WHOIS/RDAP for Security Investigations

Using registration data in phishing and infrastructure tracing.

Overview

Using registration data in phishing and infrastructure tracing.

Key points

  • Combine IANA bootstrap with local indexes for better coverage.
  • Keep WHOIS port 43 fallback for RDAP-less TLDs.
  • Respect registry rate limits; cache aggressively.
  • Expose data source and partial flags in API output.

WHO.GA in practice

WHO.GA (Whoga) provides unified web and JSON API lookup for scenarios like "WHOIS/RDAP for Security Investigations", handling bootstrap routing, registrar referrals, and WHOIS fallback. Try who.ga or api.who.ga/<query>.