How to check if the server I'm connecting to is owned by Google?

2

1

On my home machine, google.com resolves to 46.134.200.108 (public100460.xdsl.centertel.pl). WHOIS for that IP indicates that it's owned by Orange, which happens to be my ISP.

On my VPS, google.com resolves to 173.194.112.206 (fra02s17-in-f14.1e100.net), which is owned by Google.

Both machines are in the same country and are configured to use Google's DNS servers (8.8.8.8, 8.8.4.4).

Now, how do I tell whether this is a legit Google CDN server or the ISP is doing some shady crap with my connections?

Staven

Posted 2015-07-23T21:35:24.137

Reputation: 121

How are you determining what the name resolution is? – EBGreen – 2015-07-23T21:43:28.567

Also be aware that almost all ISPs play with the traffic. Especially for individual users. – EBGreen – 2015-07-23T21:44:06.863

Answers

0

As you noted, it certainly doesn't appear to be a Google address. RIPE, the Regional Internet Registry (RIR) for Europe, i.e., the organization that doles out IP address space to European entities, lists 46.134.200.108 as part of the block of addresses in the range 46.134.192.0 - 46.134.255.255 that it has assigned as follows:

org-name:PTK-Centertel
org-type:Other
address:Orange Polska S.A.
address:Al. Jerozolimskie 160
address:02-326 Warszawa
address:POLAND

You can emulate the commands a web browser issues to a server and see the server's response using telnet. If you have a Linux or OS X system, you likely already have that utility. Microsoft no longer has that utility as part of a default Windows installation, but PuTTY is a free program available for Microsoft Windows systems that provides SSH and telnet client support; PuTTY can be used to emulate a web browser, also. If you do so, you will see that when a browser connects to the 46.134.200.108 address, it is automatically redirected to www.google.com (I've bolded the commands you would type) by the server returning an HTTP 301 status code:

$ telnet 46.134.200.108 80
Trying 46.134.200.10...
Connected to 46.134.200.10.
Escape character is '^]'.
GET / HTTP/1.1
Host: google.com

HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Fri, 24 Jul 2015 00:51:14 GMT
Expires: Sun, 23 Aug 2015 00:51:14 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
Connection closed by foreign host.

Your browser will normally automatically go to the URL provided after "Location:", so you won't normally see the "document has moved" message.

I also noticed I got the same results when I used telnet 46.134.200.10 80, i.e., I inadvertently left off the "8" from "108", so there appear to be multiple IP addresses assigned to your ISP that also handle queries for google.com.

If you connect to http://google.com on some other address assigned to Google, though, say 216.58.217.142 (iad23s43-in-f142.1e100.net), which the American Registry for Internet Numbers (ARIN) shows is assigned to Google, you will see the same redirection occur if you use http://google.com. I.e., you will be redirected to http://www.google.com. What IP address do you see if you perform an nslookup on www.google.com?

To determine why your ISP is returning one of its own addresses if you look up google.com, you might have to question the ISP. Google is now automatically redirecting HTTP traffic to HTTPS, so unless your ISP has somehow managed to get you to install a security certificate on your systems that allows one of the ISP's systems to function as a man-in-the-middle tricking your system into thinking it is dealing with a Google system when it is not, your traffic should be encrypted and hidden from the ISP once your browser is redirected to use HTTPS rather than HTTP with https://www.google.com, or perhaps it is https://www.google.pl/ for you.

Google has a distributed network architecture for load balancing, so people in different parts of the world will see different IP addresses returned when they look up an IP address for Google.com. Even people in different areas of the same country may see different IP addresses. And, since Google uses a round-robin DNS technique, also, someone's system may look up an IP address for google.com now and get one IP address, but when it looks up the address an hour later get another IP address. E.g., here's what I see from one site in the U.S. when I perform an nslookup for google.com:

Name: google.com
Addresses: 173.194.121.7, 173.194.121.3, 173.194.121.1, 173.194.121.2
173.194.121.6, 173.194.121.4, 173.194.121.9, 173.194.121.8, 173.194.121.5
173.194.121.0, 173.194.121.14

As you can see, a list of IP addresses is returned, not just one. Any of those IP addresses could be used to access Google's search engine.

I suppose it is possible Google has an arrangement with your ISP for load balancing purposes in Poland rather than your ISP doing anything shady. Google has a global presence and it makes sense to refer systems in Poland to network resources in Poland that are geographically and thus likely closer in network hops as well, e.g., https://www.google.pl/. The FQDN www.google.pl resolves to 216.58.217.131 on the system in the U.S. I'm on at the moment, but may not resolve to that address for anyone in Poland.

moonpoint

Posted 2015-07-23T21:35:24.137

Reputation: 4 432
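The two checks this thread points at, written out as an added example (not part of the original question or answer): a forward-confirmed reverse DNS test on the resolved IP, and a TLS handshake against that exact IP that validates the certificate for google.com against the system trust store. The function names, the suffix list and the sample resolver tables are assumptions made for this example; the DNS test is only as trustworthy as the resolver answering it.

```python
import socket
import ssl

# Assumption: domains accepted for Google PTR names (1e100.net appears in the question).
GOOGLE_SUFFIXES = (".1e100.net", ".google.com")

def _ptr(ip):
    return socket.gethostbyaddr(ip)[0]

def _addrs(name):
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}

def fcrdns_is_google(ip, ptr=_ptr, addrs=_addrs):
    """Forward-confirmed reverse DNS: the PTR name must sit in a Google
    domain AND resolve forward to the same IP (a PTR alone is spoofable)."""
    try:
        name = ptr(ip).rstrip(".").lower()
        return name.endswith(GOOGLE_SUFFIXES) and ip in addrs(name)
    except OSError:  # herror/gaierror: no PTR record or no forward record
        return False

def tls_proves_name(ip, hostname="google.com", port=443, timeout=5):
    """Connect to the exact IP, send SNI=hostname, and let the system trust
    store validate chain and hostname. Returns (ok, issuer org or error)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, issuer.get("organizationName", "")
    except OSError as exc:  # includes ssl.SSLCertVerificationError
        return False, str(exc)

# Resolver stand-ins so the DNS logic runs offline. The first two PTR names are
# the ones quoted in the question; the third entry is constructed.
SAMPLE_PTR = {
    "46.134.200.108": "public100460.xdsl.centertel.pl",
    "173.194.112.206": "fra02s17-in-f14.1e100.net",
    "203.0.113.9": "fake-in-f1.1e100.net",  # constructed: PTR set by a non-owner
}
SAMPLE_FWD = {"fra02s17-in-f14.1e100.net": {"173.194.112.206"}}

def demo():
    return {ip: fcrdns_is_google(ip, SAMPLE_PTR.__getitem__,
                                 lambda n: SAMPLE_FWD.get(n, set()))
            for ip in SAMPLE_PTR}

if __name__ == "__main__":
    print(demo())
    print(tls_proves_name("173.194.112.206"))  # live check; needs network
```

A False from the DNS test only says the address is not named as Google's in DNS; the TLS test is the one that depends on a trusted certificate chain, which is the condition the answer describes.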