[dns-operations] Random question about Google resolver behaviour and long-lived TCP sessions

Alexander Dupuy alexdupuy at google.com
Fri Sep 27 03:06:53 UTC 2019

Jake wrote:

> I'm looking at TCP, and one of the things I'm measuring is average length
> of TCP sessions.
> For the most part, the output seems to be in the range that one might
> expect...
> ...
> But I occasionally discover outliers where the TCP sessions last much
> longer...and they're all (every single one of them over a 3 hour period)
> owned by Google...
> 2019-09-18 15:25:56.142138 - Close connection with -
> duration: 30.0402970314026 seconds *** OVER5

These addresses are not the Google addresses that we publish at
https://developers.google.com/speed/public-dns/faq#locations, and although
they are clearly Google addresses, they aren't coming from Google Public
DNS resolvers.

$ dig +short -x

That name makes me wonder whether that is actually a DNS TCP connection,
and not an HTTP TCP connection? Or FTP? Do you have any logs or packet
captures of those connections? Are you getting any valid DNS queries on

Maybe some bright light has stuck http://c.ca-servers.ca:53/ URLs into
their web pages, or the Googlebot web crawler has some bad IP (and port?)
information from somewhere. Either way, you should look to see if they are
really sending DNS, and if the Google clients from those addresses are
either waiting for your server to say something first (FTP style) or
sending an HTTP GET, you should see about robots.txt blocking or some other
mechanism through the Google Webmaster Central help (
https://support.google.com/webmasters) and/or the Search Console (
https://search.google.com/search-console/welcome) to tell the Googlebot to
lay off.

If it's really DNS traffic, post here, and we can probably figure out where
it's coming from and why it's keeping the TCP connections open that long.
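
Added example, not part of the original message: one way to carry out the check suggested above, by labelling the first bytes each client sends on a TCP port 53 connection as a DNS query, an HTTP request, or nothing at all. The function names and sample payloads are constructed for illustration; feed it the first segment taken from your own logs or packet captures.

```python
import struct

# Request-line prefixes that mark an HTTP client rather than a DNS client.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"OPTIONS ")

def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes a client sent after connecting to TCP port 53."""
    if not data:
        # Nothing sent before the idle timeout: client may expect a banner (FTP style).
        return "silent"
    if data.startswith(HTTP_METHODS):
        return "http"
    if len(data) < 14:
        return "other"
    # DNS over TCP (RFC 1035 section 4.2.2): 2-byte length, then the 12-byte header.
    (msg_len,) = struct.unpack("!H", data[:2])
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", data[2:14])
    is_query = (flags >> 15) == 0   # QR bit clear
    opcode = (flags >> 11) & 0xF    # 0 = standard QUERY
    # Smallest query: 12-byte header + root name (1) + QTYPE/QCLASS (4) = 17 bytes.
    if msg_len >= 17 and is_query and opcode == 0 and qdcount == 1 and ancount == 0:
        return "dns-query"
    return "other"

def build_tcp_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a length-prefixed standard query (RD set) for `name`."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!2H", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

if __name__ == "__main__":
    # Constructed payloads, one per case discussed in the message.
    samples = {
        "dns client": build_tcp_query("c.ca-servers.ca"),
        "web crawler": b"GET / HTTP/1.1\r\nHost: c.ca-servers.ca:53\r\n\r\n",
        "waiting for banner": b"",
    }
    for who, payload in samples.items():
        print(f"{who:20s} -> {classify_first_bytes(payload)}")
```

A first read can return fewer than 14 bytes of a genuine query, so treat "other" as a prompt to look at the full capture.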
