When someone says "WHOIS," most people think of domain registration lookups. Type in a domain name, get back the registrar, creation date, and nameservers. But there is a parallel WHOIS system that most people never encounter until they need it: IP WHOIS. It queries completely different databases, uses different servers, and returns different data. Domain WHOIS talks to registrars like GoDaddy and Namecheap. IP WHOIS talks to Regional Internet Registries like ARIN and RIPE NCC. The two systems share a name and a protocol, but almost nothing else.
If you need to know who controls a specific IP address — because it is attacking your server, because you are investigating a phishing campaign, because you need to report abuse, or because you are mapping infrastructure — you need IP WHOIS. This guide covers how IP allocation works from the top down, how to query each of the five RIRs, how to read the output, and why RDAP is gradually replacing the legacy WHOIS protocol for IP queries.
How IP Address Allocation Works
IP address space does not appear out of nowhere. Every routable IPv4 and IPv6 address traces back to a hierarchical allocation chain that starts with IANA, the Internet Assigned Numbers Authority. IANA is the global coordinator. It does not assign addresses to individual companies or ISPs. Instead, it carves the total address space into large blocks and delegates them to five Regional Internet Registries. Each RIR then sub-allocates to Local Internet Registries (LIRs) and ISPs within its region, and those organizations assign individual addresses or smaller blocks to their customers.
The chain looks like this: IANA allocates a /8 block (16.7 million IPv4 addresses) to ARIN. ARIN allocates a /16 (65,536 addresses) to Comcast. Comcast assigns a /32 (single address) to a residential customer in Chicago. At each level, the allocating body records who received the block, when, and under what policy. These records are what IP WHOIS queries return.
There is an important historical wrinkle. Before the RIR system existed, IANA handed out large blocks directly to organizations. MIT holds 18.0.0.0/8 (the entire 18.x.x.x range — 16.7 million addresses). Apple owns 17.0.0.0/8. The US Department of Defense holds multiple /8 blocks. These "legacy" allocations predate modern policy and often have incomplete WHOIS records because the holders were never required to maintain detailed registration data. When you run an IP WHOIS query and get sparse results, a legacy allocation is often the reason.
IPv4 exhaustion changed the dynamics fundamentally. IANA allocated its last IPv4 /8 blocks in February 2011. APNIC was the first RIR to exhaust its free pool (April 2011), followed by RIPE NCC (September 2012), LACNIC (June 2014), and ARIN (September 2015). AFRINIC still has limited space. New IPv4 addresses now come from transfers — one organization selling or leasing blocks to another — and these transfers create additional WHOIS records that document the chain of custody.
The Five Regional Internet Registries
Each RIR covers a geographic region and operates its own WHOIS database with its own query format, output structure, and policies. Understanding which RIR manages a given IP block is the first step in any IP WHOIS investigation.
- ARIN covers the United States, Canada, and parts of the Caribbean. WHOIS server: whois.arin.net. Largest source of legacy allocations due to early internet adoption.
- RIPE NCC covers Europe, the Middle East, and Central Asia. WHOIS server: whois.ripe.net. Over 30,000 member LIRs. Known for detailed, structured WHOIS records.
- APNIC covers the Asia-Pacific region including Australia, Japan, China, and India. WHOIS server: whois.apnic.net. First RIR to exhaust its IPv4 free pool.
- LACNIC covers Latin America and the Caribbean. WHOIS server: whois.lacnic.net. Manages allocations for 33 countries from Mexico to Argentina.
- AFRINIC covers the entire African continent. WHOIS server: whois.afrinic.net. Youngest RIR (founded 2004) and the only one with remaining IPv4 space.
You do not always need to know which RIR to query in advance. Most WHOIS clients will follow referrals automatically. Query whois.iana.org with any IP, and it tells you which RIR holds the allocation. Then query that RIR's server for the detailed record. Tools like DomScan's IP lookup handle this routing transparently — you provide an IP, and the system queries the correct registry behind the scenes.
Reading IP WHOIS Output
IP WHOIS output is dense and uses field names that are not self-explanatory. Let's walk through a real example. Run `whois 8.8.8.8` from a terminal and you get output from ARIN that looks like this:
NetRange: 8.8.8.0 - 8.8.8.255
CIDR: 8.8.8.0/24
NetName: LVLT-GOGL-8-8-8
NetHandle: NET-8-8-8-0-2
Parent: NET8 (NET-8-0-0-0-0)
NetType: Reallocated
OriginAS: AS15169
Organization: Google LLC (GOGL)
RegDate: 2023-12-28
Updated: 2023-12-28
Ref: https://rdap.arin.net/registry/ip/8.8.8.0
OrgName: Google LLC
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2019-10-31
OrgAbuseHandle: ABUSE5250-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-650-253-0000
OrgAbuseEmail: network-abuse@google.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE5250-ARIN
OrgTechHandle: ZG39-ARIN
OrgTechName: Google LLC
OrgTechPhone: +1-650-253-0000
OrgTechEmail: arin-contact@google.com
OrgTechRef: https://rdap.arin.net/registry/entity/ZG39-ARIN
Here is what each section means. The NetRange and CIDR fields define the IP block: 8.8.8.0 through 8.8.8.255, which is a /24 (256 addresses). NetName is an internal identifier — LVLT-GOGL-8-8-8 suggests this block was originally part of Level 3's space and reallocated to Google. NetType: Reallocated confirms this: the block was assigned to one organization and then reassigned to another. OriginAS: AS15169 is Google's Autonomous System Number, the BGP identifier for the network that announces this prefix to the internet.
The Organization section gives you the entity that controls the block: Google LLC, headquartered at 1600 Amphitheatre Parkway, Mountain View. The OrgId (GOGL) is ARIN's unique handle for this organization. The RegDate fields show two things: when the IP block was registered (2023-12-28, indicating a recent re-registration) and when the organization record was created (2000-03-30, when Google first registered with ARIN).
The most operationally important fields are the abuse contacts. If this IP is sending spam, launching attacks, or hosting malicious content, network-abuse@google.com is where you send the report. Every properly maintained IP WHOIS record includes an abuse contact. If it does not, the block is likely a legacy allocation with incomplete records, and you should escalate to the RIR directly.
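The section-by-section reading above is exactly what a log-enrichment script has to reproduce, and the trap is the repeated field names: RegDate and Updated appear once in the network section and again in the organization section, so a naive key/value parse keeps only the last one. The following parser is an added example, not code from the article or from DomScan; it is specific to ARIN's field names (other RIRs use different ones). The first sample is the ARIN record for 8.8.8.8 as quoted above; the second is a constructed sparse record on the documentation range 192.0.2.0/24, used only to show how a legacy-style allocation with no abuse contact falls through to the escalation rule.

```python
"""Parse ARIN-format IP WHOIS text into sections and pull out attribution fields.

Added example, not code from the article or from DomScan. ARIN-specific:
RIPE, APNIC, LACNIC and AFRINIC use different field names.
"""
import ipaddress
import re

# Sample 1: the ARIN record for 8.8.8.8 as quoted in the article.
SAMPLE_ARIN_OUTPUT = """\
NetRange: 8.8.8.0 - 8.8.8.255
CIDR: 8.8.8.0/24
NetName: LVLT-GOGL-8-8-8
NetHandle: NET-8-8-8-0-2
Parent: NET8 (NET-8-0-0-0-0)
NetType: Reallocated
OriginAS: AS15169
Organization: Google LLC (GOGL)
RegDate: 2023-12-28
Updated: 2023-12-28
Ref: https://rdap.arin.net/registry/ip/8.8.8.0
OrgName: Google LLC
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2019-10-31
OrgAbuseHandle: ABUSE5250-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-650-253-0000
OrgAbuseEmail: network-abuse@google.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE5250-ARIN
OrgTechHandle: ZG39-ARIN
OrgTechName: Google LLC
OrgTechPhone: +1-650-253-0000
OrgTechEmail: arin-contact@google.com
OrgTechRef: https://rdap.arin.net/registry/entity/ZG39-ARIN
"""

# Sample 2: constructed sparse record on the documentation range 192.0.2.0/24,
# shaped like a legacy allocation that was never given an abuse contact.
SAMPLE_LEGACY_OUTPUT = """\
NetRange: 192.0.2.0 - 192.0.2.255
CIDR: 192.0.2.0/24
NetName: EXAMPLE-LEGACY
NetType: Direct Assignment
OrgName: Example Legacy Holder
Country: US
"""

# A new section starts at one of these keys. Sections matter because RegDate
# and Updated occur once per section; a flat dict would keep only the last.
SECTION_STARTERS = {
    "NetRange": "network",
    "OrgName": "organization",
    "OrgAbuseHandle": "abuse",
    "OrgTechHandle": "tech",
    "OrgNOCHandle": "noc",
    "OrgRoutingHandle": "routing",
}
FIELD_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_arin_whois(text):
    """Return a list of (section_name, {field: [values]}) in document order."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#%":
            continue  # blank lines and registry comment lines carry no fields
        m = FIELD_RE.match(line)
        if not m:
            continue  # free text; ARIN output has no continuation lines
        key, value = m.group(1), m.group(2).strip()
        if current is None or key in SECTION_STARTERS:
            current = {}
            sections.append((SECTION_STARTERS.get(key, "other"), current))
        current.setdefault(key, []).append(value)  # Address may repeat
    return sections


def _first(sections, section, key):
    for name, fields in sections:
        if name == section and key in fields:
            return fields[key][0]
    return None


def summarize(text):
    """Flatten a parsed record into the fields an analyst actually uses."""
    s = parse_arin_whois(text)
    cidr_field = _first(s, "network", "CIDR") or ""
    cidrs = [c.strip() for c in cidr_field.split(",") if c.strip()]  # ARIN may list several
    return {
        "cidrs": cidrs,
        "addresses": sum(ipaddress.ip_network(c, strict=False).num_addresses for c in cidrs),
        "net_name": _first(s, "network", "NetName"),
        "net_type": _first(s, "network", "NetType"),
        "origin_as": _first(s, "network", "OriginAS"),
        "network_reg_date": _first(s, "network", "RegDate"),
        "org_name": _first(s, "organization", "OrgName"),
        "org_id": _first(s, "organization", "OrgId"),
        "country": _first(s, "organization", "Country"),
        "org_reg_date": _first(s, "organization", "RegDate"),
        "abuse_email": _first(s, "abuse", "OrgAbuseEmail"),
        "abuse_phone": _first(s, "abuse", "OrgAbusePhone"),
    }


def abuse_report_target(summary):
    """The article's rule: use the abuse contact if present, else escalate to the RIR."""
    return summary["abuse_email"] or "escalate to ARIN (no abuse contact in record)"


if __name__ == "__main__":
    for sample in (SAMPLE_ARIN_OUTPUT, SAMPLE_LEGACY_OUTPUT):
        info = summarize(sample)
        print(info["cidrs"], info["org_name"], "->", abuse_report_target(info))
```

Feed it the text of a live `whois 8.8.8.8` and the result is the same, since ARIN's comment lines (starting with `#`) and blank lines are skipped.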
IP WHOIS vs Domain WHOIS
Because both systems use the term "WHOIS," people assume they work the same way. They do not. The differences are significant enough that treating them interchangeably will lead you to the wrong database, the wrong query syntax, and the wrong conclusions.
- Database source: Domain WHOIS queries registrar databases (Verisign, GoDaddy). IP WHOIS queries Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC).
- Query input: Domain WHOIS takes a domain name (example.com). IP WHOIS takes an IP address (8.8.8.8) or a CIDR block (8.8.8.0/24).
- Data returned: Domain WHOIS shows registrar, registrant, creation date, expiry, nameservers. IP WHOIS shows network range, organization, ASN, abuse contact, allocation type.
- Privacy rules: Domain WHOIS is heavily redacted post-GDPR. Registrant names and emails are hidden behind privacy proxies. IP WHOIS has far less redaction because abuse contacts must remain public for the internet to function.
- Protocol: Both traditionally use TCP port 43, but query different servers. Domain WHOIS starts at the TLD's thin WHOIS, then follows referrals to the registrar. IP WHOIS starts at IANA and follows referrals to the responsible RIR.
- Update frequency: Domain WHOIS records change when the registrant modifies them. IP WHOIS records change when blocks are allocated, reallocated, or transferred — much less frequently.
The privacy difference is the most practically important. After GDPR took effect in 2018, domain WHOIS became nearly useless for identifying registrants. Names, emails, phone numbers, and addresses are redacted for domains registered by EU persons. IP WHOIS, by contrast, still exposes organization names, addresses, and abuse contacts. The rationale is operational necessity: if an IP block is used for abuse, the internet community needs a way to reach the responsible party. RIRs have resisted pressure to redact this data, arguing that network stability depends on it.
Use DomScan's WHOIS lookup for domain registration data, and the IP lookup tool when you need to trace IP ownership. They query entirely different systems and return different information.
RDAP for IP Queries
The legacy WHOIS protocol (RFC 3912) is a plain-text, unstructured format from the 1980s. Every RIR formats its output differently. Parsing WHOIS output programmatically means writing fragile regex patterns that break when a registry changes its template. RDAP — Registration Data Access Protocol — is the modern replacement, standardized in RFC 9224.
RDAP serves the same data as WHOIS but over HTTPS with structured JSON responses. Instead of scraping text, you get machine-readable objects with consistent field names. Here is how to query ARIN's RDAP endpoint for the same 8.8.8.8 address:
curl -s https://rdap.arin.net/registry/ip/8.8.8.8 | jq '.name, .handle, .startAddress, .endAddress'
The response is a JSON document with fields like `name`, `handle`, `startAddress`, `endAddress`, `entities` (containing the organization and contacts), and `links` (containing references to related objects). Every RIR now operates an RDAP endpoint: rdap.arin.net, rdap.db.ripe.net, rdap.apnic.net, rdap.lacnic.net, and rdap.afrinic.net.
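What the `jq` one-liner does not show is where the contacts live: in RDAP the organization is an entity with the `registrant` role, and the abuse and technical contacts are entities nested inside it, each carrying a jCard (`vcardArray`) rather than flat fields. The following is an added example, not the article's or DomScan's code, that walks that structure and returns the same attribution fields the WHOIS text gives. `SAMPLE_RDAP_JSON` is a constructed document in the shape ARIN returns for the `rdap.arin.net` query above, trimmed to the properties used here and populated with the values from the WHOIS record quoted earlier; the `fetch_rdap` helper is included for live use and is not exercised offline.

```python
"""Extract attribution fields from an RDAP 'ip network' response.

Added example, not code from the article or from DomScan. SAMPLE_RDAP_JSON is
constructed in the shape of ARIN's response for 8.8.8.8, trimmed to the
properties used here.
"""
import ipaddress
import json
import urllib.request

SAMPLE_RDAP_JSON = """
{
  "objectClassName": "ip network",
  "handle": "NET-8-8-8-0-2",
  "startAddress": "8.8.8.0",
  "endAddress": "8.8.8.255",
  "ipVersion": "v4",
  "name": "LVLT-GOGL-8-8-8",
  "events": [
    {"eventAction": "registration", "eventDate": "2023-12-28T00:00:00-05:00"},
    {"eventAction": "last changed", "eventDate": "2023-12-28T00:00:00-05:00"}
  ],
  "entities": [
    {"objectClassName": "entity", "handle": "GOGL", "roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Google LLC"]]],
     "entities": [
       {"objectClassName": "entity", "handle": "ABUSE5250-ARIN", "roles": ["abuse"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Abuse"],
                                 ["email", {}, "text", "network-abuse@google.com"],
                                 ["tel", {"type": ["work", "voice"]}, "text", "+1-650-253-0000"]]]},
       {"objectClassName": "entity", "handle": "ZG39-ARIN", "roles": ["technical"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Google LLC"],
                                 ["email", {}, "text", "arin-contact@google.com"]]]}
     ]}
  ]
}
"""


def iter_entities(obj):
    """Depth-first walk over nested entities; contacts hang off the org entity."""
    for ent in obj.get("entities", []):
        yield ent
        yield from iter_entities(ent)


def jcard_value(entity, prop):
    """First value of a jCard property ('fn', 'email', 'tel') or None."""
    vcard = entity.get("vcardArray")
    if not vcard or len(vcard) != 2:
        return None
    for item in vcard[1]:
        if item[0] == prop:
            return item[3]
    return None


def contacts_with_role(doc, role):
    return [e for e in iter_entities(doc) if role in e.get("roles", [])]


def event_date(doc, action):
    for ev in doc.get("events", []):
        if ev.get("eventAction") == action:
            return ev["eventDate"][:10]  # keep the calendar date only
    return None


def summarize_rdap(doc):
    """Accept a JSON string or parsed dict; return the fields used for attribution."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    if doc.get("objectClassName") != "ip network":
        raise ValueError("not an RDAP ip network object")
    start = ipaddress.ip_address(doc["startAddress"])
    end = ipaddress.ip_address(doc["endAddress"])
    # A range that is not CIDR-aligned summarizes to several prefixes.
    cidrs = [str(n) for n in ipaddress.summarize_address_range(start, end)]
    registrant = contacts_with_role(doc, "registrant")
    abuse = contacts_with_role(doc, "abuse")
    return {
        "handle": doc.get("handle"),
        "name": doc.get("name"),
        "cidrs": cidrs,
        "registrant": jcard_value(registrant[0], "fn") if registrant else None,
        "registrant_handle": registrant[0].get("handle") if registrant else None,
        "abuse_email": jcard_value(abuse[0], "email") if abuse else None,  # None means escalate
        "abuse_phone": jcard_value(abuse[0], "tel") if abuse else None,
        "registered": event_date(doc, "registration"),
        "last_changed": event_date(doc, "last changed"),
    }


def fetch_rdap(url, timeout=10):
    """Live query (needs network): RDAP is served as application/rdap+json."""
    req = urllib.request.Request(url, headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(summarize_rdap(SAMPLE_RDAP_JSON))
```

Because every RIR's RDAP endpoint uses the same object classes and jCard layout, the same walk works on a RIPE or APNIC response; only the entity handles and roles present will differ, and a missing `abuse` entity is the RDAP form of the sparse legacy record discussed above.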
RDAP has three major advantages over legacy WHOIS. First, structured output: JSON with defined schemas means you do not need custom parsers for each RIR. Second, bootstrapping: a central IANA bootstrap file maps IP ranges to the correct RDAP server, so clients can automatically route queries without manual configuration. Third, access control: RDAP supports authenticated queries and differentiated access, allowing RIRs to provide more data to verified users while rate-limiting anonymous queries.
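The bootstrapping step is the RDAP counterpart of asking whois.iana.org for a referral: the client downloads IANA's bootstrap registry once, finds the longest prefix that contains the address, and sends the query to that RIR's base URL. The following is an added example, not the article's or DomScan's code, implementing that lookup. `BOOTSTRAP_V4` and `BOOTSTRAP_V6` are constructed excerpts in the layout of IANA's published files (each service entry is a list of prefixes paired with a list of base URLs); the base URLs are built from the RDAP host names the article lists, and the handful of /8 and /12 prefixes are illustrative rather than the full registry. It also refuses to look up non-global addresses (RFC 1918 space, loopback, shared address space), which no RIR will have a record for.

```python
"""Route an IP address to the correct RDAP server via the IANA bootstrap registry.

Added example, not code from the article or from DomScan. The bootstrap
excerpts below are constructed in the layout of https://data.iana.org/rdap/
ipv4.json and ipv6.json and cover only a few prefixes per RIR.
"""
import ipaddress

BOOTSTRAP_V4 = {
    "version": "1.0",
    "services": [
        [["8.0.0.0/8", "17.0.0.0/8", "18.0.0.0/8"], ["https://rdap.arin.net/registry/"]],
        [["5.0.0.0/8", "31.0.0.0/8"], ["https://rdap.db.ripe.net/"]],
        [["1.0.0.0/8", "14.0.0.0/8"], ["https://rdap.apnic.net/"]],
        [["177.0.0.0/8", "179.0.0.0/8"], ["https://rdap.lacnic.net/rdap/"]],
        [["41.0.0.0/8", "102.0.0.0/8"], ["https://rdap.afrinic.net/rdap/"]],
    ],
}

BOOTSTRAP_V6 = {
    "version": "1.0",
    "services": [
        [["2600::/12"], ["https://rdap.arin.net/registry/"]],
        [["2001:600::/23"], ["https://rdap.db.ripe.net/"]],
        [["2400::/12"], ["https://rdap.apnic.net/"]],
        [["2800::/12"], ["https://rdap.lacnic.net/rdap/"]],
        [["2c00::/12"], ["https://rdap.afrinic.net/rdap/"]],
    ],
}


def load_bootstrap(*docs):
    """Flatten bootstrap documents into (network, base_url), longest prefix first."""
    table = []
    for doc in docs:
        for prefixes, urls in doc["services"]:
            base = urls[0]  # a service may list several mirrors; take the first
            for p in prefixes:
                table.append((ipaddress.ip_network(p), base))
    # Longest-prefix match: a more specific entry must win over a covering one.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


BOOTSTRAP_TABLE = load_bootstrap(BOOTSTRAP_V4, BOOTSTRAP_V6)


def rdap_service_for(ip_text, table=BOOTSTRAP_TABLE):
    """Return (matching_prefix, base_url) or (None, None) if nothing covers the address."""
    ip = ipaddress.ip_address(ip_text)
    for net, base in table:
        if net.version == ip.version and ip in net:
            return net, base
    return None, None


def rdap_query_url(ip_text, table=BOOTSTRAP_TABLE):
    """Build the RDAP query URL ({base}ip/{address}); None for non-global addresses."""
    ip = ipaddress.ip_address(ip_text)
    if not ip.is_global:
        return None  # private, loopback, link-local, shared space: no RIR record exists
    net, base = rdap_service_for(ip_text, table)
    if base is None:
        raise LookupError(f"no RDAP service registered for {ip_text} in this table")
    return base.rstrip("/") + "/ip/" + str(ip)


if __name__ == "__main__":
    for addr in ("8.8.8.8", "41.1.2.3", "2001:67c::1", "10.0.0.1"):
        print(addr, "->", rdap_query_url(addr))
```

In production the two JSON documents are fetched from IANA and cached, since they change only when IANA delegates new space; the matching logic stays the same, and the `LookupError` branch is what you hit for space IANA has not yet delegated.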
DomScan's RDAP lookup tool leverages these structured responses to normalize data across all five RIRs into a consistent format. The IP Lookup API uses RDAP as its primary data source, falling back to legacy WHOIS only when RDAP is unavailable.
Common IP WHOIS Use Cases
IP WHOIS is not a curiosity tool. It is embedded in critical workflows across security, compliance, and network operations. Here are the scenarios where it matters most.
- Abuse reporting: When an IP is sending spam, scanning your ports, or hosting a phishing page, the WHOIS abuse contact is where you send the report. Without it, you have no path to the responsible network operator.
- Incident response: During a breach investigation, every attacker IP gets a WHOIS lookup. The ASN, organization, and country tell you whether the source is a compromised residential host, a bulletproof hosting provider, or a cloud instance.
- Network peering decisions: Before establishing a BGP peering session, network engineers verify the counterparty's ASN and IP allocations through RIR WHOIS records to confirm legitimacy.
- Data residency compliance: Regulations like GDPR require knowing where data is stored. IP WHOIS confirms whether a server's IP belongs to a provider with data centers in the required jurisdiction.
- Vendor and supply chain verification: When a third-party service gives you an IP to whitelist, WHOIS confirms that the IP actually belongs to that vendor and not to an unrelated or malicious entity.
In each case, the value is attribution. An IP address is just a number. WHOIS wraps it in organizational context: this number belongs to this entity, in this country, reachable at this abuse contact. That context turns a raw indicator into actionable intelligence.
Limitations of IP WHOIS
IP WHOIS is authoritative for who holds an allocation, but it has blind spots that matter in practice. Understanding these prevents you from drawing wrong conclusions.
Sub-allocations are not always visible. A large ISP might hold a /16 block and assign portions to business customers, but those sub-assignments may not appear in the RIR database. The WHOIS record still shows the ISP as the holder. To find the actual user, you need to contact the ISP directly. RIPE NCC requires more granular reporting than ARIN, so European IP space tends to have better sub-allocation visibility.
Cloud IPs show the provider, not the customer. If you WHOIS an AWS EC2 IP address, you get Amazon as the organization. If you WHOIS a Google Cloud IP, you get Google. The actual customer who rented the instance is invisible in the WHOIS record. Cloud providers will sometimes respond to abuse reports and forward them to the customer, but the WHOIS data itself does not reveal the end user. The same applies to CDNs: a Cloudflare IP identifies Cloudflare, not the website behind it. To find the origin, you need reverse IP lookups or certificate transparency logs.
CGNAT hides individual users. Carrier-grade NAT places thousands of mobile or residential users behind a single public IP address. The WHOIS record shows the carrier (T-Mobile, Vodafone, Jio), but there is no way to determine which individual user was behind that IP at a given time without carrier cooperation and a court order. This is increasingly common as IPv4 scarcity forces more providers to deploy CGNAT.
Stale records exist. Organizations change names, merge, go bankrupt. Their IP allocations may not be updated promptly. Legacy holders from the 1980s and 1990s sometimes have WHOIS records listing addresses and contacts that have been defunct for decades. ARIN periodically runs accuracy campaigns to clean up stale data, but compliance is uneven.
Rate limiting restricts bulk queries. Every RIR rate-limits WHOIS queries to prevent abuse. ARIN allows about 50 queries per minute from a single IP before throttling. RIPE NCC is more generous but will block sustained high-volume access. If you need bulk IP WHOIS data, use the RIR's bulk download files (ARIN publishes nightly database dumps) or RDAP's authenticated access for higher rate limits.
Running IP WHOIS Queries Effectively
For one-off queries, the command line works well. On Linux and macOS, the `whois` command is typically pre-installed. On Windows, you can use the Sysinternals `whois` tool or query through a web interface. But for operational use — parsing results, integrating with alerting, or enriching logs — you want structured data from an API.
DomScan's IP Lookup API returns structured JSON combining RDAP data, geolocation, ASN information, and reverse DNS in a single call. Instead of querying the RIR, parsing the text, then querying a geolocation database separately, you get everything normalized and ready to consume. For bulk operations, the Reverse IP API maps IPs to hosted domains, which is useful for investigating shared hosting environments or CDN configurations.
Whether you use the command line, a web tool, or an API, the key is knowing what IP WHOIS can and cannot tell you. It identifies the organization that holds an allocation and provides a path to reach them. It does not identify individual users, it does not guarantee the physical location of the hardware, and it does not replace a subpoena when you need to trace activity to a person. Used within those boundaries, IP WHOIS is one of the most reliable sources of network attribution available.