DomainOpsDomainOps

How to Read a WHOIS Record: A Field-by-Field Guide

Learn how to read a WHOIS record field by field: registrar vs registrant, key dates, nameservers, and what status codes like clientHold and pendingDelete mean.

DomainOps Team··5 min read

Knowing how to read a WHOIS record turns an intimidating block of text into a clear, at-a-glance summary of who controls a domain, when it expires, and whether anything is wrong with it. WHOIS (and its modern successor RDAP) is the public registration record every domain carries. Once you can parse it, you can answer questions like "when does this lapse?", "who actually owns it?" and "why isn't this resolving?" in seconds.

This is a field-by-field walkthrough using a typical gTLD record.

A sample record

Domain Name: example.com
Registrar: Example Registrar, Inc.
Registrar WHOIS Server: whois.exampleregistrar.com
Registrar URL: http://www.exampleregistrar.com
Updated Date: 2026-01-04T09:12:33Z
Creation Date: 2014-03-13T04:00:00Z
Registry Expiry Date: 2027-03-13T04:00:00Z
Registrar Abuse Contact Email: [email protected]
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLEDNS.COM
Name Server: NS2.EXAMPLEDNS.COM
DNSSEC: unsigned

The dates

Three dates matter, and people routinely confuse the first two:

  • Creation Date — when the domain was first registered. Useful for judging a domain's age and history; irrelevant to renewal.
  • Registry Expiry Date — the one that actually matters. This is the authoritative expiry held by the registry. If you only watch one field, watch this.
  • Updated Date — the last time the record changed. A surprise update you didn't make is worth investigating; it can signal a transfer or nameserver change.

All times are UTC (the trailing Z). A domain "expiring on the 13th" expires at a UTC instant, which may be the 12th or 14th in your timezone — a subtlety that catches people out at the margins.

Registrar vs registrant — the crucial distinction

These two sound similar and mean very different things:

  • The registrar is the company you bought the domain through and pay to renew it — GoDaddy, Namecheap, Cloudflare, and so on. The record shows the registrar's name, abuse contact and WHOIS server.
  • The registrant is the legal owner of the domain — the person or organisation it belongs to.

Since GDPR and ICANN's Temporary Specification, registrant contact details are usually redacted in public WHOIS, replaced with "REDACTED FOR PRIVACY" or a privacy-proxy address. So a modern record tells you the registrar plainly but rarely the registrant directly. To reach the owner you typically go through the registrar's anonymised relay or abuse contact.

This matters for ownership audits: the public record reliably tells you where a domain is managed, not always who owns it. Tracking the registrant yourself is part of good portfolio hygiene.

Nameservers

The Name Server lines tell you where the domain's DNS is hosted — which is not necessarily the registrar. A domain can be registered at one company and have its DNS served by Cloudflare, AWS Route 53 or anywhere else. If a site isn't resolving, checking that these nameservers match what you expect is an excellent first diagnostic.

DNSSEC

DNSSEC: unsigned means the domain isn't using DNSSEC; signedDelegation means it is. Not every domain needs it, but an unexpected change here can indicate someone has been tinkering with the zone.

Status codes: the most overlooked field

The Domain Status lines (EPP status codes) are where the real story lives. They come in two families — client codes set by your registrar, and server codes set by the registry — and they tell you what the domain can and can't do right now.

Status codeWhat it means
ok / activeNormal, no restrictions
clientTransferProhibitedRegistrar lock — a good default that blocks unauthorised transfers
clientHoldRegistrar has removed the domain from DNS — the site won't resolve, often due to non-payment or a dispute
serverHoldRegistry-level hold — same effect, set by the registry
pendingTransferA transfer to another registrar is in progress
autoRenewPeriodThe domain recently auto-renewed (or expired into this window)
redemptionPeriodThe domain was deleted and is in its expensive 30-day recovery window
pendingDeleteFinal 5-day phase before the domain is purged — not recoverable

A couple of these deserve emphasis. clientHold is the one people miss: the expiry date can look fine while the domain is deliberately switched off because of a billing problem. And pendingDelete is the end of the line — if you see it on a domain you want, recovery is no longer possible; your only option is to try to catch it when it drops.

Multiple status codes can appear at once — clientTransferProhibited plus clientDeleteProhibited is a healthy, well-locked domain.

Reading it quickly from the command line

For a fast check, filter for the fields that matter:

bash
whois example.com | grep -Ei 'registrar:|expiry|status|name server'

Be aware that raw WHOIS is rate-limited and inconsistently formatted between TLDs, which is why checking many domains by hand is painful — RDAP, the structured JSON successor, is far friendlier for automation.

Don't read it once — read it continuously

A WHOIS record is a snapshot. The expiry date creeps closer, a clientHold can appear overnight, nameservers can be changed by someone who shouldn't have. Reading the record once tells you the state today; what protects a portfolio is watching it change over time. DomainOps continuously parses WHOIS/RDAP across all your domains and alerts you when an expiry nears or a status code shifts — see the domain monitoring docs, or start monitoring for free.

whoisdomainsdns