What whois Looks Up
The whois protocol (defined in RFC 3912) provides a query interface to distributed registration databases. When you run whois example.com, your client connects to the appropriate WHOIS server — determined by the TLD — and retrieves the registration record for that domain. For IP addresses, the query goes to one of the five Regional Internet Registries (RIRs) that manage IP address allocation globally.
whois is useful for three distinct tasks. First, checking domain registration details: who registered a domain, through which registrar, and when it expires. Second, identifying IP address ownership: which organization controls a given IP block, and who to contact about abuse. Third, looking up Autonomous System Numbers (ASNs): the routing identifiers assigned to network operators that announce IP prefixes via BGP.
On Linux and macOS, whois is typically installed by default or available via the package manager. On Windows it is not built in — use the Sysinternals Whois.exe tool or an online lookup service.
Domain Lookups
The basic syntax is simply whois followed by the domain name:
whois example.com
A typical domain record returns a block of text with fields like these:
Domain Name: EXAMPLE.COM
Registrar: RESERVED-Internet Assigned Numbers Authority
Registrar WHOIS Server: whois.iana.org
Updated Date: 2023-08-14T07:01:34Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2024-08-13T04:00:00Z
Registrar IANA ID: 376
Domain Status: clientDeleteProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
The most practically useful fields are: Creation Date (how long the domain has been registered — very new domains are sometimes suspicious), Registry Expiry Date (when the registration expires — useful for catching domains about to lapse), Name Server (which DNS servers are authoritative), and Registrar (where it was registered). Domain status codes like clientTransferProhibited indicate whether the domain is locked against transfer.
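The checks described above can be automated once the record is split into fields. The following is an added example, not part of the original article: it parses the sample record and flags new registrations, upcoming expiry, and a missing transfer lock. The 30-day thresholds, the finding labels, and the assumption that dates use the timestamp format of the sample are choices made for this illustration; registries vary in how they format dates.

```python
from datetime import datetime, timezone

# Constructed sample: the record shown above, as raw whois output text.
SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: RESERVED-Internet Assigned Numbers Authority
Registrar WHOIS Server: whois.iana.org
Updated Date: 2023-08-14T07:01:34Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2024-08-13T04:00:00Z
Registrar IANA ID: 376
Domain Status: clientDeleteProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
"""

def parse_record(text):
    """Collect 'Key: value' lines; repeated keys (Name Server) keep every value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def _date(fields, key):
    # Missing or differently formatted dates yield None instead of raising.
    try:
        parsed = datetime.strptime(fields[key][0], "%Y-%m-%dT%H:%M:%SZ")
        return parsed.replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return None

def triage(text, now, new_days=30, expiry_days=30):
    """Return findings for the fields discussed above (thresholds are assumptions)."""
    f = parse_record(text)
    created, expires = _date(f, "creation date"), _date(f, "registry expiry date")
    findings = []
    if created is None or expires is None:
        findings.append("missing-dates")
    else:
        if (now - created).days < new_days:
            findings.append("newly-registered")
        if (expires - now).days < expiry_days:
            findings.append("expiring-or-expired")
    # Status values may carry a trailing URL, so match on the code as a substring.
    if not any("transferprohibited" in s.lower() for s in f.get("domain status", [])):
        findings.append("no-transfer-lock")
    return findings
```

Pass the text captured from a whois run and a timezone-aware `now`; a "missing-dates" finding usually means the registry uses different field names or date formats and the record needs a manual look.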
IP Address Lookups
Querying an IP address returns the record from the relevant Regional Internet Registry. The five RIRs divide the world's IP space geographically: ARIN (North America), RIPE NCC (Europe, Middle East, Central Asia), APNIC (Asia-Pacific), LACNIC (Latin America), and AFRINIC (Africa).
whois 8.8.8.8
The record shows the organization the IP block is assigned to, the network range (in CIDR notation), the country of registration, and crucially the abuse contact — the email address to report malicious traffic originating from that IP range. It also includes the ASN that announces the block.
ASN Lookups
An Autonomous System Number identifies a network operator in BGP routing. You can look up an ASN directly by prefixing it with AS:
whois AS15169
This returns the record for Google's primary ASN, showing the organization name, the IP prefixes it announces, and contact information. Knowing an IP's ASN helps you understand whether traffic is coming from a cloud provider, an ISP, a CDN, or a specific enterprise network.
Key Differences by Query Type
| Query Type | Example | Data Source | Key Fields |
|---|---|---|---|
| Domain name | whois google.com | TLD registry + registrar | Registrar, creation/expiry dates, name servers, status |
| IPv4 address | whois 8.8.8.8 | Regional Internet Registry (ARIN, RIPE, etc.) | Org name, network range, ASN, abuse contact |
| IPv6 address | whois 2001:4860:: | Regional Internet Registry | Same as IPv4 — org, prefix, ASN, abuse contact |
| ASN | whois AS15169 | Regional Internet Registry | Organization, announced prefixes, contact |
Privacy Redaction and GDPR
Until around 2018, domain whois records included the registrant's full name, address, phone number, and email. GDPR compliance led most registrars to redact this information for domains registered by individuals. You now typically see REDACTED FOR PRIVACY or a proxy email in place of personal contact details. Business registrations may still show company details. Some TLD registries (particularly country-code TLDs) have their own policies that differ from the global norm.
For investigative purposes, ICANN's Registration Data Access Protocol (RDAP) is the modern replacement for whois and returns structured JSON rather than freeform text — though it is subject to the same privacy restrictions.
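To show what structured JSON buys you over freeform text, here is an added example (not from the original article) that pulls the same fields out of an RDAP domain response. The response is constructed for this illustration using the member names defined in RFC 9083, with values mirroring the text record shown earlier; the `summarize` function and its output keys are hypothetical names.

```python
import json

# Constructed RDAP domain response (member names per RFC 9083); the values are
# illustrative and mirror the whois text record shown earlier on the page.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2024-08-13T04:00:00Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "a.iana-servers.net"},
        {"objectClassName": "nameserver", "ldhName": "b.iana-servers.net"},
    ],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "RESERVED-Internet Assigned Numbers Authority"]]]},
        {"objectClassName": "entity", "roles": ["registrant"]},  # contact withheld
    ],
})

def _fn(entity):
    """Return the vCard 'fn' (formatted name) of an entity, or None if withheld."""
    props = (entity.get("vcardArray") or [None, []])[1]
    return next((p[3] for p in props if p[0] == "fn"), None)

def summarize(rdap_text):
    """Extract the fields the article highlights, with no text scraping needed."""
    doc = json.loads(rdap_text)
    if doc.get("objectClassName") != "domain":
        raise ValueError("not an RDAP domain object")
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    by_role = {r: _fn(e) for e in doc.get("entities", []) for r in e.get("roles", [])}
    return {
        "domain": doc.get("ldhName"),
        "created": events.get("registration"),
        "expires": events.get("expiration"),
        "status": doc.get("status", []),
        "name_servers": [ns["ldhName"] for ns in doc.get("nameservers", [])],
        "registrar": by_role.get("registrar"),
        "registrant": by_role.get("registrant"),  # None when redacted or withheld
    }
```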
Frequently Asked Questions
What information does whois return for a domain?
A domain whois record includes the registrar name, registration and expiry dates, name servers, domain status codes, and the WHOIS server used. Registrant contact details are often redacted under GDPR for domains registered by individuals, replaced with privacy proxy information.
How do I look up who owns an IP address with whois?
Run whois followed by the IP address, for example whois 8.8.8.8. The output shows the Regional Internet Registry record for that IP block: the organization it is assigned to, the network range, the ASN, and the abuse contact email address.
What is an ASN in whois output?
An ASN (Autonomous System Number) is a unique identifier assigned to a network operator that announces IP address blocks via BGP. Each ISP, cloud provider, and large organization has one or more ASNs. Look one up directly with whois AS[number] — for example, whois AS15169 for Google.
Why is registrant contact information redacted in whois?
GDPR led most registrars to hide personal contact details for domains registered by individuals. Instead of a name and address, records typically show "REDACTED FOR PRIVACY" or a proxy forwarding address. Business registrations may still display company information, and policy varies by TLD registry.
Is whois available on Windows?
whois is not built into Windows. Options include: Microsoft's free Sysinternals Whois.exe tool, the Windows Subsystem for Linux (WSL) which provides a full Linux environment including whois, or any web-based whois lookup service. Chocolatey users can install it with choco install whois.
What is the difference between whois and dig?
whois queries registration databases to find who owns a domain or IP address — it returns administrative and contact information from registrars and regional internet registries. dig queries DNS servers to resolve how domain names map to IP addresses. whois answers "who owns this?" while dig answers "where does this point?"