markdown guide

When you register a domain you input personal information about yourself (or whoever you want really.. ) or you can pay to have that information hidden. So think of a WHOIS lookup as a digital phonebook of all of those records, except some of those records might be lies or private. It's the contact information tied to an IP address or domain. It's mainly used to report Abuse on a site. For example, if someone figured out a way to spoof spam emails from, if there is a WHOIS record someone could report it to the proper admin.


AFAIK it's prohibited to put whoever you want for the info about the domain holder. ICANN makes registrars to periodically sends notifications to you to check if your personal info is okay. They can freeze or completely remove your domain if they'll find out you're lying with the WHOIS info. Paying for hiding the info would only hide it from regular users, ICANN (and probably other companies/users) still can ask for it in a legal form (a signed document or something like that).

The Expert Working Group (EWG) of the Internet Corporation for Assigned Names and Numbers (ICANN) recommended on 24 June 2013 that WHOIS should be scrapped. It recommends that WHOIS be replaced with a system that keeps information secret from most Internet users, and only discloses information for "permissible purposes."

(c) Wikipedia.


This is probably less important for someone who knows their site will be taken down within a day for phishing or distributing malware though right?

This is still important for those who look for WHOIS privacy and thinks that putting random stuff in the "domain holder" form isn't that bad. I did it once and received a mail that if the info is wrong, your domain may be removed. I reverted it immediately because:

  1. I didn't know about that.
  2. I didn't want to lose my domain :)

Of course those who spread malware on the Internet doesn't care about that. I guess they have some methods to register domains without putting a lot of info and don't get banned, but I'm not one of them so I don't know :)

I mentioned it to reaffirm that a WHOIS record is not a reliable source for attribution. Just because there's a name and phone number for a malicious site in a WHOIS record doesn't mean it's real.


AFAIK there are companies behind any TLD domain and the domain registrars have to send the info about you to them. Whenever you're doing a WHOIS query, the client asks hard coded servers about the WHOIS server for the TLD of the url it requested (e.g. They returns the servers responsible for that TLD (.to), the client asks them about the domain (WHOIS SERVER:{some company responsible for the .to TLD}) and you get your stuff.



It's like a DNS query. You ask hard coded servers, they response with some other servers, they response with the data.


This is somewhat off-topic to the technical description of how WHOIS lookups operate, but I'll share anyway.

A domain owner sets their WHOIS information at their domain name Registrar. A registrar is an entity that is accredited by ICANN to handle the registration and management of domain names. I believe the biggest registrar at this point is GoDaddy (yes, of those provocative Super Bowl ads), but other big ones you've probably heard of include Enom, Network Solutions, and Tucows.

A lot of times the registrars maintain Reseller relationships with various hosting companies, allowing them to sell domains through their own platform. IE, "create your $10/mo hosting account and get a free domain name!"

Registrars can transfer names back and forth between each other. In order to ensure the transfer is authorized, and that the true owner actually does want to move the name, the host-registrar will generate a secret token (called an auth code or EPP) that is sent to the rightful owner of the domain name. The recipient has to enter that EPP code on the receiving registrar in order to pass along the "handshake" that this is in fact an authorized transfer.

However, there's a major flaw in this design. That auth code is typically sent to the administrative email on file with the registrar β€” information that lives in the public WHOIS database! Now, why is that a problem?

A savvy attacker can generate a list valuable domain names, programmatically scrape all of the administrative emails from the WHOIS data, and then go check which of those emails are available. For instance, if I had set the admin email on my domain portfolio to "" but then let "" expire, anyone can go register that domain name and "hijack" my email. Doing so gives them control to initiate a transfer on my domain name, receive "my" EPP key to the email they control, and then fraudulently authorize the transfer at the receiving registrar.

So, my account at the registrar is never directly compromised, but there's a leakage in the authorization control that allows someone to steal the contents of my account, the domains themselves.

I haven't been actively in the domain world for a few years, so some of this might be a bit out of date or patched up at this point. Registrars also include "locks" which sometimes require an additional verification before they allow the transfer which can help mitigate the problem. But the fact remains that the public WHOIS info, especially on the admin email, can cause a lot of headaches.

Lastly, standard disclosure that I've never leveraged any of these techniques, that this write-up is purely for education purposes, that you shouldn't steal domain names or try to, etc.

Classic DEV Post from Apr 18

The Weird Rules I Set Myself That Got Me a Job

Ben Halpern profile image
A Canadian software developer who thinks he’s funny.