Look up the country, region, city, ISP, organisation, and Autonomous System Number for any IPv4 or IPv6 address. The tool auto-resolves domains to IPs first, then queries authoritative geolocation data. Server-side, no JavaScript required.
The IP Address Lookup tool returns geolocation and network ownership data for any IPv4 or IPv6 address — country, region, city, postal code, timezone, latitude/longitude coordinates, ISP, organisation, and Autonomous System Number (ASN). If you submit a domain instead of an IP, the tool resolves it to an IP first via DNS lookup and then runs the geolocation query against the resolved address. Both the IP and the resolved-from domain appear in the results so you have full traceability.
What is different about this tool: it returns ASN and organisation data alongside geolocation. Many free IP lookups give you just the country and city, which is interesting but not actionable. The ASN tells you which network operator owns the IP block — Cloudflare, AWS, Google Cloud, a Russian hosting company, a residential ISP — which is the field that matters most for security analysis. "This IP is in California" tells you almost nothing; "this IP is in AS13335 (Cloudflare)" tells you everything you need about how to interpret the connection.
How it works under the hood
When you submit a query, the tool first checks whether it's already a valid IP address using PHP's filter_var() with FILTER_VALIDATE_IP. If it's a domain instead, the tool resolves it to an IPv4 address via gethostbyname() — the standard PHP DNS resolver that uses the system resolver chain.
Geolocation query. The resolved IP is then queried against ip-api.com, a free no-key geolocation service that returns JSON-formatted location and network data. The query is rate-limited to 45 requests per minute per source IP — well within the budget for normal interactive use, and our one-hour result cache means popular IPs hit the cache rather than the upstream service.
Two result cards. The response is split into two cards for readability. The Geolocation card shows country, region, city, ZIP code, timezone, and coordinates. The Network Information card shows ISP, organisation, and AS number — these are the security-relevant fields. The geolocation fields tell you where the IP is registered (or claimed to be); the network fields tell you who actually owns and operates it.
Why ASN matters more than country. An IP in Iceland might be a Reykjavik resident, an OVH datacentre customer, a Cloudflare edge node, or a Tor exit. The country tells you the location of the rack; the ASN tells you the operational context. AS13335 (Cloudflare) means traffic is being proxied through Cloudflare's CDN — the actual origin server is somewhere else entirely. AS16509 (AWS) means it's a cloud-hosted server. AS396982 (Google Cloud) means GCP. Knowing the AS is the difference between guessing and knowing.
Geolocation accuracy varies dramatically. Country-level accuracy is around 95-98% for most public IP databases. City-level accuracy drops to 50-80% depending on whether the ISP publishes geolocation data. Coordinates are usually a centroid for the city or even the region — never assume coordinates pinpoint an actual user. The displayed lat/lon are useful as a sanity check ("is this where I expected?") but should not be treated as personally identifying information.
What this tool does NOT do. It does not query Whois for the IP allocation directly (use ARIN, RIPE, or APNIC for that). It does not check whether the IP is on any blocklist (use Spamhaus, AbuseIPDB). It does not run a port scan against the IP — for that, use the Port Scanner. And it does not do reverse-DNS to find the PTR record. Combine multiple tools for full IP investigation; this one gives you the geolocation + ASN baseline.
Five real-world use cases
Investigate the source of suspicious login attempts
Your application logs show failed logins from an IP you don't recognise. Run it through the lookup. Three fields tell you most of what you need. (1) Country: a login attempt from a country with no business presence and no roaming user is suspicious by default. (2) ASN: a login from a datacentre ASN (AWS, GCP, OVH, etc.) for a consumer application is almost certainly automated. (3) ISP/Organisation: residential ISPs are normal; hosting providers, VPN services, and Tor relays are flags. Three fields, ten seconds, much better signal than the IP alone.
203.0.113.42
Trace the hosting provider behind a suspicious domain
You've identified a phishing domain via WHOIS or the URL scanner. Next step is figuring out where it's actually hosted. Submit the domain to this tool — it resolves to an IP and shows the AS Number. Many phishing campaigns cluster on a small number of bulletproof hosting providers; once you've identified one, you can hunt for related infrastructure on the same ASN. For takedown requests, the AS number identifies who to file the abuse complaint with — the hosting provider, not the registrar.
suspicious-domain.com
Verify a CDN is fronting your origin server
You set up Cloudflare (or AWS CloudFront, Fastly, etc.) in front of your origin. Confirm it's actually working: paste your domain into the tool. If the AS Number returned is AS13335 (Cloudflare) or the equivalent for your CDN, the proxy is in place. If you see your origin's hosting provider directly, your CDN is bypassed — DNS isn't pointing through the proxy. This 30-second check is a sanity test for any CDN deployment.
yourdomain.com
Identify the data centre region for performance debugging
Users complain a site feels slow. One factor is geographic distance — if your servers are in Virginia and a complaining user is in Singapore, the round-trip latency alone is 200ms+. Run the user's IP through the tool to get the country and city, then run your origin's IP. Geographic mismatch alone isn't always the bottleneck (good CDN coverage neutralises it) but it's the first thing to rule out before chasing more complex performance issues.
Bug bounty: discover infrastructure on the same hosting provider
When recon expands a target's surface area, IP/ASN data helps confirm relationships. If two suspected target subdomains both resolve to IPs in the same /24 block on the same ASN, they're almost certainly the same infrastructure (and same owner). This is faster than running a full ASN-wide scan and a useful first cut before deeper enumeration. Combined with the WHOIS Lookup for the registered owner, you build a confident map of in-scope infrastructure.
Common mistakes & edge cases
Treating geolocation as authoritative for legal location
IP geolocation is approximate. Country-level accuracy is high (95%+) but city-level accuracy is much weaker, and the displayed coordinates are usually a city or regional centroid, not an actual address. Never use IP geolocation as proof of someone's physical location for any consequential decision (legal, fraud, identity verification). It's a useful signal, not evidence.
Country-blocking as your primary defence against attack traffic
Country-blocking is easy to bypass — every commercial VPN gives users an IP in any country they want, and credential-stuffing operators use residential proxy networks distributed across hundreds of countries. ASN-based filtering (block or challenge datacentre ASNs for consumer-facing logins) catches far more attack traffic with fewer false positives. Country blocks have their place (sanctions compliance, GDPR-only services) but they're a regulatory tool, not a security one.
Confusing the geolocated location with the user\u2019s home address
An IP geolocated to "Atlanta, Georgia" doesn't mean the user lives in Atlanta — it means their ISP assigned them an IP from a pool registered to Atlanta. Mobile users get geolocated to the carrier's regional gateway (often hundreds of miles from the user). Corporate users get geolocated to the company's network edge. Treating the displayed city as the user's home is wrong and sometimes invasive.
Ignoring the AS number because it looks technical
The AS number is the most security-relevant field on the page. Get familiar with the major ASNs in your normal traffic: AS13335 (Cloudflare), AS16509 (AWS), AS15169 (Google), AS8075 (Microsoft Azure), AS24940 (Hetzner), AS16276 (OVH), AS14061 (DigitalOcean). Once you recognise the regulars, anomalies stand out — a login attempt from AS396982 (Google Cloud Platform) for a consumer e-commerce site is much more likely to be automated than a login from a residential ISP ASN.
Not checking whether a CDN is masking the real origin
If a site is behind Cloudflare, AWS CloudFront, or Fastly, this tool returns the CDN's IP — not the origin server's IP. That's correct (the CDN is genuinely what's serving the request) but it means you can't directly determine the origin from this tool when a CDN is in front. To find a hidden origin, look for historical DNS records, certificate transparency logs (crt.sh), or unprotected subdomains that bypass the CDN.
Querying private/reserved IP ranges
RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local (169.254.0.0/16), and other reserved ranges are not routable on the public internet and have no public geolocation. The tool will either error or return empty data for these. If you're investigating a private-network IP, you're looking at a different problem — internal asset discovery — and need internal documentation or network management tools, not public lookups.
Frequently Asked Questions
Paste the IP into the lookup above. The tool returns the country, region, city, postal code, timezone, and approximate coordinates. Country-level accuracy is around 95%; city-level is significantly less reliable. Geographic mapping is approximate — never use IP geolocation as evidence of someone's actual physical address.
Country-level: 95-98% accurate. Region-level: around 80-90%. City-level: 50-80% depending on the ISP's geolocation publishing. Coordinates are city or regional centroids, not actual addresses. Mobile users geolocate to carrier gateways (often hundreds of miles from the user). VPN/proxy users geolocate to the VPN endpoint, not their real location. Use it as a signal, never as proof.
An Autonomous System Number identifies a single network on the internet — typically an ISP, hosting provider, large enterprise, or content network. ASN13335 is Cloudflare, ASN16509 is AWS, ASN15169 is Google. Every IP belongs to exactly one ASN at any given time. The ASN tells you who operates the network the IP is on — much more security-relevant than the geographic location.
An IP address identifies a single host on the internet (a server, a phone, a router). An ASN identifies the network organisation that owns the block of IPs the address belongs to. Multiple IPs share an ASN; an ASN can own millions of IPs. For security analysis, the IP tells you the specific endpoint and the ASN tells you who operates the network it sits on.
No. IP geolocation gives you city-level accuracy at best, often only the location of an ISP gateway hundreds of miles from the user. Law enforcement can subpoena ISPs to map an IP to a customer account at a specific time, but that requires legal process — public IP lookup tools cannot do this. Anyone claiming a free tool returns physical addresses from IPs is misleading you.
Several common causes: (1) your ISP assigned you an IP from a regional pool registered to a different city than your house; (2) you're on mobile data and geolocate to your carrier's regional gateway; (3) you're on a corporate network that egresses through a different city; (4) you're using a VPN, which intentionally shows the VPN endpoint location; (5) the geolocation database is outdated. ISPs reallocate IP blocks regularly and databases lag behind by weeks or months.
Yes. IP addresses are not personal data in most jurisdictions when looked up via public databases — they identify a network endpoint, not a person. GDPR treats IPs as personal data only when you can combine them with other data to identify an individual (which a pure IP lookup cannot do). Using IP lookup for legitimate purposes (security analysis, fraud investigation, network operations) is unambiguously legal everywhere I know of.
From a browser, search Google for "my IP" or visit a site like icanhazip.com or ifconfig.me. From a terminal: curl ifconfig.me. From a Linux command line for the local interface: ip addr show. Note that your public IP (what the world sees) differs from your private IP (what your local network sees) if you're behind NAT, which most home and office networks are.
Yes — submit the full IPv6 address in standard notation (2606:4700:4700::1111 for example, which is one of Cloudflare's public DNS resolvers). The tool handles both IPv4 and IPv6 input; the underlying ip-api.com service supports both. Note that IPv6 geolocation databases are generally less complete than IPv4 — coverage is improving but expect occasional Unknown results for less-common IPv6 ranges.
WHOIS shows the registered country of the IP block owner — typically the ISP or hosting provider's headquarters. IP geolocation databases attempt to identify where the IP is actually being used right now, which can be a different country if the operator deploys IPs internationally. For example, a US-headquartered hosting provider might allocate IPs to its European data centres — WHOIS shows US, geolocation shows the actual data centre location.