WHOIS vs RDAP: Understanding Domain Registration Data Protocols
Every domain name on the internet — from google.com to your personal blog — leaves a trail of registration data. This data tells you who owns the domain, when it expires, which nameservers it uses, and more. For over 30 years, the WHOIS protocol (RFC 3912) was the only way to query this information. But in 2015, the IETF introduced its modern successor: RDAP — the Registration Data Access Protocol (RFCs 7480–7484).
On January 28, 2025, ICANN officially sunset WHOIS for all gTLDs (.com, .net, .org, .io, and hundreds more). RDAP is now the required standard. If you're building domain tools, automating WHOIS lookups, or monitoring domain security, you need to understand both protocols — and why the transition matters.
Table of Contents
- What Is WHOIS? (RFC 3912)
- What Information Does WHOIS Provide?
- What Is RDAP? (RFCs 7480–7484)
- WHOIS vs RDAP — Side-by-Side Comparison
- Why Domain Registration Data Matters
- Code Examples: Querying WHOIS & RDAP
- Sources & References
1. What Is WHOIS? (RFC 3912)
WHOIS is a TCP-based query/response protocol defined in RFC 3912, published in September 2004 (obsoleting the original RFC 954 from 1985). It operates on TCP port 43 and was originally designed as a "white pages" directory for Internet users — you'd look up a domain name and get back the registrant's contact information.
"While originally used to provide 'white pages' services and information about registered domain names, current deployments cover a much broader range of information services." — RFC 3912, Introduction
How the WHOIS Protocol Works
- A client opens a TCP connection to port 43 on a WHOIS server.
- The client sends a text query terminated with ASCII CR + LF (
\r\n). - The server responds with one or more lines of human-readable text.
- The server closes the connection — the closed connection signals the end of the response. There is no explicit end-of-response marker in the protocol itself.
Key Limitations of WHOIS
WHOIS was designed in 1982 and shows its age:
- No standard data schema — every registry returns data in a different format. A .com WHOIS response looks completely different from a .de or .uk response.
- No security — all queries and responses travel in plaintext over port 43. No encryption, no authentication.
- No internationalization — ASCII only. Domain names in Chinese, Arabic, Cyrillic, or any non-Latin script simply cannot be handled.
- No standardized redirection — if you query the wrong WHOIS server, you get nothing useful back. There's no built-in mechanism to say "go ask this server instead."
- Hard to parse programmatically — every parser must handle dozens of ad-hoc text formats, each with different field names, line breaks, and legal disclaimers.
2. What Information Does WHOIS Provide?
While RFC 3912 defines the wire protocol (the how), ICANN's registry agreements specify the minimum data that registries and registrars must publish through WHOIS. A typical domain WHOIS response includes:
| Category | Fields |
|---|---|
| Domain Metadata | Domain Name, Domain ID, WHOIS Server, Referral URL, Creation Date, Updated Date, Registry Expiry Date, Domain Status (clientDeleteProhibited, clientTransferProhibited, etc.) |
| Registrar | Sponsoring Registrar, Registrar IANA ID |
| Registrant | Name, Organization, Street, City, State/Province, Postal Code, Country, Phone, Email |
| Admin Contact | Same structure as registrant |
| Tech Contact | Same structure as registrant |
| Nameservers | Name Server hostnames, DNSSEC status (signedDelegation or unsigned) |
⚠️ Privacy Redaction (GDPR): Since May 2018, most WHOIS responses for gTLDs redact personal contact information (registrant name, email, phone, address) to comply with GDPR. You'll see "Redacted for Privacy" or registrar proxy services instead of actual owner details. ICANN continues to evolve policy in this area through the Registration Data Directory Services (RDDS) framework.
3. What Is RDAP? (RFCs 7480–7484)
RDAP is an HTTP-based, RESTful protocol developed by the IETF WEIRDS working group and published in March 2015. It is now designated as IETF STD 95. Unlike WHOIS, RDAP was designed from the ground up for the modern web — HTTPS, JSON, REST — and addresses every shortcoming of the legacy protocol.
| RFC | Title | Purpose |
|---|---|---|
| RFC 7480 | HTTP Usage in RDAP | Defines HTTPS as the transport |
| RFC 7481 | Security Services | TLS, authentication, access control |
| RFC 7482 | Query Format | URL-based query syntax |
| RFC 7483 | JSON Responses | Standardized JSON data model |
| RFC 7484 | Bootstrapping | How to find the authoritative RDAP server |
How RDAP Works
- Make an HTTPS GET request to the RDAP endpoint for a given resource:
https://rdap.org/domain/example.com - The server returns structured JSON — consistently formatted across all registries.
- If the query hits the wrong registry, the response includes a redirect to the authoritative server (HTTP 301/302).
- IANA-maintained bootstrap registries tell clients which RDAP server handles each TLD, IP block, or ASN range.
4. WHOIS vs RDAP — Side-by-Side
| Feature | WHOIS (RFC 3912) | RDAP (RFCs 7480–7484) |
|---|---|---|
| Transport | Custom TCP on port 43 | HTTPS (port 443) |
| Data Format | Unstructured plain text | Structured JSON |
| Security | None — plaintext only | Mandatory TLS + authentication |
| Internationalization | ASCII only — no Unicode | Full UTF-8 / IDN support |
| Redirection | None standardized | Built-in HTTP redirects |
| Access Control | Impossible — one level | Tiered/role-based access |
| Machine Parsability | Difficult — custom parsers | Trivial — standard JSON |
| Server Discovery | Manual | Automated (IANA bootstrap) |
5. Why Domain Registration Data Matters
Domain registration data serves multiple critical functions:
5.1 Cybersecurity & Threat Intelligence
WHOIS/RDAP data enables security teams to attribute malicious domains, track phishing infrastructure, map attacker networks, and monitor for typosquatting. The structured JSON from RDAP makes automated threat intelligence pipelines far more reliable than parsing scraped WHOIS text.
5.2 Domain Lifecycle Management
Expiration dates tell you when a domain must be renewed. Domain status codes reveal whether a domain is locked against transfer, in redemption period, or pending deletion. Automated expiry monitoring — the core of what DomainWatcher does — depends on this data.
5.3 Brand Protection
Companies monitor WHOIS/RDAP data to detect domain registrations that impersonate their brand, enabling rapid takedown actions through UDRP or other legal mechanisms.
5.4 Due Diligence & Acquisitions
Before acquiring a domain, buyers verify the registrant, the registrar, the creation date (older domains carry more trust/SEO weight), and that the domain isn't locked or in dispute.
📊 Current RDAP Adoption (2025): ~77% of all TLDs have deployed RDAP, with 100% of gTLDs compliant. ~34% of ccTLDs have adopted RDAP (up from 29% in early 2025). While many ccTLDs still run WHOIS on port 43 alongside RDAP, the trend is clear — RDAP is the future. (Dynadot, 2025)
6. Code Examples: Querying WHOIS & RDAP
6.1 WHOIS via Command Line (bash)
# Basic WHOIS lookup (uses system whois client)
whois example.com
# Query a specific WHOIS server
whois -h whois.verisign-grs.com example.com
# Bulk domain WHOIS lookup
while read domain; do
echo "Looking up $domain..."
whois "$domain" > "$domain.txt"
sleep 1 # avoid rate limiting
done < domains.txt
6.2 WHOIS via Python (Raw Socket)
import socket
def whois_lookup(domain: str, server: str = "whois.verisign-grs.com") -> str:
"""Raw WHOIS lookup over TCP port 43 per RFC 3912."""
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(10)
sock.connect((server, 43))
sock.send(f"{domain}\r\n".encode())
response = b""
while True:
data = sock.recv(4096)
if not data:
break
response += data
sock.close()
return response.decode(errors="replace")
print(whois_lookup("example.com"))
6.3 RDAP via curl
# Basic RDAP domain lookup (redirects to authoritative registry)
curl -sL https://rdap.org/domain/example.com | jq .
# Extract registration & expiration dates
curl -sL https://rdap.org/domain/github.com | jq '
.events[] | {action: .eventAction, date: .eventDate}
'
# Extract nameservers
curl -sL https://rdap.org/domain/github.com | jq '
[.nameservers[]?.ldhName]
'
# IP address lookup
curl -sL https://rdap.org/ip/8.8.8.8 | jq .
# ASN lookup
curl -sL https://rdap.org/autnum/AS15169 | jq .
6.4 RDAP via Python
import requests
from datetime import datetime, timezone
def rdap_domain(domain: str) -> dict:
"""Query RDAP for domain registration data."""
resp = requests.get(f"https://rdap.org/domain/{domain}")
if resp.status_code != 200:
return {"error": f"HTTP {resp.status_code}"}
data = resp.json()
events = {e["eventAction"]: e["eventDate"] for e in data.get("events", [])}
reg_date = events.get("registration")
age_years = None
if reg_date:
age_days = (datetime.now(timezone.utc) -
datetime.fromisoformat(reg_date.replace("Z", "+00:00"))).days
age_years = round(age_days / 365.25, 1)
return {
"domain": data.get("ldhName"),
"status": data.get("status", []),
"registered": reg_date,
"expires": events.get("expiration"),
"updated": events.get("last changed"),
"age_years": age_years,
"nameservers": [ns["ldhName"] for ns in data.get("nameservers", [])],
}
info = rdap_domain("github.com")
for k, v in info.items():
print(f" {k}: {v}")
6.5 RDAP via JavaScript (Node.js)
// Node 18+ has built-in fetch
async function rdapLookup(domain) {
const res = await fetch(`https://rdap.org/domain/${domain}`);
if (!res.ok) throw new Error(`HTTP ${res.status}`);
const data = await res.json();
const events = {};
data.events?.forEach((e) => {
events[e.eventAction] = e.eventDate;
});
return {
domain: data.ldhName,
status: data.status,
registered: events.registration,
expires: events.expiration,
nameservers: data.nameservers?.map((ns) => ns.ldhName) ?? [],
};
}
// Usage
rdapLookup("github.com").then(console.log).catch(console.error);
✅ RDAP Key API Endpoints: All queries are free and require no API key. Use the hub endpoint
https://rdap.org/(redirects to the correct registry) or query registry-specific endpoints. The IANA bootstrap registries at data.iana.org/rdap/ map every TLD, IP block, and ASN range to its authoritative RDAP server.
7. Sources & References
- [RFC 3912] Daigle, L., "WHOIS Protocol Specification," IETF, September 2004. rfc-editor.org/info/rfc3912
- [RFC 7480] Newton, A., et al., "HTTP Usage in the Registration Data Access Protocol (RDAP)," IETF, March 2015. datatracker.ietf.org/doc/html/rfc7480
- [RFC 7481] Hollenbeck, S. & Kong, N., "Security Services for the Registration Data Access Protocol (RDAP)," IETF, March 2015. datatracker.ietf.org/doc/html/rfc7481
- [RFC 7482] Newton, A. & Hollenbeck, S., "Registration Data Access Protocol (RDAP) Query Format," IETF, March 2015. datatracker.ietf.org/doc/html/rfc7482
- [RFC 7483] Newton, A. & Hollenbeck, S., "JSON Responses for the Registration Data Access Protocol (RDAP)," IETF, March 2015. datatracker.ietf.org/doc/html/rfc7483
- [RFC 7484] Blanchet, M., "Finding the Authoritative Registration Data (RDAP) Service," IETF, March 2015. datatracker.ietf.org/doc/html/rfc7484
- [ICANN] "WHOIS/RDAP Policy," ICANN. lookup.icann.org
- [Dynadot] "WHOIS vs RDAP: What Changed in 2025 and What You Need to Know," Dynadot Blog, 2025. dynadot.com/hub/domain-management/whois-vs-rdap
- [IONOS] "What is RDAP? The new WHOIS protocol," IONOS Digital Guide, 2025. ionos.com/digitalguide/domains/domain-news/whois-sunset/
- [IANA] "RDAP Bootstrap Registries," IANA. data.iana.org/rdap/
- [RDAP.org] Public RDAP hub endpoint for domain, IP, and ASN queries. about.rdap.org
DomainWatcher monitors WHOIS and RDAP data for 500+ TLDs in real-time — tracking expiration dates, registrar changes, and nameserver updates. Try it free at domainwatcher.org.