How to Find the Location and ISP of an IP Address
Look up geo-IP, ASN, ISP ownership, and reverse DNS records for any IPv4 or IPv6 address — useful for security triage, traffic analysis, and validating CDN routing.

More utilities that pair well with this guide:
Why this matters
A burst of failed login attempts on your platform comes from 185.220.101.7. Before deciding "auto-block them all", you check the IP. ASN says it's a known Tor exit node. That changes the response: you don't ban legitimate users on residential IPs, but you can rate-limit Tor more aggressively. Geo-IP and ASN context turn raw addresses into actionable signals.
Three real scenarios
Look up the source IP, check ISP and ASN; ban or rate-limit appropriately.
Targeted firewall rule
Resolve your CDN's edge IPs from different regions to confirm the customer is hitting the closest PoP.
Confirm geographic distribution
Check the IP's country and ISP — VPN providers usually have well-known ASNs.
Detect VPN abuse
Walkthrough
Open the IP lookup tool.
Paste an IPv4 or IPv6 address
Both protocols are supported. Hostnames are resolved to their primary A/AAAA records before lookup.
Read geographic data
Country, region, city, latitude/longitude, and a small map.
Read ASN / ISP
The autonomous system number and the operator (e.g. AS15169 — Google LLC). Useful to identify hosting providers, ISPs, or anonymizers.
Reverse DNS / hostnames
PTR records often reveal whether an IP is a residential customer, a server farm, or a known service.
Save the report
Copy the JSON output for inclusion in security tickets or runbooks.
IP
1.1.1.1Output
Country: Australia
Region: Queensland
City: South Brisbane
ASN: AS13335 — Cloudflare, Inc.
PTR: one.one.one.one
Anycast: Yes (popular DNS resolver)
Power tips
- Check anycast addresses carefully. A single IP can map to dozens of locations worldwide. If the city in the result feels off, it might be the closest anycast PoP, not the user.
- Look at WHOIS abuse contacts when reporting malicious traffic; they're embedded in the ASN data.
- Cross-check with reverse DNS. A hosting provider's IP with a residential PTR is suspicious — possibly a compromised host.
- Time-stamp lookups in your tickets. Geo-IP databases drift over time; a result from today may not match the IP's allocation 3 months ago.
Common pitfalls
Common mistake
City-level results have a typical accuracy of ~50km. Coordinates are sometimes the centroid of the assigned block. Don't make precise legal claims based on geo-IP alone.
Common mistake
VPN endpoints look like normal IPs
Commercial VPNs lease residential IPs in some regions. ASN doesn't always flag them. Pair with behavioral signals (impossible travel, fingerprint mismatch).
Common mistake
Private/reserved ranges have no public data
10.x, 192.168.x, 172.16-31.x, IPv6 fc00::/7 — none have geo or ASN data. The tool tells you it's a private range and stops.
When this is the wrong tool
- Real-time threat intelligence feeds — services like Spamhaus and AbuseIPDB give richer reputation context.
- TCP / port reachability checks — use
nmaporncfor that. - TLS certificate validation — the URL parser plus a TLS check in your terminal is more direct.
FAQ
Where does the data come from?
The tool uses public geo-IP and ASN data via the same APIs server-side queries would use, but normalized for browser display. No private data is collected.
Can I look up domains, not just IPs?
Yes. The tool resolves the primary A/AAAA record first.
Is my query logged?
The tool itself does not log queries; the upstream API may keep aggregated request counts but not individual lookups.
Next steps
- Inspect the URL of the suspicious request with the URL parser.
- Check your own browser/system fingerprint with the Browser Info tool.
- Confirm the HTTP status code returned by the upstream system at the HTTP status reference.