How to Read WHOIS Records
WHOIS records contain a lot of information, but most people only look at the expiration date. Here's how to read the whole thing and actually understand what you're seeing.
Anatomy of a WHOIS Record
A typical WHOIS record is divided into several sections. The exact format varies by registrar (which is annoying), but the information categories are consistent. Let's break down what you'll see:
Domain Information
This section covers the basics: the domain name itself, its registry ID (a unique identifier), and which WHOIS server has authoritative data. Not particularly exciting, but useful for verifying you're looking at the right domain.
Important Dates
This is where things get interesting. You'll see:
- Creation Date - When the domain was first registered. Older domains often carry more authority with search engines.
- Updated Date - The last time anything changed in the record. A recent update might mean a renewal, transfer, or contact information change.
- Expiration Date - When the current registration period ends. If the owner doesn't renew, the domain eventually becomes available again.
Registrar Information
This tells you which company processed the registration. GoDaddy, Namecheap, Cloudflare, and thousands of others. The registrar can matter for transfers and disputes, and some registrars have better reputations than others.
Registrant Contact
This is supposedly the domain owner's contact information. In practice, you'll usually see privacy service data here instead of actual personal details. GDPR made this even more common; most European registrations now show minimal contact information.
Nameservers
These are the DNS servers that tell the internet where to find the domain's website and email. Nameservers often reveal which hosting provider or CDN the domain uses. Cloudflare nameservers are easy to spot. So are AWS, Google Cloud, and others.
Understanding Domain Status Codes
Status codes are cryptic but important. They tell you what's actually happening with a domain right now. Here are the ones that matter:
clientTransferProhibited
The registrar has locked transfers. Common and usually intentional. The owner asked for this protection or it's on by default.
serverTransferProhibited
The registry itself has blocked transfers. This might indicate a dispute, legal hold, or UDRP proceeding. Red flag for acquisitions.
clientDeleteProhibited
The domain can't be deleted. Another standard protection that prevents accidental or malicious deletion.
pendingDelete
The domain is scheduled for deletion. This is the final stage before it becomes available again. Domain investors watch closely for this status.
redemptionPeriod
The domain expired and passed the grace period. The original owner can still recover it, but it costs extra. After this comes pendingDelete.
serverHold
The registry has suspended the domain. It won't resolve. Could be non-payment, abuse complaints, or legal action.
ok / active
Everything's normal. No special restrictions, no pending actions. This is what a healthy domain looks like.
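To make the sections and status codes above concrete, here is an added example (not code from this page or from any registrar) that parses a record and sorts its status codes into routine ones and ones that need attention. The sample record, the fixed clock `NOW`, the field labels such as "Registry Expiry Date", and the two status groupings are assumptions made for illustration; real labels vary by registrar.

```python
from datetime import datetime, timezone

# Constructed sample record (not real registry output); labels vary by registrar.
SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Updated Date: 2024-03-01T09:15:00Z
Creation Date: 1998-06-12T04:00:00Z
Registry Expiry Date: 2025-06-11T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: redemptionPeriod https://icann.org/epp#redemptionPeriod
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
"""
NOW = datetime(2025, 7, 11, 4, 0, tzinfo=timezone.utc)  # fixed clock, assumption

# Groupings follow the descriptions in the status code list above.
ROUTINE = {"ok", "active", "clienttransferprohibited", "clientdeleteprohibited"}
ATTENTION = {"servertransferprohibited", "serverhold", "redemptionperiod", "pendingdelete"}

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (status, name server) become lists."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            rec.setdefault(key.strip().lower(), []).append(value.strip())
    return rec

def parse_date(value):
    """WHOIS dates are usually UTC; treat a naive timestamp as UTC, never local time."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def triage(text, now):
    rec = parse_whois(text)
    # Status lines often carry a trailing URL; keep only the code itself.
    statuses = [s.split()[0] for s in rec.get("domain status", [])]
    created = parse_date(rec["creation date"][0])
    # The expiry label differs between registrars, so match on the word stem.
    expires = parse_date(next(v[0] for k, v in rec.items() if "expir" in k))
    return {
        "age_days": (now - created).days,
        "days_to_expiry": (expires - now).days,  # negative once expired
        "attention": [s for s in statuses if s.lower() in ATTENTION],
        "unknown": [s for s in statuses if s.lower() not in ROUTINE | ATTENTION],
        "nameservers": sorted(n.lower() for n in rec.get("name server", [])),
    }
```

For the sample, `triage(SAMPLE, NOW)` reports a domain that is decades old but 30 days past expiry and sitting in redemptionPeriod, which the transfer lock alone would not tell you.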
Reading Between the Lines
Raw WHOIS data tells one story. What you can infer tells another. Here are some patterns worth knowing:
Domain Age and Trust
A domain registered in 1998 probably isn't a fly-by-night operation. A domain registered last week might be. Search engines factor domain age into their trust calculations, and so should you when evaluating a website's credibility.
Recent Changes
If the Updated Date is recent but the domain is old, something changed. Maybe a routine renewal. Maybe a transfer. Maybe the domain was sold. Compare the current WHOIS to historical records to see what's different.
Privacy Service Usage
Privacy services aren't suspicious by themselves. Lots of legitimate businesses use them. But if you're investigating potential fraud or trademark infringement, hidden registration details make your job harder.
Nameserver Patterns
Nameservers reveal more than people realize. A domain pointing to ns1.parked-domain.com probably isn't actively used. Custom nameservers like ns1.example.com suggest a more serious operation. Sudden nameserver changes might indicate a hosting migration or a hijacked domain.
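Comparing a current record against a historical one, as described under Recent Changes and Nameserver Patterns, can be done field by field. The following is an added example, not code from this page: both snapshots are constructed, the dictionary layout is hypothetical, and the "review" versus "info" severities are an illustrative heuristic rather than an established rule.

```python
# Two constructed snapshots of one domain's parsed WHOIS fields (hypothetical values).
OLD = {
    "registrar": "Example Registrar, Inc.",
    "expires": "2025-06-11",
    "status": {"clientTransferProhibited", "clientDeleteProhibited"},
    "nameservers": {"ns1.example.com", "ns2.example.com"},
}
NEW = {
    "registrar": "Example Registrar, Inc.",
    "expires": "2025-06-11",
    "status": {"clientDeleteProhibited"},
    "nameservers": {"ns1.parked-domain.com", "ns2.parked-domain.com"},
}

def diff_snapshots(old, new):
    """Return (severity, message) findings describing what changed between snapshots."""
    findings = []
    if old["registrar"] != new["registrar"]:
        findings.append(("review", f"registrar changed: {old['registrar']} -> {new['registrar']}"))
    if new["expires"] > old["expires"]:  # ISO dates compare correctly as strings
        findings.append(("info", f"renewed until {new['expires']}"))
    for code in sorted(old["status"] - new["status"]):
        # Losing a *Prohibited lock removes a protection the domain used to have.
        sev = "review" if code.endswith("Prohibited") else "info"
        findings.append((sev, f"status removed: {code}"))
    for code in sorted(new["status"] - old["status"]):
        findings.append(("review", f"status added: {code}"))
    if old["nameservers"] != new["nameservers"]:
        kept = old["nameservers"] & new["nameservers"]
        # Heuristic (assumption): a full replacement deserves a closer look
        # than a change that keeps at least one existing nameserver.
        sev = "review" if not kept else "info"
        findings.append((sev, f"nameservers now {sorted(new['nameservers'])}"))
    return findings
```

Here the expiration date is unchanged, so the recent update was not a renewal: the transfer lock was dropped and every nameserver was replaced, which is the combination worth checking with the domain's owner.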
Common WHOIS Reading Mistakes
A few things trip people up when reading WHOIS records:
- Assuming contact info is accurate - Even without privacy services, people enter fake information all the time. WHOIS data isn't verified.
- Ignoring time zones - WHOIS dates are usually in UTC. That expiration date might be different in your local time zone.
- Trusting cached data - Many WHOIS lookup tools cache results. You might be seeing data that's hours or days old. Always check the source if timing matters.
- Overlooking status codes - The status field is often more important than the contact information. A domain in redemptionPeriod is very different from one that's active.
Making WHOIS Data Actionable
Knowing how to read WHOIS records is useful. Getting automatic alerts when they change is more useful. Status code changes, expiration updates, and registrar transfers are all things you might want to know about before they become problems.
shadom.co tracks these changes automatically. Add a domain to your watchlist, and you'll get notified when anything in the WHOIS record changes. No manual lookups required.