The first time runs a whois ICANN query and see a different result from what they usually get, it can be pretty confusing. Same domain, but different data, what’s happening here?
Most of the time, the culprit is caching. Third-party Whois tools have their own databases, and those don’t refresh the moment something changes in the actual registry. The ICANN lookup, on the other hand, goes straight to the source and queries the real registry directly.
Why the Whois ICANN Lookup Behaves Differently
ICANN does not maintain its own records for domains. Its whois functionality queries the registry responsible for the relevant top-level domain (TLD) in your query. For instance, Verisign is the registrar for .com domains while Nominet is for .uk domains. There’s an operator for each TLD and the tool ICANN offers essentially connects you with the relevant operator.
The data that the registry provides is not a snapshot of information from last Tuesday or from a week’s worth of updates. It is an up to the moment data.
When domains transfer, registrar change, or contact updates and whois is provided by ICANN, the data is more up to date than other registrar’s data from third-party platforms. The other registrar’s data is based on their internal systems where updates are not reflected instantly to the registry and instead are reflected based on their internal systems time schedule.
What Third-Party Tools Bring to the Table
A free ‘whois’ command exists. Competitors like DomainTools sell access to their platform for several hundred dollars a month. Both are branded as ‘whois tools’ but there is a world of difference between the two.
Where your DomainTools investment pays off is in proprietary data. Whois ICANN can only provide the current state of the world. If you need the owner of a domain from 2018 or that holder’s email before the migrated to a privacy proxy, that information is no longer ‘live’ and exists in the archives that DomainTools and SecurityTrails have been building for years.
Reverse whois is another area of omission. The ICANN tool is one way; you supply a domain, and you get the registrant’s information. Reverse whois is exactly the opposite. Instead, you provide an email or an organization, and you get a list of all the domains associated with that entity. This is widely used by intel teams to follow domain stalkers across their acquisitions. This functionality is completely missing from whois ICANN.
How They Compare
| Feature | Whois ICANN | Regular Whois Tools |
| Where data comes from | Directly from the registry | Registry plus cached and archived data |
| How current is the data | Live, real-time | Depends on the platform’s sync schedule |
| Historical records | No | Yes, on most paid platforms |
| Reverse Whois | No | Yes, usually paid |
| Bulk lookups | No | Yes, via API |
| RDAP protocol | Native | Varies |
| Privacy redaction | Consistent | Inconsistent across tools |
| Cost | Free | Free basic to hundreds per month |
When It Actually Matters Which Tool You Pick
Most tools are relatively acceptable, but they have ranges, and the difference can be substantial.
Take, for instance, a change in ownership brought about by a transfer of a domain between registrars. After transfer completion, the registry can update ownership within a few hours. However, the tools you’re relying on may have ownership data that is a few days old and lacks the new register. You check without seeing the ownership change and, without a second thought, you continue your task.
This is the case for both dropped and expired domains. When a domain expires, is deleted, and is subsequently re-registered, that window can be extremely short. A cached result may show that the domain is still registered or show the previous registrant; however, the domain is now registered under a different owner.
The scenarios where more formality is required, e.g., UDRP, compliance reviews, etc., are exactly where people examine the sources you are using. In those circumstances, using whois ICANN is a little more acceptable. No one questions data pulled directly from ICANN; as a result, you may have to have an unsolicited conversation.
The GDPR Situation Is Still a Mess
Before the changes in the European Union’s GDPR regulations, the whois ICANN reports from registrars disclosed all details about the registrant, including their name, email address, phone number, address, and any other related information. In the registrars’ databases, this information was not protected. Changes in the GDPR regulations modified this.
Registrars can no longer expose the personal contact information for registrants from the EU. Most registrars applied this restriction to all of their registrants, as it was less complicated than determining where a registrant was from. As a result, the majority of whois ICANN reports, which used to display all of the unredacted information related to contact information, now only display the unredacted information for a privacy proxy service to which the registrar has routed that information.
They have the information; they have just decided not to make it available.
ICANN has designed a formalized, structured, and standard request system called SSAD that allows, in particular, law enforcement agencies and IP attorneys, as credentialed access users, to request access to non-public registrant information. Adoption has been slow, and it remains, for now, only operational in a limited form. As a result, some secondary service tools have incomplete datasets from before the GDPR changes, which can actually also be dangerous.
Choosing the Best Option
If you are looking for the registrant information for a domain and you want it accurate, up to date, and from a reliable source, then starting with whois ICANN is your best choice, as it is completely free. It is best to access the source directly, as it comes straight from the source. In case all you need is a quick look at the domain’s nameservers, registrar, or expiration date, then this is the only place you need to visit.
A dedicated research platform is warranted when the work entails determining a domain’s history or infrastructure, or understanding interconnected domains. This is not to say that ICANN’s tool is insufficient, it is fully functional for its primary purpose. The research workflows simply involve a different type of data.
Large-scale domain professionals tend to use both tools seamlessly. The research platform offers a more comprehensive view. Whois ICANN corroborates the status quo before any action is taken.
FAQ
What do I get from an ICANN Whois lookup?
You get information currently in the records, such as registrar name, registration date, expiration date, nameservers, and DNSSEC status. Contact details are included unless redacted. There are no histories, related domains, and only the current record.
Is there a fee?
No. There is no fee, and no login required for lookup.icann.org.
What is RDAP?
It is the protocol that Whois ICANN is built on. It is a descendant of the old Whois protocol that used to return plain text that was poorly formatted. So it has the advantage of returning structured and data that is easily parseable, and has a standard process for redactions for privacy. In practical terms, it may look similar for manual lookups. It is more significant for those that have to process results programmatically.
Why is a lot of contact information concealed?
This is due to the GDPR. Registrars are no longer allowed to display personal contact information for individual domain registrants. Most widespread this globally. The registrar continues to have the information, but it cannot be obtained through a public lookup. Accessing it requires more formal steps and can be subject to additional conditions.
Is it possible to see past owners with Whois ICANN?
No. Whois ICANN reflects the registry’s current status. In order to obtain historical ownership information, there is a need for a third party archiving service. There are several, DomainTools and SecurityTrails for example. Access to those archiving records is typically subject to a paid subscription.
What exactly is reverse Whois and why it is not available in the ICANN tool?
Reverse Whois allows users to conduct registrant-based domain searches. For example, users can conduct searches using an email to find all the domains that are associated with that email address. Unlike such entity-based searches, the ICANN tool is designed to facilitate searches by single domain lookups. Other third-party platforms supplement this tool over time, especially as new use cases, such as in security research, emerge.
Are third-party Whois tools reliable?
Yes, in most cases of domain lookups. Third-party tools can be unreliable when it comes to ensuring the most recent domain ownership changes. This especially matters when the most recent status of things is important. For recent domain ownership transfers, recent expirations, and formal documentation, you should verify the result using ICANN before completely trusting the result.
Are security experts users of both of the tools in modern-day practice?
Yes, as an example. They use a research tool that offers foundational context and analysis of domain and web infrastructure. They also use ICANN Whois to determine current domain ownership. The two tools provide differing insights, such that selecting one does not eliminate the need to use the other.
What Ultimately Determines The Difference?
The ICANN tool offers the most up-to-date and accurate information, while third-party tools focus on providing context, insight into the history of a domain, and the ability to search across numerous domains. For most users, the ICANN tool single-handedly provides almost all the functionality you would ever need when it comes to domain lookups. However, if your needs go beyond the surface, you will most likely need to use both tools.
References
- ICANN. “ICANN WHOIS Lookup.” lookup.icann.org
- ICANN. “Registration Data Access Protocol (RDAP).” icann.org/rdap
- ICANN. “Temporary Specification for gTLD Registration Data.” icann.org
- Internet Engineering Task Force. “RFC 7482: RDAP Query Format.” tools.ietf.org
- ICANN. “Uniform Domain-Name Dispute-Resolution Policy (UDRP).” icann.org
- DomainTools. “Whois Lookup and Domain Research.” domaintools.com
- European Parliament. “General Data Protection Regulation (GDPR) — EU 2016/679.” EUR-Lex
- ICANN. “System for Standardized Access/Disclosure (SSAD).” icann.org
