[dns-operations] Unpublished IP addresses for Google Public DNS

Babak Farrokhi babak at farrokhi.net
Thu Oct 19 17:52:31 UTC 2017


I believe it is safe to assume that documentation might be outdated or inaccurate.
I’ve been probing this for a while using RIPE Atlas network around the world and sending queries like this:

dig +short TXT maxmind.test-ipv6.com @8.8.8.8

It returns the IP address AS number from which the resolver sends a query (should be one of those IP addresses Google published). There has been several cases that IPs belonged the Google (AS15169) but was not in the list you mentioned.  And it turned out there are operators around the world who redirect DNS traffic toward their own resolvers (like 2% of responses were coming from IP addresses did not belong to Google).

Kind Regards,

-- 
Babak Farrokhi


On 19 Oct 2017, at 20:13, Andrea Barberio wrote:

> Maybe silly, but you could do some enumeration test with scapy and whoami from multiple vantage points to build your list, and cross the results with the subnets declared at https://developers.google.com/speed/public-dns/faq (quick example at the bottom).
>
> The 172.17 prefixes are declared in the FAQ too, so these are confirmed valid ranges.
>
> E.g.:
>
>>>> a, u = sr(IP(dst='8.8.8.8') / UDP(sport=(12345, 12385), dport=53) / DNS(rd=1, qd=DNSQR(qname='whoami.akamai.net.', qtype='A', qclass='IN')))
> Begin emission:
> ..****************.******************.****Finished to send 41 packets.
> ***
> Received 45 packets, got 41 answers, remaining 0 packets
>>>> set([x[1][DNSRR].rdata for x in a])
> set(['74.125.73.84', '74.125.181.15', '74.125.47.138', '74.125.47.129', '74.125.47.140', '74.125.73.77', '74.125.47.142', '74.125.47.145', '74.125.181.5', '74.125.181.4', '74.125.73.67', '74.125.47.14', '74.125.73.69', '74.125.73.68', '74.125.73.79', '74.125.73.82', '74.125.73.80'])
>
>
>
>
>
>
> From: "Babak Farrokhi" <babak at farrokhi.net>
> To: "Rajesh Maskara" <rajmask at microsoft.com>
> Cc: dns-operations at dns-oarc.net
> Sent: Thursday, October 19, 2017 4:44:31 PM
> Subject: Re: [dns-operations] Unpublished IP addresses for Google Public DNS
>
>
>
> Hi,
>
> I have seen several addresses from 172.217.42.x as source address from Google resolvers. Here is a list of IPs I’ve seen recently:
>
> 172.217.42.3
> 172.217.42.4
> 172.217.42.5
> 172.217.42.6
> 172.217.42.7
> 172.217.42.8
> 172.217.42.9
> 172.217.42.10
> 172.217.42.11
> 172.217.42.14
>
>
> Kind Regards,
>
> -- 
> Babak Farrokhi
>
>
> On 12 Oct 2017, at 3:51, Rajesh Maskara wrote:
>
>
>
>
>
> Are following two IP addresses used by Google Public DNS for DNS resolution?
>
> 172.217.42.2
>
> 172.217.42.4
>
>
>
> These addresses are NOT included in published ranges:
>
> C:\>nslookup -type=TXT locations.publicdns.goog. | findstr "172.217."
>
> Non-authoritative answer:
>
> "172.217.32.0/26 lhr "
>
> "172.217.32.64/26 lhr "
>
> "172.217.32.128/26 sin "
>
> "172.217.33.0/26 syd "
>
> "172.217.33.64/26 syd "
>
> "172.217.33.128/26 fra "
>
> "172.217.33.192/26 fra "
>
> "172.217.34.0/26 fra "
>
> "172.217.34.64/26 bom "
>
> "172.217.34.192/26 bom "
>
> "172.217.35.0/24 gru "
>
> "172.217.36.0/24 atl "
>
> "172.217.37.0/24 gru "
>
>
>
> This is resulting in Traffic Managers like DYN etc to map the end-users incorrectly to CA, USA.
>
>
>
> Thanks,
> Rajesh Maskara
>
> Microsoft
>
>
>
>
> BQ_BEGIN
>
> BQ_END
>
> BQ_BEGIN
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> [ https://lists.dns-oarc.net/mailman/listinfo/dns-operations | https://lists.dns-oarc.net/mailman/listinfo/dns-operations ]
> dns-operations mailing list
> [ https://lists.dns-oarc.net/mailman/listinfo/dns-operations | https://lists.dns-oarc.net/mailman/listinfo/dns-operations ]
> BQ_END
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20171019/29c503aa/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20171019/29c503aa/attachment.sig>


More information about the dns-operations mailing list