IP Geolocation: How It Works, How Accurate It Is, and Its Limitations

IP geolocation databases are assembled by combining multiple independent data sources, each contributing to accuracy at different geographic granularity levels. WHOIS and RDAP registration data from Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC) provides the most authoritative information about which organization was allocated a given IP address block and their registered address. However, registration addresses are often headquarters locations and do not reflect where the IP block is actually deployed in the network. This gap between registered location and deployment location is a primary source of geolocation errors at the city level.

BGP routing table analysis provides another layer of data by examining how IP address prefixes are announced and routed through the global internet. Active measurement techniques — sending traceroute-style probes to IP addresses and measuring round-trip latency from multiple vantage points worldwide — can triangulate approximate geographic location based on the principle that network latency correlates with physical distance. Passive measurement from user-submitted correction data, commercial partnerships with ISPs, and mobile device location data from Wi-Fi access point databases add further refinement. Database providers continuously update their data to track IP address reassignments and network infrastructure changes.

• WHOIS/RDAP registration data: authoritative for organization identity but may not reflect deployment location
• BGP routing table analysis: tracks how IP prefixes are announced through global routing infrastructure
• Active latency measurements: triangulate location from round-trip times to multiple global vantage points
• User-submitted corrections: database providers accept corrections from IP block owners
• Wi-Fi access point databases: improve accuracy for mobile device IP addresses in dense urban areas

IP geolocation accuracy varies significantly depending on the geographic granularity requested. At the country level, major commercial databases achieve 95-99% accuracy for most IP address ranges. This high country-level accuracy makes IP geolocation reliable for broad geographic filtering use cases such as country-level content restrictions, regulatory compliance, and high-level fraud risk scoring. The remaining 1-5% error rate at the country level is largely attributable to corporate VPNs, cloud infrastructure, and IP blocks allocated to organizations with international operations that may be used far from their registration location.

Accuracy degrades substantially at finer geographic levels. State or region-level accuracy typically falls in the 70-90% range. City-level accuracy ranges from approximately 50-80% for well-mapped urban areas in developed countries, and considerably lower for rural areas, developing regions, and mobile IP ranges. Postal code accuracy falls below 50% for most databases. Despite this, many geolocation database APIs return a precise-looking coordinate with latitude and longitude values that imply sub-kilometer accuracy — this precision is misleading and these coordinates should be understood as a centroid of the estimated area, not a precise location.

• Country level: 95-99% accurate for most databases and IP types
• State/region level: approximately 70-90% accurate depending on the database and region
• City level: 50-80% accurate — reliability varies significantly by region and IP type
• Postal code level: below 50% accurate — avoid relying on this for security decisions
• Coordinate precision is misleading — treat coordinates as a centroid estimate, not an exact location

Several structural factors cause IP geolocation accuracy to degrade at city level and below. ISPs commonly route traffic from large geographic service areas through central regional network hubs, meaning that a customer in a rural area 200 kilometers from the hub city will appear to be located in the hub city in routing-based geolocation. Mobile carriers aggregate traffic from thousands of cellular towers across entire states or provinces through a small number of gateway nodes, causing geolocation of mobile IP addresses to reflect the gateway location rather than the subscriber's actual location.

Corporate VPN and split tunneling configurations cause employees working remotely to appear to be located at their company's headquarters — the location of the VPN gateway. A Fortune 500 company's VPN concentrator in New York may be accessed by employees working from California, Texas, or internationally, all of whom appear to be in New York for geolocation purposes. Anycast IP addresses, used extensively by CDN providers like Cloudflare, Akamai, and Fastly, are assigned to servers in many global locations simultaneously — a geolocation query for an anycast address may return the registration location of the anycast block rather than the nearest serving node's actual location.

• ISP regional routing hubs: customers across large geographic areas appear to be at the hub city
• Mobile carrier aggregation: cellular traffic funneled through a small number of gateways
• Corporate VPN: remote workers appear to be located at the VPN concentrator's physical location
• Anycast addressing: CDN and DNS providers use a single IP block across dozens of global locations
• CGNAT: carrier-grade NAT causes many users to share a single public IP, creating location clusters

Commercial VPN services are well-known to IP geolocation databases. The IP address ranges used by major VPN providers such as NordVPN, ExpressVPN, Mullvad, and others are catalogued in commercial databases and commonly flagged as "hosting," "VPN," or "proxy" in geolocation database responses. When a user connects to a VPN server in Amsterdam, their traffic originates from the VPN server's IP address, and geolocation accurately identifies the Amsterdam datacenter as the source location — the user's actual location is hidden. Most fraud detection and risk-scoring services specifically flag VPN-affiliated IP addresses as elevated risk indicators due to their common use in account fraud.

Residential proxies — services that route traffic through IP addresses assigned to ordinary home internet subscribers rather than datacenter ranges — are significantly harder for geolocation databases to identify and flag. Because these IP addresses appear identical to legitimate residential subscribers, they are not catalogued as proxies in most databases and their geolocation reflects the residential subscriber's actual location, which may be different from the operator of the proxy. Tor exit nodes are publicly listed in the Tor Project's official exit node list and are universally flagged by geolocation and threat intelligence databases. Any traffic originating from a listed Tor exit node can be identified and handled accordingly by security systems.

• Commercial VPN IPs: catalogued in major databases — flagged as VPN or hosting, user location hidden
• Residential proxies: appear as ordinary subscribers — not flagged by most geolocation databases
• Tor exit nodes: publicly listed, universally flagged — easily identified by any geolocation service
• CGNAT IP addresses: multiple subscribers share one IP — location accuracy is lowest for these ranges
• Datacenter IPs: high geolocation accuracy for the datacenter location; actual user location is unknown

IP geolocation plays a role in several security operations and product security use cases. CDN providers use geolocation to route user requests to the nearest edge node, reducing latency and improving reliability. Content licensing and distribution platforms use country-level geolocation to implement geo-restrictions on licensed content, allowing distribution rights holders to enforce territorial licensing agreements. Fraud detection systems use geolocation as one factor in risk scoring: a login from a country where the account has never previously been active is a risk signal worth flagging for review.

Regulatory compliance systems use geolocation to determine whether GDPR, CCPA, or other jurisdiction-specific regulations apply to a particular visitor's session. Export control compliance systems may use geolocation to block access to regulated technology from sanctioned countries. Login anomaly detection systems compare the geolocation of a successful login against the user's historical login locations and flag significant geographic anomalies — known as impossible travel alerts — where two consecutive logins originate from locations that could not have been reached in the time elapsed between them, indicating credential theft or account sharing.

• CDN routing: geolocation directs users to the nearest edge node for lowest latency
• Geo-restriction: country-level filtering for content licensing and regulatory compliance
• Fraud detection: country-of-origin is one risk signal in multi-factor fraud scoring
• Login anomaly detection: impossible travel alerts when consecutive logins show unrealistic geography
• Export control: blocking access to regulated technology from sanctioned country IP ranges

MaxMind is the dominant commercial IP geolocation provider, offering the GeoIP2 commercial database and the free GeoLite2 database. GeoIP2 Precision provides higher accuracy with additional data fields including ISP, organization, connection type, and user type. MaxMind accepts correction requests through their website, and IP block owners who register with their service can update their block's location data directly. IP2Location and ipinfo.io are competing providers each with their own data collection methodologies and pricing models. For API-based geolocation in applications, ipapi.co and ip-api.com provide free tiers suitable for low-volume use.

Organizations that operate their own IP address blocks and find them mislocated in geolocation databases can submit correction requests to each database provider individually. The process typically requires proving control of the IP block through WHOIS ownership data. For large IP address allocations, the Regional Internet Registries encourage keeping WHOIS registration data up to date with accurate deployment location information, as this data feeds directly into geolocation database inputs. MaxMind provides a specific form for IP address location corrections at their website that submits updates directly to their data team for review.

• MaxMind GeoIP2: leading commercial database; GeoLite2 is the free version with reduced accuracy
• IP2Location: commercial alternative with similar feature set and different data collection methods
• ipinfo.io: provides ASN, organization, and geolocation data through a developer-friendly API
• Submitting corrections: MaxMind, IP2Location, and ipinfo.io all accept correction requests from IP block owners
• Keep WHOIS registration data current — accurate WHOIS location data feeds into geolocation databases