What is WHOIS? Domain Lookup Explained
“WHOIS is the protocol and database for querying domain registration information — who registered a domain, when, and through which registrar.”
Definition
When someone registers a domain, the registrar collects contact info: name, email, phone, address. That data is forwarded to a WHOIS database that anyone can query. Originally fully public, modern WHOIS is partially redacted under GDPR — many fields appear as 'REDACTED' for individual registrants. Some data remains visible: registrar, creation date, expiration date, name servers, sometimes country.
Modern OSINT uses WHOIS in combination with: certificate transparency logs (CT logs that record every SSL cert ever issued, revealing subdomains), passive DNS history (showing IP addresses the domain pointed to over time), and registrant clustering (linking domains by shared technical contacts or hosting fingerprints). RDAP (Registration Data Access Protocol) is the modern replacement for the WHOIS protocol — same data, structured JSON. Skopio's domain category aggregates all of these into one query.
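An added example (not part of the original page and not Skopio's code) showing what "same data, structured JSON" means in practice: it reads an RDAP domain response, extracts the fields that typically stay visible, and lists what was redacted. The sample response, the domain and registrar names, and the function names are constructed for illustration; the layout follows RFC 9083 and the `redacted` member follows RFC 9537.

```python
from datetime import datetime, timezone

# Constructed RDAP domain response in RFC 9083 layout (not real registration data).
SAMPLE = {
    "objectClassName": "domain", "ldhName": "LOOKALIKE-LOGIN.EXAMPLE",
    "events": [{"eventAction": "registration", "eventDate": "2024-11-02T09:15:00Z"},
               {"eventAction": "expiration", "eventDate": "2025-11-02T09:15:00Z"}],
    "nameservers": [{"ldhName": "NS2.HOST.EXAMPLE"}, {"ldhName": "ns1.host.example"}],
    "entities": [
        {"roles": ["registrar"], "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"], ["fn", {}, "text", "Example Registrar LLC"]]]},
        {"roles": ["registrant"], "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"], ["fn", {}, "text", "REDACTED FOR PRIVACY"],
            ["adr", {"cc": "DE"}, "text", ["", "", "", "", "", "", ""]]]]}],
    # RFC 9537 "redacted" member: the server declares which fields it withheld.
    "redacted": [{"name": {"description": "Registrant Email"}, "method": "removal"}],
}

def vcard_prop(entity, prop):
    """Return (params, value) of the first jCard property named prop, else None."""
    for p in entity.get("vcardArray", ["vcard", []])[1]:
        if p[0] == prop:
            return p[1], p[3]
    return None

def summarize(rdap, now):
    """Pull out the fields that usually stay visible and list what was redacted."""
    events = {e["eventAction"]: e["eventDate"] for e in rdap.get("events", [])}
    out = {"domain": rdap.get("ldhName", "").lower(),
           "created": events.get("registration"), "expires": events.get("expiration"),
           "nameservers": sorted(n["ldhName"].lower() for n in rdap.get("nameservers", [])),
           "registrar": None, "registrant": None, "country": None, "age_days": None,
           "redacted": [r["name"].get("description") or r["name"].get("type")
                        for r in rdap.get("redacted", [])]}
    for ent in rdap.get("entities", []):
        fn = vcard_prop(ent, "fn")
        name = fn[1] if fn else None
        if "registrar" in ent.get("roles", []):
            out["registrar"] = name
        if "registrant" in ent.get("roles", []):
            if name and name.upper().startswith("REDACTED"):
                out["redacted"].append("Registrant Name")  # placeholder text, not a name
            else:
                out["registrant"] = name
            adr = vcard_prop(ent, "adr")
            out["country"] = adr[0].get("cc") if adr else None  # RFC 8605 CC parameter
    if out["created"]:  # domain age in days; recent registration is one triage signal
        created = datetime.fromisoformat(out["created"].replace("Z", "+00:00"))
        out["age_days"] = (now - created).days
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE, datetime(2024, 11, 20, tzinfo=timezone.utc)))
```

The `now` argument is passed in explicitly so the domain-age figure is reproducible when the same response is re-examined later.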
Real-world examples
1. A phishing investigator looking up a lookalike domain to find the registrant
2. A brand-protection team enumerating typosquats via CT-log analysis
3. A security researcher pivoting from one C2 domain to find related infrastructure
4. An acquisition due-diligence team checking when a target's brand domain was registered (newer = lower legitimacy signal)
5. An individual checking who owns a suspicious domain that emailed them
Frequently asked questions
Why is WHOIS partially redacted now?
GDPR (effective May 2018). Individual registrants in EU jurisdictions get default redaction of name, email, phone. Corporate registrants typically remain visible. ICANN created RDAP as a structured replacement that supports controlled disclosure.
How do I look up a domain's full WHOIS?
Use any free WHOIS tool (web-based) or 'whois domain.com' on the command line. Skopio's domain category returns RDAP/WHOIS plus DNS history, CT logs, and registrant clustering in a single query.
What if WHOIS is privacy-protected?
You'll see the registrar's privacy service in place of registrant data. Sometimes you can pivot — historical CT logs may have captured emails before privacy was applied. Sometimes the technical contact (DNS host) reveals information.
Is querying WHOIS legal?
Yes — that's its purpose. Some registrars rate-limit WHOIS queries to prevent abuse but the protocol is fully public.
What's CT (Certificate Transparency)?
CT is a public log of every SSL/TLS certificate ever issued. Since most modern browsers require CT-logged certs, this means a public index of every domain that's ever had an SSL cert. Powerful for finding subdomains, related domains, and historic infrastructure.
Try Skopio in WHOIS workflows
First search each day is free. No card. No commitment.