IP WHOIS | RDAP / WHOIS IP Intelligence Tool

image.png

The platform available at https://dash.niamonx.io/ip_whois โ€” known as IP WHOIS โ€” is an IP intelligence and registration lookup tool within the NiamonX platform. It allows users to search RDAP / WHOIS information for IPv4 and IPv6 addresses, including network ranges, CIDR blocks, IP version, country, network name, allocation type, registration status, events, notices, remarks, related entities, contacts, abuse contacts, administrative contacts, technical contacts, RDAP links, and raw JSON data.

Overview of the Service

IP WHOIS is designed to help users investigate the public registration and network ownership information associated with an IP address. The tool retrieves structured RDAP / WHOIS data and presents it in an analyst-friendly interface.

It is useful for cybersecurity investigations, OSINT research, incident response, SOC triage, abuse reporting, infrastructure mapping, network ownership checks, threat intelligence enrichment, compliance review, and technical due diligence.

Instead of manually querying multiple WHOIS or RDAP endpoints, users can enter a single IP address and receive a structured summary of the network, related objects, contacts, events, statuses, and remarks.

The tool is especially helpful when users need to answer questions such as:


๐Ÿ” How the Tool Works

When a user enters an IPv4 or IPv6 address, IP WHOIS validates the input and performs an RDAP / WHOIS lookup. The result is parsed and displayed in multiple structured sections.

Example query:

IP Address: 1.1.1.1

Example result summary:

Range: 1.1.1.0 - 1.1.1.255
CIDR: 1.1.1.0/24
Name: APNIC-LABS
Type: ASSIGNED PORTABLE
Country: AU
IP Version: v4
Objects: 3

The tool may display:


๐Ÿงฉ Supported Input

IP WHOIS supports direct lookup of IP addresses only.

Supported input types:

Valid examples:

1.1.1.1
8.8.8.8
2606:4700:4700::1111
2001:4860:4860::8888

Unsupported examples:

example.com
https://1.1.1.1
1.1.1.1/24
cloudflare.com
localhost
999.999.999.999

Important validation rule:

Only IPv4 or IPv6.

The tool is not intended for domain WHOIS lookups. Domain names, URLs, hostnames, and CIDR ranges should be checked with other dedicated tools.


๐Ÿ“Š Summary Section

The Summary section provides a compact overview of the IP lookup result.

Example:

1.1.1.0 - 1.1.1.255
ASN โ€”
CIDR 1.1.1.0/24
Entities: 0
22:42:09

Typical fields include:

Field Description
Range The IP range containing the queried address
ASN Autonomous System Number, if available
CIDR Network block in CIDR notation
Entities Number of related objects or contacts
Time Lookup or display time

The Summary section is useful for quick triage. It allows analysts to understand the basic network assignment without opening the full raw response.


๐Ÿงพ Query Details

The Query section displays the main lookup data returned for the IP address and associated network.

Example:

Query: 1.1.1.0 - 1.1.1.255
ASN: โ€”
ASN CIDR: โ€”
ASN CC: โ€”
ASN Registry: โ€”
ASN Date: โ€”
ASN Description: โ€”
Entities Count: 0
Network CIDR: 1.1.1.0/24
Start: 1.1.1.0
End: 1.1.1.255
IP Version: v4

This section helps users separate the queried IP from the larger network block it belongs to.


๐ŸŒ Network Information

The network block describes the IP allocation or assignment returned by RDAP / WHOIS.

Example:

Name: APNIC-LABS
Type: ASSIGNED PORTABLE
Network: ASSIGNED PORTABLE
Handle: 1.1.1.0 - 1.1.1.255
Parent: -
CIDR: 1.1.1.0/24
Start: 1.1.1.0
End: 1.1.1.255
Version: v4
Country: AU

Name

The network name identifies the registered network object.

Example:

APNIC-LABS

The name may represent a registry project, organization, network allocation, ISP block, cloud provider range, hosting provider range, enterprise network, research prefix, or another registered resource.


Type

The type field describes the allocation or assignment category.

Example:

ASSIGNED PORTABLE

Common type values may include:

The exact values depend on the registry and RDAP source.


Handle

The handle is the identifier of the network object.

Example:

1.1.1.0 - 1.1.1.255

In some registries, the handle may be a textual object ID. In other cases, it may resemble the network range itself.


Parent

The parent field shows the parent network object if one is available.

Example:

Parent: -

A missing parent value does not necessarily mean that no broader allocation exists. It may simply mean that the source did not expose parent information in the returned object.


CIDR

CIDR shows the network prefix that contains the queried IP address.

Example:

1.1.1.0/24

CIDR is useful for:


Start and End

Start and End define the first and last IP addresses in the returned network range.

Example:

Start: 1.1.1.0
End: 1.1.1.255

This helps users understand whether a suspicious IP belongs to a small network, a large provider allocation, a cloud range, or a specific assigned block.


IP Version

The version field identifies whether the network is IPv4 or IPv6.

Example:

Version: v4

Possible values:

v4
v6

Country

The country field displays the country code associated with the network registration.

Example:

Country: AU

Important note: the country value in WHOIS / RDAP data does not always represent the physical location of the server. It may represent the registration country, registry region, organization address, or administrative contact location.

For accurate infrastructure geolocation, the country field should be compared with IP geolocation, routing data, ASN information, DNS records, latency, and other technical signals.


๐Ÿ›ฐ๏ธ ASN Information

ASN data describes the Autonomous System associated with an IP address, when available.

The tool may display:

Example:

ASN: AS13335
ASN CIDR: 1.1.1.0/24
ASN CC: AU
ASN Registry: APNIC
ASN Date: 2011-08-11
ASN Description: CLOUDFLARENET

In some responses, ASN fields may be unavailable.

Example:

ASN: โ€”
ASN CIDR: โ€”
ASN CC: โ€”
ASN Registry: โ€”
ASN Date: โ€”
ASN Description: โ€”

Missing ASN data does not always mean that the IP is not routed. It may mean that the selected RDAP / WHOIS response did not include ASN enrichment.

For complete routing analysis, ASN data should be verified with BGP, RPKI, route collectors, passive DNS, and external network intelligence sources.


Example:

https://rdap.apnic.net/entity/AIC3-AP

Interface hint:

Hover your cursor over the open link icon to open the link in a new tab.

๐Ÿ“… Events

Events describe registration-related actions associated with the network or contact objects.

Possible event types may include:

Example display:

Events:
action โ€” -
action โ€” -

Some RDAP responses contain complete event dates. Others may return incomplete or minimal event objects.

Events are useful for:

Important note: event availability depends on the source registry. Not every RDAP / WHOIS response includes complete event data.


โœ… Status

The Status section shows the current state of the network object.

Example:

Status: active

Common statuses may include:

Status values depend on the registry and RDAP implementation.

A status such as active usually means the registration object is currently active in the registry database. It does not automatically mean that every IP inside the range is currently reachable, safe, or in use.


๐Ÿ“Œ Notices

Notices contain registry-provided informational messages, legal notices, terms of use, source information, or disclaimers.

Example:

Notices: No

If notices are present, they may include:

Users should review notices when using WHOIS / RDAP data in legal, compliance, or official reporting workflows.


๐Ÿ“ Remarks

Remarks contain additional registry-provided descriptions or notes about the network.

Example:

description:
APNIC and Cloudflare DNS Resolver project,
Routed globally by AS13335/Cloudflare,
Research prefix for APNIC Labs

remarks:
---------------
All Cloudflare abuse reporting can be done via
resolver-abuse@cloudflare.com
---------------

Remarks are often highly valuable because they may contain:

For investigations, remarks should be reviewed carefully. They may contain the correct abuse escalation channel even when the main contact object is generic.


๐Ÿ‘ฅ Objects and Contacts

The Objects section shows related RDAP entities such as organizations, abuse contacts, administrative contacts, technical contacts, NOC contacts, and registrants.

Example:

Objects: 3

Objects may include:

The tool supports searching and filtering objects by role.

Example:

Search...
Role: all

๐Ÿง‘โ€๐Ÿ’ผ Example Contact Object

Example object:

AIC3-AP
APNICRANDNET Infrastructure Contact
Kind: group
Roles:
administrative
technical
E-mails:
research@apnic.net
Phones:
+61 7 3858 3100
Addresses:
6 Cordelia St South Brisbane QLD 4101
Links:
https://rdap.apnic.net/entity/AIC3-AP

A contact object may contain:

Field Description
Handle Unique entity identifier
Name Display name of the entity
Kind Entity type, such as group or org
Roles RDAP roles assigned to the entity
E-mails Contact e-mail addresses
Phones Listed phone numbers
Addresses Postal or office addresses
Links RDAP links for the entity
Status Entity status, if available
Events Entity registration or update events
Remarks Additional registry-provided notes

๐Ÿท๏ธ RDAP Roles

Objects use standard RDAP role designations.

Common roles include:

Role Meaning
registrant Organization or entity associated with the registration
administrative Administrative contact
technical Technical contact
abuse Abuse reporting contact
noc Network Operations Center contact
billing Billing contact
registrar Registrar-related entity
reseller Reseller-related entity
sponsor Sponsoring organization

Example:

Roles:
administrative
technical

Another example:

Roles:
abuse

Roles are important for choosing the correct escalation path. For malicious activity, the abuse role is usually the most relevant contact type.


๐Ÿšจ Abuse Contacts

Abuse contacts are used to report malicious, unauthorized, or harmful activity associated with an IP address or network.

Example:

IRT-APNICRANDNET-AU
Roles:
abuse
E-mails:
helpdesk@apnic.net

Abuse contacts may be used for reports related to:

Before sending an abuse report, users should collect supporting evidence such as timestamps, URLs, logs, packet captures, screenshots, HTTP headers, DNS data, and affected systems.


๐Ÿ“ค Copy and Export Features

IP WHOIS supports data extraction features that help users move results into reports or external workflows.

Available actions may include:

These features are useful for:


๐Ÿ“„ Export Contacts to CSV

The Export contacts to CSV function allows users to export aggregated contact information from the objects section.

The exported data may include:

This is useful when an investigation involves multiple entities and the analyst needs to preserve contact data in a structured format.

Example use cases:


๐Ÿงฌ Raw JSON

The Raw JSON view displays the original structured response returned by the RDAP / WHOIS source.

Raw JSON is useful for:

When accuracy matters, users should compare the visual UI fields with the raw JSON response.


๐Ÿ•“ Local IP History

IP WHOIS stores recent IP lookups locally in the browser.

Example interface section:

IP History
Filter...

History helps users:

Since the history is stored locally, it may be removed when browser data is cleared. It may also not sync between devices or browser profiles.

Security recommendation: clear local history on shared or untrusted devices when investigating sensitive IPs, customer incidents, or confidential infrastructure.


๐Ÿ”Ž Common Use Cases

IP WHOIS supports many practical cybersecurity and OSINT workflows.

IP Ownership Investigation

Identify the registered network, organization, allocation type, and contact objects associated with an IP address.

SOC Alert Triage

Enrich suspicious IP addresses from alerts, logs, firewall events, EDR detections, IDS events, or SIEM correlations.

Abuse Reporting

Find abuse contacts and supporting registration details for reporting malicious activity.

Phishing Infrastructure Analysis

Investigate IP addresses hosting phishing pages, fake login portals, clone websites, or malicious redirects.

Malware Infrastructure Review

Check IP addresses linked to malware delivery, command-and-control servers, botnets, or payload hosting.

Brand Protection

Identify infrastructure behind impersonation websites, fake stores, unauthorized brand pages, or fraudulent campaigns.

Network Troubleshooting

Check which network block an IP belongs to and review registration details.

Threat Intelligence Enrichment

Add WHOIS / RDAP context to indicators of compromise.

Compliance and Audit

Preserve registration data for investigation files, audit trails, incident documentation, or legal review.

OSINT Research

Map public infrastructure, investigate hosting providers, and identify related contact entities.


๐Ÿง  Practical Investigation Workflow

1. Enter a Valid IP Address

Use only IPv4 or IPv6.

Example:

1.1.1.1

Avoid domains, URLs, hostnames, and CIDR input.


2. Review the Summary

Check the returned range, CIDR, ASN, entity count, and lookup time.

Example:

Range: 1.1.1.0 - 1.1.1.255
CIDR: 1.1.1.0/24
Entities: 3

3. Review Network Details

Check the network name, allocation type, country, start IP, end IP, version, and handle.

Example:

Name: APNIC-LABS
Type: ASSIGNED PORTABLE
Country: AU
Version: v4

4. Check ASN Information

Example:

ASN Description: description of the autonomous system.

If ASN data is missing, verify routing information using additional BGP or ASN lookup tools.


5. Review Status and Events

Check whether the network is active and whether registration or update events are available.

Example:

Network Status: active

Events can support timeline analysis and help identify recent changes.


6. Inspect Remarks

Read remarks carefully because they may contain special instructions, abuse reporting information, routing notes, or project descriptions.

Example:

All Cloudflare abuse reporting can be done via resolver-abuse@cloudflare.com

7. Inspect Objects and Roles

Important roles:

abuse
administrative
technical
registrant
noc

For reporting malicious activity, prioritize abuse contacts.


8. Copy or Export Data

Use copy and export features to preserve results.

IP address
Network range
CIDR
Network name
Country
ASN data
Status
Events
Remarks
Contact objects
Abuse e-mails
Raw JSON
Lookup timestamp

9. Validate With Additional Evidence

For professional investigations, combine IP WHOIS data with:

WHOIS / RDAP data is only one part of the investigation.


๐Ÿ“Œ Field Interpretation Guide

ASN Description

The ASN Description field describes the autonomous system, when available.

Example meaning:

Description of the autonomous system.

This may identify an ISP, cloud provider, hosting provider, enterprise network, CDN, or other routing organization.


Network Status

Network Status shows the current status values associated with the network object.

Example:

active

Status values can indicate whether the object is active, allocated, assigned, reserved, or otherwise marked by the registry.


Events

Events show registration and change-related dates when the source provides them.

Possible examples:

registration
last changed
last updated

Events are useful for understanding when the object was created or modified.


Objects

Objects represent entities connected to the network.

Examples:

org
abuse
admin
technical
noc
registrant

Objects follow standard RDAP role designations and may contain names, e-mails, phones, addresses, links, statuses, events, and remarks.


โš ๏ธ Limitations and Important Notes

WHOIS / RDAP data should be interpreted carefully.

Important limitations:

In case of a server-side 500 error, repeat the request.

Example note:

In case of a 500 error on the server side, please repeat your request.

๐Ÿ›ก๏ธ Security, Privacy & Responsible Use

IP WHOIS is intended for lawful cybersecurity, OSINT, compliance, reporting, infrastructure analysis, and network investigation workflows.

Acceptable use cases include:

Users should follow responsible use principles:

WHOIS / RDAP data can support investigations, but it should not be used alone to accuse an organization or individual of malicious activity.


When using IP WHOIS to prepare an abuse report, include enough evidence for the receiving team to understand and verify the issue.

Source IP: 1.1.1.1
Observed activity: phishing / malware / scanning / spam / abuse
Timestamp with timezone: 17.06.2026, 22:42:09
Affected system or URL: relevant target
Evidence: logs, screenshots, headers, URLs, samples
WHOIS range: 1.1.1.0 - 1.1.1.255
CIDR: 1.1.1.0/24
Network name: APNIC-LABS
Abuse contact: listed abuse e-mail
Additional notes: analyst summary

A high-quality abuse report should be factual, concise, and evidence-based.


โš™๏ธ Technical Highlights


๐Ÿ“Œ Usage Hints


๐Ÿ“ฌ Contact Information

support@niamonx.io โ€” Technical Support
other@niamonx.io โ€” General Inquiries
takedown@niamonx.io โ€” Privacy or Data Removal Requests
legal@niamonx.io โ€” Legal and Compliance Matters

Alternative contact channel:

๐Ÿ”— Helpdesk: https://support.niamonx.io/


Summary

NiamonX IP WHOIS is an RDAP / WHOIS lookup tool for IPv4 and IPv6 addresses. It provides structured IP registration intelligence, including network range, CIDR, start and end IP, IP version, network name, allocation type, country, ASN fields, status, events, notices, remarks, RDAP links, related objects, contacts, e-mails, phone numbers, addresses, raw JSON, local history, copy options, and CSV export.

The tool is designed for OSINT research, SOC workflows, incident response, abuse reporting, phishing investigations, malware infrastructure analysis, brand protection, compliance documentation, network troubleshooting, and threat intelligence enrichment. Results should be interpreted as public registration context and combined with additional technical evidence before making conclusions about ownership, infrastructure usage, or attribution.


Revision #1
Created 17 June 2026 20:43:45 by NiamonX Team
Updated 17 June 2026 20:45:04 by NiamonX Team