RDAP: A Great Step Forward, but Also a Missed Opportunity

One of the major tools used by cybersecurity professionals is the WHOIS query. The query enables retrieval of information about a given domain – where it was registered, when it was registered, when it expires, what its name servers are, and more. This information can be crucial for brand protection, law enforcement investigations, and more. WHOIS queries can also be performed on IP addresses, revealing the web hosting company that owns the IP address.

For example, the response to a WHOIS query can look something like this:

Domain Name: intelfinder.io
Registry Domain ID: e80decefd9554551a0a4c0b4a1bd9e28-DONUTS
Registrar WHOIS Server: whois.godaddy.com/
Registrar URL: http://www.godaddy.com/domains/search.aspx?ci=8990
Updated Date: 2024-09-12T13:15:35Z
Creation Date: 2019-07-29T13:14:37Z
Registry Expiry Date: 2025-07-29T13:14:37Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: cctldassistance@godaddy.com
Registrar Abuse Contact Phone: +1.4805058800
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Organization: Domains By Proxy, LLC
Registrant State/Province: Arizona
Registrant Country: US

Name Server: ns52.domaincontrol.com
Name Server: ns51.domaincontrol.com

Unfortunately, WHOIS queries are showing their age, which isn’t surprising considering they’ve been around longer than most people have been alive. The WHOIS protocol was introduced in 1982, over a decade before the internet became a thing. Those who perform WHOIS queries often can easily point to the problems that exist in the protocol, dramatically affecting its effectiveness.

The Issues with WHOIS

WHOIS is a distributed service, meaning each WHOIS server usually holds information only on domains of a specific zone or TLD. Unlike DNS, if the information doesn’t exist in a particular server, it cannot route the query to the appropriate server. There is also no public central list of known WHOIS servers. Therefore, anyone interested in building a WHOIS solution must manually map these servers and develop their own list, which would likely be incomplete.

Another issue that plagues WHOIS is lack of standardization. While WHOIS servers were designed to receive requests on a specific port, 43, there are many WHOIS servers today that only accept requests via a web interface – for example, the WHOIS server for the TLD .dev, operated by Google. The lack of standardization doesn’t stop there – the format of WHOIS responses varies across different servers.

Here is the WHOIS response for london.gov.uk:

Domain name:
gov.uk
Registrant:
UK Cabinet Office
Registrant type:
UK Government Body
Registrant's address:
Government Digital Service
The White Chapel Building 7th Floor
10 Whitechapel High Street
London
E1 8QS
GB
Registrar:
No registrar listed. This domain is directly registered with Nominet.
Relevant dates:
Registered on: before Aug-1996
Registration status:
No registration status listed.
Name servers:
dns1.nic.uk.
dns2.nic.uk.
dns3.nic.uk.
dns4.nic.uk.
nsa.nic.uk.
nsb.nic.uk.
nsc.nic.uk.
nsd.nic.uk.
WHOIS lookup made at 23:07:19 24-Apr-2025

As can be seen, the format is completely different compared to our original WHOIS query on intelfinder.io. For organizations wishing to parse the information in order to utilize it, this lack of consistency can make that task incredibly difficult. Making matters worse, in some cases even important information is omitted from the response. For example, the expiration date of a domain, which can be used to identify when a domain is expiring in order to ensure that it gets renewed in time, is not often provided in WHOIS queries on domains in ccTLDs from Oceania (Australia, New Zealand).

One of the original main purposes of WHOIS queries was to identify the owner of a domain. With the introduction of GDPR, all information on the Registrant (the person who registered the domain through a Registrar) has been redacted from the responses. This information was critical for attribution and link analysis in cyber investigations, and it is no longer available to anyone. While solutions to hide the registrant were available long before GDPR, they were not always used by registrants.

Other issues include lack of proper handling of non-ASCII characters, limiting global usability, no authentication or access control, and no security considerations – i.e. the data is stored in plaintext and the communication isn’t encrypted.

The Next Generation: the Registration Data Access Protocol (RDAP)

To address all these issues, the Internet Engineering Task Force (IETF) has developed the Registration Data Access Protocol, or RDAP, a modern replacement for the aging WHOIS protocol. RDAP attempts to address these issues in a few ways. First, centralized public lists of RDAP servers, operated by IANA (Internet Assigned Numbers Authority), are now available. More precisely, there are several: one for domains (based on their TLDs), one for IPv4 addresses and one for IPv6 addresses. By querying these lists, a tool can quickly identify the relevant RDAP server and send the query specifically to it.

Second, all responses are formatted in JSON, which makes automated processing much easier. The move to JSON indicates that the IETF has realized that most RDAP queries would not be made manually, but through investigation tools and automated processes. Here is an example of what the JSON response to an RDAP request for london.co.uk looks like:

 {"rdapConformance":["rdap_level_0"],"objectClassName":"domain","links":[{"value":"https://rdap.nominet.uk/uk/domain/london.co.uk","rel":"self","href":"https://rdap.nominet.uk/uk/domain/london.co.uk","type":"application/rdap+json"}],"notices":[{"title":"Terms of Service","description":["The Registry Operator, offers this Registration Data Access Protocol (RDAP) service and provides access to the records in the RDAP database for information purposes only, to assist you in obtaining information about the registration records of existing domain names. The stored information in the RDAP database is provided as is. We do not guarantee its accuracy or completeness, and cannot be held liable if the stored information in the RDAP database is wrong, incomplete, or inaccurate in any way. By querying the RDAP database in any way, you agree that you will not use this data: (i) to allow, enable or otherwise support the transmission of unsolicited, commercial advertising or other solicitations in any form or by any means; (ii) to enable high volume, automated, electronic processes that query or send data to the Registry Operator or any registrar or registrant; (iii) for target advertising; (iv) to cause nuisance to registrants by sending (by any means) messages to or contacting them; (v) to violate any law, rule, regulation or statute; and/or (vi) in violation of applicable data and privacy protection acts. You are explicitly prohibited from extracting, copying and/or using or re-using in any form and by any means (electronically or not) all or part (quantitatively or qualitatively) of the contents of the RDAP database without prior and explicit permission from the Registry Operator. Any copying or transmission of data for commercial purposes violates this prohibition. You agree that we can take measures to limit the use of the RDAP service to protect the privacy of registrants or the integrity of the database. 
We reserve the right to make changes to this website, the RDAP service, and these Terms and Conditions at any time without prior notice to you. You should review these Terms and Conditions each time you access or use the RDAP database and the RDAP service to learn of any changes. If you do not agree to the changes we have made, your only remedy is to stop your use of the RDAP database and the RDAP service. By executing a query, in any means whatsoever, you agree to these Terms of Service."],"links":[{"value":"https://nominet.uk/rdap-tos","rel":"related","href":"https://nominet.uk/rdap-tos","type":"text/html"}]},{"title":"Status Codes","description":["For more information on domain status codes, please visit https://icann.org/epp"],"links":[{"value":"https://icann.org/epp","rel":"related","href":"https://icann.org/epp","type":"text/html"}]},{"title":"RDDS Inaccuracy Complaint Form","description":["URL of the Nominet WHOIS data complaint process: https://www.nominet.uk/complaints/#complaining-about-incorrect-whois-data"],"links":[{"value":"https://www.nominet.uk/complaints/#complaining-about-incorrect-whois-data","rel":"related","href":"https://www.nominet.uk/complaints/#complaining-about-incorrect-whois-data","type":"text/html"}]}],"events":[{"eventAction":"registration","eventDate":"1994-11-25T18:09:26Z"},{"eventAction":"last changed","eventDate":"2024-11-10T12:48:51.217056Z"},{"eventAction":"expiration","eventDate":"2025-11-25T18:09:26Z"},{"eventAction":"transfer","eventDate":"2024-11-07T08:35:21Z"},{"eventAction":"last update of RDAP 
database","eventDate":"2025-04-24T22:37:07.437Z"}],"status":["active"],"handle":"D_23713099-UK","ldhName":"london.co.uk","unicodeName":"london.co.uk","secureDNS":{"delegationSigned":false,"maxSigLife":3024000},"entities":[{"objectClassName":"entity","links":[{"value":"https://rdap.nominet.uk/uk/entity/SYS3","rel":"self","href":"https://rdap.nominet.uk/uk/entity/SYS3","type":"application/rdap+json"}],"handle":"SYS3","vcardArray":["vcard",[["version",{},"text","4.0"],["fn",{},"text","Sys3 Limited"],["adr",{},"text",["","","18 Dedham Vale Business Centre, Manningtree Road, Dedham, Essex, CO7 6BL","","","",""]],["tel",{"type":"voice"},"text","0345-313-1919"],["email",{},"text","support@sys3.com"],["url",{},"uri","https://sys3.com"]]],"roles":["registrar"],"publicIds":[{"type":"Registry Identifier","identifier":"SYS3"}],"entities":[{"objectClassName":"entity","vcardArray":["vcard",[["version",{},"text","4.0"],["fn",{},"text","Abuse contact"],["tel",{"type":"voice"},"text","0845-313-1919"],["email",{},"text","ian@sys3.com"]]],"roles":["abuse"]}]},{"objectClassName":"entity","remarks":[{"title":"REDACTED FOR PRIVACY","type":"object redacted due to authorization","description":["Some of the data in this object has been removed"]},{"title":"EMAIL REDACTED FOR PRIVACY","type":"object redacted due to authorization","description":["This data is not generally available, if you have legitimate reason to request access please review Nominets data release process."]},{"title":"Data Quality","description":["Name validated.","Address validated.","Nominet responsible for validation."]}],"events":[{"eventAction":"registration","eventDate":"2024-11-07T08:35:21Z"}],"status":["validated"],"vcardArray":["vcard",[["version",{},"text","4.0"],["fn",{},"text",""]]],"roles":["registrant"]}],"publicIds":[{"type":"Registry 
Identifier","identifier":"D_23713099-UK"}],"nameservers":[{"objectClassName":"nameserver","links":[{"value":"https://rdap.nominet.uk/uk/nameserver/clay.ns.cloudflare.com.","rel":"self","href":"https://rdap.nominet.uk/uk/nameserver/clay.ns.cloudflare.com.","type":"application/rdap+json"}],"events":[{"eventAction":"registration","eventActor":"123-REG","eventDate":"2014-07-20T16:35:12Z"}],"status":["active","associated"],"handle":"H_592545-UK","ldhName":"clay.ns.cloudflare.com.","unicodeName":"clay.ns.cloudflare.com."},{"objectClassName":"nameserver","links":[{"value":"https://rdap.nominet.uk/uk/nameserver/val.ns.cloudflare.com.","rel":"self","href":"https://rdap.nominet.uk/uk/nameserver/val.ns.cloudflare.com.","type":"application/rdap+json"}],"events":[{"eventAction":"registration","eventActor":"TUCOWS-CA","eventDate":"2014-07-18T08:40:35Z"}],"status":["active","associated"],"handle":"H_597675-UK","ldhName":"val.ns.cloudflare.com.","unicodeName":"val.ns.cloudflare.com."}]}

RDAP also introduces differentiated access through authentication and access control, allowing law enforcement to identify themselves and gain access to information on the registrant that wouldn’t be available to non-law enforcement personnel. Unlike WHOIS, RDAP uses HTTPS, ensuring encrypted data transmission, and supports non-ASCII characters, accommodating global users.

With all the newly introduced features, RDAP is a definite step forward, providing the same value as WHOIS in a modern way. However, as those who have implemented RDAP can attest – it is not without its faults and issues.

Is RDAP a Missed Opportunity?

ICANN announced that the WHOIS protocol would be officially sunset on 28 January 2025, marking the full transition to RDAP for gTLDs. However, operators of ccTLDs are not contractually required to move to RDAP. As a result, there are many ccTLDs that still do not appear on IANA’s RDAP directory, forcing solutions to perform a legacy WHOIS query. Considering the popularity of some ccTLDs — including .io, which is often used by startups and tech companies, and regional ccTLDs such as .de and .ch, none of which are listed in the RDAP directory — the transition is far from complete. Solutions must support both legacy WHOIS and the newer system in order to effectively identify the registrar of a domain or the web hosting company which hosts an IP address.
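The lookup-then-fallback routing this implies can be sketched as follows. This is an added example, not code from the original article: the bootstrap data is a constructed sample in the RFC 9224 layout used by IANA's lists (only the `uk` base URL is inferred from the self link in the response shown earlier), and `build_index` and `plan_lookup` are hypothetical names.

```python
import json

# Constructed sample in the RFC 9224 bootstrap layout. Only the "uk" base URL
# is inferred from the response on this page; rdap.example.net is a placeholder.
SAMPLE_BOOTSTRAP = json.loads("""
{"version": "1.0",
 "services": [
   [["uk"], ["https://rdap.nominet.uk/uk/"]],
   [["example", "test"], ["http://rdap.example.net/", "https://rdap.example.net/"]]
 ]}
""")


def build_index(bootstrap):
    """Map each lower-cased bootstrap entry to its list of base URLs."""
    index = {}
    for service in bootstrap.get("services", []):
        if len(service) < 2:
            continue  # malformed row: skip it rather than crash
        entries, urls = service[0], service[1]
        for entry in entries:
            index[entry.lower().rstrip(".")] = list(urls)
    return index


def plan_lookup(domain, index):
    """Return ("rdap", query_url) or, if no entry matches, ("whois", tld)."""
    name = domain.strip().lower().rstrip(".")
    name = name.encode("idna").decode("ascii")  # IDN -> A-label form
    labels = name.split(".")
    # Longest-suffix match: try "a.b.c", then "b.c", then "c".
    for i in range(len(labels)):
        urls = index.get(".".join(labels[i:]))
        if urls:
            # Prefer an HTTPS base URL when the entry offers both schemes.
            https = [u for u in urls if u.lower().startswith("https://")]
            base = (https or urls)[0]
            if not base.endswith("/"):
                base += "/"
            return ("rdap", base + "domain/" + name)
    # TLD absent from the bootstrap list: the caller must use legacy WHOIS.
    return ("whois", labels[-1])
```

Recording which path answered each lookup matters later, because values extracted from WHOIS and RDAP for the same domain may not match.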

Such issues most likely stem from this being a transitionary period, until ccTLDs are also required to move to RDAP. The harder issue to solve is that, much like WHOIS, RDAP also doesn’t excel in consistency. While all RDAP responses are provided in JSON and the format is generally the same, there can be quite a lot of variations once you start looking more closely, significantly depending on the registry, the object type (IP network vs. domain), and the policies of the authority managing the data.

For example, an RDAP query for an IP address from ARIN includes detailed organization information, such as addresses (via the ‘vcardArray’ field), multiple layers of linked contact points (technical, abuse, routing), and rich event histories. In contrast, a domain RDAP query can omit basic information such as a physical address for the registrar or registrant. Even within similarly named fields like entities, the depth of information and sub-entities can vary drastically.

This inconsistency poses real challenges for anyone trying to build automated parsers or standardized analysis tools. A developer cannot assume, for example, that an entity will always include a postal address, a phone number, or even a validated email. Parsing logic has to branch heavily based on the object class (IP network vs. domain) and registry-specific quirks. Worse, even simple data like telephone numbers and emails may differ in format (sometimes being inside vcardArray fields, sometimes not), making robust data extraction much harder than it should be for a protocol supposedly designed for structured, machine-readable responses.
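One way to write the defensive parsing this calls for, as an added example rather than code from the original article: it flattens a trimmed copy of the london.co.uk response shown earlier, walks nested entities, and returns None for anything the registry left out. The function names are hypothetical.

```python
import json

# Trimmed copy of the london.co.uk response shown on this page (same values).
SAMPLE = json.loads("""
{"objectClassName":"domain","ldhName":"london.co.uk",
 "events":[{"eventAction":"registration","eventDate":"1994-11-25T18:09:26Z"},
           {"eventAction":"expiration","eventDate":"2025-11-25T18:09:26Z"}],
 "entities":[
  {"handle":"SYS3","roles":["registrar"],
   "vcardArray":["vcard",[["version",{},"text","4.0"],["fn",{},"text","Sys3 Limited"],
                          ["email",{},"text","support@sys3.com"]]],
   "entities":[{"roles":["abuse"],
     "vcardArray":["vcard",[["fn",{},"text","Abuse contact"],
                            ["email",{},"text","ian@sys3.com"]]]}]},
  {"roles":["registrant"],
   "vcardArray":["vcard",[["version",{},"text","4.0"],["fn",{},"text",""]]]}]}
""")


def vcard_values(entity, prop):
    """Non-empty values of one jCard property; [] if vcardArray is absent or malformed."""
    card = entity.get("vcardArray")
    if not (isinstance(card, list) and len(card) == 2 and isinstance(card[1], list)):
        return []
    return [p[3] for p in card[1]
            if isinstance(p, list) and len(p) >= 4 and p[0] == prop and p[3]]


def walk_entities(obj):
    """Yield every entity, including entities nested inside other entities."""
    for ent in obj.get("entities") or []:
        if isinstance(ent, dict):
            yield ent
            yield from walk_entities(ent)


def summarize(rdap):
    """Flatten a domain response; data the registry omitted becomes None."""
    out = {"domain": rdap.get("ldhName"), "events": {}, "contacts": {}}
    for ev in rdap.get("events") or []:
        if "eventAction" in ev and "eventDate" in ev:
            out["events"][ev["eventAction"]] = ev["eventDate"]
    for ent in walk_entities(rdap):
        names, mails = vcard_values(ent, "fn"), vcard_values(ent, "email")
        for role in ent.get("roles") or []:
            out["contacts"].setdefault(role, {"name": names[0] if names else None,
                                              "email": mails[0] if mails else None})
    return out
```

The abuse contact is only found because the walk descends into the registrar's own entities list, and the redacted registrant comes back as None instead of an empty string that downstream code might treat as data.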

As a result, while RDAP is a step in the right direction, it doesn’t go all the way, as it doesn’t address one of the main pain points of incorporating WHOIS queries into automated processes – consistency. Even worse, as both RDAP and WHOIS exist at the same time, if one type of query fails (some WHOIS servers may stop responding due to rate limiting) and the other is used, the extracted values on the same entity may not match, making matters even more complex.

One can hope that these issues will eventually be addressed, or that the availability of tools less impacted by formatting inconsistencies (such as LLMs) will make it more economical to incorporate them into the querying process. Until then, RDAP may not end up simplifying the process of performing WHOIS queries, but may actually make it more complex.
