Every time you open a browser and visit a website, or see a series of numeric addresses in server logs, you are dealing with IP addresses. IP address lookup tools can tell you the information behind the numbers: which country it comes from, which operator it belongs to, whether it's on a blacklist, whether it's a data center or home broadband. This information is critical for network security analysis, anti-fraud, content distribution and user experience optimization.
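This article explains in depth the technical principles behind IP address lookup tools, from the address structure of IPv4/IPv6, to the difference between public and private IPs, to how GeoIP geolocation is implemented and how IP blacklists work.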
IPv4 (Internet Protocol version 4) uses 32-bit addresses, which can theoretically represent approximately 4.3 billion (2³²) unique addresses. For human readability, IPv4 addresses are represented as four decimal numbers between 0-255, separated by dots:
For example: 192.168.1.100
Binary: 11000000.10101000.00000001.01100100
Range: 0.0.0.0 ~ 255.255.255.255
Not all IPv4 addresses can be freely used on the public Internet. The following address segments have special purposes:
| Address range | Use | Description |
|---|---|---|
| 0.0.0.0/8 | Current network | Means "this machine" or "unspecified address" |
| 127.0.0.0/8 | Loopback address | For local testing (127.0.0.1 = localhost) |
| 10.0.0.0/8 | Private address (Class A) | For internal network use; not routed on the public Internet |
| 172.16.0.0/12 | Private address (Class B) | 172.16.0.0 ~ 172.31.255.255 |
| 192.168.0.0/16 | Private address (Class C) | The most common home/office intranet addresses |
| 224.0.0.0/4 | Multicast address | For one-to-many communication (Class D) |
| 240.0.0.0/4 | Reserved address | Reserved for future expansion (Class E) |
| 169.254.0.0/16 | Link-local | Automatically assigned when DHCP acquisition fails |
IPv6 uses 128-bit addresses, and the address space is about 3.4×10³⁸—if the amount of IPv4 addresses is a grain of sand, the amount of IPv6 addresses is all the sand on the earth. IPv6 addresses are represented by eight groups of four-digit hexadecimal numbers, separated by colons:
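For example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Shortened: 2001:db8:85a3::8a2e:370:7334 (consecutive all-zero groups can be replaced with ::, but only once)
IPv6 address ranges:
Link-local addresses: fe80::/10 (similar to IPv4's 169.254.0.0/16)
Unique local addresses: fc00::/7 (similar to IPv4 private addresses)
Global unicast addresses: 2000::/3 (publicly routable addresses)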
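The ranges above decide whether an address from a server log is worth sending to a GeoIP or blacklist lookup at all. The following is an added example, not code from the original article: it classifies addresses against the ranges listed on this page and filters constructed log lines. The function names and the sample log are assumptions made for illustration.

```python
import ipaddress

# Ranges copied from this page; not the full IANA special-purpose registry.
RANGES = [(ipaddress.ip_network(cidr), label) for cidr, label in [
    ("0.0.0.0/8", "current network"),
    ("127.0.0.0/8", "loopback"),
    ("10.0.0.0/8", "private"),
    ("172.16.0.0/12", "private"),
    ("192.168.0.0/16", "private"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved"),
    ("169.254.0.0/16", "link-local"),
    ("fe80::/10", "link-local"),
    ("fc00::/7", "unique local"),
    ("2000::/3", "global unicast"),
]]

def classify(text):
    """Return this page's category for an address, else 'public' or 'other'."""
    addr = ipaddress.ip_address(text.strip())
    # ::ffff:a.b.c.d is IPv4 in IPv6 form; classify the embedded IPv4 address.
    if getattr(addr, "ipv4_mapped", None) is not None:
        addr = addr.ipv4_mapped
    for net, label in RANGES:
        if addr.version == net.version and addr in net:
            return label
    return "public" if addr.version == 4 else "other"

def lookup_candidates(log_lines):
    """First field of each line, kept only if a GeoIP/blacklist query makes sense."""
    keep = []
    for line in log_lines:
        field = line.split(" ", 1)[0]
        try:
            label = classify(field)
        except ValueError:          # not an IP address (or an empty line)
            continue
        if label in ("public", "global unicast"):
            keep.append(field)
    return keep

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.168.1.100 - - "GET / HTTP/1.1" 200',
    '8.8.8.8 - - "GET /login HTTP/1.1" 200',
    '::ffff:10.0.0.7 - - "GET /admin HTTP/1.1" 403',
    '2001:db8:85a3::8a2e:370:7334 - - "GET / HTTP/1.1" 200',
    '- - - "malformed entry" 400',
]
```

Python's built-in `is_global` property on address objects applies the complete IANA registry, which also covers ranges this page does not list.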
| Feature | IPv4 | IPv6 |
|---|---|---|
| Address length | 32 bits | 128 bits |
| Number of addresses | About 4.3 billion | Approximately 3.4×10³⁸ |
| Notation | Dotted decimal | Colon-separated hexadecimal |
| Header size | 20-60 bytes | Fixed 40 bytes |
| Broadcast | Supported | Not supported (use multicast instead) |
| NAT | Commonly used | Usually not required |
| Security | IPSec optional | IPSec built-in support |
| Automatic configuration | DHCP | SLAAC + DHCPv6 |
Private IP addresses are the three address ranges specified in RFC 1918 and reserved for internal networks. They are not routed on the Internet - that is, 192.168.1.1 on two different home networks does not conflict, because each is isolated in its own local network.
When an intranet device needs to access the Internet, the router will convert the private IP to a public IP through NAT (Network Address Translation). This process is transparent to the user:
Intranet device 192.168.1.100 accesses 8.8.8.8
→ The router replaces the source address with the public IP 203.0.113.50
→ The server sees 203.0.113.50 instead of 192.168.1.100
→ When the response arrives, the router replaces the destination address back to 192.168.1.100
IP address query tools can tell you:
Run curl ifconfig.me to quickly check your public IP address. Run ipconfig on Windows, or ifconfig or ip addr on Mac/Linux, to check the local IP.
GeoIP technology achieves geolocation by mapping IP addresses to geographic locations. It does not directly track your physical location, but builds an IP-to-location mapping based on the following data sources:
| Level | Granularity | Accuracy | Data source |
|---|---|---|---|
| Country level | Country | 95-99% | RIR allocation records |
| Region level | Province/state | 80-90% | ISP registration information |
| City level | City | 60-80% | ISP + rDNS |
| Precise level | Block/coordinates | 50-70% | Crowdsourcing + cellular triangulation |
It should be noted that the accuracy of GeoIP is affected by many factors: VPN and proxy servers will show wrong locations; the IP address pool of a large ISP may span multiple cities; CGNAT (carrier-grade NAT) will cause a large number of users to share the same public IP.
An IP blacklist is a database that records known malicious IP addresses. When an IP address is found to be involved in malicious activity such as sending spam, DDoS attacks, malware distribution or brute-force attacks, it is added to the blacklist. Mail servers, firewalls, WAFs (Web Application Firewalls) and similar systems consult these blacklists to block malicious traffic.
| Blacklist type | Typical use | Well-known services |
|---|---|---|
| Email blacklist (DNSBL) | Block spam | Spamhaus, SpamCop, Barracuda |
| Threat intelligence blacklist | Firewall/WAF blocking | AbuseIPDB, AlienVault OTX, Cisco Talos |
| Web blacklist | Block access to malicious websites | Google Safe Browsing, PhishTank |
| Country/region blacklist | Geographical access control | Custom rules |
| Proxy/VPN detection | Anti-fraud | IP2Proxy, IPQualityScore |
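IP address lookup tools usually integrate multiple blacklist databases, so a single query shows an IP's status across the major blacklists. You can also check manually: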
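```bash
# Check an email blacklist (DNSBL lookup). The IP's octets go in reverse
# order, so 1.2.3.4 is queried as 4.3.2.1.
nslookup 4.3.2.1.zen.spamhaus.org
# Check with the AbuseIPDB API
curl "https://api.abuseipdb.com/api/v2/check?ipAddress=1.2.3.4" \
  -H "Key: YOUR_API_KEY" -H "Accept: application/json"
```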
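The DNSBL lookup above has two details that are easy to get wrong: the query name uses the address in reverse order, and not every answer means "listed". This added example (not part of the original article) builds the query name for IPv4 and IPv6 per RFC 5782 and interprets the answers. The zone `bl.example.test`, the function names and the fake answers are assumptions made so it runs offline.

```python
import ipaddress
import socket

DNSBL_ANSWERS = ipaddress.ip_network("127.0.0.0/8")     # RFC 5782 answer range
ERROR_CODES = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error replies

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets (IPv4) or hex nibbles (IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def interpret(answers):
    """Map the A records returned for a DNSBL name to (verdict, answers)."""
    if not answers:
        return ("not listed", [])            # NXDOMAIN
    codes = [ipaddress.ip_address(a) for a in answers]
    if any(c in ERROR_CODES for c in codes):
        return ("query error", answers)      # e.g. query sent via a public resolver
    if all(c in DNSBL_ANSWERS for c in codes):
        return ("listed", answers)
    return ("untrusted answer", answers)     # resolver rewrote the reply

def system_resolve(name):
    """Real lookup; NXDOMAIN becomes [], other failures propagate."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise

def check(ip, zone="zen.spamhaus.org", resolve=system_resolve):
    return interpret(resolve(dnsbl_query_name(ip, zone)))

# Constructed answers under a hypothetical zone (not real listing data).
FAKE_DNS = {
    "4.3.2.1.bl.example.test": ["127.0.0.2"],
    "50.113.0.203.bl.example.test": ["127.255.255.254"],
    "100.1.168.192.bl.example.test": ["203.0.113.50"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])
```

Treating an error code or a rewritten answer as a listing produces false positives, so only the "listed" verdict should feed a block decision.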
If your IP is blacklisted by mistake, there are usually the following solution steps:
A comprehensive IP address lookup tool should provide the following information:
Q1: After using VPN, the IP address query shows the location of the VPN server. Is this normal?
Yes, this is how VPN works. The VPN will establish an encrypted tunnel between you and the target server. The IP the target server sees is the IP of the VPN exit server, not your real IP. That’s why using a VPN can hide your true location.
Q2: Can GeoIP be accurate to the street level?
Usually not. Most GeoIP databases have good accuracy at the city level (60-80%), but more precise positioning requires combination with other data sources (such as Wi-Fi positioning, GPS data). Any service that claims to be able to provide street-level location accuracy based solely on IP addresses needs to be treated with caution.
Q3: What is the difference between IPv6 address query and IPv4?
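The principle is the same, but GeoIP database coverage and accuracy for IPv6 are currently still lower than for IPv4. This is because IPv6 deployment is still relatively new and less data has accumulated. However, as IPv6 adoption grows, the gap is closing quickly.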
Q4: Why does the same IP display different geographical locations in different query tools?
Different GeoIP providers use different data sources and algorithms, and the accuracy and results may vary. The IP address pool of a large ISP may cover multiple cities, and different providers may have different judgments on the ownership of the same IP segment. It is recommended to use the results of cross-validation from multiple data sources.
Q5: How long is the IP blacklist valid for?
Different blacklists have different expiration policies. Some will be automatically removed after a fixed period of time (for example, Spamhaus's SBL is usually automatically removed after a period of time after the malicious behavior stops), and some require manual application for removal. IPs that are actively maintained (with a long-term record of no malicious behavior) usually do not stay on the blacklist for long.
This article was originally published by ToolSnap. If you need to reprint, please indicate the source.