OpenDNS, Google and local ISPs...

Comments


  • rotblitz

    This m414-mp1-cvx1c.lan.ntl.com seems to be a "private" domain, i.e. not accessible over the public internet, but within your ISP's network only, as also the name part LAN indicates.  OpenDNS, Google DNS and other non-Virginmedia DNS services cannot resolve this domain name therefore.

    "However, if I run an nslookup on that IP, it doesn't resolve."

    But the reverse lookup (PTR) does:

    nslookup 62.252.173.158
    Server:  resolver2.opendns.com
    Address:  208.67.220.220

    Name:    m414-mp1-cvx1c.lan.ntl.com
    Address:  62.252.173.158

    So, what's your problem if any?

  • Citadel Admin

    Erm, "OpenDNS, Google DNS and other non-Virginmedia DNS services cannot resolve this domain name therefore"

    Except you then show OpenDNS resolving it for you via Resolver2....

     

    The resolution is now working here - suspiciously after I emailed my ISP about it :\

     

    The "problem" is I want to know the reason why OpenDNS is returning what appears to be a local ISP address for what should be www.google.com's public IP.  What I've been told is that this appears to be an instance of Google Peering, which would imply that OpenDNS (with DNSCrypt, as that's how I access OpenDNS) is identifying my IP/ISP and returning the local copy.  This may be "by design", but just seemed a bit odd.

     

  • rotblitz

    "Except you then show OpenDNS resolving it for you via Resolver2...."

    No, it does not resolve for me, but returns NXDOMAIN, surprisingly, because OpenDNS would normally return 67.215.65.132 for non-existent domains.  It only resolves if raising a reverse lookup (PTR record), from the IP address to that host name.

    "The resolution is now working here"

    Still not for me.  Also CacheCheck (http://www.opendns.com/support/cache/) returns NXDOMAIN for all locations.  Not sure why you think it's working.

    "The "problem" is I want to know the reason why OpenDNS is returning what appears to be a local ISP address for what should be www.google.com's public IP."

    I can't confirm any of this.  OpenDNS does not resolve the domain m414-mp1-cvx1c.lan.ntl.com as I have clearly shown.

  • Citadel Admin

    It clearly is & can...

    My *nix box uses itself as a DNS host (for the LAN), but its DNS server (DNSMasq) is set to resolve from DNSCrypt, running on the same server on a different IP (127.0.0.2)

    This is what I get for an "unknown" domain (I'd expect .132), a blocked domain (.130) and www.google.com...

    (the non-auth answers are due to the chaining)

     

    root@MEDIAVAULT:/home/pete-adm# nslookup www.dksjgs.com
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    Name: www.dksjgs.com
    Address: 67.215.65.132

    root@MEDIAVAULT:/home/pete-adm# nslookup www.penthouse.com
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    Name: www.penthouse.com
    Address: 67.215.65.130

    root@MEDIAVAULT:/home/pete-adm# nslookup www.google.com
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    Name: www.google.com
    Address: 62.252.173.153
    Name: www.google.com
    Address: 62.252.173.172
    Name: www.google.com
    Address: 62.252.173.157
    Name: www.google.com
    Address: 62.252.173.173
    Name: www.google.com
    Address: 62.252.173.183
    Name: www.google.com
    Address: 62.252.173.167
    Name: www.google.com
    Address: 62.252.173.182
    Name: www.google.com
    Address: 62.252.173.178
    Name: www.google.com
    Address: 62.252.173.158
    Name: www.google.com
    Address: 62.252.173.163
    Name: www.google.com
    Address: 62.252.173.168
    Name: www.google.com
    Address: 62.252.173.152
    Name: www.google.com
    Address: 62.252.173.177
    Name: www.google.com
    Address: 62.252.173.162
    Name: www.google.com
    Address: 62.252.173.187
    Name: www.google.com
    Address: 62.252.173.148

     

    Here is my resolv.conf (pointing to the local machine instance of DNSMasq)

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 127.0.0.1

    resolv.dnsmasq (for the local server on 127.0.0.1) reads :

    nameserver 127.0.0.2

    and /etc/init.d/dnscrypt-proxy contains the line :

    start-stop-daemon --start --pid /var/run/dnscrypt-proxy.pid --make-pidfile --exec /usr/local/sbin/dnscrypt-proxy -- -u dnsmasq -d -a 127.0.0.2:53

     

    So DNSCrypt is bound to 127.0.0.2 and upstream of DNSMasq.

    So the above shows OpenDNS is returning blocked and NXDOMAIN pages, and I can prove the lookup works by using :

    tcpdump -A -i eth0 host 208.67.220.220

    Here is the chatter when looking up www.google.com :

    09:47:20.798831 IP mediavault.citadel.51706 > resolver2.opendns.com.https: UDP, length 512
    09:47:20.815704 IP resolver2.opendns.com.https > mediavault.citadel.51706: UDP, length 496

     

    So, given I'm getting 62.252.173.158 returned, via OpenDNS, it clearly can resolve www.google.com to the IP used by m414-mp1-cvx1c.lan.ntl.com somehow.....(and returns the IP for m414-mp1-cvx1c.lan.ntl.com also)

     

  • Citadel Admin

    (I can take DNSCrypt out of the loop and see the plaintext traffic).

    In fact, if I use 8.8.4.4, I get the following :

     

    09:59:24.780382 IP mediavault.citadel.57957 > google-public-dns-b.google.com.domain: 16305+ A? www.google.com. (32)
    E..<..@.@.l+.........e.5.(..?............www.google.com.....
    09:59:24.801780 IP google-public-dns-b.google.com.domain > mediavault.citadel.57957: 16305 16/0/0 A 62.252.173.168, A 62.252.173.162, A 62.252.173.148, A 62.252.173.187, A 62.252.173.172, A 62.252.173.153, A 62.252.173.163, A 62.252.173.158, A 62.252.173.167, A 62.252.173.178, A 62.252.173.152, A 62.252.173.183, A 62.252.173.157, A 62.252.173.177, A 62.252.173.173, A 62.252.173.182 (288)
    E..<....0..U.........5.e.( 1?............www.google.com.................>...............>...............>...............>...............>...............>...............>...............>...............>...............>...............>...............>...............>...............>...............>...............>...

     

    So, the same IPs are returned (direct from Google - which would imply some form of local peering/cache).

    So, given DNSCrypt is returning the same IPs, either

    a) OpenDNS CAN resolve the hosts via some path

    b) my ISP has managed to MITM DNSCrypt (doubtful)

     

    Merry Christmas, by the way!

  • rotblitz

    Merry Christmas, too!

    "Is OpenDNS using Google Peering with local ISPs?"

    The IP address (range) 62.252.128.0/17 is assigned to Virginmedia/NTLI being ISP and network carrier, also used for Google hosting in your area of the world, i.e. UK, why not.  Here in Germany I get totally different IP addresses returned for www.google.com.  IP addresses are almost Multicast and therefore generally local except if they are Anycast addresses.

    "The "problem" is I want to know the reason why OpenDNS is returning what appears to be a local ISP address for what should be www.google.com's public IP."

    OpenDNS and every other recursive DNS service return information they have been fed with by the hierarchical DNS system.  The fact that OpenDNS and Google DNS and others return the same results is just a sign of DNS consistency, no matter of peering or not.  OpenDNS may also use Virginmedia/NTLI as network carrier in the UK, beside Google and others.  Someone must do the job for Google and OpenDNS which both do not operate an own network across the globe.  It's more efficient to use the existing network structure.

    Further, all of this is unrelated to DNSCrypt.  Plain OpenDNS and Google DNS and most likely any others return the same consistent DNS lookup results.

  • Citadel Admin

    And that's what I was after, an explanation that made sense.

    A comment received on the DNSCrypt support page phrased it a little differently, but just as usefully :)

    "google.com (and other google domains) returns a different set of IPs according to the client IP, so that (hopefully) you are going to load content from the closest/fastest location.

    OpenDNS leaks your IP address to upstream resolvers. When a query for google.com is received by their resolvers, they send this query to Google servers. Actually, the query is modified to add your real IP address so that Google can see it. This probably explains why Google servers are then returning the IP of their local caches hosted by your ISP."

    I have no problem with it now I know how it works - the initial "fun" was caused by a lack of working rDNS (now mysteriously fixed after I raised it on the ISP forum) such that I see "random" IP/names being hit by my machine when not requested (i.e. browser startup), which would have been less bothersome if they'd have said "google.com" as they should do!

    Thanks for the help!
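
The comment quoted from the DNSCrypt support page says the resolver adds the client's address to the query it sends to Google's name servers. The thread does not name the mechanism; the added example below (not code from the thread, OpenDNS or DNSCrypt) assumes it is the EDNS Client Subnet option of RFC 7871, builds such a query, and parses out the subnet it discloses. The function names and the client address used with them are constructed for illustration.

```python
import ipaddress
import struct

OPT_TYPE, ECS_CODE = 41, 8  # EDNS0 OPT pseudo-RR; Client Subnet option (RFC 7871)

def build_query(name, client_ip=None, prefix_len=24, txid=0x3FB1):
    """A query for `name`; with client_ip, add the ECS option a resolver would attach."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    opt = b""
    if client_ip is not None:
        net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
        family = 1 if net.version == 4 else 2
        # Only the bytes covering the prefix go on the wire; host bits are zeroed.
        addr = net.network_address.packed[:(prefix_len + 7) // 8]
        ecs = struct.pack("!HBB", family, prefix_len, 0) + addr
        rdata = struct.pack("!HH", ECS_CODE, len(ecs)) + ecs
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = flags
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1 if opt else 0)
    return header + question + opt

def skip_name(msg, pos):
    """Skip an uncompressed domain name (queries carry no compression pointers)."""
    while msg[pos]:
        pos += msg[pos] + 1
    return pos + 1

def disclosed_subnet(msg):
    """Return the client subnet a DNS query discloses via ECS, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4                      # name + QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        i = 0
        while rtype == OPT_TYPE and i + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            body, i = rdata[i + 4:i + 4 + olen], i + 4 + olen
            if code == ECS_CODE:
                family, src_len, _scope = struct.unpack("!HBB", body[:4])
                cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
                width = 4 if family == 1 else 16
                return str(cls((body[4:].ljust(width, b"\0"), src_len), strict=False))
    return None
```

For the constructed client 203.0.113.77, `disclosed_subnet(build_query("www.google.com", "203.0.113.77"))` yields `203.0.113.0/24`: with a /24 source prefix the authoritative server sees the client's network rather than the full address, which is enough to select caches hosted in that ISP. Running `disclosed_subnet` over captured plaintext queries is a quick way to check what a given resolver path discloses upstream.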
