nanog mailing list archives

Re: Google Captcha on web searches


From: Damian Menscher via NANOG <nanog () nanog org>
Date: Wed, 11 Nov 2015 07:17:22 -0800

On Tue, Nov 10, 2015 at 2:43 PM, Chris Murray <chris () ipstuff ca> wrote:

The "popular open dns services" you refer to appear to be Proxy/VPN
services that also provide DNS to get around region blocking. These
services proxy and/or NAT users behind a single IP address to make it
look like you are coming from a different country.

I may be biased, but when I think of popular open DNS services I think
of OpenDNS or Google DNS, and you should *never* see a captcha as a
result of using OpenDNS. Disclaimer: I work for OpenDNS, and while I
can't speak to Google DNS, I have never heard of this behaviour with
their service either.


Chris: as you correctly note, this can only happen if the DNS provider
returns falsified records to hijack traffic and MITM it through their own
proxies.  But it sounds like you're unaware of the dark past of OpenDNS
where they did exactly that, and their users got Google captchas as a
result (they don't do this anymore).

To answer the other questions/comments on the list:
  - You're responsible for all the traffic that comes from your IP.  Joe,
if you put 600 users behind an IPv4/32 you'd better make sure you have
controls in place to keep malware (and shady browser extensions) off their
machines.
  - The obvious way to avoid needing to share a NAT address is to switch to
IPv6 if possible, as Nich said.
  - Google looks at an IPv4/32 or IPv6/64 by default (may be /56 or /48 for
some hosting providers).  If you have significant numbers of users sharing
a /64, please explain why?  Is it because you hate your users? ;)

Damian
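
Added example, not part of the message above and not Google's code: a sketch of per-source accounting at the granularity the message names (IPv4 /32, IPv6 /64, optionally /56 or /48), showing why 600 users behind one NAT address count as a single source. The function names, the threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Prefix lengths taken from the message: IPv4 /32, IPv6 /64 by default.
V4_PREFIX = 32
V6_PREFIX = 64
THRESHOLD = 100  # hypothetical requests-per-window limit, not a real Google value


def bucket_key(addr, v6_prefix=V6_PREFIX):
    """Return the network a client address is accounted under."""
    ip = ipaddress.ip_address(addr)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = V4_PREFIX if ip.version == 4 else v6_prefix
    # strict=False masks off the host bits instead of raising an error.
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def flagged_buckets(requests, threshold=THRESHOLD, v6_prefix=V6_PREFIX):
    """Count requests per bucket and return the buckets above the threshold."""
    counts = Counter(bucket_key(src, v6_prefix) for src in requests)
    return {str(net): n for net, n in counts.items() if n > threshold}


# Constructed sample: 600 users behind one NAT address, one request each.
SAMPLE_NAT = ["203.0.113.7"] * 600
# Constructed sample: 600 users, each in their own /64.
SAMPLE_V6 = [f"2001:db8:0:{i:x}::1" for i in range(600)]
# Constructed sample: 600 hosts all sharing a single /64.
SAMPLE_SHARED_64 = [f"2001:db8:1:1::{i + 1:x}" for i in range(600)]

if __name__ == "__main__":
    for name, sample in [("NAT /32", SAMPLE_NAT),
                         ("one /64 per user", SAMPLE_V6),
                         ("shared /64", SAMPLE_SHARED_64)]:
        print(name, flagged_buckets(sample))
```

With one request per user, the NATed /32 and the shared /64 each exceed the limit as a single source, while the same 600 users spread over individual /64s stay under it.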

