WHOIS / RDAP Lookup

Pull registrar, expiry, EPP status codes and nameservers from the authoritative registry. RDAP first, legacy WHOIS where the TLD hasn't migrated.


How this WHOIS lookup works

WHOIS (RFC 3912) is the port-43 text protocol registries have used since the 1980s to publish who owns a domain. RDAP (RFC 7480) is the JSON-over-HTTPS replacement ICANN mandated for gTLDs in 2017. The data is the same. The wire format is not.

Type a domain above and the tool asks the IANA bootstrap registry which RDAP server is authoritative for that TLD, then queries that server directly. If the TLD has not moved to RDAP yet (.za, .ac, most of the older ccTLDs), we fall back to the legacy WHOIS server and parse the free-text response. Privacy-redacted fields are labelled as such so you can tell "withheld for GDPR" from "the registrar never set it".
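The RDAP-first decision described above, as an added sketch (not this tool's own code). The bootstrap excerpt is constructed in the RFC 9224 layout with placeholder server URLs, and the function names are hypothetical.

```python
import json

# Constructed excerpt in the RFC 9224 bootstrap layout (the real file is
# https://data.iana.org/rdap/dns.json); the server URLs are placeholders.
SAMPLE_BOOTSTRAP = json.loads("""
{
  "version": "1.0",
  "services": [
    [["com", "net"], ["https://rdap.registry-a.example/v1/"]],
    [["org"], ["http://rdap.registry-b.example", "https://rdap.registry-b.example"]]
  ]
}
""")


def rdap_base_for(domain, bootstrap):
    """Return the authoritative RDAP base URL for a domain, or None."""
    labels = domain.lower().rstrip(".").split(".")
    # RFC 9224: the longest label-wise suffix match wins, so try
    # "www.example.com", then "example.com", then "com".
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        for entries, urls in bootstrap["services"]:
            if suffix in entries:
                # Prefer HTTPS when a service lists both schemes.
                https = [u for u in urls if u.startswith("https://")]
                chosen = (https or urls)[0]
                return chosen if chosen.endswith("/") else chosen + "/"
    return None


def plan_lookup(domain, bootstrap):
    """Decide which protocol answers, mirroring the RDAP-first flow."""
    name = domain.lower().rstrip(".")
    base = rdap_base_for(name, bootstrap)
    if base is None:
        # No bootstrap entry: fall back to port-43 WHOIS, where the
        # query is the name followed by CRLF (RFC 3912).
        return {"protocol": "whois", "port": 43, "query": name + "\r\n"}
    return {"protocol": "rdap", "url": base + "domain/" + name}
```

Which WHOIS host to contact for a TLD without an RDAP entry is a separate lookup and is left out here.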

What do the EPP status codes mean?

Status codes are the registry's record of what the domain is allowed to do. The client* codes are set by the registrar, the server* codes by the registry. The locks you actually want to see on a production domain:

clientTransferProhibited    ← blocks unauthorised registrar transfer
clientUpdateProhibited      ← blocks contact / nameserver edits
clientDeleteProhibited      ← blocks accidental deletion

The ones you don't want: pendingDelete (queued for release), redemptionPeriod (expired, paid recovery window still open), and clientHold or serverHold (the domain has been suspended and is no longer resolving).

How accurate is the registrant data?

Since GDPR took effect in May 2018, most gTLD registrars redact the registrant name, address and phone number from public output by default. You'll see REDACTED FOR PRIVACY or an empty field. The technical contacts (nameservers, expiry, registrar of record, abuse channel) stay public because the rest of the stack needs them.

Our take: for any post-GDPR domain, treat the redacted output as the default and don't read meaning into a blank registrant. If you need the actual contact for an abuse report, go through the registrar's abuse address (which is in the output) rather than expecting WHOIS to hand you a person.

Why does the expiry date matter?

Domains don't drop the moment they expire. ICANN gives you a 30-day auto-renew grace window, then a 30-day redemption period at a recovery fee that's usually 10× the normal renewal, then a 5-day pending-delete state before the domain hits the open market. ccTLDs run their own timetables. .co.za gives 30 days plus a closed-redemption window, after which the domain is auctioned through ZACR.

What to do: if the expiry chip on this page shows under 90 days, book the renewal now. If it shows under 30 days and the registrar isn't responding, escalate to their abuse contact. The lookup surfaces that address.
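The status-code and expiry checks from the two sections above, applied to an RDAP domain response, as an added example (not this tool's own code). The response is constructed, the function names are hypothetical, and the stage boundaries use the gTLD figures quoted on this page with half-open ranges.

```python
from datetime import datetime, timezone

# RDAP reports EPP codes as spaced lowercase strings (RFC 8056 mapping).
WANTED_LOCKS = {"client transfer prohibited": "clientTransferProhibited",
                "client update prohibited": "clientUpdateProhibited",
                "client delete prohibited": "clientDeleteProhibited"}
BAD_STATES = {"pending delete": "pendingDelete",
              "redemption period": "redemptionPeriod",
              "client hold": "clientHold", "server hold": "serverHold"}

# Constructed RDAP domain response, trimmed to the fields used here.
SAMPLE = {
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client hold"],
    "events": [
        {"eventAction": "registration", "eventDate": "2015-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"}],
    "nameservers": [{"ldhName": "NS1.EXAMPLE.NET"},
                    {"ldhName": "ns2.example.net"}],
}


def expiry_stage(days_left):
    """Map days until expiry (negative: days since) to a stage."""
    # Half-open ranges: day 30 after expiry is redemption, day 65 is dropped.
    stages = [(90, "ok"), (30, "renew now"),
              (0, "renew now, escalate if registrar is silent"),
              (-29, "auto-renew grace"), (-59, "redemption period"),
              (-64, "pending delete")]
    return next((s for floor, s in stages if days_left >= floor), "dropped")


def audit(rdap, now=None):
    """Summarise locks, bad states, nameservers and expiry stage."""
    now = now or datetime.now(timezone.utc)
    status = {s.lower() for s in rdap.get("status", [])}
    expiry = next((e["eventDate"] for e in rdap.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    days = None
    if expiry:  # older fromisoformat() rejects a trailing "Z"
        when = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        days = (when - now).days
    return {
        "missing_locks": sorted(v for k, v in WANTED_LOCKS.items() if k not in status),
        "bad_states": sorted(v for k, v in BAD_STATES.items() if k in status),
        "nameservers": sorted(n["ldhName"].lower() for n in rdap.get("nameservers", [])),
        "stage": expiry_stage(days) if days is not None else "unknown",
    }
```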

Where to go next

WHOIS tells you which nameservers the registry has on record. To confirm those nameservers are actually serving the zone you expect, use the DNS lookup tool. For the equivalent service on an IP address (network owner, ASN, abuse contact), see the IP / ASN lookup. If the domain you're checking is meant to send mail, run it through the deliverability checker for SPF, DKIM and DMARC in one pass.

Frequently Asked Questions

Common questions about WHOIS, RDAP, and registry data.

For gTLDs (.com, .net, .org and the rest of the new generic tail), registrars have redacted the registrant name and contact details from public output since May 2018 to comply with GDPR. The field is usually replaced with REDACTED FOR PRIVACY, sometimes just left empty. The owner still exists in the registrar's internal records. They're simply not on public display.

If you need to reach whoever runs the domain, the abuse contact in the registrar block is the route. ICANN requires every registrar to maintain a working abuse address and act on reports within 24 hours.

WHOIS is the port-43 plain-text protocol that's been running since 1982. RDAP is JSON over HTTPS, with the same underlying data and a defined schema. ICANN required every gTLD registry and accredited registrar to support RDAP from 2019 and is in the process of retiring port-43 for gTLDs entirely.

This tool queries RDAP first via the IANA bootstrap registry, then falls back to legacy WHOIS for TLDs that haven't migrated yet (mostly older ccTLDs, including .za). You shouldn't have to care which protocol answered, but the output box notes it so you know whether you're reading parsed JSON or scraped text.

Probably, if you move now. For gTLDs the timeline is fixed: 0–30 days after expiry the registrar will still auto-renew at the normal price, 30–60 days you're in the redemption period and recovery costs roughly ten times a renewal, then 60–65 days is pending-delete and the domain is unrecoverable. Day 65 it hits the drop pool.

ccTLDs differ. .co.za gives you a closed-redemption window through ZACR; some registries auction expired premium names rather than dropping them. The status code in the lookup tells you which stage you're in. redemptionPeriod is the loud one.