What is IPv4?

5 min read · Networking fundamentals · Published Jan 2026 · Updated May 2026

The 32-bit address space

IPv4 uses 32-bit addresses written as four decimal numbers separated by dots — e.g. 192.168.1.1. With 32 bits the total space is 2³² ≈ 4.3 billion unique addresses. IANA allocated the last unassigned blocks to regional registries in 2011.

Dotted-decimal notation

203.0.113.42
^   ^ ^   ^
|   | |   └── 4th octet (0–255)
|   | └────── 3rd octet
|   └──────── 2nd octet
└──────────── 1st octet

Private and reserved ranges

• 10.0.0.0/8 — large private networks (~16 million addresses)
• 172.16.0.0/12 — medium private networks (~1 million)
• 192.168.0.0/16 — home/office routers (65,536 addresses)
• 127.0.0.0/8 — loopback (your own machine)
• 169.254.0.0/16 — link-local / APIPA (auto-assigned when DHCP fails)

CIDR notation

CIDR expresses a range as base address + prefix length: 192.168.1.0/24 means 24 bits are the network, leaving 8 bits (256 addresses) for hosts.

NAT — the band-aid that stuck

Most routers use Network Address Translation so many devices share a single public IP. It solved exhaustion short-term but breaks end-to-end connectivity. IPv6 eliminates the need for NAT entirely.

Check your IPv4 with curl

curl -4 https://checkmyipv6.com/ip
# Windows PowerShell:
curl.exe -4 https://checkmyipv6.com/ip

What is IPv6?

7 min read · Networking fundamentals · Published Jan 2026 · Updated May 2026

The 128-bit address space

IPv6 uses 128-bit addresses yielding 2¹²⁸ ≈ 340 undecillion unique addresses — enough to assign a /48 subnet to every grain of sand on Earth.

Addresses are written as eight groups of four hex digits separated by colons: 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

Address shortening rules

1. Leading zeros in each group can be dropped: 0db8 → db8
2. One consecutive run of all-zero groups can be replaced with ::

Full:       2001:0db8:0000:0000:0000:0000:0000:0001
Shortened:  2001:db8::1

Address types

• Global Unicast (GUA) — publicly routable, starts with 2 or 3
• Link-Local — single segment only, starts with fe80::
• Loopback — ::1 (like IPv4's 127.0.0.1)
• Unique Local (ULA) — private use, starts with fc or fd
• Multicast — one-to-many, starts with ff

Dual-stack and Happy Eyeballs

Most modern networks run dual-stack. OSes use the Happy Eyeballs algorithm (RFC 8305) — attempt IPv6 first, fall back to IPv4 within ~300 ms if IPv6 fails.

Test IPv6 connectivity

curl -6 https://checkmyipv6.com/ip
# Windows PowerShell:
curl.exe -6 https://checkmyipv6.com/ip

Network Terminology Glossary

60+ terms · 6 categories · Reference · Published Jan 2026 · Updated May 2026

IP Addressing

DNS

Routing & Infrastructure

Transport & Security

IPv6-specific

General

Debugging Tips & Tricks

Practical guide · CLI tools · Published Feb 2026 · Updated May 2026

Find your IP

# Unix / macOS / WSL
curl -4 https://checkmyipv6.com/ip   # IPv4
curl -6 https://checkmyipv6.com/ip   # IPv6

# Windows PowerShell (use curl.exe — not the PS alias)
curl.exe -4 https://checkmyipv6.com/ip
curl.exe -6 https://checkmyipv6.com/ip

# Windows CMD (curl maps to curl.exe directly)
curl -4 https://checkmyipv6.com/ip

Test IPv6 connectivity

ping6 ipv6.google.com
curl -6 https://ipv6.google.com
ip -6 addr show          # Linux — look for global unicast (2xxx: / 3xxx:)
ipconfig                 # Windows — look for "IPv6 Address"

DNS debugging

dig AAAA example.com       # Does domain have IPv6 records?
dig +trace example.com     # Full resolution trace
dig -x 203.0.113.42        # Reverse DNS
dig @8.8.8.8 example.com   # Use specific resolver

Traceroute

traceroute google.com
traceroute -6 ipv6.google.com
mtr --ipv6 google.com      # Live stats (install mtr first)

Test TCP port reachability

nc -zv example.com 443
curl "https://checkmyipv6.com/ping?host=example.com&port=443"

Common issues

• IPv6 address but no connectivity — may be link-local (fe80::) with no global route. Check router IPv6 settings.
• curl -6 fails, browser reaches IPv6 — Happy Eyeballs fell back to IPv4. Run dig AAAA yourdomain.com.
• DNS resolves but no connection — firewall blocking port. Use /ping to test TCP separately.
• Windows curl -4 not working — use curl.exe -4 in PowerShell to bypass the Invoke-WebRequest alias.

API Usage Guide

10 min read · Scripting & automation · Published Feb 2026 · Updated May 2026

Getting started with curl

All endpoints return plain text by default (ideal for scripts) and JSON when called from a browser or with ?format=json.

# Your current IP (plain text)
curl https://checkmyipv6.com/ip

# JSON format (includes version and timestamp)
curl "https://checkmyipv6.com/ip?format=json"

# Force IPv4 or IPv6
curl -4 https://checkmyipv6.com/ip
curl -6 https://checkmyipv6.com/ip

Parsing JSON with jq

# Extract just the IP address
curl -s "https://checkmyipv6.com/ip?format=json" | jq -r '.ip'

# Check if connected via IPv6
curl -s "https://checkmyipv6.com/ip?format=json" | jq '.version == 6'

# Get ISP name
curl -s "https://checkmyipv6.com/asn?format=json" | jq -r '.org'

# DNS lookup — list all AAAA records
curl -s "https://checkmyipv6.com/dns?host=google.com&type=AAAA&format=json" \
  | jq -r '.records.AAAA[]'

Rate limits and best practices

• 20 requests per IP per hour across all endpoints
• IPv6 /64 subnets are treated as a single identity — rotating addresses won't bypass limits
• On HTTP 429, wait for Retry-After: 3600 seconds before retrying
• Cache DNS results locally — TTL is typically 30 s to 5 min
• Use -s (silent) in production scripts to suppress curl progress output

Bash scripting example

#!/usr/bin/env bash
# Check IPv6 connectivity and alert if lost
set -euo pipefail

API="https://checkmyipv6.com/ip?format=json"
STATE_FILE="/tmp/ipv6_state"

current=$(curl -s -6 "$API" 2>/dev/null | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('ip',''))" 2>/dev/null || echo "")
previous=$(cat "$STATE_FILE" 2>/dev/null || echo "")

if [[ -z "$current" && -n "$previous" ]]; then
  echo "ALERT: IPv6 connectivity lost! Was: $previous"
  # Add: curl -X POST https://your-webhook.com/alert ...
elif [[ -n "$current" && "$current" != "$previous" ]]; then
  echo "IPv6 address changed: $previous → $current"
fi

echo "$current" > "$STATE_FILE"

Python scripting example

import urllib.request
import json

BASE = "https://checkmyipv6.com"

def get_ip(version=None):
    suffix = f"/v{version}" if version else ""
    with urllib.request.urlopen(f"{BASE}/ip{suffix}?format=json") as r:
        return json.loads(r.read())

def get_asn(ip=None):
    qs = f"?ip={ip}&format=json" if ip else "?format=json"
    with urllib.request.urlopen(f"{BASE}/asn{qs}") as r:
        return json.loads(r.read())

# Usage
info = get_ip()
print(f"Connected via IPv{info['version']}: {info['ip']}")

asn = get_asn()
print(f"ISP: {asn.get('org', 'unknown')}")

PowerShell scripting example

# Get IP as object
$ip = Invoke-WebRequest "https://checkmyipv6.com/ip?format=json" | ConvertFrom-Json
Write-Host "IP: $($ip.ip) (v$($ip.version))"

# DNS lookup
$dns = Invoke-WebRequest "https://checkmyipv6.com/dns?host=google.com&format=json" `
       | ConvertFrom-Json
$dns.records.AAAA | ForEach-Object { Write-Host "AAAA: $_" }

# IPv6 readiness score
$score = Invoke-WebRequest "https://checkmyipv6.com/score?format=json" | ConvertFrom-Json
Write-Host "Score: $($score.score)/100 Grade: $($score.grade)"

Monitoring / webhook pattern

# cron: run every 5 minutes, alert on IPv6 loss
# */5 * * * * /usr/local/bin/check-ipv6.sh

#!/usr/bin/env bash
IPV6=$(curl -s -6 --max-time 5 https://checkmyipv6.com/ip 2>/dev/null || echo "")
if [[ -z "$IPV6" ]]; then
  curl -s -X POST "$SLACK_WEBHOOK" \
    -H "Content-Type: application/json" \
    -d '{"text":"⚠️ IPv6 connectivity lost on prod!"}'
fi

TLS and WHOIS automation

# Check cert expiry — alert if < 14 days
DAYS=$(curl -s "https://checkmyipv6.com/tls?host=example.com&format=json" \
       | jq '.days_remaining')
if (( DAYS < 14 )); then
  echo "CERT EXPIRY WARNING: $DAYS days remaining"
fi

# Quick domain info
curl -s "https://checkmyipv6.com/whois?host=example.com" | jq '{registrar, expires}'

How DNS Works

6 min read · DNS fundamentals · Published Mar 2026 · Updated May 2026

What is DNS?

The Domain Name System (DNS) is the internet's phone book. When you type google.com into a browser, DNS translates that human-friendly name into a machine-readable IP address like 142.250.185.14. Without DNS, you'd need to memorise IP addresses for every site you visit.

The resolution chain

A DNS lookup involves up to four servers before you get an answer:

1. Recursive resolver — your ISP's or Google's 8.8.8.8. It does the legwork on your behalf and caches results.
2. Root nameserver — 13 logical root server clusters worldwide. They don't know the answer, but they know who to ask next (the TLD server).
3. TLD nameserver — handles .com, .net, .io etc. It points to the authoritative server for the specific domain.
4. Authoritative nameserver — holds the actual records for the domain. The final answer comes from here.

You → Recursive Resolver → Root NS → TLD NS (.com) → Authoritative NS
                                                             ↓
                                                       "google.com A = 142.250.185.14"

DNS caching and TTL

Every DNS record has a Time-to-Live (TTL) in seconds. Resolvers cache the answer for that duration and serve it without re-querying. A TTL of 300 means results can be up to 5 minutes stale after a DNS change. For critical changes (e.g. migrating servers), lower your TTL to 60 seconds 24 hours in advance.

UDP vs TCP

DNS queries typically use UDP port 53 for speed — a single packet goes out, a single packet comes back. If the response is larger than 512 bytes (e.g. many TXT records or DNSSEC data), DNS falls back to TCP port 53 automatically.

DNS over HTTPS (DoH) and DNS over TLS (DoT)

Traditional DNS is unencrypted — your ISP can see every domain you look up. DoH (port 443) and DoT (port 853) encrypt DNS queries so network intermediaries can't log or tamper with them. Cloudflare's 1.1.1.1 and Google's 8.8.8.8 support both.

Try it

# Query authoritative DNS from your terminal
dig google.com A @8.8.8.8

# Force UDP vs TCP
dig google.com A +notcp    # UDP (default)
dig google.com A +tcp      # TCP

# Check TTL
dig google.com A | grep -E "^google|IN"

→ Try the DNS Lookup tool to query any record type from our server-side resolver.

DNS Record Types Explained

8 min read · DNS reference · Published Mar 2026 · Updated May 2026

A Record

Maps a domain to an IPv4 address. Every domain that serves web traffic needs at least one A record.

example.com.  300  IN  A  93.184.216.34

AAAA Record

Maps a domain to an IPv6 address. If a domain lacks an AAAA record, IPv6-only clients cannot reach it. Check AAAA presence with our DNS Lookup tool.

example.com.  300  IN  AAAA  2606:2800:220:1:248:1893:25c8:1946

CNAME Record

An alias from one name to another. www.example.com CNAME example.com means "www is the same as the apex". CNAMEs cannot coexist with other record types at the same name (the "CNAME flattening" problem at the zone apex is why some DNS providers offer ALIAS/ANAME records).

MX Record

Specifies the mail server(s) for a domain. Multiple MX records can exist with different priorities — lower number = higher priority.

example.com.  3600  IN  MX  10  mail1.example.com.
example.com.  3600  IN  MX  20  mail2.example.com.

TXT Record

Free-form text attached to a domain, used for domain verification (Google, Microsoft), SPF, DKIM, and DMARC policies.

SPF (Sender Policy Framework)

A TXT record that declares which mail servers are authorised to send email on behalf of a domain. Receiving servers check this to filter spam.

v=spf1 include:_spf.google.com ~all

DKIM

DomainKeys Identified Mail — a TXT record at selector._domainkey.example.com containing a public key. Outgoing mail is signed with the corresponding private key so recipients can verify authenticity.

DMARC

A TXT record at _dmarc.example.com that tells receivers what to do when SPF or DKIM fail (none / quarantine / reject) and where to send failure reports.

_dmarc.example.com.  IN  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

NS Record

Lists the authoritative nameservers for the domain. These are set at your registrar and delegate DNS authority.

SOA Record

Start of Authority — one per zone, contains serial number, refresh interval, and contact email. Critical for zone transfers and DNSSEC.

CAA Record

Certification Authority Authorisation — restricts which CAs can issue TLS certificates for a domain. If you only use Let's Encrypt, add 0 issue "letsencrypt.org" to prevent rogue issuance.

PTR Record

Reverse DNS — maps an IP address back to a hostname. Stored in the in-addr.arpa zone for IPv4 and ip6.arpa for IPv6. Used by email servers for spam scoring.

→ Check your domain's DNS health — our dashboard audits A, AAAA, MX, SPF, DMARC, CAA and more in one click.

TLS/SSL & HTTPS Explained

7 min read · Security · Published Mar 2026 · Updated May 2026

What TLS does

Transport Layer Security (TLS) — often called SSL after its predecessor — encrypts the connection between your browser and a web server. Without TLS, anyone on your network (coffee shop Wi-Fi, ISP, VPN exit node) can read the exact bytes you send and receive.

HTTPS = HTTP running over a TLS-encrypted channel on port 443.

The TLS handshake

1. ClientHello — browser sends supported TLS versions and cipher suites.
2. ServerHello — server picks version and cipher, sends its certificate.
3. Certificate validation — browser verifies the cert is signed by a trusted CA, not expired, and matches the hostname (via SAN).
4. Key exchange — both sides derive a shared secret (using ECDHE in TLS 1.3).
5. Finished — encrypted communication begins. The handshake adds ~1 RTT to the first connection.

TLS 1.3 vs TLS 1.2

• TLS 1.3 reduces the handshake to 1 RTT (vs 2 for TLS 1.2) — faster page loads.
• Removes weak cipher suites (RC4, 3DES, SHA-1) — more secure by default.
• Supports 0-RTT resumption for returning visitors — near-zero overhead on reconnect.

Certificates and the trust chain

A TLS certificate is a cryptographic document that proves identity. It's issued by a Certificate Authority (CA) — a trusted third party like Let's Encrypt, DigiCert, or Sectigo. Browsers ship with a list of trusted root CAs. The chain goes: Root CA → Intermediate CA → Your Certificate.

Subject Alternative Names (SANs)

Modern certificates use SANs to list all hostnames they cover. A single cert can cover example.com, www.example.com, and api.example.com. Wildcard SANs (*.example.com) cover all single-level subdomains.

HSTS — HTTP Strict Transport Security

The Strict-Transport-Security response header tells browsers to always use HTTPS for a domain, even if the user types http://. With includeSubDomains; preload and registration at the HSTS preload list, browsers never attempt an insecure connection at all.

Check any certificate

# CLI check
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -text | grep -E "Subject:|Not After|DNS:"

# Simpler
curl -vI https://example.com 2>&1 | grep -E "SSL|expire|subject"

→ Use our TLS Checker to inspect any domain's certificate — expiry date, issuer, SANs, and days remaining.

HTTP Headers & Security

6 min read · Security · Web · Published Mar 2026 · Updated May 2026

What are HTTP headers?

HTTP headers are key-value metadata lines sent in every request and response. They tell the server who you are, what formats you accept, and how to handle the connection — and they tell the browser how to handle the response, what to cache, and what security policies to apply.

Key request headers

• User-Agent — browser, version, and OS identifier. Servers use it for content negotiation and analytics.
• Accept-Encoding — advertises compression support (gzip, br). Servers compress responses accordingly — typically 70–80% smaller.
• X-Forwarded-For — added by proxies and CDNs to preserve the original client IP. If you're behind Cloudflare, this header contains your real IP.
• Authorization — carries Bearer tokens, API keys, or Basic auth credentials.
• Origin / Referer — used for CORS checks and analytics attribution.

Security response headers

• Strict-Transport-Security (HSTS) — forces HTTPS. max-age=63072000; includeSubDomains; preload is the gold standard.
• Content-Security-Policy (CSP) — whitelists which scripts, styles, images, and frames are allowed to load. Prevents XSS attacks.
• X-Frame-Options: SAMEORIGIN — prevents your page from being loaded in an iframe on another domain (clickjacking protection).
• X-Content-Type-Options: nosniff — stops browsers from guessing MIME types, preventing MIME-confusion attacks.
• Referrer-Policy: strict-origin-when-cross-origin — controls how much referrer information is sent with links.
• Permissions-Policy — restricts access to browser features like camera, microphone, and geolocation per origin.

Caching headers

• Cache-Control: max-age=31536000, immutable — tells browsers to cache a resource for 1 year without revalidation (use with content-hashed filenames).
• Cache-Control: no-cache, no-store — never cache (use for HTML pages with dynamic content).
• ETag — a fingerprint of the resource. Browser sends it on next request; server says 304 Not Modified if unchanged.

Debug headers on your connection

# See all headers your browser sends
curl -v https://checkmyipv6.com/headers 2>&1 | grep "^>"

# Check security headers on a site
curl -sI https://example.com | grep -Ei "strict-transport|content-security|x-frame|x-content"

→ View your browser's HTTP headers — see exactly what your browser sends to our server, including proxy and CDN additions.

BGP & Autonomous System Numbers

7 min read · Routing · Infrastructure · Published Mar 2026 · Updated May 2026

What is an Autonomous System?

The internet isn't run by one organisation — it's a network of networks. An Autonomous System (AS) is a collection of IP prefixes under the administrative control of a single entity (an ISP, a company, a university, a cloud provider). Every AS has a unique number: an ASN.

Examples: AS15169 (Google), AS16509 (Amazon AWS), AS13335 (Cloudflare), AS7018 (AT&T).

What is BGP?

Border Gateway Protocol (BGP) is the routing protocol that glues the internet together. Every AS announces the IP prefixes it "owns" to its neighbouring ASes via BGP. Routers exchange these announcements to build a map of which AS can reach which IP ranges.

BGP is a path-vector protocol — each announcement includes the full AS path. This allows routers to detect and avoid routing loops.

BGP route selection

When multiple paths exist to the same prefix, BGP picks the best one based on attributes (in order of preference): Local Preference → AS path length → MED → eBGP over iBGP → IGP metric. The shortest AS path is usually preferred, but network operators can manipulate this with local-pref and route policies.

BGP security problems

BGP hijacking is a serious problem: a rogue AS can announce someone else's IP prefix, attracting traffic meant for the victim. RPKI (Resource Public Key Infrastructure) is the emerging standard to cryptographically sign prefix ownership, making hijacks detectable and filterable.

Reading ASN data

When you look up an IP, the ASN lookup returns the origin AS — the AS that originated the BGP announcement for that IP's prefix. This tells you which ISP or organisation owns that IP range.

# Lookup your own ASN
curl https://checkmyipv6.com/asn

# Lookup any IP
curl "https://checkmyipv6.com/asn?ip=8.8.8.8"
# → { "asn": "AS15169", "org": "Google LLC", "country": "US", ... }

→ Try the ASN Lookup tool to resolve any IP to its ISP, ASN, and location.

NAT & CGNAT Explained

6 min read · Networking · IPv4 · Published Mar 2026 · Updated May 2026

What is NAT?

Network Address Translation (NAT) maps multiple private IP addresses to a single public IP. Your home router does this: all your devices (192.168.1.x) share one public IP assigned by your ISP. NAT tracks which internal device made which outbound connection using a NAT table that maps (private IP + port) → (public IP + port).

Internal: 192.168.1.5:54321 → NAT rewrites → Public: 203.0.113.1:42000 → Google
Google's response comes back to 203.0.113.1:42000 → NAT rewrites → 192.168.1.5:54321

Types of NAT

• SNAT (Source NAT) — rewrites the source address. The most common type in home routers.
• DNAT (Destination NAT) — rewrites the destination. Used for port forwarding and load balancers.
• Masquerade — dynamic SNAT where the public IP is read from the interface (useful when the IP is dynamic).

Problems with NAT

NAT breaks the internet's end-to-end connectivity model. You can initiate outbound connections, but inbound connections require port forwarding configuration. This breaks peer-to-peer applications, VoIP, online gaming, and self-hosting without manual setup.

CGNAT — Carrier-Grade NAT

As IPv4 addresses ran out, ISPs started doing two layers of NAT: your home router NATing 192.168.x.x, and then the ISP NATing a whole neighbourhood of customers behind one public IP (using RFC 6598 addresses — the 100.64.0.0/10 range).

With CGNAT you share a public IP with tens or hundreds of other customers. Side effects:

• Port forwarding is impossible without ISP assistance.
• IP-based bans affect innocent users sharing the same public IP.
• Self-hosting a server at home is not feasible.
• Some apps (gaming, VoIP) have degraded performance due to double-NAT traversal.

Detecting CGNAT

If your router's WAN IP (e.g. 100.x.x.x) differs from the IP that external servers see, you're behind CGNAT. Our IP Inspector shows your connection's public IP; compare it to your router's WAN address.

IPv6 is the real fix

IPv6 provides enough addresses for every device to have a globally routable public IP, eliminating the need for NAT entirely. With IPv6, every device has true end-to-end connectivity. Learn about IPv6 addressing →

Subnetting & CIDR Made Easy

8 min read · Networking fundamentals · Published Mar 2026 · Updated May 2026

What is a subnet?

A subnet is a logical subdivision of an IP network. Subnetting splits a large address block into smaller, manageable pieces — each subnet is an independent broadcast domain. Routers connect subnets; switches connect hosts within a subnet.

CIDR notation

Classless Inter-Domain Routing (CIDR) expresses a network as a base address plus a prefix length: 192.168.1.0/24. The /24 means the first 24 bits are the network portion; the remaining 8 bits (2⁸ = 256 addresses, 254 usable) are for hosts.

Network and broadcast addresses

In every subnet, the first address is the network address (all host bits = 0) and the last is the broadcast address (all host bits = 1). These are not assignable to hosts. In 192.168.1.0/24: network = 192.168.1.0, broadcast = 192.168.1.255, usable = 192.168.1.1–192.168.1.254.

IPv6 subnetting

IPv6 uses the same CIDR notation but with 128-bit addresses. ISPs typically allocate a /48 to each customer (65,536 /64 subnets). Within your /48, you carve out /64 subnets — one per VLAN or LAN segment. Each /64 has 2⁶⁴ addresses — enough for every grain of sand on Earth.

Wildcard masks (ACLs)

The inverse of the subnet mask, used in Cisco ACLs and firewall rules. A /24 subnet mask is 255.255.255.0; the wildcard is 0.0.0.255. Bits set to 1 in the wildcard are "don't care" bits.

→ Try our Subnet Calculator — enter any CIDR and instantly see network address, broadcast, host range, and more for IPv4 and IPv6.

WHOIS & RDAP: Domain Registration Lookup

5 min read · Domains · Published Mar 2026 · Updated May 2026

What is WHOIS?

WHOIS is a query-response protocol (port 43) that returns registration data about domain names and IP address blocks. It answers questions like: Who registered this domain? When does it expire? Which registrar is responsible?

RDAP — the modern standard

Registration Data Access Protocol (RDAP) is the IETF-standardised successor to WHOIS. It returns structured JSON instead of unformatted text, supports authentication for privacy-sensitive data, and is served over HTTPS. All major TLDs now support RDAP.

# RDAP query (JSON response)
curl "https://rdap.org/domain/example.com" | jq '{handle, ldhName, registrar: .entities[0].vcardArray}'

# Traditional WHOIS
whois example.com

What WHOIS/RDAP tells you

• Registrar — the company through which the domain was registered (GoDaddy, Namecheap, Google Domains, etc.)
• Registration date — when the domain was first registered. Old domains have more SEO authority.
• Expiry date — when the domain will be released if not renewed. Critical for monitoring.
• Name servers — the authoritative DNS servers for the domain.
• Registrant contact — often redacted via WHOIS privacy services (GDPR in EU).

WHOIS privacy and GDPR

Since GDPR took effect in 2018, most European registrants' personal details are hidden. Registrars like Cloudflare and Namecheap include free WHOIS privacy by default, replacing your name and address with proxy contact information.

IP address WHOIS

IP address blocks have their own WHOIS data maintained by regional internet registries (ARIN, RIPE, APNIC, LACNIC, AFRINIC). An IP WHOIS query returns the organisation that owns the block, the country, and abuse contact details.

→ Try our WHOIS Lookup tool — query any domain's registration, registrar, and expiry date instantly.

TCP/IP & the Internet Protocol Stack

7 min read · Networking fundamentals · Published Apr 2026 · Updated May 2026

The TCP/IP model

The internet runs on a four-layer model. Each layer handles a specific abstraction, and layers communicate only with the layers directly above and below them:

IP — the Internet Protocol

IP is a connectionless, best-effort protocol. It delivers packets from source to destination by routing them hop-by-hop based on the destination address. It makes no guarantees about ordering, duplication, or delivery — that's TCP's job.

TCP — Transmission Control Protocol

TCP adds reliability on top of IP: guaranteed delivery, ordered data, and flow control. The three-way handshake establishes a connection before any data flows:

Client → SYN     → Server
Client ← SYN-ACK ← Server
Client → ACK     → Server
(connection established — data can now flow)

TCP also manages congestion control — it backs off when the network is saturated, then probes for more bandwidth (slow start → congestion avoidance → fast recovery).

UDP — User Datagram Protocol

UDP is connectionless and unreliable — it just sends packets with no handshake, no retransmission, no ordering. This makes it faster and lower-latency than TCP. Used for DNS, video streaming, VoIP, online gaming, and QUIC (the protocol underlying HTTP/3).

QUIC and HTTP/3

QUIC is Google's modern replacement for TCP + TLS, built on UDP. It multiplexes streams without head-of-line blocking, encrypts all headers and payload, and supports 0-RTT connection resumption. HTTP/3 runs on QUIC and is now supported by all major browsers and CDNs.

Ports

Ports distinguish services on the same IP. Well-known ports: 80 (HTTP), 443 (HTTPS), 53 (DNS), 22 (SSH), 25 (SMTP), 587 (SMTP submission), 993 (IMAPS). Ports above 1023 are ephemeral (dynamically assigned for outbound connections).

Network Latency & Round-Trip Time

5 min read · Networking · Performance · Published Apr 2026 · Updated May 2026

What is latency?

Latency is the time it takes for a packet to travel from source to destination. Round-Trip Time (RTT) is the total time for a packet to go there and come back — what you see in a ping response. Latency is measured in milliseconds (ms).

What causes latency?

• Propagation delay — light travels at ~200,000 km/s through fibre (2/3 of vacuum speed). A transatlantic cable adds ~35–40 ms each way, unavoidably.
• Serialisation delay — time to physically transmit bits onto the wire. Negligible at gigabit speeds.
• Processing delay — time routers take to look up routing tables and forward packets. Usually microseconds.
• Queuing delay — packets wait in router buffers when a link is congested. This is the main source of variable "jitter" under load.

Latency benchmarks

Jitter

Jitter is the variation in latency between packets. High jitter causes choppy audio/video even if average latency is low. VoIP and gaming need jitter below 30 ms for acceptable quality.

TCP Ping vs ICMP Ping

Traditional ping uses ICMP echo requests. Many firewalls block ICMP but allow TCP on port 80/443. A TCP ping opens a TCP connection to a specific port to test reachability and measure RTT — more representative of real application behaviour.

# ICMP ping
ping -c 5 google.com

# TCP "ping" with curl
curl -o /dev/null -s -w "%{time_total}\n" https://checkmyipv6.com/ip

# TCP ping to specific port
nc -zv -w 2 example.com 443 2>&1 | grep succeeded

→ Try TCP Ping to test connectivity to any host and port. Measure your RTT to our global CDN.

IPv6 Transition Mechanisms

7 min read · IPv6 · Infrastructure · Published Apr 2026 · Updated May 2026

The dual-stack era

The internet cannot switch to IPv6 overnight — billions of devices, applications, and routers need simultaneous IPv4 support. Dual-stack is the primary strategy: a host or network operates both IPv4 and IPv6 at the same time, using whichever is available for each connection.

Happy Eyeballs (RFC 8305)

When a browser connects to a dual-stack server, it prefers IPv6 but doesn't want to wait if IPv6 is broken. Happy Eyeballs starts an IPv6 connection attempt and, after 250 ms (the "eyeballs" delay), simultaneously starts an IPv4 attempt. Whichever completes first wins. This hides IPv6 failures from users while keeping IPv6 as the preferred path.

Tunnelling mechanisms

• 6in4 — encapsulates IPv6 packets inside IPv4 packets (protocol 41). Used by tunnel brokers like Hurricane Electric (tunnelbroker.net) when your ISP doesn't offer native IPv6.
• 6to4 — automatic tunnelling using the 2002::/16 prefix. Embeds the IPv4 address in the IPv6 address. Largely deprecated due to performance and security issues.
• Teredo — tunnels IPv6 over UDP/IPv4 to cross NAT. Windows has Teredo built in. Also deprecated for most uses.
• ISATAP — Intra-Site Automatic Tunnel Addressing Protocol, for within-enterprise IPv6-over-IPv4 tunnelling.

NAT64 & DNS64

On IPv6-only networks (mobile, some ISPs), NAT64 translates IPv6 packets to IPv4 at a gateway, allowing IPv6-only clients to reach IPv4-only servers. DNS64 synthesises AAAA records from A records so IPv6 clients can resolve IPv4-only hostnames. iOS and Android networks use NAT64/DNS64 extensively.

464XLAT

Used on mobile networks — a client-side CLAT (Customer-side transLATor) translates the device's local IPv4 (from apps) to IPv6, which is then translated back to IPv4 by the carrier's PLAT. This lets legacy IPv4-only apps work on IPv6-only networks transparently.

Check your IPv6 readiness

→ Get your IPv6 Readiness Score — we check your connection type, ISP support, and address properties.

Traceroute & Network Path Analysis

6 min read · Debugging · CLI · Published Apr 2026 · Updated May 2026

What traceroute does

Traceroute maps the network path between you and a destination by exploiting the IP TTL (Time-to-Live) field. It sends a series of probes, each with an incrementing TTL starting at 1. When a router decrements TTL to 0, it drops the packet and sends back an ICMP "Time Exceeded" message — revealing the router's IP address and RTT.

Reading traceroute output

traceroute to google.com (142.250.185.14), 30 hops max
 1  192.168.1.1       1.2 ms   1.1 ms   1.3 ms   ← your home router
 2  100.64.0.1        5.4 ms   5.2 ms   5.8 ms   ← ISP CGNAT gateway
 3  10.0.0.1          8.1 ms   7.9 ms   8.3 ms   ← ISP core router (private IP)
 4  203.0.113.1      12.4 ms  12.8 ms  12.2 ms   ← ISP upstream peering
 5  72.14.195.232    14.1 ms  14.3 ms  14.5 ms   ← Google edge
 6  142.250.185.14   14.8 ms  14.9 ms  14.7 ms   ← destination!

Interpreting asterisks (*)

Three asterisks on a hop mean the router either doesn't send ICMP Time Exceeded responses or rate-limits them. This is common at large ISPs and CDNs. A hop showing * * * doesn't mean the path is broken — look at subsequent hops. If later hops respond, the path is fine.

Diagnosing with traceroute

• High RTT jump at a specific hop — network bottleneck or congested link between those two routers.
• Consistently high RTT from hop N onwards — the issue is at or before hop N, not in later parts of the path.
• Path divergence — compare traceroutes from different times of day. ECMP and BGP routing changes cause different paths.

IPv6 traceroute

# Linux/macOS
traceroute6 google.com
traceroute -6 google.com

# Windows
tracert -6 google.com

# With TCP (bypasses ICMP-blocking firewalls)
traceroute -T -p 443 google.com    # Linux (requires root)
sudo tcptraceroute google.com 443

MTR — realtime traceroute

mtr (Matt's Traceroute) combines ping and traceroute into a live, continuously-updating display. It shows packet loss per hop, which is invaluable for diagnosing intermittent issues.

mtr google.com          # interactive
mtr --report google.com # one-shot report mode
mtr -6 google.com       # IPv6

→ Read the full debugging guide for more CLI networking tips.

VPNs, Proxies & Anonymisation

6 min read · Privacy · Security · Published Apr 2026 · Updated May 2026

How a VPN changes your IP

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and a VPN server. All your traffic exits the internet from the VPN server's IP address — websites and services see the VPN server's IP, not yours. Your real IP is only visible to your ISP and the VPN provider.

Without VPN: You → ISP → Internet (your real IP is visible)
With VPN:    You → ISP → VPN Server → Internet (VPN server IP visible)

VPN vs Proxy

• VPN — operates at the OS network level. Encrypts all TCP and UDP traffic from every app. Requires a client app. Hides all traffic from the ISP.
• HTTP/HTTPS Proxy — browser-level only (or specific apps). Passes HTTP traffic through an intermediary server. No encryption unless combined with TLS. ISP can still see which server you're connecting to.
• SOCKS5 Proxy — lower-level than HTTP proxy, works with any TCP/UDP traffic. Commonly used with Tor and SSH tunnels.

What VPNs don't hide

• Your activity from the VPN provider — they see all your traffic (choose a no-log provider).
• Browser fingerprinting — websites can identify your device via canvas, WebGL, font rendering even without your IP.
• DNS leaks — if your device queries DNS outside the VPN tunnel, your ISP can see your DNS lookups. Use DNS leak test tools.
• IPv6 leaks — many VPNs only tunnel IPv4. If IPv6 is enabled on your device, it bypasses the VPN. Our IP Inspector can reveal this.

Tor

Tor routes traffic through three encrypted relays. No single relay knows both origin and destination. Much slower than VPNs (typically 2–5 s latency) but provides stronger anonymity. Tor exit nodes share a small pool of IPs, so they're commonly blocked by services.

Detecting VPN/proxy use

IP intelligence services flag datacenter IPs, known VPN provider IP ranges, and Tor exit nodes. Our IP Inspector shows whether your IP is a datacenter or residential address — the same check services run on your traffic.

DNSSEC: Securing the DNS Chain

6 min read · DNS · Security · Published Apr 2026 · Updated May 2026

The DNS cache poisoning problem

Traditional DNS has no authentication. An attacker who can inject a forged response into a recursive resolver's cache can redirect users to a malicious server — even for a legitimate domain name. This is a DNS cache poisoning or Kaminsky attack.

How DNSSEC works

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records. The zone operator signs all records with a private key; resolvers validate the signatures using the corresponding public key. Forged records without a valid signature are rejected.

DNSSEC creates a chain of trust from the root zone down to the individual domain:

Root zone (.) → signs TLD (.com)
TLD (.com) → signs domain (example.com) via DS record
Domain (example.com) → signs individual records with RRSIG

Key DNS record types added by DNSSEC

• DNSKEY — the public key for a zone. Two keys are used: KSK (Key Signing Key, changed rarely) and ZSK (Zone Signing Key, rotated frequently).
• RRSIG — a digital signature over an RRset (group of records of the same type). Every signed record gets an RRSIG.
• DS (Delegation Signer) — a hash of the child zone's KSK, stored in the parent zone to link the chain of trust downward.
• NSEC / NSEC3 — proves that a record does NOT exist (authenticated denial of existence). NSEC3 adds hashing to prevent zone enumeration.

DNSSEC limitations

DNSSEC protects data integrity but not confidentiality — responses are still transmitted in plain text (DoH/DoT handles privacy). DNSSEC also significantly increases response sizes and operational complexity. Zone signing and key rotation require careful management.

Checking DNSSEC

# Check if a domain is DNSSEC-signed
dig example.com DNSKEY +short

# Validate the chain of trust
dig example.com +dnssec | grep "RRSIG"

# Check DS record in parent
dig example.com DS @a.gtld-servers.net

→ Run DNS Health Check to audit your domain's DNS configuration including DNSSEC signals.

IPv6 Security & Privacy

7 min read · IPv6 · Security · Published Apr 2026 · Updated May 2026

New attack surface with IPv6

IPv6 changes the threat model in several important ways. NAT no longer provides implicit filtering — every device has a globally routable address, so firewall rules that were implicit in IPv4 NAT must be explicitly configured in IPv6.

EUI-64 and MAC address leakage

Early IPv6 implementations used Stateless Address Autoconfiguration (SLAAC) with EUI-64 addressing: the device embedded its 48-bit MAC address into the 128-bit IPv6 interface identifier, making the address globally unique and trackable across networks.

EUI-64 addresses are identifiable by the ff:fe bytes in the middle of the interface ID:

2001:db8::0200:5eff:fe12:3456
             ^^^^    ↑↑↑↑
          inverted     ff:fe = EUI-64 marker
          U/L bit
MAC = 00:00:5e:12:34:56  (after flipping the U/L bit back)

→ Our IP Inspector can detect EUI-64 addresses and reconstruct the embedded MAC address.

Privacy Extensions (RFC 4941)

To solve EUI-64 tracking, RFC 4941 Privacy Extensions generate temporary, random interface IDs that change periodically (typically every few days). Modern OSes (Windows, macOS, Linux, iOS, Android) enable privacy extensions by default.

When privacy extensions are active, your IPv6 address changes regularly — making cross-site tracking by IP significantly harder than with IPv4.

NDP — the IPv6 equivalent of ARP

Neighbour Discovery Protocol (NDP) replaces ARP in IPv6. It uses ICMPv6 to find link-layer addresses, detect duplicate addresses, and learn about routers. NDP is more powerful than ARP but also a larger attack surface:

• NDP spoofing — analogous to ARP poisoning. An attacker can fake Neighbour Advertisement messages to redirect traffic. Mitigated by SEND (Secure Neighbour Discovery) and RA Guard.
• Rogue Router Advertisement (RA) — an attacker on the LAN can send fake Router Advertisements to redirect all traffic through their machine. RA Guard on managed switches blocks unauthorised RAs.

IPv6 firewall rules

Critical firewall rules for IPv6 that don't have IPv4 equivalents:

• Allow ICMPv6 — essential for NDP, path MTU discovery, and traceroute6. Blocking all ICMPv6 breaks IPv6 connectivity.
• Block incoming connections to all ports by default (unlike NAT, which provided this implicitly in IPv4).
• Allow established/related connections to return.
• Apply the same application-layer rules as IPv4 — services listening on IPv6 are publicly reachable.

Check your IPv6 address type

→ Use the IP Inspector to analyse your IPv6 address — detect EUI-64 MAC embedding, scope, type, and privacy extension status.