WHOIS Right? An Analysis of WHOIS and RDAP Consistency

TL;DR

This study compares WHOIS and RDAP domain registration data, revealing that despite general consistency, 7.6% of domains show discrepancies in key fields, impacting security applications relying on accurate data.

Contribution

It provides the first large-scale comparison of WHOIS and RDAP data, highlighting the extent and nature of inconsistencies between these protocols.

Findings

7.6% of domains have inconsistent data between WHOIS and RDAP

Discrepancies are significant in fields like IANA ID, creation date, and nameservers

Data consistency varies across different domain registrars and TLDs

Abstract

Public registration information on domain names, such as the accredited registrar, the domain name expiration date, or the abusecontact is crucial for many security tasks, from automated abuse notifications to botnet or phishing detection and classification systems. Various domain registration data is usually accessible through the WHOIS or RDAP protocols-a priori they provide the same data but use distinct formats and communication protocols. While WHOIS aims to provide human-readable data, RDAP uses a machine-readable format. Therefore, deciding which protocol to use is generally considered a straightforward technical choice, depending on the use case and the required automation and security level. In this paper, we examine the core assumption that WHOIS and RDAP offer the same data and that users can query them interchangeably. By collecting, processing, and comparing 164 million WHOIS and RDAP records for a sample of 55 million domain names, we reveal that while the data obtained through WHOIS and RDAP is generally consistent, 7.6% of the observed domains still present inconsistent data on important fields like IANA ID, creation date, or nameservers. Such variances should receive careful consideration from security stakeholders reliant on the accuracy of these fields.