from fully transparent to mostly opaque:
Before GDPR:
```
Registrant Name: John Smith
Registrant Organization: Smith Enterprises
Registrant Street: 123 Main Street
Registrant City: Springfield
Registrant State/Province: IL
Registrant Postal Code: 62704
Registrant Country: US
Registrant Phone: +1.5551234567
Registrant Email: john@smithenterprises.com
```
After GDPR:
```
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: REDACTED FOR PRIVACY
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar
```
Only the registrant’s country and the registrar’s contact info remained visible. The change was applied globally, not just for EU registrants, because most registrars couldn’t easily distinguish EU from non-EU customers at query time.
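For anyone enriching domains from WHOIS text, the practical consequence is that placeholder strings must never be used as pivots, or thousands of unrelated domains appear to share one "registrant". The following added example (not from the original page) parses the free-text records above and clusters domains by email only when the value is real; the function names and the `.example` domain names are constructed for illustration.

```python
import re
from collections import defaultdict

# Placeholder phrasings taken from the samples on this page; extend per registrar.
PLACEHOLDER = re.compile(
    r"redacted for privacy|please query the rdds service|whoisguard", re.I)

# Abridged copies of the page's before/after records.
BEFORE = """Registrant Name: John Smith
Registrant Country: US
Registrant Email: john@smithenterprises.com"""
AFTER = """Registrant Name: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Email: Please query the RDDS service of the Registrar"""


def parse_whois(text):
    """Parse 'Key: value' lines into {key: [values]}; keys may repeat."""
    record = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only: values hold URLs, times
        if sep and key.strip() and value.strip():
            record[key.strip().lower()].append(value.strip())
    return dict(record)


def pivot_fields(record, prefix="registrant "):
    """Split contact fields into real values and placeholder values."""
    usable, masked = {}, {}
    for key, values in record.items():
        if key.startswith(prefix):
            for value in values:
                (masked if PLACEHOLDER.search(value) else usable)[key] = value
    return usable, masked


def cluster_by_email(records):
    """Group domains by registrant email, skipping placeholder values."""
    clusters = defaultdict(set)
    for domain, record in records.items():
        email = pivot_fields(record)[0].get("registrant email")
        if email:
            clusters[email.lower()].add(domain)
    return dict(clusters)


# Constructed corpus: the domain names are placeholders.
CORPUS = {"a.example": parse_whois(BEFORE), "b.example": parse_whois(BEFORE),
          "c.example": parse_whois(AFTER), "d.example": parse_whois(AFTER)}
```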
Impact
The GDPR redaction affected nearly every domain industry practice:
- Brand protection: Companies could no longer easily identify cybersquatters
- Law enforcement: Investigators lost easy access to registrant data
- Security researchers: Tracking malicious domains became harder
- Domain investors: Identifying domain owners for acquisition became difficult
- Abuse reporting: Finding the responsible party for a phishing domain required more steps
ICANN developed a System for Standardized Access/Disclosure (SSAD) to provide tiered access for legitimate users, but progress has been slow and controversial.
RDAP: The Modern Replacement
Registration Data Access Protocol (RDAP) was designed to replace WHOIS with a modern, standardized, and access-controllable protocol. Defined in RFC 7480-7484 (2015) and required for gTLDs since 2019, RDAP addresses virtually every WHOIS limitation.
How RDAP Works
RDAP is a RESTful HTTP/HTTPS protocol that returns structured JSON:
```
$ curl https://rdap.verisign.com/com/v1/domain/example.com
{
  "objectClassName": "domain",
  "handle": "2336799_DOMAIN_COM-VRSN",
  "ldhName": "example.com",
  "status": ["client delete prohibited", "client transfer prohibited"],
  "events": [
    {
      "eventAction": "registration",
      "eventDate": "1995-08-14T04:00:00Z"
    },
    {
      "eventAction": "expiration",
      "eventDate": "2025-08-13T04:00:00Z"
    }
  ],
  "nameservers": [
    {"ldhName": "a.iana-servers.net"},
    {"ldhName": "b.iana-servers.net"}
  ],
  "links": [...],
  "secureDNS": {
    "delegationSigned": true
  }
}
```
RDAP vs WHOIS
| Feature | WHOIS | RDAP |
|---|---|---|
| Protocol | TCP port 43 | HTTPS (REST API) |
| Data format | Unstructured text | Structured JSON |
| Internationalization | None | Full Unicode support |
| Authentication | None | HTTP-based auth possible |
| Access control | None | Tiered access supported |
| Referrals | Ad-hoc text | Standardized JSON links |
| Error handling | Informal text | HTTP status codes + JSON |
| Encryption | None (plaintext) | TLS (HTTPS) |
| Discovery | Manual (know the server) | Bootstrap via IANA registry |
RDAP Bootstrap
One of RDAP’s elegant solutions is the bootstrap mechanism (RFC 7484). Instead of needing to know which server to query, clients can consult IANA’s bootstrap registries:
- `https://data.iana.org/rdap/dns.json` — maps TLDs to RDAP servers
- `https://data.iana.org/rdap/ipv4.json` — maps IP blocks to RDAP servers
Query the bootstrap file, find the RDAP server for the TLD you’re interested in, and query it directly. No chain of referrals needed.
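The bootstrap lookup, as an added example that is not code from the original page: it resolves a domain against a bootstrap document in the RFC 7484 layout and builds the query URL. The embedded document is a constructed sample (only the Verisign URL appears on this page; the `.example` hosts are placeholders), and refusing entries that offer no HTTPS URL is a policy choice of this sketch.

```python
import json
from urllib.parse import quote

# Constructed sample in the RFC 7484 layout: each service is
# [[entries...], [base URLs...]].
SAMPLE_BOOTSTRAP = json.loads("""
{
  "version": "1.0",
  "services": [
    [["com"], ["https://rdap.verisign.com/com/v1/"]],
    [["example"], ["http://rdap.registry.example/",
                   "https://rdap.registry.example/"]],
    [["co.example"], ["https://rdap.co-registry.example/"]]
  ]
}
""")


def rdap_base(domain, bootstrap):
    """Return the HTTPS base URL of the longest matching entry, else None."""
    labels = domain.lower().rstrip(".").split(".")
    table = {}
    for entries, urls in bootstrap["services"]:
        for entry in entries:
            table[entry.lower()] = urls
    # Longest suffix first: a.co.example -> co.example -> example
    for i in range(len(labels)):
        urls = table.get(".".join(labels[i:]))
        if urls:
            https = [u for u in urls if u.lower().startswith("https://")]
            return https[0] if https else None  # no cleartext fallback
    return None


def rdap_domain_url(domain, bootstrap):
    """Build the /domain/ query URL, percent-encoding the name as one segment."""
    base = rdap_base(domain, bootstrap)
    if base is None:
        return None
    name = domain.lower().rstrip(".")
    return base.rstrip("/") + "/domain/" + quote(name, safe="")
```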
RDAP and Access Control
RDAP’s HTTP foundation enables differentiated access:
- Anonymous queries: Get basic domain data (what public WHOIS shows today)
- Authenticated queries: With credentials, access additional registrant data based on your role
- Law enforcement: Could receive full registrant data with proper authorization
- Brand owners: Could access data for trademark enforcement purposes
This tiered access model is what ICANN’s SSAD framework aims to build on, though implementation across all registrars and registries is still evolving.
Privacy and Proxy Services
Even before GDPR, domain registrants who wanted privacy could use privacy/proxy services:
Privacy Services
A privacy service replaces the registrant’s personal data in WHOIS/RDAP with the privacy provider’s contact information. The domain remains legally owned by the actual registrant — only the published contact data changes.
```
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Email: 7f8k3x9p@whoisguard.com
```
Proxy Services
A proxy service goes further — the proxy actually registers the domain on behalf of the customer. The proxy is the registrant of record, holding the domain in trust. This provides stronger privacy but means you’re technically not the legal owner of your domain.
Post-GDPR Reality
After GDPR, most registrars began including basic WHOIS privacy for free — since the data was already redacted, there was less to “protect.” Previously, privacy was a popular upsell ($5-12/year). The value proposition shifted from “hide your data” to “provide an operational contact proxy.”
ICANN’s Registration Data Policy (adopted 2024) formalized rules around privacy services, requiring that the underlying registrant data be disclosed to ICANN or law enforcement under specific conditions.
Key Takeaways
- WHOIS (port 43, plaintext) has served as the domain lookup protocol since 1982 but suffers from lack of standardization, authentication, and privacy controls
- GDPR forced mass redaction of WHOIS personal data in 2018, fundamentally changing the system
- RDAP (HTTPS, JSON) is the modern replacement — standardized, encrypted, and supporting tiered access
- RDAP bootstrap eliminates the need to know which server to query
- Privacy services replace published contact data; proxy services register on your behalf
- The transition from WHOIS to RDAP is ongoing — both protocols currently coexist
Next, we’ll walk through the process of moving a domain from one registrar to another — the transfer process, auth codes, and the locks that protect (and sometimes frustrate) domain owners.