whois

Query domain and IP registration data from WHOIS / RDAP servers.

Tags: Network Recon & Monitoring · Built-in OS CLI · Practiced in lab · Platforms: Windows, Linux, macOS


Description

whois queries the registry data behind a domain name or IP address block: registrar, registrant (when not redacted), name servers, creation/expiry dates, ASN owner, and abuse contact.

In threat-intel work this is bedrock OSINT:

  • A newly registered domain is a strong phishing indicator.
  • The same registrant or e-mail address across multiple domains exposes clusters of attacker infrastructure.
  • The abuse contact listed for the netblock owner is who you e-mail to request takedown of a malicious IP.

WHOIS is gradually being replaced by RDAP (queried with the rdap CLI), which returns the same registration data as structured JSON.

Use cases

  • Triaging a phishing domain (age, registrar, contact)
  • Finding sibling domains under the same registrant
  • Identifying the abuse contact for a malicious netblock

Example

whois example.com
whois 8.8.8.8
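The triage described above (domain age, registrar, abuse contact) carried through in code, as an added example that is not part of the whois tool or of this page's original content. It parses both the classic "Key: Value" WHOIS text and an RDAP JSON document into one record, then applies the newly-registered heuristic. All registry data in the block is constructed for the hypothetical domain EXAMPLE-PHISH.TEST; the field names, the 30-day threshold and the query_whois helper (which shells out to the system whois client) are this example's assumptions.

```python
"""Parse WHOIS text or RDAP JSON into one triage record and flag newly registered
domains. Added example, not the whois tool's code; all registry data below is constructed."""
import json
import subprocess
from datetime import datetime, timezone
# Constructed WHOIS output in the usual "Key: Value" layout.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-PHISH.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2024-05-01T10:15:00Z
Registry Expiry Date: 2025-05-01T10:15:00Z
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
Registrar Abuse Contact Email: abuse@example-registrar.test
"""
# Constructed RDAP response for the same hypothetical domain; abuse contact nested under the registrar.
SAMPLE_RDAP = json.dumps({
    "ldhName": "EXAMPLE-PHISH.TEST",
    "events": [{"eventAction": "registration", "eventDate": "2024-05-01T10:15:00Z"},
               {"eventAction": "expiration", "eventDate": "2025-05-01T10:15:00Z"}],
    "nameservers": [{"ldhName": "NS1.EXAMPLE-DNS.TEST"}, {"ldhName": "NS2.EXAMPLE-DNS.TEST"}],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar, Inc."]]],
                  "entities": [{"roles": ["abuse"], "vcardArray": ["vcard",
                                [["email", {}, "text", "abuse@example-registrar.test"]]]}]}],
})
CREATED_KEYS = ("creation date", "created", "registered on", "registration time")
EXPIRES_KEYS = ("registry expiry date", "expiry date", "expiration date", "paid-till")

def _parse_date(value):
    # Try the date layouts registries commonly emit; None when unparseable.
    value = (value or "").strip()
    if value.endswith("Z"):                       # strptime %z wants +00:00, not Z
        value = value[:-1] + "+00:00"
    for fmt in ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y"):
        try:
            dt = datetime.strptime(value, fmt)
            return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def parse_whois(text):
    """Collect 'Key: Value' lines, keeping repeated keys (name servers) in order."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):  # comment lines
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    first = lambda *keys: next((fields[k][0] for k in keys if fields.get(k)), None)
    return {
        "domain": (first("domain name") or "").lower() or None,
        "registrar": first("registrar"),
        "created": _parse_date(first(*CREATED_KEYS)),
        "expires": _parse_date(first(*EXPIRES_KEYS)),
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        "abuse_email": first("registrar abuse contact email", "abuse-mailbox"),
    }

def _find_role(entities, role):
    # Depth-first search of RDAP entities; contacts nest under the registrar entity.
    for ent in entities:
        if role in ent.get("roles", []):
            return ent
        hit = _find_role(ent.get("entities", []), role)
        if hit:
            return hit
    return None

def _vcard(entity, prop):
    # vcardArray is ["vcard", [[name, params, type, value], ...]]
    props = entity.get("vcardArray", ["vcard", []])[1] if entity else []
    return next((p[3] for p in props if p[0] == prop), None)

def parse_rdap(text):
    """Map an RDAP domain object (RFC 9083 layout) onto the same record shape."""
    data = json.loads(text)
    events = {e.get("eventAction"): e.get("eventDate") for e in data.get("events", [])}
    ents = data.get("entities", [])
    return {
        "domain": (data.get("ldhName") or "").lower() or None,
        "registrar": _vcard(_find_role(ents, "registrar"), "fn"),
        "created": _parse_date(events.get("registration")),
        "expires": _parse_date(events.get("expiration")),
        "name_servers": [ns.get("ldhName", "").lower() for ns in data.get("nameservers", [])],
        "abuse_email": _vcard(_find_role(ents, "abuse"), "email"),
    }

def domain_age_days(record, now=None):
    """Days since registration; `now` may be a datetime or an ISO string (for replay)."""
    if record["created"] is None:
        return None
    now = _parse_date(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    return (now - record["created"]).days

def is_newly_registered(record, now=None, threshold_days=30):
    """The phishing heuristic from the text: a young domain deserves extra scrutiny."""
    age = domain_age_days(record, now)
    return age is not None and age < threshold_days

def query_whois(target):
    """Run the system whois client (network required); feed the result to parse_whois."""
    return subprocess.run(["whois", target], capture_output=True, text=True, check=False).stdout
```

For live use, `parse_whois(query_whois("example.com"))` gives the same record shape as the RDAP path, so the age check and abuse-contact lookup do not care which protocol answered. Unparseable or redacted fields come back as None rather than raising, which is what you want when triaging many domains in a loop.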