Firewall Wizards mailing list archives
Re: (no subject)
From: Coleburn <coleburn () aland net>
Date: Thu, 22 Jun 2006 11:33:28 +0300 (EEST)
On Tue, 20 Jun 2006, Aaron Smith wrote:
On Tue, 2006-06-20 at 13:12 -0500, Frank Knobbe wrote:

On Mon, 2006-06-19 at 22:18 -0400, Paul D. Robertson wrote:

But looky here! Today I get:

# host talk.google.com
talk.google.com is an alias for talk.l.google.com.
talk.l.google.com has address 216.239.37.125
talk.google.com is an alias for talk.l.google.com.
talk.google.com is an alias for talk.l.google.com.

# host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 64.233.179.99
www.l.google.com has address 64.233.179.104
www.google.com is an alias for www.l.google.com.
www.google.com is an alias for www.l.google.com.

So it would appear that the initial reports are wrong and the IP addresses are indeed different. Hopefully you are able to block all distributed IP's for talk.google while leaving at least some for www.google unblocked so you can use the search engine.

Not quite--you need to use a better DNS query tool:

# dnsq a talk.google.com ns1.google.com
1 talk.google.com:
246 bytes, 1+1+6+6 records, response, authoritative, noerror
query: 1 talk.google.com
answer: talk.google.com 604800 CNAME talk.l.google.com
authority: l.google.com 86400 NS a.l.google.com
authority: l.google.com 86400 NS b.l.google.com
authority: l.google.com 86400 NS c.l.google.com
authority: l.google.com 86400 NS d.l.google.com
authority: l.google.com 86400 NS e.l.google.com
authority: l.google.com 86400 NS g.l.google.com
additional: a.l.google.com 86400 A 216.239.53.9
additional: b.l.google.com 86400 A 64.233.179.9
additional: c.l.google.com 86400 A 64.233.161.9
additional: d.l.google.com 86400 A 64.233.183.9
additional: e.l.google.com 86400 A 66.102.11.9
additional: g.l.google.com 86400 A 64.233.167.9

# dnsq a www.google.com ns1.google.com
1 www.google.com:
244 bytes, 1+1+6+6 records, response, authoritative, noerror
query: 1 www.google.com
answer: www.google.com 604800 CNAME www.l.google.com
authority: l.google.com 86400 NS a.l.google.com
authority: l.google.com 86400 NS b.l.google.com
authority: l.google.com 86400 NS c.l.google.com
authority: l.google.com 86400 NS d.l.google.com
authority: l.google.com 86400 NS e.l.google.com
authority: l.google.com 86400 NS g.l.google.com
additional: a.l.google.com 86400 A 216.239.53.9
additional: b.l.google.com 86400 A 64.233.179.9
additional: c.l.google.com 86400 A 64.233.161.9
additional: d.l.google.com 86400 A 64.233.183.9
additional: e.l.google.com 86400 A 66.102.11.9
additional: g.l.google.com 86400 A 64.233.167.9

Not quite--you need to check your interpretation of the DNS answers. Above given data is entirely correct, but you missed a step! As the answer section says, talk.google.com is a CNAME for talk.l.google.com AND the authoritative NS for l.google.com is one of the above mentioned NS. Thus -->

[nickes@thunder ~] dig @a.l.google.com talk.l.google.com a

; <<>> DiG 9.3.2 <<>> @a.l.google.com talk.l.google.com a
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2028
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;talk.l.google.com. IN A

;; ANSWER SECTION:
talk.l.google.com. 300 IN A 64.233.167.125
talk.l.google.com. 300 IN A 216.239.37.125

;; Query time: 191 msec
;; SERVER: 216.239.53.9#53(216.239.53.9)
;; WHEN: Thu Jun 22 11:10:16 2006
;; MSG SIZE rcvd: 67

and

[nickes@thunder ~] dig @a.l.google.com www.l.google.com a

; <<>> DiG 9.3.2 <<>> @a.l.google.com www.l.google.com a
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20348
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.l.google.com. IN A

;; ANSWER SECTION:
www.l.google.com. 300 IN A 66.249.93.104
www.l.google.com. 300 IN A 66.249.93.99

;; Query time: 191 msec
;; SERVER: 216.239.53.9#53(216.239.53.9)
;; WHEN: Thu Jun 22 11:14:20 2006
;; MSG SIZE rcvd: 66

which in fact gives us exactly the same answer as Frank's simple 'host' command, since the above procedure is what 'host' actually performs.

This means that you should be able to block out talk.google.com wherever you like, and still be able to use the search engine.

==Coleburn==
--
--- It takes a lot of knowledge to really mess something up! ---

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
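
An added example, not part of the original message: it parses the two dig ANSWER sections quoted above, confirms that the talk and www address sets do not overlap before an IP-based block rule is written, and reports the record TTL as the interval after which the sets should be re-resolved. The function names and the overlap sample in the usage are assumptions made for illustration; the records are the ones shown in the message.

```python
import ipaddress

# ANSWER SECTION lines copied from the two dig runs quoted in the message.
TALK_ANSWER = """\
talk.l.google.com. 300 IN A 64.233.167.125
talk.l.google.com. 300 IN A 216.239.37.125
"""
WWW_ANSWER = """\
www.l.google.com. 300 IN A 66.249.93.104
www.l.google.com. 300 IN A 66.249.93.99
"""


def parse_a_records(answer_text):
    """Return (set of IPv4Address, lowest TTL) from dig answer lines."""
    addrs, ttls = set(), []
    for line in answer_text.splitlines():
        fields = line.split()
        # Expected layout: owner TTL class type rdata. Skip dig comments
        # (leading ';'), blank lines and non-A records such as CNAME.
        if len(fields) != 5 or fields[0].startswith(";"):
            continue
        if fields[2].upper() != "IN" or fields[3].upper() != "A":
            continue
        addrs.add(ipaddress.IPv4Address(fields[4]))
        ttls.append(int(fields[1]))
    return addrs, (min(ttls) if ttls else None)


def block_plan(block_answer, keep_answer):
    """Decide which addresses can be blocked without touching the kept name."""
    block, block_ttl = parse_a_records(block_answer)
    keep, keep_ttl = parse_a_records(keep_answer)
    shared = block & keep
    ttls = [t for t in (block_ttl, keep_ttl) if t is not None]
    return {
        "block": sorted(block - keep),      # safe to drop at the firewall
        "shared": sorted(shared),           # blocking these breaks the kept name
        "safe": bool(block) and not shared,
        "recheck_seconds": min(ttls) if ttls else None,
    }


if __name__ == "__main__":
    plan = block_plan(TALK_ANSWER, WWW_ANSWER)
    print("block:", ", ".join(str(a) for a in plan["block"]))
    print("shared with www:", [str(a) for a in plan["shared"]])
    print("re-resolve every", plan["recheck_seconds"], "seconds")
```

With a TTL of 300 on both answers, a rule built from these addresses describes only the answer seen at query time, so the comparison has to be repeated against the authoritative servers rather than done once.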