CYRUSX

Tool

WHOIS Lookup

Verify domain legitimacy, detect phishing risks, and analyze ownership details instantly.

About

What is WHOIS?

WHOIS is a query protocol that retrieves registration data for internet resources — primarily domain names. Every domain registered worldwide must have corresponding WHOIS data on file with ICANN-accredited registrars, making it a foundational tool for domain research, network investigations, and phishing detection.

Modern WHOIS queries use RDAP (Registration Data Access Protocol), ICANN's structured replacement for the legacy plain-text protocol. RDAP returns consistent, machine-readable JSON across over 2,000 supported TLDs — covering all gTLDs and most ccTLDs.

For security professionals, WHOIS data is an essential first pivot in any investigation. Domain registration date, registrar choice, and nameserver configuration often reveal infrastructure patterns shared across threat actor campaigns.

Data Points

What Does This Tool Return?

Registrar

The ICANN-accredited company where the domain is registered — Namecheap, GoDaddy, Cloudflare Registrar, etc.

Registration & Expiry Dates

When the domain was first registered and when it expires. Recently registered domains are a strong phishing indicator.

Nameservers

The authoritative DNS servers for the domain. The nameserver hosting provider often reveals infrastructure relationships across threat campaigns.

DNSSEC Status

Whether DNS Security Extensions are enabled, protecting against DNS spoofing and cache poisoning attacks.

Domain Status

ICANN status codes indicating if the domain is locked, pending deletion, or has transfer restrictions applied.

Registrant Contact

Owner contact information — often redacted via privacy services, but when visible, useful for cross-referencing domains in an investigation.
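An added example (not CyrusX's code) showing how the data points listed above are read out of an RDAP domain response. The response is a constructed sample in the RFC 9083 shape; the function names and the 30-day "recently registered" threshold are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample in the RFC 9083 domain-object shape; every value is made up.
SAMPLE_RDAP = {
    "objectClassName": "domain", "ldhName": "LOGIN-PORTAL.EXAMPLE",
    "status": ["client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2024-05-01T09:30:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-05-01T09:30:00Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "NS2.DNS-HOST.EXAMPLE"},
        {"objectClassName": "nameserver", "ldhName": "NS1.DNS-HOST.EXAMPLE"},
    ],
    "secureDNS": {"delegationSigned": False},
    "entities": [{
        "roles": ["registrar"],
        "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar LLC"]]],
    }],
}

def _parse_ts(value):
    # RDAP timestamps are RFC 3339; map a trailing "Z" to an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _full_name(entity):
    # jCard layout: ["vcard", [[name, params, type, value], ...]]
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == "fn":
            return prop[3]

def summarize(rdap, now, new_domain_days=30):
    """Extract the registration fields; new_domain_days is an assumed threshold."""
    events = {e["eventAction"]: _parse_ts(e["eventDate"])
              for e in rdap.get("events", []) if "eventDate" in e}
    registered = events.get("registration")
    age = (now - registered).days if registered else None
    registrar = next((_full_name(e) for e in rdap.get("entities", [])
                      if "registrar" in e.get("roles", [])), None)
    return {
        "domain": rdap.get("ldhName", "").lower(),
        "registrar": registrar,
        "expires": events.get("expiration"),
        "age_days": age,
        "recently_registered": age is not None and age < new_domain_days,
        "nameservers": sorted(n["ldhName"].lower() for n in rdap.get("nameservers", [])),
        "dnssec_signed": bool(rdap.get("secureDNS", {}).get("delegationSigned")),
        "status": rdap.get("status", []),
    }
```

A missing `registration` event yields `age_days` of `None` rather than a false "new domain" flag, so absent data is not mistaken for a fresh registration.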

FAQ

Frequently Asked Questions

What is a WHOIS lookup?

A WHOIS lookup queries the ICANN RDAP and legacy WHOIS databases to retrieve registration data for a domain — registrar, registration and expiry dates, nameservers, and DNSSEC status.

How do I check when a domain expires?

Enter the domain above — the expiry date is shown in the registration section. Domains approaching expiry are sometimes targeted by attackers using domain-grabbing services to take over expired assets.

Why is registrant contact information hidden?

Most registrars offer WHOIS privacy protection that replaces contact details with proxy information. This is standard practice and doesn't indicate anything suspicious on its own.

How can WHOIS help identify phishing domains?

Phishing domains are typically registered hours before a campaign launches. A domain registered today or yesterday, combined with an unknown registrar and privacy protection, is a strong phishing indicator worth investigating further.

What is the difference between WHOIS and RDAP?

WHOIS is the legacy protocol returning plain text. RDAP is its structured JSON replacement — more consistent across registrars, supporting internationalized domain names. CyrusX queries RDAP where available, falling back to WHOIS for older TLDs.