Glossary

What Is WHOIS?

WHOIS is the public registration record for domain names and IP allocations. It tells you who registered a domain (or who an IP block is assigned to), through which registrar, when, and how to contact them. WHOIS has been the canonical answer to "who owns this" on the internet since the early 1980s.

What WHOIS Records Contain

  • Registrant — name, organization, postal address, email, phone (subject to redaction; see below).
  • Registrar — the company that sold the domain.
  • Registration dates — created, updated, expiration.
  • Nameservers — the authoritative servers for the zone.
  • Status codes — clientHold, clientTransferProhibited, serverDeleteProhibited, etc.
  • DNSSEC — whether DS records are present.

WHOIS, RDAP, and the GDPR Era

Since GDPR took effect in 2018, registrars have heavily redacted personal data in WHOIS responses. Many fields now show 'REDACTED FOR PRIVACY' or refer to a registrar-operated proxy address. RDAP (Registration Data Access Protocol) is the modern successor — same data, structured JSON, with tiered access for vetted requesters.

What Is Still Useful

Even with redacted contact data, WHOIS still reveals:

  • Registration timing — newly registered domains correlate with phishing and malware staging.
  • Registrar choice — some registrars are heavily abused.
  • Nameserver patterns — campaigns often share unusual nameservers.
  • Status flags — locked, deleted, on hold — useful for takedown tracking.
  • DNSSEC presence — a hygiene signal.

Pivoting on WHOIS

Even partial WHOIS data is a powerful pivot point. Find one campaign domain, pivot on its registrant email (where unredacted) or its unusual nameserver pair, and you typically surface the rest of the actor's domain inventory.
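The sections above describe what an RDAP record carries, which fields GDPR redaction removes, and which signals (registration age, status codes, nameservers, DNSSEC) remain useful for pivoting. The following added example (not part of this glossary or of Whisper) reduces a constructed RDAP domain response to those signals; the domain, nameservers, dates and the fixed "today" are all hypothetical values.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response for a hypothetical domain; field names follow the RDAP domain object.
SAMPLE_RDAP = json.dumps({
    "ldhName": "example-lookup.test",
    "status": ["client transfer prohibited", "client hold"],
    "events": [{"eventAction": "registration", "eventDate": "2024-05-30T10:00:00Z"},
               {"eventAction": "expiration", "eventDate": "2025-05-30T10:00:00Z"}],
    "nameservers": [{"ldhName": "NS2.example-dns.test"}, {"ldhName": "ns1.example-dns.test"}],
    "secureDNS": {"delegationSigned": False},
    "entities": [{"roles": ["registrant"], "vcardArray": ["vcard", [
        ["fn", {}, "text", "REDACTED FOR PRIVACY"],
        ["email", {}, "text", "REDACTED FOR PRIVACY"],
        ["org", {}, "text", "Example Holdings"]]]}],
})
REFERENCE_NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # constructed "today" for the sample

# RDAP spells status values in words; these are the EPP codes that WHOIS shows for them.
EPP_STATUS = {"client hold": "clientHold",
              "client transfer prohibited": "clientTransferProhibited",
              "server delete prohibited": "serverDeleteProhibited"}

def summarize_rdap(raw, now=None, new_domain_days=30):
    d = json.loads(raw)
    now = now or datetime.now(timezone.utc)
    events = {e["eventAction"]: datetime.fromisoformat(e["eventDate"].replace("Z", "+00:00"))
              for e in d.get("events", [])}
    created = events.get("registration")
    age_days = (now - created).days if created is not None else None
    # Registrant jCard properties: property name is prop[0], its value is prop[3].
    registrant = {}
    for ent in d.get("entities", []):
        if "registrant" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                registrant[prop[0]] = prop[3]
    usable = {k: v for k, v in registrant.items() if "REDACTED" not in str(v).upper()}
    nameservers = sorted(ns["ldhName"].lower() for ns in d.get("nameservers", []))
    status = [EPP_STATUS.get(s, s) for s in d.get("status", [])]
    return {
        "domain": d.get("ldhName"),
        "age_days": age_days,
        "newly_registered": age_days is not None and age_days < new_domain_days,
        "status": status,
        "on_hold": "clientHold" in status,
        "nameservers": nameservers,
        "dnssec_signed": bool(d.get("secureDNS", {}).get("delegationSigned", False)),
        "registrant_redacted": len(usable) < len(registrant),
        "pivot_keys": sorted(usable.values()) + ["|".join(nameservers)],
    }
```

The returned pivot_keys are the unredacted registrant values plus the normalized nameserver pair, i.e. the fields the text above names as still usable for linking one campaign domain to the rest of an actor's inventory.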

WHOIS in Whisper

Whisper ingests WHOIS and RDAP for every observed domain and updates continuously. WHOIS data is just another set of edges in the graph — which means analysts pivot from a registrant fingerprint to every related hostname, IP, and ASN in one query.