Tutorial
How to Perform a WHOIS IP Lookup
Written By Qasim, WhoisFreaks Team Published: June 05, 2026, Last Updated: June 05, 2026
Tutorial
Written By Qasim, WhoisFreaks Team Published: June 05, 2026, Last Updated: June 05, 2026
Every device on the internet has an IP address, and each IP is assigned to an organization, ISP, hosting provider, or network operator through a Regional Internet Registry (RIR).
An IP WHOIS lookup is used to identify the owner of an IP address. It works through the WHOIS protocol, which queries databases containing registration details for internet resources like IP addresses, domains, and networks.
IP WHOIS is different from both domain WHOIS and IP geolocation. Domain WHOIS deals with domain registrars and domain ownership, while geolocation estimates physical location. IP WHOIS specifically reveals allocation and ownership information.
"WHOIS" simply means "who is," referring to the question of who is responsible for a given internet resource.
In this post we will talk about:
An IP WHOIS lookup retrieves the registration and ownership information for an IP address or IP range (subnet) by querying databases to retrieve information about the registered users of internet resources.
When an organization needs IP addresses, whether it is a major ISP, a cloud provider, a university, or a business, it applies to one of the world’s five Regional Internet Registries (RIRs) for an allocation. The RIR records the organization’s details, the allocated IP range, and relevant contact information in a publicly accessible WHOIS database. An IP WHOIS lookup initiates a WHOIS query to that database and returns the record, allowing users to obtain information about the assigned resources.
This is fundamentally different from domain WHOIS. Domain WHOIS records who registered a domain name with a registrar, while IP WHOIS records who was allocated an IP address block by an RIR. Both use the WHOIS protocol to obtain information from the whois database. A single organization may own thousands of IP addresses under one allocation but operate hundreds of different domain names.
The WhoisFreaks IP WHOIS API provides detailed insights into IP ownership, routing, and peer relationships across all Regional Internet Registries, allowing users to perform a WHOIS query to obtain information about IP address ownership.
Understanding IP WHOIS starts with understanding where the data comes from, and that means understanding the RIR system.
WHOIS services are offered by all the Regional Internet Registries (RIRs) and most domain name registries and registrars.
IP address allocations are not managed by a single central authority. Instead, the internet is divided into five geographic regions, each with its own RIR responsible for managing IP address allocation within that region. Regional rules set by each RIR govern how IP addresses are allocated and managed, ensuring that the distribution of internet number resources follows specific policies for each region. When you perform an IP WHOIS lookup, the data comes from whichever RIR manages the block containing the queried IP.
The data comes from Regional Internet Registries such as ARIN for North America, RIPE NCC for Europe, APNIC for Asia-Pacific, LACNIC for Latin America, and AFRINIC for Africa. Each IP address is associated with a specific country or region based on the RIR's policy, and these policies are developed through public, transparent governance processes.
When you use the lookup tool, it helps identify IP address ownership and the allocation of internet number resources, including the assignment of IP addresses allocated to ISPs and end user organizations. The IP address's location shown in WHOIS data refers to the region or country of the allocating RIR, not necessarily the physical location of the device using the IP.
| RIR | Full Name | Region Covered | WHOIS Server |
|---|---|---|---|
| ARIN | American Registry for Internet Numbers | North America, parts of the Caribbean | whois.arin.net |
| RIPE NCC | Reseaux IP Europeans Network Coordination Centre | Europe, Middle East, Central Asia | whois.ripe.net |
| APNIC | Asia-Pacific Network Information Centre | Asia-Pacific | whois.apnic.net |
| LACNIC | Latin America and Caribbean Network Information Centre | Latin America, Caribbean | whois.lacnic.net |
| AFRINIC | African Network Information Centre | Africa | whois.afrinic.net |
When you run an IP WHOIS lookup through WhoisFreaks, the tool performs real-time queries against live RIR databases and delivers well-structured results for both IPv4 and IPv6. You do not need to know which RIR manages a given IP. The tool handles the routing automatically and returns the correct record from the right source.
A WHOIS IP lookup tool allows users to retrieve information and obtain information about IP addresses by querying standardized databases using a response protocol, such as the one defined in RFC 3912 over TCP port 43. There are three ways to perform an IP WHOIS lookup with WhoisFreaks: the free web tool, the IP WHOIS API for programmatic access, and bulk lookup for processing large IP lists. Additionally, RDAP (Registration Data Access Protocol) is a modern protocol developed to offer a standardized way to query and retrieve registration data and is intended to eventually replace traditional WHOIS.
The quickest way to look up any IP address is through the WhoisFreaks free web tool. No account or API key is needed.
Go to https://whoisfreaks.com/tools/ip-whois/lookup
Type the given IP address you want to look up into the search field. The tool supports both IPv4 (e.g., 8.8.8.8) and IPv6 addresses (e.g., 2001:4860:4860::8888).
8.8.8.82001:4860:4860::8888Click Search to run the lookup. WhoisFreaks queries the appropriate live RIR database in real time and returns the structured WHOIS record.
The results page displays all IP WHOIS fields in a structured, readable format including the organization name, IP block range, CIDR notation, ASN, country, RIR source, and all administrative, technical, and abuse contacts.
For the most up-to-date records, sign into your WhoisFreaks account. Signed-in users receive live, real-time data directly from the RIR databases rather than cached results.
For security automation, SIEM enrichment, or building IP intelligence into your own applications, the IP WHOIS API is the right approach.
The IP WHOIS API provides detailed IP address information including registration data, organization details, administrative, technical, and abuse contacts, as well as routing and network information. The API utilizes the Registration Data Access Protocol (RDAP) to provide standardized registration data from various registries. RDAP responses are returned in JavaScript Object Notation (JSON), a machine-readable format, or in XML.
https://api.whoisfreaks.com/v1.0/ip-whois?apiKey=YOUR_API_KEY&ip=1.1.1.1Key Parameters:
| Parameter | Description | Example |
|---|---|---|
| ip | The IPv4 or IPv6 address to query | 8.8.8.8 |
| apiKey | Your API key for authentication | YOUR_API_KEY |
| format | Response format (JSON or XML) | json |
Two formats are available: JSON and XML. If you do not specify the format parameter, the default format will be JSON.
Every request to the WhoisFreaks API requires authentication using an API key. Here is how to get started:
Step 1: Create a Free Account
Visit https://billing.whoisfreaks.com/signup and sign up for a free account. New accounts receive 500 free API credits with no credit card required.
Step 2: Access Your API Key
After signing in, navigate to API Solutions under PRODUCTS and then to the API Keys section. Your unique/primary API key will be displayed there. Copy it and store it securely.
For further details on account creation and getting the API key, you can follow tutorial: Getting Started with WhoisFreaks.
Step 3: Add Your API Key to Requests
Append your API key to every request as a query parameter:
?apiKey=YOUR_API_KEYSample Response:
{
"status": true,
"ip_address": "1.1.1.1",
"query_time": "2026-05-18 09:35:07",
"whois_server": "whois.apnic.net",
"inet_nums": [
{
"start_ip": "1.1.1.0",
"end_ip": "1.1.1.255",
"cidr": [
"1.1.1.0/24"
],
"net_name": "APNIC-LABS",
"description": [
"APNIC and Cloudflare DNS Resolver project",
"Routed globally by AS13335/Cloudflare",
"Research prefix for APNIC Labs"
],
"countries": [
"AU"
],
"status": "ASSIGNED PORTABLE",
"organization": "ORG-ARAD1-AP",
"remarks": [
"---------------",
"All Cloudflare abuse reporting can be done via",
"[email protected]",
"---------------"
],
"mnt_by": [
"APNIC-HM"
],
"mnt_lower": [
"MAINT-APNICRANDNET"
],
"mnt_routes": [
"MAINT-APNICRANDNET"
],
"mnt_irt": [
"IRT-APNICRANDNET-AU"
],
"date_updated": "2023-04-26",
"source": "APNIC"
}
],
"irt": {
"handle": "IRT-APNICRANDNET-AU",
"address": [
"PO Box 3646",
"South Brisbane, QLD 4101",
"Australia"
],
"state": "QLD",
"zip_code": "4101",
"country": "AUSTRALIA",
"email": [
"[email protected]"
],
"abuse_mailbox": [
"[email protected]"
],
"admin_contacts": [
"AR302-AP"
],
"tech_contacts": [
"AR302-AP"
],
"remarks": [
"[email protected] was validated on 2021-02-09"
],
"mnt_by": [
"MAINT-APNICRANDNET"
],
"date_updated": "2025-11-18",
"source": "APNIC"
},
"organization": {
"handle": "ORG-ARAD1-AP",
"name": "APNIC Research and Development",
"type": "LIR",
"address": [
"6 Cordelia St"
],
"street": "Cordelia St",
"country": [
"AU"
],
"email": [
"[email protected]"
],
"phone": [
"+61-7-38583100"
],
"fax_no": [
"+61-7-38583199"
],
"mnt_ref": [
"APNIC-HM"
],
"mnt_by": [
"APNIC-HM"
],
"date_updated": "2023-09-05",
"source": "APNIC"
},
"administrative_contacts": [
{
"handle": "AIC3-AP",
"name": "APNICRANDNET Infrastructure Contact",
"address": [
"6 Cordelia St",
"South Brisbane",
"QLD 4101"
],
"street": "Cordelia St",
"state": "QLD",
"zip_code": "4101",
"country": "AU",
"email": [
"[email protected]"
],
"phone": [
"+61 7 3858 3100"
],
"admin_contacts": [
"AIC3-AP"
],
"tech_contacts": [
"AIC3-AP"
],
"mnt_by": [
"MAINT-APNICRANDNET"
],
"date_updated": "2024-07-18",
"source": "APNIC"
}
],
"technical_contacts": [
{
"handle": "AIC3-AP",
"name": "APNICRANDNET Infrastructure Contact",
"address": [
"6 Cordelia St",
"South Brisbane",
"QLD 4101"
],
"street": "Cordelia St",
"state": "QLD",
"zip_code": "4101",
"country": "AU",
"email": [
"[email protected]"
],
"phone": [
"+61 7 3858 3100"
],
"admin_contacts": [
"AIC3-AP"
],
"tech_contacts": [
"AIC3-AP"
],
"mnt_by": [
"MAINT-APNICRANDNET"
],
"date_updated": "2024-07-18",
"source": "APNIC"
}
],
"abuse_contacts": [
{
"handle": "AA1412-AP",
"name": "ABUSE APNICRANDNETAU",
"address": [
"PO Box 3646",
"South Brisbane, QLD 4101",
"Australia"
],
"state": "QLD",
"zip_code": "4101",
"country": "ZZ",
"email": [
"[email protected]"
],
"abuse_mailbox": [
"[email protected]"
],
"phone": [
"+000000000"
],
"admin_contacts": [
"AR302-AP"
],
"tech_contacts": [
"AR302-AP"
],
"remarks": [
"Generated from irt object IRT-APNICRANDNET-AU",
"[email protected] was validated on 2021-02-09"
],
"mnt_by": [
"APNIC-ABUSE"
],
"date_updated": "2025-05-28",
"source": "APNIC"
}
],
"routes": [
{
"route": "1.1.1.0/24",
"origin": "AS13335",
"description": [
"APNIC Research and Development",
"6 Cordelia St"
],
"mnt_by": [
"MAINT-APNICRANDNET"
],
"date_updated": "2023-04-26",
"source": "APNIC"
}
],
"whois_raw_response": "DETAILED_RAW_RESPONSE"
}To query a different IP, simply replace 8.8.8.8 with any IPv4 or IPv6 address you wish to investigate.
For large-scale analysis, offline processing, or building internal threat intelligence systems, you can use the WhoisFreaks IP WHOIS Database.
This option provides downloadable datasets containing historical and structured IP WHOIS records.
https://whoisfreaks.com/pricing/ip-whois-database
https://files.whoisfreaks.com/v3.3/download/snapshot/ip/whois/sample
The IP WHOIS database contains ownership details, registration information, and abuse contact details for each IP block. When you perform a lookup, the IP WHOIS information you receive includes registration information such as the registered organization or individual's details, mailing address, registration dates, and abuse contact details. This data is essential for identifying the owner of an IP address, understanding its allocation history, and reporting malicious activity.
Here is a full breakdown of every field you will see in an IP WHOIS response:
| Field | Description | Why It Matters |
|---|---|---|
| IP Address | The queried IP address | Primary identifier for lookup |
| Network Name | Name assigned to the IP block or netrange | Helps identify the allocation at a glance |
| IP Range | Start and end IP addresses of the allocation | Defines the full scope of the block |
| CIDR Notation | Compact representation of the IP range (e.g., /24) | Used in routing, filtering, and firewall rules |
| Organization | Entity or company holding the IP allocation | Identifies ownership or responsibility |
| Organization Handle | Registry identifier for the organization | Used for cross-referencing in WHOIS databases |
| Country | Country associated with the IP allocation | Provides geographic context |
| ASN | Autonomous System Number associated with the network | Identifies routing domain on the internet |
| RIR Source | Regional Internet Registry managing the allocation | Indicates authority over the IP block |
| Abuse Contact | Email or phone for reporting abuse | Used for security and abuse reporting |
| Administrative Contact | Contact responsible for administrative matters | For policy and ownership changes |
| Technical Contact | Contact responsible for technical operations | For network and infrastructure issues |
| Registration Date | Date the IP block was first registered | Helps understand allocation history |
| Last Updated | Date of most recent WHOIS update | Indicates freshness of record data |
| Status | Allocation status (e.g., assigned, allocated, reserved) | Shows how the IP block is currently used |
An IP address on its own is just a number. An IP WHOIS lookup turns that number into actionable intelligence: the owning organization, the ISP, the ASN, the network block, and the abuse contact, all sourced directly from the official Regional Internet Registry that manages that address space.
For security analysts, it is the first pivot after a suspicious IP is flagged. For network engineers, it is the ground truth for routing verification. For abuse teams, it is the direct line to the right contact. For OSINT investigators, it is a key link in the chain between digital infrastructure and real-world attribution.
The WhoisFreaks IP WHOIS API delivers detailed IP address information including registration data, organization details, administrative, technical, and abuse contacts, as well as routing and network information, all returned in well-structured JSON or XML format. This makes it easy to integrate into any workflow, from a quick manual lookup to a fully automated security pipeline processing thousands of IPs from live threat feeds.
The answer to "who owns this IP?" is always one lookup away.
Introduction If you need WHOIS data at scale, individual domain lookups are not enough. A full WHOIS database is required for use cases like cybersecurity, fraud detection, brand protection, digital forensics, and large-scale market research. Instead of querying domains one by one, organizations use bulk WHOIS data to analyze millions of records efficiently and extract actionable intelligence from domain registration patterns. Enterprises such as cybersecurity teams, analysts, and compliance
9 min read
Learn how to check WHOIS history for free using the WhoisFreaks Historical WHOIS Lookup tool and free API. Step-by-step tutorial to find past domain ownership records, registrant details, and nameserver changes in minutes.
8 min read