domain2Social
All posts

domains · 2 min read

RDAP vs WHOIS: how domain availability actually works

by domain2social

"Is this domain available?" sounds like a yes/no question with a yes/no answer. It isn't. Getting it right means asking two different systems and knowing which one to trust when they disagree.

WHOIS is on the way out

For decades, WHOIS was the answer: a plain-text protocol you queried to see who owned a domain. It's being phased out in favour of RDAP (Registration Data Access Protocol) — a modern, JSON-based API that returns structured data with consistent status codes. RDAP is what registries actively maintain now, so it's what we lead with.

The rdap.org trap

The obvious shortcut is to send every lookup to rdap.org, a public aggregator. It's also a trap: rdap.org 404s for .io and .co, and a naive checker reads that 404 as "no registration found" — reporting every .io domain on earth as available. That's not a small bug; it's the difference between a tool you can trust and one you can't.

The fix is to route each TLD to its authoritative endpoint:

  • .comrdap.verisign.com
  • .orgrdap.publicinterestregistry.org
  • .ai / .iordap.identitydigital.services
google.iotaken openai.aitaken nike.cotaken

Why DNS is the second opinion

Some TLDs — .co is the classic example — don't expose a clean RDAP endpoint at all. And some domains are registered but never delegated: they exist, but they have no nameservers yet, so RDAP might be quiet about them. That's where a DNS-over-HTTPS lookup earns its place. We ask Google's DNS resolver for the domain's NS records:

  • NXDOMAIN (no such name) → a strong "available" signal.
  • NS records present → definitely taken.

The combined rule: taken wins

Put the two together and the rule is simple: if either signal says taken, it's taken. RDAP catches the registered-but-parked domains that DNS misses; DNS covers the TLDs RDAP won't answer for. Neither alone is enough — together they're right.

Bonus: catching a domain the day it drops

RDAP also returns EPP status codes, and those tell you when a domain is on its way out: redemptionPeriod, pendingDelete, or simply expiring soon. Surface that, and "taken" turns into "taken — but watch it," so you can grab it the moment it drops.

Want the layered check without wiring up three registry APIs yourself? domain2social does it in one scan — RDAP, DNS, and the combined verdict, right in your browser.