Bogon Check: a beginner's guide
Check if IP is private, reserved, or bogon
Bogon IPs: the addresses that shouldn't exist on the public internet
A bogon is an IP address that should never appear as the source of a packet on the public internet — because it belongs to a range that is reserved, private, unallocated, or otherwise illegitimate. The most familiar bogons are the private address ranges that everyone uses inside their home or office network: `10.0.0.0/8`, `172.16.0.0/12`, and `192.168.0.0/16`. These are explicitly defined in RFC 1918 for private use, and no router on the public internet should ever forward a packet with a private source IP. Other bogons are addresses in `0.0.0.0/8` (the "this network" range), the loopback range (`127.0.0.0/8`), the link-local range (`169.254.0.0/16`), and the documentation ranges reserved for examples (like `203.0.113.0/24`).
You should care because a packet from a bogon source on the public internet is almost always a sign of spoofing. There is no legitimate reason for a public-facing server to receive traffic claiming to come from `10.0.0.5` or `127.0.0.1`. When you see one in your logs, you are almost always looking at a misconfiguration upstream, a malicious actor trying to forge a source address, or a Denial-of-Service attack using spoofed sources to amplify traffic. Bogon detection is one of the simplest and oldest forms of network security, and it is still surprisingly effective at catching obviously broken or hostile traffic.
The five bogon categories every check looks at:
RFC 1918 private addresses. `10/8`, `172.16/12`, `192.168/16`.
Loopback. `127/8` — the entire range, not just `127.0.0.1`.
Link-local. `169.254/16` — used for auto-configuration when no DHCP server is present.
Documentation ranges. `192.0.2/24`, `198.51.100/24`, `203.0.113/24`, all reserved for use in examples and never routed.
Unallocated address space. Ranges that the IANA has not yet assigned to any regional internet registry.
Three questions a bogon check answers:
Is this incoming packet actually from a real public IP, or a forgery?
Are any of my logs filling up with bogon-source traffic that suggests an attack or a misconfiguration?
Should I configure my firewall or perimeter router to drop bogons at the edge?
The cost of accepting bogon traffic is the small but real risk of being part of an amplification attack, accepting forged log entries, or being fooled by spoofed source addresses. The fix is one firewall rule, and is the kind of "set it and forget it" hardening every network engineer learns early. The current bogon list is maintained by Team Cymru. The special-purpose ranges are fixed, but a filter that also covers unallocated space has to be refreshed from that list as new allocations are made.
The Bogon Check endpoint, in plain language
In one sentence: Check if [IP (Internet Protocol address)](/guides/ip-geolocation) is private, reserved, or bogon
Identifies bogon IP addresses: IPs from private, reserved, or special-purpose ranges as defined by IANA and various RFCs. Supports both IPv4 (Internet Protocol version 4) and IPv6 (Internet Protocol version 6). Critical for firewall hardening, spoofed traffic detection, and input validation.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Checks if an IPv4 (Internet Protocol version 4) or IPv6 (Internet Protocol version 6) address falls within any IANA-defined special-purpose range. For IPv4, checks 16 ranges including: private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 per RFC 1918), CGNAT (100.64.0.0/10), loopback (127.0.0.0/8), link-local (169.254.0.0/16), documentation (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), benchmarking (198.18.0.0/15), multicast (224.0.0.0/4), and reserved (240.0.0.0/4). For IPv6, checks unique-local (fc00::/7), link-local (fe80::/10), loopback (::1), and more. Returns the bogon type, matching CIDR (Classless Inter-Domain Routing) range, RFC (Request for Comments) reference, and whether it is specifically a private address.
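The range lookup described above, as an added example that is not EdgeDNS's own code: a local classifier over the ranges this page names (not the service's full table), returning a subset of the documented response fields. The names `check_bogon` and `accept_user_ip`, the `is_private` rule, and the unwrapping of IPv4-mapped IPv6 addresses are assumptions of this example.

```python
import ipaddress

# Ranges named on this page, labelled with the documented bogon_type values.
BOGON_RANGES = [
    ("10.0.0.0/8", "private"),
    ("172.16.0.0/12", "private"),
    ("192.168.0.0/16", "private"),
    ("100.64.0.0/10", "carrier_grade_nat"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link_local"),
    ("192.0.2.0/24", "documentation"),
    ("198.51.100.0/24", "documentation"),
    ("203.0.113.0/24", "documentation"),
    ("198.18.0.0/15", "benchmarking"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved"),
    ("fc00::/7", "unique_local"),
    ("fe80::/10", "link_local"),
    ("::1/128", "loopback"),
]
_NETS = [(ipaddress.ip_network(cidr), kind) for cidr, kind in BOGON_RANGES]


def check_bogon(text):
    """Classify one address string; raises ValueError if it is not an IP."""
    addr = ipaddress.ip_address(text.strip())
    # Assumption: unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a private IPv4
    # address written in IPv6 form is still matched against the IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net, kind in _NETS:
        if addr in net:  # False when the IP versions differ
            return {"ip": str(addr), "is_bogon": True, "bogon_type": kind,
                    "ip_version": addr.version,
                    "is_private": kind in ("private", "unique_local"),
                    "matched_range": str(net)}
    return {"ip": str(addr), "is_bogon": False, "bogon_type": None,
            "ip_version": addr.version, "is_private": False,
            "matched_range": None}


def accept_user_ip(text):
    """Input-validation gate: accept only well-formed, non-bogon addresses."""
    try:
        return not check_bogon(text)["is_bogon"]
    except ValueError:
        return False  # not an IP at all: reject rather than guess
```

When the address will later be used for an outbound connection, run the check on the address actually connected to, not only on the string the user submitted.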
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Bogon Check tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Bogon traffic on the public internet indicates either network misconfiguration or IP (Internet Protocol address) spoofing attacks. Filtering bogons is a fundamental network security practice recommended by NIST, SANS, and FIRST. This endpoint helps developers validate user-submitted IPs, network engineers audit firewall rules, and SOC analysts detect spoofed traffic in real-time.
Picture this in real life. Imagine a network engineer. Here's the situation they're walking into: Audit firewall allowlists and ACLs to ensure no bogon ranges are accidentally permitted, especially CGNAT (100.64.0.0/10) ranges that are commonly misconfigured. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Bogon Check tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Bogon Check tool is built for you:
Is this domain or IP address known for fraud, phishing, or abuse?
Should my signup form, payment flow, or comment system trust this visitor?
Is someone out there registering lookalike domains targeting my brand?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Trust and safety teams, fraud analysts, brand-protection managers, security operations engineers, and product teams running open signup flows. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you find out a domain or IP was malicious only after it has already cost you money or trust. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the free plan. The technical details: `GET /v1/ip/bogon`.
When would I actually use this?
If you're still on the fence about whether the Bogon Check tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a network engineer, a SOC analyst, and a backend developer — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Firewall Rule Validation
Imagine you're a network engineer. Audit firewall allowlists and ACLs to ensure no bogon ranges are accidentally permitted, especially CGNAT (100.64.0.0/10) ranges that are commonly misconfigured.
Why it matters: Eliminate security holes from misconfigured firewall rules that allow reserved address space.
Story 2: Spoofed Traffic Detection
Imagine you're an SOC analyst. Flag incoming traffic from bogon IP (Internet Protocol address) addresses at the network edge as definitively spoofed, since these addresses cannot exist on the public internet.
Why it matters: Instant, zero-false-positive detection of IP (Internet Protocol address) spoofing attacks in traffic analysis.
Story 3: API Input Validation
Imagine you're a backend developer. Validate user-submitted IP (Internet Protocol address) addresses in registration forms and API (Application Programming Interface) requests to reject private or reserved ranges that indicate test data, misconfiguration, or abuse.
Why it matters: Ensure data quality and prevent SSRF-like attacks by rejecting non-routable addresses at the application layer.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Bogon Check tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Inside a signup form, payment flow, or comment system, to score risk in real time.
When investigating a customer complaint about a suspicious link or message.
On a recurring schedule, to monitor lookalike domains targeting your brand.
During incident response, to enrich an alert with reputation context.
If you can see yourself in even one of those bullets, the Bogon Check tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Bogon Check tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Bogon Check tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/ip/bogon?ip=192.168.1.1"
```
What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| ip | string | Yes | The IPv4 (Internet Protocol version 4) or IPv6 (Internet Protocol version 6) address to check | 192.168.1.1 |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| ip | string | The queried IP address |
| is_bogon | boolean | Whether the IP is a bogon (non-routable) address |
| bogon_type | string | Classification: private, loopback, link_local, multicast, carrier_grade_nat, documentation, benchmarking, reserved, broadcast, unspecified, unique_local |
| description | string | Human-readable description of the range purpose |
| rfc | string | RFC (Request for Comments) defining the reserved range |
| ip_version | number | IP version: 4 or 6 |
| is_private | boolean | Whether the IP is specifically a private address |
| matched_range | string | The matching CIDR (Classless Inter-Domain Routing) range (e.g., 10.0.0.0/8), null if not bogon |
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
IP (Internet Protocol address) — A unique number that identifies a computer on the internet, like a phone number for a server.
API (Application Programming Interface) — A way for one program to ask another program for something — like a waiter taking your order to the kitchen.
CIDR (Classless Inter-Domain Routing) — A shorthand way of describing a range of IP addresses, like 192.168.1.0/24. The number after the slash says how many addresses are in the range.
IPv4 (Internet Protocol version 4) — The original kind of internet address — four numbers separated by dots, like 203.0.113.10. The internet has run out of new ones, which is why IPv6 exists.
IPv6 (Internet Protocol version 6) — The newer, longer kind of internet address. Looks like 2001:0db8:85a3::8a2e:0370:7334. Designed because the world ran out of IPv4 addresses.
RFC (Request for Comments) — The official internet standards documents. When someone says 'RFC 8484' they mean a specific numbered standards document — in that case, the one defining DNS over HTTPS.