Most streaming services and compliance-sensitive platforms fail to enforce geo-restrictions correctly on 60-80% of residential IPs, according to internal audits at three major CDNs. The root cause is not poor IP databases — it is a testing workflow that never exercises the edge cases that actually break geo-fencing. Engineers who treat geo-blocking as a simple IP-to-country lookup are building a sieve, not a barrier.
Why Naive IP Lookups Fail at Scale
The standard approach — querying MaxMind or a similar GeoIP database for the country_code — works for datacenter IPs and large ISP blocks. It fails catastrophically for mobile carrier IPs that route through a central gateway in another country, for satellite ISPs with ground stations in multiple jurisdictions, and for any IP allocated before the current geopolitical borders were drawn. RFC 8805 defines a geolocation feed format, but most providers still serve stale or aggregated data. A 2023 study found that 34% of IPs in the RIPE NCC database had a country code that did not match the registered address of the holder. Testing against a single database is not testing — it is wishful thinking.
VPN and Proxy Detection: The Bypass You Are Not Testing
Streaming services invest heavily in VPN blocklists, but those blocklists are only as good as the test harness that validates them. The common mistake is to test from a known VPN endpoint (e.g., a commercial provider's exit node) and call it done. Real attackers rotate IPs every 60 seconds, use residential proxy networks, or tunnel through a cloud provider's egress IP that is not yet flagged. A proper verification workflow must include a script that pulls a list of known open proxies, VPN exit nodes, and Tor relays from public feeds (e.g., https://check.torproject.org/exit-addresses), then sends a request to your service's geo-restricted endpoint and checks the response status. Here is a minimal test loop using curl:
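#!/bin/bash
# Test geo-restricted endpoint against a list of suspicious IPs.
# Each input line is a proxy endpoint (host:port); the request egresses
# from that address, so the service sees it as the client IP.
ENDPOINT="https://api.example.com/geo/check"
while IFS= read -r proxy; do
    [[ -z "$proxy" ]] && continue
    result=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 --proxy "$proxy" "$ENDPOINT")
    if [[ "$result" == "000" ]]; then
        # curl reports 000 when no HTTP response was received (dead endpoint)
        echo "SKIP: $proxy unreachable"
    elif [[ "$result" != "403" ]]; then
        echo "FAIL: $proxy returned $result (expected 403)"
    fi
done < /tmp/suspicious_ips.txt
This script uses --proxy to force the connection through a specific IP while preserving the original host header, a technique that bypasses most CDN-level geo checks. The service sees the listed address as the client, so each line of the input file has to be an endpoint in host:port form. If your service returns a 200 or 302 for any of those IPs, your geo-fencing is broken.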
IPv6 Geolocation Gaps and Mobile Carrier IPs That Span Borders
IPv6 geolocation accuracy is below 50% for many regions, especially in Europe and Asia where carriers use a single /32 prefix for multiple countries. A mobile phone in Strasbourg, France, may appear to originate from a German carrier's core network if the operator uses a single anchor point. The X-Forwarded-For header often contains the IPv4 address of the carrier's NAT gateway, not the user's IPv6 address. To test this, send requests from a test device connected to a mobile network in a border region (e.g., Basel, Switzerland; El Paso, Texas) and compare the geolocation result from your service against the actual GPS coordinates of the device. If the mismatch exceeds 100 km, your compliance team has a problem — GDPR requires data processing to be tied to the user's actual location, not the carrier's.
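The GPS comparison described above, as an added example (not code from the original article). The sample measurements are constructed: the device coordinates are approximate city centres and the "resolved" values are made up. The extra "country" verdict goes beyond the 100 km rule in the text, because in a border region a result can be close on the map and still in the wrong jurisdiction.

```python
from math import asin, cos, radians, sin, sqrt

MAX_KM = 100.0  # mismatch threshold stated in the text

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate(sample):
    """Return (verdict, distance_km) for one device measurement."""
    d = haversine_km(*sample["gps"], *sample["resolved"])
    if d > MAX_KM:
        verdict = "distance"
    elif sample["gps_country"] != sample["resolved_country"]:
        verdict = "country"  # close on the map, wrong jurisdiction
    else:
        verdict = "ok"
    return verdict, round(d, 1)

# Constructed measurements: approximate city coordinates for the device,
# made-up values for what the service resolved.
SAMPLES = [
    {"site": "Strasbourg", "gps": (48.5734, 7.7521), "gps_country": "FR",
     "resolved": (50.1109, 8.6821), "resolved_country": "DE"},
    {"site": "El Paso", "gps": (31.7619, -106.4850), "gps_country": "US",
     "resolved": (31.6904, -106.4245), "resolved_country": "MX"},
    {"site": "Basel", "gps": (47.5596, 7.5886), "gps_country": "CH",
     "resolved": (47.3769, 8.5417), "resolved_country": "CH"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, km = evaluate(s)
        print(f"{s['site']:<11} {km:>6} km  {verdict}")
```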
Regulatory Compliance Testing Beyond the IP Check
GDPR and COPPA do not care about your IP database vendor. They care about whether a user in the EU is served EU-compliant content and whether collection of personal data is blocked for a user under 13 in the US. Testing geo-restrictions for compliance means you must verify that your service's response — not just the HTTP status code — changes correctly based on the detected location. For example, a streaming service that serves different catalogs per country must ensure that a user in the UK sees the UK catalog, a user in France sees the French catalog, and a user in a non-licensed territory sees a "not available" page. The test should include checking the response body for region-specific strings, cookies, and redirect targets. A single curl with --header "CF-IPCountry: GB" (if you use Cloudflare) is a quick smoke test, but it only tests the CDN layer, not your application logic. Build a test suite that spoofs the X-Forwarded-For header with IPs from each target country, then parse the response for a known unique identifier (e.g., a JSON field "catalog": "uk").
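A sketch of the response check described above, as an added example (not code from the original article). It runs over constructed captured responses so it works offline; the "region" cookie name, the "/not-available" redirect target and the "XX" placeholder for a non-licensed territory are assumptions, not part of any real service.

```python
import json

# Expected behaviour per detected country (hypothetical service contract).
EXPECTED = {
    "GB": {"status": 200, "catalog": "uk"},
    "FR": {"status": 200, "catalog": "fr"},
    "XX": {"status": 302, "location": "/not-available"},  # non-licensed territory
}

def verify(country, resp):
    """Return a list of mismatches between a captured response and EXPECTED."""
    want, problems = EXPECTED[country], []
    if resp["status"] != want["status"]:
        problems.append(f"status {resp['status']} != {want['status']}")
    if "catalog" in want:
        try:
            got = json.loads(resp["body"]).get("catalog")
        except (ValueError, TypeError, AttributeError):
            got = None  # body is not a JSON object at all
        if got != want["catalog"]:
            problems.append(f"catalog {got!r} != {want['catalog']!r}")
        if f"region={want['catalog']}" not in resp["headers"].get("Set-Cookie", ""):
            problems.append("region cookie missing or wrong")
    if "location" in want and resp["headers"].get("Location") != want["location"]:
        problems.append(f"redirect to {resp['headers'].get('Location')!r}")
    return problems

# Constructed captures, keyed by the country the request was made to look like.
CAPTURED = {
    "GB": {"status": 200, "headers": {"Set-Cookie": "region=uk; Path=/"},
           "body": '{"catalog": "uk"}'},
    # Status is correct but the body is the UK catalog: a status-only test passes this.
    "FR": {"status": 200, "headers": {"Set-Cookie": "region=uk; Path=/"},
           "body": '{"catalog": "uk"}'},
    "XX": {"status": 302, "headers": {"Location": "/not-available"}, "body": ""},
}

def report(captured):
    """Map each failing country to its list of mismatches."""
    results = {c: verify(c, r) for c, r in captured.items()}
    return {c: p for c, p in results.items() if p}

if __name__ == "__main__":
    for country, problems in report(CAPTURED).items():
        print(country, "FAIL:", "; ".join(problems))
```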
Building a Repeatable QA Pipeline
Stop running geo-restriction tests manually. Integrate the verification into your CI/CD pipeline using a tool like geoiplookup from the geoip-bin package, combined with a list of IPs that are known to be mislocated in your primary database. Run the test every time you deploy a new geo-fencing rule. Use a multi-source approach: query MaxMind, IP2Location, and a free RIPE NCC API for each test IP, and fail the build if the majority of sources disagree with your service's response. The script below shows the comparison for two of them, MaxMind (via geoiplookup) and IP2Location:
#!/bin/bash
IP="1.2.3.4"
RESPONSE=$(curl -s "https://api.example.com/geo/check?ip=$IP" | jq -r '.country')
# geoiplookup prints "GeoIP Country Edition: US, United States"; keep only the code
MAXMIND=$(geoiplookup "$IP" | awk -F': ' '/Country Edition/ {split($2, a, ","); print a[1]; exit}')
IP2LOC=$(curl -s "https://api.ip2location.com/?ip=$IP&key=test" | jq -r '.country_code')
if [[ "$RESPONSE" != "$MAXMIND" && "$RESPONSE" != "$IP2LOC" ]]; then
    echo "WARNING: Geo response differs from majority of databases" >&2
    exit 1  # non-zero exit fails the CI job
fi
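The majority rule from the paragraph above, generalised to any number of sources, as an added example (not code from the original article). The source names and answers are constructed sample data on documentation-range IPs; a database with no answer casts no vote, and a tie is reported as "no-consensus" rather than passed.

```python
import sys
from collections import Counter

def majority_country(sources):
    """Return (country, votes) for the strict-majority answer, or (None, 0).

    `sources` maps database name -> ISO country code, or None when the
    database has no answer for the IP.
    """
    votes = Counter(c.upper() for c in sources.values() if c)
    if not votes:
        return None, 0
    country, count = votes.most_common(1)[0]
    # Strict majority of the databases that answered; a tie is no consensus.
    if count * 2 <= sum(votes.values()):
        return None, 0
    return country, count

def check(service_country, sources):
    """Classify one test IP as 'pass', 'fail' or 'no-consensus'."""
    consensus, _ = majority_country(sources)
    if consensus is None:
        return "no-consensus"
    return "pass" if (service_country or "").upper() == consensus else "fail"

def run(cases):
    """Return the (ip, verdict) pairs that should fail the build."""
    results = [(c["ip"], check(c["service"], c["sources"])) for c in cases]
    return [r for r in results if r[1] != "pass"]

# Constructed sample data: what the service decided vs. what each source says.
CASES = [
    {"ip": "192.0.2.10", "service": "FR",
     "sources": {"maxmind": "FR", "ip2location": "FR", "ripe": "DE"}},
    {"ip": "198.51.100.7", "service": "FR",
     "sources": {"maxmind": "DE", "ip2location": "DE", "ripe": "FR"}},
    {"ip": "203.0.113.5", "service": "CH",
     "sources": {"maxmind": "CH", "ip2location": "FR", "ripe": None}},
]

if __name__ == "__main__":
    bad = run(CASES)
    for ip, verdict in bad:
        print(f"{verdict.upper()}: {ip}")
    sys.exit(1 if bad else 0)
```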
No single database is authoritative. The only way to catch the 60-80% failure rate is to test with real-world edge cases: mobile carrier IPs, IPv6 prefixes, and residential proxies. Anything less is a compliance incident waiting to happen.