
Sunsetting Whois


111 comments

·March 17, 2025

transcriptase

The concept of WHOIS has felt sleazy for many years.

If I register a domain, the registrar will basically extort me a couple extra dollars per year for “domain privacy” for the privilege of not having my name, home address, phone number, and email publicly available and then mirrored across thousands of shady scraped content sites in perpetuity. Even if you don’t care about that, then the never-ending emails, texts and calls begin from sleazy outfits who want to sell you related domains, do SEO for you, revamp your site, schedule a call, or just fill your spam box up with legitimate scams and bootleg pharma trash.

All because you wanted a $10/year dot com without paying the bribe.

And yes I grew up leafing through well worn phone books next to corded phones. This is not comparable.

Tarball10

This is about sunsetting the WHOIS protocol in favor of RDAP, not doing away with domain owner registration data.

anthropodie

It's crazy how many people just read the headline and choose to comment or upvote these links.

Also, why is the title not the same as the article? It makes no sense.

whalesalad

Tangentially - RDAP was created partially to resolve issues with PII in WHOIS

jsheard

That was a common racket a long time ago, but pretty much every widely recommended registrar offers free whois privacy now. At least when they're allowed to, some TLDs forbid obfuscating the whois information.

mrbluecoat

For example, *.us domain registrars aren't allowed to privacy protect your domain: https://www.reddit.com/r/webdev/comments/101qjbq/wow_never_b...

wtmt

Same with registry.in in India (for .in domains), where WHOIS privacy is not allowed as per the terms and conditions. [1]

[1]: https://www.registry.in/system/files/Terms_and_Conditions_fo...

airstrike

a little less than a year ago, my wife registered a .us domain that she ended up not using at all. she still gets phone calls nearly daily from people trying to sell her web design/dev work

throwaway150

Wow! These policies are like 30 years behind. Exposing your phone number and address on WHOIS makes absolutely no sense in this day and age!

re-thc

> but pretty much every widely recommended registrar offers free whois privacy now

If you go by the book e.g. Cloudflare not every field (e.g. state and country) is hidden. So not exactly.

october8140

You’re just using bad registrars.

https://porkbun.com/products/whois_privacy

CursedSilicon

Porkbun only came out in 2014

Two decades late on a problem

nextts

Oh the good ol days. $10/m for slow PHP shared hosting and $150 for an SSL certificate too.

doublepg23

I've never had to pay Namecheap extra for WHOIS protection.

TZubiri

It used to be more common back then

renewiltord

They always list it in the line items and in the renewal but whatever. In fact, it looks like I forgot to turn on auto-renew on their domain privacy product so it's sitting there in the 'grace' period. They work as a registrar so I use it.


fitsumbelay

I don't have the greatest registrar but hiding my info from whois is free

CydeWeys

GDPR is what changed this. Before that, registrars had little incentive to hide it for free when they could instead charge you for the service. It was not trivial that Google Domains (rip) came with free privacy proxy right from the beginning.

betaby

> GDPR

And yet all German sites must have such thing: https://0pointer.net/imprint

TZubiri

Note that it is being replaced with a different protocol, is there any indication that there are less stringent requirements on identity data disclosure on the new proto?

TZubiri

This is a very hypocritical take of privacy extremists. On the one hand you want privacy great. But on the other you would naturally expect transparency of the owners of websites you consume.

Yes you want privacy to have a website, but don't you want website owners to be held accountable?

I would actually backtrack a bit, let's normalize some form of transparency. This is actually a very common problem in law, companies must have some form of public registration, but there are some forms that protect the privacy and identity of their owners.

The issue is with natural people owning websites, when companies own websites there is no issue because they use the address and data of the company.

The dream of personal websites from the 2000s is pretty much dead. Nowadays only tech people have a personal website, we have come to the conclusion that domain owners will provide web profiles internally for consumers.

The privacy whois thing is an added service that basically subverts the original protocol requirement, and you are complaining for being allowed to break these requirements? We should be apologizing every time we obscure whois data and thanking the registrar for letting us use their data, don't you feel how fucking shady it is?

With what gall you would then be able to complain when phishers and hackers make spam and phishing domains? Or when literally every company incorporates their company in delaware when they have absolutely no business there.

Whatever, I do it too, but I don't put my tinfoil hat in that it's designed to extract 10$/yr, that's just missing the whole forest for the tree that is blocking your sun.

int_19h

I'm fine with the notion that corporations have to provide public information but not individuals.

brown

RDAP replaces WHOIS, offering a more technologically advanced way to discover the domain is protected by privacy services.

jeroenhd

Domain whois is useless, but IP whois is at least kind of useful to check before blanket banning entire IP ranges.

grendelt

Interestingly, when discussing WHOIS with my networking students, I discovered .edu WHOIS is not (cannot be?) hidden. I suppose EDUCAUSE either requires WHOIS to remain open or they do not offer information hiding.

Doing some WHOIS lookups, we found a point of contact at a university, called the network admin, said hello and launched into an impromptu network admin interview. It was cool stuff. I emailed him later in the day to apologize to and thank him for being a good sport about the whole thing. He (fortunately) found it all rather enjoyable.

homebrewer

It's useful for checking if a domain name is taken without doing that through a registrar, which is both less convenient, and (in case of shitty registrars) can be sold to domain speculators.

whalesalad

whois/rdap is very useful to identify if a domain is registered or not, and if so with whom. still lots of use there without pii data.

nine_k

Both give you a way to find out the domain's registrar, registration date, transfer status, and administrative contacts like abuse@. Nameserver data can also be somehow useful.

Otherwise, what did you expect the registrar to divulge to you, a random passer-by?

HeatrayEnjoyer

As a random passer-by I can look up the registered ownership of any building on the street.

skissane

As an Australian, I can look up the ownership of random properties in the US for free. But if I want to do the same for a building on my own street, I have to pay a US$11 fee per property searched.

The US has a reputation of being a hypercapitalist society, yet they seem to be behind Australia in the descent into hypercapitalism by not (yet) privatising the registration of land titles. [0]

[0] https://www.abc.net.au/news/2017-04-12/$2.6-billion-price-ta...

TZubiri

I get the joke, but whois is super valuable for abuse report contact and for registrar and even ip block info!

Huge protocol for cybersecurity

gkoberger

Wow. I never noticed how much how I used the internet changed. I haven’t done a WHOIS in a decade.

When I started using the internet, it’s how I contacted people. If I liked their site or their blog, I’d check who was behind it and get an email address I could contact.

Now… humans don’t really own domains anymore. Content is so centralized. I obviously noticed this shift, but I had forgotten how I used to be able to interact with the internet.

xeckr

My only nitpick is that humans still own domains, but I agree with the overall sentiment and thank you for sharing this perspective.

It is fascinating to consider how our experience with the internet is changing over time.

Remember phreaking? Having been born in the Netscape era, I certainly don't, but I can imagine that losing the ability to pull that trick off must have felt like a loss to those who were initiated in the art.

Thankfully the trend appears to be that new technologies and thus new 1337 h4x are still forthcoming.

icameron

And after you emailed them you could finger their address and see when they last checked their email, and their unread message count usually.

giancarlostoro

I had no idea this was a thing for email... Wow.

bdcravens

I use it primarily to lookup info on an IP address.

tombert

I think in most ways it's better, it makes the web more approachable to less technical users, making it less gate-keepey, but I also kind of miss the loosely-coupled cluster of web pages from the late-90's and early 2000's web.

Stuff felt less homogeneous; everyone had kind of a loose understanding of HTML, and people would customize their pages in horrendously wonderful ways. It felt more personal.

jfengel

So many tech people have a fondness for that time. To me, it was a very narrow slice of the human experience. Today I can find sites and communities on any subject I can conceive and billions more that I cannot.

And personally I found it more horrendously ugly than horrendously wonderful. But that's just my opinion.

tombert

Yeah, as I said in most ways things are better now than they were in the rose-tinted memories of the late 90's and early 2000's. Now if you want to say something on the internet, you can open up a Substack, or a Bluesky, or a Medium, or you can find a niche Subreddit. You don't need to know anything very technical, and that's a good thing.

I'll acknowledge that the old web was ugly, even at the time. I guess I just liked how much of it was, for lack of a better word, "custom". Most people were pretty bad at HTML, common web standards really hadn't caught on outside of "make it work in Internet Explorer", and CSS really hadn't caught on, so people glued together websites the best that they could.

Most websites looked pretty bad, but they were genuine. They didn't feel like some corporation built them, they felt like they were made by actual humans, and a lot of the time, actual children. I was one of those children.

I posted about this a week ago [1], but my first foray into programming was making crappy websites. It felt cool to me that a nine year old could make and publish a website, just like the grownups could. I didn't know anything about style so I had bright green backgrounds and used marquee tags and blink tags and I believe I had a midi of the X-files theme song playing in the background.

I guess it's the same sentimentality that I have when I look at a child's terrible drawing or reading one of my old terrible essays I wrote when I was eleven years old that my mom kept around. They're bad, they're embarrassing, but they're also kind of charming.

[1] https://news.ycombinator.com/item?id=43297104

dkh

I sometimes use whois multiple times in a day lol.

Should it exist? Maybe not, probably not, but that doesn't stop me from using it when I want to try to do some sleuthing. Most of the time though it doesn't work because they have privacy enabled.

I did get screwed once with certain TLDs not being able to enable privacy. I had registered a .at domain to use with a video site I had that at the time was reasonably popular and going viral fairly regularly. I hadn't realized beforehand that privacy wasn't possible, but once I learned, I didn't love it, but I wasn't sure if it would matter that much. I was wrong. I was getting calls and emails regularly from random people on the internet who found our content on reddit or whatever and decided to do some sleuthing

pavel_lishin

> Now… humans don’t really own domains anymore.

Even when they do, it's generally a smart idea to anonymize the whois information.

You might be looking up my domain to make a buddy, but someone else might be looking up my domain to SWAT me.

neom

Although shit did happen back in the day. Someone showed up at the house of the DeviantART CEO in like... I wanna say like, mmm.. 2007? and slashed his tires etc. WhoIs was only cool in the 90s.

ocdtrekkie

A big part of that is because GDPR basically murdered Whois. It hasn't been useful for many of those last ten years.

imoreno

The article is titled:

> ICANN Update: Launching RDAP; Sunsetting WHOIS

Bit deceptive to editorialize it into something that sounds like something else much more interesting (removing contact info from domains) but isn't the case at all (they're just changing the method to access the same info).

vekatimest

To be replaced with a system providing a standardized method to give law enforcement easier "secure access" to your redacted personal information.

wmf

We have ownership records for real estate for a reason. Domains need some level of accountability.

idle_zealot

I'm not sure this follows. You're allowed to publish, say, a book or pamphlet without signing it with your legal name and address. So is a website more like a book, or a building?

callc

Somewhere in the middle IMO. If the domain name is desirable it looks more like a building, because people generally care about who owns the land when it is not getting put to good use.

Websites are more like books when they have a domain no one else cares about.

greyface-

Domains point to IPs, and IPs already have subpoenable ownership records at RIRs. In the real estate metaphor: we have property ownership records, but we don't have records of every rental tenancy.

IncRnd

That's not true. Those are registration records NOT ownership records. People do not purchase IP addresses or domains. They register them for temporary use.

longtailofsighs

ICANN accredited domain registrars (so any registrar selling generic TLDs like .org, .com, .design etc) have contractual obligations related to technical abuses like phishing, malware, and botnets, insofar as they intersect with a domain name.

Content/expression related harms are outside of ICANN's bylaws and any obligations related to what a domain points at are not from ICANN, but from the laws in the jurisdiction in which the registrar operates. This is generally good. There is no global standard for acceptable limits on expression, with the possible exception of CSAM which is illegal everywhere.

Requiring domain registrars to arbitrate what content should be accessible via the DNS is perilous.

imoreno

No they don't.

imoreno

"Only law enforcement" is still better than "everyone".

dawnerd

Wait, people use real information?

riffic

that's grounds for cancellation of a domain sooooo.....

phendrenad2

Most people won't even notice this change. They'll still go to a "whois lookup service" and input a domain, and get the same results. The fact that it arrived via a different protocol (RDAP) won't mean anything.

throwaway150

There's something about WHOIS I've never understood. If you run `whois ycombinator.com` you'll see name servers in the output.

  Name Server: NS-1411.AWSDNS-48.ORG
  Name Server: NS-1914.AWSDNS-47.CO.UK
  Name Server: NS-225.AWSDNS-28.COM
  Name Server: NS-556.AWSDNS-05.NET

But if you run `dig ycombinator.com ANY +noall +answer` you'll see name servers here too.

  ycombinator.com.        21600   IN      NS      ns-556.awsdns-05.net.
  ycombinator.com.        21600   IN      NS      ns-1914.awsdns-47.co.uk.
  ycombinator.com.        21600   IN      NS      ns-225.awsdns-28.com.
  ycombinator.com.        21600   IN      NS      ns-1411.awsdns-48.org.
  ycombinator.com.        900     IN      SOA     ns-225.awsdns-28.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

If you see all the output together, you'll find the same name servers are present in WHOIS output and the DNS NS records. But wait, there's more.

The name server `ns-225.awsdns-28.com` is present three times: in WHOIS, in DNS NS records, in DNS SOA record.

Which of these name servers get used to resolve `ycombinator.com` to its IP address like when I do `ping ycombinator.com`?

What if the information between the WHOIS and DNS NS records and the DNS SOA records are inconsistent? Which record wins?


Ayesh

If you `ping`, your recursive resolver (like Google DNS, or your ISP DNS servers) will do the recursive lookup for you.

WHOIS data are irrelevant to resolving the host IP address. The SOA will be used to find the primary name server (for an AXFR lookup perhaps), but generally, each NS entry will work in a round-robin fashion and SOA isn't queried.

Most resolvers just ignore duplicate records, but I imagine some resolvers may change the "odds" to likely pick the duplicated NS entry.

Finally, most authoritative resolvers do not want to spend resources on ANY queries and almost always don't return all records, or like you saw, do not de-duplicate answers.

throwaway150

Thanks! Do you know why the name servers are part of the WHOIS data?

Same question for SOA record. If the NS entries are used in a round-robin fashion, why is the name server present in SOA record too?

CydeWeys

If you're trying to debug why a website's setup isn't working, the first step is to see if what the registry thinks the nameservers should be matches what the nameservers in DNS actually are. These can fall out of sync if e.g. the registry's connection to its DNS provider is experiencing issues. This does actually happen from time to time.

greyface-

> Do you know why the name servers are part of the WHOIS data?

The NS returned from the registrar's WHOIS server reflects the registrar's view; the NS returned from the TLD nameservers reflects the registry's view; the NS returned from the zone's authoritative nameservers reflects the registrant's view. These should typically be the same, but can differ.

> why is the name server present in SOA record too?

The NS in the SOA record is used for RFC2136 dynamic updates and RFC1996 zone replication.

renewiltord

In practice it will round-robin because all of those guys have the same performance characteristics but through whoever else is upstream of you in the DNS chain. The SOA isn't used for resolution so it doesn't matter there.

throwaway150

> In practice it will round-robin

Which data though? Is it the WHOIS name server data that is used for round-robin? Or the DNS NS record data?

Do you know why the name server is present in SOA if it isn't used?

renewiltord

The NS records and the WHOIS should be the same usually. One comes from the registrar's configs and the other from your next level upstream resolver (which should, unless it's cached and a recent change happened, be the same). But the thing that is used is whatever your next level upstream resolver is, which is the `dig` output unless you did `dig @someoneelse`.

The SOA nameserver is pretty much only significant for DNSSEC these days. In the AWS case there, I don't think it does anything unique. Pretty much there just to meet the standard.

nine_k

Back in 2014, when TLD .church was introduced, me and my friends tried to register alonzo.church and (ab)use the contact information records to provide some biographic information and links, explaining literally whois alonzo.church on the command line. That would not prevent hosting whatever services on that domain as normal.

Sadly, we were not able to secure the domain on time, and after 11 years, the attempted trick is becoming irrelevant.

smoyer

When can I finally see an article announcing that ICANN has been sunsetted?

RIMR

Why so flippant? The Internet would be in a sorry state without ICANN...

dannyobrien

Can you explain more?

renewiltord

One bright side of ICANN being a California non-profit is that when they tried to sell off .org to their own confederates so they could juice up the prices they were stopped from doing it. If they were in other places, I imagine it would have gone through.

oefrha

People say WHOIS is useless these days due to WHOIS privacy, but it's useful for at least one thing: checking when a domain was registered/transferred. Fishy stuff tends to be registered/transferred recently. Also older and larger companies tend to not hide their organizational identity.

Btw, I tried the icann-rdap CLI tool and the default rendered-markdown output mode is atrocious. Sea of output, each nameserver has one or more standalone tables taking up 15x$repetition lines, almost impossible to fish out useful info. The retro gtld-whois mode is so much cleaner. Their web tool https://lookup.icann.org/en/lookup is fine too, don't know why the rendered markdown mode isn't like that. WTF.

zacwest

I like the `rdap` cli from https://www.openrdap.org (in Brew, too: https://formulae.brew.sh/formula/rdap#default). Very clean, concise output.

1970-01-01

I don't play with domains all day, but this very much feels like nothing important was accomplished, and things are just being made more complicated for political reasons. Sorry if that is being harsh, but I've never had any issue using WHOIS.

CydeWeys

If you've ever tried to parse WHOIS programmatically, you'd realize that it being an unstructured blob of text is actually quite unconducive to it being useful. Having every endpoint return a standardized JSON payload specified in an RFC is much better.
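An added example, not part of any comment in this thread: reading an RDAP domain response as structured JSON to get the registration date mentioned above and to compare the registry-listed nameservers with the NS records seen in DNS, as suggested earlier for debugging. The field names follow RFC 9083; the domain, dates, nameserver names and the `summarize`, `age_days` and `ns_mismatch` helpers are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 9083 field names); all values are made up.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "EXAMPLE.TEST",
  "status": ["client transfer prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2025-03-01T10:15:00Z"},
    {"eventAction": "expiration", "eventDate": "2026-03-01T10:15:00Z"}
  ],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "NS1.DNS-HOST.TEST"},
    {"objectClassName": "nameserver", "ldhName": "NS2.DNS-HOST.TEST"}
  ]
}
""")

# Constructed NS answer, written the way `dig` prints names (lowercase, trailing dot).
SAMPLE_DNS_NS = ["ns1.dns-host.test.", "ns3.dns-host.test."]


def norm(name):
    """Host names compare case-insensitively and without the trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_date(value):
    # RDAP dates are RFC 3339; older Pythons need "Z" spelled as an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(rdap):
    """Pull the fields a responder usually wants out of an RDAP domain object."""
    events = {e["eventAction"]: parse_date(e["eventDate"])
              for e in rdap.get("events", []) if "eventDate" in e}
    return {
        "domain": norm(rdap.get("ldhName", "")),
        "registered": events.get("registration"),
        "expires": events.get("expiration"),
        "status": rdap.get("status", []),
        "nameservers": {norm(ns["ldhName"])
                        for ns in rdap.get("nameservers", []) if "ldhName" in ns},
    }


def age_days(summary, now):
    """Whole days since registration, or None if the server gave no such event."""
    reg = summary["registered"]
    return None if reg is None else (now - reg).days


def ns_mismatch(summary, dns_ns):
    """Nameservers that appear on only one side: registration data vs. DNS."""
    dns = {norm(n) for n in dns_ns}
    return {"registry_only": sorted(summary["nameservers"] - dns),
            "dns_only": sorted(dns - summary["nameservers"])}


if __name__ == "__main__":
    s = summarize(SAMPLE_RDAP)
    now = datetime(2025, 3, 17, tzinfo=timezone.utc)
    print(s["domain"], "age in days:", age_days(s, now))
    print(ns_mismatch(s, SAMPLE_DNS_NS))
```
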

notepad0x90

Whois needs its own port open usually, this is good I suppose, now it's all HTTPS. Now, if only passive dns resolution data was part of this same api. As it stands today, if you're looking into WHOIS information, historical WHOIS and passive dns are a must, and they are usually provided by commercial entities.