--- title: "How to Perform a WHOIS IP Lookup" slug: "/resources/tutorial/how-to-perform-a-whois-ip-lookup" description: "Perform IP WHOIS lookups for any IPv4/IPv6 address. Discover ownership, ISP, ASN, network details, and abuse contacts instantly." --- # How to Perform a WHOIS IP Lookup Written By [Qasim](https://pk.linkedin.com/in/qasimleoo), WhoisFreaks Team Published: June 05, 2026, Last Updated: June 05, 2026 ## Introduction Every device on the internet has an IP address, and each IP is assigned to an organization, ISP, hosting provider, or network operator through a Regional Internet Registry (RIR). An **IP WHOIS lookup** is used to identify the owner of an IP address. It works through the WHOIS protocol, which queries databases containing registration details for internet resources like IP addresses, domains, and networks. IP WHOIS is different from both **domain WHOIS** and **IP geolocation**. Domain WHOIS deals with domain registrars and domain ownership, while geolocation estimates physical location. IP WHOIS specifically reveals allocation and ownership information. "WHOIS" simply means "who is," referring to the question of who is responsible for a given internet resource. In this post we will talk about: * What IP WHOIS is and how it works * The five Regional Internet Registries and what they cover * How to perform an IP WHOIS lookup step by step using the free tool and the API * What data an IP WHOIS lookup returns ## What Is an IP WHOIS Lookup? An IP WHOIS lookup retrieves the registration and ownership information for an IP address or IP range (subnet) by querying databases to retrieve information about the registered users of internet resources. When an organization needs IP addresses, whether it is a major ISP, a cloud provider, a university, or a business, it applies to one of the world’s five Regional Internet Registries (RIRs) for an allocation. The RIR records the organization’s details, the allocated IP range, and relevant contact information in a publicly accessible WHOIS database. An IP WHOIS lookup initiates a WHOIS query to that database and returns the record, allowing users to obtain information about the assigned resources. This is fundamentally different from domain WHOIS. Domain WHOIS records who registered a domain name with a registrar, while IP WHOIS records who was allocated an IP address block by an RIR. Both use the WHOIS protocol to obtain information from the whois database. A single organization may own thousands of IP addresses under one allocation but operate hundreds of different domain names. The WhoisFreaks IP WHOIS API provides detailed insights into IP ownership, routing, and peer relationships across all Regional Internet Registries, allowing users to perform a WHOIS query to obtain information about IP address ownership. Understanding IP WHOIS starts with understanding where the data comes from, and that means understanding the RIR system. WHOIS services are offered by all the Regional Internet Registries (RIRs) and most domain name registries and registrars. ## The Five Regional Internet Registries (RIRs) IP address allocations are not managed by a single central authority. Instead, the internet is divided into five geographic regions, each with its own RIR responsible for managing IP address allocation within that region. Regional rules set by each RIR govern how IP addresses are allocated and managed, ensuring that the distribution of internet number resources follows specific policies for each region. When you perform an IP WHOIS lookup, the data comes from whichever RIR manages the block containing the queried IP. The data comes from Regional Internet Registries such as ARIN for North America, RIPE NCC for Europe, APNIC for Asia-Pacific, LACNIC for Latin America, and AFRINIC for Africa. Each IP address is associated with a specific country or region based on the RIR's policy, and these policies are developed through public, transparent governance processes. When you use the lookup tool, it helps identify IP address ownership and the allocation of internet number resources, including the assignment of IP addresses allocated to ISPs and end user organizations. The IP address's location shown in WHOIS data refers to the region or country of the allocating RIR, not necessarily the physical location of the device using the IP. #### Here is a breakdown of each: | **RIR** | **Full Name** | **Region Covered** | **WHOIS Server** | | --- | --- | --- | --- | | **ARIN** | American Registry for Internet Numbers | North America, parts of the Caribbean | [whois.arin.net](http://whois.arin.net) | | **RIPE NCC** | Reseaux IP Europeans Network Coordination Centre | Europe, Middle East, Central Asia | [whois.ripe.net](http://whois.ripe.net) | | **APNIC** | Asia-Pacific Network Information Centre | Asia-Pacific | [whois.apnic.net](http://whois.apnic.net) | | **LACNIC** | Latin America and Caribbean Network Information Centre | Latin America, Caribbean | [whois.lacnic.net](http://whois.lacnic.net) | | **AFRINIC** | African Network Information Centre | Africa | [whois.afrinic.net](http://whois.afrinic.net) | When you run an IP WHOIS lookup through WhoisFreaks, the tool performs real-time queries against live RIR databases and delivers well-structured results for both IPv4 and IPv6. You do not need to know which RIR manages a given IP. The tool handles the routing automatically and returns the correct record from the right source. ## How to Perform an IP WHOIS Lookup: Step-by-Step Guide A WHOIS IP lookup tool allows users to retrieve information and obtain information about IP addresses by querying standardized databases using a response protocol, such as the one defined in RFC 3912 over TCP port 43. There are three ways to perform an IP WHOIS lookup with WhoisFreaks: the free web tool, the IP WHOIS API for programmatic access, and bulk lookup for processing large IP lists. Additionally, RDAP (Registration Data Access Protocol) is a modern protocol developed to offer a standardized way to query and retrieve registration data and is intended to eventually replace traditional WHOIS. ### Method 1: Using the WhoisFreaks IP WHOIS Lookup Tool (Free) The quickest way to look up any IP address is through the WhoisFreaks free web tool. No account or API key is needed. #### Step 1: Navigate to the Tool Go to [https://whoisfreaks.com/tools/ip-whois/lookup](https://whoisfreaks.com/tools/ip-whois/lookup) #### Step 2: Enter the Given IP Address Type the given IP address you want to look up into the search field. The tool supports both IPv4 (e.g., 8.8.8.8) and IPv6 addresses (e.g., 2001:4860:4860::8888). ##### For example: ``` 8.8.8.8 ``` ##### or an IPv6 address: ``` 2001:4860:4860::8888 ``` #### Step 3: Click Search Click Search to run the lookup. WhoisFreaks queries the appropriate live RIR database in real time and returns the structured WHOIS record. #### Step 4: Review the Results The results page displays all IP WHOIS fields in a structured, readable format including the organization name, IP block range, CIDR notation, ASN, country, RIR source, and all administrative, technical, and abuse contacts. #### Step 5: Sign In for Latest Data For the most up-to-date records, [sign into](https://billing.whoisfreaks.com/login) your WhoisFreaks account. Signed-in users receive live, real-time data directly from the RIR databases rather than cached results. ### Method 2: Using the WhoisFreaks IP WHOIS API (Programmatic) For security automation, SIEM enrichment, or building IP intelligence into your own applications, the IP WHOIS API is the right approach. The IP WHOIS API provides detailed IP address information including registration data, organization details, administrative, technical, and abuse contacts, as well as routing and network information. The API utilizes the Registration Data Access Protocol (RDAP) to provide standardized registration data from various registries. RDAP responses are returned in JavaScript Object Notation (JSON), a machine-readable format, or in XML. #### API Endpoint: ``` https://api.whoisfreaks.com/v1.0/ip-whois?apiKey=YOUR_API_KEY&ip=1.1.1.1 ``` **Key Parameters:** | Parameter | Description | Example | | --- | --- | --- | | ip | The IPv4 or IPv6 address to query | 8.8.8.8 | | apiKey | Your API key for authentication | YOUR_API_KEY | | format | Response format (JSON or XML) | json | Two formats are available: JSON and XML. If you do not specify the format parameter, the default format will be JSON. #### Authentication: Getting Your API Key Every request to the WhoisFreaks API requires authentication using an **API key**. Here is how to get started: **Step 1: Create a Free Account** Visit [**https://billing.whoisfreaks.com/signup**](https://billing.whoisfreaks.com/signup) and sign up for a free account. New accounts receive **500 free API credits** with no credit card required. **Step 2: Access Your API Key** After signing in, navigate to [API Solutions](https://billing.whoisfreaks.com/api-solutions/credits) under PRODUCTS and then to the API Keys section. Your unique/primary API key will be displayed there. Copy it and store it securely. For further details on account creation and getting the API key, you can follow tutorial: [**Getting Started with WhoisFreaks**](https://whoisfreaks.com/resources/tutorial/getting-started-with-whoisfreaks-how-to-sign-up-and-get-your-api-key)**.** **Step 3: Add Your API Key to Requests** Append your API key to every request as a query parameter: ``` ?apiKey=YOUR_API_KEY ``` **Sample Response:** ``` { "status": true, "ip_address": "1.1.1.1", "query_time": "2026-05-18 09:35:07", "whois_server": "whois.apnic.net", "inet_nums": [ { "start_ip": "1.1.1.0", "end_ip": "1.1.1.255", "cidr": [ "1.1.1.0/24" ], "net_name": "APNIC-LABS", "description": [ "APNIC and Cloudflare DNS Resolver project", "Routed globally by AS13335/Cloudflare", "Research prefix for APNIC Labs" ], "countries": [ "AU" ], "status": "ASSIGNED PORTABLE", "organization": "ORG-ARAD1-AP", "remarks": [ "---------------", "All Cloudflare abuse reporting can be done via", "resolver-abuse@cloudflare.com", "---------------" ], "mnt_by": [ "APNIC-HM" ], "mnt_lower": [ "MAINT-APNICRANDNET" ], "mnt_routes": [ "MAINT-APNICRANDNET" ], "mnt_irt": [ "IRT-APNICRANDNET-AU" ], "date_updated": "2023-04-26", "source": "APNIC" } ], "irt": { "handle": "IRT-APNICRANDNET-AU", "address": [ "PO Box 3646", "South Brisbane, QLD 4101", "Australia" ], "state": "QLD", "zip_code": "4101", "country": "AUSTRALIA", "email": [ "helpdesk@apnic.net" ], "abuse_mailbox": [ "helpdesk@apnic.net" ], "admin_contacts": [ "AR302-AP" ], "tech_contacts": [ "AR302-AP" ], "remarks": [ "helpdesk@apnic.net was validated on 2021-02-09" ], "mnt_by": [ "MAINT-APNICRANDNET" ], "date_updated": "2025-11-18", "source": "APNIC" }, "organization": { "handle": "ORG-ARAD1-AP", "name": "APNIC Research and Development", "type": "LIR", "address": [ "6 Cordelia St" ], "street": "Cordelia St", "country": [ "AU" ], "email": [ "helpdesk@apnic.net" ], "phone": [ "+61-7-38583100" ], "fax_no": [ "+61-7-38583199" ], "mnt_ref": [ "APNIC-HM" ], "mnt_by": [ "APNIC-HM" ], "date_updated": "2023-09-05", "source": "APNIC" }, "administrative_contacts": [ { "handle": "AIC3-AP", "name": "APNICRANDNET Infrastructure Contact", "address": [ "6 Cordelia St", "South Brisbane", "QLD 4101" ], "street": "Cordelia St", "state": "QLD", "zip_code": "4101", "country": "AU", "email": [ "research@apnic.net" ], "phone": [ "+61 7 3858 3100" ], "admin_contacts": [ "AIC3-AP" ], "tech_contacts": [ "AIC3-AP" ], "mnt_by": [ "MAINT-APNICRANDNET" ], "date_updated": "2024-07-18", "source": "APNIC" } ], "technical_contacts": [ { "handle": "AIC3-AP", "name": "APNICRANDNET Infrastructure Contact", "address": [ "6 Cordelia St", "South Brisbane", "QLD 4101" ], "street": "Cordelia St", "state": "QLD", "zip_code": "4101", "country": "AU", "email": [ "research@apnic.net" ], "phone": [ "+61 7 3858 3100" ], "admin_contacts": [ "AIC3-AP" ], "tech_contacts": [ "AIC3-AP" ], "mnt_by": [ "MAINT-APNICRANDNET" ], "date_updated": "2024-07-18", "source": "APNIC" } ], "abuse_contacts": [ { "handle": "AA1412-AP", "name": "ABUSE APNICRANDNETAU", "address": [ "PO Box 3646", "South Brisbane, QLD 4101", "Australia" ], "state": "QLD", "zip_code": "4101", "country": "ZZ", "email": [ "helpdesk@apnic.net" ], "abuse_mailbox": [ "helpdesk@apnic.net" ], "phone": [ "+000000000" ], "admin_contacts": [ "AR302-AP" ], "tech_contacts": [ "AR302-AP" ], "remarks": [ "Generated from irt object IRT-APNICRANDNET-AU", "helpdesk@apnic.net was validated on 2021-02-09" ], "mnt_by": [ "APNIC-ABUSE" ], "date_updated": "2025-05-28", "source": "APNIC" } ], "routes": [ { "route": "1.1.1.0/24", "origin": "AS13335", "description": [ "APNIC Research and Development", "6 Cordelia St" ], "mnt_by": [ "MAINT-APNICRANDNET" ], "date_updated": "2023-04-26", "source": "APNIC" } ], "whois_raw_response": "DETAILED_RAW_RESPONSE" } ``` To query a different IP, simply replace **8.8.8.8** with any IPv4 or IPv6 address you wish to investigate. ## Method 3: IP WHOIS Database (Bulk Data Access) For large-scale analysis, offline processing, or building internal threat intelligence systems, you can use the WhoisFreaks IP WHOIS Database. This option provides downloadable datasets containing historical and structured IP WHOIS records. #### Database access and pricing: [https://whoisfreaks.com/pricing/ip-whois-database](https://whoisfreaks.com/pricing/ip-whois-database) #### Sample dataset download: [https://files.whoisfreaks.com/v3.3/download/snapshot/ip/whois/sample](https://files.whoisfreaks.com/v3.3/download/snapshot/ip/whois/sample) #### What It's Used For * Bulk IP intelligence analysis * Security and threat hunting * SIEM / SOC data enrichment * Historical WHOIS record tracking * Offline processing pipelines ## What Does an IP WHOIS Record Contain? The IP WHOIS database contains ownership details, registration information, and abuse contact details for each IP block. When you perform a lookup, the IP WHOIS information you receive includes registration information such as the registered organization or individual's details, mailing address, registration dates, and abuse contact details. This data is essential for identifying the owner of an IP address, understanding its allocation history, and reporting malicious activity. Here is a full breakdown of every field you will see in an IP WHOIS response: | Field | Description | Why It Matters | | --- | --- | --- | | IP Address | The queried IP address | Primary identifier for lookup | | Network Name | Name assigned to the IP block or netrange | Helps identify the allocation at a glance | | IP Range | Start and end IP addresses of the allocation | Defines the full scope of the block | | CIDR Notation | Compact representation of the IP range (e.g., /24) | Used in routing, filtering, and firewall rules | | Organization | Entity or company holding the IP allocation | Identifies ownership or responsibility | | Organization Handle | Registry identifier for the organization | Used for cross-referencing in WHOIS databases | | Country | Country associated with the IP allocation | Provides geographic context | | ASN | Autonomous System Number associated with the network | Identifies routing domain on the internet | | RIR Source | Regional Internet Registry managing the allocation | Indicates authority over the IP block | | Abuse Contact | Email or phone for reporting abuse | Used for security and abuse reporting | | Administrative Contact | Contact responsible for administrative matters | For policy and ownership changes | | Technical Contact | Contact responsible for technical operations | For network and infrastructure issues | | Registration Date | Date the IP block was first registered | Helps understand allocation history | | Last Updated | Date of most recent WHOIS update | Indicates freshness of record data | | Status | Allocation status (e.g., assigned, allocated, reserved) | Shows how the IP block is currently used | ## Conclusion An IP address on its own is just a number. An IP WHOIS lookup turns that number into actionable intelligence: the owning organization, the ISP, the ASN, the network block, and the abuse contact, all sourced directly from the official Regional Internet Registry that manages that address space. For security analysts, it is the first pivot after a suspicious IP is flagged. For network engineers, it is the ground truth for routing verification. For abuse teams, it is the direct line to the right contact. For OSINT investigators, it is a key link in the chain between digital infrastructure and real-world attribution. The WhoisFreaks IP WHOIS API delivers detailed IP address information including registration data, organization details, administrative, technical, and abuse contacts, as well as routing and network information, all returned in well-structured JSON or XML format. This makes it easy to integrate into any workflow, from a quick manual lookup to a fully automated security pipeline processing thousands of IPs from live threat feeds. The answer to "who owns this IP?" is always one lookup away. #### Ready to perform an IP WHOIS lookup? [**Try the free IP WHOIS Lookup tool**](https://whoisfreaks.com/tools/ip-whois/lookup) ## Frequently Asked Questions Explore frequently asked questions to better understand our features, functionality, and usage. ### What is an IP WHOIS lookup? An IP WHOIS lookup retrieves the registration and ownership information for an IP address or IP range. It returns details about the organization that owns the IP block, the ISP, the ASN, the abuse contact, and the Regional Internet Registry that manages the allocation. ### What information does an IP WHOIS lookup return? An IP WHOIS record typically includes the organization or ISP that owns the IP block, the allocated IP range in CIDR notation, abuse contact email and phone, the RIR that manages the block, country of allocation, and creation and updated dates. ### Does IP WHOIS support IPv6? Yes. The IP WHOIS Lookup tool supports both IPv4 (e.g., 8.8.8.8) and IPv6 addresses (e.g., 2001:4860:4860::8888). ### Where does IP WHOIS data come from? The data comes from Regional Internet Registries such as ARIN for North America, RIPE NCC for Europe, APNIC for Asia-Pacific, LACNIC for Latin America, and AFRINIC for Africa. WhoisFreaks queries these live registries in real time to return up-to-date results. ### How is IP WHOIS useful for cybersecurity? When an alert fires for a suspicious IP in your firewall logs, SIEM, or intrusion detection system, IP WHOIS is the first pivot. It tells you who owns the IP block, which ISP or hosting provider it belongs to, and how to report abuse. It is a foundational tool for incident response, threat attribution, and abuse reporting. ### Is the WhoisFreaks IP WHOIS API free? Yes, it's tool on WhoisFreaks website is free to use and gives a detailed look up for free. But it has rate limit so you can sign up and new accounts receive 500 free API credits upon signing up at WhoisFreaks with no credit card required along with no limit. Each IP WHOIS lookup consumes 1 credit. For higher volume use cases, paid API credit plans are available. ### What is the IP WHOIS API response format? The IP WHOIS API returns detailed IP address information including registration data, organization details, administrative, technical, and abuse contacts, as well as routing and network information, all in well-structured JSON or XML format.