The complete guide
Everything you need to know
WHOIS is the public record office of the internet. Behind every domain name — google.com, ptcl.com.pk, your nephew’s blog — there is a registration record showing who registered it, when, with which registrar, when it expires, and which nameservers it currently points to. The tool above queries that record in seconds and translates it into plain English. This guide is the most complete walkthrough we could write about WHOIS, RDAP and domain ownership in Pakistan in 2026: how the registration system works, why .pk domains run through PKNIC and follow different rules from .com or .net, what GDPR redaction hid and what it left visible, how to use WHOIS for due diligence before buying a domain, how to spot a phishing or trademark-squatting attempt, what to do when your domain is hijacked, and the full lifecycle from registration to expiry to redemption to drop. By the end you will read a WHOIS panel like a domain investor reads a contract.
Foundations
What WHOIS actually is — the public registry of every domain
Every time someone registers a domain — example.com, mybusiness.pk, anything — a record is created in a database run by the registry that operates that top-level domain (TLD). For .com that registry is Verisign. For .pk it is PKNIC. For .org it is the Public Interest Registry. The record contains who registered it, through which registrar (GoDaddy, Namecheap, PKNIC retail, etc.), when, when it expires, and which nameservers handle DNS for it.
WHOIS is the protocol that lets the public read those records. It dates from the early 1980s — RFC 812 in 1982, RFC 920 in 1984 — and was originally a plain text query: send a domain name on TCP port 43, get back a text record. Forty years later the protocol is the same, but the data behind it has been profoundly reshaped by privacy laws and a modern replacement called RDAP.
When you query a domain in the panel above, our service contacts the appropriate registry, parses the response into structured fields, and presents them with explanations. For .pk domains we query PKNIC; for gTLDs we query through the registrar of record; for ccTLDs we use the relevant national registry.
- Every TLD has a registry that maintains the master record for its domains.
- WHOIS is the protocol used to read those records publicly.
- Each registrar adds a customer-facing layer on top of the registry record.
- Our tool unifies all of this into one panel.
History
From WHOIS to RDAP: how the protocol modernised
WHOIS was a beautiful 1980s artefact: TCP port 43, send a string, receive a string. It worked because the early internet was a small academic community where everyone knew everyone. As the network commercialised, the limitations became obvious — no encryption, no standard format, every registry returned slightly different fields, and no authentication for differentiated access.
RDAP — the Registration Data Access Protocol — was finalised in 2015 (RFCs 7480–7484) as the modern replacement. It runs over HTTPS, returns structured JSON, supports internationalised domain names natively, allows authenticated queries for tiered access, and conforms to a uniform schema across all registries. ICANN required all gTLD registries to support RDAP by 2019.
Today both protocols coexist. WHOIS is still the lingua franca for ccTLDs and quick command-line lookups; RDAP is the engine behind modern panels (including ours) because it returns clean, parseable data. PKNIC supports WHOIS today and RDAP rollout is in progress.
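As an added illustration (not this site's code or its /api/whois implementation), the Python below flattens a constructed RDAP domain object into the fields a WHOIS panel displays, including the RFC 8056 mapping from RDAP status words to EPP codes. The sample response, the registrar name and all function names are assumptions made for the example.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain object (RFC 9083 layout); every value is sample data.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "EXAMPLE.COM",
  "status": ["client transfer prohibited", "client update prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2015-03-02T10:15:00Z"},
    {"eventAction": "expiration", "eventDate": "2027-03-02T10:15:00Z"}
  ],
  "nameservers": [{"ldhName": "NS2.EXAMPLE.NET"}, {"ldhName": "NS1.EXAMPLE.NET"}],
  "secureDNS": {
    "delegationSigned": true,
    "dsData": [{"keyTag": 12345, "algorithm": 13, "digestType": 2,
                "digest": "CONSTRUCTED-SAMPLE-DIGEST"}]
  },
  "entities": [
    {"objectClassName": "entity", "roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar LLC"]]]}
  ]
}
""")

def epp_status(rdap_status):
    """RDAP writes statuses as words; WHOIS/EPP uses camelCase (RFC 8056)."""
    if rdap_status == "active":          # RDAP "active" is EPP "ok"
        return "ok"
    head, *rest = rdap_status.split()
    return head + "".join(word.capitalize() for word in rest)

def registrar_name(entities):
    """Return the 'fn' (formatted name) of the entity holding the registrar role."""
    for entity in entities:
        if "registrar" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None

def summarise(rdap, now):
    """Flatten an RDAP domain object into the fields a WHOIS panel shows."""
    events = {e["eventAction"]: datetime.fromisoformat(
                  e["eventDate"].replace("Z", "+00:00"))
              for e in rdap.get("events", [])}
    statuses = [epp_status(s) for s in rdap.get("status", [])]
    secure = rdap.get("secureDNS", {})
    expires = events.get("expiration")
    return {
        "domain": rdap["ldhName"].lower(),
        "registrar": registrar_name(rdap.get("entities", [])),
        "registered": events.get("registration"),
        "expires": expires,
        "days_to_expiry": (expires - now).days if expires else None,
        "statuses": statuses,
        "transfer_locked": any(s.endswith("TransferProhibited") for s in statuses),
        "on_hold": any(s in ("clientHold", "serverHold") for s in statuses),
        "nameservers": sorted(n["ldhName"].lower()
                              for n in rdap.get("nameservers", [])),
        # DNSSEC counts as delegated only when DS data is actually published.
        "dnssec": bool(secure.get("delegationSigned") and secure.get("dsData")),
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_RDAP, datetime(2026, 1, 1, tzinfo=timezone.utc)))
```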
Players
Registry, registrar, registrant — three R’s, three roles
Three parties touch every domain. The registry operates the central database for an entire TLD — Verisign runs .com, PKNIC runs .pk, Identity Digital runs .info, and so on. Registries do not sell to the public; they sell to registrars in bulk.
The registrar is the customer-facing seller: GoDaddy, Namecheap, Cloudflare Registrar, Google Domains (now Squarespace), and locally PKNIC retail itself, Hostbreak, Webzone, and others. The registrar collects your details, holds the relationship, and forwards instructions to the registry over a protocol called EPP.
The registrant is you — the person or organisation listed as the legal owner of the domain. When WHOIS shows ‘Registrant Name: John Doe’, that is the registrant. There are also separate Admin, Tech and Billing contacts, though most modern registrars use the same person for all four.
- Registry: operates the TLD database (one per TLD).
- Registrar: sells domains to the public (many per TLD).
- Registrant: the legal owner of the specific domain.
- EPP: the protocol registrars use to talk to registries.
.pk
.pk domains and PKNIC — the rules that are different here
PKNIC is the registry for all .pk domains and their second-level variants — .com.pk, .org.pk, .net.pk, .edu.pk, .gov.pk and others. It is operated under contract from the Pakistan government and follows policies that differ in several practical ways from gTLDs.
.pk domains historically required documentary verification (CNIC for individuals, business registration for companies) and the fee structure used a two-year minimum. Recent policy updates have streamlined this, but the rules are still stricter than .com — for example, .gov.pk and .edu.pk are restricted to verifiable government and educational entities only.
Premium and trademarked names are pre-reserved. The .pk WHOIS, while often less detailed than gTLDs, still shows registrar, status, dates and nameservers — the essentials for diagnosing a domain’s health.
GDPR
The 2018 redaction — what GDPR removed and what it kept
Until 2018, public WHOIS for most gTLDs returned full registrant contact information — name, email, phone, postal address. The GDPR forced ICANN to redact personal data for European registrants by default; in practice almost every registrar chose to redact globally rather than maintain two policies. As a result, most modern WHOIS records for .com, .net, .org and similar show ‘REDACTED FOR PRIVACY’ in the contact fields.
What is still public: registration date, expiry date, last update date, registrar name, domain status codes, and nameservers. That is enough to verify legitimacy, plan migrations, and detect imminent expiry — which is what most of us actually need WHOIS for.
ccTLDs make their own decisions. .pk WHOIS retains more detail for business registrants; .uk redacts heavily; .de essentially blocks public contact data. The tool above shows whichever fields the relevant registry chose to publish.
Privacy
WHOIS privacy services and proxy registrations
Even outside GDPR, registrars sell WHOIS privacy as an add-on. Instead of your name and address, the public record shows the privacy provider’s details — typically WhoisGuard (Namecheap), Domains by Proxy (GoDaddy), or Cloudflare’s free service. Your real identity is held by the registrar and only revealed via legal process.
For most personal sites and small businesses, privacy protection is a no-brainer — it stops scrapers, spam, and stalkers without affecting any legitimate use. For corporate brand protection or trust-sensitive use cases (banks, government suppliers), public registration is sometimes preferred precisely because it demonstrates accountability.
Cloudflare Registrar is notable for including privacy at no charge with its cost-price registration. PKNIC does not currently offer a built-in privacy service for .pk; many registrants there list a business address by default.
Lifecycle
The domain lifecycle — registration to drop, day by day
A domain’s life follows predictable stages:
- Active: registered and resolving normally; expiry date in the future.
- Auto-renew grace (~30 days after expiry for most gTLDs): registrar may try to auto-renew; domain often still resolves.
- Redemption period (30 more days): domain stops working, owner can still recover for a hefty fee (usually $80–200 plus the renewal cost).
- Pending delete (5 days): final waiting period.
After pending delete, the name drops back into the public pool and anyone can register it again. Premium drop-catching services (DropCatch, SnapNames, NameJet) compete to grab valuable names within milliseconds of release. For .pk, the timeline differs — PKNIC publishes its own grace and deletion schedule, generally more lenient.
Knowing where in the lifecycle a domain sits is the first thing to check before buying or migrating. The status field in the WHOIS panel tells you immediately.
- Active → Expired → Grace → Redemption → Pending Delete → Available.
- Recovery during redemption costs significantly more than renewal.
- Drop-catching is a competitive market for valuable expired names.
- .pk has its own (generally more lenient) timeline.
Status Codes
EPP status codes — what clientHold, transferProhibited and friends mean
WHOIS shows one or more status codes for every domain. They look cryptic but each one is actionable. ‘ok’ or ‘active’ means everything is normal. ‘clientTransferProhibited’ means your registrar has set a transfer lock — good for security, must be removed before changing registrars.
‘clientHold’ or ‘serverHold’ means the registry has stopped publishing the domain in DNS — typical for unpaid renewals, abuse complaints, or court orders. ‘pendingDelete’ means the domain is heading for the drop pool. ‘pendingTransfer’ means a registrar change is in progress and needs the auth code from the gaining side.
Understanding these codes turns ‘why doesn’t my site work?’ into ‘the registrar suspended the domain because of a billing issue’ in two minutes. Always check status codes first when a domain stops resolving.
Transfers
Auth codes and registrar transfers in practice
Moving a domain between registrars uses the EPP transfer protocol. The losing registrar generates an auth code (also called EPP code or transfer secret) and shares it with the registrant. The gaining registrar accepts the code, charges the renewal, and the registry processes the transfer — usually with a five to seven day automated approval window.
Common gotchas: clientTransferProhibited must be off, the domain must be at least 60 days past registration or last transfer, contact email must be reachable for confirmation messages, and DNSSEC keys must be removed and re-added at the new registrar to avoid validation failures during the gap.
For .pk transfers between PKNIC-authorised resellers, the process is similar but often involves manual approval steps and identity verification. Plan transfers at least two weeks ahead of any critical event.
Due Diligence
Using WHOIS for domain due diligence before purchase
Before buying a domain — whether at auction or from a private seller — WHOIS is your friend. Check the registration date: very new domains sold at premium prices are often dropped junk re-registered hoping to fool buyers. Check the registrar: reputable, easy-to-transfer registrars are safer than obscure resellers.
Check the expiry date: a name that expires next month is one renewal cycle away from leaving the seller’s hands; you want at least a year of runway. Check the historical registrant where possible (DomainTools, Whoisology) — a domain that has cycled through ten owners in five years carries more SEO baggage than a long-held one.
And always do a trademark search alongside the WHOIS check. A domain that incorporates someone else’s brand can be claimed back through UDRP or court action no matter how much you paid for it.
- Verify registration age, registrar, and expiry runway.
- Pull historical registrant data when stakes are high.
- Cross-check with trademark databases.
- Use escrow services (Escrow.com, Sedo) for any meaningful purchase.
Hijacks
Domain hijacking — prevention, detection, recovery
Domain hijacking is when an attacker gains control of a domain you own — typically by compromising your registrar account email, social-engineering customer support, or stealing the auth code. The damage can be catastrophic: email rerouted, traffic stolen, brand reputation destroyed.
Prevention is mostly registrar hygiene. Use a unique, long password and a hardware key or TOTP for the registrar account. Keep the contact email on a domain you control (never an account on the domain itself — circular dependency). Enable Registrar Lock (clientTransferProhibited and clientUpdateProhibited). For high-value names, ask the registrar about Registry Lock — a manual hold that requires phone confirmation to unlock.
Detection is daily monitoring. Subscribe to domain status alerts; many registrars and third-party services email you any time a record changes. Recovery, if it happens, is a race: file with ICANN’s Transfer Dispute Resolution Policy, contact both registrars immediately, and prepare evidence of ownership.
DNSSEC
DNSSEC delegations visible in WHOIS
When DNSSEC is enabled on a domain, the registrar uploads DS (Delegation Signer) records to the registry, which publishes them. The DS records appear in WHOIS and RDAP responses and form the trust anchor that lets validating resolvers verify your DNS responses cryptographically.
Seeing a DS record in WHOIS confirms DNSSEC is active. Its absence is silent — DNSSEC simply doesn’t protect that domain. If you turn on DNSSEC at your DNS provider but the DS record never appears in WHOIS, the chain is broken and validators will treat your responses as untrusted (resulting in resolution failures for users on validating resolvers like 1.1.1.1).
When transferring a DNSSEC-signed domain between registrars, plan to disable DNSSEC at the losing registrar a week before the transfer, transfer, then re-enable at the new registrar with new DS records. Skipping this step is the most common cause of post-transfer outages.
Pakistan Use Cases
Real Pakistani WHOIS scenarios — banks, brands, freelancers
Pakistani banks use WHOIS to monitor look-alike domains (hbi-bank.com, alfaIah.com — note the I instead of l). Brand-protection services (MarkMonitor, Corsearch) automate this at scale, but a small business can do the same manually with weekly WHOIS checks.
Freelancers and agencies in Pakistan often manage 50+ client domains. A WHOIS audit (registrar, expiry, lock status, contact email) once a quarter prevents the embarrassment of a client’s domain expiring on your watch — by far the most common cause of involuntary client-relationship damage.
Government and educational institutions on .gov.pk and .edu.pk have stricter policies. Renewals must come from verified institutional accounts; transfers between registrars require additional documentation. Plan further ahead than for commercial domains.
Phishing
Spotting phishing and look-alike domains via WHOIS
Phishing kits depend on freshly-registered look-alike domains: hbI-pk.com (capital I), pa.ystdr.com, b1zz-pakistan.org. WHOIS gives you instant red flags. A domain registered in the last 30 days that mimics a brand, registered through a privacy proxy, with a free email contact, is overwhelmingly likely to be malicious.
Anti-fraud teams at banks and large e-commerce sites use scripts that monitor newly-registered domains containing brand keywords and check WHOIS metadata for risk signals. The output goes into takedown queues that contact registrars and hosting providers within hours.
For individual users, the rule of thumb is simple: when an email or SMS asks you to log in via an unfamiliar URL, copy the domain into the panel above. If it was registered yesterday and is privacy-proxied, you have your answer.
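The red flags described in this section, applied to already-parsed WHOIS metadata, as an added example that is not the code of this site or of any bank's anti-fraud team. The confusable-character table, the free-mail and proxy lists, the triage thresholds and the sample records (including the placeholder official domain) are assumptions; the look-alike alfaIah.com is the one quoted earlier in the guide.

```python
from datetime import date

# Assumed lists for illustration; tune them to your own brands and threat data.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "3": "e", "5": "s"})
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
PROXY_MARKERS = ("privacy", "proxy", "whoisguard", "redacted")


def skeleton(text):
    """Collapse look-alike characters so 'alfaIah' and 'alfalah' compare equal."""
    return text.lower().replace("-", "").translate(CONFUSABLE)


def mimicked_brand(domain, brands, official):
    """Return the brand keyword a domain imitates, or None."""
    if domain.lower() in official:
        return None
    label = domain.rsplit(".", 1)[0]
    return next((b for b in brands if skeleton(b) in skeleton(label)), None)


def risk_signals(record, brands, official, today):
    """List the WHOIS red flags named in the text for one parsed record."""
    signals = []
    brand = mimicked_brand(record["domain"], brands, official)
    if brand:
        signals.append("mimics:" + brand)
    if (today - record["registered"]).days <= 30:
        signals.append("registered_within_30_days")
    if any(m in record.get("registrant", "").lower() for m in PROXY_MARKERS):
        signals.append("privacy_proxy")
    if record.get("contact_email", "").rpartition("@")[2].lower() in FREE_MAIL:
        signals.append("free_email_contact")
    return signals


def triage(record, brands, official, today):
    """Assumed policy: a look-alike plus one more flag goes to the takedown queue."""
    signals = risk_signals(record, brands, official, today)
    if not any(s.startswith("mimics:") for s in signals):
        return "ignore", signals
    return ("takedown_queue" if len(signals) >= 2 else "review"), signals


# Constructed WHOIS metadata; 'alfaIah.com' is the look-alike quoted in the text.
BRANDS = ["alfalah"]
OFFICIAL = {"alfalah.example"}          # placeholder for the real brand domain
FEED = [
    {"domain": "alfaIah.com", "registered": date(2026, 1, 10),
     "registrant": "Privacy service provided by Example Proxy",
     "contact_email": "relay123@gmail.com"},
    {"domain": "alfalah.example", "registered": date(2009, 5, 4),
     "registrant": "Example Bank Ltd", "contact_email": "dns@alfalah.example"},
    {"domain": "alfalah-fans.example", "registered": date(2018, 7, 1),
     "registrant": "A. Fan", "contact_email": "fan@fans.example"},
]

if __name__ == "__main__":
    for rec in FEED:
        print(rec["domain"], *triage(rec, BRANDS, OFFICIAL, date(2026, 1, 20)))
```

An old look-alike with no other flag lands in "review" rather than the takedown queue, which keeps fan sites and resellers in front of a human before any registrar is contacted.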
Bulk
Bulk WHOIS, monitoring, and APIs for portfolio holders
If you hold a portfolio of domains — for branding, defensive registrations, or speculation — manual checks do not scale. Tools like DomainTools, WhoisXML API, Whoxy and our own /api/whois endpoint let you query hundreds of domains programmatically and feed the results into a spreadsheet or alerting system.
Common alerts: 30-day expiry warning, transfer-prohibited unset (potential hijack precursor), nameserver change (potential DNS hijack), DNSSEC DS record removed. Each of these is a sign that something needs human attention before damage spreads.
Rate-limit etiquette matters. Registries publish acceptable-use limits — generally a few queries per second per source IP — and aggressive scraping triggers temporary blocks. Use APIs that already cache results rather than hammering port 43 directly.
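The four alerts listed above, computed by comparing two stored snapshots of a portfolio, as an added example (not this site's API or any vendor's product). The snapshot field names, the sample domains and the function names are hypothetical; snapshots would come from whichever cached WHOIS or RDAP source you already use.

```python
from datetime import date


def domain_alerts(previous, current, today, warn_days=30):
    """Diff two snapshots of one domain and return the alerts named in the text."""
    alerts = []
    days_left = (current["expires"] - today).days
    if days_left <= warn_days:
        alerts.append(f"expiry: {days_left} days left")
    lock = "clientTransferProhibited"
    if lock in previous["statuses"] and lock not in current["statuses"]:
        alerts.append("transfer lock removed")
    # Hostnames are case-insensitive, so compare them lowercased.
    old_ns = {n.lower() for n in previous["nameservers"]}
    new_ns = {n.lower() for n in current["nameservers"]}
    if old_ns != new_ns:
        added, gone = sorted(new_ns - old_ns), sorted(old_ns - new_ns)
        alerts.append(f"nameservers changed: +{added} -{gone}")
    if previous["ds_records"] and not current["ds_records"]:
        alerts.append("DNSSEC DS record removed")
    return alerts


def audit(previous, current, today):
    """Run domain_alerts over a portfolio; a domain that vanished is an alert too."""
    report = {}
    for name, old in previous.items():
        new = current.get(name)
        found = domain_alerts(old, new, today) if new else ["no record returned"]
        if found:
            report[name] = found
    return report


# Constructed snapshots (hypothetical field names), taken one week apart.
LAST_WEEK = {
    "shop.example": {"expires": date(2026, 9, 1), "ds_records": ["12345 13 2"],
                     "statuses": ["clientTransferProhibited"],
                     "nameservers": ["ns1.dns.example", "ns2.dns.example"]},
    "blog.example": {"expires": date(2026, 2, 10), "ds_records": [],
                     "statuses": ["clientTransferProhibited"],
                     "nameservers": ["NS1.DNS.EXAMPLE"]},
}
THIS_WEEK = {
    "shop.example": {"expires": date(2026, 9, 1), "ds_records": [],
                     "statuses": ["ok"],
                     "nameservers": ["ns1.other.example", "ns2.dns.example"]},
    "blog.example": {"expires": date(2026, 2, 10), "ds_records": [],
                     "statuses": ["clientTransferProhibited"],
                     "nameservers": ["ns1.dns.example"]},
}

if __name__ == "__main__":
    for name, found in audit(LAST_WEEK, THIS_WEEK, date(2026, 1, 20)).items():
        print(name, found)
```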
Compliance
WHOIS for legal, compliance and abuse handling
When investigating fraud, IP theft, or abuse, WHOIS provides the official record of who is responsible for a domain — even when redacted, the registrar field tells you who to escalate to. Every accredited registrar must publish an abuse contact email and respond to documented abuse reports within reasonable timeframes (ICANN policy requires acknowledgement within 24 hours and action within reasonable diligence).
For legal action, court orders go to the registrar, who can then suspend the domain (clientHold) regardless of the registrant’s wishes. In Pakistan, FIA Cyber Crime Wing and PTA both issue such requests and the major registrars comply.
For trademark disputes, ICANN’s UDRP (Uniform Domain-Name Dispute-Resolution Policy) and the URS (Uniform Rapid Suspension) provide structured processes. WIPO and the National Arbitration Forum are the most-used providers. WHOIS is the entry point of every UDRP filing.
Tools
Going further: dig, whois CLI, RDAP, archive.org
The classic command-line whois tool is bundled with macOS and Linux and downloadable for Windows. ‘whois example.com’ returns the raw record. For RDAP, curl https://rdap.org/domain/example.com returns clean JSON. Both are zero-cost ways to get the same data the panel above uses.
DomainTools, Whoxy, ViewDNS and SecurityTrails offer historical WHOIS — invaluable for due diligence and abuse investigation. archive.org’s Wayback Machine pairs perfectly with WHOIS history for understanding how a domain was used over time.
For developers, our /api/whois endpoint returns structured JSON for any domain we support and is rate-limited per IP per hour. It is free for individual use; contact us for bulk access.
Future
What changes in 2026 and beyond — RDAP-only, tiered access, AI abuse
ICANN is moving toward RDAP-only over the next few years, with WHOIS port 43 eventually being deprecated for gTLDs. The data stays the same; the protocol becomes uniform JSON over HTTPS with proper internationalisation. Registries on legacy WHOIS will support both for a long transition period.
Tiered access — where verified law enforcement and security researchers get more detailed contact data than the general public — is being prototyped (the Standardised System for Access and Disclosure, SSAD). Implementation is slow but likely arrives in some form mid-decade.
On the threat side, AI-generated phishing kits register thousands of look-alike domains per day. Defensive monitoring tools are evolving accordingly, with NLP models flagging brand-similar names automatically and feeding takedown queues continuously.
Playbook
Putting it all together — your 2026 WHOIS playbook
For owners: lock every domain (Registrar Lock and, for high-value, Registry Lock), enable DNSSEC, use a contact email on a separate domain you also control, set 90-day expiry alerts, and audit your portfolio quarterly with the panel above or our API.
For investigators: combine current WHOIS with historical WHOIS and Wayback snapshots. Cross-reference with DNS records, MX hosts, and IP geolocation for a full picture. Build a checklist and re-use it.
For everyone: when in doubt about a URL, paste it into the panel above before clicking anything. A 24-hour-old privacy-proxied domain claiming to be your bank is almost certainly not your bank.
- Lock + DNSSEC + safe contact email = 99% of hijack risk gone.
- Quarterly portfolio audit catches expiries before they bite.
- Combine WHOIS, history, Wayback for any serious investigation.
- Trust the panel above before you trust the email.
Questions, answered
Frequently asked questions
Why is so much information ‘REDACTED FOR PRIVACY’?
Since 2018, GDPR forced registries and registrars to redact personal contact data by default for gTLDs. Operational data — registrar, status, dates, nameservers — is still public, which is enough for most checks.
Since 2018, personal contact information has been hidden because of GDPR. The registrar, status and dates are still public.
How do I find out who owns a redacted domain?
For legitimate purposes, contact the registrar listed in the WHOIS — they can forward a message to the registrant. For legal matters, courts and law enforcement can compel the registrar to release the data. There is no public way to bypass redaction.
A message can be sent through the registrar. In legal matters, a court or the FIA can obtain the information from the registrar.
Why does my .pk WHOIS look different from .com WHOIS?
Because PKNIC is the registry for .pk and follows its own format and policies. The fields and field names differ from gTLD registries, but the meaning — registrar, status, expiry, nameservers — is the same.
PKNIC runs the .pk registry and uses its own format. The meaning is the same; only the field names differ.
What does ‘clientTransferProhibited’ mean?
It is a registrar-level lock that prevents the domain from being transferred to another registrar without first being unlocked. It is good security and should be on by default; turn it off only when you actually want to transfer.
This is a registrar lock that prevents unauthorised transfers. It should stay on; turn it off only at the time of a transfer.
How do I transfer my domain to a new registrar?
Unlock the domain at the current registrar, request the EPP auth code, and start the transfer at the new registrar with that code. The transfer is usually approved within five to seven days. Plan around DNSSEC if enabled.
Remove the lock at the current registrar, get the EPP code, and start the transfer at the new registrar. It completes in 5–7 days.
What happens when a domain expires?
First a 30-day auto-renew grace, then a 30-day redemption period (recoverable for an extra fee), then 5 days pending delete, then it drops back to public availability. Always renew before expiry to avoid the redemption fee.
First 30 days of grace, then 30 days of redemption (recovery with an extra fee), then 5 days of pending delete, then public again.
Should I buy WHOIS privacy?
For personal sites and small businesses, yes — it stops scrapers, spam and stalkers. For brand-trust-sensitive uses (banks, suppliers to government), public registration sometimes signals more accountability. Cloudflare Registrar includes privacy free.
For personal sites, yes; it protects against spam and scrapers. For banks and large institutions, public registration is sometimes better.
Can I trust the WHOIS data I see above?
Yes — we query the authoritative registry or registrar in real time and only show what they publish. Cached results are short-lived. If a field is missing, the registry simply chose not to publish it.
Yes, we take the data directly from the actual registry. Missing fields are ones the registry itself has not published.