Privacy Detection: a beginner's guide
Detect VPN, proxy, Tor, and datacenter IPs
Residential vs VPN vs datacenter IPs: why fraud teams care about the difference
Every IP address on the public internet belongs to one of a small number of categories based on what kind of network it sits on. The most important categories are residential (a real person's home internet connection through their ISP), datacenter (a server in a hosting provider like AWS, Hetzner, or DigitalOcean), mobile (a cellular network), VPN (a commercial VPN provider's exit nodes), proxy (an intermediate relay), and Tor exit node (the final hop of the Tor anonymity network). Each category has a completely different baseline behavior: real users mostly come from residential and mobile IPs, automated traffic mostly comes from datacenter IPs, and anyone hiding their location is usually on a VPN, proxy, or Tor.
You should care because the IP category is one of the strongest signals available to a fraud team or a content-licensing service. A signup attempt from a datacenter IP is much more likely to be a bot than a signup attempt from a residential IP. A streaming session from a VPN exit node in a different country than the account is registered in is probably someone trying to bypass geo-licensing. A login attempt from a Tor exit node on an account that has never used Tor before is worth flagging. None of these signals are individually conclusive — but they are all cheap to compute and they all add up.
The five categories every privacy/network check distinguishes:
Residential. Real consumer broadband connections via ISPs like Comcast, BT, Deutsche Telekom, Verizon. Highest baseline trust.
Datacenter. Servers in commercial hosting providers. Almost never legitimate end-user traffic; usually bots, scrapers, or back-end services.
Mobile. Cellular networks. Roughly as trustworthy as residential, but with higher geographic noise (carrier-grade NAT, etc.).
VPN. Commercial VPN providers (NordVPN, ExpressVPN, Mullvad, Surfshark, etc.). Trusted by the user but anonymous by design.
Tor exit node. Final hops of the Tor network. Public lists exist; widely used by both privacy-conscious users and abusers.
Three questions an IP privacy check answers:
Is this visitor coming from a real residential connection, or a datacenter / VPN / proxy / Tor?
For licensing purposes, is this user really in the country they claim to be in?
For fraud purposes, does this signup or login deserve extra scrutiny based on its network type?
The cost of ignoring IP privacy classification is the inability to distinguish bots from real users at the network level. The fix is to add the category as a feature in the fraud-decision system. The most authoritative public sources are the MaxMind GeoIP2 databases, IP2Location, and several open-source feeds for VPN and Tor exit nodes.
The Privacy Detection endpoint, in plain language
In one sentence: Detect VPN (Virtual Private Network), proxy, Tor (The Onion Router), and datacenter IPs
Identifies whether an IP (Internet Protocol address) address is associated with a VPN (Virtual Private Network) provider, open proxy, Tor (The Onion Router) exit node, or datacenter/hosting provider. Uses multi-layered detection combining pre-indexed threat feeds (Tor Project, X4BNet, FireHOL) with ASN-based pattern-matching rules for 50+ known hosting and VPN autonomous systems. Returns detection flags, provider identification, and confidence scores.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Executes a a stack of checks running across several data sources at once: (1) fast database lookups against pre-indexed lists of Tor (The Onion Router) exit nodes (official Tor Project bulk exit list), VPN (Virtual Private Network) provider IPs (X4BNet community-maintained lists), open proxies (FireHOL aggregated proxy feeds), and datacenter CIDR (Classless Inter-Domain Routing) ranges (X4BNet datacenter lists). (2) ASN-based pattern-matching rules detection against 50+ known hosting ASNs (AWS, GCP, Azure, DigitalOcean, Hetzner, OVH, Vultr, Linode, Cloudflare) and VPN provider ASNs (NordVPN, M247). Returns boolean flags for VPN, proxy, Tor, datacenter, and residential classification with confidence scoring (50-99%) and identified provider names. Results cached for 6 hours.
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Privacy Detection tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Privacy detection is essential for fraud prevention (VPN/Tor IPs correlate with higher fraud rates), ad verification (datacenter IPs indicate bot traffic), and risk-based authentication (step-up verification for anonymized connections). Unlike single-source detection, the multi-layered approach reduces false negatives by combining IP-level lists with network-level ASN (Autonomous System Number) pattern-matching rules.
Picture this in real life. Imagine a fraud analyst. Here's the situation they're walking into: Flag transactions from VPN (Virtual Private Network) or Tor (The Onion Router) exit nodes for additional verification (3DS (3-Domain Secure), manual review) before processing payments, with confidence-based thresholds to minimize friction for legitimate users. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Privacy Detection tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Privacy Detection tool is built for you:
Is this domain or IP address known for fraud, phishing, or abuse?
Should my signup form, payment flow, or comment system trust this visitor?
Is someone out there registering lookalike domains targeting my brand?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Trust and safety teams, fraud analysts, brand-protection managers, security operations engineers, and product teams running open signup flows. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you find out a domain or IP was malicious only after it has already cost you money or trust. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the developer plan. The technical details: `GET /v1/ip/privacy`.
When would I actually use this?
If you're still on the fence about whether the Privacy Detection tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a fraud analyst, a ad operations manager, and a security engineer — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Payment Fraud Prevention
Imagine you're a fraud analyst. Flag transactions from VPN (Virtual Private Network) or Tor (The Onion Router) exit nodes for additional verification (3DS (3-Domain Secure), manual review) before processing payments, with confidence-based thresholds to minimize friction for legitimate users.
Why it matters: Reduce chargebacks by 15-30% by identifying high-risk anonymization tools while keeping friction low for residential IPs.
Story 2: Ad Fraud & Invalid Traffic Detection
Imagine you're an ad operations manager. Identify non-human traffic originating from datacenter IPs, proxy networks, and VPN (Virtual Private Network) providers to exclude invalid clicks and impressions from advertising campaigns.
Why it matters: Protect ad spend by filtering datacenter and proxy traffic flagged as General Invalid Traffic (GIVT) per MRC guidelines.
Story 3: Risk-Based Authentication
Imagine you're a security engineer. Implement adaptive authentication that requires MFA for logins from VPN (Virtual Private Network), Tor (The Onion Router), or datacenter IPs while allowing passwordless flows for trusted residential connections.
Why it matters: Balance security and usability by calibrating authentication strength to the connection anonymity level.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Privacy Detection tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Inside a signup form, payment flow, or comment system, to score risk in real time.
When investigating a customer complaint about a suspicious link or message.
On a recurring schedule, to monitor lookalike domains targeting your brand.
During incident response, to enrich an alert with reputation context.
If you can see yourself in even one of those bullets, the Privacy Detection tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Privacy Detection tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Privacy Detection tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
"https://api.edgedns.dev/v1/ip/privacy?ip=1.2.3.4"What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
ip | string | Yes | The IPv4 (Internet Protocol version 4) or IPv6 (Internet Protocol version 6) address to check for VPN (Virtual Private Network), proxy, Tor (The Onion Router), or datacenter association | 1.2.3.4 |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
ip | string | The queried IP (Internet Protocol address) address |
is_vpn | boolean | Whether the IP (Internet Protocol address) is a known VPN (Virtual Private Network) endpoint (source: X4BNet, ASN (Autonomous System Number) pattern-matching rules) |
is_proxy | boolean | Whether the IP (Internet Protocol address) is a known open proxy (source: FireHOL proxy feeds) |
is_tor | boolean | Whether the IP (Internet Protocol address) is a Tor (The Onion Router) relay or exit node (source: Tor Project) |
is_datacenter | boolean | Whether the IP (Internet Protocol address) belongs to a datacenter/hosting provider (source: X4BNet, ASN (Autonomous System Number) pattern-matching rules) |
is_residential | boolean | Whether the IP (Internet Protocol address) appears to be a residential/ISP connection (no detections) |
tor_exit_node | boolean | Specifically whether this is a Tor (The Onion Router) exit node (vs relay) |
vpn_provider | string | Identified VPN (Virtual Private Network) provider name if detected (e.g., NordVPN, M247) |
hosting_provider | string | Identified hosting/cloud provider if detected (e.g., Amazon AWS, Google Cloud) |
confidence | number | Detection confidence score (0-100). Higher = more certain. IP (Internet Protocol address) list match: 85-99, ASN (Autonomous System Number) pattern-matching rules: 70-75, no detection: 50 |
detection_method | string | Method used: tor_exit_list, vpn_ip_list, proxy_list, datacenter_cidr, cidr_range_match, rdns_pattern, asn_hosting, asn_vpn, or no_signals |
last_updated | string | ISO 8601 timestamp of the detection check |
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
IP (Internet Protocol address) — A unique number that identifies a computer on the internet, like a phone number for a server.
ASN (Autonomous System Number) — A unique number assigned to a big network operator (like an ISP or cloud provider). Tells you who owns a chunk of the internet.
CIDR (Classless Inter-Domain Routing) — A shorthand way of describing a range of IP addresses, like 192.168.1.0/24. The number after the slash says how many addresses are in the range.
VPN (Virtual Private Network) — A service that hides your real IP address by routing your internet traffic through someone else's server first. Used for privacy, getting around region locks, and connecting to work networks.
Tor (The Onion Router) — A free privacy network that bounces your traffic through several volunteer-run servers around the world to make it very hard to trace back to you. The 'exit node' is the last server in the chain — the one your destination actually sees.
3DS (3-Domain Secure) — A payment authentication system used by Visa, Mastercard, and others. When you check out and your bank sends you a one-time code or asks you to confirm in their app, that's 3DS.
Need Programmatic Access?
Automate domain intelligence with 100+ API endpoints and a free MCP server for AI integration.