WHOIS IP Lookup: Everything an IP WHOIS Reveals (and What It Hides)
A WHOIS IP lookup queries one of five regional internet registries to identify which organisation holds a block of addresses. It returns the network range, the autonomous system number, the registration date and an abuse contact. It does not return the name of the person sitting behind the IP. That information lives with the ISP and only leaves with a court order.
Type whois 8.8.8.8 into a terminal and a wall of text appears. Most of it looks like form data from 1998, because it is. WHOIS is one of the oldest active protocols on the internet, standardised in RFC 3912 as a plain-text query over TCP port 43. Yet the same query still answers a useful question every day: who controls this address?
The answer is rarely the person you imagined. WHOIS reveals the organisation that holds the allocation, not the human renting an IP from that organisation for the evening. Confusing those two has launched countless wrongful complaints and a few wrongful lawsuits. This piece walks through what a WHOIS IP record actually contains, how the data flows from IANA down through the five regional registries, and why a modern lookup often returns less than it used to.
WHOIS for IP versus WHOIS for domain
The same protocol carries two different datasets. A domain WHOIS query returns the registrant of a domain name: who bought example.com, when it expires, the registrar that sold it, and contact details if not redacted. An IP WHOIS query returns the holder of an address block, the network range, the autonomous system that announces it, and an abuse address. The two datasets sit on different servers and follow different rules.
For an IP, the chain starts at IANA, the Internet Assigned Numbers Authority. IANA delegates large blocks to one of five regional internet registries, the RIRs. Each RIR maintains the authoritative WHOIS database for its region. ARIN covers North America, RIPE NCC covers Europe and the Middle East, APNIC covers the Asia-Pacific, LACNIC covers Latin America and the Caribbean, and AFRINIC covers Africa. Their boundaries match the way the internet was built region by region during the 1990s.
The five RIRs at a glance
| Registry | Region | Founded | WHOIS server |
|---|---|---|---|
| ARIN | USA, Canada, parts of the Caribbean | 1997 | whois.arin.net |
| RIPE NCC | Europe, Middle East, Central Asia | 1992 | whois.ripe.net |
| APNIC | Asia-Pacific | 1993 | whois.apnic.net |
| LACNIC | Latin America, most of Caribbean | 2002 | whois.lacnic.net |
| AFRINIC | Africa | 2004 | whois.afrinic.net |
When you query a single global tool like the command-line whois, it usually contacts ARIN first because ARIN's server is configured to forward and redirect. Run whois 193.0.6.139 on a Linux box and ARIN politely points to RIPE, which then returns the actual record because the address sits inside a European allocation. The redirection happens transparently. Power users specify a server directly with whois -h whois.apnic.net 1.1.1.1 to skip the dance.
What an IP WHOIS record actually contains
Strip away the headers and a typical IP WHOIS record holds a small set of fields. Each one tells a different story:
- NetRange or inetnum: the first and last address in the block.
- CIDR: the same range expressed as a slash, like 203.0.113.0/24. The companion article on CIDR notation covers how to read these.
- NetName: a short label chosen by the holder, sometimes useful, often cryptic.
- OrgName: the registered organisation that received the allocation.
- OriginAS or aut-num: the autonomous system number announcing the prefix on BGP, for example AS15169 for Google.
- RegDate: when the block was originally assigned. Vintage allocations from the 1980s still surface.
- abuse-mailbox or OrgAbuseEmail: where to report misuse.
That OrgName is the field most people misread. It identifies the operator of the block, which is often a hosting provider, a mobile carrier, a corporate network, or a tier-one ISP. The end customer renting the address is not listed. If 198.51.100.40 belongs to a residential ISP, the WHOIS shows the ISP, not the household. The household identity sits in the ISP's internal subscriber database and only leaves with a court order or law enforcement request. The piece on who can find you with your IP explores that legal threshold in depth.
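Because the same fields carry different names depending on the registry, a script has to fold them onto one vocabulary before it can compare records. The following is an added example, not code from the original article: it normalises ARIN-style and RIPE-style text records and derives CIDR prefixes from the range. Both sample records are constructed, using documentation addresses and private-use ASNs, and the key mapping covers only the fields listed above.

```python
import ipaddress

# Registry-specific keys folded onto one normalised name.
KEY_MAP = {
    "netrange": "range", "inetnum": "range",
    "netname": "netname", "orgname": "org", "org-name": "org",
    "originas": "origin_as", "origin": "origin_as", "aut-num": "origin_as",
    "regdate": "registered", "created": "registered",
    "updated": "updated", "last-modified": "updated",
    "orgabuseemail": "abuse", "abuse-mailbox": "abuse",
}

def parse_whois(text):
    """Return normalised fields from a plain-text IP WHOIS reply."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%" or ":" not in line:
            continue  # blank lines and registry comment lines
        key, _, value = line.partition(":")
        name = KEY_MAP.get(key.strip().lower())
        if name and value.strip():
            record.setdefault(name, value.strip())  # first object wins
    if "range" in record:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in record["range"].split("-"))
        nets = ipaddress.summarize_address_range(lo, hi)
        record["cidr"] = [str(n) for n in nets]  # a range may need several prefixes
    return record

# Constructed sample records (documentation addresses and ASNs, not real data).
ARIN_STYLE = """\
NetRange:       198.51.100.0 - 198.51.100.255
NetName:        EXAMPLE-NET
OriginAS:       AS64500
OrgName:        Example Hosting LLC
RegDate:        2009-04-01
Updated:        2021-06-15
OrgAbuseEmail:  abuse@example.net
"""
RIPE_STYLE = """\
% constructed sample
inetnum:        203.0.113.0 - 203.0.113.191
netname:        EXAMPLE-EU
org-name:       Example Access BV
created:        2012-01-10T09:00:00Z
last-modified:  2019-11-02T14:30:00Z
abuse-mailbox:  abuse@example.org
origin:         AS64501
"""
```

The second record shows why the range and the CIDR field are not interchangeable: 203.0.113.0 to 203.0.113.191 is not a single prefix, so the parser returns a /25 plus a /26.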
Why your name is not in there
Two separate forces erased most personal data from IP WHOIS over the past decade. The first was the General Data Protection Regulation in 2018. RIPE applies GDPR to its database, which means individual end-user data either was never collected or got redacted. ARIN follows a similar pattern under different legal pressure, particularly for residential reassignments. The second was the operational reality that RIRs only ever held data on direct allocation holders. A cable company gets a /16 from ARIN, then slices it into thousands of /29 customer subnets internally. ARIN never sees those subnets and never asked for the customer names. That part of the story is sometimes called downstream allocation or SWIP, and most ISPs never SWIP residential users by name.
💡 If you want to know what your own IP reveals through WHOIS, run the lookup against your public address. The homepage IP tool shows the public address your traffic carries right now. Drop that number into a WHOIS query and read the OrgName field. The answer is your ISP, not you.
RDAP, the modern replacement
WHOIS over port 43 returns plain text that humans can read but machines parse poorly. Every registry uses slightly different field names and formatting. To fix that, the IETF defined the Registration Data Access Protocol in RFC 7480 through RFC 7485. RDAP runs over HTTPS, returns JSON, supports internationalisation, and applies a consistent schema across all five RIRs.
An RDAP query to ARIN looks like this:
curl https://rdap.arin.net/registry/ip/8.8.8.8
- The response is structured JSON with named keys, including entities, events and remarks.
- Parsers can pull out the OrgName, abuse contact and CIDR without writing regular expressions against ten different output formats.
RDAP also handles GDPR more gracefully. Hidden fields appear as redacted objects with a reason, rather than vanishing silently. The transition is slow because legacy WHOIS works, but every major RIR runs both protocols today and ICANN encourages new tooling to start with RDAP.
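To make the "named keys" concrete, here is an added example (not from the original article) that pulls the holder, abuse contact, prefixes and dates out of an RDAP IP network response. The response is a constructed sample with hypothetical handles. The code assumes the holder carries the registrant role, that the abuse contact may be nested under the holder, and that the server returns the cidr0 extension.

```python
import json

def vcard_field(entity, name):
    """First value of a jCard property such as 'fn' or 'email', else None."""
    for prop in entity.get("vcardArray", [None, []])[1]:
        if prop[0] == name:
            return prop[3]
    return None

def walk_entities(entities):
    """Yield every entity, including contacts nested under the holder."""
    for ent in entities or []:
        yield ent
        yield from walk_entities(ent.get("entities"))

def summarize_rdap(doc):
    """Extract holder, abuse contact, prefixes and dates from an 'ip network' object."""
    out = {"handle": doc.get("handle"), "cidr": [], "org": None, "abuse": None,
           "range": (doc.get("startAddress"), doc.get("endAddress")), "events": {}}
    for c in doc.get("cidr0_cidrs", []):  # cidr0 extension; absent on some servers
        out["cidr"].append(f"{c.get('v4prefix') or c.get('v6prefix')}/{c['length']}")
    for ent in walk_entities(doc.get("entities")):
        roles = ent.get("roles", [])
        if "registrant" in roles and out["org"] is None:
            out["org"] = vcard_field(ent, "fn")
        if "abuse" in roles and out["abuse"] is None:
            out["abuse"] = vcard_field(ent, "email")  # None if withheld
    for ev in doc.get("events", []):
        out["events"][ev["eventAction"]] = ev["eventDate"]
    return out

# Constructed response (documentation addresses, hypothetical handles).
SAMPLE = json.loads("""
{"objectClassName": "ip network", "handle": "NET-EXAMPLE-1",
 "startAddress": "198.51.100.0", "endAddress": "198.51.100.255",
 "cidr0_cidrs": [{"v4prefix": "198.51.100.0", "length": 24}],
 "events": [{"eventAction": "registration", "eventDate": "2009-04-01T00:00:00Z"},
            {"eventAction": "last changed", "eventDate": "2021-06-15T00:00:00Z"}],
 "entities": [{"handle": "EXAMPLE-ORG", "roles": ["registrant"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                            ["fn", {}, "text", "Example Hosting LLC"]]],
   "entities": [{"handle": "EXAMPLE-ABUSE", "roles": ["abuse"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Abuse Desk"],
                              ["email", {}, "text", "abuse@example.net"]]]}]}]}
""")
```

The "last changed" event is the RDAP counterpart of the updated or last-modified line in a text record, so the same freshness check applies to both.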
Reading WHOIS like an analyst
The fields look bureaucratic but they support real investigations. A few patterns repeat:
A WHOIS lookup on a suspicious IP that resolves to a hosting provider with an OrgName like DigitalOcean, Hetzner, OVH or AWS tells you the box sits in a data centre, not a home. That changes the meaning of the connection. A residential IP behaving badly is often a compromised device. A data centre IP behaving badly is often someone renting infrastructure for a campaign, which is the same pattern described in the IP tracking explainer.
The ASN matters too. AS13335 is Cloudflare. AS32934 is Facebook. AS15169 is Google. When the OriginAS does not match the OrgName, the prefix is likely transited or announced through a third party. Combining the WHOIS record with a BGP looking-glass like bgp.he.net gives a fuller picture. Analysts who track abuse or fraud routinely cross-reference WHOIS with reverse DNS to spot mismatches that hint at hijacks or spoofing.
Practical command line
The classic whois binary ships with most Linux distributions and macOS. On Windows it is a free Sysinternals download. Useful examples:
- whois 1.1.1.1: returns the APNIC record for Cloudflare's resolver.
- whois -h whois.cymru.com " -v 8.8.8.8": a third-party service that adds ASN and country in one line.
- dig +short -x 8.8.8.8: not WHOIS, but pairs well to get the reverse pointer, which often confirms the operator's naming convention.
⚠️ WHOIS data is a snapshot. Allocations move between organisations through transfers, mergers and revocations. A record showing a defunct ISP from 2008 may have been reassigned through ARIN's transfer market in 2021. Always check the most recent updated or last-modified field before drawing conclusions.
What WHOIS will never tell you
Three things are permanently out of scope. The physical address of a residential user, because that lives only with the ISP. The geographic city of the IP at street level, because WHOIS records country and sometimes region but not coordinates. For the real picture of how a city-level guess gets made, the article on geographic location of an IP address is the better read. And the activity of the IP, because WHOIS describes ownership, not behaviour. Behavioural reputation comes from blocklists and threat feeds, which the explainer on domain and IP blacklists covers.
WHOIS remains useful precisely because it answers one question well. It says who is responsible. From there, every other question, including whether to file an abuse report, whether to block a range, or whether to investigate further, gets a clearer starting point. The slow migration to RDAP will not change that. It will only make the data easier to parse.
Frequently asked questions
What is the difference between an IP WHOIS and a domain WHOIS?
A domain WHOIS returns the registrant of a domain name, including the registrar, expiry date and sometimes contact details if not redacted by privacy services or GDPR. An IP WHOIS returns the organisation that holds an IP address block, the autonomous system number, the registration date and an abuse address. Domain WHOIS data lives at registrars and the ICANN-controlled gTLD registries. IP WHOIS data lives at one of the five regional internet registries: ARIN, RIPE, APNIC, LACNIC or AFRINIC. The protocols look identical but the databases are entirely separate and serve different purposes.
Why does WHOIS not show my real name?
Two reasons. First, regional internet registries only collect data on direct allocation holders, which are ISPs, hosting providers and large enterprises. Residential customers never appear in the registry database because their addresses come from internal ISP pools, not from ARIN or RIPE directly. Second, GDPR and similar privacy frameworks redact personal data even where it was once collected. The information showing up in a WHOIS record points to the operator of the block, not the end user. Your ISP knows which subscriber held a given address at a given time, and that information leaves the ISP only with a legal request.
How did GDPR change IP WHOIS records?
GDPR forced European registries, primarily RIPE NCC, to redact personally identifiable information from publicly returned WHOIS records starting in 2018. Fields that once exposed individual contact names, phone numbers and addresses became either hidden or replaced with generic role-based contacts. The structure of the records did not change but the personal layer disappeared. ARIN applied similar redactions on its own initiative for residential reassignments. The net effect is that modern WHOIS lookups return organisations rather than individuals, abuse mailboxes rather than personal email addresses, and aggregate data rather than household-level detail.
Is RDAP replacing WHOIS?
RDAP runs alongside WHOIS rather than replacing it overnight. All five RIRs operate RDAP servers today and ICANN policy encourages new tooling to default to RDAP. The advantages are structured JSON responses, HTTPS transport, internationalisation support and consistent schemas across registries. WHOIS over port 43 still works and probably will for the next decade because too many legacy tools depend on it. The practical recommendation is to write new code against RDAP and keep WHOIS as a fallback. Browsers and command-line tools increasingly speak RDAP natively, which makes the transition smoother for everyday users.