Learn how to read WHOIS and RDAP output for domains, IP addresses, and ASNs. Understand every field — registrar, expiry, status codes, RIR allocation, abuse contacts, and why some data is redacted.

How to Read WHOIS Output: Fields, Status Codes, and RDAP Explained

TL;DR WHOIS output shows registration and ownership data for domains, IP addresses, and ASNs. The two key things to understand: (1) domain WHOIS and IP WHOIS return completely different field sets, and (2) most modern tools (including DNS Buddy) use RDAP instead of legacy WHOIS — giving you structured, consistent data instead of free-form text.

WHOIS vs RDAP: What's the Difference?

Legacy WHOIS is a 40-year-old protocol that returns unformatted plain text. The format varies by registrar and registry — fields have different names, ordering differs, and parsing it automatically is unreliable.

RDAP (Registration Data Access Protocol) is the modern replacement. It returns structured JSON with consistent field names across all registries. DNS Buddy uses RDAP by default wherever supported, falling back to legacy WHOIS for registrars that haven't migrated.

The data is the same — RDAP just structures it consistently so it's easier to read and cross-reference.

Domain WHOIS: Field by Field

When you look up a domain, you're querying the domain registry (for gTLDs like .com, this is Verisign) and the registrar (where the domain was purchased). Here's what each field means:

Registrar Information

Registrar: The company where the domain is registered (GoDaddy, Namecheap, Cloudflare, Google Domains, etc.).

Registrar IANA ID: A unique numeric identifier assigned to the registrar by ICANN.

Registrar Abuse Contact Email / Phone: Where to report abuse originating from domains registered through this registrar.

Important Dates

Creation Date / Registered On: When the domain was first registered. A very recent creation date on an unfamiliar domain is a signal worth noting in security investigations.

Updated Date / Last Updated: The last time any registration data was modified. Frequent updates can indicate the domain is actively managed — or actively manipulated.

Expiry Date / Registry Expiry Date: When the registration expires. Domains approaching expiry may be at risk of lapsing. During a domain acquisition or security audit, check whether the expiry date gives you enough runway.

Name Servers

Name Server: The DNS servers authoritative for the domain — where DNS queries for this domain are sent. Nameservers tell you who manages the domain's DNS (Cloudflare, AWS Route 53, a hosting provider, etc.). Unexpected nameserver changes are a strong indicator of domain hijacking.

Domain Status Codes

Status codes describe what operations are currently allowed on the domain. Multiple statuses can apply simultaneously.

Status                     Meaning
ok                         No restrictions. Normal state.
clientTransferProhibited   Transfer to another registrar is locked at the registrar level. Common — prevents unauthorized transfers.
clientDeleteProhibited     Domain cannot be deleted by the registrant.
clientUpdateProhibited     Domain data cannot be modified.
serverTransferProhibited   Transfer prohibited at the registry level (stronger than client-level lock).
serverDeleteProhibited     Deletion prohibited at the registry level.
serverUpdateProhibited     Updates prohibited at the registry level.
pendingTransfer            A transfer to another registrar is in progress.
pendingDelete              Domain is in the deletion pipeline — likely recently expired.
redemptionPeriod           Domain expired and is in a grace period where the original registrant can still reclaim it (usually 30 days).
pendingRestore             Registrant requested restore from redemption period.

What to look for: a domain with no transfer or delete locks (ok only) is more vulnerable to unauthorized transfers. High-value domains should have clientTransferProhibited and clientDeleteProhibited at minimum.

Registrant / Contact Data

Registrant / Admin / Tech contact: Name, organization, email, phone, and address of the domain owner and administrative contacts. In practice, most of this is now redacted.

Why Most Contact Data Is Redacted

Since GDPR (2018) and ICANN's subsequent policy changes, registrars are required to redact personal data for registrants in privacy-protected jurisdictions. Most .com, .net, and .org registrations now show something like:

Registrant Email: Please query the RDDS service of the Registrar
Registrant Organization: REDACTED FOR PRIVACY

This is normal and expected. It's not a sign the domain is suspicious — it's the default for virtually all consumer registrations.

For business domains registered through a corporate account, organization name may still be visible even when personal data is redacted.

IP Address WHOIS: Field by Field

IP WHOIS data comes from the Regional Internet Registries (RIRs) — ARIN (North America), RIPE NCC (Europe/Middle East), APNIC (Asia-Pacific), LACNIC (Latin America), and AFRINIC (Africa).

RIR and Allocation Data

Network / NetRange / CIDR: The IP address block allocated to this organization. If you're investigating a single IP, this shows the full range it belongs to.

NetName / Network Name: A short identifier for the network block, assigned by the RIR.

Organization / OrgName: The company or entity that was allocated this IP block.

OrgId: A unique identifier for the organization in the RIR's database.

Country: The country where the IP block is registered. Note: this reflects registration location, not necessarily where servers using these IPs are physically located.

Contact Information

OrgAbuseEmail / Abuse-Mailbox: The email address for reporting abuse (spam, attacks, illegal activity) originating from IPs in this block. This is what you use to file an abuse report.

OrgTechEmail: Technical contact for network-level issues.

OrgNOCEmail: Network Operations Center contact — for routing or connectivity problems.

Dates

RegDate: When the IP block was allocated to this organization.

Updated: Last modification to the registration data.

ASN WHOIS: Field by Field

An ASN (Autonomous System Number) identifies a network that operates under a single routing policy on the internet — typically an ISP, cloud provider, or large enterprise.

ASN / AutNum: The AS number itself (e.g., AS13335 for Cloudflare).

AS Name: Short identifier for the AS.

Organization: Who operates this autonomous system.

Description: Free-text description of the network's purpose.

IP Prefixes: The IP ranges announced by this AS. Knowing the ASN lets you understand the full scope of addresses under one operator's control — useful when clustering IPs from the same source.

Reading RDAP Output in DNS Buddy

DNS Buddy displays RDAP results in a structured format rather than raw JSON or legacy WHOIS text. Key things to orient to:

  • Domain lookups show registration summary at the top (dates, registrar, status), then nameservers, then contact data (often redacted)
  • IP lookups show the network block and owning organization first, then abuse/tech contacts
  • ASN lookups show the operator and IP ranges announced

For a mixed list of domains, IPs, and ASNs, use Bulk WHOIS Lookup — it handles all three in one request and shows results side by side.

Common Use Cases

Security investigation: unknown IP in logs

  1. Look up the IP — identify the owning organization and CIDR block
  2. Note the ASN — cluster other IPs from the same AS to see if the activity is coordinated
  3. Use OrgAbuseEmail to file an abuse report if needed
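The three steps above, worked as an added example (this is not DNS Buddy's code): a small Python script that takes an RDAP "ip network" response, the structured form the RIRs return (RFC 9083), and pulls out the CIDR block, owning organization, registration country, allocation dates and the abuse and NOC contacts. The RDAP document embedded in it is a constructed sample with made-up addresses, names and contacts; the keys it reads (startAddress, endAddress, name, country, events, entities, roles, vcardArray) are the standard RDAP ones. It does not perform the network lookup itself: pass it the JSON your RDAP client returned.

```python
"""Triage an IP seen in logs from its RDAP 'ip network' response.

Added example, not DNS Buddy's code. SAMPLE_IP_RDAP is a constructed
document in the RFC 9083 shape; addresses, names and contacts are made up.
"""
import ipaddress
import json

# Constructed sample response for an IP-network lookup (not a real record).
SAMPLE_IP_RDAP = json.dumps({
    "objectClassName": "ip network",
    "handle": "NET-203-0-113-0-1",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "ipVersion": "v4",
    "name": "EXAMPLE-NET",
    "country": "US",
    "events": [
        {"eventAction": "registration", "eventDate": "2015-06-01T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2023-02-10T12:00:00Z"},
    ],
    "entities": [{
        "objectClassName": "entity",
        "handle": "EXORG",
        "roles": ["registrant"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example Hosting Inc."]]],
        # RIRs often hang the abuse/NOC contacts under the registrant org.
        "entities": [
            {"objectClassName": "entity", "handle": "ABUSE-EX", "roles": ["abuse"],
             "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                      ["email", {}, "text", "abuse@example.net"]]]},
            {"objectClassName": "entity", "handle": "NOC-EX", "roles": ["noc"],
             "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                      ["email", {}, "text", "noc@example.net"]]]},
        ],
    }],
})


def vcard_field(entity, name):
    """First value of a jCard property such as 'fn' or 'email'."""
    for prop in (entity.get("vcardArray") or ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None


def walk_entities(obj):
    """Yield every entity in the response, including nested ones."""
    for ent in obj.get("entities", []):
        yield ent
        yield from walk_entities(ent)


def contact_by_role(obj, role):
    """Email of the first entity carrying the given RDAP role."""
    for ent in walk_entities(obj):
        if role in ent.get("roles", []):
            return vcard_field(ent, "email")
    return None


def network_cidrs(obj):
    """RDAP reports a start/end address pair; collapse it to CIDR blocks."""
    start = ipaddress.ip_address(obj["startAddress"])
    end = ipaddress.ip_address(obj["endAddress"])
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def event_date(obj, action):
    """ISO timestamp of an RDAP event ('registration', 'last changed')."""
    for ev in obj.get("events", []):
        if ev.get("eventAction") == action:
            return ev.get("eventDate")
    return None


def triage_ip(rdap_json, ip):
    """Collect the fields an analyst needs for an IP found in logs."""
    obj = json.loads(rdap_json)
    cidrs = network_cidrs(obj)
    registrant = next((e for e in walk_entities(obj)
                       if "registrant" in e.get("roles", [])), {})
    return {
        "ip": ip,
        # Sanity check: the RDAP object actually covers the address we asked about.
        "in_block": any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs),
        "cidr": cidrs,
        "net_name": obj.get("name"),
        "organization": vcard_field(registrant, "fn"),
        "country": obj.get("country"),   # registration country, not server location
        "abuse_email": contact_by_role(obj, "abuse"),
        "noc_email": contact_by_role(obj, "noc"),
        "allocated": event_date(obj, "registration"),
        "updated": event_date(obj, "last changed"),
    }


if __name__ == "__main__":
    for key, value in triage_ip(SAMPLE_IP_RDAP, "203.0.113.42").items():
        print(f"{key:>13}: {value}")
```

The in_block check matters when you batch-process logs: an RDAP answer for one address is reused for every neighbour in the same block, so confirming the block really contains the address catches copy-paste mistakes before an abuse report goes to the wrong operator.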

Domain due diligence

  1. Check creation date — very new domains are a risk signal
  2. Check expiry date — ensure the domain isn't about to lapse
  3. Check nameservers — verify they match the expected DNS provider
  4. Check status codes — confirm transfer locks are in place
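An added example that turns the status code table and this four-step checklist into one repeatable check (it is not DNS Buddy's code). It takes an RDAP domain response in the RFC 9083 shape, maps the RDAP status spellings to the EPP codes listed in the table (per RFC 8056, RDAP says "client transfer prohibited" where legacy WHOIS says clientTransferProhibited, and "active" where WHOIS says ok), and reports domain age, days to expiry, missing transfer/delete locks and any nameserver outside the expected DNS provider. The RDAP document, registrar, dates and nameservers are constructed; the 30-day thresholds, the expected_ns_suffix parameter and the fixed NOW_FOR_DEMO timestamp are the example's own choices, not a standard.

```python
"""Domain due-diligence checks over an RDAP domain response.

Added example, not DNS Buddy's code. SAMPLE_DOMAIN_RDAP is a constructed
document in the RFC 9083 shape; registrar, dates and nameservers are made up.
The 30-day thresholds are this example's choice, not a standard.
"""
import json
from datetime import datetime, timezone

# Fixed "now" so the age/expiry arithmetic is reproducible (constructed).
NOW_FOR_DEMO = datetime(2025, 11, 1, tzinfo=timezone.utc)

# Locks the page recommends as a minimum for high-value domains.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientDeleteProhibited"}

SAMPLE_DOMAIN_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-shop.test",
    # RDAP uses the RFC 8056 spellings; legacy WHOIS shows the EPP codes.
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2024-11-20T09:15:00Z"},
        {"eventAction": "last changed", "eventDate": "2025-01-05T08:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-11-20T09:15:00Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "ns1.dns-provider.test"},
        {"objectClassName": "nameserver", "ldhName": "ns2.dns-provider.test"},
    ],
    "entities": [{
        "objectClassName": "entity",
        "roles": ["registrar"],
        "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example Registrar LLC"]]],
    }],
})


def to_epp_status(status):
    """Map an RDAP status ('client transfer prohibited') to its EPP code
    ('clientTransferProhibited') per RFC 8056. EPP codes pass through."""
    if status == "active":          # RFC 8056: EPP 'ok' is RDAP 'active'
        return "ok"
    words = status.split()
    return words[0] + "".join(w.capitalize() for w in words[1:])


def event_date(obj, action):
    """Parsed timestamp of an RDAP event ('registration', 'expiration')."""
    for ev in obj.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def registrar_info(obj):
    """(registrar name, IANA registrar ID) from the entity with role 'registrar'."""
    for ent in obj.get("entities", []):
        if "registrar" in ent.get("roles", []):
            name = next((p[3] for p in ent["vcardArray"][1] if p[0] == "fn"), None)
            iana = next((p["identifier"] for p in ent.get("publicIds", [])
                         if p.get("type") == "IANA Registrar ID"), None)
            return name, iana
    return None, None


def due_diligence(rdap_json, expected_ns_suffix, now=NOW_FOR_DEMO):
    """Run the four checklist items and return a report with findings."""
    obj = json.loads(rdap_json)
    created, expires = event_date(obj, "registration"), event_date(obj, "expiration")
    statuses = {to_epp_status(s) for s in obj.get("status", [])}
    nameservers = [ns["ldhName"].lower() for ns in obj.get("nameservers", [])]
    registrar, iana_id = registrar_info(obj)

    findings = []
    age_days = (now - created).days if created else None
    if age_days is not None and age_days < 30:          # step 1: very new domain
        findings.append(f"domain is only {age_days} days old")
    days_left = (expires - now).days if expires else None
    if days_left is not None and days_left < 30:        # step 2: about to lapse
        findings.append(f"registration expires in {days_left} days")
    stray = [ns for ns in nameservers if not ns.endswith(expected_ns_suffix)]
    if stray:                                            # step 3: unexpected DNS
        findings.append(f"nameservers outside {expected_ns_suffix}: {stray}")
    for lock in sorted(REQUIRED_LOCKS - statuses):      # step 4: missing locks
        findings.append(f"missing lock: {lock}")

    return {"domain": obj.get("ldhName"), "registrar": registrar,
            "registrar_iana_id": iana_id, "status": sorted(statuses),
            "age_days": age_days, "days_to_expiry": days_left,
            "nameservers": nameservers, "findings": findings}


if __name__ == "__main__":
    for key, value in due_diligence(SAMPLE_DOMAIN_RDAP, ".dns-provider.test").items():
        print(f"{key:>18}: {value}")
```

Mapping statuses through to_epp_status before comparing is the point of the middle part: a check written against the legacy spellings would silently report "missing lock" on every RDAP response, because "client transfer prohibited" never string-matches clientTransferProhibited.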

Vendor security review

  1. Look up the vendor's domain — note registrar and expiry
  2. Look up their mail server IPs — confirm they belong to a known mail provider
  3. Check nameservers — confirm DNS is managed by a reputable provider

Frequently Asked Questions

Why is most WHOIS contact data redacted?

Since GDPR in 2018 and subsequent ICANN policy changes, registrars are required to redact personal contact data for EU registrants and increasingly apply the same globally. Most consumer registrations now show 'REDACTED FOR PRIVACY' for name, email, and address fields. This is standard and doesn't indicate anything suspicious.

What is the difference between domain WHOIS and IP WHOIS?

Domain WHOIS data comes from domain registries and registrars — it covers registration dates, nameservers, status codes, and registrant contact data. IP WHOIS data comes from Regional Internet Registries (RIRs like ARIN and RIPE) — it covers which organization was allocated an IP block, the CIDR range, and abuse contacts. They are entirely separate systems.

What does 'clientTransferProhibited' mean?

It means the registrar has placed a lock on the domain preventing it from being transferred to another registrar. This is the most common domain lock and is considered a baseline security measure — it prevents unauthorized domain transfers even if an attacker gains access to the registrant's account email.

Why does the IP WHOIS show a different country than where the server actually is?

WHOIS country reflects where the IP block was registered with the RIR — the legal jurisdiction of the organization that holds the allocation. Physical server location may differ. A US company can deploy servers in Europe while the IP block is registered to a US address.

What is RDAP and how is it better than legacy WHOIS?

RDAP (Registration Data Access Protocol) returns JSON with consistent field names across all registries. Legacy WHOIS returns unstructured text that varies by registrar — field names, ordering, and formatting are all inconsistent. RDAP makes the same data machine-readable and easier to parse. DNS Buddy uses RDAP where available.