Why RDAP is the Next Big Step in Domain Intelligence
Introduction
For many years, domain registration data provided by the Whois protocol has been a crucial source of intelligence for cyber threat researchers. Details such as a registrant’s email address, phone number, and affiliate organization can be critical pivot points for investigators, eventually leading to a more complete answer to the Who, What, When, Where, and Why. In 2025, this information is available in an entirely new format that enhances data accuracy, accessibility, and compliance. Luckily for cybersecurity professionals, this format has a catchy new acronym – welcome, RDAP!
What is RDAP?
Registration Data Access Protocol, or RDAP, is the successor to Whois, which has delivered domain registration information for over 40 years. Though its data is highly valuable, the text-file format of Whois has made automation, ingestion, and analysis somewhat challenging for the modern analyst’s toolkit. This is where RDAP comes in. By swapping out a text file format for machine-readable JSON, RDAP provides several key advantages such as differentiated access, enhanced security, and more, all while supporting the same important data fields as Whois.
So why now? Despite appearances, RDAP is not a new concept, having been standardized by the Internet Engineering Task Force (IETF) in 2015. While global adoption was slow at first, Internet management organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Assigned Numbers Authority (IANA) have continually driven RDAP’s implementation. Most recently, ICANN lifted the obligation for its registries and registrars to provide Whois data as of January 28, 2025, with the ultimate goal of sunsetting this protocol in favor of RDAP.
With all of these advantages and a global adoption driven by ICANN, Whois will disappear across domain space, right? Not quite – while ICANN’s TLDs are encouraged to adopt RDAP, there is no such requirement for TLDs outside of ICANN’s purview. These include country code TLDs such as .ru or .it. Because of this, analysts will need to access and examine data from both RDAP and Whois for the foreseeable future.
Before we talk about RDAP in practice, we’re going to discuss why these protocols are so important, particularly for the cyber threat intelligence community. Whether it comes through Whois or RDAP, registration data is necessary to form domain intelligence (AKA, an analyst’s best friend).
What is Domain Intelligence?
Domain intelligence is the meaningful combination of details about a website, which includes registration information and other attributes such as the IP address/addresses, creation date and expiration date, SSL certificate, and name servers. This information can lead to significant breakthroughs in an investigation and provide important context around DNS-based incidents. DNS abuse is a consistent part of malicious cyber activity, which makes it even more important that accurate domain information is accessible, compliant, and compatible with modern security solutions and standards. So how can we apply these standards to everyday intelligence work?
How RDAP Enhances Domain Intelligence
The answer lies in RDAP. Here are some of its key features:
- Improved Data Accessibility
- Enhanced Privacy and Security
- Real-Time Data Updates
- Support for Automation and Integration
Let’s take a closer look at each point, keeping in mind that they pertain mostly to how domain registration data can be delivered, displayed, and ingested, not necessarily what data is shown to the end user.
Improved Data Accessibility
While the text file-based display output of Whois is just fine for human beings, its varying schema among registries and registrars can make bulk ingestion and automated processing a tricky task. RDAP’s standardization promises to make this easier, though implementation details will still vary as registrar/registry parsing is required.
Enhanced Privacy and Security
A particularly important aspect of RDAP for regulators and registrars is its enhanced privacy and security features, which better align with global privacy regulations such as GDPR. One of these features is support for differentiated access, which would technically allow administrators to choose which groups or user types have access to particular domain information. However, this differentiated access is implemented through a process called Registration Data Request Service (RDRS), whose support is optional among registrars.
Additionally, RDAP uses HTTP over TLS, which encrypts traffic sent between a client and server and prevents unwanted eavesdropping. This is another improvement over Whois, whose queries and responses are unencrypted.
Real-Time Data Updates
Another RDAP enhancement is its ability to provide near-instantaneous access to the most current domain registration data. While Whois can sometimes have delays in data alterations, RDAP returns results that are up-to-date and thus more reliable. Context is everything in domain intelligence, and this is more easily achieved and understood with access to timely, accurate information.
Support for Automation and Integration
Lastly, RDAP’s support for automation allows for integration with APIs and other tools for enhanced efficiency. Automated processes equal less manual intake and analysis for researchers, leaving more time for them to focus on their investigations rather than trying to figure out how to neatly ingest 1,000+ malicious domains with non-standard registration information output – phew!
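To make the ingestion point concrete, here is an added example (not DomainTools code) that flattens one RDAP domain object into the fields an analyst pivots on. It assumes the RFC 9083 response layout (events, nameservers, nested entities carrying jCard data); the sample response is constructed and the function names are illustrative.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response in the RFC 9083 layout; every value is made up.
SAMPLE = json.loads("""
{"objectClassName": "domain", "ldhName": "EXAMPLE.TEST",
 "status": ["client transfer prohibited"],
 "events": [{"eventAction": "registration", "eventDate": "2024-11-02T10:15:00Z"},
            {"eventAction": "expiration", "eventDate": "2025-11-02T10:15:00Z"}],
 "nameservers": [{"ldhName": "NS2.DNS.TEST"}, {"ldhName": "ns1.dns.test"}],
 "entities": [
  {"roles": ["registrar"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                            ["fn", {}, "text", "Sample Registrar LLC"]]],
   "entities": [{"roles": ["abuse"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["email", {}, "text", "abuse@registrar.test"]]]}]},
  {"roles": ["registrant"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", ""]]]}]}
""")

def vcard_values(entity, prop):
    """Non-empty string values of one jCard property, e.g. 'fn' or 'email'."""
    card = entity.get("vcardArray") or ["vcard", []]
    return [p[3] for p in card[1] if p[0] == prop and isinstance(p[3], str) and p[3]]

def walk_entities(obj):
    """Yield entities at every depth; abuse contacts nest under the registrar."""
    for ent in obj.get("entities", []):
        yield ent
        yield from walk_entities(ent)

def summarize(rdap, as_of):
    """Flatten one RDAP domain object into the fields an analyst pivots on."""
    events = {e["eventAction"]: e["eventDate"] for e in rdap.get("events", [])}
    contacts = {}
    for ent in walk_entities(rdap):
        for role in ent.get("roles", []):
            c = contacts.setdefault(role, {"names": [], "emails": []})
            c["names"] += vcard_values(ent, "fn")
            c["emails"] += vcard_values(ent, "email")
    created = events.get("registration")
    age = None
    if created:  # registration date may be absent; keep None rather than guess
        age = (as_of - datetime.fromisoformat(created.replace("Z", "+00:00"))).days
    return {"domain": rdap.get("ldhName", "").lower(), "created": created,
            "expires": events.get("expiration"), "age_days": age,
            "nameservers": sorted(n["ldhName"].lower() for n in rdap.get("nameservers", [])),
            "contacts": contacts}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE, datetime(2024, 11, 12, tzinfo=timezone.utc)), indent=1))
```

The registrant entry comes back with empty name and email lists because the sample's registrant record is blanked, which is the case a bulk pipeline has to tolerate rather than treat as a parse error.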
How DomainTools Leads in RDAP-Driven Domain Intelligence
To keep up with this important shift, the DomainTools enterprise products have been updated to support both RDAP and Whois. While we continue to pull Whois records as they are still available, we are also gathering RDAP records from over 770 registries and registrars across more than 1,100 TLDs worldwide. In practice, this means that Iris Investigate, Enrich, and Detect users can view both RDAP and Whois data for domains when available.
If a registrar provides both record types, we will display either the most recent record OR, if both records have the same timestamp, the one which provides more data (RDAP currently has the tiebreaker). And the best part – all of this registration data appears in the same places you would normally view or consume via API. No action required for Iris users; we’ve already gathered and centralized the information for you!
For more information on how RDAP is implemented in DomainTools products, check out this helpful blog from our Principal Product Manager, Grant Cole.
Conclusion
In short, RDAP is the next big step in domain intelligence thanks to its many improvements over Whois. Even if Whois never entirely goes away, the transition is a significant jump forward for cybersecurity efforts and for making the Internet a safer place.
Now that you’ve got a good grasp on what RDAP is, why not explore DomainTools enterprise products to see the new protocol in action? Click here to request a demo today, and as always, please feel free to contact us at [email protected] with any questions!