Port 43 carries the WHOIS protocol. When you type whois google.com into a terminal, your computer opens a TCP connection to port 43 on a registry server, sends a query, and receives back the name, address, and contact information of whoever registered that domain. It is the Internet's original directory service, the first answer to a question that still matters: who is this?
What WHOIS Does
The WHOIS protocol is almost absurdly simple. A client connects to port 43 on a WHOIS server. The client sends a query terminated by a carriage return and line feed. The server sends back text. The server closes the connection. That's it.1
There is no authentication. No encryption. No standardized response format. The server just sends you text until it's done, then hangs up. The connection closing IS the end-of-message signal.
This simplicity is intentional. RFC 812 explicitly states that responses are "not currently intended to be machine-readable; the information is meant to be passed back directly to a human user."2 The protocol was designed for humans to look up other humans, in an era when the entire Internet was small enough that you might actually know the person on the other end.
The Woman Behind WHOIS
In 1972, Elizabeth Jocelyn Feinler joined Douglas Engelbart's Augmentation Research Center at SRI International. Her first task was to write a Resource Handbook for the first public demonstration of the ARPANET. By 1974, she was running the Network Information Center (NIC), the central authority that coordinated the early Internet.3
Feinler, known as "Jake" since childhood (her sister's toddler pronunciation of "Betty Jo" came out as "Baby Jake"), had trained as a biochemist but developed an obsession with organizing information while working at Chemical Abstracts Services.4 At SRI, that obsession became infrastructure.
Her team maintained the "white pages" (a directory of people), the "yellow pages" (a list of services), and the protocol handbook. They recorded two contacts for every computer on the network: a technical contact and an administrative contact. They answered phones and mail. They were, in Feinler's words, "the prehistoric Google."5
By 1979, the network was growing faster than manual methods could handle. In 1982, Ken Harrenstien and Vic White, working in Feinler's group, defined an Internet protocol to access the directory of people electronically. They called it NICNAME, though most sites preferred the more memorable "WHOIS."6
The same team went on to create the Domain Name System's original top-level domains: .com, .edu, .gov, .mil, .org, and .net. The architecture of Internet naming runs through Jake Feinler's office at SRI International.
How It Actually Works
The protocol specification fits on a single page:1
- The client opens a TCP connection to port 43
- The client sends a single line of text ending with CR LF
- The server sends back text (possibly many lines)
- The server closes the connection
The query format depends on the server. You might send a domain name, an IP address, a person's name, or a handle. The original RFC 812 supported wildcards (appending "..." to match partial names) and prefixes ("!" for handle-only searches, "." for name-only searches, "*" for organization membership).2
The response format also depends on the server. There is no standard. Most servers return something resembling "Header name: Header data" but the actual fields, their names, and their order vary by registry. A WHOIS lookup for a .com domain returns different fields in a different format than a lookup for an IP address block.
This lack of standardization is one of many reasons WHOIS has been difficult to replace. Every implementation has evolved its own dialect.
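The exchange described above, as an added example that is not part of the original page: a minimal client that sends one CRLF-terminated line and reads until the server closes, plus a best-effort parser for the loosely formatted reply. The loopback server, the sample data used with it, the `%`/`#` comment-line convention, and the `MAX_BYTES` cap are assumptions made for illustration; the cap and timeout are there because the protocol gives the client no length field and no way to authenticate the peer.

```python
import socket
import threading

MAX_BYTES = 64 * 1024  # assumed cap; WHOIS itself defines no response limit


def whois_query(host, query, port=43, timeout=5.0, max_bytes=MAX_BYTES):
    """Send one CRLF-terminated line, then read until the server closes."""
    if "\r" in query or "\n" in query:
        raise ValueError("query must be a single line")
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        while True:
            data = sock.recv(4096)
            if not data:  # EOF: the close is the only end-of-message signal
                break
            total += len(data)
            if total > max_bytes:  # unauthenticated peer, so bound what we buffer
                raise ValueError("response exceeds max_bytes")
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_fields(text):
    """Best-effort 'Name: value' parse; names and order vary by registry."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() and not line.startswith(("%", "#")):
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def start_demo_server(reply):
    """Constructed loopback server: read one line, send text, hang up."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve():
        conn, _ = srv.accept()
        with conn, srv, conn.makefile("rb") as rfile:
            query = rfile.readline().strip()
            conn.sendall(b"% query was " + query + b"\r\n" + reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]  # ephemeral port the demo server listens on
```

Repeated field names (such as several name servers) are kept as lists, since nothing in the protocol says a field appears only once.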
The Security Problem
WHOIS has no security model. RFC 3912 states this plainly: "WHOIS lacks mechanisms for access control, integrity, and confidentiality."1
No access control: Anyone can query any WHOIS server. There is no authentication, no rate limiting in the protocol itself (though servers may implement their own), no concept of permissions.
No integrity: WHOIS responses are unsigned. There is no cryptographic way to verify that a response actually came from a legitimate server. In September 2024, security researcher Benjamin Harris demonstrated this catastrophically by registering an expired domain that had previously been used as the authoritative WHOIS server for the .mobi TLD. His rogue server received 2.5 million queries from 135,000 unique systems, including government agencies, certificate authorities, and major tech companies.7
No confidentiality: Everything flows in plaintext. Anyone on the network path can see both the query and the response.
The rogue WHOIS server incident revealed an even more devastating attack: certificate authorities use WHOIS to determine who owns a domain when validating certificate requests. By controlling what the WHOIS server returned, Harris could have directed certificate validation emails to addresses he controlled, allowing him to obtain fraudulent TLS certificates for any .mobi domain.8
The Privacy Problem
For decades, WHOIS was a goldmine for spammers, data brokers, and attackers. Register a domain, and your name, address, phone number, and email were immediately published to the world. Automated scrapers harvested this data continuously, building massive databases for "marketing" (spam) and social engineering.9
The 2018 implementation of GDPR forced a reckoning. Registrars began redacting personal data from WHOIS responses for EU residents. The result was a significant reduction in spam and robocalls for domain registrants, but also a 41% decrease in security researchers' ability to detect malicious domains and a 70% increase in response times for takedown requests.10
This is the core tension of WHOIS: the same transparency that enables accountability also enables abuse.
The Sunset
On January 28, 2025, ICANN officially deprecated the WHOIS protocol on port 43.11 The successor is RDAP (Registration Data Access Protocol), which addresses many of WHOIS's architectural failures:
- HTTP-based: RDAP runs over HTTPS on port 443, meaning encrypted connections with verified server certificates
- Standardized format: Responses are JSON with a defined schema
- Access control: Built-in support for differentiated access levels
- Internationalization: Full Unicode support for non-ASCII data
- Bootstrap: A standardized mechanism for discovering which server is authoritative for a given query
RDAP doesn't solve the privacy-versus-transparency tradeoff. But it at least provides the technical mechanisms for registries to implement nuanced access policies.
What Flows Through Port 43
Every domain name on the Internet has a story behind it. Someone registered it. They had a reason. They entered their name, or a privacy proxy's name, into a form. That data flows through port 43 when you ask who owns connected.app or google.com or that suspicious domain in a phishing email.
WHOIS carries the questions of investigators tracking down fraud, journalists tracing shell companies, lawyers enforcing trademarks, security researchers mapping botnets, and curious people wondering who's behind a website. It carries the answers too: sometimes a name and address, sometimes a privacy shield, sometimes a lie.
For 43 years, this protocol has been the Internet's answer to "who is this?" It was designed for a network small enough that knowing the person on the other end mattered. It scaled to a network of billions by refusing to change, and that stubbornness is both its legacy and its limitation.
Port 43 is officially sunsetting now, replaced by something better. But the question it was built to answer still matters. The Internet is still made of people, even when they're hiding.
Related Ports
| Port | Protocol | Relationship |
|---|---|---|
| 53 | DNS | Domain Name System, created by Feinler's team at SRI to replace static host tables |
| 79 | Finger | User information protocol, WHOIS's sibling from the same era |
| 443 | HTTPS | Where RDAP runs, the modern successor to WHOIS |