[AusNOG] maps.gstatic.com and ssl.gstatic.com

Donal irldexter at podomere.com
Sat Oct 25 00:33:04 EST 2014


Hi,

Short version: TPG IPs serving Google content: http://203.219.219.108 and dig'ing at 8.8.8.8 from our TPG CEs results in these non-Google IPs for google.com, gstatic.com A records etc? Is this an official edge?

From a TPG fibre connection (utilising another wholesale primary carrier) we were also seeing responses from Uneeda [139.130.4.4] with a CNAME saying 'blocked.domain.gstatic.com' resolving to home [127.0.0.1] for about 2 hours+ essentially blackholing 'ssl.gstatic.com' traffic (as per others on this list) -> thus much associated SSL/TLS related account management mechanisms for Google services (affecting Google Mail domain account management and Google Drive permissions as an example!). TPG noted a peering issue between TPG <- PIPE -> Google but this doesn't directly explain the CNAME/A record responses being different (especially when asking 139.130.4.4 locally).. unless there was some conflation of multiple issues and/or blacklisting?

The funny thing was though that a dig @8.8.8.8 from the TPG client edge for 'ssl.gstatic.com' results in the response A records being from a TPG prefix and not a Google AS/prefix range, which worries me. Albeit Telstra is now returning the correct A records (and always was internationally), it is only when sourcing DNS requests from inside TPG ranges that we had issues on multiple client sites and the below is freaking me out.

An example DIG @ Fri Oct 24 16:01:39 EST 2014 to 8.8.8.8 for 'ssl.gstatic.com' resulted in the below TPG A records: 

ssl.gstatic.com.	219	IN	A	203.219.219.99
ssl.gstatic.com.	219	IN	A	203.219.219.108
ssl.gstatic.com.	219	IN	A	203.219.219.89
… and lots more...

Currently @11.20pm AEST the response from "8.8.8.8" @ a TPG CE IP range is:

;; ANSWER SECTION:
ssl.gstatic.com.	299	IN	A	220.244.223.35
ssl.gstatic.com.	299	IN	A	220.244.223.49
ssl.gstatic.com.	299	IN	A	220.244.223.38
… and lots more...

Whereupon tracerouting 8.8.8.8 from the customer site does go deep in to Google AS territory… but...

laptop$ whois -h whois.cymru.com " -v 203.219.219.99"
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
7545    | 203.219.219.99   | 203.219.219.0/24    | AU | apnic    | 2003-03-11 | TPG-INTERNET-AP TPG Telecom Limited,AU

laptop$ whois -h whois.cymru.com " -v 220.244.223.35"
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
7545    | 220.244.223.35   | 220.244.223.0/24    | AU | apnic    | 2003-06-18 | TPG-INTERNET-AP TPG Telecom Limited,AU

I find it very hard to believe that Google's 8.8.8.8 was returning TPG A records and keep leaning towards someone mangling DNS along the way (or trying to do SSL offload/MITM)… anyone got a simpler explanation like an official edge that's not well documented?

Note: The certificate served by these IPs is valid, different expiry dates than elsewhere for the same content but still GeoTrust listed for *.google.com (as opposed to 

The IP "203.219.219.108" for example, serves Google.com content even from Germany… and RADB confirms the IP as TPG origin AS AS7545 …? This can't be an official edge right?

--
Humble regards,

Donal @podomere
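The checks the post does by hand (dig the name, then run each answer through Team Cymru's whois to see which AS originates it, and notice when a name is aliased off to 127.0.0.1) can be scripted so they run over a whole answer set at once. The following is an added example, not code from the post or from any of the operators mentioned: it parses dig-style answer lines and `whois -h whois.cymru.com -v` table rows, follows CNAME chains, and flags A records that are non-routable or whose origin AS is not on an allow-list. The answer lines and whois rows are constructed from the figures quoted in the post (the row for 203.219.219.89 is extrapolated from the same /24); the allow-list entry AS15169 (Google's own origin AS) and the resolver snapshot names are assumptions for the example.

```python
"""
Check DNS answers for well-known names against expected origin ASNs.

Inputs are dig-style answer lines and Team Cymru whois-style rows; both
sample inputs below are constructed from the values quoted in the post.
"""
import ipaddress
from dataclasses import dataclass

# Assumed allow-list: which origin AS(es) should serve these registered domains.
# AS15169 is Google's own AS; the allow-list itself is an assumption here.
EXPECTED_ORIGIN_AS = {"gstatic.com": {15169}, "google.com": {15169}}


@dataclass
class Answer:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_dig_answers(text):
    """Parse lines of the form 'name TTL IN TYPE RDATA'; skip comments and '…' fillers."""
    answers = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 5 or parts[2] != "IN" or parts[0].startswith(";"):
            continue
        answers.append(Answer(parts[0].rstrip("."), int(parts[1]), parts[3],
                              " ".join(parts[4:]).rstrip(".")))
    return answers


def parse_cymru_whois(text):
    """Parse 'whois -h whois.cymru.com -v' rows into ip -> (asn, prefix, as_name)."""
    table = {}
    for raw in text.splitlines():
        cols = [c.strip() for c in raw.split("|")]
        if len(cols) < 7 or not cols[0].isdigit():
            continue  # header row or blank line
        table[cols[1]] = (int(cols[0]), cols[2], cols[6])
    return table


def registered_domain(name):
    """Last two labels; adequate for the .com names in the post."""
    return ".".join(name.split(".")[-2:])


def follow_cnames(name, answers):
    """Follow CNAME records from `name`; return (final_name, list of A rdata)."""
    seen, current = set(), name
    while current not in seen:  # the seen-set guards against CNAME loops
        seen.add(current)
        targets = [a.rdata for a in answers if a.name == current and a.rtype == "CNAME"]
        if not targets:
            break
        current = targets[0]
    return current, [a.rdata for a in answers if a.name == current and a.rtype == "A"]


def check_name(name, answers, asn_table):
    """Return (ip, reason) findings for `name`; an empty list means nothing suspicious."""
    final_name, ips = follow_cnames(name, answers)
    expected = EXPECTED_ORIGIN_AS.get(registered_domain(name))
    findings = []
    for ip_text in ips:
        ip = ipaddress.ip_address(ip_text)
        if ip.is_loopback or ip.is_private or ip.is_unspecified:
            findings.append((ip_text, f"{name} -> {final_name}: non-routable address"))
        elif expected is not None:
            info = asn_table.get(ip_text)
            if info is None:
                findings.append((ip_text, f"{name}: no origin-AS data for this address"))
            elif info[0] not in expected:
                findings.append((ip_text, f"{name}: served from AS{info[0]} ({info[2]}), "
                                          f"expected {sorted(expected)}"))
    return findings


# Constructed answer sets: the 16:01 dig against 8.8.8.8 and the Uneeda CNAME response.
DIG_1601 = """\
;; ANSWER SECTION:
ssl.gstatic.com.\t219\tIN\tA\t203.219.219.99
ssl.gstatic.com.\t219\tIN\tA\t203.219.219.108
ssl.gstatic.com.\t219\tIN\tA\t203.219.219.89
"""
DIG_UNEEDA = """\
ssl.gstatic.com.\t60\tIN\tCNAME\tblocked.domain.gstatic.com.
blocked.domain.gstatic.com.\t60\tIN\tA\t127.0.0.1
"""
CYMRU_OUTPUT = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
7545    | 203.219.219.99   | 203.219.219.0/24    | AU | apnic    | 2003-03-11 | TPG-INTERNET-AP TPG Telecom Limited,AU
7545    | 203.219.219.108  | 203.219.219.0/24    | AU | apnic    | 2003-03-11 | TPG-INTERNET-AP TPG Telecom Limited,AU
7545    | 203.219.219.89   | 203.219.219.0/24    | AU | apnic    | 2003-03-11 | TPG-INTERNET-AP TPG Telecom Limited,AU
"""


def run_check():
    """Run both constructed snapshots through the check; returns {snapshot: findings}."""
    table = parse_cymru_whois(CYMRU_OUTPUT)
    return {label: check_name("ssl.gstatic.com", parse_dig_answers(text), table)
            for label, text in (("tpg_1601", DIG_1601), ("uneeda_cname", DIG_UNEEDA))}


if __name__ == "__main__":
    for label, findings in run_check().items():
        for ip_text, reason in findings:
            print(f"[{label}] {ip_text:<16} {reason}")
```

In practice the Cymru table would be populated from a live `whois -h whois.cymru.com` bulk query and the answer sets from `dig` run at several vantage points; comparing the findings across resolvers (8.8.8.8, the carrier's own, and an off-net resolver) separates a genuine anycast edge from answers being rewritten on the path.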

