How to check domain nameservers with whois

During a DNS provider move, the nameservers in registration data decide where the parent zone delegates a domain. Checking those fields before editing records prevents chasing the wrong DNS provider when the registrar or registry still points the domain at older authoritative servers.

WHOIS output depends on the server being queried. A plain lookup can stop at IANA or a thin referral on some systems, while the TLD registry WHOIS server returns the domain record with Name Server lines. For gTLDs where WHOIS is limited or unavailable, RDAP is the current registration-data source for the same nameserver fields.

Compare registration data with live DNS when the result controls a launch, migration, or incident. Matching WHOIS and DNS NS sets mean the registration record and resolver view agree; a mismatch tells you whether to check registrar state, parent delegation, resolver cache timing, or the authoritative DNS service.

Steps to check domain nameservers with whois:

  1. Query the registry WHOIS server that holds the domain record.
    $ whois -h whois.verisign-grs.com example.com
       Domain Name: EXAMPLE.COM
    ##### snipped #####
       Name Server: ELLIOTT.NS.CLOUDFLARE.COM
       Name Server: HERA.NS.CLOUDFLARE.COM
       DNSSEC: signedDelegation

    The example uses the .com registry. Use the matching registry WHOIS server for another TLD, or use RDAP when WHOIS does not publish nameserver fields.

  2. Save the nameserver hostnames as a set.

    Ignore case, order, and one trailing dot. ELLIOTT.NS.CLOUDFLARE.COM and elliott.ns.cloudflare.com. are the same DNS name.

  3. Query live DNS for the domain NS records.
    $ dig +short NS example.com
    elliott.ns.cloudflare.com.
    hera.ns.cloudflare.com.

  4. Compare the normalized WHOIS and DNS sets.

    Matching sets show that the registration record and recursive DNS view agree. Missing, extra, or different nameserver hostnames point to registrar or registry state, resolver cache timing, or a partial provider move.

  5. Ask the parent zone directly when the recursive answer differs or a change is in progress.
    $ dig +norecurse @a.gtld-servers.net NS example.com
    ##### snipped #####
    ;; AUTHORITY SECTION:
    example.com.		172800	IN	NS	hera.ns.cloudflare.com.
    example.com.		172800	IN	NS	elliott.ns.cloudflare.com.
    ##### snipped #####

    For another TLD, replace a.gtld-servers.net with an authoritative nameserver for that parent zone.

  6. Check that one listed nameserver answers for the zone.
    $ dig +short SOA example.com @hera.ns.cloudflare.com
    elliott.ns.cloudflare.com. dns.cloudflare.com. 2405749864 10000 2400 604800 1800

    A matching nameserver set does not prove that the DNS service is answering. A timeout, SERVFAIL, or missing SOA from a delegated server points to a problem with the authoritative DNS service or zone hosting.

  7. Check address records when a listed nameserver is under the same domain.
    $ dig +short A ns1.example.com
    $ dig +short AAAA ns1.example.com

    Run this only for in-domain nameservers, such as ns1.example.com for example.com. Parent-side glue may be required before resolvers can reach that nameserver.

  8. Record the delegation state.

    The check is complete when the WHOIS nameserver set matches the intended provider, live DNS returns the same normalized NS set, and at least one delegated nameserver answers for the zone.
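
Steps 2 to 4 can be scripted. The following is an added example, not part of the original procedure: it normalizes both outputs and reports which side each differing hostname came from. The function names (whois_ns, normalize_ns, compare_ns) are hypothetical and the sample input is constructed from the outputs shown above.

```sh
#!/bin/sh
# Added example: compare WHOIS "Name Server" lines with `dig +short NS` output.

# Extract hostnames from WHOIS text on stdin (field label is case-insensitive).
whois_ns() {
    awk -F': *' 'tolower($1) ~ /^[ \t]*name server$/ { print $2 }'
}

# Normalize hostnames on stdin: lowercase, trim, drop one trailing dot, dedupe.
normalize_ns() {
    tr 'A-Z' 'a-z' | tr -d '\r' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/\.$//' -e '/^$/d' |
        sort -u
}

# $1 = raw WHOIS text, $2 = raw `dig +short NS` text.
# Returns 0 on match, 1 on mismatch, 2 when WHOIS had no Name Server lines
# (for example a thin referral that never reached the registry record).
compare_ns() {
    w=$(printf '%s\n' "$1" | whois_ns | normalize_ns)
    d=$(printf '%s\n' "$2" | normalize_ns)
    [ -n "$w" ] || { echo "no-whois-ns"; return 2; }
    [ "$w" = "$d" ] && { echo "match"; return 0; }
    for h in $w; do
        printf '%s\n' "$d" | grep -qxF -- "$h" || echo "whois-only: $h"
    done
    for h in $d; do
        printf '%s\n' "$w" | grep -qxF -- "$h" || echo "dns-only: $h"
    done
    return 1
}

# Constructed sample input modeled on the outputs shown in the steps above.
SAMPLE_WHOIS='   Domain Name: EXAMPLE.COM
   Name Server: ELLIOTT.NS.CLOUDFLARE.COM
   Name Server: HERA.NS.CLOUDFLARE.COM
   DNSSEC: signedDelegation'
SAMPLE_DNS='hera.ns.cloudflare.com.
elliott.ns.cloudflare.com.'

compare_ns "$SAMPLE_WHOIS" "$SAMPLE_DNS"    # prints: match
# Live use: compare_ns "$(whois -h whois.verisign-grs.com example.com)" \
#                      "$(dig +short NS example.com)"
```

A return code of 2 means the WHOIS text carried no Name Server lines, so query the registry WHOIS server or RDAP before treating the result as a mismatch.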