Every developer eventually needs to investigate an IP address. Maybe you're building a security dashboard, debugging a suspicious login, or just curious about who's hitting your server at 3 AM.
Most IP investigation tools are either paid, rate-limited to uselessness, or wrapped in annoying UIs. Here's how to build your own investigation tool using free APIs and about 30 lines of code.
What We're Building
A simple script that takes any IP address and returns:
- Geolocation — Country, city, coordinates, timezone
- Network info — ISP, organization, ASN
- DNS records — Reverse DNS, associated domains
- Visual proof — Screenshot of any associated website
All from the command line. No signup walls. No credit card.
Step 1: Get a Free API Key
```bash
curl -X POST https://api.frostbyte.world/api/keys/create
```
Response:
```json
{
  "key": "fb_a1b2c3...",
  "credits": 200,
  "message": "Store this key safely"
}
```
200 free credits. That's 200 IP investigations. No email required.
Step 2: IP Geolocation Lookup
```bash
curl -H "x-api-key: YOUR_KEY" \
  "https://api.frostbyte.world/v1/agent-geo/geo/185.220.101.1"
```

```json
{
  "ip": "185.220.101.1",
  "country": "Germany",
  "countryCode": "DE",
  "region": "Hessen",
  "city": "Frankfurt am Main",
  "lat": 50.1109,
  "lon": 8.6821,
  "timezone": "Europe/Berlin",
  "isp": "Hetzner Online GmbH",
  "org": "Hetzner Online GmbH",
  "as": "AS24940 Hetzner Online GmbH"
}
```
This tells you where the IP is and who operates it. In this case, it's a Hetzner server in Frankfurt — commonly used for VPNs, Tor exits, and legitimate hosting alike.
Step 3: Reverse DNS Lookup
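```bash
curl -H "x-api-key: YOUR_KEY" \
  "https://api.frostbyte.world/v1/agent-dns/lookup/185.220.101.1?type=PTR"
```

Reverse DNS reveals the hostname associated with the IP. If it resolves to something like tor-exit.example.com, you have a strong hint about what you're dealing with. The PTR record is set by whoever controls the address block, so treat it as a claim until a forward lookup of that hostname returns the same IP.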
Step 4: Screenshot the Associated Domain
If you've identified a domain, grab a visual snapshot:
```bash
curl -H "x-api-key: YOUR_KEY" \
  "https://api.frostbyte.world/v1/agent-screenshot/capture?url=https://example.com&format=png"
```
This renders the page in a real Chromium browser and returns a screenshot. Useful for documenting phishing sites or checking if a suspicious domain is actually serving content.
Putting It All Together: The Script
Here's a complete Node.js investigation script:
```javascript
// Requires Node.js 18+ for the built-in fetch().
const net = require('node:net');

const API_KEY = process.env.FROSTBYTE_KEY || 'YOUR_KEY';
const BASE = 'https://api.frostbyte.world';
const headers = { 'x-api-key': API_KEY };

// Fetch JSON and fail loudly on HTTP errors (bad key, exhausted credits).
async function getJson(url) {
  const r = await fetch(url, { headers });
  if (!r.ok) throw new Error(`HTTP ${r.status} from ${url}`);
  return r.json();
}

async function investigate(ip) {
  // Only accept IP literals, since the value goes straight into a URL path.
  if (!net.isIP(ip)) throw new Error(`Not an IP address: ${ip}`);

  console.log(`\n🔍 Investigating ${ip}...\n`);

  // Geolocation
  const geo = await getJson(`${BASE}/v1/agent-geo/geo/${ip}`);
  console.log(`📍 Location: ${geo.city}, ${geo.region}, ${geo.country}`);
  console.log(`🌐 ISP: ${geo.isp}`);
  console.log(`🏢 Org: ${geo.org}`);
  console.log(`📡 AS: ${geo.as}`);
  console.log(`🕐 Timezone: ${geo.timezone}`);
  console.log(`📌 Coords: ${geo.lat}, ${geo.lon}`);

  // Reverse DNS
  const dns = await getJson(`${BASE}/v1/agent-dns/lookup/${ip}?type=PTR`);
  if (dns.records?.length) {
    console.log(`\n🔗 Reverse DNS: ${dns.records.join(', ')}`);
  } else {
    console.log(`\n🔗 Reverse DNS: No PTR record found`);
  }

  // Forward DNS if we got a hostname.
  // The PTR value comes from a remote zone, so encode it before building the URL.
  if (dns.records?.length) {
    const hostname = dns.records[0].replace(/\.$/, '');
    const forward = await getJson(
      `${BASE}/v1/agent-dns/lookup/${encodeURIComponent(hostname)}?type=A`
    );
    console.log(`📋 Forward DNS (${hostname}): ${forward.records?.join(', ') || 'No A records'}`);
  }

  console.log('\n--- Investigation complete ---');
}

const target = process.argv[2] || '8.8.8.8';
investigate(target).catch(err => {
  console.error(`Investigation failed: ${err.message}`);
  process.exitCode = 1;
});
```
Run it:
```bash
export FROSTBYTE_KEY="fb_your_key_here"
node investigate.js 185.220.101.1
```
Output:
```
🔍 Investigating 185.220.101.1...
📍 Location: Frankfurt am Main, Hessen, Germany
🌐 ISP: Hetzner Online GmbH
🏢 Org: Hetzner Online GmbH
📡 AS: AS24940 Hetzner Online GmbH
🕐 Timezone: Europe/Berlin
📌 Coords: 50.1109, 8.6821
🔗 Reverse DNS: tor-exit-relay.example.com
📋 Forward DNS (tor-exit-relay.example.com): 185.220.101.1
--- Investigation complete ---
```
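The script prints the forward lookup beside the PTR value but leaves the comparison to the reader. This added example (not part of the original script) treats each PTR hostname as untrusted input and marks it confirmed only when its A records point back to the IP, which covers both the Step 3 lookup and the forward-DNS step of the script. The `resolveA` callback, the array-of-strings record shape and the sample zone are assumptions made for illustration.

```javascript
// PTR data is set by whoever controls the IP's reverse zone, so it is
// validated here before it reaches a URL, a log line, or a verdict.

// Strict letters-digits-hyphen check: labels of 1-63 chars, total <= 253.
function isSafeHostname(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 253) return false;
  return name.split('.').every(label =>
    /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i.test(label));
}

// Replace control characters before logging an untrusted value.
function printable(value) {
  return String(value).replace(/[\u0000-\u001f\u007f-\u009f]/g, '?');
}

// ptrRecords: hostnames from the PTR lookup (assumed: array of strings).
// resolveA:   hypothetical async callback returning A records for a name.
async function confirmReverseDns(ip, ptrRecords, resolveA) {
  const results = [];
  for (const raw of ptrRecords) {
    const hostname = String(raw).replace(/\.$/, '').toLowerCase();
    if (!isSafeHostname(hostname)) {
      results.push({ hostname: printable(raw), status: 'rejected' });
      continue;
    }
    const addrs = await resolveA(hostname);
    results.push({ hostname, status: addrs.includes(ip) ? 'confirmed' : 'unconfirmed' });
  }
  return results;
}

// Constructed sample data standing in for API responses.
const SAMPLE_ZONE = {
  'tor-exit-relay.example.com': ['185.220.101.1'],
  'mail.trusted-bank.example': ['203.0.113.7'],
};
const sampleResolver = async (name) => SAMPLE_ZONE[name] || [];

async function demo() {
  return confirmReverseDns('185.220.101.1', [
    'tor-exit-relay.example.com.',    // forward lookup matches the IP
    'mail.trusted-bank.example.',     // PTR claims a name that points elsewhere
    'host.example/../admin\u001b[2J', // not a hostname at all
  ], sampleResolver);
}
demo().then(r => console.log(r));
```

Only a `confirmed` hostname should feed later steps such as the screenshot request; an `unconfirmed` one is still worth recording as what the address holder claims.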
Use Cases
This same approach works for:
- Security incident response — Quickly profile attacking IPs from your logs
- Fraud detection — Check if a user's IP matches their claimed location
- Compliance — Verify traffic isn't coming from sanctioned regions
- Network debugging — Trace routing issues with geolocation data
- OSINT investigations — Profile infrastructure behind suspicious domains
Why Not Just Use ipinfo.io or Shodan?
You absolutely can. But here's the comparison:
| Feature | ipinfo.io | Shodan | Frostbyte |
|---|---|---|---|
| Free tier | 50K/mo | 100 queries/mo | 200 credits |
| Geolocation | Yes | Yes | Yes |
| DNS lookup | No | Port scan | Yes |
| Screenshots | No | No | Yes |
| Code execution | No | No | Yes |
| API key required for basic | No | Yes | No (basic) |
| Signup required | Yes (email) | Yes (email) | No |
The difference: one API key gives you geo + DNS + screenshots + 40 other tools instead of stitching together 4 different services.
Get Started
```bash
# Get your free key (no signup)
curl -X POST https://api.frostbyte.world/api/keys/create

# Try it
curl "https://api.frostbyte.world/v1/agent-geo/geo/1.1.1.1"
```
Full docs: api.frostbyte.world
What's the most suspicious IP you've ever investigated? Drop it in the comments — I'll run it through the tool live.