ZeroTrace OSINT
IP Geolocation
Country, region, city, hosting flag, ISP, ASN, and a static map preview for any IPv4 or IPv6.
IP geolocation answers "where is this IP, who runs it, is it residential or datacenter, what time is it there right now". It is the most-used tool in the Network category for a reason — almost every investigation hits an IP at some point and almost every IP needs the same five facts.
What you get
For any IPv4 or IPv6 address, the tool returns:
| Field | What it tells you |
|---|---|
| Country | Two-letter code + name + flag |
| Region | State, province, or equivalent administrative subdivision |
| City | Best-guess city name |
| Latitude / Longitude | Coordinates, with a static map preview |
| Timezone | IANA timezone, with current local time |
| ISP | Internet service provider name |
| Organisation | The org the IP is registered to (often the same as ISP, sometimes more specific) |
| ASN | Autonomous-system number serving the IP |
| Hosting flag | Datacenter / hosting / residential / mobile classification |
| Reverse DNS | PTR record for the IP, auto-fetched |
| rDNS pattern hints | Hosting-provider patterns recognised in the PTR string |
The hosting flag
The single most useful field for triage. Distinguishes:
- Hosting / datacenter — IP belongs to a cloud provider, VPS host, or dedicated colocation. Almost certainly not a real person at a keyboard.
- Residential — IP belongs to a consumer ISP (Comcast, BT, Deutsche Telekom, etc.). Likely a real user.
- Mobile — IP belongs to a mobile carrier. Real user, but on a phone — different forensic implications.
- Anonymous proxy / VPN — IP belongs to a known commercial VPN exit (Mullvad, Mullvad, NordVPN, ExpressVPN, etc., curated list).
For SOC triage and fraud investigation, this single classification kills entire categories of false positive.
rDNS pattern recognition
The tool parses the PTR record for known hosting-provider patterns. Examples:
| PTR pattern | Detected as |
|---|---|
ec2-...amazonaws.com | AWS EC2 |
googleusercontent.com | Google Cloud / Workspace |
azure-cloud.net / azurewebsites.net | Microsoft Azure |
cloudfront.net | AWS CloudFront |
digitalocean.com | DigitalOcean Droplet |
linode.com | Linode |
vultr.com | Vultr |
hetzner.com | Hetzner |
This catches cloud-provider attribution even when the WHOIS / ASN is generic ("NTT Communications" for an AWS-hosted IP, for instance).
Map preview
The tool renders a static map tile around the lat/lon. The map is fetched from OpenStreetMap and rendered locally — the tile request is named in the source-attribution chip on the result.
For a city-level IP, the map is illustrative. For a residential ISP IP, it shows the ISP's network centre rather than the user's actual home — IP geolocation accuracy degrades quickly inside a country.
Treat IP geolocation as country-accurate, region-mostly-accurate, city-best-guess. A claim like "the user was in Berlin" based purely on IP geolocation is overconfident — "the IP geolocates to a Deutsche Telekom block in northern Germany" is what the data actually supports.
Pivots from an IP geo result
| Click on... | Pivot to |
|---|---|
| The IP itself | Reverse DNS, WHOIS (RDAP for IPs), ASN lookup, IP reputation, exposed services |
| ASN number | ASN lookup |
| ISP / org name | (no pivot — copy and paste) |
| Reverse DNS hostname | DNS lookup, WHOIS on the parent domain |
Bulk geolocation
Bulk paste runs many IPs through the geolocation tool in parallel (with rate-limiting against the public source). The aggregate result table shows country, hosting flag, ASN, and ISP — perfect for triaging a log file's worth of source IPs.
Distance from you
If you grant the toolkit your browser geolocation in settings, the tool can show "distance from your current location" alongside the result. Useful for fraud cases ("the user reports they were in Paris; this IP geolocates 5,000 km away").
Sources
- IP-API.com (free tier) for the bulk of fields including hosting flag.
- Reverse-DNS lookup against the system resolver for PTR.
- A curated rDNS-pattern catalog is shipped with the toolkit and matched locally.
- A curated VPN exit-IP catalog (Mullvad, NordVPN, etc.'s public lists) is shipped and matched locally.
- OpenStreetMap tile server for the map preview.
Every source is named on the result.