Google Apps IPs and Google DNS servers? Not compliant?


francoi...@gmail.com

Jan 6, 2015, 5:44:09 AM1/6/15
to public-dn...@googlegroups.com
Dear all,


We see strange behavior when we use Google DNS servers to resolve Google Apps DNS names through our private DNS environment.


First of all, the context :
Our company has used Google Apps (Gmail, Drive, Docs, Sites...) for 2 years and we followed Google's recommendation, which means "avoid proxy devices for Google Apps traffic". We do that with some lines inside a PAC file where we put Google Apps in direct mode based on these criteria:

//Exception Google
function FindProxyForURL(url, host) {
   var proxy_no = "DIRECT";              // assumed: defined elsewhere in the original PAC file
   var resolved_ip = dnsResolve(host);   // assumed: resolved elsewhere in the original PAC file (null if resolution fails, so isInNet() is false)
   if (isInNet(resolved_ip, "216.239.32.0", "255.255.224.0")||
      isInNet(resolved_ip, "64.233.160.0", "255.255.224.0")||
      isInNet(resolved_ip, "66.249.80.0", "255.255.240.0")||
      isInNet(resolved_ip, "72.14.192.0", "255.255.192.0")||
      isInNet(resolved_ip, "209.85.128.0", "255.255.128.0")||
      isInNet(resolved_ip, "66.102.0.0", "255.255.240.0")||
      isInNet(resolved_ip, "74.125.0.0", "255.255.0.0")||
      isInNet(resolved_ip, "64.18.0.0", "255.255.240.0")||
      isInNet(resolved_ip, "207.126.144.0", "255.255.240.0")||
      isInNet(resolved_ip, "173.194.0.0", "255.255.0.0")
      )
      {if (shExpMatch(url, "*.google.com*")||
         shExpMatch(url, "*.googleapis.com*")||
         shExpMatch(url, "*.googlegroups.com*")||
         shExpMatch(url, "*.google-analytics.com*")||
         shExpMatch(url, "*.gstatic.com*")||
         shExpMatch(url, "*.googleusercontent.com*")||
         shExpMatch(url, "*.gmodules.com*")||
         shExpMatch(url, "*.gvt0.com*")||
         shExpMatch(url, "*.googlepages.com*")||
         shExpMatch(url, "*.ytimg.com*")||
         shExpMatch(url, "*toolbox.googleapps.com*")
         )
         {return proxy_no;}   // both the IP range and the hostname must match
      }
   return "PROXY proxy.example.net:8080";   // hypothetical fallback for all other traffic
}

The public IP ranges used by Google Apps are found with this command:

C:\windows\system32>nslookup -q=TXT _netblocks.google.com 8.8.8.8
Address:  8.8.8.8
Non-authoritative answer:
        "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:7
0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ~all"

These IP ranges are authorized "Direct" through all our Internet firewalls (about 20 for the moment, but more and more in the future).

We followed these recommendations from Google:


THE ISSUE:
4 months ago (for one or 2 days):
After a slowness issue (proxy overloaded) in Switzerland (with Swisscom), we found this:

C:\Users\admfrabeck>nslookup sites.google.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53
Non-authoritative answer:
sites.google.com        canonical name = www3.l.google.com.
Address: 193.134.255.153
Address: 193.134.255.148

A "whois IP" lookup gave me this result:
route:          193.134.255.0/24
descr:          Google GGC
origin:         AS3303
mnt-by:         CH-UNISOURCE-MNT
source:         RIPE # Filtered

And this public IP range 193.134.255.0/24 is not in the result of "nslookup -q=TXT _netblocks.google.com 8.8.8.8".

Yesterday, from France (with Completel), I identified the same issue but with another public IP range:

Address:  8.8.8.8
Non-authoritative answer:
Name:    docs.google.Com
Addresses:  2a00:1450:4007:80b::2000
          216.58.211.78
          216.58.211.64

Server:   dns1.completel.fr
Address:  213.244.0.15
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    docs.google.Com
Addresses:  2a00:1450:4007:807::1003
          173.194.40.96
          173.194.40.104
          173.194.40.103
          173.194.40.102
          173.194.40.105
          173.194.40.101
          173.194.40.110
          173.194.40.100
          173.194.40.97
          173.194.40.98
          173.194.40.99

A "whois IP" lookup gave me this result:
NetRange:       216.58.192.0 - 216.58.223.255
CIDR:           216.58.192.0/19
NetName:        GOOGLE
NetHandle:      NET-216-58-192-0-1
Parent:         NET216 (NET-216-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS15169
Organization:   Google Inc. (GOGL)

And this public IP range 216.58.192.0/19 is not in the result of "nslookup -q=TXT _netblocks.google.com 8.8.8.8".


SO, QUESTIONS :

For the moment, I keep the position of not using Google DNS servers, because there are too many risks with Google Apps and this kind of behavior is not compliant with Google's network recommendation (for me, here, we have an inconsistency in the Google network recommendation: they recommend avoiding proxies, but we don't have visibility on the public IPs used...).

8.8.8.8 is an anycast IP, so it could be a benefit in terms of geolocation, in terms of operations (to simplify our settings across EMEA) and in terms of performance (I already saw better replies from Google DNS servers than from provider DNS servers). But I cannot recommend this with this kind of behavior for the moment.

How is it possible to have better visibility on the public IPs used by Google Apps? It's clear that the information in Google support, "https://support.google.com/a/answer/60764?hl=en", is not true if we use Google DNS servers; why?


Best regards,

francoi...@gmail.com

Jan 7, 2015, 5:22:37 AM1/7/15
to public-dn...@googlegroups.com, francoi...@gmail.com
Dear all,


I don't know if something has been changed on your side or on the Google Apps side, but it seems that this new range has been officially propagated since yesterday afternoon (so, some hours after my initial message).

Now we have this new range inside _netblocks.google.com:

C:\windows\system32>nslookup -type=txt _netblocks.google.com 8.8.8.8
Address:  8.8.8.8

Non-authoritative answer:

        "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.24
9.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:173.194.0.0/16 ip4:207.126.14


Do you have more information about this topic?

Do you know if there is a way to be informed about that before production?


Thanks in advance for your help.


Best regards,
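The manual comparison in the first post (resolver answers versus the ranges in the _netblocks.google.com TXT record) and the second post's question about being told of new ranges before they hit production can both be scripted. The following is an added example, not code from the thread or from Google. Everything it resolves is constructed sample data: the ip4 blocks copy the first post's PAC file, the resolver answers copy the posts' nslookup output, the include: target `_netblocks-v6.example.invalid` and its contents are hypothetical (present only to exercise include handling; the live record is different and is not reproduced here), and `make_lookup` is an offline stand-in for a TXT query that a live run would do with dnspython.

```python
# Added example, not from the thread and not Google's code: expand the
# SPF-style TXT record the posts use as Google's netblock list, check a
# resolver's answers against it, and diff two snapshots of the record.
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
TxtLookup = Callable[[str], List[str]]  # name -> TXT strings

# Constructed snapshot: the ip4 blocks copy the first post's PAC file; the
# include: target is hypothetical and only exercises include handling.
SNAPSHOT_BEFORE = {
    "_netblocks.google.com": [
        "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
        "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
        "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 "
        "ip4:173.194.0.0/16 include:_netblocks-v6.example.invalid ~all"],
    "_netblocks-v6.example.invalid": ["v=spf1 ip6:2a00:1450::/32 ~all"],
}
# Constructed next-day snapshot: the second post reports 216.58.192.0/19
# appearing in the record.
SNAPSHOT_AFTER = {**SNAPSHOT_BEFORE, "_netblocks.google.com": [
    SNAPSHOT_BEFORE["_netblocks.google.com"][0]
    .replace(" ~all", " ip4:216.58.192.0/19 ~all")]}
# Constructed resolver answers copied from the posts (host@resolver).
RESOLVED = {
    "sites.google.com@8.8.8.8": ["193.134.255.153", "193.134.255.148"],
    "docs.google.com@8.8.8.8": ["2a00:1450:4007:80b::2000",
                                "216.58.211.78", "216.58.211.64"],
    "docs.google.com@dns1.completel.fr": ["173.194.40.96", "173.194.40.104"],
}
_TERM = re.compile(r"^(ip4|ip6|include):(.+)$", re.IGNORECASE)


def make_lookup(records: Dict[str, List[str]]) -> TxtLookup:
    """Offline stand-in for a TXT query (a real one would use dnspython)."""
    return lambda name: records.get(name.lower().rstrip("."), [])


def expand_spf(name: str, lookup: TxtLookup, max_lookups: int = 10) -> Set[Network]:
    """Networks listed via ip4:/ip6:, following include: as an SPF verifier
    does: each include spends one of RFC 7208's ten DNS-querying terms and
    no name is expanded twice (loop guard). a/mx/ptr/exists name hosts,
    not blocks, so they are skipped."""
    nets: Set[Network] = set()
    seen: Set[str] = set()
    budget = [max_lookups]

    def walk(n: str) -> None:
        n = n.lower().rstrip(".")
        if n in seen:
            return
        seen.add(n)
        for txt in lookup(n):
            if not txt.lower().startswith("v=spf1"):
                continue  # some other TXT record at this name
            for term in txt.split()[1:]:
                m = _TERM.match(term.lstrip("+-~?"))  # strip qualifier
                if not m:
                    continue
                kind, arg = m.group(1).lower(), m.group(2)
                if kind != "include":
                    nets.add(ipaddress.ip_network(arg, strict=False))
                    continue
                if budget[0] == 0:
                    raise ValueError("SPF lookup limit hit at include:" + arg)
                budget[0] -= 1
                walk(arg)

    walk(name)
    return nets


def uncovered(addresses: Iterable[str], nets: Set[Network]) -> List[str]:
    """Answers in none of the blocks: the addresses the PAC's isInNet()
    tests and the firewall's DIRECT rules would miss."""
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]


def audit(resolved: Dict[str, List[str]], nets: Set[Network]) -> Dict[str, List[str]]:
    """host@resolver -> uncovered answers, omitting fully covered hosts."""
    return {k: miss for k, ips in resolved.items() if (miss := uncovered(ips, nets))}


def diff_netblocks(old: Set[Network], new: Set[Network]) -> Tuple[List[str], List[str]]:
    """(added, removed) prefixes between two snapshots, for change alerts."""
    return sorted(map(str, new - old)), sorted(map(str, old - new))


def pac_isinnet_terms(nets: Set[Network]) -> List[str]:
    """isInNet() terms for the IPv4 blocks, so the PAC and the firewall rules
    are generated from one record instead of maintained by hand."""
    v4 = sorted((n for n in nets if n.version == 4), key=lambda n: int(n.network_address))
    return ['isInNet(resolved_ip, "%s", "%s")' % (n.network_address, n.netmask) for n in v4]


if __name__ == "__main__":
    before = expand_spf("_netblocks.google.com", make_lookup(SNAPSHOT_BEFORE))
    after = expand_spf("_netblocks.google.com", make_lookup(SNAPSHOT_AFTER))
    print("uncovered before:", audit(RESOLVED, before))
    print("added/removed:", diff_netblocks(before, after))
    print("uncovered after:", audit(RESOLVED, after))
    print("\n".join(pac_isinnet_terms(after)))
```

Run on the constructed data, the audit of the first snapshot reports the Swisscom GGC addresses for sites.google.com and the two 216.58.211.x addresses for docs.google.com as uncovered (the ISP resolver's 173.194.40.x answers fall inside 173.194.0.0/16), the diff between the two snapshots is exactly the 216.58.192.0/19 block the second post saw appear, and after that change only the 193.134.255.x answers remain uncovered. In production the two pieces map onto the two questions in the thread: run the audit against both 8.8.8.8 and the ISP resolver from each site, and keep the previous expansion on disk so that diff_netblocks against a fresh fetch raises the alert before the firewall and PAC builds consume the new list.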