Google DNS resolves "clients*.google.com", "ssl.gstatic.com" to non-Google IPs

[kuro...@gmail.com]

Hello,

I use 8.8.8.8 as a main DNS for my devices. Today I accidently noticed, that Google DNS resolves all "clients*.google.com" names, "ssl.gstatic.com", etc into IP addresses belonging to the uplink of my ISP (as of Whois information), but not Google's IPs.

My browser connects to those non-google IPs as I am logged-in in Gmail.

So, I wondering, if this is expected behavior and that is some Google's caching servers? Or my ISP messing with DNS response?

Thanks.

[Alexander Dupuy]

kuro...@gmail.com wrote:

Today I accidentally noticed, that Google DNS resolves all "clients*.google.com" names, "ssl.gstatic.com", etc into IP addresses belonging to the uplink of my ISP (as of Whois information), but not Google's IPs. 

My browser connects to those non-google IPs as I am logged-in in Gmail.

So, I wondering, if this is expected behavior and that is some Google's caching servers? Or my ISP messing with DNS response?

See https://peering.google.com/#/options/google-global-cache 

[kuro...@gmail.com]

Oh, I see. But there's one thing I can't understand. How such Edge nodes handle HTTPS traffic in case of cacheing (not proxying)? FAQ says: "The local node cache is filled on a read-through basis when content is requested by the end user". Okay, and how content become encrypted with session key within HTTPS session? Is it really possible, that Google's Private keys are available on GGC servers staying in 3rd party data-centers in foreign countries?

[kuro...@gmail.com]

Ok, answering to myself:

there is a "Keyless SSL" technique, so it only session key is exposed.

I.e. https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/