OpenDNS, Google and local ISPs...
Hi,
Is OpenDNS using Google Peering with local ISPs?
I'm using OpenDNS with DNSCrypt. I just noticed my browser (Iron) connecting to m414-mp1-cvx1c.lan.ntl.com when it started.
This resolves to 62.252.173.158
However, if I run an nslookup on that IP, it doesn't resolve.
After some Googling, I find this (apparently) resolves to Google if I'm using OpenDNS:
Name: www.google.com
Addresses: 2a00:1450:4009:803::1012
62.252.173.168
62.252.173.163
62.252.173.182
62.252.173.167
62.252.173.172
62.252.173.153
62.252.173.148
62.252.173.177
62.252.173.162
62.252.173.178
62.252.173.152
62.252.173.183
62.252.173.173
62.252.173.187
62.252.173.158
62.252.173.157
Except that IP range belongs to my ISP.
> tracert 62.252.173.158
Tracing route to m414-mp1-cvx1c.lan.ntl.com [62.252.173.158]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.1.1
2 8 ms 16 ms 6 ms cpc19-sutt4-2-0-gw.19-1.cable.virginm.net [82.46.137.1]
3 5 ms 7 ms 8 ms perr-core-2a-xe-1131-604.network.virginmedia.net [80.1.68.34]
4 10 ms 11 ms 11 ms manc-bb-1c-ae5-0.network.virginmedia.net [62.255.149.65]
5 9 ms 7 ms 11 ms brhm-bb-1b-et-010-0.network.virginmedia.net [62.253.175.73]
6 18 ms 11 ms 11 ms wolv-icdn-1-ae0-0.network.virginmedia.net [62.253.175.86]
7 10 ms 12 ms 10 ms m414-mp1-cvx1c.lan.ntl.com [62.252.173.158]
-
This m414-mp1-cvx1c.lan.ntl.com seems to be a "private" domain, i.e. not accessible over the public internet but within your ISP's network only, as the name part LAN also indicates. OpenDNS, Google DNS and other non-Virginmedia DNS services therefore cannot resolve this domain name.
"However, if I run an nslookup on that IP, it doesn't resolve."
But the reverse lookup (PTR) does:
nslookup 62.252.173.158
Server: resolver2.opendns.com
Address: 208.67.220.220
Name: m414-mp1-cvx1c.lan.ntl.com
Address: 62.252.173.158
So, what's your problem, if any?
-
Erm, "OpenDNS, Google DNS and other non-Virginmedia DNS services cannot resolve this domain name therefore"
Except you then show OpenDNS resolving it for you via Resolver2....
The resolution is now working here - suspiciously after I emailed my ISP about it :\
The "problem" is I want to know the reason why OpenDNS is returning what appears to be a local ISP address for what should be www.google.com's public IP. What I've been told is that this appears to be an instance of Google Peering, which would imply that OpenDNS (with DNSCrypt, as that's how I access OpenDNS) is identifying my IP/ISP and returning the local copy. This may be "by design", but just seemed a bit odd.
-
"Except you then show OpenDNS resolving it for you via Resolver2...."
No, it does not resolve for me, but returns NXDOMAIN, surprisingly, because OpenDNS would normally return 67.215.65.132 for non-existent domains. It only resolves if raising a reverse lookup (PTR record), from the IP address to that host name.
"The resolution is now working here"
Still not for me. Also CacheCheck (http://www.opendns.com/support/cache/) returns NXDOMAIN for all locations. Not sure why you think it's working.
"The "problem" is I want to know the reason why OpenDNS is returning what appears to be a local ISP address for what should be www.google.com's public IP."
I can't confirm any of this. OpenDNS does not resolve the domain m414-mp1-cvx1c.lan.ntl.com as I have clearly shown.
-
It clearly is & can...
My *nix box uses itself as a DNS host (for the LAN), but its DNS server (DNSMasq) is set to resolve from DNSCrypt, running on the same server on a different IP (127.0.0.2).
This is what I get for an "unknown" domain (I'd expect .132), a blocked domain (.130) and www.google.com...
(the non-auth answers are due to the chaining)
root@MEDIAVAULT:/home/pete-adm# nslookup www.dksjgs.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: www.dksjgs.com
Address: 67.215.65.132
root@MEDIAVAULT:/home/pete-adm# nslookup www.penthouse.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: www.penthouse.com
Address: 67.215.65.130
root@MEDIAVAULT:/home/pete-adm# nslookup www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: www.google.com
Address: 62.252.173.153
Name: www.google.com
Address: 62.252.173.172
Name: www.google.com
Address: 62.252.173.157
Name: www.google.com
Address: 62.252.173.173
Name: www.google.com
Address: 62.252.173.183
Name: www.google.com
Address: 62.252.173.167
Name: www.google.com
Address: 62.252.173.182
Name: www.google.com
Address: 62.252.173.178
Name: www.google.com
Address: 62.252.173.158
Name: www.google.com
Address: 62.252.173.163
Name: www.google.com
Address: 62.252.173.168
Name: www.google.com
Address: 62.252.173.152
Name: www.google.com
Address: 62.252.173.177
Name: www.google.com
Address: 62.252.173.162
Name: www.google.com
Address: 62.252.173.187
Name: www.google.com
Address: 62.252.173.148
Here is my resolv.conf (pointing to the local machine instance of DNSMasq):
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
resolv.dnsmasq (for the local server on 127.0.0.1) reads :
nameserver 127.0.0.2
and /etc/init.d/dnscrypt-proxy contains the line :
start-stop-daemon --start --pid /var/run/dnscrypt-proxy.pid --make-pidfile --exec /usr/local/sbin/dnscrypt-proxy -- -u dnsmasq -d -a 127.0.0.2:53
So DNSCrypt is bound to 127.0.0.2 and upstream of DNSMasq.
So the above shows OpenDNS is returning blocked and NXDOMAIN pages, and I can prove the lookup works by using :
tcpdump -A -i eth0 host 208.67.220.220
Here is the chatter when looking up www.google.com :
09:47:20.798831 IP mediavault.citadel.51706 > resolver2.opendns.com.https: UDP, length 512
09:47:20.815704 IP resolver2.opendns.com.https > mediavault.citadel.51706: UDP, length 496
So, given I'm getting 62.252.173.158 returned, via OpenDNS, it clearly can resolve www.google.com to the IP used by m414-mp1-cvx1c.lan.ntl.com somehow..... (and returns the IP for m414-mp1-cvx1c.lan.ntl.com also)
-
(I can take DNSCrypt out of the loop and see the plaintext traffic).
In fact, if I use 8.8.4.4, I get the following :
09:59:24.780382 IP mediavault.citadel.57957 > google-public-dns-b.google.com.domain: 16305+ A? www.google.com. (32)
09:59:24.801780 IP google-public-dns-b.google.com.domain > mediavault.citadel.57957: 16305 16/0/0 A 62.252.173.168, A 62.252.173.162, A 62.252.173.148, A 62.252.173.187, A 62.252.173.172, A 62.252.173.153, A 62.252.173.163, A 62.252.173.158, A 62.252.173.167, A 62.252.173.178, A 62.252.173.152, A 62.252.173.183, A 62.252.173.157, A 62.252.173.177, A 62.252.173.173, A 62.252.173.182 (288)
So, the same IPs are returned (direct from Google - which would imply some form of local peering/cache).
So, given DNSCrypt is returning the same IPs, either
a) OpenDNS CAN resolve the hosts via some path
b) my ISP has managed to MITM DNSCrypt (doubtful)
Merry Christmas, by the way!
-
Merry Christmas, too!
"Is OpenDNS using Google Peering with local ISPs?"
The IP address range 62.252.128.0/17 is assigned to Virginmedia/NTLI, being ISP and network carrier, and is also used for Google hosting in your area of the world, i.e. the UK, so why not. Here in Germany I get totally different IP addresses returned for www.google.com. IP addresses are almost Multicast and therefore generally local, except if they are Anycast addresses.
"The "problem" is I want to know the reason why OpenDNS is returning what appears to be a local ISP address for what should be www.google.com's public IP."
OpenDNS and every other recursive DNS service return the information they have been fed by the hierarchical DNS system. The fact that OpenDNS and Google DNS and others return the same results is just a sign of DNS consistency, no matter of peering or not. OpenDNS may also use Virginmedia/NTLI as network carrier in the UK, besides Google and others. Someone must do the job for Google and OpenDNS, which both do not operate their own network across the globe. It's more efficient to use the existing network structure.
Further, all of this is unrelated to DNSCrypt. Plain OpenDNS and Google DNS and most likely any others return the same consistent DNS lookup results.
-
And that's what I was after, an explanation that made sense.
A comment received on the DNSCrypt support page phrased it a little differently, but just as usefully :)
"google.com (and other google domains) returns a different set of IPs according to the client IP, so that (hopefully) you are going to load content from the closest/fastest location.
OpenDNS leaks your IP address to upstream resolvers. When a query for google.com is received by their resolvers, they send this query to Google servers. Actually, the query is modified to add your real IP address so that Google can see it. This probably explains why Google servers are then returning the IP of their local caches hosted by your ISP."
I have no problem with it now I know how it works. The initial "fun" was caused by a lack of working rDNS (now mysteriously fixed after I raised it on the ISP forum), such that I see "random" IPs/names being hit by my machine when not requested (i.e. at browser startup), which would have been less bothersome if they'd have said "google.com" as they should do!
Thanks for the help!
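The quoted comment describes a resolver forwarding the querying client's network to Google's authoritative servers; the standardised form of that is the EDNS Client Subnet option (ECS, RFC 7871), which carries a truncated prefix (commonly a /24) rather than the full address. The following is an added example, not code from the thread, OpenDNS or DNSCrypt: it builds a raw DNS query for www.google.com carrying an ECS option and parses the option back out, so you can see exactly what an ECS-enabled resolver would pass upstream. The /24 around 82.46.137.1 (the first ISP hop in the thread's traceroute) is a constructed input; nothing is sent on the network.

```python
import ipaddress
import struct

OPT_ECS = 8    # EDNS option code: Client Subnet (RFC 7871)
TYPE_OPT = 41  # pseudo-RR type that carries EDNS options
def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def ecs_option(subnet):
    """ECS option: family, source prefix length, scope (0 in a query), truncated address."""
    net = ipaddress.ip_network(subnet, strict=False)  # 82.46.137.1/24 -> 82.46.137.0/24
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]  # only prefix bits go on the wire
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", OPT_ECS, len(body)) + body
def build_query(qname, subnet, txid=0x1234):
    """Header (RD set, 1 question, 1 additional RR) + A/IN question + OPT RR with ECS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = ecs_option(subnet)
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return header + question + opt_rr
def _skip_name(pkt, i):
    while pkt[i] != 0:  # walk labels; a compression pointer (RFC 1035 4.1.4) ends the name
        if pkt[i] & 0xC0 == 0xC0:
            return i + 2
        i += 1 + pkt[i]
    return i + 1
def parse_ecs(pkt):
    """Return (family, prefixlen, scope, network) for the first ECS option in pkt, else None."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    i = 12
    for _ in range(qd):
        i = _skip_name(pkt, i) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        i = _skip_name(pkt, i)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[i:i + 10])
        rdata, i = pkt[i + 10:i + 10 + rdlen], i + 10 + rdlen
        j = 0
        while rtype == TYPE_OPT and j + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[j:j + 4])
            body, j = rdata[j + 4:j + 4 + olen], j + 4 + olen
            if code == OPT_ECS:
                family, plen, scope = struct.unpack("!HBB", body[:4])
                raw = body[4:].ljust(4 if family == 1 else 16, b"\x00")  # restore truncated bytes
                net = ipaddress.ip_network(f"{ipaddress.ip_address(raw)}/{plen}", strict=False)
                return family, plen, scope, net
    return None
```

`parse_ecs(build_query("www.google.com", "82.46.137.1/24"))` returns `(1, 24, 0, IPv4Network('82.46.137.0/24'))`; the same parser can be pointed at a captured plaintext response to check whether an upstream echoed a SCOPE prefix back.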