If you own a domain name, you have probably heard of “WHOIS”. Whether you had to do a WHOIS lookup or enter the WHOIS information of your domain name, the term keeps popping up. What exactly does it mean, though?

What is WHOIS?

WHOIS is a query and response protocol that is used to identify who owns a particular domain name and to check the current domain registration information. While the available data may vary from one domain extension to another, in the general case the WHOIS information includes the domain registration, expiration and update dates, the registrar company, the owner’s contact information and the name servers that show where the domain is hosted. For some extensions, additional administrative and technical contacts may be listed as well.

For the generic TLDs, the available information is separated into two models depending on the contractual obligations of the registry organization that manages a specific TLD:

  • Thin – a WHOIS lookup returns only general technical information about the domain name – sponsoring registrar, domain status, name servers, registration and expiration dates. An additional query to the WHOIS server of the specific registrar is needed to find out the domain owner information. Verisign, which manages the .COM and .NET extensions, is an example of a thin registry.
  • Thick – a WHOIS lookup returns the complete information with a single query – technical and contact details. The thick model is used by Neustar (.BIZ) and Afilias (.INFO), for example. Using the thick model means faster queries to obtain the information as only one server needs to be contacted.
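The two-step lookup that a thin registry requires can be sketched as follows. This is an added example, not code from the original article: the sample responses and the `.example` host names are constructed, and the "Key: value" field names follow the layout commonly returned by gTLD WHOIS servers.

```python
import re
import socket

# Constructed samples (not real registry output) in the "Key: value" layout.
THIN_REGISTRY = """\
Domain Name: EXAMPLE.COM
Registrar WHOIS Server: whois.registrar.example
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2030-08-13T04:00:00Z
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""
REGISTRAR = THIN_REGISTRY + "Registrant Name: Jane Doe\nRegistrant Email: jane@example.com\n"
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def whois_query(server, query, timeout=10):
    """One WHOIS exchange (RFC 3912): TCP port 43, query + CRLF, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists, since keys may repeat."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip() and not key.startswith(("%", "#", ">")):
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def referral_server(fields):
    """Registrar WHOIS host to ask next, or None if contacts are already present."""
    if any(key.startswith("registrant") for key in fields):
        return None  # thick answer: one query was enough
    host = (fields.get("registrar whois server") or [""])[0].lower()
    # The referral is untrusted input, so only accept a plain hostname.
    return host if HOSTNAME.match(host) else None

def lookup(domain, registry_server, query=whois_query):
    """Return (fields, servers contacted): two hops for thin, one for thick."""
    fields, hops = parse_whois(query(registry_server, domain)), [registry_server]
    nxt = referral_server(fields)
    if nxt and nxt != registry_server:
        fields = parse_whois(query(nxt, domain))
        hops.append(nxt)
    return fields, hops

def fake_query(server, domain):
    """Offline stand-in for whois_query that serves the constructed samples."""
    return THIN_REGISTRY if server == "whois.registry.example" else REGISTRAR
```

Passing `query=fake_query` to `lookup` exercises both paths offline; the default `whois_query` performs the real network exchange.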

A short history

The WHOIS system was created in 1982 by the Defense Advanced Research Projects Agency (DARPA) as a centralized directory that listed the contact information of domain owners. DARPA was the only organization that managed the domain name system back then, which made the administration of the WHOIS information pretty easy.

In 1993, domain management was handed over to Network Solutions, Inc. – the first private company to be in charge of domains. In 1999, the Internet Corporation for Assigned Names and Numbers (ICANN), which was created as a US government agency, took over the .com, .net and .org top-level domains. Shortly after that, it opened the market to other entities and assigned the extensions to different registries – organizations that maintain a complete database of all domains under a specific extension, along with their contact information. The registries, along with the registrar companies that were established to sell domains to end clients, had WHOIS servers of their own. This is when the WHOIS system stopped being a centralized one.

Today, most generic and country-code extensions use the same protocol and follow the same rules, so you can obtain the publicly available information for any domain by querying any WHOIS server. Some small registries, especially national ones, do not have a WHOIS server of their own, but they should still provide a way for their database to be accessed. The most common way to do that is through their website.

A map of the regional Internet registries that maintain WHOIS servers.

Privacy concerns

Back in the 20th century, WHOIS servers supported wildcard searches. In other words, a query for a given name returned all domains owned by individuals with that name, a query for a certain keyword returned a list of all domains that contained that word, etc. As the service was massively abused by spammers, such searches were forbidden. Nowadays, there are two main concerns when it comes to publicly available personal information – identity theft and spam.

Identity theft has been quite an important issue in the past several years as more and more people have started using various internet-based services, such as social media, online banking, etc. Public details such as a postal address and an email make it easier for hackers to impersonate a person and get access to their content or steal their money. Privacy protection has been offered by many registrars in an attempt to combat identity theft but, unfortunately, a lot of domain extensions do not support this service.

Publicly available email addresses are often harvested by spammers who either send tons of unsolicited messages or sell lists of addresses to other spammers. Some WHOIS lookup services try to block bots from harvesting emails by displaying lookup results as an image, not plain text, or by limiting the number of queries per hour and/or IP address. Similar to the privacy protection service mentioned above though, these protection mechanisms are not adopted universally by all WHOIS lookup websites. As a result, such measures slow down email harvesting, but cannot stop it.

Domain status codes

If you have looked up a domain with any generic TLD, you have probably noticed it has a status code in its WHOIS details. There are a total of 18 status codes, and if you are interested in what each one means, you can check them out at https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en.

GDPR – the game changer

The General Data Protection Regulation of the European Union (GDPR), which came into force in May 2018, is the first legal attempt to offer privacy protection on a global scale. The regulation affects all companies that collect personal data from individuals from the European Union as they have to comply with it to be able to operate in the EU. Domain registrars are included as they offer digital services to EU individuals and organizations. Personal data includes any information that can be used to identify an individual.

The most visible effect of the Regulation with regard to domain registrations is in the information that a WHOIS query returns. Effective immediately, all personal information that individuals provided to registrars had to be hidden from the public eye by default and not on demand. The change means that a WHOIS lookup will return the registrar name, registration and expiration dates, and the name servers of the domain, but no other personal information.

A sample WHOIS output after the GDPR came into force.

Although the Regulation affects only EU-based individuals and organizations, it is a big step towards tackling identity theft and spam. As ICANN mandates that the email address associated with a domain name must always be valid, registrar companies now replace the email in the WHOIS details with a link to an online contact form. This way, anybody can contact the domain owner without seeing their real contact information. Anybody who would like their information to be publicly available has the option to do so through the registrar company. It is important to note that personal details of European individuals and organizations can still be disclosed to law enforcement agencies, if needed.

The GDPR is praised as a big success in protecting personal information, so it is not a surprise that there are voices calling for the adoption of a similar regulation in the US as well, since it is the largest domain market in the world. Unfortunately, the lack of a central authority that oversees privacy in the country, along with different state and federal legislation, means that it is unlikely for an equivalent of the GDPR to be adopted any time soon.

WHOIS privacy

Even before the GDPR came into force in the European Union, privacy was a major concern. This is why many registrars have been offering a privacy protection service for quite some time as an attempt to protect their clients’ information from being abused. Different companies have different names for it – WHOIS protection, Privacy protection, WHOIS shield, Domain privacy, etc. Regardless of the different names, the service is the same – your personal information is replaced with the names, address, email and phone number of the registrar or the daughter company they use as a privacy service provider. This way, a WHOIS lookup will not reveal any of your contact details.

Since the GDPR came into effect, EU-based individuals and organizations no longer have to worry about their privacy and they no longer need an additional service to hide their information. Anybody else can use a privacy protection service, but there are two problems with it. The first one is that the service is supported by most generic domain extensions and some of the country-code ones, but many extensions simply do not support privacy protection. In other words, your information will be public no matter what. The second problem is that even if you use privacy protection, many registrars disable the service quite easily not only if they receive a subpoena or a court order, but also if they receive a simple phone request or a cease and desist letter.

The reason for this questionable practice is that most companies are reluctant to get involved in legal battles, so they simply release the real domain owner information and let the two sides handle their differences, regardless of what the case is. In this light, using privacy protection can sometimes give domain owners a false sense of security. Nonetheless, the service is useful to regular domain owners as it helps to protect their identity from spammers.

The WHOIS privacy service does not cost anything to the registrar. The domain owner’s information is replaced automatically with the registrar information. Nonetheless, a lot of companies charge up to $20/year for privacy protection, i.e. for nothing. Others, like ICDSoft, provide the service for free with each and every domain name that supports it.

Why the WHOIS information is important

ICANN requires that all domain owners provide valid contact information when they order a new domain. Many people feel uneasy about having their personal information accessible online, so using a WHOIS privacy service is a solution for them. If the domain extension does not support the service, however, people are often tempted to provide false information on purpose. While such a move is understandable, it can have unforeseen consequences in case there is a problem with the domain name or its registrar.

The Registrant of a domain name is considered to be its rightful owner. If there is a dispute over the domain ownership, if you lose access to your account, or if the registrar company or the reseller you work with goes out of business, you will have to prove that you really own the domain. The only way for this to happen is if the domain WHOIS information is yours. If another name is listed as the Registrant, you will not be able to gain access to the domain – as far as ICANN or the registrar are concerned, you may be trying to steal the domain from its rightful owner.

It is important to note that there have been some controversial and somewhat curious cases of domains that used a WHOIS privacy service. One domain registrar went out of business, so ICANN could see only the privacy service provider information, but not the actual domain owner information. If this happens, it is extremely difficult to prove who really owns the name and the process can take quite a long time.

A more trivial reason to keep your WHOIS information up-to-date is to receive critical communication on time. If your domain is about to expire or there is some issue with it, you will want to have a valid email address where the registry organization or the registrar you bought the domain from can contact you.

The future of WHOIS

The EU’s GDPR was a political act that was adopted after years of negotiations within the Union, but it is highly unlikely that a global policy will be adopted by all countries around the world. Country-code TLDs are managed on a national level and each one has its own policy with regard to handling domain contact information. As all global TLDs are governed by ICANN and not by a national body, however, the organization is taking steps to find the balance between privacy and public interest for these extensions.

RDS, or Registration Directory Service, is the proposed successor of WHOIS. There is no roadmap for when the new protocol will replace WHOIS, but it has already been discussed by the ICANN Board of Directors in 2020. The most important change RDS will bring to the domain world is that lookup queries will be only purpose-driven. A generic lookup will return only the domain technical information – sponsoring registrar, name servers, registration and expiration dates. More sensitive information will be available only to interested parties – domain owners, law enforcement agencies, domain regulators, etc. The new system should improve privacy and accountability, bringing an end to data harvesting and unsolicited emails. We will see in the near future if this will really happen.

This is what the proposed RDS record should look like with gated access.

Author

A web hosting provider since 2001. We host over 58,000 websites for customers in over 140 countries around the globe.