What is Whois?
Whois is an internet protocol that shows who owns a domain name, when it was registered, and through which registrar.
In short, a Whois query reveals information such as the domain owner, contact details, registration date, IP address, and DNS servers.
Technical Aspects of Whois
1. How Does the Whois Protocol Work?
- Whois is an old but still widely used TCP-based protocol running on port 43.
- A client (e.g., using the whois command in the terminal) connects to a Whois server.
- The queried domain’s registration details are returned in plaintext (unencrypted text).
- While this makes data retrieval easy, it also poses privacy and security weaknesses.
2. Where Does the Data Come From?
- Domain information is stored in the databases of registrars authorized by ICANN (Internet Corporation for Assigned Names and Numbers).
- Each top-level domain (TLD, e.g., .com, .org) has its own Whois servers.
- For example:
- .com and .net → Verisign Whois servers
- .org → Public Interest Registry
3. Typical Fields in a Whois Record
A Whois record usually includes:
- Domain Name: The domain itself
- Registrar: The registration company
- Creation Date: When the domain was registered
- Registry Expiry Date: When it will expire
- Updated Date: Last modification date
- Registrant Name / Organization: The person or company that owns the domain
- Registrant Contact (Email, Phone, Address): Contact details of the owner
- Name Server: The DNS servers associated with the domain
- Domain Status:
- clientTransferProhibited → Transfer lock enabled
- ok → Domain is active
- redemptionPeriod → Expired but still renewable
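The port-43 exchange described in section 1 and the record fields listed in section 3 can be exercised together. The Python below is an added example, not code from the original article: it performs the raw TCP exchange, follows the "Registrar WHOIS Server" referral that thin registries such as .com and .net return, and parses the "Key: Value" lines into the fields named above (Domain Status lines keep only the EPP code, and Creation Date is turned into a domain age). The record it parses offline is constructed to mirror the Verisign-style layout; its domain, registrar, name servers and dates are made up, and `whois.verisign-grs.com` is assumed as the registry server for .com/.net names.

```python
import socket
from datetime import datetime, timezone

WHOIS_PORT = 43  # Whois is a plaintext TCP protocol on port 43

# Labels used in registry/registrar records, mapped to normalized keys
FIELD_MAP = {
    "domain name": "domain_name",
    "registrar": "registrar",
    "registrar whois server": "registrar_whois_server",
    "creation date": "creation_date",
    "registry expiry date": "expiry_date",
    "updated date": "updated_date",
    "registrant name": "registrant_name",
    "registrant organization": "registrant_organization",
    "registrant email": "registrant_email",
}


def whois_query(domain, server, timeout=10.0):
    """Raw Whois exchange: connect to TCP/43, send the query followed by CRLF,
    read until the server closes the socket. Needs network access, so the
    offline demo below does not call it."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    # The reply is unencrypted text with no declared charset, so decode leniently.
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; repeatable keys become lists."""
    record = {"status": [], "name_servers": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # banner, blank line or legal notice
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key == "domain status":
            # "clientTransferProhibited https://icann.org/epp#..." -> keep the EPP code
            record["status"].append(value.split()[0])
        elif key == "name server":
            record["name_servers"].append(value.lower())
        elif key in FIELD_MAP:
            record.setdefault(FIELD_MAP[key], value)  # first occurrence wins
    return record


def whois_lookup(domain, registry_server="whois.verisign-grs.com"):
    """Query the registry, then follow the 'Registrar WHOIS Server' referral that
    thin registries such as .com/.net return (assumes the domain lives there)."""
    record = parse_whois(whois_query(domain, registry_server))
    referral = record.get("registrar_whois_server")
    if referral:
        record = parse_whois(whois_query(domain, referral))
    return record


def parse_date(value):
    """Registry timestamps are normally ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def domain_age_days(record, now=None):
    """Days since Creation Date; None when the record has no usable date.
    `now` may be a datetime, an ISO 8601 string, or omitted (current UTC time)."""
    created = record.get("creation_date")
    if not created:
        return None
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_date(now)
    return (now - parse_date(created)).days


# Constructed registry reply in the Verisign-style layout (all values made up).
SAMPLE_RECORD = """\
   Domain Name: BRAND-LOGIN-ALERT.EXAMPLE
   Registry Domain ID: 0000000000_DOMAIN_EXAMPLE-TEST
   Registrar WHOIS Server: whois.example-registrar.test
   Registrar URL: http://www.example-registrar.test
   Updated Date: 2025-09-02T08:15:00Z
   Creation Date: 2025-09-01T12:00:00Z
   Registry Expiry Date: 2026-09-01T12:00:00Z
   Registrar: Example Registrar, Inc.
   Registrant Organization: REDACTED FOR PRIVACY
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: ok https://icann.org/epp#ok
   Name Server: NS1.CHEAPHOST.TEST
   Name Server: NS2.CHEAPHOST.TEST
   DNSSEC: unsigned
>>> Last update of whois database: 2025-09-03T10:00:00Z <<<
"""

if __name__ == "__main__":
    rec = parse_whois(SAMPLE_RECORD)
    print(rec)
    print("age in days:", domain_age_days(rec, now="2025-09-08T12:00:00Z"))
```

For a live lookup, `whois_lookup("some-domain.com")` runs the two-step registry-then-registrar query; because the reply is free-form text, any field missing from a particular registrar's output simply stays absent from the dict rather than raising, which is the behaviour you want when feeding many records into a pipeline.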
4. Limitations of Whois Queries
- Rate Limit: Whois servers restrict excessive queries (anti-bot protection).
- Inconsistency: Different TLDs use different formats; there is no universal standard.
- Privacy Issues: Some domains are hidden behind “privacy protection” services.
- Manipulation: Malicious actors may register domains with fake information.
5. RDAP (Registration Data Access Protocol)
ICANN developed RDAP to address the weaknesses of Whois.
- Works with JSON format (machine-friendly).
- Uses HTTPS for secure communication.
- Provides standardized data across different TLDs.
- Supports authentication and stronger privacy policies.
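To show what "JSON format" and "standardized data" mean in practice, the following Python is an added example (not code from the original article or from ICANN): it resolves the RDAP server for a TLD from the IANA bootstrap file, fetches the domain object over HTTPS, and flattens the RDAP structure (events, status, nameservers, jCard entities) into the same fields a Whois record carries. The RDAP response and bootstrap document it processes offline are constructed with made-up values; their shape follows RFC 9083 and the IANA bootstrap format, and the RDAP-to-EPP status mapping is the partial one from RFC 8056 covering the three codes discussed above.

```python
import json
import urllib.request

IANA_BOOTSTRAP_URL = "https://data.iana.org/rdap/dns.json"  # TLD -> RDAP base URL mapping

# RDAP uses a spelled-out status vocabulary (RFC 9083); Whois shows EPP codes.
# Partial mapping (RFC 8056) for the three codes discussed in the article.
EPP_STATUS = {
    "active": "ok",
    "client transfer prohibited": "clientTransferProhibited",
    "redemption period": "redemptionPeriod",
}


def rdap_base_url(domain, bootstrap):
    """Find the RDAP service for the domain's TLD in an IANA bootstrap document."""
    tld = domain.rsplit(".", 1)[-1].lower()
    for tlds, urls in bootstrap["services"]:
        if tld in [t.lower() for t in tlds]:
            return urls[0]
    raise LookupError("no RDAP service registered for TLD ." + tld)


def fetch_rdap(domain, timeout=10):
    """Live lookup over HTTPS (needs network access; the offline demo skips it)."""
    with urllib.request.urlopen(IANA_BOOTSTRAP_URL, timeout=timeout) as resp:
        bootstrap = json.load(resp)
    url = rdap_base_url(domain, bootstrap).rstrip("/") + "/domain/" + domain
    req = urllib.request.Request(url, headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def entity_name(entity):
    """Contact names sit in a jCard: ["vcard", [["fn", {}, "text", "Name"], ...]]."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == "fn":
            return prop[3]
    return None


def normalize_rdap(doc):
    """Flatten an RDAP domain object into the fields a Whois record carries."""
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    status = doc.get("status", [])
    record = {
        "domain_name": doc.get("ldhName"),
        "creation_date": events.get("registration"),
        "expiry_date": events.get("expiration"),
        "updated_date": events.get("last changed"),
        "status": status,
        "epp_status": [EPP_STATUS.get(s, s) for s in status],
        "name_servers": [ns["ldhName"].lower() for ns in doc.get("nameservers", [])],
        "registrar": None,
        "registrant": None,
    }
    for entity in doc.get("entities", []):
        for role in entity.get("roles", []):
            if role in ("registrar", "registrant"):
                record[role] = entity_name(entity)
    return record


# Constructed RDAP response and bootstrap file (values are made up).
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "brand-login-alert.example",
    "status": ["client transfer prohibited", "active"],
    "events": [
        {"eventAction": "registration", "eventDate": "2025-09-01T12:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-09-01T12:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2025-09-02T08:15:00Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "NS1.CHEAPHOST.TEST"},
        {"objectClassName": "nameserver", "ldhName": "NS2.CHEAPHOST.TEST"},
    ],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar, Inc."]]]},
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]},
    ],
}
SAMPLE_BOOTSTRAP = {
    "version": "1.0",
    "services": [
        [["com", "net"], ["https://rdap.example-registry.test/v1/"]],
        [["example"], ["https://rdap.reserved.test/"]],
    ],
}

if __name__ == "__main__":
    print(json.dumps(normalize_rdap(SAMPLE_RDAP), indent=2))
```

The point of the normalizer is that the same keys come out whether the source was a port-43 text reply or an RDAP document, so downstream tooling (age checks, brand monitoring, threat-intel feeds) does not need to know which protocol answered.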
Real-World Cybersecurity Incidents Involving Whois
PayPal Phishing Attack (2007)
In 2007, attackers launched a phishing campaign targeting PayPal users through fake domains like paypal-security-update.com.
Role of Whois Query:
Investigators discovered through Whois that:
- The domain had been registered only a few days earlier.
- The registrar was a poorly monitored company.
- DNS information pointed to suspicious servers in Eastern Europe.
These findings enabled rapid detection of the attack, and the domain was quickly taken down.
Booking.com Lookalike URL Attack (2025)
In 2025, attackers targeted Booking.com users by creating lookalike domains.
For example, they registered domains using the Japanese character “ん” to mimic booking.com.
Role of Whois Query:
Whois data revealed that:
- The domains had been registered very recently.
- The registrar was a low-cost, weakly regulated company.
- Whois privacy protection was enabled, but DNS servers pointed to suspicious hosting providers.
The Company’s Mistake:
Booking.com’s biggest failure was the lack of proactive monitoring for brand-related domains.
- They did not implement a domain monitoring strategy to track new domains containing “booking.”
- Users were not sufficiently educated about verifying URLs.
- If the security teams had detected the lookalike domains earlier, fewer users would have been affected.
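The monitoring strategy described above can be expressed as a small scoring routine. The Python below is an added example, not code from Booking.com or from the original article: given a feed of candidate domain names and their normalized Whois/RDAP fields, it flags names that contain the brand string, decodes IDN labels and detects mixed scripts (which generalizes the hiragana "ん" trick mentioned above to any script combination), and adds the registration-age, privacy-service and untrusted-name-server signals that the two incidents relied on. The brand name `acmepay`, the candidate domains, their records and the trusted name-server suffix are all constructed; where the candidate feed comes from (zone files, certificate transparency, a registrar's new-registration list) is an assumption left to the reader.

```python
import re
import unicodedata
from datetime import datetime


def to_unicode(domain):
    """Show an IDN in its Unicode form; accepts either 'xn--' or Unicode input."""
    return domain.encode("idna").decode("idna")


def letter_scripts(label):
    """Scripts of the letters in a label, taken from their Unicode character names
    (e.g. 'LATIN SMALL LETTER B' -> LATIN, 'HIRAGANA LETTER N' -> HIRAGANA)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def parse_date(value):
    """ISO 8601 timestamps as returned by Whois/RDAP, with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_domain(domain, brand, record, now, max_age_days=30, trusted_ns_suffixes=()):
    """Score one candidate against the brand. `record` holds normalized Whois/RDAP
    fields (creation_date, registrant, name_servers); each matching signal adds 1."""
    reasons = []
    uname = to_unicode(domain).lower()
    labels = uname.rsplit(".", 1)[0].split(".")  # registrable part without the TLD
    # 1. brand string present once separators and non-ASCII decoration are removed
    if brand in re.sub(r"[^a-z0-9]", "", "".join(labels)):
        reasons.append("contains brand string %r" % brand)
    # 2. IDN tricks: mixed scripts inside one label, or any non-ASCII label
    for label in labels:
        scripts = letter_scripts(label)
        if len(scripts) > 1:
            reasons.append("mixed-script label %r (%s)" % (label, ", ".join(sorted(scripts))))
        elif any(ord(ch) > 127 for ch in label):
            reasons.append("non-ASCII label %r" % label)
    # 3. freshly registered (the signal both incidents in the article relied on)
    created = record.get("creation_date")
    if created:
        age = (parse_date(now) - parse_date(created)).days
        if age <= max_age_days:
            reasons.append("registered %d days ago" % age)
    # 4. registrant hidden behind a privacy service
    registrant = (record.get("registrant") or "").lower()
    if "privacy" in registrant or "redacted" in registrant:
        reasons.append("registrant withheld by privacy service")
    # 5. name servers outside the brand's own DNS infrastructure (skipped if none configured)
    if trusted_ns_suffixes:
        for ns in record.get("name_servers", []):
            if not ns.lower().endswith(tuple(trusted_ns_suffixes)):
                reasons.append("name server %s not in trusted set" % ns)
                break
    return {"domain": domain, "unicode": uname, "score": len(reasons), "reasons": reasons}


def review_queue(candidates, brand, now, threshold=3, **kwargs):
    """Assess every (domain, record) pair; return those at or above threshold,
    highest score first."""
    results = [assess_domain(d, brand, r, now, **kwargs) for d, r in candidates]
    return sorted((r for r in results if r["score"] >= threshold),
                  key=lambda r: r["score"], reverse=True)


# Constructed brand, observation time and candidate feed (all values made up).
BRAND = "acmepay"
NOW = "2025-09-08T12:00:00Z"
CANDIDATES = [
    ("acmepay-secure-login.com",
     {"creation_date": "2025-09-05T09:00:00Z", "registrant": "REDACTED FOR PRIVACY",
      "name_servers": ["ns1.cheaphost.test"]}),
    ("acmepayん.com".encode("idna").decode("ascii"),  # lookalike with a hiragana character
     {"creation_date": "2025-09-06T15:00:00Z", "registrant": "Privacy service customer",
      "name_servers": ["ns1.cheaphost.test"]}),
    ("macmepayroll.org",  # unrelated business whose name happens to contain the brand
     {"creation_date": "2014-03-10T00:00:00Z", "registrant": "Example Payroll Ltd",
      "name_servers": ["ns1.bigdns.test"]}),
    ("acmepay-partners.com",  # the brand's own domain on its own DNS
     {"creation_date": "2019-01-20T00:00:00Z", "registrant": "AcmePay Inc.",
      "name_servers": ["ns1.acmepay-dns.test"]}),
]

if __name__ == "__main__":
    for hit in review_queue(CANDIDATES, BRAND, NOW, trusted_ns_suffixes=(".acmepay-dns.test",)):
        print(hit["score"], hit["unicode"], "; ".join(hit["reasons"]))
```

The threshold keeps the queue useful: an old domain with a real registrant that merely contains the brand string scores low and is not raised, while a days-old, privacy-protected, mixed-script name on unfamiliar name servers rises to the top. Because registries rate-limit port-43 queries (section 4), the per-candidate Whois or RDAP lookups that fill `record` should be throttled and cached rather than issued for every name on every run.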
Why Whois Matters in Cybersecurity
As seen in the incidents above, Whois is one of the most critical tools ensuring internet transparency.
- In the PayPal case, a simple Whois query led to the rapid shutdown of the phishing domain.
- In the Booking.com case, Whois revealed fraudulent activity, but the company’s failure to monitor domain registrations allowed the attack to spread.
Whois in Cybersecurity Usage
Whois is one of the most frequently used OSINT (Open Source Intelligence) tools by cybersecurity professionals. It is especially useful for:
- Investigating the history of suspicious domains
- Detecting phishing and fraud attacks faster
- Tracing the source of attacks during incident response
- Protecting brand integrity through domain monitoring
- Tracking attackers’ digital footprints via OSINT investigations
- Feeding data into threat intelligence systems
In short:
Whois is a simple but powerful tool that provides big clues from small queries.
