[AusNOG] maps.gstatic.com and ssl.gstatic.com
Tom Paseka
tom at cloudflare.com
Fri Oct 31 00:02:28 EST 2014
TPG host a google cache - which is served from TPG IP Space. 8.8.8.8 is
using the EDNS Client Subnet option and determining that their cache is the
best spot for you. 139.130.4.4 is probably doing the same.
-Tom
On Fri, Oct 24, 2014 at 10:33 AM, Donal <irldexter at podomere.com> wrote:
> Hi,
>
> Short version: TPG IPs serving Google content: http://203.219.219.108 and
> dig'ing at 8.8.8.8 from our TPG CE's result in these non-Google IPs for
> google.com, gstatic.com A records etc? Is this an official edge?
>
> From a TPG fibre connection (utilising another wholesale primary carrier)
> we were also seeing responses from Uneeda [139.130.4.4] with a CNAME saying
> 'blocked.domain.gstatic.com' resolving to home [127.0.0.1] for about 2
> hours+ essentially blackholing 'ssl.gstatic.com' traffic (as per others
> on this list) -> thus much associated SSL/TLS related account management
> mechanisms for Google services (affecting Google Mail domain account
> management and Google Drive permissions as an example!). TPG noted a
> peering issue between TPG <- PIPE -> Google but this doesn't directly
> explain the CNAME/A record responses being different (especially when
> asking 139.130.4.4 locally).. unless there was some conflation of multiple
> issues and/or blacklisting?
>
> The funny thing was though that a dig @8.8.8.8 from the TPG client edge
> for 'ssl.gstatic.com' results in the response A records being from a TPG
> prefix and not a Google AS'/prefix range which worries me. Albeit Telstra
> is now returning the correct A records (and always was internationally), it
> is only when sourcing DNS requests from inside TPG ranges that we had
> issues on multiple client sites and the below is friek'ing me out.
>
> An example DIG @ Fri Oct 24 16:01:39 EST 2014 to 8.8.8.8 for '
> ssl.gstatic.com' resulted in the below TPG A records:
>
> ssl.gstatic.com. 219 IN A 203.219.219.99
> ssl.gstatic.com. 219 IN A 203.219.219.108
> ssl.gstatic.com. 219 IN A 203.219.219.89
> … and lots more...
>
> Currently @11.20pm AEST the response from "8.8.8.8" @ a TPG CE IP range is:
>
> ;; ANSWER SECTION:
> ssl.gstatic.com. 299 IN A 220.244.223.35
> ssl.gstatic.com. 299 IN A 220.244.223.49
> ssl.gstatic.com. 299 IN A 220.244.223.38
> … and lots more...
>
> Whereupon tracerouting 8.8.8.8 from the customer site does go deep in to
> Google AS territory… but...
>
> laptop$ whois -h whois.cymru.com " -v 203.219.219.99"
> AS | IP | BGP Prefix | CC | Registry |
> Allocated | AS Name
> 7545 | 203.219.219.99 | 203.219.219.0/24 | AU | apnic |
> 2003-03-11 | TPG-INTERNET-AP TPG Telecom Limited,AU
>
> laptop$ whois -h whois.cymru.com " -v 220.244.223.35"
> AS | IP | BGP Prefix | CC | Registry |
> Allocated | AS Name
> 7545 | 220.244.223.35 | 220.244.223.0/24 | AU | apnic |
> 2003-06-18 | TPG-INTERNET-AP TPG Telecom Limited,AU
>
> I find it vary hard to believe that Google's 8.8.8.8 was returning TPG A
> records and keep leaning towards someone mangling DNS along the way (or
> trying to do SSL offload/MITM)… anyone got a simpler explanation like an
> official egde that's not well documented?
>
> Note: The certificate served by these IPs is valid, different expiry dates
> than elsewhere for the same content but still GeoTrust listed for *.
> google.com (as opposed to
>
> The IP "203.219.219.108" for example, serves Google.com content even from
> Germany… and RADB confirms the IP as TPG origin AS AS7545 …? This can't be
> an official edge right?
>
> --
> Humble regards,
>
> Donal @podomere
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20141030/571883b6/attachment.html>
More information about the AusNOG
mailing list