
Domain Evidence Terms Explained: WHOIS, RDAP, IP, ASN and Redirects

A few fancy network-engineer terms are useful in brand protection.

In the last post I wrote about new BrandCat features, I tried to keep it short. The problem is that all that compression made me throw a bunch of jargon and acronyms into one sentence in rapid-fire mode 😁

IP, IP range, ASN, nameservers, DNS, WHOIS, RDAP, redirects, and a few others.

So, here is a bit of domain vocabulary for anyone who is not a network engineer and/or a domainer by profession.

Not a PhD-level explanation. Just enough to understand what these things are and why they can matter when reviewing domain matches, copycat websites, suspicious redirects, phishing pages, counterfeit stores, affiliate abuse, or other brand-related domain activity.


WHOIS

WHOIS is a lookup system for domain names and IP addresses.

For a domain name, it can show basic information such as:

  • when the domain was registered
  • when it expires
  • when it was last updated
  • which registrar it uses
  • which nameservers it uses
  • the domain status
  • registrar abuse contact details
  • sometimes, owner contact information

When you ask for WHOIS for a domain name, you will often get information in two parts.

The first part comes from the Registry. For example, it may show when the domain was registered, when it expires, which nameservers are set, and which registrar the domain is registered with.

The second part comes from the Registrar. In ye olden days, this part would often show the domain owner's name, address, phone number and email address. Nowadays, mostly because of privacy laws such as GDPR, CCPA and registrar privacy services, this information is often hidden or replaced with privacy-protected contact details.

That does not make WHOIS useless.

Even when the domain owner's private information is hidden, WHOIS can still show useful data for review: registration date, registrar, nameservers, expiration date, status and abuse contacts.

[Screenshot: BrandCat domain details page section showing registrar, registrar IANA ID, registration date, expiration date, WHOIS updated date, registrar abuse email and registrar abuse phone]

Domain Registry

A domain registry should not be mixed up with a registrar.

Think of the registry as something like a central bank of domain names, but for a specific domain extension.

For example, the registry for .com and .net is Verisign. The registry keeps the central record of which domains exist under those extensions.

When you register a .com domain, the registry is involved behind the scenes. You do not normally work with the registry directly as a normal customer. Instead, registries authorize registrars to sell and manage domains for customers.


Domain Registrar

If the registry is the central bank, registrars are the banks that work directly with customers.

You or your company register a domain through a registrar. The registrar then tells the registry that the domain exists and which nameservers it should use.

Examples of registrars include GoDaddy, Network Solutions, Dynadot, NameSilo, NameBright and many others.

For brand protection, the registrar matters because registrar abuse contacts are often used when reporting domain abuse, impersonation, phishing, counterfeit stores or similar issues.


ICANN

ICANN stands for Internet Corporation for Assigned Names and Numbers.

In very practical terms, ICANN is the organization that helps coordinate the global domain name system and accredits registrars for many generic domain extensions.

You will often see ICANN links inside WHOIS records, especially in domain status lines such as:

Domain Status: ok https://icann.org/epp#ok

Those status codes can show whether a domain is active, locked, expired, in redemption, pending deletion, or in some other registry/registrar state.

For example, a domain might show statuses like:

renewPeriod
redemptionPeriod
pendingDelete

when it is expired or moving through the deletion process.

You can find the full ICANN list here:

https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en


RDAP

RDAP is similar to WHOIS, but more modern.

WHOIS usually returns plain text. RDAP is made in a more structured way, so computers can parse it more easily.

So, for normal practical use:

  • WHOIS is the older lookup system
  • RDAP is the newer structured lookup system
  • both can be used to retrieve domain registration data

Some domain extensions rely heavily on RDAP. For example, some extensions may not support traditional WHOIS in the same way older extensions do, so RDAP becomes the more useful lookup method.

For BrandCat users, the technical distinction is not the important part. The useful part is that BrandCat can take WHOIS/RDAP data and show the relevant fields in the domain evidence view.
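
To show what "structured" means in practice, here is an added example (not part of the original post and not BrandCat's code) that pulls the usual review fields out of an RDAP domain response, which is JSON laid out as described in RFC 9083. The response, the domain, the registrar and the IANA ID 9999 are all constructed sample values, and the function names are illustrative.

```python
import json

# Constructed RDAP domain response (layout per RFC 9083); every value is made up.
RDAP_JSON = """{
 "objectClassName": "domain", "ldhName": "COPYCAT-BRAND.EXAMPLE",
 "status": ["client transfer prohibited"],
 "events": [{"eventAction": "registration", "eventDate": "2026-05-01T09:00:00Z"},
            {"eventAction": "last changed", "eventDate": "2026-05-02T10:30:00Z"}],
 "nameservers": [{"ldhName": "NS1.DNSHOST.EXAMPLE"}, {"ldhName": "NS2.DNSHOST.EXAMPLE"}],
 "entities": [{"roles": ["registrar"],
   "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
   "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar LLC"]]],
   "entities": [{"roles": ["abuse"],
     "vcardArray": ["vcard", [["email", {}, "text", "abuse@registrar.example"]]]}]}]
}"""

def find_entity(entities, role):
    """Depth-first search: the abuse contact is usually nested under the registrar."""
    for ent in entities:
        if role in ent.get("roles", []):
            return ent
        nested = find_entity(ent.get("entities", []), role)
        if nested:
            return nested
    return {}

def vcard_value(entity, prop):
    """First value of a jCard property such as 'fn' or 'email', else None."""
    for item in entity.get("vcardArray", ["vcard", []])[1]:
        if item[0] == prop:
            return item[3]
    return None

def rdap_fields(text):
    """Extract the same review fields a WHOIS record gives, from RDAP JSON."""
    doc = json.loads(text)
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    registrar = find_entity(doc.get("entities", []), "registrar")
    ids = {p["type"]: p["identifier"] for p in registrar.get("publicIds", [])}
    return {
        "domain": doc["ldhName"].lower(),
        "registrar": vcard_value(registrar, "fn"),
        "iana_id": ids.get("IANA Registrar ID"),
        "abuse_email": vcard_value(find_entity(doc.get("entities", []), "abuse"), "email"),
        "created": events.get("registration"),
        "updated": events.get("last changed"),
        "nameservers": sorted(n["ldhName"].lower() for n in doc.get("nameservers", [])),
        "statuses": doc.get("status", []),
    }
```

Every field is addressed by key rather than by matching lines of text, and the status arrives as a list value ("client transfer prohibited" is the RDAP spelling of the EPP code clientTransferProhibited).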


IP / IP Address

To oversimplify, an IP address is like an address on the internet.

It can belong to your computer, your home or office router, a server, or some other internet-connected device.

For our purposes, websites resolve to IP addresses. Multiple websites can also share the same IP address, which can sometimes help when reviewing groups of connected websites.

For example, this is the IP address of BrandCat.io:

65.108.217.26

And this is one of the IP addresses used by Brandinium.com:

157.180.23.99

An IPv4 address has four numbers separated by dots. Each number can go from 0 to 255. The first number cannot be zero for normal public internet addresses.

IP addresses also have WHOIS data. IP WHOIS usually contains information about the internet provider, hosting provider or network that controls that IP range. It very rarely tells you the actual website owner directly.

[Screenshot: BrandCat domain details page section showing resolved IP, hosting company, hosting abuse email, IP country and ASN for a matched domain result]

IP Range

If an IP address is an address, an IP range is the neighborhood.

If BrandCat's server IP address is:

65.108.217.26

then nearby addresses such as:

65.108.217.25
65.108.217.27

are its close neighbors in the most basic sense.

That does not automatically mean those IPs are controlled by the same person or used for the same purpose. Hosting networks are more complicated than that.

But in brand protection work, IP ranges can still be useful. A network of websites owned or operated by the same person or company may spread across multiple IP addresses, while still remaining in the same hosting region, IP range or network.

This is also common in SEO setups. It can also happen with scammers, copycats and other kinds of domain abuse. They may use many IPs, sometimes hundreds or thousands, but the IP data can still help you group and review patterns.


ASN

ASN stands for Autonomous System Number.

This is one of those terms that sounds more intimidating than it really is.

For IP addresses, ASN can help show which network or internet provider is announcing that IP address to the rest of the internet.

Routers use this information to route traffic. For brand protection review, you can use it as a clue about which internet provider, hosting company or network a website is using.

A single IP address is very specific. ASN is a bit more zoomed out.

If several domains do not share the exact same IP, but they all sit under the same ASN, same hosting provider or same network, that may be useful when reviewing whether they are connected.

It does not prove they are connected. Large hosting companies serve millions of unrelated websites.

But when ASN is combined with similar content, similar registration dates, same registrar, same nameservers, same redirects or similar page templates, it can help you spot groups of websites that may be working together.


Nameservers

Nameservers are often casually called DNS servers, although that is not always the cleanest wording.

Nameservers are the machines that answer DNS questions for a domain name.

For example, when someone opens:

brandcat.io
brandinium.com

DNS eventually helps translate those names into technical records that tell the browser where to go. Often, that means finding IP addresses such as:

65.108.217.26
157.180.23.99

Nameservers matter because groups of domains sometimes use the same nameservers.

That does not always mean much. Many unrelated websites use the same big DNS providers.

But custom nameservers, repeated nameserver patterns, or many matched domains using the same unusual nameserver setup can be useful review clues.

For example, BrandCat and Brandinium use different nameservers. If many domains you are reviewing all use the same custom nameservers, that may be a reason to look at them together.


Redirection

Many website owners keep more than one domain name and redirect them all to the same website.

For example, Facebook started as:

TheFacebook.com

After Facebook acquired:

Facebook.com

the old domain was redirected to the newer one.

In other words, when someone typed TheFacebook.com into the browser, they would end up on Facebook.com.

This is normal. Many legitimate companies do it.

But redirects are also useful in brand protection because the first domain you see is not always the final destination.

A domain may redirect to:

  • the brand's real website
  • a parked page
  • a marketplace listing
  • an affiliate page
  • a fake login page
  • another suspicious domain
  • a long redirect chain

BrandCat tracks redirects because they can help find connected domains.

If ten different domains all redirect to the same final website, or all follow the same redirect pattern, that is useful review context.
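
As an added illustration (not from the original post and not BrandCat's code), this is one way to resolve a redirect chain to its final destination from already-captured HTTP responses, with loop detection and a hop limit. The URLs and responses are constructed sample data, the function names are illustrative, and only HTTP redirects (status code plus Location header) are covered, not meta-refresh or script-based redirects.

```python
from urllib.parse import urljoin, urlsplit

# Constructed capture of HTTP responses: URL -> (status code, Location header or None).
RESPONSES = {
    "http://brand-login.example/": (301, "https://brand-login.example/"),
    "https://brand-login.example/": (302, "https://tracker.example/r?id=7"),
    "https://tracker.example/r?id=7": (302, "//brand-shop.example/login"),
    "https://brand-shop.example/login": (200, None),
    "https://loop-a.example/": (302, "https://loop-b.example/"),
    "https://loop-b.example/": (302, "https://loop-a.example/"),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}

def follow(start, responses, max_hops=10):
    """Return (chain, outcome); outcome is 'final', 'loop', 'too_long' or 'unknown'."""
    chain, url = [start], start
    for _ in range(max_hops):
        status, location = responses.get(url, (None, None))
        if status is None:
            return chain, "unknown"      # no captured response for this URL
        if status not in REDIRECT_CODES or not location:
            return chain, "final"        # a non-redirect answer ends the chain
        url = urljoin(url, location)     # Location may be relative or scheme-relative
        if url in chain:
            return chain + [url], "loop"
        chain.append(url)
    return chain, "too_long"

def final_host(start, responses):
    """Hostname of the final destination, or None when the chain never settles."""
    chain, outcome = follow(start, responses)
    return urlsplit(chain[-1]).hostname if outcome == "final" else None
```

Keeping the whole chain, not just the last URL, preserves the intermediate hosts (here a tracker) that several matched domains may have in common.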


Example: WHOIS for Brandinium.com

Now that the definitions are out of the way, let's look at a real example.

Here is WHOIS information for our Brandinium project domain:

BRANDINIUM.COM

This first part is produced by the registry, in this case Verisign:

Domain Name: BRANDINIUM.COM
Registry Domain ID: 3042806304_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namebright.com
Registrar URL: http://www.NameBright.com
Updated Date: 2025-12-20T23:52:43Z
Creation Date: 2025-11-27T20:23:20Z
Registry Expiry Date: 2026-11-27T20:23:20Z
Registrar: DropCatch.com 870 LLC
Registrar IANA ID: 2629
Registrar Abuse Contact Email: support@namebright.com
Registrar Abuse Contact Phone: 17204960020
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.BRANDINIUM.COM
Name Server: NS2.BRANDINIUM.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2026-05-29T14:22:05Z <<<

A few important lines from this:

Registrar URL: http://www.NameBright.com

This tells us the registrar the domain is registered with. In this case, NameBright.

Creation Date: 2025-11-27T20:23:20Z

This tells us the domain was registered on 27 November 2025 at 20:23 GMT/Zulu time.

Zulu time is an aviation/military-style way of saying UTC. For normal business purposes, you can think of it as roughly GMT / UK time, ignoring daylight-saving complications.

Updated Date: 2025-12-20T23:52:43Z

This reflects a later change made to the domain. In our case, that was likely around the time we set or changed nameservers.

Domain Status: ok https://icann.org/epp#ok

This means the domain is in a normal active state. It does not mean the website is good or bad. It just means the domain itself is not in a special expired/deleting/locked state. Normally registered domains can also be in the state of clientTransferProhibited. For the full list, see the ICANN status-code page linked above.


Why domain age matters

If you find a domain that may conflict with your or your client's brand name, the registration date is often useful.

A domain registered ten years ago is more likely to be a normal old website than a domain registered yesterday as part of a fast-moving phishing or copycat campaign.

That is not a law of nature, of course, just a rule of thumb :-)

Still, fraudulent websites often appear and disappear quickly, like mushrooms after rain.

So registration date is one of the first fields worth checking.


Registrar WHOIS example

Next is the part produced by the domain's own registrar, in our case NameBright:

Domain Name: BRANDINIUM.COM
Registry Domain ID: 3042806304_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.NameBright.com
Registrar URL: https://www.NameBright.com
Updated Date: 2025-12-20T23:52:43.265Z
Creation Date: 2025-11-27T20:23:20.000Z
Registrar Registration Expiration Date: 2026-11-27T20:23:20.000Z
Registrar: DropCatch.com 870 LLC
Registrar IANA ID: 2629
Registrar Abuse Contact Email: abuse@NameBright.com
Registrar Abuse Contact Phone: +1.7204960020
Domain Status: ok https://www.icann.org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: Redacted for Privacy
Registrant Organization: NameBrightPrivacy.com
Registrant Street: 2635 Walnut Street
Registrant City: Denver
Registrant State/Province: CO
Registrant Postal Code: 80205
Registrant Country: US
Registrant Phone: +1.7204960020
Registrant Email: www.namebright.com/contact/BRANDINIUM.COM
Name Server: NS1.BRANDINIUM.COM
Name Server: NS2.BRANDINIUM.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2025-12-20T23:52:43.265Z <<<

As you can see, most owner information is hidden. That is expected.

BrandCat and Brandinium are based in Europe, and NameBright is following privacy rules by masking our real physical address behind privacy-protected contact details.

Sometimes WHOIS will still show real owner information. Often it will not.

But even with privacy redaction, this record still gives us useful review data:

  • registrar
  • registrar IANA ID
  • registrar abuse email
  • registrar abuse phone
  • creation date
  • expiration date
  • updated date
  • nameservers
  • domain status

That is exactly the kind of information BrandCat tries to surface in a cleaner form when reviewing matched domains.
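
The extraction described above, as an added example (not BrandCat's code and not part of the original post): a small Python parser run over an excerpt of the registry WHOIS record for BRANDINIUM.COM shown earlier, which also computes the domain age. Function names are illustrative, and the age is measured at the record's own "Last update of whois database" timestamp rather than at the current time.

```python
from datetime import datetime, timezone

# Excerpt of the registry WHOIS record for BRANDINIUM.COM shown above on this page.
SAMPLE = """\
Domain Name: BRANDINIUM.COM
Creation Date: 2025-11-27T20:23:20Z
Registrar: DropCatch.com 870 LLC
Registrar IANA ID: 2629
Registrar Abuse Contact Email: support@namebright.com
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.BRANDINIUM.COM
Name Server: NS2.BRANDINIUM.COM
>>> Last update of whois database: 2026-05-29T14:22:05Z <<<
"""
REPEATABLE = {"Name Server", "Domain Status"}  # keys that may appear several times

def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeatable keys collect into lists."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value or key.startswith(">>>"):
            continue  # blank lines, section headers, footer notice
        if key in REPEATABLE:
            rec.setdefault(key, []).append(value)
        else:
            rec.setdefault(key, value)  # keep the first occurrence
    return rec

def parse_ts(value):
    """Parse WHOIS UTC timestamps, with or without fractional seconds."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)

def review_fields(rec, now):
    """Reduce a parsed record to the fields used for review, plus domain age."""
    return {
        "domain": rec["Domain Name"].lower(),
        "registrar": rec.get("Registrar"),
        "iana_id": rec.get("Registrar IANA ID"),
        "abuse_email": rec.get("Registrar Abuse Contact Email"),
        "age_days": (now - parse_ts(rec["Creation Date"])).days,
        "nameservers": sorted(ns.lower() for ns in rec.get("Name Server", [])),
        # The EPP status code is the first token; the ICANN URL after it is a help link.
        "statuses": [s.split()[0] for s in rec.get("Domain Status", [])],
    }

# Age measured at the record's own "Last update of whois database" time.
NOW = parse_ts("2026-05-29T14:22:05Z")
```

Field labels differ between registries and registrars (the two records above use "Registry Expiry Date" and "Registrar Registration Expiration Date" for the same thing), so a parser for mixed sources needs a label mapping on top of this.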


Putting the evidence together

None of these fields proves anything on its own.

A new domain is not automatically abusive.

A privacy-protected WHOIS record is not suspicious by itself.

A shared IP address does not prove two websites are operated by the same person.

A redirect can be perfectly normal.

The useful part is seeing several clues together.

For example, when reviewing a group of domains, it is useful to know whether they share:

  • similar domain patterns
  • similar registration dates
  • the same registrar
  • the same nameservers
  • the same resolved IP
  • the same IP range
  • the same ASN
  • the same hosting provider
  • the same final redirect target
  • the same page content or page template

That is why BrandCat now collects and displays more domain evidence.

It helps turn a raw list of matching domains into something easier to review, filter and group.
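
One way to apply this "several clues together" idea, as an added example that is not from the original post and not BrandCat's code: count the clues each pair of matched domains shares and surface only pairs with several. All records are constructed sample data; the /24 used for "IP range" and the threshold of three shared clues are assumptions chosen for illustration.

```python
import ipaddress
from itertools import combinations
from urllib.parse import urlsplit

# Constructed sample matches (.example names, documentation IP ranges and ASNs).
MATCHES = [
    {"domain": "brand-login.example", "registrar": "Registrar A", "asn": 64496,
     "ns": ["ns1.dnshost.example", "ns2.dnshost.example"], "ip": "192.0.2.10",
     "final_url": "https://brand-shop.example/login"},
    {"domain": "brand-support.example", "registrar": "Registrar A", "asn": 64496,
     "ns": ["ns2.dnshost.example", "ns1.dnshost.example"], "ip": "192.0.2.77",
     "final_url": "https://brand-shop.example/help"},
    {"domain": "brandfans.example", "registrar": "Registrar B", "asn": 64496,
     "ns": ["a.bigdns.example", "b.bigdns.example"], "ip": "198.51.100.5",
     "final_url": "https://brandfans.example/"},
    {"domain": "brand-outlet.example", "registrar": "Registrar A", "asn": 64500,
     "ns": ["ns1.otherdns.example", "ns2.otherdns.example"], "ip": "203.0.113.9",
     "final_url": "https://brand-outlet.example/"},
]

def net24(ip):
    """Enclosing /24 as a stand-in for 'IP range' (assumption: real blocks vary)."""
    return ipaddress.ip_network(ip + "/24", strict=False)

def network_clue(a, b):
    """Most specific shared network clue, counted once: ip > ip_range > asn."""
    if a["ip"] == b["ip"]:
        return "ip"
    if net24(a["ip"]) == net24(b["ip"]):
        return "ip_range"
    return "asn" if a["asn"] == b["asn"] else None

def shared_clues(a, b):
    """Names of the clues two matched domains have in common."""
    found = []
    if a["registrar"] == b["registrar"]:
        found.append("registrar")
    if sorted(a["ns"]) == sorted(b["ns"]):
        found.append("nameservers")
    if urlsplit(a["final_url"]).hostname == urlsplit(b["final_url"]).hostname:
        found.append("final_redirect_host")
    net = network_clue(a, b)
    return found + ([net] if net else [])

def review_together(matches, min_shared=3):
    """Pairs sharing at least min_shared clues; a prompt for review, not proof."""
    pairs = ((a, b, shared_clues(a, b)) for a, b in combinations(matches, 2))
    return [(a["domain"], b["domain"], c) for a, b, c in pairs if len(c) >= min_shared]
```

Same IP, same range and same ASN are counted as a single network clue because the first implies the others; a pair that shares only a registrar or only an ASN stays below the threshold.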

[Screenshot: BrandCat domain details page showing a matched domain result with website preview, website overview, WHOIS data, hosting information, IP country, ASN, nameservers and domain status]

Quick reference

Term | Plain-English version | Why it matters
WHOIS | Lookup data for a domain name or IP address | Shows registrar, dates, nameservers, status and sometimes contact details
RDAP | Newer structured version of registration lookup data | Easier for software to parse and normalize
Registry | Organization that runs a domain extension | Keeps the central record for domains under that extension
Registrar | Company where customers register domains | Useful for abuse contacts and domain-level escalation
ICANN | Organization coordinating much of the domain name system | Status codes and registrar rules often reference ICANN
IP address | Numeric internet address for a server/device | Helps show where a website resolves
IP WHOIS | WHOIS-style lookup for an IP address or IP range | Often shows hosting provider or network operator
IP range | A block or neighborhood of IP addresses | Can help group related infrastructure
ASN | Network identifier used for internet routing | Helps identify hosting/network provider patterns
DNS | System that translates domain names into technical records | Explains how domains point to websites
Nameservers | Servers that answer DNS questions for a domain | Repeated nameservers can be a useful grouping clue
Redirect | One URL sending visitors to another URL | Reveals final destinations and connected domain setups

Start reviewing domains with more context

BrandCat monitors domains matching your brand keywords and websites detected through content similarity.

Instead of showing only a raw domain list, BrandCat can enrich matches with screenshots, final URLs, redirects, WHOIS/RDAP, registrar contacts, hosting/IP data, country, ASN, nameservers, domain status and abuse contacts where available.

Start Monitoring

Or contact us to discuss your monitoring needs:

https://brandcat.io/contact