Why are some hostnames not resolved by my browser once DNS-reversed?

2

I have some newbie questions about DNS.
Here are the steps that led me to them:

C:\Windows\system32>nslookup google.ca
Serveur :   p81-004.pixelweb.net
Address:  206.41.81.4

Réponse ne faisant pas autorité :
Nom :    google.ca
Addresses:  2607:f8b0:4006:80b::1018
      107.161.13.237
      107.161.13.241
      107.161.13.245
      107.161.13.249
      107.161.13.251
      107.161.13.207
      107.161.13.211
      107.161.13.215
      107.161.13.219
      107.161.13.221
      107.161.13.222
      107.161.13.226
      107.161.13.230
      107.161.13.234
      107.161.13.236

Then

C:\Windows\system32>nslookup 107.161.13.237
Serveur :   p81-004.pixelweb.net
Address:  206.41.81.4

Nom :    cache.google.com
Address:  107.161.13.237

Note that I got cache.google.com for any of those addresses.

My questions are:
  • Why is it that an entire range of IP addresses is associated with only one host name, cache.google.com? Is it related to SSL?
  • Why did nslookup omit some Google addresses within the range 207:251 that respond perfectly in my browser?
  • Why is it that https://107.161.13.237 is resolved whereas https://cache.google.com/ isn't?
  • Why does Firefox tell me that https://107.161.13.237 isn't a certified connection, while 107.161.13.237 alone is?

Thanks a lot for your answers!

Jules Randolph

Posted 2014-10-26T03:09:02.637

Reputation: 347

Answers

1

Why is it that an entire range of IP addresses is associated with only one host name, cache.google.com? Is it related to SSL?

This has nothing to do with SSL. Clients will just use any of these IP addresses, and if this fails they will try another one. If you do the request again it might even give other IPs or the same IPs in a different order. This is a way to balance the load between different servers.

Why did nslookup omit some Google addresses within the range 207:251 that respond perfectly in my browser?

It might be that Google returns only the IPs which are near you and thus are faster, or which it would like to be used by you at the moment. Again, IPs and order might change for later DNS lookups as a way to balance the load between different servers. It might also change if you query other DNS servers.

Why is it that https://107.161.13.237 is resolved whereas https://cache.google.com/ isn't?

This is a kind of strange setup, where the reverse lookup of the IP resolves to a hostname, but resolving the same hostname back fails. But reverse records (IP to name) and address records (name to IP) are separate entries in DNS and it is not guaranteed that they match each other. Often you don't even have reverse records.

Why does Firefox tell me that https://107.161.13.237 isn't a certified connection, while 107.161.13.237 alone is?

Because you need to verify the identity in the certificate against the given identity. If you look into the certificate you see it is for various Google domains, among them google.ca. But it is not for an IP address. Because you've only requested the IP address, it will check this IP against the certificate and will not find a match. If you've requested https://google.ca instead, it will find the match.

As for "107.161.13.237 alone" - this would be access by HTTP and not HTTPS, so no SSL/TLS is involved and no certificates are available and can be checked. That's why the connection will succeed, but contrary to HTTPS it is not encrypted.

Steffen Ullrich

Posted 2014-10-26T03:09:02.637

Reputation: 3 897

Thanks a lot for all those very clear answers (can't vote you up yet, but will as soon as I have 15 credits). One last question comes to mind, though, with respect to your last sentence: why is HTTP reachable through direct IP access while it redirects to an HTTPS request when accessed through http://www.google.ca/? Is it Firefox, the operating system (I doubt it), the DNS server or the Google server (I doubt it too) that operates this redirection? – Jules Randolph – 2014-10-26T15:13:42.637

In this case the redirection is done by the server, using an HTTP redirect. A redirection at the DNS layer is not possible. It is possible that the browser redirects, if it detects unencrypted access to a page which is known from earlier visits to be only accessible encrypted, see HSTS.

– Steffen Ullrich – 2014-10-26T15:36:22.083
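The certificate check described in the answer (the name typed in the URL is compared with the names in the certificate, and an IP literal is not looked up in reverse DNS first), as an added example that is not part of the original thread. The SAN list and the function names are constructed for illustration and are not taken from Google's real certificate.

```python
import ipaddress

def _is_ip(value):
    """True if the requested identity is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Match one DNS SAN entry; '*' may only replace the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Refuse over-broad patterns such as "*.ca"
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_matches(requested, san_dns, san_ip):
    """Return True if the identity from the URL is covered by the certificate."""
    if _is_ip(requested):
        # An IP literal is compared only with iPAddress SAN entries. The client
        # does not reverse-resolve it and then try the DNS names.
        want = ipaddress.ip_address(requested)
        return any(ipaddress.ip_address(ip) == want for ip in san_ip)
    return any(_dns_match(name, requested) for name in san_dns)

# Constructed sample SAN entries (assumption: DNS names only, no IP entries)
SAN_DNS = ["google.ca", "*.google.ca"]
SAN_IP = []

def demo():
    """Check the identities from the question against the constructed SAN list."""
    hosts = ["google.ca", "www.google.ca", "a.b.google.ca", "107.161.13.237"]
    return {h: cert_matches(h, SAN_DNS, SAN_IP) for h in hosts}

if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"https://{host:<16} -> {'match' if ok else 'name mismatch'}")
```

The same IP address passes only when the certificate itself lists it as an IP entry, which is why the result depends on what was typed in the URL and not on which server answered.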