NetGlobe is live on the Microsoft Store·Download for Windows now
Network glossary

WHOIS vs RDAP

Both answer the same question — who owns this domain or IP address, and who runs the network behind it? WHOIS is the decades-old, text-based way to ask. RDAP is the modern, structured successor to WHOIS, built to do the same job in a form that machines can parse reliably.

The short version

WHOIS is the original registration-lookup service, dating back to the early internet: you query a server and get back free-form text that differs from one registry to the next.

RDAP does the same job with a modern REST/JSON design. It's IETF-standardized and has been adopted by ICANN and the Regional Internet Registries. In practice the two overlap today — RDAP is steadily replacing WHOIS, but plenty of registries still answer both.

Definition

What is WHOIS?

WHOIS is the long-standing protocol and service for querying registration data about domain names and IP address blocks (and AS numbers). Ask a WHOIS server who is behind a domain or an address range and it returns the registrar or regional registry, key dates, name servers, and — historically — contact details. Queries traditionally run over TCP port 43, and most registries also expose a web form.

Its biggest weakness is consistency. WHOIS responses are free-form text with no standard schema, so every registry formats its output differently and reliable parsing is a chore. And since the EU's GDPR took effect in 2018, most personal contact data in domain WHOIS records is now redacted behind privacy or proxy services, leaving the registrar, dates, and network-level fields visible but the human details masked.

Definition

What is RDAP?

RDAP — the Registration Data Access Protocol — is the modern successor built to fix those problems. Instead of free-form text over port 43, RDAP is a RESTful web service over HTTPS that returns structured JSON. It was standardized by the IETF (RFCs 7480–7484) and has been adopted by ICANN for generic top-level domains and by all five Regional Internet RegistriesARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC — that allocate IP address space.

Because the format is standardized, RDAP adds capabilities WHOIS never had: consistent, machine-readable fields; differentiated and authenticated access, so authorized parties can see more than the public view; proper internationalization for non-ASCII names; and bootstrapping, where an IANA registry points your client to the authoritative RDAP server for any given domain, IP address, or AS number.

Side by side

WHOIS vs RDAP, at a glance.

Same question, two generations of answer.

  WHOIS RDAP
Response format Free-form text Structured JSON
Transport TCP port 43 (plus web forms) HTTPS / RESTful web service
Standardization Loosely defined (RFC 3912) IETF-standardized (RFCs 7480–7484)
Machine-readable fields No — parsing varies by registry Yes — consistent JSON objects
Access control All-or-nothing, increasingly redacted Differentiated / authenticated access
Internationalization Limited Built in (Unicode, IDNs)
Finding the authoritative server Manual referral-chasing IANA bootstrap registry
Status Legacy, still widely available Modern successor · ICANN & the RIRs

Both WHOIS and RDAP cover domain names, IP address blocks, and AS numbers. RDAP is designed to replace WHOIS over time; during the transition many registries continue to answer both.

Why it matters

Context for every connection.

When you see a connection to an unfamiliar IP address or domain, the first question is who owns it? A WHOIS or RDAP lookup answers exactly that — the network owner, the address-block allocation, and the registration details: the responsible organization, the registry that delegated the resource, and the dates and contacts on record.

That context is often the difference between recognizing an expected CDN or cloud provider and spotting something that has no business talking to your machine. Registration data won't tell you a connection is malicious on its own, but paired with geolocation, reverse DNS, and threat intelligence it's a key input when you're deciding whether a connection is expected.

In NetGlobe

One click, from the Endpoint Focus panel.

NetGlobe runs one-click WHOIS/RDAP lookups straight from its Endpoint Focus panel: click any connection on the live map and the owner, allocation, and registration details appear alongside the TLS certificate, reverse DNS, and process trust score. You never have to know which registry to ask or copy an address into a separate lookup site.

NetGlobe uses RDAP where it's available and falls back to WHOIS when it isn't, and results are cached locally so repeat lookups are instant and stay on your device. NetGlobe is a network-intelligence and diagnostics tool — it explains what your machine is connecting to; it is not a firewall and does not block traffic.

Common questions

WHOIS vs RDAP — FAQ

What's the difference between WHOIS and RDAP?

WHOIS is the original registration-lookup service: it returns free-form text over port 43 (or a web form), and the format varies from one registry to the next. RDAP is its modern successor — a RESTful HTTPS service that returns standardized JSON, with support for authenticated access, internationalization, and automatic discovery of the authoritative server. Both answer the same question about who owns a domain or IP address; RDAP just does it in a structured, machine-readable way.

Is RDAP replacing WHOIS?

Yes. RDAP was designed as the successor to WHOIS, and ICANN and the Regional Internet Registries have been transitioning from the legacy port-43 WHOIS service to RDAP. WHOIS is still widely available today, but new tooling increasingly targets RDAP because its structured JSON is far easier and more reliable to work with.

Why is WHOIS data redacted now?

Because of privacy law. Since the EU's GDPR took effect in 2018, registries and registrars generally remove or mask personal contact details — names, emails, and phone numbers — from public domain records. You'll still see the registrar, key dates, name servers, and network-level information, but personal data is usually replaced with a privacy service or a redaction notice.

How do I look up who owns an IP address?

IP address blocks are registered with one of the five Regional Internet Registries — ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC — depending on the region. A WHOIS or RDAP query against the right RIR returns the organization the block is allocated to, the address range, and the responsible contacts. In NetGlobe you don't have to know which registry to ask: click the endpoint and it runs the lookup for you.

Does NetGlobe do WHOIS/RDAP lookups?

Yes. NetGlobe performs one-click WHOIS/RDAP lookups from its Endpoint Focus panel for any connection you select, using RDAP where it's available and falling back to WHOIS when it isn't. Results are cached locally on your device, so there's no separate lookup site to visit and nothing leaves your machine beyond the lookup itself.

WHOIS and RDAP are open internet standards maintained by the IETF, ICANN, IANA, and the Regional Internet Registries. This page is an educational glossary entry; protocol details, adoption timelines, and redaction policies evolve — consult the relevant registry or RFC for authoritative specifics.

Available now

See who's on the other end of every connection.

NetGlobe runs WHOIS and RDAP lookups for you, right from the endpoint panel. A one-time $18.99 — on the Microsoft Store for Windows, or a direct download for Mac.

Get it from the Microsoft Store Live

No account. Runs entirely on your device. See the full feature list or the FAQ.