Re: [mailop] New Google DNS Servers? 192.178.65.0/28 NO PTR records.. anyone? Brandon?
Correct, 1.1.1.1 is the anycast address that clients use. The resolvers behind that anycast address will be part of the listed IP addresses. Servers will not see the query coming from 1.1.1.1.

Regards,
Graeme Slogrove

-----Original Message-----
From: mailop On Behalf Of Jose Morales Velazquez via mailop
Sent: Tuesday, December 5, 2023 9:12 AM
To: mailop@mailop.org
Subject: Re: [mailop] New Google DNS Servers? 192.178.65.0/28 NO PTR records.. anyone? Brandon?
Re: [mailop] New Google DNS Servers? 192.178.65.0/28 NO PTR records.. anyone? Brandon?
I believe they do not add the DNS IP 1.1.1.1 or any other to the list of IPs because the list is of access IP addresses used to make requests to servers from their proxies' backends.

Like, on the Cloudflare DNS for your domain you add a hostname record pointing to one of your server's IP addresses and enable Cloudflare's proxy on it, then Cloudflare will mask your IP address to external queries on their 1.1.1.1 DNS server or your domain's assigned DNS server from Cloudflare with one of the proxy servers they assigned to your record. Now when someone requests that hostname they will see the Cloudflare Proxy IP assigned to the hostname and in the backend, Cloudflare will route the communication through one of these IP addresses on that list of IPs to your servers.

Example: Set firewalls/ACLs to only allow access from these IP addresses to your webservers, so that only Cloudflare's proxied records can connect to them.

Sincerely,
Jose

On 12/4/2023 1:53 PM, Randolf Richardson, Postmaster via mailop wrote:

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] New Google DNS Servers? 192.178.65.0/28 NO PTR records.. anyone? Brandon?
Interestingly, 1.1.1.1, which is Cloudflare's famous public DNS resolver, is not included in that list of IPv4 addresses:

IP Ranges | Cloudflare
https://www.cloudflare.com/ips/

Their main reference page (above) doesn't seem to mention it, but I wonder if it might be prudent to whitelist it as well (in addition to Cloudflare's official list) to ensure smoother operations overall.

--
Postmaster - postmas...@inter-corporate.com
Randolf Richardson - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
Re: [mailop] New Google DNS Servers? 192.178.65.0/28 NO PTR records.. anyone? Brandon?
Hello,

I believe you can enumerate cloudflare IPs via :

https://www.cloudflare.com/ips-v4
https://www.cloudflare.com/ips-v6

It's likely an overfit situation (not just resolvers), but it's something.

-tony

On 12/2/23 21:57, Arne Jensen via mailop wrote:
Re: [mailop] New Google DNS Servers? 192.178.65.0/28 NO PTR records.. anyone? Brandon?
Always happy to help! And wow, time flies by these days...

First of all - I completely agree with you, that several things could be better here ;-).

Taking the four major ones, the top list, from best to worst, might be like:

1. OpenDNS
2. Google
3. Quad 9/PCH
4. Cloudflare

Given your mention of "internal documentation", maybe there could be something more for you to document, if you haven't already:

Google does, as mentioned previously, document their resolver infrastructure on the Web, contrary to many others, but also with a JSON:

-> API/JSON: https://www.gstatic.com/ipranges/publicdns.json

OpenDNS is also documenting theirs, and also has PTR on the outgoing resolver IP, but unfortunately, the PTR **doesn't always** point to one of their OpenDNS.* domain names, which could be confusing:

Reaching OpenDNS Copenhagen:
- 146.112.135.70 (r7.compute.cph1.edc.strln.net)
- 2a04:e4c0:17::73 (r10.compute.cph1.edc.strln.net)

Reaching OpenDNS London:
- 208.69.34.73 (m53.lon.opendns.com)
- 2a04:e4c0:10::91 (r3.compute.lon1.edc.strln.net)

It is however consistent with their locations as retrieved from here:

-> Web: https://www.opendns.com/data-center-locations/
-> JSON: https://umbrella-dns-requests.marketops.umbrella.com/api/data-center-locations

Currently, it seems very much a hit and miss, mostly miss, when reaching any IP address with PTR records, through Quad 9. I haven't ever seen Quad 9 document it like OpenDNS or Google.

With Cloudflare, I've never seen any of their outbound resolver IP addresses have any PTR records. I haven't ever seen Cloudflare document it like OpenDNS or Google.

With the above possible ways to retrieve the OpenDNS and Google data, you have the option to automate e.g. a weekly update of their resolver addresses, if you feel for something like that in any way. ;)

--
Med venlig hilsen / Kind regards,
Arne Jensen

On 15-11-2023 at 01:19, Michael Peddemors via mailop wrote:
Re: [mailop] New Google DNS Servers? 192.178.65.0/28 NO PTR records.. anyone? Brandon?
Okay, not great at conforming to industry methods ;)

Thanks for that direct link, need to update our internal documentation, but still no excuse for Google not to have reverse DNS in place on these IPs.

Thanks Arne.

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

On 2023-11-13 21:59, Arne Jensen via mailop wrote:
Re: [mailop] New Google DNS Servers? 192.178.65.0/28 NO PTR records.. anyone? Brandon?
On 13-11-2023 at 23:35, Michael Peddemors via mailop wrote:

> Of course, Google never SWIP's their segments very well, but with no PTR records, not much to go on..

Not much to go on, hmm ... ... Have you tried the Google Public DNS documentation? :)

> large DNS Queries coming from this range, anyone know if it has legit usage?
>
> - 192.178.65.2 = 10357
> - 192.178.65.5 = 10327
> - 192.178.65.8 = 9997
> - 192.178.65.1 = 9602
> - 192.178.65.7 = 9538
> - 192.178.65.4 = 9492
> - 192.178.65.3 = 9467
> - 192.178.65.9 = 9378
> - 192.178.65.6 = 8608
> - 192.178.65.10 = 8557

Those, and the /28 from your Subject line should all be covered by 192.178.65.0/26?

-> https://developers.google.com/speed/public-dns/faq#locations

    192.178.65.0/26 iad
    192.178.65.64/26 del
    192.178.65.128/25 cmh
    [...]

Seems to be the IAD (Washington, DC) area of Google Public DNS to me.

--
Med venlig hilsen / Kind regards,
Arne Jensen
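
Added example, not part of any message in this thread: one way to script the check discussed above, deciding whether observed query sources fall inside a provider's documented resolver ranges and which location they map to, so the result can feed a periodic update. The JSON layout (`prefixes` items with `ipv4Prefix`/`ipv6Prefix`) is an assumption about publicdns.json, the sample data is constructed offline from values quoted in the thread, and all function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample. Assumed layout of publicdns.json: a "prefixes" list whose
# items carry "ipv4Prefix" or "ipv6Prefix". The IPv4 ranges are the ones quoted
# in the thread; the IPv6 range and the malformed entry are made up.
SAMPLE_JSON = """
{"prefixes": [
  {"ipv4Prefix": "192.178.65.0/26"},
  {"ipv4Prefix": "192.178.65.64/26"},
  {"ipv4Prefix": "192.178.65.128/25"},
  {"ipv6Prefix": "2001:db8:53::/48"},
  {"ipv4Prefix": "not-a-prefix"}
]}
"""
# Range-to-location lines as quoted in the thread from the Google Public DNS FAQ.
FAQ_LINES = "192.178.65.0/26 iad\n192.178.65.64/26 del\n192.178.65.128/25 cmh\n"
# Three sources from the original post plus one constructed outsider (TEST-NET-2).
OBSERVED = {"192.178.65.2": 10357, "192.178.65.5": 10327,
            "192.178.65.10": 8557, "198.51.100.7": 42}


def load_prefixes(json_text):
    """Return the networks listed in the JSON, skipping entries that do not parse."""
    nets = []
    for item in json.loads(json_text).get("prefixes", []):
        cidr = item.get("ipv4Prefix") or item.get("ipv6Prefix")
        try:
            nets.append(ipaddress.ip_network(cidr, strict=True))
        except (TypeError, ValueError):
            continue  # a bad entry is dropped, never guessed at
    return nets


def load_locations(text):
    """Parse 'CIDR code' lines into {network: location_code}."""
    pairs = (line.split() for line in text.splitlines())
    return {ipaddress.ip_network(p[0]): p[1] for p in pairs if len(p) == 2}


def classify(addr, prefixes, locations):
    """Longest-prefix match; returns (network string, location) or (None, None)."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in prefixes if ip in n]
    if not hits:
        return None, None
    best = max(hits, key=lambda n: n.prefixlen)
    return str(best), next((c for n, c in locations.items() if ip in n), None)


def covered(cidr, prefixes):
    """True if the whole CIDR sits inside one documented prefix."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == p.version and net.subnet_of(p) for p in prefixes)


def triage(counts, prefixes, locations):
    """Split {source_ip: query_count} into documented and undocumented sources."""
    known, unknown = {}, {}
    for addr, count in counts.items():
        net, loc = classify(addr, prefixes, locations)
        if net is None:
            unknown[addr] = count
        else:
            known[addr] = (net, loc, count)
    return known, unknown


PREFIXES = load_prefixes(SAMPLE_JSON)
LOCATIONS = load_locations(FAQ_LINES)

if __name__ == "__main__":
    known, unknown = triage(OBSERVED, PREFIXES, LOCATIONS)
    print("documented:", known)
    print("not in any documented range:", unknown)
```

Sources that land in `unknown` are the ones worth a closer look before any allowlist or rate-limit rule is changed; a missing PTR record alone does not put an address there.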
[mailop] New Google DNS Servers? 192.178.65.0/28 NO PTR records.. anyone? Brandon?
Of course, Google never SWIP's their segments very well, but with no PTR records, not much to go on..

large DNS Queries coming from this range, anyone know if it has legit usage?

- 192.178.65.2 = 10357
- 192.178.65.5 = 10327
- 192.178.65.8 = 9997
- 192.178.65.1 = 9602
- 192.178.65.7 = 9538
- 192.178.65.4 = 9492
- 192.178.65.3 = 9467
- 192.178.65.9 = 9378
- 192.178.65.6 = 8608
- 192.178.65.10 = 8557

NetRange:       192.178.0.0 - 192.179.255.255
CIDR:           192.178.0.0/15
NetName:        GOOGLE
NetHandle:      NET-192-178-0-0-1
Parent:         NET192 (NET-192-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS15169
Organization:   Google LLC (GOGL)
RegDate:        2012-07-12
Updated:        2012-07-12
Ref:            https://rdap.arin.net/registry/ip/192.178.0.0

OrgName:        Google LLC

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada