IPinfo's ping-based geolocation provides more reliable IP location compared to WHOIS records

IPinfo’s probe-network-based data ensures highly reliable IP location data

In the IP geolocation process, there are hints about where an IP address may be located. These hints can be found across different publicly available datasets, mainly geofeeds and WHOIS records.

These publicly available datasets usually provide regional or country-level context to IP addresses. However, we have found that these datasets are often not reliable and thus fail to achieve the level of accuracy warranted in many cybersecurity and analytics operations. Even though we use these public databases in our geolocation methodology, our core process relies on our probe network infrastructure.

Issues in public datasets - WHOIS organization location is not the same as IP location

Consider the IP address: 64.138.26.13

According to WHOIS records, the country associated with the IP address is US because the organization is based there.

$ whois 64.138.26.13
[...]

NetRange:       64.138.0.0 - 64.138.191.255
CIDR:           64.138.128.0/18, 64.138.0.0/17
[...]

PostalCode:     75093
Country:        US
RegDate:
Updated:        2022-11-29

[...]

Using WHOIS record information, some IP geolocation providers even say that the IP address is based in the US.

However, IPinfo.io thinks the IP address is based in SG (Singapore) and not in the US.

$ curl https://ipinfo.io/64.138.26.13
{
  "ip": "64.138.26.13",
  "hostname": "host-64-138-26-13.masergy.com",
  "city": "Singapore",
  "region": "Singapore",
  "country": "SG",
  "loc": "1.3239,103.9209",
  "org": "AS19855 Masergy Communications, Inc.",
  "postal": "469005",
  "timezone": "Asia/Singapore",
  "readme": "https://ipinfo.io/missingauth"
}

So, is IPinfo providing inaccurate geolocation data?
No. Not at all.

WHOIS data usually provides data in an organizational context. A global ASN can spread its IP address ranges across many different locations, well beyond the location of the organization’s headquarters.

To confirm the location of the IP address, we can ping it. We can see that the IP address has the lowest average RTT (Round Trip Time) from servers based in Singapore.

Based on this information, we can reliably say that the IP address is based in Singapore and not in the United States.
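
The latency argument can be made explicit: a round trip time puts a hard upper bound on how far the target can be from the probe. The sketch below is an added example, not IPinfo's code or methodology. The probe names, probe coordinates, RTT samples and the US and NL candidate coordinates are constructed assumptions; only the SG coordinates come from the "loc" field in the API response above.

```python
import math
from statistics import mean

FIBRE_KM_PER_MS = 200.0  # assumption: light in fibre travels about 200 km per ms (~2/3 c)

# Candidate locations taken from the hints on this page. Only SG uses the page's
# "loc" value; the US and NL coordinates are assumed approximations.
CANDIDATES = {
    "US (WHOIS org record)": (33.02, -96.70),
    "NL (another provider)": (52.37, 4.90),
    "SG (customer record / IPinfo)": (1.3239, 103.9209),
}

# Constructed probe measurements (not real data): RTT samples in milliseconds.
PROBES = [
    {"name": "singapore", "coords": (1.3521, 103.8198), "rtts_ms": [1.9, 2.3, 2.1]},
    {"name": "frankfurt", "coords": (50.1109, 8.6821), "rtts_ms": [162.0, 165.4, 163.1]},
    {"name": "dallas", "coords": (32.7767, -96.7970), "rtts_ms": [212.5, 215.0, 213.8]},
]

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def max_distance_km(rtts_ms):
    """Hard upper bound on probe-to-target distance. Uses the minimum RTT,
    because queueing and routing detours only ever add delay."""
    return min(rtts_ms) / 2 * FIBRE_KM_PER_MS

def closest_probe(probes):
    """Probe with the lowest average RTT, the signal the article relies on."""
    return min(probes, key=lambda p: mean(p["rtts_ms"]))["name"]

def ruled_out_by(candidates, probes):
    """Map each candidate to the probes whose RTT makes it physically impossible."""
    return {
        label: [p["name"] for p in probes
                if haversine_km(coords, p["coords"]) > max_distance_km(p["rtts_ms"])]
        for label, coords in candidates.items()
    }

if __name__ == "__main__":
    print("closest probe:", closest_probe(PROBES))
    for label, probes in ruled_out_by(CANDIDATES, PROBES).items():
        print(f"{label}: {'impossible per ' + ', '.join(probes) if probes else 'consistent'}")
```

With these sample values, a roughly 2 ms RTT from the Singapore probe caps the distance at about 190 km, which excludes both the US and NL candidates regardless of what any registry record says.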

However, there is another interesting fact about this IP address in particular.

If you take a closer look at the WHOIS database, you can see a set of fields that describe the customer information for the IP address. This means that the owner of the IP address range (AS19855 Masergy Communications, Inc.) has allocated this IP address to a different organization, which is located in a different location.

$ whois 64.138.26.13

[...]

CustName:       Haemonetics Corporation
Address:        Masergy Customer
City:           Chai Chee
StateProv:      SINGAPORE
PostalCode:     469005
Country:        SG

[...]

And lo and behold, that customer organization is based in SG (Singapore), which confirms our ping-based location information!

Going beyond our IP location information, we can see other providers are locating this IP address in the United States and the Netherlands.

Random Provider #1 → US

Random Provider #2 → US

Random Provider #3 → US

Random Provider #4 → NL

That is just one example. There are plenty of examples like this.

For IP location, the reliability of WHOIS data is questionable. Moreover, WHOIS records have inconsistent structures and inconsistent information, which makes them harder to parse and interpret. They are also not kept up to date.

So, for IP location, it is best not to rely on WHOIS records as the source of truth and, to some extent, not to rely on IP geolocation providers that mainly use WHOIS records for geolocation data. IPinfo provides the evidence behind the IP address with its probe network infrastructure.