WHOIS Lookup (RDAP)

About this tool

This WHOIS lookup tool uses RDAP (Registration Data Access Protocol) - the modern, structured replacement for the legacy WHOIS text protocol. RDAP returns registration data for domains and IP addresses in JSON format, making it easier to parse programmatically and more consistent across registries. Typical data includes registrant contact information, registration and expiration dates, nameservers, and the registrar name.

Real example

Input: example.com

The RDAP response includes:
ldhName: EXAMPLE.COM
status: client delete prohibited, client transfer prohibited, client update prohibited
registrar: RESERVED-Internet Assigned Numbers Authority
events: registration date 1995-08-14, last changed date (recent)
nameservers: a.iana-servers.net, b.iana-servers.net

For an IP like 8.8.8.8, the ARIN RDAP response shows the network block 8.8.8.0/24, the organization (Google LLC), and the abuse contact handle.

Common use cases

• Phishing and threat investigation: When a suspicious domain appears in your logs or in a reported phishing email, RDAP lookup reveals when the domain was registered, who the registrar is, and whether key privacy fields are redacted. Recently registered domains with privacy protection and generic nameservers are a common phishing signal.
• Infrastructure attribution: During a security incident, look up the IPs making suspicious requests to identify the hosting provider and whether they belong to known cloud, CDN, or bot infrastructure. Combine with IP Lookup for ASN-level detail.
• Brand protection and domain monitoring: Check registration details for lookalike domains (typosquats) targeting your brand. Expiration dates and registrar information can inform takedown requests.
• Abuse reporting: RDAP responses include abuse contact handles. Look up the hosting IP to find the correct abuse reporting address for a provider.

How it works

For domains, the tool queries https://rdap.org/domain/<domain>. For IPv4 addresses, it queries https://rdap.arin.net/registry/ip/<ip> (the ARIN registry, which handles North American IP space). The full RDAP JSON response is returned and displayed. RDAP replaced WHOIS because WHOIS responses are unstructured text that differs by registry - RDAP is a standardized JSON API defined in RFC 7483.

Common mistakes

• CORS failures are expected: Some RDAP endpoints block direct browser requests due to CORS policy. If the lookup fails, use the rdap.org or rdap.arin.net endpoints directly from your terminal: curl https://rdap.org/domain/example.com | jq .
• Privacy-redacted contacts are the norm: GDPR and registrar policies result in most registrant contact fields being redacted. The absence of a registrant name does not mean the domain is suspicious - most consumer registrations are now privacy-protected.
• RDAP scope is limited to registration data: RDAP tells you who registered a domain and when - it does not show DNS records, hosting details, or traffic information. For DNS, use Hostname to IP.

FAQ

What is the difference between RDAP and classic WHOIS
Classic WHOIS is a plain-text protocol defined in RFC 3912 with no standardized response format. RDAP (RFC 7483) returns structured JSON with consistent field names, supports authentication, and is the replacement standard that most registries have now adopted.

Why does the lookup sometimes fail
Browser-based RDAP queries are subject to CORS restrictions. Some registries and regional Internet registries do not allow direct browser queries. For reliable lookups, use a CLI tool like whois or curl from a server.

Can I look up IPv6 addresses
Yes. Enter the full IPv6 address and the tool will query the appropriate RDAP registry endpoint for that address block.

What does "client transfer prohibited" status mean
It means the registrar has placed a lock on the domain preventing transfer to another registrar. This is a standard security lock applied to most commercial domains to prevent unauthorized transfers.