Skip to content

WHOIS vs RDAP: Understanding Domain Registration Data Protocols

·12 min read·Domain Security

Every domain name on the internet — from google.com to your personal blog — leaves a trail of registration data. This data tells you who owns the domain, when it expires, which nameservers it uses, and more. For over 30 years, the WHOIS protocol (RFC 3912) was the only way to query this information. But in 2015, the IETF introduced its modern successor: RDAP — the Registration Data Access Protocol (RFCs 7480–7484).

On January 28, 2025, ICANN officially sunset WHOIS for all gTLDs (.com, .net, .org, .io, and hundreds more). RDAP is now the required standard. If you're building domain tools, automating WHOIS lookups, or monitoring domain security, you need to understand both protocols — and why the transition matters.

Table of Contents

  1. What Is WHOIS? (RFC 3912)
  2. What Information Does WHOIS Provide?
  3. What Is RDAP? (RFCs 7480–7484)
  4. WHOIS vs RDAP — Side-by-Side Comparison
  5. Why Domain Registration Data Matters
  6. Code Examples: Querying WHOIS & RDAP
  7. Sources & References

1. What Is WHOIS? (RFC 3912)

WHOIS is a TCP-based query/response protocol defined in RFC 3912, published in September 2004 (obsoleting the original RFC 954 from 1985). It operates on TCP port 43 and was originally designed as a "white pages" directory for Internet users — you'd look up a domain name and get back the registrant's contact information.

"While originally used to provide 'white pages' services and information about registered domain names, current deployments cover a much broader range of information services." — RFC 3912, Introduction

How the WHOIS Protocol Works

  1. A client opens a TCP connection to port 43 on a WHOIS server.
  2. The client sends a text query terminated with ASCII CR + LF (\r\n).
  3. The server responds with one or more lines of human-readable text.
  4. The server closes the connection — the closed connection signals the end of the response. There is no explicit end-of-response marker in the protocol itself.

Key Limitations of WHOIS

WHOIS was designed in 1982 and shows its age:

  • No standard data schema — every registry returns data in a different format. A .com WHOIS response looks completely different from a .de or .uk response.
  • No security — all queries and responses travel in plaintext over port 43. No encryption, no authentication.
  • No internationalization — ASCII only. Domain names in Chinese, Arabic, Cyrillic, or any non-Latin script simply cannot be handled.
  • No standardized redirection — if you query the wrong WHOIS server, you get nothing useful back. There's no built-in mechanism to say "go ask this server instead."
  • Hard to parse programmatically — every parser must handle dozens of ad-hoc text formats, each with different field names, line breaks, and legal disclaimers.

2. What Information Does WHOIS Provide?

While RFC 3912 defines the wire protocol (the how), ICANN's registry agreements specify the minimum data that registries and registrars must publish through WHOIS. A typical domain WHOIS response includes:

Category Fields
Domain Metadata Domain Name, Domain ID, WHOIS Server, Referral URL, Creation Date, Updated Date, Registry Expiry Date, Domain Status (clientDeleteProhibited, clientTransferProhibited, etc.)
Registrar Sponsoring Registrar, Registrar IANA ID
Registrant Name, Organization, Street, City, State/Province, Postal Code, Country, Phone, Email
Admin Contact Same structure as registrant
Tech Contact Same structure as registrant
Nameservers Name Server hostnames, DNSSEC status (signedDelegation or unsigned)

⚠️ Privacy Redaction (GDPR): Since May 2018, most WHOIS responses for gTLDs redact personal contact information (registrant name, email, phone, address) to comply with GDPR. You'll see "Redacted for Privacy" or registrar proxy services instead of actual owner details. ICANN continues to evolve policy in this area through the Registration Data Directory Services (RDDS) framework.

3. What Is RDAP? (RFCs 7480–7484)

RDAP is an HTTP-based, RESTful protocol developed by the IETF WEIRDS working group and published in March 2015. It is now designated as IETF STD 95. Unlike WHOIS, RDAP was designed from the ground up for the modern web — HTTPS, JSON, REST — and addresses every shortcoming of the legacy protocol.

RFC Title Purpose
RFC 7480 HTTP Usage in RDAP Defines HTTPS as the transport
RFC 7481 Security Services TLS, authentication, access control
RFC 7482 Query Format URL-based query syntax
RFC 7483 JSON Responses Standardized JSON data model
RFC 7484 Bootstrapping How to find the authoritative RDAP server

How RDAP Works

  1. Make an HTTPS GET request to the RDAP endpoint for a given resource: https://rdap.org/domain/example.com
  2. The server returns structured JSON — consistently formatted across all registries.
  3. If the query hits the wrong registry, the response includes a redirect to the authoritative server (HTTP 301/302).
  4. IANA-maintained bootstrap registries tell clients which RDAP server handles each TLD, IP block, or ASN range.

4. WHOIS vs RDAP — Side-by-Side

Feature WHOIS (RFC 3912) RDAP (RFCs 7480–7484)
Transport Custom TCP on port 43 HTTPS (port 443)
Data Format Unstructured plain text Structured JSON
Security None — plaintext only Mandatory TLS + authentication
Internationalization ASCII only — no Unicode Full UTF-8 / IDN support
Redirection None standardized Built-in HTTP redirects
Access Control Impossible — one level Tiered/role-based access
Machine Parsability Difficult — custom parsers Trivial — standard JSON
Server Discovery Manual Automated (IANA bootstrap)

5. Why Domain Registration Data Matters

Domain registration data serves multiple critical functions:

5.1 Cybersecurity & Threat Intelligence

WHOIS/RDAP data enables security teams to attribute malicious domains, track phishing infrastructure, map attacker networks, and monitor for typosquatting. The structured JSON from RDAP makes automated threat intelligence pipelines far more reliable than parsing scraped WHOIS text.

5.2 Domain Lifecycle Management

Expiration dates tell you when a domain must be renewed. Domain status codes reveal whether a domain is locked against transfer, in redemption period, or pending deletion. Automated expiry monitoring — the core of what DomainWatcher does — depends on this data.

5.3 Brand Protection

Companies monitor WHOIS/RDAP data to detect domain registrations that impersonate their brand, enabling rapid takedown actions through UDRP or other legal mechanisms.

5.4 Due Diligence & Acquisitions

Before acquiring a domain, buyers verify the registrant, the registrar, the creation date (older domains carry more trust/SEO weight), and that the domain isn't locked or in dispute.

📊 Current RDAP Adoption (2025): ~77% of all TLDs have deployed RDAP, with 100% of gTLDs compliant. ~34% of ccTLDs have adopted RDAP (up from 29% in early 2025). While many ccTLDs still run WHOIS on port 43 alongside RDAP, the trend is clear — RDAP is the future. (Dynadot, 2025)

6. Code Examples: Querying WHOIS & RDAP

6.1 WHOIS via Command Line (bash)

# Basic WHOIS lookup (uses system whois client)
whois example.com

# Query a specific WHOIS server
whois -h whois.verisign-grs.com example.com

# Bulk domain WHOIS lookup
while read domain; do
  echo "Looking up $domain..."
  whois "$domain" > "$domain.txt"
  sleep 1  # avoid rate limiting
done < domains.txt

6.2 WHOIS via Python (Raw Socket)

import socket

def whois_lookup(domain: str, server: str = "whois.verisign-grs.com") -> str:
    """Raw WHOIS lookup over TCP port 43 per RFC 3912."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    sock.connect((server, 43))
    sock.send(f"{domain}\r\n".encode())
    response = b""
    while True:
        data = sock.recv(4096)
        if not data:
            break
        response += data
    sock.close()
    return response.decode(errors="replace")

print(whois_lookup("example.com"))

6.3 RDAP via curl

# Basic RDAP domain lookup (redirects to authoritative registry)
curl -sL https://rdap.org/domain/example.com | jq .

# Extract registration & expiration dates
curl -sL https://rdap.org/domain/github.com | jq '
  .events[] | {action: .eventAction, date: .eventDate}
'

# Extract nameservers
curl -sL https://rdap.org/domain/github.com | jq '
  [.nameservers[]?.ldhName]
'

# IP address lookup
curl -sL https://rdap.org/ip/8.8.8.8 | jq .

# ASN lookup
curl -sL https://rdap.org/autnum/AS15169 | jq .

6.4 RDAP via Python

import requests
from datetime import datetime, timezone

def rdap_domain(domain: str) -> dict:
    """Query RDAP for domain registration data."""
    resp = requests.get(f"https://rdap.org/domain/{domain}")
    if resp.status_code != 200:
        return {"error": f"HTTP {resp.status_code}"}

    data = resp.json()
    events = {e["eventAction"]: e["eventDate"] for e in data.get("events", [])}

    reg_date = events.get("registration")
    age_years = None
    if reg_date:
        age_days = (datetime.now(timezone.utc) -
                    datetime.fromisoformat(reg_date.replace("Z", "+00:00"))).days
        age_years = round(age_days / 365.25, 1)

    return {
        "domain": data.get("ldhName"),
        "status": data.get("status", []),
        "registered": reg_date,
        "expires": events.get("expiration"),
        "updated": events.get("last changed"),
        "age_years": age_years,
        "nameservers": [ns["ldhName"] for ns in data.get("nameservers", [])],
    }

info = rdap_domain("github.com")
for k, v in info.items():
    print(f"  {k}: {v}")

6.5 RDAP via JavaScript (Node.js)

// Node 18+ has built-in fetch
async function rdapLookup(domain) {
    const res = await fetch(`https://rdap.org/domain/${domain}`);
    if (!res.ok) throw new Error(`HTTP ${res.status}`);

    const data = await res.json();
    const events = {};
    data.events?.forEach((e) => {
        events[e.eventAction] = e.eventDate;
    });

    return {
        domain: data.ldhName,
        status: data.status,
        registered: events.registration,
        expires: events.expiration,
        nameservers: data.nameservers?.map((ns) => ns.ldhName) ?? [],
    };
}

// Usage
rdapLookup("github.com").then(console.log).catch(console.error);

RDAP Key API Endpoints: All queries are free and require no API key. Use the hub endpoint https://rdap.org/ (redirects to the correct registry) or query registry-specific endpoints. The IANA bootstrap registries at data.iana.org/rdap/ map every TLD, IP block, and ASN range to its authoritative RDAP server.

7. Sources & References


DomainWatcher monitors WHOIS and RDAP data for 500+ TLDs in real-time — tracking expiration dates, registrar changes, and nameserver updates. Try it free at domainwatcher.org.