WHOIS Is a 40-Year-Old Protocol (And It Shows)

A Protocol From 1982

WHOIS predates the World Wide Web by a decade. It was specified in RFC 812 in 1982, back when the internet was a few hundred machines and everyone who ran one basically knew each other. The original purpose was simple: "who is responsible for this machine?" You could look up a name and get a phone number.

Forty-plus years later, WHOIS is still how domain registration data is queried. The protocol has barely changed. And every quirk of its 1980s design is still something that anyone building a WHOIS tool -- like Whois Wolf -- has to deal with.

Raw TCP, No HTTP

WHOIS does not use HTTP. It uses a raw TCP connection on port 43. You open a socket, send the domain name as plain text followed by a newline, and the server sends back a blob of text and closes the connection. No headers. No status codes. No content-type. Just text.

This means you cannot query WHOIS from a browser. There is no JavaScript API for raw TCP sockets in a web browser (and there should not be). Every web-based WHOIS tool needs a backend server that opens the TCP connection on the user's behalf and relays the result back over HTTP.

Every Registrar Speaks Differently

Here is the real problem: there is no standard format for WHOIS responses. The protocol specifies how to connect and send a query, but says nothing about how the response should be structured. Every registrar and registry formats their output however they like.

A .com domain queried through Verisign returns data in one format. A .de domain from DENIC returns something completely different. A .jp domain from JPRS returns yet another format, sometimes partially in Japanese. Some registrars use Creation Date:, others use Created:, others use Registration Date:. Some put the registrar name on its own line, others embed it in a sentence.

Building a parser that extracts consistent fields (registrar, creation date, expiration date, nameservers, status) across hundreds of different response formats is the core engineering challenge of any WHOIS tool. It is essentially a natural language processing problem dressed up as a networking problem.

The Referral Chain

For many TLDs, a single query is not enough. A .com lookup first hits Verisign's thin WHOIS server, which returns a pointer to the registrar's own WHOIS server (like GoDaddy or Namecheap). You then have to make a second TCP connection to that registrar's server to get the full details. Some country-code TLDs add a third hop. Each server in the chain might use a different format.

RDAP: The Replacement That Is Taking Its Time

RDAP (Registration Data Access Protocol) is the designated successor to WHOIS. It uses HTTPS, returns structured JSON, and has a proper specification for response format. In theory, it solves every problem described above. ICANN has required registrars to support RDAP since 2019.

In practice, adoption is uneven. Most major gTLD registrars support it, but many country-code TLDs still only offer WHOIS. Some RDAP endpoints are unreliable or return incomplete data. For now, any tool that wants comprehensive coverage needs to support both protocols and fall back gracefully.

Whois Wolf queries RDAP where available and falls back to raw WHOIS for everything else, parsing the results into a clean, consistent format regardless of the source.