How Good is Geolocation?

by Geo Spoof  (geo.spoof@gmail.com)

Internet geolocation is currently used to target specific areas with local advertising, and to restrict web site functionality based on the visitor's geographic region.

But how good is geolocation?  According to Wikipedia:

"Geolocation is the identification of the real-world geographic location of an Internet-connected computer, mobile device, website visitor or other.  IP address geolocation data can include information such as country, region, city, postal/ZIP Code, latitude, longitude, and timezone."

Wikipedia also describes how geolocation works:

"Geolocation can be performed by associating a geographic location with the Internet Protocol (IP) address, MAC address, RFID, hardware embedded article/production number, embedded software number (such as UUID, Exif/IPTC/XMP or modern steganography), invoice, Wi-Fi connection location, or device GPS coordinates, or other, perhaps self-disclosed information.  Geolocation usually works by automatically looking up an IP address on a WHOIS service and retrieving the registrant's physical address."

The availability of a MAC address for a geolocation service (geolocator) to use seems dubious and Wikipedia fails to mention the traceroute utility.  Wi-Fi connection locations and GPS coordinates are likely being utilized by some geolocators, but at present, a key component of geolocation is the WHOIS service.

Wikipedia has this to say about WHOIS:

"WHOIS (pronounced as the phrase 'who is') is a query/response protocol that is widely used for querying databases in order to determine the registrant or assignee of Internet resources, such as a domain name, an IP address block, or an autonomous system number.  WHOIS lookups were traditionally performed with a command line interface application, and network administrators predominantly still use this method, but many simplified web-based tools exist.  WHOIS services are typically communicated using the Transmission Control Protocol (TCP).  Servers listen to requests on the well-known port number 43.  The WHOIS system originated as a method for system administrators to obtain contact information for IP address assignments or domain name administrators."

It is important to note that geolocators do not use the WHOIS record of a domain name, which holds the registrant's contact address and says nothing about where anything is hosted.  They can, however, use the WHOIS record of the IP address the domain name resolves to.

The typical Internet home user will subscribe to Internet access from an Internet Service Provider (ISP).  The ISP will assign, either statically or dynamically, an IP address to the subscriber.  The home user has no control over the information contained in the WHOIS database for their IP address.

Let's see what can be discovered about a specific IP address without using geolocators.  Consider the following static IP address assigned by Speakeasy for use in Arlington, Virginia: 66.92.163.234

First, the Linux whois command line tool will be used to query the WHOIS database:

$ whois 66.92.163.234

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#

# start

NetRange:       66.92.0.0 - 66.93.255.255
CIDR:           66.92.0.0/15
NetName:        MEGAPATH-BLK-53
NetHandle:      NET-66-92-0-0-1
Parent:         NET66 (NET-66-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS3257
Organization:   GTT (GC-494)
RegDate:        2001-03-28
Updated:        2023-11-21
Ref:            https://rdap.arin.net/registry/ip/66.92.0.0

OrgName:        GTT
OrgId:          GC-494
Address:        7900 Tysons One Place
Address:        Suite 1450
City:           McLean
StateProv:      VA
PostalCode:     22102
Country:        US
RegDate:        2015-08-06
Updated:        2017-01-28
Ref:            https://rdap.arin.net/registry/entity/GC-494

OrgTechHandle: AS3251-ARIN
OrgTechName:   AS3257 Netguard
OrgTechPhone:  +49 6102 8235 389
OrgTechEmail:  netguard@gtt.net
OrgTechRef:    https://rdap.arin.net/registry/entity/AS3251-ARIN

OrgNOCHandle: GNOC16-ARIN
OrgNOCName:   GTT Network Operations Center
OrgNOCPhone:  +1-703-442-5500
OrgNOCEmail:  noc@gtt.net
OrgNOCRef:    https://rdap.arin.net/registry/entity/GNOC16-ARIN

OrgAbuseHandle: GAD46-ARIN
OrgAbuseName:   GTT Abuse Department
OrgAbusePhone:  +1-703-442-5500
OrgAbuseEmail:  abuse@gtt.net
OrgAbuseRef:    https://rdap.arin.net/registry/entity/GAD46-ARIN

# end

# start

NetRange:       66.92.163.1 - 66.92.163.255
CIDR:           66.92.163.4/30, 66.92.163.16/28, 66.92.163.2/31, 66.92.163.32/27, 66.92.163.8/29, 66.92.163.128/25, 66.92.163.1/32, 66.92.163.64/26
NetName:        SPEK-WDC-BR-19
NetHandle:      NET-66-92-163-1-1
Parent:         MEGAPATH-BLK-53 (NET-66-92-0-0-1)
NetType:        Reassigned
OriginAS:
Customer:       WDC BRIDGED CIRCUITS (C00240602)
RegDate:        2001-11-09
Updated:        2001-11-09
Ref:            https://rdap.arin.net/registry/ip/66.92.163.1

CustName:       WDC BRIDGED CIRCUITS
Address:        21711 Filigree Court
City:           Ashburn
StateProv:      VA
PostalCode:     20147
Country:        US
RegDate:        2001-11-09
Updated:        2013-10-08
Ref:            https://rdap.arin.net/registry/entity/C00240602

OrgTechHandle: AS3251-ARIN
OrgTechName:   AS3257 Netguard
OrgTechPhone:  +49 6102 8235 389
OrgTechEmail:  netguard@gtt.net
OrgTechRef:    https://rdap.arin.net/registry/entity/AS3251-ARIN

OrgNOCHandle: GNOC16-ARIN
OrgNOCName:   GTT Network Operations Center
OrgNOCPhone:  +1-703-442-5500
OrgNOCEmail:  noc@gtt.net
OrgNOCRef:    https://rdap.arin.net/registry/entity/GNOC16-ARIN

OrgAbuseHandle: GAD46-ARIN
OrgAbuseName:   GTT Abuse Department
OrgAbusePhone:  +1-703-442-5500
OrgAbuseEmail:  abuse@gtt.net
OrgAbuseRef:    https://rdap.arin.net/registry/entity/GAD46-ARIN

# end

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#

The WDC token in the NetName SPEK-WDC-BR-19 (Washington, D.C.) is a big clue.  Note what WHOIS does and does not say, though: the most specific record is a Reassigned block whose registered customer address is Ashburn, VA, not Arlington.  WHOIS gives the address of whoever was assigned the block, not the address of the machine using it.
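The lookup above can be automated.  The following is an added example (not code from the article) that parses an ARIN-style WHOIS reply into its "# start" / "# end" records, picks the narrowest NetRange that contains the queried address, and reports that record's registered city and state together with any three-letter token in the NetName as a hint.  The sample reply is a trimmed copy of the output shown above; the ARIN text format it assumes is the one printed there.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the ARIN reply shown above for
# 66.92.163.234 (the parent allocation plus the reassigned customer block).
SAMPLE_WHOIS = """\
# start

NetRange:       66.92.0.0 - 66.93.255.255
CIDR:           66.92.0.0/15
NetName:        MEGAPATH-BLK-53
NetType:        Direct Allocation
OrgName:        GTT
City:           McLean
StateProv:      VA
Country:        US

# end

# start

NetRange:       66.92.163.1 - 66.92.163.255
NetName:        SPEK-WDC-BR-19
NetType:        Reassigned
CustName:       WDC BRIDGED CIRCUITS
City:           Ashburn
StateProv:      VA
Country:        US

# end
"""

FIELD_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_arin(text):
    """Split an ARIN WHOIS reply into one dict per '# start' ... '# end' record."""
    records, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line == "# start":
            current = {}
        elif line == "# end":
            if current:
                records.append(current)
            current = None
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                # Keep the first value seen for a key (Address: lines repeat).
                current.setdefault(m.group(1), m.group(2))
    return records


def _range(rec):
    """NetRange 'a - b' as a pair of integers."""
    start, end = (s.strip() for s in rec["NetRange"].split("-"))
    return int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))


def most_specific(records, ip):
    """Return the narrowest record whose NetRange contains ip, or None."""
    n = int(ipaddress.ip_address(ip))
    best = None
    for rec in records:
        if "NetRange" not in rec:
            continue
        lo, hi = _range(rec)
        if lo <= n <= hi:
            if best is None or (hi - lo) < (_range(best)[1] - _range(best)[0]):
                best = rec
    return best


def whois_location(text, ip):
    """Registered city/state of the most specific block, plus NetName hints."""
    rec = most_specific(parse_arin(text), ip)
    if rec is None:
        return None
    # Three-letter tokens in the NetName ('WDC' in SPEK-WDC-BR-19) are a hint,
    # not proof: the registered address belongs to the assignee, not the host.
    hints = [t for t in rec.get("NetName", "").split("-")
             if t.isalpha() and len(t) == 3]
    return {
        "netname": rec.get("NetName"),
        "type": rec.get("NetType"),
        "city": rec.get("City"),
        "state": rec.get("StateProv"),
        "hints": hints,
    }


if __name__ == "__main__":
    print(whois_location(SAMPLE_WHOIS, "66.92.163.234"))
```

Run against the sample, the Reassigned block wins over the /15 parent and the result is Ashburn, VA with the hint WDC, which is exactly the gap between what WHOIS records (the customer's registered address) and where the address is actually used (Arlington).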

Now look at a traceroute from New York to 66.92.163.234 shown below:

Hop  TCP   UDP   ICMP  Real  Time   IP               Hostname                               AS     AS name
     ms    ms    ms    time  +ms
2    1.7   1.5   1.4   1.4   +1.4   67.202.117.17    vl600.core1.nyc01.steadfast.net        32748  STEADFAST
3    1.6   2.2   2.1   1.6   +0.2   198.32.160.119   nyiix.ge-0-2-0.cr2.nyc1.speakeasy.net  13538  TELEHOUSE
4    7.8   7.8   7.9   7.8   +6.2   69.17.87.22      ge-2-0-0.cr2.wdc1.speakeasy.net        23504  SPEAKEASY
5    9.7   9.3   9.2   9.2   +1.4   69.17.83.46      220.ge-3-0.er1.wdc1.speakeasy.net      23504  SPEAKEASY
6    *     *     *     *     *
7    *     *     *     *     *
8    *     *     *     *     *
Destination unreachable

The traceroute was blocked before it reached its final destination, but the hostnames of the last responding routers in hops 4 and 5 (cr2.wdc1 and er1.wdc1 on speakeasy.net) place them in Speakeasy's Washington, D.C. point of presence, so the target is most likely served from that area.  A traceroute only ever reveals the location of the last router that answers, which need not be close to the endpoint.  (The traceroute was performed with the WorldIP Firefox add-on.)

Now let's see what geolocators have to say about 66.92.163.234.  Four free geolocators, easily found with Google and all allowing unlimited lookups, were asked for the location of 66.92.163.234.  Here are the results:

  • Geobytes:  Washington, DC
  • IPInfoDB:  Silver Spring, MD
  • IPLocation.net:  Ashburn, VA
  • WhatIsMyIPAddress:  Rockville, MD

That is not exactly pinpoint accuracy for an IP address in Arlington, Virginia, but all locations are probably within 20 miles of Arlington.  A commercial concern that targets specific regions with local advertising would think that geolocation works very well.

Now let's look at how well geolocation does at locating a web server.  First, the location of the web server for Geospoof.org will be worked out without using geolocators.

Here is a fragment of the WHOIS record for Geospoof.org:

$ whois geospoof.org
[snip]
Tech ID:tultDEX6uQuRBJgV
Tech Name:Hollie Dewers
Tech Organization:Dogs R Us
Tech Street1:101 Bow Wow Way
Tech Street2:
Tech Street3:
Tech City:Pittsburgh
Tech State/Province:Pennsylvania
Tech Postal Code:15218
Tech Country:US
Tech Phone:+412.3718139
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:holliedewers@aol.com
Name Server:NS2.ZONEEDIT.COM
Name Server:NS4.ZONEEDIT.COM

This information in WHOIS for Geospoof.org is bogus except for the name servers.

Use one of those name servers and look up Geospoof.org several times:

$ nslookup
> server NS2.ZONEEDIT.COM
Default server: NS2.ZONEEDIT.COM
Address: 69.72.158.226#53
> geospoof.org
Server: NS2.ZONEEDIT.COM
Address: 69.72.158.226#53
Name: geospoof.org
Address: 216.98.141.250
Name: geospoof.org
Address: 69.72.142.98
> geospoof.org
Server: NS2.ZONEEDIT.COM
Address: 69.72.158.226#53
Name: geospoof.org
Address: 69.72.142.98
Name: geospoof.org
Address: 216.98.141.250
>

Notice that Geospoof.org resolves to two different IP addresses (216.98.141.250 and 69.72.142.98) and that the name server NS2.ZONEEDIT.COM does not always return the two addresses in the same order.

The 69.72.142.98 address appears to be in Clifton, New Jersey:

$ whois 69.72.142.98
OrgName: FortressITX
OrgID: FORTR-5
Address: 100 Delawanna Ave
City: Clifton
StateProv: NJ
PostalCode: 07014
Country: US
[snip]

And the 216.98.141.250 address seems to be in San Diego, California:

$ whois 216.98.141.250
OrgName: CariNet, Inc.
OrgID: CARIN-6
Address: 8929 COMPLEX DR
City: SAN DIEGO
StateProv: CA
PostalCode: 92123
Country: US
[snip]

Not all geolocators will do lookups on domain names.  Many will only do lookups on IP addresses.

From the list of geolocators above, IPInfoDB will look up either a domain name or IP address.

Do a lookup of Geospoof.org on IPInfoDB and sometimes it will say that Geospoof.org is in Clifton, NJ and other times it will say that Geospoof.org is in San Diego, CA.

So the geolocators are confused because Geospoof.org has two A records on two different networks and the name servers rotate the order of the answers (round-robin DNS).  A geolocator that resolves the name and keeps only the first address will report whichever network happened to come first.
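The failure mode, and the check a geolocator should do instead, as an added example that is not part of the article.  The resolver is simulated offline with the two A records shown in the nslookup session, rotated on every call the way NS2.ZONEEDIT.COM does; the IP-to-city table stands in for the geolocator's database and is constructed from the WHOIS cities above.

```python
import itertools

# Constructed from the page: the two A records for geospoof.org and the
# WHOIS-derived city for each.  This table stands in for a geolocation database.
A_RECORDS = ["216.98.141.250", "69.72.142.98"]
IP_CITY = {"69.72.142.98": "Clifton, NJ", "216.98.141.250": "San Diego, CA"}


def make_round_robin_resolver(records):
    """Return resolve(name) -> list of addresses, rotating the order on each call,
    which is what the nslookup session above shows NS2.ZONEEDIT.COM doing."""
    rotations = itertools.cycle(range(len(records)))

    def resolve(name):
        k = next(rotations)
        return records[k:] + records[:k]

    return resolve


def naive_locate(name, resolve, db):
    """What a simple geolocator does: resolve, keep the first address, look it up.
    The answer changes from call to call under round-robin DNS."""
    first = resolve(name)[0]
    return db.get(first, "unknown")


def locate_all(name, resolve, db):
    """Resolve, geolocate every address, and report disagreement instead of hiding it."""
    cities = {ip: db.get(ip, "unknown") for ip in sorted(resolve(name))}
    return {"addresses": cities, "consistent": len(set(cities.values())) == 1}


if __name__ == "__main__":
    resolver = make_round_robin_resolver(A_RECORDS)
    for _ in range(3):
        print("naive:", naive_locate("geospoof.org", resolver, IP_CITY))
    print("all:  ", locate_all("geospoof.org", resolver, IP_CITY))
```

Two consecutive naive lookups return San Diego and then Clifton; the second function returns both addresses with consistent set to False, which is the honest answer for a name that points at two networks.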

The domain or zone management for Geospoof.org is provided by ZoneEdit.

They provide free services for up to five domains.  More specifically, they provide the primary and secondary DNS name servers for Geospoof.org.  Their services also include web forwarding with a cloaking option.  The cloaking option means that the real URL of the web server will not be displayed in the navigation bar.

Geolocators do not follow web forwards.  They locate the addresses in the domain's A records, which here belong to the forwarding hosts, not the server that ultimately serves the page.

At the time of the writing of this article, the web server for Geospoof.org is in Seattle, Washington.  The web page for Geospoof.org can be easily moved around the world and geolocators cannot find it.
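Finding the server that actually serves the content means following the forward rather than stopping at the A record.  The following is an added example (not the article's code) that follows HTTP 3xx Location redirects and, for the cloaking case, a single full-page frame pointing at another host, with a hop limit and loop detection, and returns the final host name to geolocate.  It assumes cloaked forwarding is implemented with a frame or iframe whose src is the real URL; that is the usual mechanism but the article does not say how ZoneEdit does it.  The responses are a constructed fixture, not real answers from geospoof.org.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FrameSrcParser(HTMLParser):
    """Collect the src= of <frame> and <iframe> tags in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            for key, value in attrs:
                if key == "src" and value:
                    self.sources.append(value)


def final_host(url, fetch, max_hops=10):
    """Follow redirects and frame-based cloaking to the host that serves the content.

    fetch(url) -> (status, headers_dict, body).  Returns (hostname, chain of URLs
    visited).  Raises ValueError on a redirect loop or too many hops."""
    seen = []
    while len(seen) < max_hops:
        if url in seen:
            raise ValueError("redirect loop at %s" % url)
        seen.append(url)
        status, headers, body = fetch(url)
        if 300 <= status < 400 and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        parser = FrameSrcParser()
        parser.feed(body)
        here = urlsplit(url).hostname
        # Cloaking assumption: exactly one frame whose src is on another host.
        external = [urljoin(url, s) for s in parser.sources
                    if urlsplit(urljoin(url, s)).hostname != here]
        if len(external) == 1:
            url = external[0]
            continue
        return here, seen
    raise ValueError("more than %d hops" % max_hops)


# Constructed fixture standing in for the network: a plain redirect, a
# forwarding host that answers with a cloaking frameset, and a redirect loop.
FAKE_WEB = {
    "http://redir.example/": (302, {"Location": "http://geospoof.org/"}, ""),
    "http://geospoof.org/": (200, {}, '<html><frameset rows="100%">'
                             '<frame src="http://real-server.example/site/">'
                             '</frameset></html>'),
    "http://real-server.example/site/": (200, {}, "<html><body>hello</body></html>"),
    "http://loop-a.example/": (301, {"Location": "http://loop-b.example/"}, ""),
    "http://loop-b.example/": (301, {"Location": "http://loop-a.example/"}, ""),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client; swap in a real one to use this live."""
    return FAKE_WEB[url]


if __name__ == "__main__":
    print(final_host("http://redir.example/", fake_fetch))
```

The host name this returns is what should be resolved and geolocated; a lookup of the forwarding host's address would never get past Clifton or San Diego.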

Of course, any organization can hide the real location of a server with a private network that connects to the Internet in some distant location.  Using geolocation to find the geographical location of a web server does not work very well.

However, in many cases finding the real location of a proxy web server is not necessary in order to bypass restrictions.  For example, someone in New York might have a need to post an ad on Craigslist in Los Angeles and geolocation restrictions are preventing this from happening.

The solution may be to find a proxy that geolocation says is in Los Angeles and not be concerned with where it really is located.

The ownership of domain Geospoof.org is currently in dispute.  Please contact the author at geospoof@gmail.com if the domain does not seem to be related to the article.  A correct domain will be provided.

Return to $2600 Index