ZeroTrace OSINT
WHOIS Lookup
Domain ownership, registration history, nameservers, abuse contacts, and registrar reputation in one query.
The WHOIS lookup tool answers the question "who runs this domain?" — and a half-dozen related questions about how the domain was registered, where it was registered, and how recently.
It queries both classic WHOIS and RDAP (the modern replacement) and merges the result. You see one structured report regardless of which protocol the registry happens to use.
What you get
For any domain, the tool returns:
| Field | What it tells you |
|---|---|
| Registrar | Which company sold the domain (GoDaddy, Namecheap, Porkbun, etc.) |
| Registrar reputation tier | Curated rating of the registrar's bulk-registration / abuse stance |
| Created date | When the domain was first registered |
| Updated date | When the registration was last modified |
| Expiry date | When the registration expires |
| Domain age | Calculated age in days, with a freshness indicator |
| Days until expiry | Calculated countdown, with a freshness indicator |
| Nameservers | The DNS servers authoritative for the domain |
| Registrant | Owner contact (often privacy-redacted) |
| Admin contact | Administrative contact (often privacy-redacted) |
| Abuse contact | Email address for abuse complaints |
| DNSSEC | Whether the registration claims DNSSEC support |
| Privacy proxy | Detection of WhoisGuard, Domains by Proxy, Contact Privacy, etc. |
| RDAP raw JSON | The unprocessed registry response, available behind a toggle |
Why domain age matters
Age is the single most important field in phishing-domain triage:
- Less than 30 days — high phishing-risk indicator. Most phishing domains are registered within days of being weaponised.
- 30 to 365 days — medium signal. Combined with other indicators, still notable.
- More than a year — low signal on its own. The domain may still be malicious, but age alone does not flag it.
The tool surfaces age as a coloured chip so you can scan a list of domains and spot the new ones immediately.
Why expiry matters
A domain that is about to expire — particularly one used by a known good service — is a future hijack risk. A domain that has just been re-registered after a lapse has probably been repurposed.
The tool surfaces both with the same freshness chip.
Privacy-proxy detection
Most personal-domain registrants use a privacy-proxy service to hide their real contact details. The tool detects the major proxy services (WhoisGuard, Domains by Proxy, Contact Privacy, RedactedForPrivacy) and surfaces a "privacy-proxied" pill so you do not waste time chasing a fake registrant address.
Registrar reputation
Some registrars are aggressively cheap and have looser abuse-handling stances. Others are corporate registrars rarely associated with abuse. The tool ships with a curated reputation tier per major registrar — not a value judgment, just OSINT context.
Registrar reputation is one signal. A perfectly reputable registrar can host a malicious domain; a notorious abuse-friendly registrar can host a legitimate one. Read it as a Bayesian prior, not a verdict.
Pivots from a WHOIS result
| Click on... | Pivot to |
|---|---|
| Nameserver hostname | DNS lookup, IP geolocation |
| Registrant email | Email analyzer, password breach lookup |
| Abuse email | Email analyzer |
| Registrar website | URL parser |
| Date fields | (no pivot — use the freshness chip) |
Bulk WHOIS
Bulk paste mode lets you check dozens to hundreds of domains in one batch. The result table aggregates registrar, age, expiry, nameservers, and privacy status across the batch — perfect for triaging a list of suspicious domains pulled from a phishing report.
RDAP raw view
For domains where the structured fields are not enough, the RDAP raw view shows the full unprocessed response. Useful for:
- Capturing fields the structured view does not parse (extension records, registrar-specific fields).
- Verifying the structured parsing.
- Including the raw response as evidence in a high-stakes report.
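To verify the structured parsing by hand, the age and expiry fields can be recomputed from the raw RDAP `events` array. The sketch below is an added example, not ZeroTrace's own code: it assumes the RFC 9083 field names (`events`, `eventAction`, `eventDate`, `nameservers`, `secureDNS`), uses a constructed sample response, and its function names (`parse_ts`, `age_tier`, `summarise`) are hypothetical. It applies the age thresholds from "Why domain age matters".

```python
import json
from datetime import datetime, timezone

# Constructed sample: a trimmed RDAP domain object using RFC 9083 field names.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example-login.test",
  "events": [
    {"eventAction": "registration", "eventDate": "2024-05-20T09:15:00Z"},
    {"eventAction": "last changed", "eventDate": "2024-05-21T10:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2025-05-20T09:15:00Z"}
  ],
  "nameservers": [{"ldhName": "NS1.EXAMPLE-DNS.TEST"}],
  "secureDNS": {"delegationSigned": false}
}
""")

def parse_ts(ts):
    # RDAP dates are RFC 3339; rewrite a trailing "Z" so older Pythons parse it.
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def age_tier(days):
    # Thresholds from the page: <30 days high, 30 to 365 medium, older low.
    if days is None:
        return "unknown"  # registry omitted the registration event
    if days < 30:
        return "high"
    return "medium" if days <= 365 else "low"

def summarise(rdap, now):
    # Index events by action; a missing event yields None, not a guessed date.
    events = {e.get("eventAction"): e.get("eventDate") for e in rdap.get("events", [])}
    created = events.get("registration")
    expires = events.get("expiration")
    age = (now - parse_ts(created)).days if created else None
    left = (parse_ts(expires) - now).days if expires else None
    ns = [n["ldhName"].lower() for n in rdap.get("nameservers", []) if "ldhName" in n]
    return {
        "domain": rdap.get("ldhName"),
        "age_days": age,
        "age_tier": age_tier(age),
        "days_until_expiry": left,
        "nameservers": sorted(ns),
        "dnssec": bool(rdap.get("secureDNS", {}).get("delegationSigned", False)),
    }
```

A response with no `registration` event comes back as `unknown` rather than being treated as an old domain, which is the case to watch for when comparing against the structured view.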
Sources
- IANA root WHOIS / RDAP for top-level domain delegation.
- Per-TLD registry RDAP endpoints.
- Per-registrar RDAP / WHOIS where the registry delegates.
- Privacy-proxy detection from a curated catalog.
Every source is named on the result. Every export carries the source list.