DEV Community

Cover image for 20 Ways WHOIS Data Gets Used (That Most Developers Never Think About)
Sameer Sheikh for WhoisFreaks

Posted on

20 Ways WHOIS Data Gets Used (That Most Developers Never Think About)

Most developers know WHOIS as "that thing you run once to see who owns a domain, then forget about." Fair enough. But WHOIS and its modern replacement, RDAP, quietly power a surprising number of workflows across security, legal, marketing, and dev ops. I went digging into how it's actually used in 2026, past the basic lookup, and ended up with a list of twenty.

A couple of these surprised me. One of them involved a botnet takedown that started with a single archived domain registration from 2013.

First, the thing that changed everything

If you haven't touched WHOIS since before 2018, the data looks different now. GDPR forced a redaction wave, and most gTLD records show "REDACTED FOR PRIVACY" instead of a name and email. Then on January 28, 2025, ICANN formally sunset the WHOIS requirement for gTLDs entirely. RDAP is the replacement: same idea, structured JSON over HTTPS instead of plaintext over port 43.

RDAP query volume passed WHOIS query volume in June 2025. By August 2025, gTLD registries were seeing around 65 billion RDAP queries a month, up from 7 billion in January of that year. WHOIS queries dropped by more than half over the same stretch. Most of that traffic isn't humans typing into a terminal. It's automation.

WHOIS to RDAP timeline showing GDPR in 2018, RDAP offered in 2019, WHOIS sunset in January 2025, and RDAP overtaking WHOIS in June 2025

Bar chart comparing monthly WHOIS and RDAP query volume in January 2025 versus August 2025

Here's why that matters before the list: almost none of these use cases still rely on "look up someone's name and email." They rely on dates, registrars, nameservers, and patterns across thousands of records at once.

Security and fraud

Grid of eight use-case categories: Security and Fraud, Legal and IP, Marketing and BI, Domain Investing, Compliance, Dev and Ops, Journalism and OSINT, Research

1. Catching phishing domains before they're used. Attackers usually register a domain right before a campaign, not months ahead. Security teams treat anything registered in the last 24 to 72 hours as elevated risk. One study of predicted malicious domains found that 75.8% of them were registered within the past month. That single data point, the creation date, does a lot of work.

2. Tracing an attacker back to their other domains. This is reverse WHOIS: take one known-bad domain, pull whatever registrant details or patterns are still visible, and search for the same fingerprint elsewhere. Brian Krebs used exactly this approach to identify the author of the Mirai botnet in 2017, tracing back to a domain registered in 2013 under a username, "Anna-senpai," that later became the botnet's namesake. Months of digging, one registration record as the thread to pull.

3. Spotting brand impersonation early. Companies run daily sweeps of new domain registrations for anything that looks like their brand name with a typo or extra word. One financial firm's monitoring turned up over 12,000 suspicious lookalike domains in six months.

4. Feeding reputation scores. Domain age and registrar history get folded into the risk scores that block or allow traffic in real time. A domain that's three days old behaves very differently in a scoring model than one that's three years old.

5. Filtering spam. Mail providers weight domain age heavily. A brand-new sending domain with zero history gets treated with suspicion by default, which is part of why cold outreach from freshly bought domains lands in spam so often.

6. Getting attacks shut down faster. Every domain record still has to show an abuse contact, redaction or not. Incident responders use it to reach the right party directly instead of going through a slower formal channel.

Legal and trademark

7. Fighting cybersquatting. Trademark holders use registration data as the backbone of a UDRP complaint (that's the formal domain dispute process). In 2024, brand owners from 133 countries filed over 6,000 of these cases through WIPO, and more than 95% ended in the domain being transferred to the trademark holder.

8. Catching infringement before it escalates. Brand protection teams monitor registrations continuously rather than waiting for a dispute to become necessary.

9. Building a paper trail for takedowns. Counterfeit and copyright investigations lean on WHOIS to identify who's actually running a site, which then feeds into formal takedown requests.

Marketing and business intelligence

10. Watching competitors move. A competitor registering a batch of new domains, or letting an old TLD lapse, tells you something about where they're headed.

11. Sourcing leads from new registrations. Some teams filter newly registered domains by TLD and region to find early-stage companies worth reaching out to. Worth saying clearly: this is legally narrower than it used to be. Redaction and anti-spam rules limit how much of this works on gTLDs now.

12. Mapping who owns what. Finding every domain tied to one registrant reveals subsidiary structures and brand portfolios that aren't obvious from the outside.

Domain investing

13. Valuing and sourcing domains. Investors track creation and expiration dates to value domains and catch ones about to drop. Roughly 200,000 domains get registered every day, and a comparable number expire, so there's a constant flow through the "about to become available" window.

14. Confirming ownership before buying. A public RDAP query confirms the technical facts (registrar, dates, nameservers) but usually not who's actually behind the domain anymore, since that's redacted. Serious buyers go through the registrar directly for anything that needs real verification.

Compliance

15. Light-touch KYC checks. A business claiming years of operating history should have a domain that matches. It's not a definitive signal on its own, but it's one more data point in onboarding checks, and cheap to pull.

16. Vendor and M&A due diligence. Ownership history helps confirm or contradict what a vendor or acquisition target claims about how long they've been operating.

Developer and ops work (the part I actually deal with most)

17. Not forgetting to renew a domain. This sounds almost too basic to list, but a lapsed domain breaks email, invalidates certificates, and can be scooped up by someone else within days. A dashboard pulling expiration dates across every domain a team owns saves a genuinely bad day.

18. Catching a hijack in progress. Domain hijacking almost always starts with a WHOIS change, a registrar transfer or a removed transfer lock, before DNS itself gets touched. Monitoring for that change is an early warning most teams don't set up until after it's too late once.

19. Verifying ownership and untangling DNS issues. Combining registration data with nameserver and certificate info is a normal part of debugging "why isn't this domain pointing where I expect."

Journalism and research

20. Tracing disinformation networks. Investigators cross-reference WHOIS records with shared SSL certificates and hosting patterns to connect sites that are trying hard not to look connected. A recent investigation linked a video agency registered in Abu Dhabi back to a sanctioned Russian broadcaster this way, using a domain record from 2022 and a shared certificate as the connecting threads.

What I'd actually tell someone building on this today

Don't design around registrant names. They're gone for most gTLDs now, and that's not changing back. Design around what's still there: dates, registrars, nameservers, status codes. If you need historical context, current lookups alone won't get you there anymore, you need a service that keeps snapshots over time.

And check which protocol you're actually querying. Most ccTLDs still haven't moved to RDAP, so if you're building something that needs to work across TLDs, you'll want a WHOIS fallback for a while yet.

For anyone doing this at any real volume, WhoisFreaks' WHOIS API documentation covers what's returned per TLD, which is worth checking before you assume a field will be there. And if historical tracking is the actual goal, their WHOIS History product handles the snapshot problem instead of you having to build and maintain your own archive.

Top comments (0)