IP Cow logo IP Cow

Privacy-first IP, DNS & email tools · 20+ years of serving your IP

Tools reference

What each of IP Cow's 52 tools does, grouped by category.

Every tool is free and needs no account. Network probes (ping, port, HTTP, SSL, traceroute…) run from our own IPv4 and IPv6 servers; the browser-side tools never send your data anywhere. Jump to a category: IP & addressing · DNS · Email & deliverability · Network · RDAP / Whois · Privacy · Diagnostics · AI .

IP & addressing

CIDR Calculator

Enter any IPv4 or IPv6 CIDR block and get its network and broadcast addresses, subnet mask, wildcard mask, usable host range and total host count. Useful for planning subnets, writing firewall rules or sanity-checking an allocation.

Command-Line IP

A plain-text version of your public IP, built for scripts and the command line — "curl checkip.ipcow.com" returns just the address. Force a protocol with -4 / -6, or append ?json for a structured response. Ideal for shell scripts, cron jobs and CI that need to know their egress IP.

IP Geolocation

Approximate geographic location (country, region, city) and network details (ISP, ASN) for any IPv4 or IPv6 address. The data comes from a GeoLite2 database we host ourselves, so the lookup never touches a third-party geolocation API. Good for a quick read on where an address is and who runs it — with the usual caveat that IP geolocation is only ever approximate.

IP Range → CIDR

Give it an inclusive start and end IP and it returns the minimal set of CIDR blocks that exactly covers that range — no more, no less. Handy when a vendor hands you a range but your firewall, route table or ACL only speaks CIDR.

What's My IP

Shows your public IPv4 and IPv6 addresses as our servers see them, along with the request headers that actually matter for debugging — User-Agent, the forwarded-for chain, Accept-Language and more. Everything is resolved on our own infrastructure with no third-party lookups, so it's a clean view of how the internet sees your connection.

DNS

AAAA Lookup

Resolves a domain's AAAA records — its IPv6 addresses. A focused lookup for confirming a host is reachable over IPv6 and which addresses it publishes.

CAA Check

Reads a domain's CAA records, which declare exactly which certificate authorities are allowed to issue certificates for it. Useful for locking down issuance and for debugging why a CA refused — or was allowed — to issue.

CERT Lookup

Fetches CERT records, which store certificates or CRLs directly in DNS — PKIX, PGP, SPKI and other types. A niche lookup for setups that publish keys or certificates via DNS.

CNAME Lookup

Resolves a host's CNAME alias and follows the chain it points to, so you can see exactly where an alias ultimately leads. Handy for untangling layered CNAMEs behind CDNs and SaaS vendors.

DNS Check

A one-shot overview of a domain's core DNS records — A, AAAA, MX, NS, TXT, SOA and CAA — plus its DNSSEC status, all in a single view. The fast health-check for when you just want the big picture of a domain's DNS.

DNS Lookup

Resolves any common DNS record type — A, AAAA, CNAME, MX, TXT, NS, SOA, CAA or SRV — for a domain, queried through the privacy-respecting Quad9 resolver. The everyday DNS lookup for checking what a domain currently publishes.

DNS Propagation

Queries the same record across several public resolvers — Quad9, Cloudflare, Mullvad and AdGuard — and shows whether they agree. After a DNS change this tells you how far the update has propagated and whether any resolver is still serving the old answer.

DNSKEY Lookup

Shows the DNSKEY records a zone publishes for DNSSEC — the zone-signing and key-signing keys, with their key tags. Useful for matching keys against the DS record at the parent and for DNSSEC key-rollover work.

DNSSEC Check

Checks whether a domain is DNSSEC-signed and actually validating, showing the DNSKEY/DS chain and the resolver's authenticated-data (AD) flag. Confirms the cryptographic chain of trust is intact, not merely present.

DS Lookup

Fetches the DS (Delegation Signer) records that live at the parent zone and link a domain into the DNSSEC chain of trust. When DNSSEC validation fails, a missing or mismatched DS record at the registrar is a common culprit.

IPSECKEY Lookup

Resolves IPSECKEY records — the IPsec public key and gateway a host publishes for opportunistic encryption. Useful when configuring or debugging IPsec that bootstraps from DNS.

LOC Lookup

Resolves a DNS LOC record, which encodes a latitude, longitude and altitude for a name. Rare in the wild, but this surfaces it when present.

NS Lookup

Lists the authoritative nameservers a domain is delegated to — a quick way to confirm which DNS provider is in charge of a zone, for example after a migration.

NSEC Lookup

Fetches the NSEC record for a name, which authenticates the next name in the zone and the record types that exist — the mechanism DNSSEC uses to prove a record does not exist. A diagnostic for authenticated denial-of-existence.

NSEC3PARAM Lookup

Reads a zone's NSEC3PARAM record — the hash algorithm, iteration count and salt for its NSEC3 chain, the hashed variant of NSEC that hides zone contents. Useful when auditing a zone's DNSSEC denial-of-existence setup.

Reverse DNS (PTR)

Looks up the PTR record(s) an IP address resolves back to — the reverse of a normal A/AAAA lookup. Mail servers and logging systems lean on reverse DNS, so this is handy for diagnosing delivery or attribution issues.

RRSIG Lookup

Shows the RRSIG records — the DNSSEC signatures over a name — including each signature's validity window and the signer. Handy for diagnosing DNSSEC validation failures caused by expired or mismatched signatures.

SOA Lookup

Reads a zone's SOA (Start of Authority) record: the primary nameserver, the responsible contact, the serial number and the refresh/retry/expire/minimum timers. Good for checking a zone's serial bumped after an edit, or reviewing its caching behaviour.

SRV Lookup

Resolves an SRV service record and shows its priority, weight, target host and port. SRV records steer clients to services like SIP, XMPP and Microsoft 365 autodiscover, so this helps verify service discovery is configured correctly.

TXT Lookup

Fetches a domain's TXT records, where SPF policies, domain-verification tokens and other free-form text live. Useful for confirming a verification record has landed or auditing what a domain publishes.

Email & deliverability

BIMI Lookup

Finds a domain's BIMI record — the brand logo it asks mailbox providers to display next to authenticated mail — and its associated Verified Mark Certificate (VMC). Useful for setting up or verifying brand indicators in the inbox.

Blacklist Check

Checks an IP against a curated set of major DNS blacklists (RBLs) in one sweep and shows exactly which ones list it. Essential for diagnosing why mail from a server is being rejected or routed to spam.

DKIM Lookup

Fetches a DKIM public key for a given selector and flags weak keys, such as short RSA keys. Useful for confirming a DKIM selector is published correctly and meets modern strength expectations.

DMARC Check

Resolves and validates the DMARC policy published at _dmarc.<domain>, showing the policy (none / quarantine / reject), alignment and reporting addresses. Tells you whether a domain is protected against spoofing and how strictly.

Email Deliverability

Runs MX, SPF, DMARC and MTA-STS checks together and summarises a domain's whole inbound-email posture in one shot, flagging the problems. The fastest way to see whether a domain's email authentication is set up correctly end to end.

MTA-STS Check

Reports a domain's inbound SMTP TLS posture: its MTA-STS policy (mode, MX list, max_age) and its TLS-RPT reporting record. Confirms a domain enforces TLS for incoming mail and receives failure reports.

MX Lookup

Lists a domain's MX (mail exchanger) records in preference order, so you can see which servers receive its mail and at what priority. The starting point for any email-routing investigation.

SPF Check

Parses a domain's SPF record and counts the DNS lookups it triggers against the RFC 7208 limit of 10 — the limit that silently breaks SPF for so many domains once they add a few senders. Flags the problem before it causes delivery failures.

Network

HTTP Check

Fetches a URL from our probes and reports the HTTP status, the full redirect chain and the response time, broken down per IP stack. Good for confirming a site is up, seeing where it redirects, and comparing IPv4 vs IPv6 behaviour.

HTTP Headers

Fetches a URL, follows the redirect chain and shows every response header — with the important security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options and friends) called out so you can see what is set and what is missing. Useful for a quick security-header audit or for debugging caching and CORS behaviour.

Ping

Measures ICMP round-trip time to a host from our IPv4 and IPv6 probe servers, so you can compare latency across both stacks from a neutral vantage point. Useful for spotting reachability problems or latency differences that your own connection might mask.

Port Check

Tests whether a TCP port on a host is open and how quickly it accepts a connection, checked over both IPv4 and IPv6. A fast way to confirm a service is listening and reachable from the public internet — or to confirm a firewall is doing its job.

SMTP Banner

Connects to a mail server on its SMTP port and reads the greeting banner it returns, which usually reveals the mail software and version. Mostly an IPv4 story, since plenty of mail servers still are not on IPv6. Handy for confirming a mail host answers and seeing what it announces.

SSL Certificate

Inspects a host's TLS certificate over both IPv4 and IPv6 and reports the issuer, validity dates, days remaining until expiry, the Subject Alternative Names it covers and the chain. A quick way to check a certificate is valid, not about to expire and covers the right hostnames. For ongoing alerts, the SSL monitor in your dashboard watches expiry for you.

Traceroute

Traces the network path to a host hop by hop from our IPv4 and IPv6 probes, showing each router along the way and its latency. Useful for locating exactly where a connection slows down or breaks between us and the target.

URL Shortener

Shorten a long URL onto one of our own short domains — shortcow.com (the default), n9a.us or n48.us. It's first-party with no click-tracking and no third-party middlemen: the short link simply redirects to your target. Pick the domain that fits and we generate a compact code.

RDAP / Whois

ASN Lookup

Finds the autonomous system announcing an IP — the AS number, network name and the BGP prefix it sits in — resolved over Team Cymru's DNS service rather than a rate-limited whois API. Good for identifying which network operator routes an address.

RDAP / Domain Whois

Fetches a domain's registration details via RDAP — registrar, status codes, nameservers, DNSSEC status and expiry date. RDAP coverage varies by TLD; see the RDAP coverage guide for which domains answer and why some come back empty.

RDAP / IP Whois

Looks up registration data for an IP address straight from the Regional Internet Registries via RDAP — the owning organisation, the allocated network range and the abuse contact. The modern, structured replacement for IP WHOIS.

Privacy

Quick File Share

Share files without an account: upload up to 10 files (250 MB total) and get a short, memorable code plus a QR code to hand off. Files are encrypted at rest on our own servers and auto-delete when they expire (up to 24 hours) or hit an optional download limit. Two or more files are bundled into a single zip on download.

Send a Secret

Send a password, API key or private note as a one-time, end-to-end-encrypted link. The secret is encrypted in your browser and we only ever store the ciphertext — the decryption key lives in the link's fragment and never reaches us, so we can't read it or recover it. Choose how many views it allows and when it expires; once it's viewed out or expired, it's gone for good.

Diagnostics

Sound Test

Plays test tones through your speakers or headphones — left channel, right channel and both — so you can confirm audio output and channel balance. Runs entirely in your browser.

Speed Test

Measures your download and upload throughput and latency against our own IPv4 and IPv6 servers, right in the browser — no Flash, no ads, no third-party CDN. A clean read on your connection speed over both stacks.

Webcam Test

Previews your camera so you can confirm it works and is framed correctly before a call. The video never leaves your browser — nothing is uploaded anywhere.

WebSocket Test

Checks whether your network actually allows WebSocket connections, which some corporate proxies and firewalls quietly block. Useful when a real-time app won't connect and you suspect the network is at fault.

AI

LLMs.txt Lookup

Checks whether a site publishes an /llms.txt file — the emerging convention for offering curated, model-friendly documentation to LLMs — and shows what it found. Useful for site owners adopting the standard and for seeing who already has.

Robots.txt LLM Policy

Reads a site's robots.txt and shows how it treats AI crawlers specifically — GPTBot, ClaudeBot, Google-Extended, PerplexityBot and others — so you can tell at a glance whether AI bots are allowed or blocked. Handy for publishers deciding their AI-crawl policy.