How do I do a WHOIS / RDAP lookup for a domain or IP?

A WHOIS lookup tells you who is behind a domain or an IP address: which registrar manages it, when it was created and when it expires, which nameservers it uses, and what registry status codes are set on it. For decades this came from the legacy WHOIS protocol on port 43, which returned unstructured free text with no common format and no access controls.

WHOIS vs RDAP

RDAP (Registration Data Access Protocol, RFC 9082 and RFC 9083) is the modern, standardised replacement. It runs over HTTPS, returns structured JSON, supports internationalised data and differentiated access, and is the protocol ICANN now requires every gTLD registry and registrar to operate. The WHOIS lookup tool queries RDAP directly — it resolves the authoritative server for a TLD or IP block through IANA's official bootstrap registry and parses the JSON, with the public rdap.org redirector as a fallback. So what you see comes straight from the registry rather than from scraped WHOIS text.

What you get for a domain

Enter a domain (e.g. example.com) and you reliably get the registrar (and its IANA ID), the registration, update and expiry dates, the nameservers, and the EPP status codes. Those status codes are worth reading. Codes beginning with client are set by the registrar and codes beginning with server by the registry. The clientTransferProhibited, clientDeleteProhibited, and clientUpdateProhibited locks are good news — they protect a domain against hijacking. Codes such as clientHold, pendingDelete, or redemptionPeriod are warnings: they mean the domain may not resolve, or is on its way to being deleted and released. The tool annotates each code in plain language.

What you get for an IP address

You can also look up an IP address. For IPv4 or IPv6, the lookup goes to the Regional Internet Registry responsible for the block — ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC — and returns the network range and CIDR, the network name, the owning organisation, the country, and the abuse contact. That is exactly what you need to report abuse or identify who operates an address.

Why the registrant is usually blank

Since GDPR came into force in 2018, registries and registrars redact personal registration data by default. For a typical domain the registrant's name, postal address, email, and phone are withheld unless the registrant is an organisation (a company name is often still shown) or has opted in. A good RDAP tool never fabricates those fields — it displays only what the registry actually returns. Some country-code TLDs (ccTLDs) also have not deployed RDAP at all; for those the lookup returns a clean "no RDAP service for this TLD" message rather than an error, and you would need a traditional WHOIS client.

Where it fits

WHOIS/RDAP answers who owns and administers a name or address; it does not test how the domain is configured. When you are finished, run a full DNS and email security scan, check delegation and records with the DNS lookup tool, or verify the signing chain with the DNSSEC checker.