Geographic Location of an IP Address: How It's Determined (and Why It's Often Wrong)
Geolocation providers determine the geographic location of an IP address by combining registry records, BGP routing data, latency triangulation and user-submitted corrections. Country accuracy reaches 99 percent. City accuracy ranges from 60 to 75 percent on fixed connections. Street-level accuracy does not exist outside law enforcement requests to the ISP. Mobile, VPN and CGNAT make the guesses worse.
The phrase "the IP says you are in Frankfurt" gets repeated all the time, usually with too much confidence. The truth sits closer to "some company's database thinks the network announcing this prefix has a centre of gravity in Frankfurt this month" π. That is a useful guess for ad targeting and content delivery. It is a terrible basis for any action that depends on knowing where one specific person physically sits.
This article walks through the actual mechanics of IP geolocation, the four signal sources providers blend together, the layered accuracy you should expect, and the famous cases where the guess went catastrophically wrong. By the end, the gap between country-level and street-level becomes obvious, and the reason VPNs work so well becomes clearer too.
What an IP address contains by itself
An IPv4 address is 32 bits with no geographic encoding. Nothing in 203.0.113.42 points at a city or even a continent. The only structural information is the boundary between network bits and host bits, which depends on the CIDR mask. The article on CIDR notation covers how that boundary works. The address by itself is just a number. Location appears only when external data is layered on top.
That external data starts with the regional internet registries. ARIN, RIPE, APNIC, LACNIC and AFRINIC each publish daily delegation reports listing which blocks went to which country. A WHOIS query on the address returns the registered country code with reasonable accuracy because the registry asks the holder for it. This single signal gets country-level location right about 99 percent of the time. Anything more precise needs additional sources.
The four methods, ranked by reliability
Commercial geolocation databases combine several inputs. The blend differs by provider but the menu is shared.
- Registry and WHOIS data. Country code, sometimes region, occasionally city for static allocations. Reliable for country, weak below that.
- BGP routing tables. The autonomous system announcing a prefix often hosts the address in specific data centres. Looking at which BGP peers carry the route hints at the geographic edge.
- Latency triangulation. A provider with monitoring nodes worldwide measures round-trip times from each node to the target IP. The shortest latency points at the closest node, which suggests the rough region.
- User-submitted corrections. Websites that ask users to confirm their city, browsers that share GPS with permission, and ISP-supplied geofeeds per RFC 8805 all feed corrections back into the databases.
MaxMind, IP2Location, ipinfo, ipdata and the other large vendors all combine these in different proportions. MaxMind publishes a detailed methodology that emphasises BGP and ISP geofeeds. The comparison article on IP geolocation APIs goes through the trade-offs in depth.
The accuracy tiers nobody advertises in the headline
| Level | Typical accuracy | Reliable use cases |
|---|---|---|
| Continent | 99.9% | CDN edge selection, regulatory blocks |
| Country | 99% | Currency display, content licensing, language defaults |
| Region or state | 80% | Tax calculation, broad ad targeting |
| City (fixed broadband) | 60-75% | Local weather widget, regional pricing |
| City (mobile) | 30-50% | Marginally useful, often wrong |
| Postcode | 20-40% | Rarely reliable, vendor claims overstate this |
| Street or address | ~0% | Not possible without ISP cooperation |
That bottom row is the one people refuse to believe. An IP address by itself cannot identify a house number. Movies and crime shows where a hacker types furiously and a satellite zooms onto a kitchen window have no basis in reality. The depth of detail needed for that level of precision exists only in the subscriber database of the ISP, which never leaves without a warrant. The piece on who can find you with your IP traces that legal boundary in more detail.
The four big distortions
Even with perfect data, four real-world phenomena bend geolocation off the truth.
VPN endpoints. When a user connects through a VPN, every outbound packet carries the VPN exit node's IP. Geolocation reads the exit node, which sits in whatever country the user picked. That is the exact mechanism described in how a VPN works and the reason streaming services try to detect them, as explored in how streaming services detect VPN traffic.
Mobile networks. Carriers route traffic through a handful of national gateway IPs. A subscriber browsing from a beach in southern Spain may carry an IP geolocated to the carrier's NOC in Madrid. The phone is on holiday. The IP says corporate office.
CGNAT. Carrier-grade NAT shares one public IP across hundreds or thousands of subscribers in a region. The geolocation can only point at the aggregate region, not the individual user. Many mobile providers and some residential ISPs use CGNAT extensively.
Cloud and hosting. Servers in AWS, Hetzner or DigitalOcean carry IPs allocated to the provider, geolocated to the data centre's host city. A web request from a serverless function might appear to originate in Ashburn, Virginia even though the developer pressing the deploy button is in Tokyo.
β οΈ Treating IP geolocation as proof of location for legal, security or identity decisions is a mistake. The data is good enough to choose a CDN edge or pick a currency. It is not good enough to ban a user, charge fraud penalties or verify residence. Pair it with other signals like browser timezone, payment country and document checks for anything consequential.
The Potwin Kansas problem
The most famous geolocation failure is the case of the Taylor family in Potwin, Kansas. Their farm sat at the geographic centre of the continental United States. MaxMind's database, when it could not resolve an IP beyond country level, used a default coordinate at that centre point. Anyone querying a vague US-only IP got the Taylor farm's GPS location. For more than a decade, law enforcement, scammers and angry internet users showed up at their door because of fraud, missing children searches and stolen phones supposedly "tracked" to that address. MaxMind eventually moved the default to the middle of a lake.
The lesson is that geolocation default coordinates are real and dangerous. Providers needed a fallback for IPs they could not resolve. They picked a point, and everyone who queried those IPs got that point. The Kansas case prompted a quiet industry-wide review and most providers now use either ocean coordinates or explicit nulls for unresolvable addresses.
How providers update their data
The data is not static. Major commercial databases update weekly, sometimes daily. MaxMind ships GeoLite2 and GeoIP2 databases on a regular cadence. ipinfo refreshes from BGP and registry feeds continuously. Most APIs return both a database lookup and a confidence score. The score is more honest than the underlying location, because it reflects how many independent signals agreed on the answer.
ISPs willing to participate publish geofeeds in the RFC 8805 format. A geofeed is a CSV file at a known URL listing each customer subnet with country, region and postcode. Geolocation providers ingest these feeds and trust them above their own guesses. Most large North American and European ISPs publish geofeeds today. Cloudflare publishes one for its anycast network so that accurate geolocation works on top of its CDN.
Checking your own apparent location
Two simple checks reveal what the world thinks about your IP. The homepage IP tool returns the current public address, country, region and city as several different providers see it. Comparing the answers across two or three databases exposes how much disagreement exists for the same address. Some addresses get the same city from every provider. Others get five different cities, which is itself a useful signal that nobody really knows.
Power users can run curl ipinfo.io or curl ipapi.co/json from a terminal for a quick JSON answer. Both return a coordinate pair, an organisation name and a country code in a couple of lines. The coordinate is rarely your home. It is usually somewhere in the city where your ISP terminates the regional broadband network.
π‘ If a website reports you are in a city you have never been to, the explanation is almost always the path your traffic takes through your ISP's backbone, not a privacy breach. The fix, when you actively need a different country to appear, is the standard list in how to hide your IP and nine practical ways to do it.
The ad industry's love affair with imprecise data
Advertising platforms know IP geolocation is imperfect. They use it anyway because the answer is fast, free of consent prompts and accurate enough at the country level. Programmatic bidders use geolocation for currency selection, regulatory compliance and broad audience filtering. They do not pretend it identifies individuals. The story of what your IP says about you walks through the inferential layer that the ad ecosystem builds on top of these signals.
Streaming services use the same data with stricter rules. Netflix, BBC iPlayer, DAZN and the others rely on geolocation for licensing, then layer VPN detection on top. The piece on geo-blocking and the legal status of geo-restricted content covers how that layered approach plays out for end users.
Limits the industry will not admit out loud
Two structural limits are unlikely to improve. IPv4 exhaustion forces increased CGNAT and shared addresses, which destroys per-user resolution. Mobile traffic dominates new connections globally, and mobile IPs already resolve poorly. The shift to IPv6 helps slightly because every device gets its own address again, but mobile carriers still aggregate routing through national gateways. The fundamentals of IPv4 versus IPv6 explain why the change in protocol does not fix the geographic problem.
If anything, accuracy at the city level has plateaued or declined since 2020. Providers compensate with confidence scores and probabilistic models. They market the result as "intelligence" but the underlying truth is unchanged. IP geolocation answers the question "which country" with high confidence, the question "which region" with moderate confidence, and the question "which house" never at all. Plan accordingly.
Reading about IP, VPN and privacy? Lock down yours in 5 minutes
NordVPN ranks first on AV-TEST's privacy benchmark and blocks malware, ads and trackers at the network level. 30-day money-back guarantee, audited no-logs policy.
- 6,400+ servers, 111 countries
- Audited no-logs policy
- Built-in threat protection
- 10 devices per account
Frequently asked questions
Can an IP address reveal my exact home address?
No. An IP address by itself encodes no street-level information. Public geolocation databases identify the country with about 99 percent accuracy and the city with 60 to 75 percent accuracy on fixed broadband. Street and house number information lives only in the subscriber records of the internet service provider. That information leaves the ISP only when compelled by a court order or law enforcement request. Anyone claiming a free online tool can pull someone's home address from an IP is either mistaken or selling something. The actual mapping of an IP to a household requires legal process, not a search box.
Why does a VPN successfully change my apparent location?
A VPN routes all traffic through an exit server in a chosen country. Every website then sees the exit server's IP rather than the original. Geolocation databases look up that exit IP and return the exit server's location. The user's real ISP and city never appear in the request. This works because there is no built-in mechanism in TCP or HTTP to disclose the true origin once a tunnel is in place. Streaming services and banks invest heavily in detecting VPN exit IPs through reputation lists, datacentre ASN flags and behavioural anomalies, which is why some VPN connections still get blocked despite the geolocation change.
How can I check what location my own IP shows?
Visit the homepage IP tool on this site or any equivalent service like ipinfo.io, ipapi.co or whatismyipaddress.com. Each returns the public IP your traffic is carrying along with the country, region and city as that provider sees them. Cross-check two or three providers. If they all agree, the city result is probably reasonable. If they disagree, none of them is sure and the result is a best guess. For a quick terminal answer run curl ipinfo.io on Linux or macOS, or Invoke-RestMethod ipinfo.io on Windows PowerShell. The JSON output includes coordinates, organisation and country.
Why is mobile geolocation worse than home broadband?
Mobile carriers route subscriber traffic through a small number of national or regional gateways. The phone may be physically in a coastal town but the public IP it carries belongs to a gateway in the capital city, where the carrier terminates the mobile data network. Geolocation databases see the gateway IP and return the capital city. Carrier-grade NAT compounds the effect by sharing one public IP across hundreds or thousands of subscribers in different physical locations. The combination means mobile IP geolocation at the city level rarely exceeds 30 to 50 percent accuracy, even with the best commercial databases. Fixed broadband performs noticeably better because the address space is less aggregated.