Re: [fw-wiz] (no subject)



On Tue, 20 Jun 2006, Aaron Smith wrote:

On Tue, 2006-06-20 at 13:12 -0500, Frank Knobbe wrote:
On Mon, 2006-06-19 at 22:18 -0400, Paul D. Robertson wrote:

But looky here! Today I get:

# host talk.google.com
talk.google.com is an alias for talk.l.google.com.
talk.l.google.com has address 216.239.37.125
talk.google.com is an alias for talk.l.google.com.
talk.google.com is an alias for talk.l.google.com.

# host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 64.233.179.99
www.l.google.com has address 64.233.179.104
www.google.com is an alias for www.l.google.com.
www.google.com is an alias for www.l.google.com.

So it would appear that the initial reports are wrong and the IP
addresses are indeed different. Hopefully you are able to block all
distributed IPs for talk.google while leaving at least some for
www.google unblocked so you can use the search engine.


Not quite--you need to use a better DNS query tool:
# dnsq a talk.google.com ns1.google.com
(Tuesday, June 20)
1 talk.google.com:
246 bytes, 1+1+6+6 records, response, authoritative, noerror
query: 1 talk.google.com
answer: talk.google.com 604800 CNAME talk.l.google.com
authority: l.google.com 86400 NS a.l.google.com
authority: l.google.com 86400 NS b.l.google.com
authority: l.google.com 86400 NS c.l.google.com
authority: l.google.com 86400 NS d.l.google.com
authority: l.google.com 86400 NS e.l.google.com
authority: l.google.com 86400 NS g.l.google.com
additional: a.l.google.com 86400 A 216.239.53.9
additional: b.l.google.com 86400 A 64.233.179.9
additional: c.l.google.com 86400 A 64.233.161.9
additional: d.l.google.com 86400 A 64.233.183.9
additional: e.l.google.com 86400 A 66.102.11.9
additional: g.l.google.com 86400 A 64.233.167.9

# dnsq a www.google.com ns1.google.com
(Tuesday, June 20)
1 www.google.com:
244 bytes, 1+1+6+6 records, response, authoritative, noerror
query: 1 www.google.com
answer: www.google.com 604800 CNAME www.l.google.com
authority: l.google.com 86400 NS a.l.google.com
authority: l.google.com 86400 NS b.l.google.com
authority: l.google.com 86400 NS c.l.google.com
authority: l.google.com 86400 NS d.l.google.com
authority: l.google.com 86400 NS e.l.google.com
authority: l.google.com 86400 NS g.l.google.com
additional: a.l.google.com 86400 A 216.239.53.9
additional: b.l.google.com 86400 A 64.233.179.9
additional: c.l.google.com 86400 A 64.233.161.9
additional: d.l.google.com 86400 A 64.233.183.9
additional: e.l.google.com 86400 A 66.102.11.9
additional: g.l.google.com 86400 A 64.233.167.9


Not quite--you need to check your interpretation of the DNS answers.

The data given above is entirely correct, but you missed a step!
As the answer section says, talk.google.com is a CNAME for talk.l.google.com AND the authoritative NS for l.google.com is one of the above-mentioned NS. Thus -->

[nickes@thunder ~] dig @a.l.google.com talk.l.google.com a

; <<>> DiG 9.3.2 <<>> @a.l.google.com talk.l.google.com a
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2028
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;talk.l.google.com. IN A

;; ANSWER SECTION:
talk.l.google.com. 300 IN A 64.233.167.125
talk.l.google.com. 300 IN A 216.239.37.125

;; Query time: 191 msec
;; SERVER: 216.239.53.9#53(216.239.53.9)
;; WHEN: Thu Jun 22 11:10:16 2006
;; MSG SIZE rcvd: 67

and

[nickes@thunder ~] dig @a.l.google.com www.l.google.com a

; <<>> DiG 9.3.2 <<>> @a.l.google.com www.l.google.com a
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20348
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.l.google.com. IN A

;; ANSWER SECTION:
www.l.google.com. 300 IN A 66.249.93.104
www.l.google.com. 300 IN A 66.249.93.99

;; Query time: 191 msec
;; SERVER: 216.239.53.9#53(216.239.53.9)
;; WHEN: Thu Jun 22 11:14:20 2006
;; MSG SIZE rcvd: 66

which in fact gives us exactly the same answer as Frank's simple 'host' command, since the above procedure is what 'host' actually performs.

This means that you should be able to block out talk.google.com wherever you like, and still be able to use the search engine.


==Coleburn==

--
---

It takes a lot of knowledge
to really mess something up!

---
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
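
An added example, not part of the original message: the CNAME-following step described in the thread, applied to the records quoted there to work out which addresses can be blocked for talk.google.com without touching www.google.com. The function names and the grouping of the quoted records into three lists are assumptions of this example.

```python
# Records transcribed from the host, dnsq and dig output quoted in the thread,
# as (owner, type, value). Grouping them into lists is this example's choice.
NS1_REPLY = [  # what ns1.google.com returned: a CNAME plus delegation data only
    ("talk.google.com", "CNAME", "talk.l.google.com"),
    ("l.google.com", "NS", "a.l.google.com"),
    ("a.l.google.com", "A", "216.239.53.9"),  # glue: a name server, not the service
]
JUN20 = [  # the 'host' output
    ("talk.google.com", "CNAME", "talk.l.google.com"),
    ("talk.l.google.com", "A", "216.239.37.125"),
    ("www.google.com", "CNAME", "www.l.google.com"),
    ("www.l.google.com", "A", "64.233.179.99"),
    ("www.l.google.com", "A", "64.233.179.104"),
]
JUN22 = [  # the 'dig @a.l.google.com' output
    ("talk.google.com", "CNAME", "talk.l.google.com"),
    ("talk.l.google.com", "A", "64.233.167.125"),
    ("talk.l.google.com", "A", "216.239.37.125"),
    ("www.google.com", "CNAME", "www.l.google.com"),
    ("www.l.google.com", "A", "66.249.93.104"),
    ("www.l.google.com", "A", "66.249.93.99"),
]

def resolve(name, records, max_hops=8):
    """Follow CNAMEs from name and return the set of A addresses reached."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        cnames = [v for o, t, v in records if o == name and t == "CNAME"]
        if not cnames:
            # End of the chain: only A records owned by this exact name count.
            return {v for o, t, v in records if o == name and t == "A"}
        name = cnames[0]
    raise ValueError("CNAME chain too long")

def block_plan(block, keep, snapshots):
    """Union both names' addresses over all snapshots; return (blockable, shared)."""
    blocked, kept = set(), set()
    for records in snapshots:
        blocked |= resolve(block, records)
        kept |= resolve(keep, records)
    shared = blocked & kept  # blocking these would also cut off the 'keep' name
    return sorted(blocked - shared), sorted(shared)
```

The A records in the quoted dig output carry a TTL of 300 seconds and the www addresses differ between the two captures, so an address list built this way has to be refreshed regularly.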

