top of page
Securing Your DNS from Unknown Networks

IP to ASN Mapping Service

Free. Forever.

Automate and optimize WHOIS lookups to save time and improve security

Simultaneously search thousands of IPs in minutes and gain accurate WHOIS lookup results

Team Cymru is happy to provide various service options dedicated to mapping IP numbers to BGP prefixes and ASNs. Each of the services is based on the same BGP feeds from 50+ BGP peers and is updated at 4-hour intervals.

Whois (TCP 43)

DNS (UDP 53)


Obtain the following information.

  • BGP Origin ASN

  • BGP Peer ASN

  • BGP Prefix

  • Prefix Country Code (assigned)

  • Prefix Registry (assigned)

  • Prefix Allocation date

  • ASN Country Code (assigned)

  • ASN Registry (assigned)

  • ASN Allocation date

  • ASN Description

IP to ASN Mapping is Not a GeoIP Service!

The country code, registry, and allocation date are all based on data obtained directly from the regional registries including: ARIN, RIPE, AFRINIC, APNIC, LACNIC. The information returned relating to these categories will only be as accurate as the data present in the RIR databases.


IMPORTANT NOTE: Country codes are likely to vary significantly from actual IP locations, and we must strongly advise that the IP to ASN mapping tool not be used as an IP geolocation (GeoIP) service.

The exact links for each of the datasets are as follows:

Looking for an IP geolocation service?

If you are looking for an IP geolocation service, please check out one of the following (note: links do not constitute an endorsement):

How is each service used?


The whois daemon acts like a standard whois server would, but with some added functionality. It accepts arguments on the command-line for single whois queries, and it also supports BULK IP submissions when combined with GNU’s netcat for those who wish to optimize their queries. When issuing requests for two or more IPs we strongly suggest you use netcat for BULK IP submissions, or DNS since there is less overhead. As a measure of speed, queries of approximately 10,000 IPs should return in less than a minute given a moderately sized Internet link.


IPs that are seen abusing the whois server with large numbers of individual queries instead of using the bulk netcat interface will be null routed. If at all possible you should consider using the DNS based query interface since it is much more efficient for individual queries. The netcat interface should be used for groups of IP lists at a time in one single TCP query.

There are presently two whois servers available:

  • (

  • (

The server is primarily designed to map an IP address to a BGP Origin ASN and prefix.

The server is designed to map an IP address to the possible BGP peer ASNs that are one AS hop away from the BGP Origin ASN’s prefix. This can be useful at times when you’re looking for a quick view into who an IP’s upstreams might be. Note that this method of finding peers is FAR from perfect and not an exact science. When the Origin ASN is a Tier 1 any concept of ‘upstream’ tends to lose its meaning.


The syntax for whois and netcat whois IP queries is as follows:





enable bulk input mode

(netcat only)


exit the whois/netcat client

(netcat only)

- p


include matching prefix

- q


disable matching prefix (default)

- c


include matching country code

- d


disable country codes (default)

- n


include asnames (default)

- o


disable asnames

- r


display matching registry

- s


disable registry display (default)

- a


enable allocation date

- b


disable allocation date (default)

- t


truncate asnames (default)

- u


do not truncate asnames

- v


enable all flags (-c -r -p -a -u -a)

- e


enable column headings (default)

- f


disable column headings

- w


include asnumber column (default)

- x


disable asnumber column (will not work for IP mappings)

- h


this help message

To use the command-line arguments on a single IP query, be sure to enclose the request in quotes and to have a space before the first argument so that your whois client will not try to interpret the flags locally.

For example, to enable the verbose mode (all flags) one would use:

$ whois -h " -v 2005-12-25 13:23:01 GMT"

AS | IP | BGP Prefix | CC | Registry | Allocated | Info | AS Name

23028 | | | US | arin | 1998-09-25 | 2005-12-25 13:23:01 GMT | TEAM-CYMRU - Team Cymru Inc., US

You may also query for some basic AS information directly:

$ whois -h " -v AS23028"

AS | CC | Registry | Allocated | AS Name

23028 | US | arin | 2002-01-04 | TEAM-CYMRU - Team Cymru Inc., US

We recommend the use GNU’s version of netcat, not nc. (nc has been known to cause buffering problems with our server and will not always return the full output for larger IP lists). GNU netcat can be downloaded from This is the same as gnetcat in FreeBSD ports.

To issue bulk queries, follow these steps:

1. Create a file with a list of IPs or ASNs, one per line. Add the word begin at the top of the file and the word end at the bottom.

Example of list01:




Remember: you can add comments and other flags per the table above if you’d like.


verbose 2005-06-30 05:05:05 GMT 2005-06-30 05:05:05 GMT

... 2005-06-30 05:05:05 GMT


2. Run the list through GNU netcat (NOT the venerable nc).

$ netcat 43 < list01 | sort -n > list02

The file list02 will be sorted by origin AS, and should appear as:

Bulk mode; [2018-08-29 21:04:00 +0000]

701 | | | US | arin | 1992-11-10 | 2005-06-30 05:05:05 GMT | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business, US

6079 | | | US | arin | 1996-11-01 | 2005-06-30 05:05:05 GMT | RCN-AS - RCN, US

23028 | | | US | arin | 2002-03-15 | 2005-06-30 05:05:05 GMT | TEAM-CYMRU - Team Cymru Inc., US

3. The same can be done with a list of ASNs

Example of list02:





And the output:

$ nc 43 < file

Bulk mode; [2020-06-10 13:55:43 +0000]

23028 | US | arin | 2002-01-04 | TEAM-CYMRU, US

4. Bulk queries can contain IPs AND ASNs, however the output may not be ideal:

Example of list03:






$ nc 43 < file

Bulk mode; [2020-06-10 13:57:00 +0000]

3356 | | | US | arin | 1992-12-01 | LEVEL3, US

23028 | US | arin | 2002-01-04 | TEAM-CYMRU, US

Additional help can be obtained by issuing the help command:

$ whois -h help

For additional support or to report an issue, please contact


The DNS daemon is designed for rapid reverse lookups, much in the same way as RBL lookups are done. DNS has the added advantage of being cacheable and based on UDP so there is much less overhead. Similar to the whois TCP based daemon, there are three IPv4 zones available, and one for IPv6:





The zone is used to map an IP address or prefix to a corresponding BGP Origin ASN.

The zone is used to map an IPv6 address or prefix to a corresponding BGP Origin ASN.

The zone is used to map an IP address or prefix to the possible BGP peer ASNs that are one AS hop away from the BGP Origin ASN’s prefix.

The zone is used to determine the AS description of a given BGP ASN.

All DNS-based queries should be made by pre-pending the reversed octets of the IP address of interest to the appropriate zone listed above, demonstrated in the following examples:

$ dig +short TXT

"23028 | | US | arin | 1998-09-25"

The same query could be expressed as:

$ dig +short TXT

"23028 | | US | arin | 1998-09-25"

IPv6 queries are formed by reversing the nibbles of the address, and placing dots between each nibble, just like an IPv6 reverse DNS lookup, except against instead of Note that you must pad out all omitted zeroes in the IPv6 address, so this can get quite long! For example, to look up 2001:4860:b002::68, you would issue the following query:

$ dig +short TXT

"15169 | 2001:4860::/32 | US | arin | 2005-03-14"

You can considerably shorten your query if you assume that the long runs of zeroes are in the host portion of the address (as is often the case with IPv6 addresses:

$ dig +short TXT

"15169 | 2001:4860::/32 | US | arin | 2005-03-14"

To query for a given IP/prefix peer ASNs, one would use the zone as follows:

$ dig +short TXT

"701 1239 3549 3561 7132 | | US | arin | 1998-09-25"

When there are multiple Origin ASNs or Peer ASNs, they will all be included in the same TXT record such as in the example above.

Notice that the format is very similar to the data returned in the verbose whois based query. The major difference is that the AS Description information has been omitted. In order to return the ASN Description and additional info, one use:

$ dig +short TXT

"23028 | US | arin | 2002-01-04 | TEAM-CYMRU - Team Cymru Inc., US"

If a given prefix does not exist in the table, the daemon will return a standard NXDOMAIN response (domain does not exist).


The HTTPS daemon acts as a web based proxy to the whois based service. You can reach the service directly by browsing to:

Simply click on one of the above links and follow the onscreen instructions on how translate IPs to their corresponding BGP ASNs.


The following is small sampling of the public projects and sites that have incorporated these tools:

  • How do I use the reputation feed?
    This is designed to be a near-real-time feed to allow subscribers to monitor for infected computers visiting their networks. Subscribers can utilize the IP Reputation Feed to identify compromised hosts as they access their networks, thus enabling them to monitor or block these infected hosts before they can cause any damage. Combine the other categories we include and you have the most complete list possible. Possible uses include: Banks checking for infected customers at sign-on Companies pro-actively monitoring for exfiltration of data via bots ISPs checking for infected customers and other abuse Vendors importing data for enterprise appliances
  • Where do you get the data?
    This information is gathered through a number of methods, including malware analysis, observation of botnet command and control (C&C) botnets that we have uniquely decoded, and monitoring of dark IP space (darknets).
  • What is the ‘REPUTATION_SCORE’ entry?
    As part of the XML file for this report, each IP has been assigned a “reputation” value derived from various methods. The key used to calculate this value is included in the feed. The intention is that clients determine what issues are most important to them and adapt their policy accordingly. At Team Cymru, we understand that no one can make that determination for you better than you. To facilitate that decision-making capability, we prefer to give you a reputation value to assist you. You may decide that some threats are important, and others are not. This value will help you along the way.
bottom of page