IP Lookup: Exploring the Top 8 Ways to Perform an IP Address Lookup

reconnaissance

SecurityTrails Blog · Apr 03 · SecurityTrails team

Every machine located within a TCP/IP network (it could be a LAN -local network- or a Wan -the Internet-) has a uniquely assigned Internet Protocol address. This address is known as the IP address, or simply, the IP.

An IP lookup, also known as an IP address lookup or IP checker, is the act of trying to detect the information behind an IP address, for both IPV4 and IPV6 types of IPs.

When you perform an IP address lookup in real time, you will likely be querying and testing against the ARIN (American Registry for Internet Numbers) database. On other occasions, the query will be answered by a passive DNS, domain or IP database server. In either situation, inputting an IP address will show you detailed information about the ISP and web hosting/server provider using that network block.

Most of the time, this sort of information is queried by technical users, system administrators and security researchers performing infosec investigations surrounding phishing domains, spamming, DNS attacks and other illegal activities.

Today we’ll explore the top most effective tools you can use to perform an IP lookup utilizing terminal-based commands and web-based interfaces.

Top Unix/Linux IP lookup tools

While an IP lookup can be performed from Windows operating systems, Unix and Linux are often the ideal platforms to run a full IP lookup and domain and network diagnostics, due to the wide number of tools available and actions you can perform.

Now let’s analyze the most popular terminal-based tools designed for performing a quick domain IP address lookup as well as a WHOIS IP lookup.

Ping

The Ping tool is a cross-platform command available on most modern operating systems. It’s widely used to determine if a network or remote machine is responding to remote network requests—in other words, if it’s “alive” (online).

The Ping command uses the ICMP echo (RFC 792 Internet Control Message Protocol) function to send packets over the network to a specific hostname or IP address. Once the packet has been sent, it will wait for the remote packet response. If the remote host is up, it will return a network packet; if not, it may be a sign that the host is unreachable, down or simply that the ICMP response is disabled by firewall rules on the destination server.

This command is also used to measure the network response speed, packet loss and number of packets sent/received. Ultimately, the main goal of Ping is to resolve the IP address of any host, as you see below:

ping domain.com

This way you can perform a simple domain IP lookup. When you target a balanced domain that is listening on multiple IP addresses (as used in Round Robin DNS, for example), the domain IP lookup will sometimes resolve to different IP addresses.

Microsoft’s DNS zone exemplifies this case:

Microsoft's DNS zone

The Ping command can also be used against IP addresses—just replace the target for any IP address, as shown below:

ping 8.8.8.8

This way, we can get a summary of all the data obtained from this quick IP network lookup:

[research@securitytrails.com ~]$ ping -c4 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=34.10 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=34.9 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=34.4 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=34.9 ms
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 34.419/34.785/34.963/0.251 ms

And there you have it! That’s the easiest way to perform a domain IP lookup.

Dig

Dig, know as Domain Information Groper, is a popular domain tool and DNS utility used to query DNS name servers while performing IP and DNS lookups.

To run a simple domain IP lookup using Dig, use the following syntax:

dig A domain.com

For example:

[research@securitytrails.com ~]$ dig A securitytrails.com

; <<>> DiG 9.11.5-P4-RedHat-9.11.5-4.P4.fc29 <<>> A securitytrails.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24940
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION
;securitytrails.com. IN A

;; ANSWER SECTION:
securitytrails.com. 283 IN A 151.139.243.5

;; Query time: 28 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Mar 24 22:07:33 -03 2019
;; MSG SIZE rcvd: 63

In the previous example, dig was querying against the A DNS record type, which answered back showing the 151.139.243.5 as the main IP address.

You can see that there is a lot of information that isn’t directly related to the IP address, such as query time, the DNS server that was queried, query status, and other details.

Here’s a simplified way to achieve the same results:

[research@securitytrails.com ~]$ dig +noall +answer securitytrails.com
securitytrails.com. 564 IN A 151.139.243.5

+noall disables stats, comments and other non-useful things, and +answer will only include the answer from the DNS server, the very part we need.

For an even easier way to do it, use the +short option:

[research@securitytrails.com ~]$ dig securitytrails.com +short

151.139.243.5

nslookup

nslookup is another widely-used system and network administration terminal-based tool available on Unix/Linux and Windows systems.

This tool is mostly used while running network diagnostics and system administration tasks, often to query DNS servers as a way to grab the IP address behind a host.

Let’s illustrate how to use nslookup to run a simple domain IP lookup:

nslookup securitytrails.com

Expected output:

[research@securitytrails.com ~]$ nslookup securitytrails.com
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: securitytrails.com
Address: 151.139.243.5

Host

One way to use the host command to perform an IP lookup is to query against an IP address. You can also use it bidirectionally when querying hostnames — host can help security researchers perform DNS lookups to translate hostnames into IP addresses, and vice versa. It supports different lookups for various DNS records such as A, MX or NS records.

To find the IP address of the remote securitytrails.com server, just type:

host securitytrails.com

This will return something like:

[research@securitytrails.com ~]$ host securitytrails.com
securitytrails.com has address 151.139.243.5
securitytrails.com mail is handled by 5 alt1.aspmx.l.google.com.
securitytrails.com mail is handled by 5 alt2.aspmx.l.google.com.
securitytrails.com mail is handled by 10 aspmx2.googlemail.com.
securitytrails.com mail is handled by 10 aspmx3.googlemail.com.
securitytrails.com mail is handled by 1 aspmx.l.google.com.

As you see, you obtained the main IP address (151.139.243.5) from the A-type DNS record, as well as the MX records from Google G-suite.

Let’s see the opposite now with the IP addresses of two [popular DNS servers][blog_dnsservers] such as Cloudflare’s 1.1.1.1 and Google’s 8.8.8.8.

[research@securitytrails.com ~]$$ host 8.8.8.8
8.8.8.8.in-addr.arpa domain name pointer google-public-dns-a.google.com.
[research@securitytrails.com ~]$$ host 1.1.1.1
1.1.1.1.in-addr.arpa domain name pointer one.one.one.one.

In this case, we obtained the rDNS or PTR record from the IP network provider. This is also called reverse IP lookup, or rDNS lookup.

WHOIS

The WHOIS command is one of our favorite terminal commands, as it can reveal a lot of information about any IP address.

As seen in our WHOIS History article, the WHOIS command dates back to the time of ARPANET, and its development has continued to the present day.

When you use WHOIS to perform an IP lookup, your host will try to pick the right WHOIS database server to ask for the information you need. Other times, it will connect to whois.networksolutions.com for NIC handles, or to ARIN at whois.arin.net when you need to perform network and IPv4 lookups.

While it can also be used to fetch domain information, we’ll use it this time to fetch IP information.

The syntax is pretty simple:

whois XX.XX.XX.XX

Output example against Cloudflare’s 1.1.1.1 IP address:

[research@securitytrails.com:~]whois 1.1.1.1
[Querying whois.arin.net]
[Redirected to whois.apnic.net]
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '1.1.1.0 - 1.1.1.255'

% Abuse contact for '1.1.1.0 - 1.1.1.255' is 'abuse@apnic.net'

inetnum: 1.1.1.0 - 1.1.1.255
netname: APNIC-LABS
descr: APNIC and Cloudflare DNS Resolver project
descr: Routed globally by AS13335/Cloudflare
descr: Research prefix for APNIC Labs
country: AU
org: ORG-ARAD1-AP
admin-c: AR302-AP
tech-c: AR302-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-AU-APNIC-GM85-AP
mnt-irt: IRT-APNICRANDNET-AU
status: ASSIGNED PORTABLE
remarks: ---------------
remarks: All Cloudflare abuse reporting can be done via
remarks: resolver-abuse@cloudflare.com
remarks: ---------------
last-modified: 2018-03-30T01:51:28Z
source: APNIC

irt: IRT-APNICRANDNET-AU
address: PO Box 3646
address: South Brisbane, QLD 4101
address: Australia
e-mail: abuse@apnic.net
abuse-mailbox: abuse@apnic.net
admin-c: AR302-AP
tech-c: AR302-AP
auth: # Filtered
mnt-by: MAINT-AU-APNIC-GM85-AP
last-modified: 2011-09-22T03:53:02Z
source: APNIC

organisation: ORG-ARAD1-AP
org-name: APNIC Research and Development
country: AU
address: 6 Cordelia St
phone: +61-7-38583100
fax-no: +61-7-38583199
e-mail: helpdesk@apnic.net
mnt-ref: APNIC-HM
mnt-by: APNIC-HM
last-modified: 2017-10-11T01:28:39Z
source: APNIC

role: APNIC RESEARCH
address: PO Box 3646
address: South Brisbane, QLD 4101
address: Australia
country: AU
phone: +61-7-3858-3188
fax-no: +61-7-3858-3199
e-mail: research@apnic.net
nic-hdl: AR302-AP
tech-c: AH256-AP
admin-c: AH256-AP
mnt-by: MAINT-APNIC-AP
last-modified: 2018-04-04T04:26:04Z
source: APNIC

% Information related to '1.1.1.0/24AS13335'

route: 1.1.1.0/24
origin: AS13335
descr: APNIC Research and Development
6 Cordelia St
mnt-by: MAINT-AU-APNIC-GM85-AP
last-modified: 2018-03-16T16:58:06Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-US3)

As you see, this tool gave us a few important details about the IP address, such as the network source (APNIC), the AS number (AS13335), INET number (1.1.1.0 - 1.1.1.255), description of the network (APNIC and Cloudflare DNS Resolver project / Routed globally by AS13335/Cloudflare), abuse email address (abuse@apnic.net / resolver-abuse@cloudflare.com), as well as the full mail address (6 Cordelia St, PO Box 3646, South Brisbane, QLD 4101 - Australia).

Nmap

You’re reading this correctly: Nmap is not only one of the best network mappers and port scanners around, it’s also a useful utility when it comes to IP lookups.

By using Nmap with its powerful NSE scripts, you can also run any IP WHOIS lookup.

The whois-ip NSE script queries the Regional Internet Registries (RIR) WHOIS databases and tries to fetch as much information as possible about the target, such as inetnum, inetname, description, country, organization name and associated email address.

nmap target --script whois-ip

Expected output:

[research@securitytrails.com ~]$ nmap 1.1.1.1 --script whois-ip

Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-25 08:13 -03
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.026s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https

Host script results:
| whois-ip: Record found at whois.apnic.net
| inetnum: 1.1.1.0 - 1.1.1.255
| netname: APNIC-LABS
| descr: APNIC and Cloudflare DNS Resolver project
| country: AU
| orgname: APNIC Research and Development
| organisation: ORG-ARAD1-AP
| email: helpdesk@apnic.net
| role: APNIC RESEARCH
|_email: research@apnic.net

BgpView

BGPView allows any visitor to perform network and IP lookups using a web-based interface, or an API, to view details about IP addresses, ASN, prefix or any resource name on the Internet.

BGPView network and IP lookups

When it comes specifically to IP lookups (in this case bgpview.io/ip/1.1.1.1), it can reveal a lot of information (similar to the whois command), but a handy feature with this tool is its rDNS lookup, and the ability to cross data and jump into related network data such as AS (bgpview.io/asn/13335) or explore the full IP range (1.1.1.0/24).

BGPView CloudFlare lookup

Historical IP Lookup

Nowadays, network, domain and IP history are critical for investigating any infosec incident, offering the information needed to expose useful information such as where the domain was hosted, technical and personal details about the person involved, where the web servers were hosted, or what MX servers were used to send an email.

SecurityTrails IP History is one of the easiest ways you can perform a historical IP lookup. You can do it by using our web-based interface, or by API. Let’s see two practical examples of how you can perform a simple IP lookup.

In less than a second, you’ll have the full IP lookup with all the IPV4 records found for that server, including domain name, Alexa rank, web hosting provider and email provider.

SecurityTrails Historical IP lookup

One of our tool’s handiest features is the IP neighbors function, which lets you find all the neighbors hosted on the same IP address ordered by IP range and number of sites hosted.

SecurityTrails IP neighbors

By using our API you can accomplish the same results. Our API supports a wide range of programming languages and integrations, but for this quick example we will launch a query against our database using the old terminal-based curl utility:

curl  --request GET \

--url  'https://api.securitytrails.com/v1/ips/nearby/8.8.8.8?apikey=your_api_key'

Expected output will show something like this:

"endpoint": "/v1/ips/nearby/8.8.8.8",
"blocks": [
  {
    "sites": 4,
    "ip": "8.8.8.0/32"
  },
  {
    "sites": 13,
    "ip": "8.8.8.1/32"
  },
  {
    "sites": 3,
    "ip": "8.8.8.2/32"
  },
  {
    "sites": 4,
    "ip": "8.8.8.3/32"
  },
  {
    "sites": 15,
    "ip": "8.8.8.4/32"
  },
  {
    "sites": 1,
    "ip": "8.8.8.5/32"
  },
  {
    "sites": 2,
    "ip": "8.8.8.6/32"
  },
  {
    "sites": 6,
    "ip": "8.8.8.7/32"
  },
  {
    "sites": 20888,
    "ip": "8.8.8.8/32",
    "current": true

Our Passive DNS API allows you to fully integrate our intelligent cybersecurity database within your own apps, automating the entire OSINT process in just minutes.

How to perform a passive IP lookup

SurfaceBrowser™ is our enterprise-security OSINT tool that allows you to test, access and correlate domain, DNS and IP data-sets in mere seconds.

Chosen by public and private infosec agencies to perform deep and thorough investigations into all cybersecurity aspects of domain names belonging to any company in the world, it’s also a great way to perform IP research.

IP lookup check

To perform an IP lookup check with SurfaceBrowser, you simply need to follow these steps:

Important: if you don’t have a SecurityTrails account with SurfaceBrowser™ enabled, book a demo today with our Sales team! Or sign up for a 7-day trial for only $49.

  • Login to your SecurityTrails account at [securitytrails.com/app/auth/login][account_login]
  • Move to the SurfaceBrowser™ interface: securitytrails.com/app/sb
  • Enter the IP address you wish to explore.
  • Browse the results and pivot between the ASN, IP and domain data links.

SurfaceBrowser™ IP Lookup

As you can see, by using the IP lookup tool you will be able to access IP details such as associated rDNS, ASN number, Organization, Type of Company and IP route. A real-time map of the geographical IP address origin will be displayed as well.

The same applies to IP ranges—you can extract all the intel about any IP range in the world. In the following example, we’re exploring Cloudflare’s range 1.1.1.0/24:

SurfaceBrowser™ CloudFlare's IP range

If you click ‘Explore nearby IPs’, you will find many additional IP ranges associated with your initial IP search, letting you find sites hosted on each one of those ranges instantly.

SurfaceBrowser™ Explore nearby IP's

SurfaceBrowser™ also allows you to explore all the hosted domains within any IP address, and find details about every one of them. The filter lets you order results by hostname, Alexa rank, computed company name, registrar, expiry date, creation date, mail and hosting provider.

SurfaceBrowser™ hosted domains within IP

It’s an easy and efficient way to cross data and pivot between all information extracted from that single IP address.

Reverse IP lookup verification

A PTR record is also known as reverse DNS, or rDNS. Quite simply, it’s the reverse information shown for the A DNS record.

Usually when you analyze an A record, you’ll find that it points to a domain name. On the other hand, a PTR record will map an IP address to a hostname—just the opposite.

PTR records are not only useful for finding data correlation in your infosec research, but also to protect against spammers and malicious domain names that will try to exploit your mail server. Therefore, most popular email providers always check for PTR records by performing domain and IP lookups before accepting any incoming email from external hostnames.

SurfaceBrowser™ has the ability to show you every PTR record from any company domain name in existence.

In this case, while analyzing cloudflare.com, we were able to get all the associated PTR records from each hostname, as well as the IPs responding to that hostname:

SurfaceBrowser™ CloudFlare PTR record

And for each one of those PTR records, you’ll be able to find critical information such as open ports and associated IP addresses.

PTR record open ports

By clicking the right column, all associated IP addresses belonging to that record will be displayed:

All associated IP addresses from PTR record

Final thoughts

Performing an infosec investigation will always require the use of manual tools (such as ping and dig) when you run isolated tests and tasks. But when you need to accomplish a number of IP lookups, the entire process can become slow and time-consuming.

Fortunately, there’s a solution. By using our daily-updated historical IP database, you’ll be able to avoid using slow manual commands and start fetching results from our API database with your own apps.

Alternatively, SurfaceBrowser™ is a great infosec tool to cross data between your IP lookups, rDNS lookup, open ports, domain and DNS information in an instant.


Get your free API account today, or book a SurfaceBrowser™ demo with our sales team so you can get a deep IP lookup approach against any IP address and domain name in the world!