How GeoIP Works: Mapping IP Addresses to Physical Locations

Your IP address doesn't contain your location. Not a single bit of it encodes latitude, longitude, city, or country. It's a number assigned to a network, not a place.

And yet, right now, dozens of systems are using your IP address to decide where you are. Netflix is checking whether to show you The Office. Your bank is deciding whether to flag your login as suspicious. An ad network is choosing which local restaurant to shove in your face. A weather website is guessing your city.

They're all guessing. Some of them guess well. Some of them guess so badly that a farm in Kansas spent years being accused of every cybercrime in America.

This is GeoIP—the art and science of turning a number that has nothing to do with geography into a physical location on Earth.

The Gap Between Number and Place

IP addresses are assigned by bureaucracies, not cartographers. The Internet Assigned Numbers Authority (IANA) allocates giant blocks to five Regional Internet Registries (RIRs)—ARIN for North America, RIPE NCC for Europe and Central Asia, APNIC for Asia-Pacific, LACNIC for Latin America, and AFRINIC for Africa¹. These registries hand out smaller blocks to Internet Service Providers. ISPs assign individual addresses to customers.

At no point in this chain does anyone record the GPS coordinates of the device that will use the address. The registries track which organization holds the address. The organization might be headquartered in Dallas but serve customers across twelve states. The address might be reassigned tomorrow. It might be routed through a data center in Virginia even though the user is in Portland.

So when someone asks "where is 74.125.224.72?"—the honest answer is "we don't really know, but we can make an educated guess."

The entire GeoIP industry exists in this gap between honest answer and educated guess.

How GeoIP Databases Are Built

No single technique reliably maps IP addresses to locations. Instead, GeoIP providers like MaxMind, IP2Location, and DB-IP layer multiple imperfect signals on top of each other, hoping the composite picture is more accurate than any single source.

Registry Data: The Foundation

Every IP address block has a paper trail. When ARIN assigns a block to Comcast, that assignment goes into a public WHOIS database. The record includes the organization's name, address, and contact information².

This tells you who owns the block, not who uses it. Comcast's headquarters is in Philadelphia, but Comcast serves customers from coast to coast. Still, registry data gives you a starting point—at minimum, you know the country. For smaller ISPs that serve a single city, the registry data alone might get you surprisingly close.

BGP Route Analysis: Following the Wires

The Border Gateway Protocol (BGP) is how networks tell each other which IP address ranges they can reach. By analyzing BGP routing tables—publicly available from projects like RIPE RIS and RouteViews—GeoIP providers can trace which autonomous systems originate specific IP ranges and where those systems peer with each other³.

If two networks exchange traffic at an Internet Exchange Point in Frankfurt, and a particular IP range is announced through that exchange, there's a decent chance those addresses serve users in or near Frankfurt. It's circumstantial evidence, not proof—but it narrows the search.

Latency Measurements: The Speed of Light as a Ruler

Light travels through fiber optic cable at roughly two-thirds the speed of light in vacuum. A ping from New York to an IP address that returns in 10 milliseconds can't be more than about 1,000 kilometers away, because physics says so.

By pinging an IP address from multiple known locations and measuring the round-trip time, GeoIP providers can draw circles on a map. The target must be inside every circle. Where the circles overlap is the estimate⁴.

This technique—called constraint-based geolocation or multilateration—sounds elegant. In practice, it's messy. Network congestion adds delay. Asymmetric routes mean the packet might travel a longer path in one direction. Policy-based routing might send traffic through a data center hundreds of miles away. And most IP addresses don't respond to pings at all, because firewalls block them.

Still, when it works, latency triangulation can narrow a location to within tens of kilometers. That's often better than registry data alone.

Wi-Fi Positioning: Phones as Surveyors

This one is clever and slightly unsettling. Every time a smartphone with GPS enabled passes near a Wi-Fi access point, it can report the access point's unique identifier (BSSID) along with the phone's GPS coordinates. Apple and Google have built enormous databases this way, mapping the physical locations of hundreds of millions of Wi-Fi routers worldwide⁵.

If a GeoIP provider knows which Wi-Fi networks are near a particular IP address, they can cross-reference those networks against Wi-Fi positioning databases to infer a location. This works remarkably well in dense urban areas where Wi-Fi networks are everywhere. It works poorly in rural areas where a single router might serve a farmhouse miles from its nearest neighbor.

ISP-Published Geofeeds: Asking the Source

Since 2020, there's been a standardized way for ISPs to just tell GeoIP providers where their IP addresses are. RFC 8805 defines a format called a "geofeed"—a simple CSV file where a network operator maps their IP ranges to geographic locations⁶.

It's refreshingly direct. Instead of inferring, measuring, or triangulating, you just ask the people who actually assigned the addresses. Google has incorporated geofeeds into their geolocation pipeline, and a growing number of ISPs publish them⁷.

The catch: it's voluntary. Many ISPs don't bother. And the data is only as honest as the publisher.

User-Submitted Corrections: The Last Resort

When all else fails, humans file complaints. MaxMind, Google, and other providers accept correction requests from users who notice their IP address is being mapped to the wrong location⁸. These corrections are reviewed, and if credible, get folded into the next database update.

It's the least scalable method, but sometimes the only one that works. If an ISP reorganized its address space and nobody updated the geofeed, and BGP analysis points to the old location, and latency measurements are ambiguous—a human saying "I'm in Denver, not Dallas" might be the best data available.

Why GeoIP Is Inherently Inaccurate

Every technique described above is a proxy. None of them directly measure where a device physically sits. And the gap between proxy and reality creates predictable categories of error.

IP Addresses Move

ISPs reassign addresses constantly. The IP address that served a household in Chicago last month might serve a business in Milwaukee today. GeoIP databases update periodically—MaxMind updates weekly—but between updates, some fraction of the database is simply wrong⁹.

VPNs and Proxies Mask Location

When you connect through a VPN, your traffic exits from the VPN server's IP address, not yours. A user in Tokyo connecting through a VPN server in London will appear to be in London. GeoIP databases see the VPN's address and report the VPN server's location—which is technically correct for the IP address, but completely wrong for the human.

Mobile Networks Shift

Your phone's IP address doesn't follow you around. Mobile carriers use Carrier-Grade NAT (CGNAT), which means thousands of users share a single public IP address¹⁰. That address is associated with the carrier's infrastructure, not your location. You could be in downtown Manhattan, and your IP might geolocate to a network operations center in New Jersey. Move to a different cell tower, and you might get a different shared address that geolocates to somewhere else entirely.

ISPs Centralize Routing

A regional ISP might route all of its customers' traffic through a single gateway. Every customer—whether they're in Boise, Twin Falls, or Pocatello—exits the Internet through the same point. GeoIP databases see one location for all of them.

Databases Go Stale

The Internet isn't static. ISPs acquire competitors and restructure their networks. Companies move headquarters. Address blocks get sold on the secondary market. A GeoIP database that was accurate on Monday might have errors by Friday—not because anyone made a mistake, but because the Internet changed underneath it.

Country vs. City: A 34-Percentage-Point Gap

Not all GeoIP queries need the same precision. And the accuracy varies dramatically depending on what you're asking for.

MaxMind estimates their databases identify the correct country with 99.8% accuracy¹¹. That's remarkably good. For most IP addresses, there's enough signal—registry data, BGP routes, ISP assignments—to at least figure out which country a block serves.

City-level accuracy drops sharply. Within the United States, MaxMind reports roughly 80% accuracy at the state level and 66% at the city level within a 50-kilometer radius¹². Outside the US, city-level accuracy averages around 80%.

That 34-point gap between country accuracy (99.8%) and city accuracy (66%) tells the real story. Figuring out "this is an American IP address" is easy. Figuring out "this is a Des Moines IP address" is hard. And "this is a specific household in Des Moines" is often impossible.

MaxMind includes an accuracy radius with every city-level estimate—an acknowledgment that "we think it's here, give or take this many kilometers." Sometimes that radius is 5 km. Sometimes it's 500. The radius is the database admitting how uncertain it is.

The Farm in Kansas

The most famous GeoIP failure illustrates everything that can go wrong when an educated guess gets treated as fact.

In 2002, MaxMind needed a default location for IP addresses that could be identified as American but couldn't be placed more precisely. Every GeoIP database needs a fallback—when you know a user is in the United States but nothing else, what coordinates do you return?

MaxMind chose to round the geographic center of the contiguous United States to a clean coordinate: 38.0000°N, 97.0000°W¹³.

That coordinate pointed to a 360-acre farm near Potwin, Kansas, owned by Joyce Taylor.

From that moment on, every time someone looked up the location of an American IP address that MaxMind couldn't pinpoint—roughly 600 million addresses—the answer came back: Joyce Taylor's farm.

The consequences were relentless. FBI agents showed up looking for stolen laptops. Federal marshals came searching for fugitives. IRS collectors arrived demanding unpaid taxes. Ambulances came looking for suicidal veterans. Police officers appeared hunting for runaway children. Angry strangers showed up accusing the family of fraud, identity theft, and harassment¹⁴.

None of it had anything to do with the Taylor family. Their farm just happened to sit at the coordinates that a database rounded to when it didn't have a better answer.

In 2016, after the story went public, MaxMind moved the default U.S. coordinates to the middle of Cheney Reservoir—a lake west of Wichita, Kansas¹⁵. Lakes, as far as anyone knows, don't file lawsuits.

The Taylors sued MaxMind and settled in 2017. But similar problems emerged elsewhere. A family in Pretoria, South Africa, endured years of police visits and angry strangers because MaxMind's default coordinates for Pretoria—derived from the National Geospatial-Intelligence Agency's data—pointed to their house¹⁶.

The lesson: GeoIP data is a probability, not a fact. Treating it as a street address is like treating a weather forecast as a promise.

What GeoIP Powers in the Real World

Despite its imperfections, GeoIP is deeply embedded in how the Internet works. The accuracy doesn't need to be perfect for most use cases—it just needs to be good enough for the decision at hand.

Content Licensing

When Netflix shows you a different library depending on your country, that's GeoIP at work. Content licensing is negotiated country by country—a studio might sell streaming rights for a film to Netflix in the US and to a different service in the UK. Netflix uses GeoIP to enforce these boundaries, and actively detects VPNs to prevent circumvention¹⁷.

Country-level GeoIP accuracy of 99.8% makes this feasible. Netflix doesn't need to know your city. It needs to know your country. And for that, GeoIP is reliable enough.

Fraud Detection

When your bank flags a login because it came from a different state than your last login, that's GeoIP. Credit card processors check whether the IP address of an online purchase matches the cardholder's billing address. A card registered in Phoenix making a purchase from an IP geolocated to Romania raises a flag¹⁸.

This doesn't require city-level precision. Country and region are usually enough to distinguish "this looks normal" from "this looks wrong."

Advertising and Localization

Ad networks use GeoIP to target local ads. Search engines use it to default your language. Weather sites use it to guess your city. E-commerce sites use it to suggest the right currency and shipping options.

These applications are soft—a wrong guess is annoying, not catastrophic. If a weather site thinks you're in a city 30 miles away, the forecast is probably still close enough. If an ad network shows you a restaurant in the wrong neighborhood, you just ignore it.

Legal Compliance

Online gambling sites must verify that users are in jurisdictions where gambling is legal. Some content is banned in certain countries. Tax calculations depend on location. GeoIP provides the first layer of compliance, often supplemented by more precise verification methods when the stakes are high.

The Arms Race: VPNs vs. Detection

A significant industry exists on both sides of GeoIP's accuracy gap.

VPN providers sell the ability to appear to be somewhere you're not. Streaming services, fraud detection platforms, and compliance systems invest heavily in detecting VPNs.

The detection methods are layered. Databases of known VPN server IP addresses are the first line—services like MaxMind maintain lists of data center IPs and known proxy servers¹⁹. Beyond IP reputation, detectors look for mismatches: a browser reporting a timezone in Tokyo while the IP geolocates to London. An HTTP fingerprint suggesting one operating system while the network signature suggests another.

It's a cat-and-mouse game with no permanent winner. VPN providers rotate IP addresses through residential ISPs to avoid data center detection. Detection services develop new fingerprinting techniques. The cycle continues.

The Future Is Still Guessing (But Better)

GeoIP accuracy will continue improving through better data sources—more ISPs publishing geofeeds, more sophisticated latency measurement networks, better crowdsourced correction systems. IPv6 adoption adds complexity, since the enormous address space means less historical data per address, but also offers opportunities for more granular allocation²⁰.

But the fundamental constraint remains: an IP address is not a location. It's a bureaucratic assignment that happens to correlate with geography—sometimes closely, sometimes laughably wrong. No amount of clever inference changes the fact that inference is all we have.

The systems that work best are the ones that know this. They treat GeoIP as one signal among many. They include confidence scores and accuracy radii. They use it for decisions proportional to its reliability—country-level for content licensing, city-level for weather, and never, ever, as a street address to send the FBI.