April 23, 2026 | Esteve Castells | 12 min read

IP Lookup: Find the Location, Owner, and Network Behind Any IP Address

An IP lookup reveals geolocation, ISP, ASN, organization, and abuse contacts for any address. This guide explains how geolocation databases work, what accuracy you can actually expect, and how to run a proper IP investigation workflow.

Tags: IP Lookup, Geolocation, ASN, WHOIS, RDAP, Network Intelligence, Threat Intelligence, OSINT

What You Actually Get from an IP Lookup

Run an IP lookup on any address and you get back a specific set of data points: the approximate geographic location (country, region, city), the Internet Service Provider or hosting company, the Autonomous System Number (ASN) that routes the address, the organization registered as the owner, and often an abuse contact email. Depending on the data source, you may also get a time zone, a postal code estimate, and coordinates with a confidence radius.

This is the foundation of network investigation. When a login attempt comes from an unexpected IP, when a scraper hammers your API, when you need to verify that a CDN node is where it claims to be, the IP lookup is the first step. It answers: who controls this address, where does it appear to be, and who do I contact if something is wrong?

But the data is only useful if you understand its limits. Geolocation is probabilistic, not deterministic. Ownership records can be stale. And the difference between what people expect from an IP lookup and what it actually delivers is where most mistakes happen.

What an IP Address Actually Tells You

People searching for an IP lookup often expect to find an exact street address, the name of the person sitting at the keyboard, or the physical location of a device within meters. That is not how IP addresses work. An IP address identifies a network interface, not a person or a building. The address is assigned by an ISP or hosting provider, and the geolocation you see maps to where that provider's infrastructure is, not where the end user physically sits.

For a residential broadband connection, the city-level geolocation is usually correct because ISPs serve specific metropolitan areas from local POPs (points of presence). If Comcast assigns you an IP from their Chicago block, geolocation databases will say Chicago, and that is probably right within a 20-50 km radius. But they will not tell you the street or apartment number. The coordinates you see in lookup results typically point to the geographic center of the identified city or to the ISP's local office.

For data center and cloud IPs, the geolocation tells you where the server rack is, which is often a different country from the person who rented it. An attacker in São Paulo running scripts from a DigitalOcean droplet in Frankfurt will appear to be in Frankfurt. For mobile IPs, the situation is worse: carriers often route traffic through centralized gateways, so a mobile user in Denver might show up as being in Dallas because that is where T-Mobile's CGNAT gateway sits.

How IP Geolocation Databases Work

There is no central authority that maps IP addresses to physical locations. Instead, commercial geolocation providers build and maintain their own databases using three primary methods, each with different strengths.

BGP Routing Tables and RIR Allocations

The starting point is public data. Regional Internet Registries (RIRs) publish which IP blocks are allocated to which organizations, and BGP routing tables show which Autonomous Systems announce which prefixes. If ARIN records show that 198.51.100.0/24 is allocated to "Acme Corp" in Dallas, Texas, that becomes the baseline geolocation for every address in that range. This method is free and covers the entire IPv4 and IPv6 space, but it is coarse. The registered address of an organization might be its headquarters in New York while the actual servers are in Virginia.

Latency Triangulation

Providers like MaxMind and IP2Location run active measurement campaigns. They send probes from known locations and measure round-trip times. If a ping from London takes 2ms, from Paris takes 8ms, and from Frankfurt takes 15ms, triangulation places the target somewhere near London. This works well for stationary infrastructure but fails for anycast IPs (where the same address exists in multiple locations) and for paths with asymmetric routing. The accuracy depends on having enough probe points, and providers typically maintain hundreds to thousands of vantage points worldwide.

Ground-Truth User Data

The most accurate method comes from real user signals. When someone grants location permission to a website or app, that GPS coordinate can be paired with their current IP address. Aggregated across millions of users (with consent), this produces a high-confidence mapping. MaxMind's GeoIP2, IP2Location, and DB-IP all incorporate user-contributed data. This is why geolocation accuracy has improved significantly over the past decade: more mobile devices sharing location data means more ground-truth corrections. MaxMind's GeoLite2 free database contains over 6 million location entries, while their commercial GeoIP2 database covers the full routed address space.

Accuracy: What You Can Trust and What You Cannot

Let's put hard numbers on this. Independent studies and MaxMind's own accuracy reports consistently show:

  • Country-level accuracy: 99.5%+ for most providers. If a lookup says the IP is in Germany, it almost certainly is.
  • Region/state-level accuracy: roughly 85-90% for well-connected countries, lower for regions with sparse infrastructure.
  • City-level accuracy: approximately 55-80%, depending on the country and ISP. Urban areas in the US and Europe hit the higher end; rural areas and developing regions are less reliable.
  • Postal code accuracy: 20-50%, useful only as a rough indicator. Do not make business decisions based on postal code geolocation alone.
  • Coordinates: typically accurate within a 25-50 km radius for residential IPs. The confidence radius varies and should always be checked.

Several common scenarios break geolocation entirely. VPN and proxy users appear to be wherever the VPN exit node is located, not where they physically are. NordVPN, ExpressVPN, and similar services have servers in 60+ countries, and their users' real locations are invisible to IP geolocation. Mobile carrier NAT pools thousands of users behind a single IP, and that IP geolocates to the carrier's gateway, not to any individual user. CDN exit nodes (Cloudflare, Akamai, Fastly) serve traffic from the nearest edge, so an IP associated with a CDN often geolocates to the CDN's data center rather than the origin server or end user. Satellite internet users (Starlink, HughesNet) may geolocate to a ground station hundreds of kilometers away.

IP Ownership: RIR Databases Explained

While geolocation tells you where an IP appears to be, ownership records tell you who controls it. This data comes from the five Regional Internet Registries, each responsible for a geographic region:

  • ARIN — North America, parts of the Caribbean. Covers the US, Canada, and several Caribbean nations.
  • RIPE NCC — Europe, the Middle East, and Central Asia. Roughly 25,000 member organizations.
  • APNIC — Asia-Pacific. Covers everything from Japan and Australia to India and China.
  • LACNIC — Latin America and the Caribbean. Serves 33 countries from Mexico to Argentina.
  • AFRINIC — Africa. The youngest RIR, operational since 2005.

When an organization needs IP addresses, they request a block from their regional RIR. The RIR records the allocation: which prefix, which organization, the admin and tech contacts, and the date of assignment. This data is queryable via WHOIS (the legacy text protocol) or RDAP (the modern JSON-based replacement that is now the official standard). RDAP responses include structured fields for the registrant name, address, abuse contact, and the network's CIDR range.

IP WHOIS is fundamentally different from domain WHOIS. Domain WHOIS tells you who registered a domain name. IP WHOIS tells you who was allocated a block of addresses by a registry. The ownership chain for an IP goes: IANA (allocates large blocks to RIRs) → RIR (allocates smaller blocks to ISPs and organizations) → ISP (may sub-allocate to customers). Each step in the chain is recorded, and you can trace back from any single IP to the original allocation.

One practical caveat: many IPs are assigned to large hosting providers (AWS, Google Cloud, Azure, OVH) who then provision them to individual customers. The WHOIS record will show Amazon or Google as the owner, not the actual customer running the server. To identify the real operator behind a cloud IP, you need to combine IP ownership data with reverse DNS, HTTP headers, and SSL certificate information.

Abuse Contacts and Threat Intelligence

Every IP block registered with an RIR should have an associated abuse contact. This is the email address you use when an IP is involved in spam, DDoS attacks, credential stuffing, or other malicious activity. The abuse contact is typically formatted as abuse@isp-or-org.com and is included in the RDAP/WHOIS response under the "abuse" role.

Finding the right abuse contact matters. Sending a complaint to the wrong ISP wastes time. If the IP belongs to a cloud provider, you want the cloud provider's abuse desk (abuse@amazonaws.com, abuse@google.com), not the upstream transit provider. RDAP makes this easier than legacy WHOIS because it returns structured data with explicit role types, so you can programmatically extract the abuse contact without parsing free-form text.
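The role-based extraction described above, as an added Python example that is not DomScan's code or a real registry response: it walks a constructed RDAP "ip network" object (field names follow the RDAP JSON shape of RFC 9083; every value, handle, email and address is made up), descends into nested entities because some registries hang the abuse handler off the registrant rather than listing it at the top level, pulls the email from any entity carrying the "abuse" role, and converts the startAddress/endAddress pair into CIDR notation.

```python
import ipaddress

# Constructed RDAP-style IP network response (not a real registry record).
# Field names follow RFC 9083; the handles, names and addresses are invented.
SAMPLE_RDAP = {
    "objectClassName": "ip network",
    "handle": "198.51.100.0 - 198.51.100.255",
    "startAddress": "198.51.100.0",
    "endAddress": "198.51.100.255",
    "name": "ACME-NET-EXAMPLE",
    "type": "ASSIGNED PA",
    "country": "US",
    "entities": [
        {
            "handle": "ACME-EXAMPLE",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Acme Corp (example)"],
                ["adr", {}, "text", ["", "", "1 Example Way", "Dallas", "TX", "75201", "US"]],
            ]],
            # Nested entity: the abuse handler is attached to the registrant,
            # which is how some registries structure their responses.
            "entities": [
                {
                    "handle": "ACME-ABUSE-EXAMPLE",
                    "roles": ["abuse"],
                    "vcardArray": ["vcard", [
                        ["version", {}, "text", "4.0"],
                        ["fn", {}, "text", "Acme Abuse Desk (example)"],
                        ["email", {}, "text", "abuse@acme.example"],
                    ]],
                }
            ],
        },
        {
            "handle": "ACME-TECH-EXAMPLE",
            "roles": ["technical", "administrative"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["email", {}, "text", "noc@acme.example"],
            ]],
        },
    ],
}


def iter_entities(entities):
    """Yield every entity, descending into nested entity lists."""
    for ent in entities or []:
        yield ent
        yield from iter_entities(ent.get("entities"))


def vcard_value(entity, prop):
    """Return the first value of a jCard property ('email', 'fn', ...) or None."""
    card = entity.get("vcardArray") or ["vcard", []]
    for item in card[1]:
        if item[0] == prop:
            return item[3]
    return None


def abuse_contacts(rdap):
    """Collect email addresses from every entity carrying the 'abuse' role."""
    emails = []
    for ent in iter_entities(rdap.get("entities")):
        if "abuse" in ent.get("roles", []):
            email = vcard_value(ent, "email")
            if email:
                emails.append(email)
    return emails


def registrant_name(rdap):
    """Name of the entity holding the allocation (role 'registrant')."""
    for ent in iter_entities(rdap.get("entities")):
        if "registrant" in ent.get("roles", []):
            return vcard_value(ent, "fn")
    return None


def network_cidrs(rdap):
    """RDAP gives a start/end range; summarize it into CIDR prefixes."""
    start = ipaddress.ip_address(rdap["startAddress"])
    end = ipaddress.ip_address(rdap["endAddress"])
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def summarize(rdap):
    """The fields an analyst needs before filing a report."""
    return {
        "registrant": registrant_name(rdap),
        "cidrs": network_cidrs(rdap),
        "country": rdap.get("country"),
        "abuse": abuse_contacts(rdap),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_RDAP))
```

Because the lookup is keyed on the role string rather than on the position of a contact in free text, the same function works for ARIN, RIPE NCC and the other registries; the recursive walk is what keeps it from missing an abuse contact that a registry nested one level down.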

Beyond abuse contacts, IP threat intelligence adds another layer. Blacklist databases (Spamhaus, AbuseIPDB, Barracuda, Spamcop) maintain lists of IPs with a history of malicious behavior. Checking an IP against these lists tells you whether it has been reported for spam, brute-force attacks, malware distribution, or botnet participation. Spamhaus alone tracks over 9 million IPs in their various blocklists at any given time. AbuseIPDB crowdsources reports and provides a confidence score from 0-100 indicating how likely an IP is to be malicious.

For incident response, the IP lookup sequence is: (1) identify the IP from logs, (2) determine the owning organization and ASN, (3) check blacklists for prior reports, (4) find the correct abuse contact, (5) file a report with evidence. Doing this efficiently means having all the data in one lookup rather than querying five different tools.

Practical IP Lookup Workflow

Here is the step-by-step process for investigating an IP address properly, whether you are doing incident response, fraud analysis, or infrastructure mapping.

Step 1: Run the Lookup

Start with a comprehensive IP lookup that returns geolocation, ASN, organization, and ISP data in a single query. You want the full picture before you start drilling into specifics. If you are doing this programmatically, the IP Lookup API returns structured JSON that you can feed directly into your security pipeline or SIEM.

Step 2: Note the ASN and Organization

The ASN tells you which network operates the IP. AS13335 is Cloudflare. AS16509 is Amazon. AS15169 is Google. If the ASN belongs to a cloud or hosting provider, you are looking at a server, not an end user's home connection. If it belongs to a residential ISP (Comcast AS7922, Deutsche Telekom AS3320, BT AS2856), someone's device is behind that address. This distinction shapes your entire investigation: a brute-force attack from a cloud IP means someone spun up a VM; the same attack from a residential IP may mean a compromised device in a botnet.

Step 3: Check Geolocation Confidence

Do not take the city at face value. Check whether the provider includes a confidence score or accuracy radius. If the result says "Chicago" with a 500 km radius, that IP could be anywhere in the Midwest. If it says "Chicago" with a 10 km radius, it is far more actionable. You can rely on country-level data for almost any purpose; city-level data requires corroboration for high-stakes decisions such as fraud blocking.

Step 4: Cross-Reference with Reverse DNS

A reverse DNS (PTR) lookup on the IP often reveals the hostname the operator assigned. This can confirm or contradict the other data. An IP that WHOIS says belongs to AWS but has a PTR record of mail.example.com tells you who is actually using that address. An IP with a PTR like pool-71-123-45-67.washdc.fios.verizon.net confirms it is a Verizon FiOS residential connection in the Washington DC area. Use the Reverse IP API to also discover all domains that resolve to the address — this reveals shared hosting relationships and can expose the infrastructure behind phishing campaigns.

Step 5: Check Blacklists If Relevant

If you are investigating potentially malicious activity, check the IP against DNS-based blacklists (DNSBLs) and threat intelligence feeds. A hit on Spamhaus SBL means the IP is a known spam source. A hit on their XBL means it is part of an exploited system. The domain reputation tool can help contextualize an IP's standing within the broader trust landscape of associated domains.
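Steps 2 through 5 carried out on already-fetched lookup data, as an added Python example that is not DomScan's tooling: it classifies the network by ASN (the ASN-to-operator pairs are the ones named in Step 2; the tables are otherwise an assumption of the example, not a complete list), builds the reversed-octet query name that DNS-based blacklists expect, decodes Spamhaus ZEN answers using the SBL/XBL/PBL return-code ranges from Spamhaus' published documentation, and checks whether a PTR name embeds the address it claims to describe. The DNS resolver is replaced by a constructed in-memory table so the block runs offline; a real check would resolve the query name with the system resolver, where NXDOMAIN means "not listed". The 50 km threshold for usable city data and the Comcast-style PTR are assumptions of the example.

```python
import re

# Constructed reference data. The ASN/operator pairs are the ones the article
# names; in practice these tables come from the lookup's own hosting/ISP flags.
HOSTING_ASNS = {13335: "Cloudflare", 16509: "Amazon", 15169: "Google", 24940: "Hetzner"}
RESIDENTIAL_ASNS = {7922: "Comcast", 3320: "Deutsche Telekom", 2856: "BT"}

# Spamhaus ZEN return codes (per Spamhaus documentation):
# 127.0.0.2-3 = SBL (spam source), 127.0.0.4-7 = XBL (exploited host),
# 127.0.0.10-11 = PBL (policy block, dynamic/residential space).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

# Stand-in for DNS so the example runs offline: query name -> A records.
# Constructed: 198.51.100.7 is pretended to be listed in XBL.
FAKE_DNS = {
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.4"],
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBLs are queried by reversing the IPv4 octets and appending the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_check(ip, resolve=FAKE_DNS.get):
    """Return the sorted list of ZEN sub-lists the IP appears on (empty = clean)."""
    answers = resolve(dnsbl_query_name(ip)) or []
    return sorted({ZEN_CODES.get(a, "unknown") for a in answers})


def ptr_consistent_with_ip(ptr, ip):
    """Many ISPs embed the address in the PTR (forwards or reversed).
    Returns True/False, or None when there is no PTR to check."""
    if not ptr:
        return None
    nums = [int(n) for n in re.findall(r"\d+", ptr)]
    octets = [int(o) for o in ip.split(".")]
    for candidate in (octets, octets[::-1]):
        for i in range(len(nums) - 3):
            if nums[i:i + 4] == candidate:
                return True
    return False


def classify_network(asn):
    """Step 2: server versus end-user connection, decided by the ASN."""
    if asn in HOSTING_ASNS:
        return "hosting"
    if asn in RESIDENTIAL_ASNS:
        return "residential"
    return "unknown"


def triage(ip, asn, ptr, accuracy_radius_km, resolve=FAKE_DNS.get):
    """Steps 2-5 on lookup data that has already been fetched."""
    kind = classify_network(asn)
    lists = dnsbl_check(ip, resolve)
    verdict = {
        "ip": ip,
        "network": kind,
        "operator": HOSTING_ASNS.get(asn) or RESIDENTIAL_ASNS.get(asn),
        # Assumption of the example: city-level data is only used when the
        # provider's accuracy radius is 50 km or less (Step 3).
        "city_usable": accuracy_radius_km is not None and accuracy_radius_km <= 50,
        "ptr_consistent": ptr_consistent_with_ip(ptr, ip),   # Step 4
        "dnsbl": lists,                                        # Step 5
    }
    if "XBL" in lists and kind == "residential":
        verdict["assessment"] = "likely compromised end-user device (botnet)"
    elif lists and kind == "hosting":
        verdict["assessment"] = "listed server; report to the hosting provider's abuse desk"
    elif kind == "hosting":
        verdict["assessment"] = "server, not an end user; identify the tenant via rDNS/TLS"
    else:
        verdict["assessment"] = "no reputation hits; corroborate before acting"
    return verdict


if __name__ == "__main__":
    # Constructed Comcast-style PTR for the sample address.
    print(triage("198.51.100.7", 7922, "c-198-51-100-7.hsd1.il.comcast.net", 20))
    print(triage("203.0.113.9", 24940, None, 20))
```

The PTR consistency check is the cheap version of the cross-reference in Step 4: a reverse name that embeds a different address than the one you queried is stale or misleading and should lower your confidence in everything else the PTR seems to say.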

Example IP Lookup Output

Here is what a structured IP lookup response looks like for a real-world cloud IP address. This is the kind of data DomScan returns through the IP Lookup API.

Example IP lookup response for a Hetzner-hosted address
{
  "ip": "159.69.42.118",
  "type": "IPv4",
  "geolocation": {
    "country": "DE",
    "countryName": "Germany",
    "region": "BY",
    "regionName": "Bavaria",
    "city": "Nuremberg",
    "postalCode": "90403",
    "latitude": 49.4529,
    "longitude": 11.0768,
    "timezone": "Europe/Berlin",
    "accuracyRadius": 20
  },
  "network": {
    "asn": 24940,
    "asnOrg": "Hetzner Online GmbH",
    "isp": "Hetzner Online GmbH",
    "org": "Hetzner Online GmbH",
    "cidr": "159.69.0.0/16"
  },
  "reverseDns": {
    "hostname": "static.118.42.69.159.clients.your-server.de"
  },
  "abuse": {
    "email": "abuse@hetzner.com",
    "phone": "+49-9831-505-0"
  },
  "rir": "RIPE NCC",
  "isProxy": false,
  "isHosting": true,
  "isMobile": false
}

From this single response you know: the server sits in Hetzner's Nuremberg data center, it is a hosting IP (not residential), RIPE NCC is the authoritative registry, the abuse desk is abuse@hetzner.com, and the reverse DNS confirms Hetzner's naming convention. If this IP showed up in your access logs doing something suspicious, you already have everything needed to file an abuse report.

When IP Lookup Matters Most

IP lookup is not something you do once for curiosity. It is a core step in several professional workflows:

  • Incident response: When your IDS flags an intrusion attempt, the IP lookup identifies the source network, the owning organization, and where to send the abuse report. Speed matters here — having ASN, geolocation, and abuse contact in one call saves minutes per incident.
  • Fraud investigation: Payment processors check whether the IP of a transaction matches the billing country. A credit card with a US billing address but an IP geolocating to Nigeria is a strong fraud signal.
  • Geo-compliance and content licensing: Streaming services, gambling platforms, and financial services must restrict access by jurisdiction. IP geolocation is the primary enforcement mechanism. When regulators audit, they expect evidence that geo-blocking uses a reputable database and accounts ...
  • Infrastructure mapping: Security teams use IP lookups to inventory their own attack surface. Every public IP your organization exposes should map to a known ASN, a known hosting provider, and a known service.
  • Email authentication: When an email arrives, the receiving server checks the sending IP against SPF records, blacklists, and reputation databases. An IP lookup confirms whether the sender's IP belongs to a legitimate mail provider or a compromised residential connection.

The common thread is context. An IP address by itself is just a 32-bit (or 128-bit) number. The lookup wraps that number in actionable intelligence: who, where, which network, and what is the address's reputation. When you need to make a decision — block or allow, investigate or ignore, report or dismiss — that context is what lets you act with confidence rather than guessing.

DomScan's IP lookup tool combines geolocation, ASN/org data, reverse DNS, and hosting detection in a single query. For automated workflows, the IP Lookup API returns structured JSON that integrates directly into SIEMs, fraud engines, and infrastructure monitoring pipelines.

Key Takeaways

  • IP geolocation is roughly 80% accurate at the city level and 99% at the country level, but street-level precision is unreliable.
  • Five Regional Internet Registries (ARIN, RIPE, APNIC, LACNIC, AFRINIC) maintain authoritative IP ownership records.
  • VPNs, mobile carriers, and CDN exit nodes routinely break geolocation assumptions.
  • A proper IP investigation combines geolocation, ASN/org data, reverse DNS, and blacklist checks.
  • Abuse contacts from RIR databases are the correct channel for reporting malicious IP activity.
  • Geolocation databases use BGP routing tables, latency measurements, and ground-truth user data to map IPs to locations.
