Which TLDs still show full WHOIS registrant data?

It varies and changes frequently. Some ccTLDs with more permissive privacy regimes still expose registrant data, including .us (historically full data unless privacy requested), .io, .me, and some smaller ccTLDs. However, even these are gradually tightening. Many European ccTLDs (.de, .fr, .uk) aggressively redact all personal data. gTLDs under ICANN's jurisdiction (.com, .net, .org, etc.) are uniformly redacted under the Registration Data Policy. Always check the specific TLD's current policy, as these change without notice.

WHOIS in 2026: What’s Left After GDPR, and How to Get Registrant Data Anyway

Q: Is WHOIS data still public in 2026?

Partially. Since GDPR took effect in 2018 and ICANN officially sunset WHOIS for gTLDs in January 2025, most registrant personal data (name, address, phone, email) is redacted. What remains publicly visible includes: domain creation/expiration/update dates, registrar name, nameserver records, domain status codes, and sometimes the registrant's country or state. Some ccTLDs (like .us, .io, .me) still expose fuller registrant data depending on their local privacy laws. The replacement protocol RDAP supports tiered access, where authenticated parties (law enforcement, IP holders) can request additional data.

Q: How can I find who owns a domain after GDPR?

Several techniques remain effective. Historical WHOIS databases (like WhoisXML API with 25.5B+ records) contain pre-GDPR registrant data. The Wayback Machine archives old WHOIS pages showing full contact details. Reverse WHOIS searches find all domains registered by the same email, name, or organization. Some ccTLDs still publish registrant data. Website footer, privacy policy, and contact pages often reveal the operator. Certificate Transparency logs show the organization field in SSL certificates. ICANN's Registration Data Request Service (RDRS) provides a formal channel for legitimate access requests.

Q: What is the difference between WHOIS and RDAP?

WHOIS (created 1982) uses plain-text responses with no standard format, no access control, and no encryption. RDAP (standardized 2015, mandatory January 2025) uses structured JSON responses via HTTPS, supports tiered access control (different data for public vs authenticated users), handles internationalized domain names, and provides automatic routing to the correct server. RDAP was developed specifically to address WHOIS limitations and GDPR compliance requirements. Both protocols now return the same redacted data for public queries — RDAP's advantage is primarily in its structured format and potential for authenticated access.

GDPR (2018) and the WHOIS sunset (January 2025) redacted most registrant personal data from public lookups. The replacement protocol RDAP returns structured JSON but the same redacted data for public queries. What remains visible: domain dates, registrar, nameservers, and status codes. What’s gone: registrant name, address, phone, and email. But investigators still have options: historical WHOIS databases (25.5B+ records pre-dating GDPR), reverse WHOIS (find all domains by the same registrant), Wayback Machine archived WHOIS pages, ccTLDs with permissive policies, website content analysis, and Certificate Transparency organization fields. The data isn’t gone — it’s just harder to find.

Jan 2025

WHOIS Sunset for gTLDs

25.5B+

Historical WHOIS Records

374M+

Active Domains Tracked

7,596

TLDs Supported by RDAP

2018

GDPR Took Effect

RFC 7483

RDAP Specification

What Happened: GDPR, ICANN, and the Death of Open WHOIS

For decades, WHOIS was the internet’s open phone book. Created in 1982, the protocol provided anyone with the full contact details of every domain registrant: name, organization, address, phone number, and email. This transparency served legitimate purposes — abuse handling, trademark enforcement, law enforcement — but also enabled spam harvesting, stalking, and privacy violations.

The European Union’s General Data Protection Regulation (GDPR), effective May 2018, classified registrant contact details as personal data subject to strict processing controls. ICANN responded with the Temporary Specification for gTLD Registration Data, requiring registrars to redact personal data from public WHOIS unless the registrant consented to publication. The word “temporary” proved ironic: the specification became permanent via ICANN’s Registration Data Policy. On January 28, 2025, ICANN officially sunset WHOIS for generic top-level domains, replacing it with RDAP (Registration Data Access Protocol) as the definitive lookup protocol. GoDaddy followed in August 2025 by eliminating Administrative, Billing, and Technical contact collection entirely for most domains.

WHOIS vs RDAP: What Actually Changed

Feature	WHOIS (1982–2025)	RDAP (2015–present)
Data format	Unstructured plain text	Structured JSON via HTTPS
Standardization	No standard format; varies by registrar	Uniform JSON schema (RFC 7483)
Access control	None — same data for everyone	Tiered access (public vs authenticated)
Security	Plain text (port 43), no encryption	HTTPS with TLS encryption
Internationalization	ASCII only	Full Unicode/IDN support
Server discovery	Manual (must know correct server)	Automatic routing via bootstrap
Registrant data (public)	Redacted since 2018	Redacted (same policy)
Registrant data (authenticated)	No mechanism	Possible via RDRS or registrar policies

The critical point: RDAP doesn’t restore registrant data visibility. Public RDAP queries return the same redacted fields as post-GDPR WHOIS. RDAP’s advantage is structural — JSON format, proper authentication framework, Unicode support — and its potential for tiered access, where authenticated parties (law enforcement, IP holders) can request fuller data through channels like ICANN’s Registration Data Request Service (RDRS).

What Data Is Still Publicly Visible

Despite redaction of personal data, significant operational metadata remains accessible through RDAP (and legacy WHOIS where still available). Domain creation, expiration, and last-update timestamps are always visible and forensically valuable for establishing domain age and registration patterns. The sponsoring registrar name identifies who manages the domain. Nameserver records reveal the DNS infrastructure. Domain status codes (like clientTransferProhibited or serverHold) indicate the domain’s operational state. And in some cases, the registrant’s country or state/province is still published.

Where Registrant Data Still Leaks

ccTLDs with Permissive Policies

Not all top-level domains follow ICANN’s gTLD redaction rules. Country-code TLDs (ccTLDs) are governed by their national registries, each with its own privacy policies. Some ccTLDs still publish fuller registrant data: .us has historically required real contact data and published it openly (though privacy options exist), .io and .me have more permissive data regimes that often expose registrant details, and many smaller ccTLDs default to publishing what the registrant provides. Conversely, European ccTLDs like .de, .fr, and .uk aggressively redact all personal data at the registry level. These policies change without notice — always verify the current behavior for any specific TLD.

Thick vs Thin Registries

Registry architecture affects data availability. In a thick registry, the registry itself stores all registrant contact data and serves it directly. In a thin registry, the registry stores only basic domain and nameserver information, referring WHOIS queries to the sponsoring registrar for contact details. Historically, .com and .net were the only major gTLDs using thin registries — though .com transitioned to thick in 2018. The distinction matters for investigators because thick registries provide a single authoritative source, while thin registries required chasing referrals to individual registrars, each with different disclosure policies.

Six Techniques for Finding Domain Owners in 2026

1. Historical WHOIS Databases

The single most powerful tool for post-GDPR domain investigation. Services like WhoisXML API (25.5B+ historical records), DomainTools, and Whoxy have been crawling and archiving WHOIS data since before GDPR. Pre-May 2018 records contain full registrant contact details for millions of domains. Even post-GDPR records are valuable: they show when registrant data changed, when privacy protection was added, and which registrar took over. Our WHOIS History tool leverages the Wayback Machine to recover archived WHOIS pages containing pre-GDPR registrant data.

2. Wayback Machine WHOIS Archaeology

The Internet Archive has archived WHOIS lookup pages from services like who.is, whois.domaintools.com, and registrar WHOIS pages going back to the early 2000s. Searching for who.is/whois/example.com in the Wayback Machine often reveals complete registrant records from before GDPR redaction. This technique is entirely passive and free. Our WHOIS History tool automates this process, querying the CDX API for archived WHOIS pages and extracting registrant details from the snapshots.

3. Reverse WHOIS Lookup

Reverse WHOIS works in the opposite direction from standard lookups: given a registrant name, email address, or organization, it returns all domains registered using those details. This is invaluable for mapping an entity’s complete domain portfolio. Even in the post-GDPR era, reverse WHOIS searches against historical databases remain effective because they query archived data. Services like ViewDNS.info (free, limited), Whoxy, and WhoisXML API offer reverse WHOIS functionality. A single email address from a pre-GDPR record can reveal dozens or hundreds of related domains.

4. Website Content Analysis

When WHOIS fails, the website itself often reveals the operator. Contact pages, privacy policies (legally required to identify the data controller under GDPR), terms of service, about pages, footer copyright notices, and social media links all provide ownership signals. For organizations, the legal entity name in the privacy policy is often more reliable than WHOIS data ever was, since GDPR itself requires this disclosure. Job posting pages reveal the operating company, and press releases or news articles mentioning the domain can identify its owner.

5. Certificate Transparency Organization Field

SSL/TLS certificates — especially Organization Validated (OV) and Extended Validation (EV) certificates — contain the organization name and sometimes the address in the Subject field. These are logged permanently in Certificate Transparency logs. Querying crt.sh for a domain reveals the issuing organization, providing a strong signal for domain ownership even when WHOIS is fully redacted. DV (Domain Validated) certificates contain only the domain name and are less useful for this purpose.

6. ICANN’s Registration Data Request Service (RDRS)

For parties with a legitimate interest — law enforcement, intellectual property holders, cybersecurity researchers — ICANN’s RDRS provides a formal channel to request non-public registration data from participating registrars. The service doesn’t guarantee disclosure, as each registrar decides whether to fulfill requests based on their own policies. However, it standardizes the request process and logs all interactions, creating an audit trail that demonstrates due diligence for legal proceedings.

Key Terminology

WHOIS: A protocol created in 1982 for querying domain registration data. Used plain text over TCP port 43. Officially sunset for gTLDs on January 28, 2025, replaced by RDAP. Some ccTLDs and registrars continue to offer WHOIS access.
RDAP (Registration Data Access Protocol): IETF-standardized replacement for WHOIS (RFC 7480–7484). Uses JSON over HTTPS, supports tiered access control, Unicode, and automatic server routing. Mandatory for all gTLD registries and registrars since January 2025.
GDPR (General Data Protection Regulation): EU regulation effective May 2018 that classifies domain registrant contact details as personal data. Triggered mass redaction of WHOIS records and ultimately drove the transition to RDAP with tiered access controls.
Registrant: The individual or organization that registered a domain name. Previously visible in WHOIS records; now redacted for gTLDs unless the registrant consents to publication or a legitimate requester accesses data through RDRS.
Reverse WHOIS: A lookup technique that takes a registrant identifier (name, email, organization) and returns all domains registered using that information. Essential for mapping domain portfolios. Most effective when querying historical databases.
Thick Registry: A domain registry that stores complete registrant contact data alongside domain/nameserver records. Serves as a single authoritative source for all registration data. Most gTLDs now use thick registries.
Thin Registry: A domain registry that stores only domain names, nameservers, and registrar references. Contact data is held exclusively by the sponsoring registrar. Historically used by .com and .net before .com’s 2018 transition to thick.
RDRS (Registration Data Request Service): ICANN service providing a standardized channel for requesting non-public gTLD registration data from participating registrars. Available to law enforcement, IP holders, and researchers with legitimate interest. Registrar compliance is voluntary.

Sources

ICANN — Launching RDAP, Sunsetting WHOIS (Jan 2025). Abion — Goodbye WHOIS, Hello RDAP (2025). WHOIS JSON API — WHOIS and GDPR Explained (Jan 2026). WHOIS JSON API — Why Data Is Redacted (2026). Strategic Revenue — GoDaddy WHOIS Data Shrinks (Jun 2025). HYAS — Understanding RDAP (2025). WhoisXML API Reverse WHOIS (25.5B+ historical records). ICANN RDAP Lookup.

Frequently Asked Questions

Is WHOIS data still public in 2026?

Partially. Registrant personal data (name, address, phone, email) is redacted for gTLDs since GDPR (2018) and the WHOIS sunset (Jan 2025). What remains visible: domain dates, registrar, nameservers, status codes, and sometimes country/state. Some ccTLDs still expose fuller data. RDAP supports tiered access for authenticated parties.

How can I find who owns a domain after GDPR?

Six techniques: (1) Historical WHOIS databases with pre-GDPR records, (2) Wayback Machine WHOIS archaeology, (3) Reverse WHOIS searches, (4) Website content analysis (privacy policies, footers), (5) Certificate Transparency organization fields, (6) ICANN’s RDRS for formal requests. Some ccTLDs also still expose data.

What is the difference between WHOIS and RDAP?

WHOIS (1982): plain text, no standard format, no access control, no encryption. RDAP (2015, mandatory Jan 2025): structured JSON via HTTPS, tiered access control, Unicode support, automatic server routing. Both return the same redacted data for public queries — RDAP’s advantage is structure and potential for authenticated access.

Which TLDs still show full registrant data?

Some ccTLDs with permissive privacy regimes: .us (historically), .io, .me, and smaller ccTLDs. European ccTLDs (.de, .fr, .uk) aggressively redact. All gTLDs (.com, .net, .org) are uniformly redacted. Policies change frequently — always verify the current TLD behavior.