Where the data comes from.
A short, honest accounting of the datasets behind Network Lookup — including required attribution and the cadence we update them on.
Most lookup tools quietly proxy a handful of third-party APIs and call it a day. We've tried to be more explicit. This page lists every dataset we draw on, why we chose it, and how often it refreshes — so you can judge the freshness and provenance of any answer the site gives you.
IP geolocation & ASN
MaxMind GeoLite2 is the primary source for country, region, city, postal code, coordinates, timezone, and Autonomous System Number lookups. We host the .mmdb files ourselves on Cloudflare R2 and read them at the edge with mmdb-lib. There is no per-request call to an external geolocation API on the hot path; the lookup is a binary tree walk in memory.
Three databases are loaded:
- GeoLite2-Country — fast country-level fallback (~7 MB).
- GeoLite2-City — region, city, postal code, lat/lon, timezone, accuracy radius (~70 MB).
- GeoLite2-ASN — autonomous system number and the registered organization name (~9 MB).
Refresh cadence is weekly. A separate Cloudflare Worker runs every Sunday at 04:00 UTC, downloads the current .tar.gz for each edition from MaxMind's permalink, and writes the new .mmdb back to the R2 bucket. MaxMind themselves publish updates on Tuesdays and Fridays; weekly refresh keeps us well within their licensing requirement to update at least every 30 days.
Per MaxMind's licensing terms:
This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.
DNS
Cloudflare DNS over HTTPS (cloudflare-dns.com) is queried for the DNS records tool, propagation checker, SPF / DMARC / DKIM / DNSSEC / CAA lookups, and the DoH whoami probe in the DNS leak test. Cloudflare's 1.1.1.1 resolver does not log query IPs per their stated policy. Google DoH (dns.google) is used as the secondary resolver for the DNS leak test.
WHOIS & domain registration
The WHOIS lookup and the registration panel of the Domain Health report use RDAP — the Registration Data Access Protocol (RFC 9082–9083), the structured-JSON successor to legacy port-43 WHOIS (ICANN-mandated for gTLDs, with ccTLD adoption still uneven). We resolve the authoritative RDAP server for each domain, IP range, or ASN through IANA's public bootstrap registries (data.iana.org/rdap), then query that registry or registrar over HTTPS and cache successful responses at the edge. TLDs that don't publish an RDAP endpoint aren't covered.
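The bootstrap step described above, as an added example (not Network Lookup's own code): it resolves a domain against a registry in the RFC 9224 layout used by IANA's bootstrap files and returns `null` for suffixes with no RDAP service. The sample registry, its server URLs and the function name `rdapUrlFor` are constructed for illustration.

```javascript
// Constructed sample in the RFC 9224 bootstrap layout: each service entry is
// [ [suffixes...], [base URLs...] ]. The URLs are placeholders, not real registries.
const SAMPLE_BOOTSTRAP = {
  version: "1.0",
  services: [
    [["example", "test"], ["https://rdap.registry-a.example/"]],
    [["co.test"], ["http://rdap.registry-b.example/", "https://rdap.registry-b.example"]],
  ],
};

// Return the RDAP query URL for a domain, or null when the suffix is not covered.
function rdapUrlFor(domain, bootstrap = SAMPLE_BOOTSTRAP) {
  const labels = String(domain).toLowerCase().replace(/\.$/, "").split(".");
  if (labels.some((l) => l.length === 0)) return null; // empty label: not a valid name

  // Longest label-wise match first: "a.b.c", then "b.c", then "c".
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    for (const [suffixes, urls] of bootstrap.services) {
      if (!suffixes.includes(suffix)) continue;
      // Only follow HTTPS base URLs; a registry offering plain HTTP alone is skipped.
      const base = urls.find((u) => u.startsWith("https://"));
      if (!base) return null;
      const root = base.endsWith("/") ? base : base + "/";
      return root + "domain/" + encodeURIComponent(labels.join("."));
    }
  }
  return null; // no RDAP endpoint published for this suffix
}
```
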
Certificate Transparency
crt.sh, operated by Sectigo, is the public Certificate Transparency log aggregator we query for the CT search tool. crt.sh indexes across every publicly-trusted CT log (Google, Cloudflare, DigiCert, Let's Encrypt, and others) so a single query covers the lot. The API is rate-limited; we cache responses for ten minutes at the edge to reduce upstream load.
MAC addresses
The IEEE OUI registry is the authoritative source for MAC-to-manufacturer mappings. We bundle the oui-data npm package directly into the Worker — about 39,000 entries covering MA-L (24-bit), MA-M (28-bit), and MA-S (36-bit) blocks. The lookup is a hash-table hit in memory; no upstream call per request. The list is updated on each Worker deploy from the latest IEEE publication.
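Because MA-M and MA-S blocks are carved out of a 24-bit prefix, a lookup has to try the longest prefix first. The following added example (not the site's code and not the oui-data package's API) shows that matching over a constructed registry; the prefixes, vendor names and the function name `lookupVendor` are made up for illustration.

```javascript
// Constructed registry keyed by hex prefix: 6 digits = MA-L (24-bit),
// 7 digits = MA-M (28-bit), 9 digits = MA-S (36-bit).
const SAMPLE_OUI = new Map([
  ["00AABB", "Example Large Block Ltd (MA-L)"],
  ["00AACC", "Example Parent Block (MA-L, subdivided)"],
  ["00AACC1", "Example Medium Block GmbH (MA-M)"],
  ["00AACC2F3", "Example Small Block Inc (MA-S)"],
]);

function lookupVendor(mac, registry = SAMPLE_OUI) {
  // Accept the usual separators, then require exactly 12 hex digits.
  const hex = String(mac).replace(/[:.\-\s]/g, "").toUpperCase();
  if (!/^[0-9A-F]{12}$/.test(hex)) return null;

  const firstOctet = parseInt(hex.slice(0, 2), 16);
  const flags = {
    multicast: (firstOctet & 0x01) !== 0,
    locallyAdministered: (firstOctet & 0x02) !== 0,
  };
  // Locally administered addresses (for example randomized ones) carry no
  // IEEE assignment, so a registry hit on them would be misleading.
  if (flags.locallyAdministered) return { vendor: null, prefixBits: 0, ...flags };

  // Longest prefix wins: MA-S, then MA-M, then MA-L.
  for (const digits of [9, 7, 6]) {
    const vendor = registry.get(hex.slice(0, digits));
    if (vendor) return { vendor, prefixBits: digits * 4, ...flags };
  }
  return { vendor: null, prefixBits: 0, ...flags };
}
```
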
Ports
Port assignments come from IANA's Service Name and Transport Protocol Port Number Registry, supplemented with nmap's nmap-services for frequency data. For commonly-used ports (HTTPS/443, SSH/22, SMTP/25, etc.) we maintain hand-written editorial content layered on top of the IANA assignment.
IP reputation & risk classification
The IP reputation tool and the reputation panel of IOC Enrichment are built entirely from first-party and openly-licensed signals — there is no third-party abuse-score feed:
- Network / infrastructure classification — our own curated map of cloud, hosting, CDN, VPN, and transit ASNs, derived from the GeoLite2 ASN data above. This is Network Lookup's own analysis: it labels an address as datacenter vs residential and names the operator.
- Tor exit status — the Tor Project publishes a public list of current exit relays at check.torproject.org/torbulkexitlist. We cache it for 24 hours and check each looked-up IP against it.
We deliberately do not use feeds whose free tier forbids commercial use on an ad-supported site. That rules out AbuseIPDB's free tier (so we show no community “abuse score”) and Shodan's InternetDB (so we don't offer an open-ports / exposure lookup).
IP blacklist (DNSBLs)
The blacklist checker queries a curated set of IPv4 blocklists in parallel — SpamCop, PSBL, DroneBL, GBUdb Truncate, SpamEatingMonkey, Interserver, and JustSpam. We don't editorialise on whether a listing is "correct" — we surface what each list says, with its own delisting link where one is published. Results are edge-cached briefly (about five minutes per address) to stay within fair-use limits.
Several once-common lists were deliberately dropped in a June 2026 licensing review because their terms don't permit use on an ad-supported site, or because they refuse queries from public resolvers: Spamhaus (its free Data Query Service is licensed for non-commercial use only, and the public mirror blocks public resolvers), Barracuda (requires registering the querying resolver), URIBL and SURBL (block public DNS), Abusix and Invaluement (paid keys), SpamRATS / UCEPROTECT / Backscatterer (non-commercial or pay-to-delist), Mailspike (commercial subscription), and CBL (folded into Spamhaus). Domain-reputation checking was retired along with Spamhaus, since its DBL was the only commercial-OK list backing it. The SORBS and NiX Spam zones shut down in 2024–2025 and are not queried.
Email validation
Disposable-domain detection uses the disposable-email-domains npm package — about 121,000 exact-match domains plus 399 wildcard patterns covering Mailinator, Guerrilla Mail, Temp Mail, Yopmail, and the long tail of throwaway providers. List updates ship with each deploy. MX, SPF, and DMARC checks for the validator use Cloudflare DoH as above.
Protocol specifications
Where our tools claim to implement a protocol, the corresponding RFC is the source of truth. The implementations follow:
- SPF — RFC 7208 (sender policy framework), 10-lookup ceiling enforced
- DMARC — RFC 7489 (policy + alignment + reporting)
- DKIM — RFC 6376 (signature, canonicalisation, key publication)
- DNSSEC — RFC 4033 / 4034 / 4035 (chain of trust, key types, signatures); key-tag computation per RFC 4034 Appendix B
- CAA — RFC 8659 (certificate-issuance authorisation, hierarchy walk)
- Certificate Transparency — RFC 6962 (Merkle log structure, SCTs)
- HTTP security headers — MDN / W3C specifications for CSP (Level 3), HSTS (RFC 6797), Referrer-Policy, Permissions-Policy
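The SPF item's 10-lookup ceiling, as an added example (not the site's implementation): a static count of the terms that RFC 7208 section 4.6.4 charges a DNS lookup for (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`), followed through nested records. The zone data is constructed, and the count is a worst case, since a real evaluator stops at the first match and only follows `redirect` when nothing matched.

```javascript
// Constructed zone data: domain -> SPF TXT record (no network access).
const SAMPLE_SPF_TXT = {
  "corp.test": "v=spf1 mx a:mail.corp.test include:_spf.esp.test include:_spf.crm.test ~all",
  "_spf.esp.test": "v=spf1 include:a.esp.test include:b.esp.test include:c.esp.test -all",
  "a.esp.test": "v=spf1 ip4:192.0.2.0/25 -all",
  "b.esp.test": "v=spf1 ip4:192.0.2.128/25 -all",
  "c.esp.test": "v=spf1 ip4:198.51.100.0/24 -all",
  "_spf.crm.test": "v=spf1 a mx exists:%{i}.bl.crm.test redirect=_spf.fallback.test",
  "small.test": "v=spf1 ip4:203.0.113.5 include:a.esp.test -all",
  "loop.test": "v=spf1 include:loop.test -all",
};
const SPF_LOOKUP_LIMIT = 10;

function countSpfLookups(domain, txt, path = new Set()) {
  if (path.has(domain)) throw new Error("SPF include loop at " + domain);
  const record = txt[domain];
  // Assumption: a missing or non-SPF record adds no further lookups here.
  if (!record || !/^v=spf1(\s|$)/i.test(record)) return 0;
  const nextPath = new Set(path).add(domain);
  let lookups = 0;
  for (const term of record.trim().split(/\s+/).slice(1)) {
    // Optional qualifier, then a lookup-costing mechanism; "all" and ip4/ip6 do not match.
    const mech = /^[+\-~?]?(include|a|mx|ptr|exists)(?=[:\/]|$)(?::([^\/]+))?/i.exec(term);
    const redirect = /^redirect=(.+)$/i.exec(term);
    if (mech) {
      lookups += 1;
      if (mech[1].toLowerCase() === "include" && mech[2]) {
        lookups += countSpfLookups(mech[2].toLowerCase(), txt, nextPath);
      }
    } else if (redirect) {
      lookups += 1 + countSpfLookups(redirect[1].toLowerCase(), txt, nextPath);
    }
  }
  return lookups;
}

function checkSpfCeiling(domain, txt = SAMPLE_SPF_TXT) {
  const lookups = countSpfLookups(domain, txt);
  return { lookups, result: lookups > SPF_LOOKUP_LIMIT ? "permerror" : "ok" };
}
```
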
Infrastructure
The site runs on Cloudflare Pages with Pages Functions for the dynamic routes. The cron Worker that refreshes the geolocation databases runs on Cloudflare Workers. The .mmdb files live in Cloudflare R2.
This means a single provider sees a lot of the request lifecycle. We make this trade-off deliberately — it gives us free TLS, a global edge, native bindings to R2, and good ergonomics for cron jobs — but it's worth knowing. If you'd rather not query Cloudflare, you can run any of these lookups locally with the same datasets.
What we don't use
We do not use any IP-to-identity providers, fingerprinting services, or paid geolocation APIs that promise “~99% accuracy” via undisclosed methods. Geolocation of an IP address is a registry-level signal, not a precise location lookup, and we'd rather show you the limits of that signal than dress it up.
Reporting data issues
If a lookup returns wrong or stale data, the cause is almost always upstream — MaxMind has the IP allocated to a different geography than the operator currently uses, or the registered ASN organization name lags real-world ownership changes. You can submit corrections directly to MaxMind via their GeoIP correction form; their corrections eventually flow through to us via the weekly refresh.
For anything else — tooling bugs, missing fields, reproducible inaccuracies — please contact us.