During a DNS provider move, the nameservers in registration data decide where the parent zone delegates a domain. Checking those fields before editing records prevents chasing the wrong DNS provider when the registrar or registry still points the domain at older authoritative servers.
WHOIS output depends on the server being queried. A plain lookup can stop at IANA or a thin referral on some systems, while the TLD registry WHOIS server returns the domain record with Name Server lines. For gTLDs where WHOIS is limited or unavailable, RDAP is the current registration-data source for the same nameserver fields.
Compare registration data with live DNS when the result controls a launch, migration, or incident. Matching WHOIS and DNS NS sets mean the registration record and resolver view agree; a mismatch tells you whether to check registrar state, parent delegation, resolver cache timing, or the authoritative DNS service.
Steps to check domain nameservers with whois:
- Query the registry WHOIS server that holds the domain record.
$ whois -h whois.verisign-grs.com example.com
Domain Name: EXAMPLE.COM
##### snipped #####
Name Server: ELLIOTT.NS.CLOUDFLARE.COM
Name Server: HERA.NS.CLOUDFLARE.COM
DNSSEC: signedDelegation
The example uses the .com registry. Use the matching registry WHOIS server for another TLD, or use RDAP when WHOIS does not publish nameserver fields.
Related: How to find a TLD WHOIS server
Related: How to query RDAP for a domain
- Save the nameserver hostnames as a set.
Ignore case, order, and one trailing dot. ELLIOTT.NS.CLOUDFLARE.COM and elliott.ns.cloudflare.com. are the same DNS name.
- Query live DNS for the domain NS records.
$ dig +short NS example.com
elliott.ns.cloudflare.com.
hera.ns.cloudflare.com.
- Compare the normalized WHOIS and DNS sets.
Matching sets show that the registration record and recursive DNS view agree. Missing, extra, or different nameserver hostnames point to registrar or registry state, resolver cache timing, or a partial provider move.
Related: How to compare DNS and whois records
- Ask the parent zone directly when the recursive answer differs or a change is in progress.
$ dig +norecurse @a.gtld-servers.net NS example.com
##### snipped #####
;; AUTHORITY SECTION:
example.com. 172800 IN NS hera.ns.cloudflare.com.
example.com. 172800 IN NS elliott.ns.cloudflare.com.
##### snipped #####
For another TLD, replace a.gtld-servers.net with an authoritative nameserver for that parent zone.
- Check that one listed nameserver answers for the zone.
$ dig +short SOA example.com @hera.ns.cloudflare.com
elliott.ns.cloudflare.com. dns.cloudflare.com. 2405749864 10000 2400 604800 1800
A matching nameserver set does not prove that the DNS service is answering. A timeout, SERVFAIL, or missing SOA from a delegated server points to a problem with the authoritative DNS service or zone hosting.
- Check address records when a listed nameserver is under the same domain.
$ dig +short A ns1.example.com
$ dig +short AAAA ns1.example.com
Run this only for in-domain nameservers, such as ns1.example.com for example.com. Parent-side glue may be required before resolvers can reach that nameserver.
- Record the delegation state.
The check is complete when the WHOIS nameserver set matches the intended provider, live DNS returns the same normalized NS set, and at least one delegated nameserver answers for the zone.
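The "save as a set" and "compare the normalized sets" steps can be scripted as below. This is an added example, not part of the original guide; the function names are hypothetical, and the sample inputs are constructed from the command output shown in the steps so the script runs offline.

```shell
#!/bin/sh
# Constructed sample inputs, taken from the command output shown in the steps.
WHOIS_SAMPLE='Domain Name: EXAMPLE.COM
Name Server: ELLIOTT.NS.CLOUDFLARE.COM
Name Server: HERA.NS.CLOUDFLARE.COM
DNSSEC: signedDelegation'
DNS_SAMPLE='elliott.ns.cloudflare.com.
hera.ns.cloudflare.com.'

# Lowercase, drop CRs and surrounding whitespace, strip one trailing dot,
# then sort and dedupe so case and order cannot cause a false mismatch.
normalize_ns() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' -e '/^$/d' |
        sort -u
}

# Pull hostnames out of "Name Server:" lines in WHOIS text read from stdin.
whois_ns() {
    sed -n 's/^[[:space:]]*[Nn]ame [Ss]erver:[[:space:]]*//p' | normalize_ns
}

# compare_ns WHOIS_TEXT DIG_SHORT_TEXT
# Prints MATCH and returns 0 when the sets agree; otherwise lists each
# hostname seen on only one side and returns 1.
compare_ns() {
    whois_set=$(printf '%s\n' "$1" | whois_ns)
    dns_set=$(printf '%s\n' "$2" | normalize_ns)
    if [ "$whois_set" = "$dns_set" ]; then
        echo "MATCH"
        return 0
    fi
    for ns in $whois_set; do
        printf '%s\n' "$dns_set" | grep -Fxq "$ns" || echo "WHOIS only: $ns"
    done
    for ns in $dns_set; do
        printf '%s\n' "$whois_set" | grep -Fxq "$ns" || echo "DNS only: $ns"
    done
    return 1
}

compare_ns "$WHOIS_SAMPLE" "$DNS_SAMPLE"
```

For a live check, pass the output of the whois and dig +short NS commands from the steps as the two arguments. A "WHOIS only" or "DNS only" line names the hostname to chase at the registrar or in the delegation.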
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.