WHOIS Lookup: The Complete Guide for 2026

Everything engineers and site owners need to know about WHOIS lookup — from reading registrar records to automating expiry monitoring in 2026.

By Steve

If a domain goes dark without warning, the first thing most engineers do is run a WHOIS lookup. It takes five seconds and immediately tells you who registered the domain, which registrar holds it, when it expires, and whether the nameservers are still pointing where they should. That single query can cut a 90-minute incident investigation down to three minutes.

This guide covers everything you need to know about WHOIS lookup — how it works under the hood, how to read the output, what the common failure modes are, and how to stop relying on ad-hoc checks when automated monitoring can do the job continuously.


What Is a WHOIS Lookup?

A WHOIS lookup is a query against a public database that returns registration metadata for a domain name, IP address, or Autonomous System Number (ASN). For domains, the response typically includes:

  • Registrant details — the domain owner's name, organisation, and contact addresses (often redacted under GDPR)
  • Registrar — the company through which the domain was registered
  • Registration and expiry dates
  • Nameservers
  • Domain status codes (e.g. clientTransferProhibited, serverHold)

The protocol itself is ancient — RFC 954 was published in 1985 — but it remains the canonical source of truth for domain ownership metadata. RDAP (Registration Data Access Protocol) is the modern successor with a JSON API, but plain WHOIS still works for the vast majority of lookups.

[Figure: a WHOIS query flowing from a client to a TLD registry and then to a registrar's WHOIS server]

How the Query Actually Works

When you run whois example.com, your client:

  1. Connects to the IANA root WHOIS server (whois.iana.org) to find the authoritative WHOIS server for that TLD.
  2. Queries that TLD registry server (e.g. Verisign's whois.verisign-grs.com for .com).
  3. Follows the pointer, often included in the registry response, to the registrar's own WHOIS server for the full record.

That two-step delegation means you sometimes get thin records (just registrar and nameserver info) from the registry, and the thick record (full registrant details) from the registrar. Tools that only query one level silently miss data.
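The referral walk described above, as an added example (not code from this guide or from any WHOIS client). The `refer:` and `Registrar WHOIS Server:` labels are the ones IANA and thin registries commonly use, and the `SAMPLE` responses and `whois.registrar.example` hostname are constructed so the walk runs offline.

```python
import re
import socket

IANA = "whois.iana.org"
# IANA answers with "refer:"; thin registries point onward with "Registrar WHOIS Server:".
REFERRAL = re.compile(r"^[ \t]*(?:refer|Registrar WHOIS Server):[ \t]*(\S+)", re.I | re.M)

def whois_query(server, domain, timeout=10):
    """Plain WHOIS: send the name plus CRLF to TCP port 43 and read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def next_server(response):
    """Return the hostname a response points to, or None when there is no usable pointer."""
    match = REFERRAL.search(response)
    if not match:
        return None
    # Pointers are remote-controlled text: strip any URL wrapper, then accept hostnames only.
    host = re.sub(r"^[a-z]+://", "", match.group(1).lower()).split("/")[0]
    return host if re.fullmatch(r"[a-z0-9.-]+", host) else None

def follow_chain(domain, query=whois_query, max_hops=4):
    """Walk IANA -> registry -> registrar, returning [(server, response), ...]."""
    hops, server, seen = [], IANA, set()
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)  # registrar records usually point at themselves; stop there
        response = query(server, domain)
        hops.append((server, response))
        server = next_server(response)
    return hops

# Constructed responses (not captured from real servers) so the walk can run offline.
SAMPLE = {
    "whois.iana.org": "domain: COM\nrefer: whois.verisign-grs.com\n",
    "whois.verisign-grs.com": "Domain Name: EXAMPLE.COM\n   Registrar WHOIS Server: whois.registrar.example\n",
    "whois.registrar.example": "Domain Name: EXAMPLE.COM\nRegistrar WHOIS Server: whois.registrar.example\n",
}

def offline_query(server, domain):
    return SAMPLE[server]

if __name__ == "__main__":
    for server, text in follow_chain("example.com", query=offline_query):
        print(server, "->", next_server(text))
```

A client that stops after the second hop returns only the thin registry record; the third hop is where the registrar's fuller record comes from.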


Reading a WHOIS Record

Here is an annotated example of a real-world .com WHOIS response:

```
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://res-dom.iana.org
Updated Date: 2023-08-14T07:01:34Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2024-08-13T04:00:00Z   ← watch this
Registrar: IANA
Registrar IANA ID: 376
Domain Status: clientDeleteProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
```

The fields to pay attention to are:

| Field | Why It Matters |
|---|---|
| Registry Expiry Date | Let this slip and the domain drops — potentially to a squatter |
| Registrar | Knowing your registrar speeds up support escalations |
| Domain Status | Certain statuses (e.g. serverHold) stop DNS resolving entirely |
| Name Server | Unexpected changes here often signal a hijack or misconfiguration |


Common WHOIS Status Codes Explained

EPP status codes trip up a lot of people. Here is a quick reference:

  • clientTransferProhibited — the registrar has locked the domain against outgoing transfers. Standard for live domains.
  • clientUpdateProhibited — WHOIS record changes are locked at the registrar level.
  • serverHold — set by the registry, not the registrar. Often means the domain has been suspended. DNS will not resolve.
  • pendingDelete — the domain is in the deletion pipeline. Recovery is possible during the redemption grace period but expensive.
  • redemptionPeriod — 30-day window post-expiry where you can still recover the domain, usually at a premium fee.

If you see serverHold on a production domain, escalate immediately. You cannot fix it at the registrar level — it requires a registry intervention.


Why WHOIS Data Is Incomplete (and What to Do About It)

Since GDPR came into force in 2018, most registrars redact personal registrant data for domains registered by EU individuals. You will frequently see something like:

```
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
```

This is expected. For your own domains, you should still have full visibility through your registrar's dashboard. For third-party domains, proxy/privacy services are now the default rather than the exception.

A few things still reliably show through even with privacy protection:

  • Registrar identity
  • Expiry date
  • Domain status codes
  • Nameservers

These are exactly the fields that matter for monitoring — which is why WHOIS-based alerting is still highly effective even in a post-GDPR world.


The Real Risk: Domains That Expire Silently

Here is a failure mode that happens more often than it should. A domain is registered years ago by a team member who has since left. The renewal reminder goes to an email inbox that nobody monitors. The domain expires. The site goes down — or worse, the domain is immediately snatched by a squatter who then redirects your traffic or harvests email for a few days before anyone notices.

The fix is straightforward: stop relying on registrar reminder emails and start monitoring expiry dates programmatically.

A WHOIS monitoring tool queries your domain records on a schedule, parses the expiry date, and fires an alert when you drop below a threshold — say, 60 days, 30 days, and 7 days. That gives you time to renew well before any grace period begins.


WHOIS Lookup vs. DNS Lookup — Know the Difference

These two queries answer completely different questions:

| | WHOIS Lookup | DNS Lookup |
|---|---|---|
| Asks | Who owns this domain and when does it expire? | Where does this domain resolve to? |
| Data source | Registrar / registry database | Authoritative nameservers |
| Update speed | Hours to days | Seconds to 48 hours (TTL-dependent) |
| Useful for | Ownership, expiry, lock status | IP addresses, MX records, CDN config |

Both matter for a complete picture of domain health. If a domain's DNS resolves fine but the WHOIS record shows it expired two weeks ago and is in redemptionPeriod, you have a ticking clock — DNS will stop working the moment the registry clears it.

Our DNS monitoring tracks record changes and resolution failures continuously, so you catch problems at both layers.


How to Run a WHOIS Lookup

Command line (Linux / macOS):

```bash
whois uptrue.io
```

Windows (PowerShell):

```powershell
# No native WHOIS; install via Sysinternals or use RDAP
Invoke-RestMethod "https://rdap.org/domain/uptrue.io" | ConvertTo-Json -Depth 5
```

Online tool:

If you want a clean, parsed view without installing anything, use our free WHOIS lookup tool. It queries both the registry and registrar WHOIS servers, parses EPP status codes into plain English, and flags upcoming expiry dates.


Automating WHOIS Monitoring — The Case for Continuous Checks

Running a manual WHOIS lookup is fine for one-off investigations. It does not scale to a portfolio of 20, 50, or 200 domains. Manual checks also have no memory — if a nameserver changed overnight and you checked it yesterday, you will not know until something breaks.

Automated WHOIS monitoring solves this by:

  1. Polling on a schedule — typically daily for expiry tracking, more frequently for change detection
  2. Storing historical snapshots — so you can see exactly when a field changed
  3. Alerting on specific conditions — expiry within N days, status code changes, registrar changes, nameserver changes
  4. Covering your whole domain portfolio — not just the one you happened to think of checking today


What to Monitor in a WHOIS Record

Not every field in a WHOIS record is worth alerting on, but these six are:

1. Expiry Date

The most critical. Set alerts at 60, 30, and 7 days. Some registrars add a 5-day auto-renew grace period — do not rely on it.

2. Registrar

An unexpected registrar change is a strong signal of domain hijacking. Legitimate transfers take days and involve explicit approval steps. If your domain suddenly shows a different registrar, investigate immediately.

3. Nameservers

Nameserver changes redirect all traffic for your domain. A single unauthorised NS change can redirect your website, intercept your email, and invalidate your SSL certificates in one move.

4. Domain Status Codes

Watch for serverHold, pendingDelete, and redemptionPeriod. Any of these on a live production domain is an incident.

5. Registrant Organisation

Even with privacy protection, changes in the registrant organisation field can indicate account takeover at the registrar level.

6. WHOIS Server Availability

If the WHOIS server itself is unreachable, you are flying blind. A good monitoring tool tracks server reachability separately so you know whether a missing response is a data problem or an infrastructure problem.
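One way to implement the checks from the expiry, automation and "what to monitor" sections, as an added example (not Uptrue's code). It assumes the field labels and ISO 8601 `Z` timestamps shown in the sample record earlier; the `BEFORE` and `AFTER` records and their `.example` hostnames are constructed.

```python
import re
from datetime import datetime, timezone

WATCHED = {"serverhold", "pendingdelete", "redemptionperiod"}
THRESHOLDS = (7, 30, 60)  # days, tightest first so the most urgent tier is reported

def parse_record(text):
    """Extract the fields that stay visible even when registrant data is redacted."""
    def values(label):
        return re.findall(rf"^[ \t]*{label}:[ \t]*(\S.*?)[ \t\r]*$", text, re.I | re.M)
    expiry = values("Registry Expiry Date")
    return {
        "registrar": (values("Registrar") or [None])[0],
        "expiry": datetime.fromisoformat(expiry[0].replace("Z", "+00:00")) if expiry else None,
        # A status line may carry a trailing ICANN URL; keep only the code.
        "statuses": {v.split()[0].lower() for v in values("Domain Status")},
        "nameservers": {v.lower() for v in values("Name Server")},
    }

def evaluate(current, previous=None, now=None):
    """Alerts for one snapshot: expiry tiers, risky statuses, drift from the last poll."""
    now = now or datetime.now(timezone.utc)
    alerts = []
    if current["expiry"] is None:
        alerts.append("expiry date missing from record")
    else:
        days = (current["expiry"] - now).days
        tier = next((t for t in THRESHOLDS if days <= t), None)
        if days < 0:
            alerts.append(f"expired {-days} days ago")
        elif tier:
            alerts.append(f"expires in {days} days (inside {tier}-day threshold)")
    alerts += [f"status {s} set" for s in sorted(current["statuses"] & WATCHED)]
    if previous:
        alerts += [f"{f} changed" for f in ("registrar", "nameservers") if current[f] != previous[f]]
    return alerts

# Constructed records (not real registry output): yesterday's poll and today's.
BEFORE = """Registrar: Example Registrar, Inc.
Registry Expiry Date: 2026-08-13T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.DNS-HOST.EXAMPLE
Name Server: NS2.DNS-HOST.EXAMPLE
"""
AFTER = BEFORE.replace("NS2.DNS-HOST.EXAMPLE", "NS1.UNEXPECTED.EXAMPLE") + "Domain Status: serverHold\n"
NOW = datetime(2026, 7, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("\n".join(evaluate(parse_record(AFTER), parse_record(BEFORE), NOW)))
```

Storing each parsed snapshot and passing the last one as `previous` is what gives the check memory: the nameserver swap in `AFTER` is only visible as a difference from `BEFORE`.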


WHOIS and Domain Hijacking: What the Attack Looks Like

Domain hijacking typically follows one of two paths:

Path 1 — Registrar account compromise. An attacker gains access to your registrar account (phishing, credential stuffing, SIM swap). They change the nameservers or initiate a transfer. WHOIS shows the changes almost immediately.

Path 2 — Social engineering the registrar. The attacker convinces registrar support to make changes on their behalf. Rarer, but it has happened to high-profile domains.

In both cases, monitoring the WHOIS record gives you the earliest possible warning. A nameserver change will appear in WHOIS within minutes of it being processed. If you have a daily WHOIS check running, the worst case is a 24-hour detection window — far better than waiting for users to report that your site is serving someone else's content.

Enable registrar-level two-factor authentication and domain locking (clientTransferProhibited and clientUpdateProhibited) as baseline defences. Then let monitoring catch what your defences miss.


Conclusion

A WHOIS lookup is a small query that answers some very important questions: who registered this domain, which registrar controls it, when does it expire, and is anything structurally wrong with it right now. Every engineer managing production infrastructure should understand how to read a WHOIS record — and every organisation managing more than a handful of domains should be monitoring them automatically.

Manual checks are better than nothing. Automated WHOIS monitoring is better than manual checks. The gap between a domain expiring silently and your users seeing an outage can be as short as a few hours. Close that gap before it costs you.
