WHOIS / RDAP Domain Lookup Guide

Use this guide to understand what registry RDAP data reveals about a domain, why expiry and lock status are security signals rather than administrative trivia, and how to harden registration against the most common loss and hijacking scenarios.

Overview

The domain registration is the root of trust for the website, email, and every certificate issued for it. The lookup reads live registry RDAP data because expiry dates, hold flags, missing transfer locks, and unsigned delegations are the cheapest problems to fix and the most expensive ones to discover after an incident.

Registration signals to review together

  • Expiration: Confirm the renewal date is comfortably in the future and auto-renew is enabled with a valid payment method.
  • Status flags: Keep clientTransferProhibited enabled and investigate any hold status immediately.
  • DNSSEC: A signed delegation protects DNS answers for the domain against spoofing and cache poisoning.

RDAP Signals and Meaning

Signal | Healthy state | Common weakness
Expiration date | More than 90 days away with auto-renew enabled | Renewal left to a manual reminder and a stale payment card.
Transfer lock | clientTransferProhibited present | No lock, so a compromised registrar account can move the domain.
Hold status | No hold flags present | clientHold or serverHold silently removing the domain from DNS.
DNSSEC | Delegation signed with a DS record at the registry | Unsigned delegation leaving DNS answers spoofable.
Registrar contact | Verified account email and MFA at the registrar | Expired contact addresses that block renewal and recovery notices.

Practical Registration Hardening Examples

Healthy status flags (RDAP)

    "status": [
      "client transfer prohibited",
      "client update prohibited",
      "client delete prohibited"
    ]

Check a domain with RDAP directly

    curl -s https://rdap.org/domain/example.com | jq '.events, .status'

Recommended Remediation Flow

  1. Fix expiry exposure first: Renew anything close to its expiration date, enable auto-renew, and confirm the payment method on file is current.
  2. Enable registrar locks: Turn on the transfer lock (clientTransferProhibited) for every production domain; request registry lock for high-value names.
  3. Verify account hygiene: Confirm the registrar account email is monitored, enable MFA, and remove stale users from the registrar account.
  4. Enable DNSSEC and retest: Sign the zone at the DNS host, publish the DS record through the registrar, then re-run the lookup to confirm the delegation is reported as signed.

Troubleshooting Common Issues

The lookup reports no expiration date

Some registries, especially ccTLDs, do not publish expiration events over RDAP.

  • Check the renewal date directly in the registrar control panel.
  • Treat missing data as unverified, not as safe.
  • Set an independent calendar reminder for portfolio domains on sparse registries.

A hold status appeared unexpectedly

Holds are applied by registrars or registries for billing, contact verification, or abuse reasons, and they stop DNS resolution.

  • Contact the registrar support channel immediately to identify the cause.
  • Check for unanswered ICANN contact-verification emails.
  • Resolve any outstanding invoice or abuse report, then confirm the flag is removed.

Validation Checklist

Post-fix validation

  • Confirm the expiration date is more than 90 days away or auto-renew is verified.
  • Verify clientTransferProhibited appears in the status flags.
  • Check that no clientHold or serverHold status is present.
  • Re-run the WHOIS / RDAP Lookup after changes and confirm DNSSEC is reported as signed where enabled.
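
The checklist above as an added Python example (not part of the original guide or of the lookup tool): it evaluates a constructed RDAP response offline and reports a missing expiration event as unverified rather than safe. The names audit_rdap and SAMPLE and the verdict labels are illustrative assumptions; status, events, eventAction, eventDate and secureDNS.delegationSigned are standard RDAP (RFC 9083) fields.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response for illustration, not real registry data.
SAMPLE = json.loads("""{
  "ldhName": "example.test",
  "status": ["client transfer prohibited", "client hold"],
  "events": [{"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"}],
  "secureDNS": {"delegationSigned": false}
}""")

def audit_rdap(doc, now, min_days=90):
    """Return a list of (signal, verdict, detail) tuples for one RDAP domain object."""
    findings = []
    # RDAP spells EPP status codes with spaces; normalise so either form matches.
    status = {s.lower().replace(" ", "") for s in doc.get("status", [])}

    expiry = next((e.get("eventDate") for e in doc.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    if expiry is None:
        # Sparse registries omit the event: report it as unverified, not as safe.
        findings.append(("expiration", "UNVERIFIED", "no expiration event published"))
    else:
        days = (datetime.fromisoformat(expiry.replace("Z", "+00:00")) - now).days
        findings.append(("expiration", "OK" if days > min_days else "FAIL",
                         f"{days} days remaining"))

    locked = "clienttransferprohibited" in status
    findings.append(("transfer lock", "OK" if locked else "FAIL",
                     "clientTransferProhibited " + ("present" if locked else "missing")))

    holds = sorted(status & {"clienthold", "serverhold"})
    findings.append(("hold status", "FAIL" if holds else "OK",
                     ", ".join(holds) or "no hold flags"))

    # An absent secureDNS object is treated the same as an unsigned delegation.
    signed = doc.get("secureDNS", {}).get("delegationSigned") is True
    findings.append(("dnssec", "OK" if signed else "FAIL",
                     "delegation signed" if signed else "delegation not reported as signed"))
    return findings

if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for signal, verdict, detail in audit_rdap(SAMPLE, now):
        print(f"{signal:14} {verdict:10} {detail}")
```

To audit a live domain, pass the parsed JSON from the RDAP query shown earlier and datetime.now(timezone.utc) in place of the constructed values.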

FAQ

Is WHOIS the same as RDAP?

RDAP is the structured, IETF-standardized successor to the legacy WHOIS protocol and is authoritative for gTLDs.

  • RDAP returns machine-readable JSON instead of free-form text.
  • Privacy rules redact most personal contact data in both systems.
  • Security-relevant fields like status flags, events, and DNSSEC remain visible.

Does a transfer lock make the domain unsellable or stuck?

No. The lock is reversible by the account owner at any time and only blocks transfers initiated while it is active.

  • Disable it temporarily when you genuinely transfer registrars.
  • Combined with registrar MFA it blocks most hijacking attempts.
  • Registry lock adds an out-of-band verification step for high-value domains.