When you want to know who really owns an IP address — not just where it’s geolocated, but the actual organization that holds the allocation — you do a WHOIS lookup. WHOIS predates the modern web; it’s been the registry-of-record for IPs and domains since 1982. In 2026 it’s still the authoritative source, even though the data layout is awkward and the protocol shows its age.
This post explains what WHOIS is, what an IP WHOIS record actually contains, how it relates to ASN data, and how to use it in practice for fraud investigation, abuse handling, and network research.
What WHOIS Is
WHOIS is a TCP protocol (port 43) and a data model. You send a query — typically just the resource you want to look up — and the server returns a text record. The data was originally maintained by SRI-NIC; today it’s split across:
- Five Regional Internet Registries (RIRs): ARIN (North America), RIPE NCC (Europe / Middle East / Central Asia), APNIC (Asia-Pacific), LACNIC (Latin America), AFRINIC (Africa).
- Domain registrars for domain WHOIS data.
- Aggregators like ARIN’s RDAP gateway, RIPEstat, BGP toolkits that proxy and normalize the data.
For IP addresses, the relevant authority is the RIR that allocated the block. You query whichever RIR is correct for the IP — most modern tools handle the routing for you.
What a WHOIS Record Contains
An IP WHOIS record describes the block the IP belongs to, not the IP individually. Typical fields:
- NetRange / CIDR — The range of IPs covered. Example:
8.8.8.0 - 8.8.8.255or8.8.8.0/24. - NetName — A short identifier for the block.
LVLT-GOGL-8-8-8for Google’s 8.8.8.0/24. - NetHandle — RIR-internal identifier for the registration.
- OrgName / OrgID — The owning organization.
Google LLC. - OrgAddress / Country — Registered postal address. Often a headquarters address, not where the IPs are physically used.
- RegDate / Updated — When the block was assigned and last updated.
- Origin AS — The ASN currently announcing the prefix.
- Abuse contact — Email address for reporting abuse from this network.
- Tech / admin contacts — Operational and administrative POCs.
A sample for 8.8.8.8:
NetRange: 8.8.8.0 - 8.8.8.255
CIDR: 8.8.8.0/24
NetName: LVLT-GOGL-8-8-8
NetHandle: NET-8-8-8-0-1
OriginAS: AS15169
Organization: Google LLC (GOGL)
RegDate: 2014-03-14
Updated: 2014-03-14
OrgAbuseEmail: [email protected]This tells you: the IP is in a Google-owned /24, registered in 2014, originated from AS15169 (Google), abuse complaints go to [email protected]. That’s a complete picture, and you got it from one query.
WHOIS vs RDAP
WHOIS is being slowly replaced by RDAP (Registration Data Access Protocol). RDAP returns structured JSON instead of free-form text, supports proper authentication, and has well-defined queries. All five RIRs run RDAP services in parallel with their legacy WHOIS.
If you’re building tooling in 2026, prefer RDAP:
GET https://rdap.arin.net/registry/ip/8.8.8.8
{
"objectClassName": "ip network",
"handle": "NET-8-8-8-0-1",
"startAddress": "8.8.8.0",
"endAddress": "8.8.8.255",
"name": "LVLT-GOGL-8-8-8",
"entities": [...]
}JSON is much friendlier than free-form WHOIS text. The data layer is the same; the format is just modern.
How WHOIS Relates to IP Geolocation
WHOIS tells you who owns an IP block. IP geolocation tells you where the IP is used. These are different — sometimes very different.
A US-headquartered company like Cloudflare owns IP blocks used worldwide. WHOIS will say “Cloudflare, San Francisco.” Geolocation will tell you the actual user’s region (Tokyo, Berlin, São Paulo). For an anycast IP, WHOIS gives the operator; geolocation gives a different answer depending on the user.
The pair is more powerful than either alone:
- WHOIS → who runs this network, who to contact for abuse
- Geolocation → where the IP is being used right now
For fraud detection and abuse handling, you usually want both.
Common Uses for WHOIS
Abuse handling
A spam or DDoS attack from an IP — you look up WHOIS to find the abuse contact and send a complaint. This is the original use case and still the most important.
Network research
“Who owns this prefix? Which AS is announcing it? When was it last updated?” Useful for security researchers, BGP analysis, and incident response.
Verifying ownership
Before assuming an IP belongs to a particular company, check WHOIS. A scammer claiming to be “Amazon AWS” might be using IPs that actually belong to a residential ISP.
Geographic context
WHOIS country is often more reliable than geolocation country for the operator’s country (especially for cloud and hosting), even if it doesn’t match the user’s country.
Compliance and audit
For regulated environments, the registered owner of an IP is a documented fact, not a database guess. WHOIS data is what you cite in audit reports.
Querying WHOIS in Practice
Command line
The whois CLI is on every Unix system:
whois 8.8.8.8It auto-routes to the right RIR and prints the record. Fast, works offline once you have an internet connection.
Programmatically (Node.js)
import { exec } from 'node:child_process'
import { promisify } from 'node:util'
const run = promisify(exec)
async function whoisLookup(ip) {
const { stdout } = await run(`whois ${ip}`)
return stdout
}Or use a library like node-whois for a programmatic API without shelling out.
Programmatically (Python)
import subprocess
def whois_lookup(ip: str) -> str:
result = subprocess.run(['whois', ip], capture_output=True, text=True)
return result.stdoutOr python-whois from PyPI for the same without subprocess.
Through an API
For production, calling whois per-request is slow and rate-limited by RIRs. Instead use an IP intelligence API that includes WHOIS-derived data. The Ip2Geo API returns ASN + organization name inline with every geo lookup — much of what you’d want from WHOIS without the parsing overhead.
WHOIS Rate Limits
Every RIR rate-limits WHOIS queries. Hammer ARIN with thousands of queries per second from a single IP and you’ll get blocked. Practical limits in 2026:
- ARIN: ~100 queries/minute per IP
- RIPE: Similar, with bulk APIs available
- APNIC / LACNIC / AFRINIC: Lower, ~30-60/min
For production-scale WHOIS lookups, you need to cache results aggressively (the data changes monthly at most) and consider mirroring RIR bulk dumps (RIPE’s database is downloadable in bulk; ARIN has bulk WHOIS access with a contract).
Most teams just use a hosted API and avoid the rate-limit dance entirely.
What WHOIS Doesn’t Tell You
A common confusion: WHOIS shows the registered contact, not necessarily who’s operating the network right now.
- Reassignments are common. A large ISP might assign a /22 to a downstream customer; WHOIS shows the customer at the leaf level but the upstream ISP at the higher level. You may need to query both.
- Stale data is common. A company gets acquired; WHOIS still shows the old name for years. The org went out of business; the IPs are now used by a successor without WHOIS being updated.
- Privacy redaction in some RIRs (especially RIPE, post-GDPR) removes personal contact info. You get the organization but not the individuals.
- Subleases and IP transfers happen between organizations without WHOIS reflecting them in real time.
For accurate “who’s announcing this prefix right now,” BGP data (RouteViews, RIPE RIS) is more authoritative than WHOIS.
Domain WHOIS vs IP WHOIS
There are two distinct WHOIS systems:
- Domain WHOIS — Queries registrars about domain names. Returns owner, registrar, nameservers, registration dates.
- IP WHOIS — Queries RIRs about IP allocations. Returns owner organization, ASN, abuse contacts.
They use the same protocol but different servers and different data models. Don’t confuse them. A whois example.com and whois 93.184.216.34 return very different things.
For a domain → IP, see How to find a domain’s IP. For domain ownership, see your registrar’s WHOIS records (post-GDPR these are often redacted for individuals).
Privacy and GDPR
Since 2018, WHOIS data has been complicated by GDPR. RIPE (Europe) heavily redacts personal contact info in WHOIS results — you get the organization name but not individual names or direct contacts. ARIN (North America) is less aggressive. APNIC, LACNIC, AFRINIC vary.
For abuse handling, the abuse-c contact (typically a role address like [email protected]) is generally still published, because handling abuse is a legitimate purpose under GDPR. So you can usually still send abuse reports even when other contact details are redacted.
For IPs themselves, geolocation data has its own GDPR considerations.
Tools and Resources
A few useful WHOIS-adjacent tools:
whoisCLI — Universal, free, handles auto-routing.- RIR web interfaces — ARIN, RIPE, APNIC, etc. all have search UIs at their main sites.
- RDAP gateways — Modern JSON alternative to WHOIS.
- BGP toolkits — bgp.he.net, RIPEstat — combine WHOIS, BGP, and geolocation in one view.
- Hosted IP intelligence APIs — Return WHOIS-derived org/ASN data alongside geolocation.
For most production use cases, an API that returns ASN + organization name inline (like Ip2Geo) is the right level of abstraction — you get the useful WHOIS data without parsing free-form text or hitting rate limits.
TL;DR
- WHOIS is the authoritative record of who owns an IP block, maintained by the five RIRs.
- You get organization, ASN, abuse contact, registration dates — useful for abuse handling and network research.
- RDAP is the modern JSON replacement. Prefer it when building tooling.
- WHOIS owner ≠ IP geolocation user location. They answer different questions; use both for completeness.
- Rate limits are strict. Cache aggressively or use an aggregator API.
- Post-GDPR, personal data is often redacted. Organization and abuse-c contact usually still available.
WHOIS isn’t going away — it’s the foundation of internet governance for IPs. For most application-layer use cases (fraud detection, geo lookup, abuse handling) you don’t query WHOIS directly; you use an IP intelligence API that returns the derived fields you need. WHOIS is what’s powering those fields underneath.