
WHOIS Data – Frequently Asked Questions

The Investigate WHOIS data is compiled from information given by domain registrants to domain registrars. Unfortunately, a fair amount of the data given to a registrar is falsified, forged, or simply omitted. In general, the less complete or authentic the displayed WHOIS data appears, the less trustworthy the website associated with that registrar is.

As a result, you may see WHOIS results that look strange, malformed or even corrupt. These results are expected and there are practical reasons for them. The volume of WHOIS data on the internet imposes practical limits on what we can display in Investigate or return in an Investigate API response.

Frequently Asked Questions (FAQ)

The FAQ answers general questions about how to use WHOIS data.

Q: Why doesn't this domain have an email or nameserver associated with it?

A: In the following example, the domain is missing email information from the WHOIS record. The WHOIS record is incomplete and is likely suspicious. Typically, the email is found between the Created and Updated dates and the Nameserver information. To view the raw WHOIS record, click Raw data.


Q: Why does information under "Show More WHOIS data" appear corrupt or not make any sense?

A: Similar to the previous question, expanding the Show more WHOIS data field shows strange information and as a result, the link to Google Maps may not work as expected. To view the raw WHOIS record, click Raw data. The standards for providing accurate data when registering a domain are quite loose, and depend on the registrar's requirements.

In the following example, you can view the corrupted data in the Address field, which includes the name of the registrar in the street address. In the raw record, the address is listed similarly.


There are also examples of forged data that appear in the WHOIS record, especially around malicious sites. An example of this can be found by checking out the malicious site google-verify.com (https://investigate.umbrella.com/domain-view/name/google-verify.com/view). In the following example, the registrant's address lists the street address of the corporate Google offices, but shows the country as Canada.


If the data under Show More WHOIS data appears incomplete or forged, the domain may be malicious. However, the WHOIS record may simply contain typos introduced at the time of domain registration.

Q: Why isn't the malicious domain I'm looking at listed in the 500 email addresses or nameservers displayed?

A: Investigate only retrieves the first 500 results from the WHOIS database for performance reasons. Some email addresses or nameservers have tens of thousands of domains associated with them. Gathering that data in a single query significantly slows our systems and harms your user experience. In some instances, the first 500 domains retrieved for an email or nameserver won't include the domain you're actually looking at.

In this example, consider google-verify.com again. At the top of the results for this domain, there's a red alert bubble indicating it's in the Umbrella block list and regarded as malicious. The email registering the domain ([email protected]) has five associated domains, four of which are malicious. However, the nameservers in this case (ns1.dns-diy.net and ns2.dns-diy.net) have (many) more than 500 domains registered to each of them. Umbrella does a query to the database and gathers the first 500 domains associated with that nameserver. In this example, google-verify.com is not one of the first 500 retrieved from the database.

The following example provides more information about the results. If an email is generic, similar results may occur. An email like [email protected] (https://investigate.umbrella.com/associated-domains-view/emails/[email protected]) may have thousands of domains associated with it, and it's possible the one you're looking at is not in the first 500 results.

In general, if a nameserver or email address is associated with 500 or more domains and enough of them are considered non-malicious to not show up, you can assume that the email is forged by a malicious domain, but is otherwise legitimate. Or, in the case of a nameserver, it's a good assumption that the nameserver provides records for legitimate domains and is not a point of interest.
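
The interpretation rule above, written out as an added example (not Investigate's own code or API output): a list that reaches the 500-result cap is treated as truncated, so a domain missing from it proves nothing. The tuple layout, the `benign_share` threshold and every `.example` domain are assumptions constructed for illustration.

```python
RESULT_CAP = 500  # per-query limit stated on this page


def triage_pivot(kind, associated, domain, benign_share=0.9):
    """Interpret a capped associated-domains list for an email or nameserver.

    kind: "email" or "nameserver"
    associated: list of (domain, is_malicious) pairs, at most RESULT_CAP long
    benign_share: assumed cut-off for "enough non-malicious" (not from the page)
    """
    total = len(associated)
    malicious = sum(1 for _, bad in associated if bad)
    truncated = total >= RESULT_CAP  # cap reached: more results may exist
    listed = domain.lower() in {d.lower() for d, _ in associated}
    benign = (total - malicious) / total if total else 0.0

    if truncated and benign >= benign_share:
        verdict = ("shared nameserver, not a point of interest"
                   if kind == "nameserver"
                   else "email likely forged or generic, weak pivot")
    elif truncated:
        verdict = "truncated list, review the malicious neighbours"
    elif malicious:
        verdict = "complete list, pivot on the malicious neighbours"
    else:
        verdict = "complete list, nothing flagged"

    return {"truncated": truncated, "listed": listed,
            # A missing domain only means "not associated" if the list is complete.
            "absence_meaningful": not truncated,
            "malicious": malicious, "total": total, "verdict": verdict}


# Constructed sample data. Counts mirror the page: five domains on the email,
# four of them malicious; a nameserver result that fills the 500-result cap.
EMAIL_HITS = [("google-verify.com", True), ("login-check.example", True),
              ("acct-verify.example", True), ("secure-sso.example", True),
              ("family-photos.example", False)]
NS_HITS = [(f"site{i}.example", i % 50 == 0) for i in range(RESULT_CAP)]

if __name__ == "__main__":
    print(triage_pivot("email", EMAIL_HITS, "google-verify.com"))
    print(triage_pivot("nameserver", NS_HITS, "google-verify.com"))
```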


Q: The registration dates for this domain are strange and data seems to be missing from history. What happened in these types of cases?

A: Some domains were registered, then the registration expired, then the domain was renewed at a later date. During the time when the domain was not registered, there was no WHOIS information, so there's a gap in the historical data. There simply is no WHOIS data when a domain isn't registered, and that's reflected in our results. As an example, we can look at google-verify.com:

https://investigate.umbrella.com/domain-view/name/google-verify.com/view

The WHOIS Created date is November 7, 2017. Previously, the domain was last observed being registered to [email protected] until September 26, 2012. Between those two dates, the domain was unregistered and waiting for a new person to come along and register a fake Google domain.
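
An added example (not part of Investigate) that finds unregistered windows in a domain's WHOIS history, using the two dates given above. The record field names, the placeholder email addresses and every other date are constructed for illustration.

```python
from datetime import date


def registration_gaps(history, min_days=1):
    """Return the unregistered windows between WHOIS history records.

    history: list of dicts with hypothetical keys "email", "created" and
    "last_seen" (date objects). Records may overlap or arrive unsorted.
    """
    gaps = []
    latest = None  # record whose coverage extends furthest so far
    for rec in sorted(history, key=lambda r: r["created"]):
        if latest is not None:
            idle = (rec["created"] - latest["last_seen"]).days
            if idle >= min_days:  # overlapping snapshots give idle <= 0
                gaps.append({
                    "unregistered_from": latest["last_seen"],
                    "registered_again": rec["created"],
                    "days": idle,
                    # A different registrant after a gap means the earlier
                    # history says nothing about the current owner.
                    "registrant_changed": rec["email"] != latest["email"],
                })
        if latest is None or rec["last_seen"] > latest["last_seen"]:
            latest = rec
    return gaps


# Constructed history for google-verify.com. Only 2012-09-26 (last observed)
# and 2017-11-07 (Created) come from the page; the rest are placeholders.
HISTORY = [
    {"email": "new-owner@example.test",
     "created": date(2017, 11, 7), "last_seen": date(2018, 2, 1)},
    {"email": "old-owner@example.test",
     "created": date(2010, 3, 1), "last_seen": date(2011, 8, 15)},
    {"email": "old-owner@example.test",
     "created": date(2011, 6, 1), "last_seen": date(2012, 9, 26)},
]

if __name__ == "__main__":
    for gap in registration_gaps(HISTORY):
        print(gap)
```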

