What are these Google IPs hammering on my DNS server?
John R. Levine
johnl at iecc.com
Sun Dec 3 19:18:00 UTC 2023
> Did a bit of digging on Google's developer site and came across this:
> https://developers.google.com/speed/public-dns/faq#locations_of_ip_address_ranges_google_public_dns_uses_to_send_queries
>
> Looks like the IPs you mentioned belong to Google's public DNS resolver
> based on that list on their site. They could also be spoofed though from a
> DNS AMP attack, so keep that in mind.
Per my recent message, the replies are tiny so if it's an amplification
attack, it's a very incompetent one. The queries are case randomized so I
guess it's really Google. Sigh.
If anyone is wondering, I have a passive aggressive countermeasure against
some overqueriers that returns ten NS referral names, and then 25 random
IP addresses for each of those names, but I don't do that to Google.
R's,
John
> ------------------------------------------------------------------------------
> *Accuris Technologies Ltd.*
>
>
> On Sun, Dec 3, 2023 at 1:51 PM John Levine <johnl at iecc.com> wrote:
>
>> At contacts.abuse.net, I have a little stunt DNS server that provides
>> domain contact info, e.g.:
>>
>> $ host -t txt comcast.net.contacts.abuse.net
>> comcast.net.contacts.abuse.net descriptive text "abuse at comcast.net"
>>
>> $ host -t hinfo comcast.net.contacts.abuse.net
>> comcast.net.contacts.abuse.net host information "lookup" "comcast.net"
>>
>> Every once in a while someone decides to look up every domain in the
>> world and DoS'es it until I update my packet filters. This week it's
>> been this set of IPs that belong to Google. I don't think they're
>> 8.8.8.8. Any idea what they are? Random Google Cloud customers? A
>> secret DNS mapping project?
>>
>> 172.253.1.133
>> 172.253.206.36
>> 172.253.1.130
>> 172.253.206.37
>> 172.253.13.196
>> 172.253.255.36
>> 172.253.13.197
>> 172.253.1.131
>> 172.253.255.35
>> 172.253.255.37
>> 172.253.1.132
>> 172.253.13.193
>> 172.253.1.129
>> 172.253.255.33
>> 172.253.206.35
>> 172.253.255.34
>> 172.253.206.33
>> 172.253.206.34
>> 172.253.13.194
>> 172.253.13.195
>> 172.71.125.63
>> 172.71.117.60
>> 172.71.133.51
>>
>> R's,
>> John
>>
>
Regards,
John Levine, johnl at taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
More information about the NANOG
mailing list