RDAP vs WHOIS: reading domain registration data
When a suspicious lookalike domain appears, registration data tells you who registered it, when, and through which registrar. WHOIS is the legacy way to get that data; RDAP is its modern, structured successor. Here is what each field means to a defender and how it feeds threat scoring and abuse reporting.
What is WHOIS?
WHOIS is the original protocol and format for domain registration data. A client sends a domain name to a WHOIS server over TCP port 43 and gets back a block of human-readable text listing the registrant, registrar, creation and expiry dates, status codes, and nameservers. It has been around for decades and is still widely referenced, but it was never standardized in a machine-friendly way. Every registry formats its output a little differently, which makes reliable parsing painful.
What is RDAP?
RDAP, the Registration Data Access Protocol, is the modern replacement mandated by ICANN. It returns structured JSON over HTTPS using standard RESTful requests, so the fields are consistent and easy to parse programmatically. RDAP also supports differential access, meaning an authenticated requester can in principle receive more data than an anonymous one, and it provides standardized references to the responsible registrar and registry.
The transition is real and recent. All gTLD registries and registrars have been required to offer RDAP since 2019, and as of January 28, 2025 they are no longer required to operate the old WHOIS service, with a few exceptions such as .com and .net during transition. In practice, build new tooling on RDAP and treat WHOIS as a fallback.
Key fields and what they tell a defender
- Registrar. The company through which the domain was registered. Some registrars are repeatedly abused, and the registrar is also where you send abuse reports.
- Creation date. When the domain was first registered. This is one of the strongest signals for risk scoring.
- Registrant and abuse contacts. Who holds the domain and where to report abuse. Registrant detail is often redacted now (see below), so the abuse contact matters most.
- Nameservers. The authoritative DNS servers. Shared nameservers across several suspicious domains can link a campaign together.
- Status codes. EPP statuses such as clientHold, serverHold, or pendingDelete tell you whether a domain is active, locked, or being removed, which is useful when tracking a takedown.
Why the registration date matters for threat scoring
Attackers register lookalike domains shortly before they use them. A domain that resembles your brand and was created days or weeks ago is far more suspicious than one registered years back. Newly registered domains are therefore a high-weight feature in any risk model. VigilDNS pulls RDAP registration data and folds the creation date into its AI threat verdicts, so a fresh lookalike with a recent registration is scored higher and surfaces sooner. If you have just found one, read someone registered a lookalike of my domain.
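As an added example (not VigilDNS code), here is a small Python parser that pulls the fields above out of an RDAP domain response and turns the registration event into a domain-age feature. The sample response is constructed but follows the RDAP JSON layout (status list, events, entities with jCard contacts); the function and field names are my own.

```python
from datetime import datetime, timezone
SAMPLE_RDAP = {  # constructed: registrant redacted, domain placed on registrar hold
    "objectClassName": "domain",
    "ldhName": "examp1e-brand.test",
    "status": ["client transfer prohibited", "client hold"],
    "events": [{"eventAction": "registration", "eventDate": "2025-03-01T10:15:00Z"}],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "NS1.CHEAP-DNS.TEST"}],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar Ltd"]]],
         "entities": [{"objectClassName": "entity", "roles": ["abuse"],
                       "vcardArray": ["vcard", [["email", {}, "text", "abuse@example-registrar.test"]]]}]},
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [["fn", {}, "text", "REDACTED FOR PRIVACY"]]]},
    ],
}
# RDAP spells EPP statuses with spaces ("client hold" is clientHold); these mean not live or being removed.
INACTIVE_STATUSES = {"client hold", "server hold", "pending delete"}

def parse_ts(s):
    """RDAP timestamps are RFC 3339; fromisoformat on older Pythons needs +00:00 rather than Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def vcard_value(entity, field):
    """First value of a jCard property such as "fn" or "email", or None if absent."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == field:
            return prop[3]
    return None

def walk_entities(entities):
    """Yield every entity, including those nested under a registrar (abuse contacts live there)."""
    for ent in entities:
        yield ent
        yield from walk_entities(ent.get("entities", []))

def summarize(rdap, now=None):
    """Reduce one RDAP record to the fields a defender scores and reports on."""
    now = parse_ts(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    created = next((parse_ts(e["eventDate"]) for e in rdap.get("events", []) if e.get("eventAction") == "registration"), None)
    ents = list(walk_entities(rdap.get("entities", [])))
    status = set(rdap.get("status", []))
    return {
        "domain": rdap.get("ldhName"),
        "registrar": next((vcard_value(e, "fn") for e in ents if "registrar" in e.get("roles", [])), None),
        "abuse_contact": next((vcard_value(e, "email") for e in ents if "abuse" in e.get("roles", [])), None),
        "age_days": (now - created).days if created else None,
        "nameservers": sorted(ns["ldhName"].lower() for ns in rdap.get("nameservers", [])),
        "active": not (status & INACTIVE_STATUSES),
    }
```

The `age_days` value is what a risk model weights; a record with no registration event yields `None` rather than a misleading zero.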
The GDPR and privacy redaction reality
Since GDPR took effect, registrant personal data in public registration records is frequently redacted or replaced with privacy-service placeholders. You often cannot see a real name or email for the registrant. That changes how you investigate: the registrar, the creation date, the nameservers, and the published abuse contact become the load-bearing fields, because the registrant identity may simply not be there. Do not assume a redacted record means the domain is clean; it usually just reflects standard privacy policy.
WHOIS vs RDAP at a glance
| Aspect | WHOIS | RDAP |
|---|---|---|
| Format | Unstructured text | Structured JSON |
| Transport | TCP port 43, plaintext | HTTPS, RESTful |
| Standardization | Varies by registry | Standardized fields |
| Access control | One public view | Differential / tiered access |
| Status | Legacy, being sunset | ICANN-mandated successor |
| Best for | Quick manual lookups | Automation and tooling |
How to look one up
- rdap.org acts as a bootstrap that redirects your query to the correct authoritative RDAP server for the domain's registry.
- ICANN Lookup offers a web interface that queries registration data for any gTLD domain.
- Registry and registrar RDAP endpoints serve the authoritative response directly; the IANA bootstrap registry tells you which server is responsible for a given top-level domain.
For a single domain, a web lookup is fine. For continuous monitoring across many lookalikes, query RDAP programmatically and store the results so you can track changes over time.
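An added example (not the page's own tooling) of the programmatic approach: it queries the rdap.org bootstrap with the RDAP media type and diffs two stored snapshots so that a status or nameserver change, such as a hold landing during a takedown, stands out. The fetch function does a real network call; the before/after records and the registrar handle are constructed.

```python
import json
import urllib.request

RDAP_BOOTSTRAP = "https://rdap.org/domain/"  # redirects to the registry's authoritative RDAP server
WATCHED = ("status", "nameservers", "registrar")

def fetch_rdap(domain):
    """Fetch the live RDAP record for a domain (network call; follows rdap.org's redirect)."""
    req = urllib.request.Request(RDAP_BOOTSTRAP + domain, headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def snapshot(rdap):
    """Keep only the fields whose change is worth alerting on; store one per lookup."""
    registrar = next((e for e in rdap.get("entities", []) if "registrar" in e.get("roles", [])), {})
    return {
        "status": sorted(rdap.get("status", [])),
        "nameservers": sorted(ns["ldhName"].lower() for ns in rdap.get("nameservers", [])),
        # the registrar entity's handle is commonly its IANA ID; None when the entity is absent
        "registrar": registrar.get("handle"),
    }

def changes(old, new):
    """Map each watched field that differs to its (before, after) pair."""
    return {k: (old.get(k), new.get(k)) for k in WATCHED if old.get(k) != new.get(k)}

# Constructed snapshots: the registrar placed the domain on hold after an abuse report.
BEFORE = snapshot({"status": ["client transfer prohibited"],
                   "nameservers": [{"ldhName": "ns1.cheap-dns.test"}],
                   "entities": [{"roles": ["registrar"], "handle": "9999"}]})
AFTER = snapshot({"status": ["client transfer prohibited", "client hold"],
                  "nameservers": [{"ldhName": "ns1.cheap-dns.test"}],
                  "entities": [{"roles": ["registrar"], "handle": "9999"}]})

if __name__ == "__main__":
    print(changes(BEFORE, AFTER))  # only the status field differs
```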
How this feeds attribution and abuse reporting
Registration data is the backbone of attribution. Shared registrars, matching creation dates, and overlapping nameservers help you group several lookalikes into one campaign. The published abuse contact and the registrar are exactly who you notify when you escalate. When you are ready to act on a confirmed impersonation, read how domain takedowns work. Note that VigilDNS provides the registration intelligence and monitoring but does not perform managed takedowns; it gives you the evidence to file an effective report.
Frequently asked questions
Is RDAP replacing WHOIS completely?
Largely yes. ICANN has mandated RDAP and, as of early 2025, removed the requirement for most gTLD operators to run WHOIS. WHOIS still exists in places during the transition, but new tooling should target RDAP.
Why is the registrant name blank or hidden?
Because of privacy regulation such as GDPR, registrant personal data is commonly redacted or routed through a privacy service. Focus on the registrar, creation date, nameservers, and the abuse contact instead.
Does a recent creation date prove a domain is malicious?
No, but it raises the risk. Plenty of legitimate domains are new. Combined with a brand-similar name, suspicious nameservers, or a fresh certificate, a recent creation date is a strong signal worth investigating.
Registration data is most useful when you watch many domains continuously rather than checking one by one. Run our free typosquat checker to find lookalikes of your brand, then see certificate transparency monitoring to catch the certificates those domains request.