What is a "bogon" IP?

A **bogon** is an IP address that **should never appear** as a source on the public internet. It includes: **RFC1918 private** ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), **CGNAT** (100.64.0.0/10), **link-local** (169.254.0.0/16 for v4, fe80::/10 for v6), **loopback** (127.0.0.0/8, ::1), **multicast** (224.0.0.0/4, ff00::/8), **documentation** ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32), and **reserved-for-future-use** (240.0.0.0/4). If a request to your public site has a **bogon source IP**, your network is misconfigured or someone is spoofing. Bogons are useful to detect: they tell you immediately the IP is not routable on the internet, so you can skip Tor / geo / WHOIS lookups for it.

What does CGNAT mean and why is it flagged separately?

**CGNAT** stands for **Carrier-Grade NAT** (RFC6598, range **100.64.0.0/10**). When an ISP does not have enough public IPv4 to give each customer their own, they put **hundreds of customers behind a single shared public IP** using a second layer of NAT. Inside the carrier network, those customers see addresses like 100.64.x.x. CGNAT is very common on **mobile carriers** and **fibre ISPs in countries with tight IPv4 supply** (India, Brazil, parts of Eastern Europe). Why flag it: a CGNAT IP **identifies an ISP's shared pool, not a single user**. Blocking it can lock out many innocent people, and any geo data for it is essentially "where the ISP put their NAT box".

How do you detect a Tor exit node?

The Tor project publishes a **bulk list of all current exit nodes** at `https://check.torproject.org/torbulkexitlist`. We fetch this list **at most once every 24 hours**, cache it in server memory, and check whether the IP you submit is in the set. The check is **exact-match by IP** (not by ASN), so it covers Tor exits running on residential connections too. A "tor: yes" verdict means the IP **acted as a Tor exit in the last few hours** (the list refreshes about once an hour upstream). If the answer is no but the IP comes from a hosting ASN, the address could still be a Tor relay or a private VPN.

How do you detect a datacenter / hosting IP?

We keep a **curated list of around 30 of the biggest hosting / cloud ASNs** (Cloudflare, AWS, GCP, Azure, Hetzner, OVH, DigitalOcean, Linode, Vultr, Alibaba Cloud, Tencent Cloud, etc.). When the Team Cymru ASN lookup returns one of these ASNs, we flag the IP as **datacenter**. This is **deliberately a small, high-signal list**: rather than chasing 10,000 niche VPS providers, we focus on the networks that account for the **vast majority of automated traffic**. If a strange IP turns out to be on a major cloud ASN, you can usually treat it as "bot" or "non-human" with high confidence.

When should I look up an IP at all?

The common triggers: **(1)** a login or API call from an unknown IP shows up in your logs and you want context before you alert, **(2)** an automated system rejected a real customer and you want to know what tripped the filter, **(3)** you are writing an **abuse report** and need the operator name + country to send it to the right registry, **(4)** you are **investigating spam, scraping or comment-form abuse** and want to know whether to block a single IP or an entire subnet, **(5)** you migrated infrastructure and want to verify the new ASN announces your IP, **(6)** a customer says "I cannot reach your site" and you want to see whether they are behind CGNAT or Tor.

How accurate is the geolocation data?

**Country-level**: usually right, around **95 to 99 percent** accuracy on residential IPs. **City-level**: often wrong, **maybe 60 to 80 percent**. **Coordinates**: typically a rough centroid of the city, **not the user's actual location**. Geo databases are built from a mix of WHOIS data, ISP-published mappings, latency triangulation and customer feedback, and they **lag months behind reality**: an IP allocated to Berlin in 2019 may still show "Berlin" three years after the ISP moved it. **VPNs, Tor and mobile carriers** wreck geo accuracy entirely. Treat geo as a hint that suggests a hypothesis, never as evidence on its own.

Why does the reverse DNS column sometimes look like gibberish?

Reverse DNS (**PTR record**) is set by the owner of the IP block. **Some owners set meaningful names** (`dns.google`, `one.one.one.one`, `smtp.example.com`). **Many set generic templates**: `ec2-3-x-y-z.compute-1.amazonaws.com`, `server.hostingprovider.com`. Some set **nothing** (the lookup returns no result). Some set **misleading or stale values** that no longer reflect reality. A reverse DNS hit is great when it exists and looks meaningful, but absence does not mean anything is wrong: it is just an optional convention.

**Yes, fully.** The ASN lookup uses Team Cymru's **origin6.asn.cymru.com** service for IPv6, the bogon detector recognises **::1 (loopback), fc00::/7 (ULA), fe80::/10 (link-local), ff00::/8 (multicast) and 2001:db8::/32 (documentation)**, and reverse DNS works the same way as for v4. The geo and Tor data sets cover IPv6 too, with one caveat: the **datacenter ASN list** is the same for v4 and v6, so an IPv6 hosted on AWS still gets flagged as datacenter.

Do you store the IPs I look up?

**No.** Every lookup runs end to end **inside the request lifecycle**, hits Team Cymru DNS / ip-api / the Tor list, returns the result to your browser and then forgets the input. There is **no database, no log of looked-up IPs, no analytics tag** on the request. The only state we keep is the **module-scoped rate-limit counter** for your requester IP (resets every hour) and the **Tor exit list cache** (one shared global list, not per user).

IP Info / ASN Lookup - free

IP Info / ASN lookup: who owns this address, where it lives, what kind of host it is

Paste any IPv4 or IPv6 address and in one second you get the full background check on it: which network operator (ASN) announces it to the internet, which country and registry assigned it, what reverse DNS name it carries, what city the geo databases place it in, and whether it is a bogon, private, CGNAT, Tor exit node or a known datacenter.

This is what abuse desks, security teams, and curious developers do when an unknown IP shows up in their logs. You do not need to install whois, type ARIN queries by hand, or trust a single commercial geo provider: the tool combines Team Cymru's ASN service, the OS reverse DNS resolver, the public Tor exit list and a curated list of cloud / hosting ASNs to give you a clear, multi-signal verdict.

Use it the moment a strange IP shows up in your server logs, a comment-spam IP needs context, a customer complains "I am being blocked", or you just want to know whether a given IP is a regular home connection or an AWS EC2 instance.

How to use it

Paste an IP address in any form: IPv4 like `8.8.8.8`, IPv6 like `2606:4700:4700::1111`. The field validates as you submit, no `http://`, no port, just the address.
Click Lookup. The tool runs all checks in parallel: ASN lookup via Team Cymru DNS, reverse DNS via the OS resolver, geo via a public API, bogon / CGNAT / multicast checks via local bitmask matching, and Tor exit check against a cached daily list.
Use the sample IP chips to try common test cases instantly: `8.8.8.8` (Google DNS, datacenter), `1.1.1.1` (Cloudflare), `192.168.1.1` (RFC1918 private), `100.64.0.1` (CGNAT).
Read the flag badges at the top: family (v4 / v6), public vs bogon, datacenter, Tor. Red badges mean "do not treat this as a normal client IP".
Identity card: shows the IP, family and reverse DNS (PTR). A reverse like `dns.google` is a strong hint the IP belongs to that organisation.
ASN card: ASN number, registry name (ARIN, RIPE, APNIC...), allocated prefix and the network owner (CLOUDFLARENET, AMAZON-02, GOOGLE).
Geo card: country, region, city, coordinates, timezone, ISP and organisation. Treat city-level data as a hint, not a fact, especially for cellular networks and VPN exits.
Flag card: explicit verdicts for bogon / Tor / datacenter, plus the age of the Tor list cache so you know how fresh the answer is.

When this is useful

Six concrete situations where this tool replaces "I will just google the IP":

Triage of suspicious traffic in server logs. A login from `45.61.x.x` looks weird. You paste it: the ASN is a known hosting provider, the reverse DNS is a generic VPS hostname, and the tool flags it datacenter. That single hit is enough to tighten your rate limits or trigger MFA.
Tor exit detection for fraud / abuse policies. Someone abused your free tier from `185.220.x.x`. You paste the IP, the tool returns tor: yes with a Tor list refreshed within the last 24h. You add a policy "block signups from Tor exits, allow login through them" and you are done.
Customer complains they cannot reach you. They send their IP. You see CGNAT, ASN is a mobile carrier, country matches what they say. Their issue is likely on their NAT (port range), not your service.
Investigating spam comments / form abuse. The IP shows up as datacenter (DigitalOcean) in São Paulo, the reverse DNS is a generic droplet name. That tells you to block the entire subnet on the front edge instead of playing whack-a-mole.
Verifying a "private IP" before reporting it. You see `100.64.5.10` in a bug report. The tool flags it CGNAT (not a real public IP) and you ask the user to share their public IP from another site.
Sanity-checking a network change. You changed the upstream provider on a server. After the cutover you paste your server's IP into the tool. The ASN should now be the new provider. If it still shows the old ASN you know route advertisement has not finished propagating.

Questions and answers

ASN stands for Autonomous System Number. The internet is not one big network: it is roughly 100,000 separate networks (ISPs, hosting providers, large companies, universities) that each operate independently. Each one has a number, e.g. AS15169 is Google, AS16509 is Amazon AWS, AS13335 is Cloudflare. Every IP on the public internet is announced by one of these ASNs. The ASN tells you "this IP belongs to network X", which is far more reliable than country-level geo when you want to know "who controls this address". For example, if the ASN is a known consumer ISP, the IP is almost certainly a home user; if the ASN is AWS, it is almost certainly a server.

IP Info / ASN lookup: who owns this address, where it lives, what kind of host it is

How to use it

Paste an IP address in any form: IPv4 like `8.8.8.8`, IPv6 like `2606:4700:4700::1111`. The field validates as you submit, no `http://`, no port, just the address.

Click Lookup. The tool runs all checks in parallel: ASN lookup via Team Cymru DNS, reverse DNS via the OS resolver, geo via a public API, bogon / CGNAT / multicast checks via local bitmask matching, and Tor exit check against a cached daily list.

Use the sample IP chips to try common test cases instantly: `8.8.8.8` (Google DNS, datacenter), `1.1.1.1` (Cloudflare), `192.168.1.1` (RFC1918 private), `100.64.0.1` (CGNAT).

Read the flag badges at the top: family (v4 / v6), public vs bogon, datacenter, Tor. Red badges mean "do not treat this as a normal client IP".

Identity card: shows the IP, family and reverse DNS (PTR). A reverse like `dns.google` is a strong hint the IP belongs to that organisation.

ASN card: ASN number, registry name (ARIN, RIPE, APNIC...), allocated prefix and the network owner (CLOUDFLARENET, AMAZON-02, GOOGLE).

Geo card: country, region, city, coordinates, timezone, ISP and organisation. Treat city-level data as a hint, not a fact, especially for cellular networks and VPN exits.

Flag card: explicit verdicts for bogon / Tor / datacenter, plus the age of the Tor list cache so you know how fresh the answer is.

When this is useful

Six concrete situations where this tool replaces "I will just google the IP":

Triage of suspicious traffic in server logs. A login from `45.61.x.x` looks weird. You paste it: the ASN is a known hosting provider, the reverse DNS is a generic VPS hostname, and the tool flags it datacenter. That single hit is enough to tighten your rate limits or trigger MFA.
Tor exit detection for fraud / abuse policies. Someone abused your free tier from `185.220.x.x`. You paste the IP, the tool returns tor: yes with a Tor list refreshed within the last 24h. You add a policy "block signups from Tor exits, allow login through them" and you are done.
Customer complains they cannot reach you. They send their IP. You see CGNAT, ASN is a mobile carrier, country matches what they say. Their issue is likely on their NAT (port range), not your service.
Investigating spam comments / form abuse. The IP shows up as datacenter (DigitalOcean) in São Paulo, the reverse DNS is a generic droplet name. That tells you to block the entire subnet on the front edge instead of playing whack-a-mole.
Verifying a "private IP" before reporting it. You see `100.64.5.10` in a bug report. The tool flags it CGNAT (not a real public IP) and you ask the user to share their public IP from another site.
Sanity-checking a network change. You changed the upstream provider on a server. After the cutover you paste your server's IP into the tool. The ASN should now be the new provider. If it still shows the old ASN you know route advertisement has not finished propagating.

Questions and answers

IP Info / ASN Lookup

IP Info / ASN lookup: who owns this address, where it lives, what kind of host it is

How to use it

When this is useful

Questions and answers

Related tools

What's my IP

DNS Lookup

WHOIS Lookup

Reverse DNS (PTR) Lookup

CIDR / Subnet Calculator

IP Info / ASN Lookup

IP Info / ASN lookup: who owns this address, where it lives, what kind of host it is

How to use it

When this is useful

Questions and answers

Related tools

What's my IP

DNS Lookup

WHOIS Lookup

Reverse DNS (PTR) Lookup

CIDR / Subnet Calculator