Investigator Use
Who.is is a WHOIS lookup service that aggregates registration data from multiple domain registries and regional internet registries into a single, clean interface. It provides current registration data for domain names across all TLDs, IP address allocation records, and ASN information, making it a convenient first stop for basic domain and IP investigation.
What investigators use Who.is for: quickly retrieving WHOIS data for any domain or IP address, identifying registrars, name servers, and registration dates, cross-referencing multiple TLD registries without knowing which registry to query, and obtaining basic contact information when privacy protection has not been applied.
What Who.is exposes: registrant, technical, and administrative contact data (where not privacy-protected), registration and expiration dates, registrar and sponsoring organization, name server configuration, IP allocation records from regional internet registries, and ASN registration data for network blocks.
Who.is queries multiple WHOIS servers automatically, making it particularly useful for unusual TLDs where the correct WHOIS server is not immediately obvious. Submit a domain with an unfamiliar extension and Who.is routes the query to the appropriate registry without requiring the investigator to know which WHOIS server to contact.
Privacy protection limitations: the majority of domains registered today use WHOIS privacy protection services that replace registrant contact information with proxy data. Who.is returns whatever the registry provides — which for privacy-protected domains means the proxy service's contact details rather than the actual registrant. Historical WHOIS data from before privacy protection was applied requires specialized services like DomainTools or WhoisFreaks.
IP WHOIS lookups: in addition to domain registrations, Who.is supports IP address WHOIS queries, routing them to the appropriate regional internet registry (ARIN, RIPE, APNIC, LACNIC, or AFRINIC) based on the IP range. This makes it a convenient unified interface for both domain and IP attribution work.
In a workflow: use Who.is for quick initial WHOIS lookups at the start of domain or IP investigations. If the registration is privacy-protected, move to historical WHOIS services like DomainTools or SecurityTrails to find records predating privacy protection. Supplement with SecurityTrails subdomain data and Shodan for infrastructure enumeration.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
ARIN
Domain OSINT
ARIN is a nonprofit, member-based organization that administers IP addresses & ASNs in support of the operation and growth of the Internet.
Central Ops
Domain OSINT
Free online network tools, including traceroute, nslookup, dig, whois, ping, and our own Domain Dossier and Email Dossier. Works with IPv6.
Cert Graph Crawler
Domain OSINT
An open source intelligence tool to crawl the graph of certificate Alternate Names.
DNS History
Domain OSINT
DNS History archives historical DNS records, letting investigators track IP changes, hosting migrations, and infrastructure pivots over time.
DNS Twister
Domain OSINT
DNS Twister generates and monitors domain permutations for typosquatting detection, brand protection, and phishing infrastructure discovery.
DomainTools
Domain OSINT
DomainTools provides WHOIS lookup, IP history, domain ownership records, and reverse WHOIS for domain and infrastructure investigation.