Back to Blog
Tools

WHOIS Lookup: Who Actually Owns That Domain

By Kunal KhatriFeb 5, 2026
WHOIS Lookup: Who Actually Owns That Domain

Every registered domain has ownership records stored in the WHOIS database — the registrant's name, organisation, address, phone number, and email. For decades this was fully public. Then GDPR arrived, registrars redacted personal data for European registrants, and suddenly everyone thought WHOIS was dead. It isn't.

What WHOIS Still Shows

Even post-GDPR, WHOIS records show the registrar, the registration and expiration dates, the nameservers, and the domain status codes. For business-registered domains, the organisation name often remains visible. For domains registered without privacy protection, personal details can still appear — registration privacy services are optional and not everyone uses them.

IP address WHOIS (handled through ARIN, RIPE, APNIC, etc.) is less affected by GDPR. Network block registrations for business IP ranges typically show the company name, address, and abuse contact. This is intentional — the internet needs a way to report abuse to the right people.

How to Read a WHOIS Record

The key fields are: Registrant (who owns the domain), Registrar (which company sold the domain), Nameservers (which DNS servers are authoritative for it), and dates. The creation date tells you how old the domain is — a suspicious-looking site registered last week is a different risk profile than one that's been running for eight years.

RDAP — the newer Registration Data Access Protocol — is replacing the old WHOIS protocol. It returns structured JSON instead of free-form text, supports access control so different requestors see different levels of detail, and is genuinely more useful for automated analysis. ICANN has been pushing RDAP adoption, and most major registries now support it.

What WHOIS Is Actually Used For

Security researchers use WHOIS to track threat actor infrastructure — attackers reuse registrant email addresses, nameserver patterns, and registration timing across domains. Journalists use it to link anonymous sites to their real owners. Brand protection teams use it to find counterfeit domains before they do damage. Legal teams use it to identify defendants in domain disputes.

The catch is that domain privacy services don't make ownership invisible. They replace your details with proxy contact information from the privacy service. The registrar still knows who really owns the domain. Subpoenas to the registrar can surface real ownership data when legally required.

WHOIS Data in Security Investigations

Security researchers use WHOIS patterns to track campaign infrastructure. Attackers who register domains for phishing campaigns often reuse the same registrant email across dozens of domains, use the same registrar or nameserver configuration, and register domains in bursts — 10 similar domains in one week, then nothing for a month, then another burst. WHOIS history services like DomainTools or SecurityTrails let you see these patterns across time and link related infrastructure.

For IP addresses, WHOIS and BGP routing data together tell you a lot. An IP registered to a hosting provider in one country, routing through an ASN in another country, with reverse DNS pointing to a third location is the signature of VPN infrastructure or deliberately obscured hosting. Legitimate businesses generally have consistent, matching data across all three layers.

Look Up Any Domain or IP

Run a WHOIS lookup to see registration data, nameservers, and ownership information for any domain.

WHOIS Lookup
KK

About Kunal Khatri

Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.

Share this article: