What's at the Other End of 8.8.8.8?
Source: Hacker News
Testing 8.8.8.8
To see how 8.8.8.8 queries authoritative nameservers, I used my own wildcard DNS service (nip.io & sslip.io). I sent a series of uniquely marked queries to 8.8.8.8, which the resolver then forwards to our nameservers.
for i in $(seq 0 255); do
dig +short 8-8-8-8.test-$i.sslip.io @8.8.8.8
done
Connect to the nameserver to inspect the logs:
ssh ns-ovh.sslip.io
The Logs
The DNS server runs as a systemd service, so the logs can be extracted with journalctl:
sudo journalctl -u sslip.io-dns -S yesterday > /tmp/sslip.io.log
Filter for the crafted lookups:
grep -i 8-8-8-8.test /tmp/sslip.io.log
Sample output (truncated):
172.253.244.145.46402 TypeA 8-8-8-8.TesT-158.SsLIp.io. ? 8.8.8.8
172.253.244.144.45355 TypeA 8-8-8-8.test-158.sslip.io. ? 8.8.8.8
172.253.0.21.41598 TypeA 8-8-8-8.teSt-161.SSlIP.iO. ? 8.8.8.8
172.253.2.29.34349 TypeA 8-8-8-8.tEst-163.ssliP.iO. ? 8.8.8.8
172.253.244.145.48298 TypeA 8-8-8-8.test-163.sslip.io. ? 8.8.8.8
2607:f8b0:4004:1001::12b.39475 TypeA 8-8-8-8.TesT-164.Sslip.Io. ? 8.8.8.8
74.125.181.155.54746 TypeA 8-8-8-8.TEST-173.ssLip.iO. ? 8.8.8.8
172.253.2.23.49071 TypeA 8-8-8-8.TeSt-177.sSlIP.iO. ? 8.8.8.8
What the fields mean
| Field | Description |
|---|---|
| 172.253.244.145 | Source IP address of the DNS query (IPv4). |
| 46402 | Source UDP/TCP port. |
| TypeA | Query type (A record). |
| 8-8-8-8.test-158.sslip.io. | Queried name (note the random capitalization). |
| ? | Indicates a DNS query. |
| 8.8.8.8 | The address we returned. |
Observations
- Only 8 of the 256 queries (≈ 3 %) reached our Warsaw server, which normally handles ~66 % of our traffic.
- The source address is never 8.8.8.8; each query comes from a different Google‑owned IP.
- Random capitalization of the query name is introduced by Google’s resolvers to mitigate DNS cache poisoning.
Verifying ownership of the source IPs
Using ARIN’s REST API and jq:
curl -s -H "Accept: application/json" \
"https://whois.arin.net/rest/ip/172.253.244.145" |
jq '.net.orgRef."@name", .net.netBlocks.netBlock.cidrLength."$"'
Output:
"Google LLC"
"16"
The /16 block confirms Google owns the entire 172.253.0.0/16 range, covering most of the IPv4 addresses seen.
For the IPv6 address:
curl -s -H "Accept: application/json" \
"https://whois.arin.net/rest/ip/2607:f8b0:4004:1001::12b" |
jq '.net.orgRef."@name", .net.netBlocks.netBlock.cidrLength."$"'
Output:
"Google LLC"
"32"
Thus Google also owns the 2607:f8b0::/32 IPv6 block. (The remaining IPv4 address 74.125.181.155 is likewise within a Google‑owned range.)
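The tally behind these observations can be scripted. The following is an added example, not part of the original article: it parses the eight sample lines shown above, assumes every log entry ends with the five fields described in the table, and checks sources only against the two prefixes verified through ARIN.

```python
import ipaddress
from collections import Counter

# Prefixes the article confirmed as Google LLC through ARIN.
VERIFIED_NETS = [ipaddress.ip_network(n) for n in ("172.253.0.0/16", "2607:f8b0::/32")]

# The eight sample log lines shown in the article.
SAMPLE_LOG = """\
172.253.244.145.46402 TypeA 8-8-8-8.TesT-158.SsLIp.io. ? 8.8.8.8
172.253.244.144.45355 TypeA 8-8-8-8.test-158.sslip.io. ? 8.8.8.8
172.253.0.21.41598 TypeA 8-8-8-8.teSt-161.SSlIP.iO. ? 8.8.8.8
172.253.2.29.34349 TypeA 8-8-8-8.tEst-163.ssliP.iO. ? 8.8.8.8
172.253.244.145.48298 TypeA 8-8-8-8.test-163.sslip.io. ? 8.8.8.8
2607:f8b0:4004:1001::12b.39475 TypeA 8-8-8-8.TesT-164.Sslip.Io. ? 8.8.8.8
74.125.181.155.54746 TypeA 8-8-8-8.TEST-173.ssLip.iO. ? 8.8.8.8
172.253.2.23.49071 TypeA 8-8-8-8.TeSt-177.sSlIP.iO. ? 8.8.8.8
"""

def parse_line(line):
    """Parse '<src-ip>.<src-port> <type> <qname> ? <answer>'.

    Assumption: only the last five fields matter, so a journald prefix is ignored.
    """
    src, qtype, qname, _, answer = line.split()[-5:]
    # The port follows the last dot, which also holds for IPv6 sources.
    ip_text, _, port = src.rpartition(".")
    return {"ip": ipaddress.ip_address(ip_text), "port": int(port),
            "qtype": qtype, "qname": qname, "answer": answer}

def summarize(log_text):
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    sources = Counter(r["ip"] for r in records)
    unverified = sorted(str(ip) for ip in sources
                        if not any(ip in net for net in VERIFIED_NETS))
    # dig sent lowercase names, so any uppercase letter was added by the resolver.
    mixed = sum(1 for r in records if r["qname"] != r["qname"].lower())
    # Group by case-folded name: one client query can reach us more than once.
    per_name = Counter(r["qname"].lower() for r in records)
    return {"queries": len(records), "unique_sources": len(sources),
            "outside_verified_nets": unverified, "mixed_case": mixed,
            "distinct_names": len(per_name),
            "repeated_names": sorted(n for n, c in per_name.items() if c > 1)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Addresses listed under `outside_verified_nets` are not necessarily foreign; they are simply outside the two prefixes checked above and need their own whois lookup.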
Conclusion
When the public resolver 8.8.8.8 forwards queries to upstream authoritative servers, the queries do not originate from the IP address 8.8.8.8. Instead, they come from a pool of Google‑owned IP addresses, both IPv4 and IPv6, with varying source ports. Google also randomizes the capitalization of the queried domain name as an additional defense against DNS cache poisoning.