[HN Gopher] Google DNS at 010.010.010.010
___________________________________________________________________
Google DNS at 010.010.010.010
Author : boramalper
Score : 120 points
Date : 2021-10-30 15:08 UTC (7 hours ago)
(HTM) web link (010.010.010.010)
(TXT) w3m dump (010.010.010.010)
| TheSwordsman wrote:
| The JSON format they display results in is a bit rough, though.
| Some keys are capitalized, some not.
| EastOfTruth wrote:
| another DNS to avoid... using anything but your ISP's DNS
| decrease privacy... unless you are using a VPN, then the DNS
| should be from your VPN's ISP
| sodality2 wrote:
| > using anything but your ISP's DNS decrease privacy
|
| Using your ISP's DNS decreases privacy. I assume you mean that
| because UDP/53 DNS is unencrypted, if you switch to another DNS
| provider, then both the ISP _and_ the new DNS can see your
| requests? In which case I present to you DNS over HTTPS
| boramalper wrote:
| I found this quite amusing as it seems as if Google is trying to
| impersonate Cloudflare's 1.1.1.1, whereas 010.010.010.010 is
| indeed the octal representation of 8.8.8.8.
|
| Credit: _IPv4 addresses are silly, inet_aton(3) doubly so._
| https://www.netmeister.org/blog/inet_aton.html
| zh3 wrote:
| Ever tried to google 192.168.1.1? Here at least it gives lots
| of bogosity (all in the name of keeping us safe from what we
| actually wanted to get to).
| pxc wrote:
| Google is for web search, and http://192.168.1.1 is not on
| the web
| Dylan16807 wrote:
| Google also has info boxes, and this would be a very good
| place for one.
| zh3 wrote:
| ...in which case they shouldn't give misleading replies
| like "192.168.l.l", n'est ce pas?
| dcminter wrote:
| For clarity - 8.8.8.8 has been around as a free public DNS for
| a good bit longer than 1.1.1.1 has
|
| I think you probably know that already, but there are at least
| a couple of ways to interpret what you wrote.
|
| https://en.wikipedia.org/wiki/Google_Public_DNS
|
| https://en.wikipedia.org/wiki/1.1.1.1
| csouza-f wrote:
| Indeed octal. The second DNS is 010.010.04.04 == 8.8.4.4
| eyelidlessness wrote:
| Amusingly, iOS thinks the text "010.010.010.010" is a phone
| number.
| stefan_ wrote:
| Is there a good IPv6 option?
| bikingbismuth wrote:
| For DNS, I am not sure. If you are talking about strange IP
| formats, not really. The best I've been able to do is some
| playing with the IPv6.IPv4 formatting.
| p1mrx wrote:
| Yeah, https://[2001:4860:4860:00::000:0.0.136.136]/ is
| probably the weirdest format that still parses.
| lucb1e wrote:
| It's also at 010.010.2056 or 0x8080808 or 01002004010. I made a
| little tool a while ago that iterates over all the options that I
| know of:
|
| https://lucb1e.com/randomprojects/php/funnip.php?ip=8.8.8.8
|
| The variant found by OP is apparently the very last option that
| my tool generates. These days, Firefox is a bit boring (okay,
| okay, I'll admit it's a good choice for security) and translates
| these at the first opportunity. Even hyperlinks are translated on
| hover in the 'status bar' (if we can still call it that). For
| mobile users, this is what it shows when you paste one of those
| addresses in Firefox: https://snipboard.io/kbLTso.jpg
| 1vuio0pswjnm7 wrote:
| This program, "ip4dec", converts lists of IPv4 addresses to
| decimal. Wrote this while experimenting with storing domain->ip
| mappings in a trie, such as https://github.com/tlwg/libdatrie
|
| Name borrowed from https://github.com/ian-hamlin/ipdec
|
| Note the trietool "list" command prints data as %d not %u. To
| fix, edit list_enum_func() in trietool.c
|
|     sed -n 's/ //;wip4dec.l' << eof
|      /* not a domain name or ip address validator
|      input file format: (left-justified, no leading spaces)
|      example.com 93.184.216.34
|      example.net 93.184.216.34 comment */
|       int fileno(FILE *);
|       int setenv(const char*,const char*,int);
|       int unsetenv(const char*);
|       #define echo do{if(fwrite(yytext,(size_t)yyleng,1,yyout)){}}while(0)
|       #define jmp (yy_start) = 1 + 2 *
|       int x=0,y=0,o=0;
|      xa [0-9]{1,3}\x2e
|      xb [0-9]{1,3}
|      xc [0-9]{4,5}
|      xd ^[A-Za-z0-9\.-]+
|      xe ^[^A-Za-z0-9]
|      %s xa
|      %option noyywrap nounput noinput
|      %%
|      {xd} if(yytext[0]=='-'||yytext[0]=='.')jmp 0;else{o=0;y=0;x=0;setenv("x",yytext,1);jmp xa;}
|      {xe} jmp 0;
|      <xa>{xc} jmp 0;
|      <xa>{xa}|{xb} {
|      switch(o){
|      case 0: y=atoi(yytext);if(y<1)break;x=y*16777216;y=0;o++;break;
|      case 1: y=atoi(yytext);if(y>255)break;x=x+y*65536;y=0;o++;break;
|      case 2: y=atoi(yytext);if(y>255)break;x=x+y*256;y=0;o++;break;
|      case 3: y=atoi(yytext);if(y>255)break;x=x+y;printf("%s\t%u\n",getenv("x"),x);unsetenv("x");break;
|      default: break;
|      }
|      }
|      .|\n
|      %%
|      int main(){ yylex();exit(0) ;}
|     eof
|     flex -8iCrf ip4dec.l
|     cc -std=c89 -Wall -pedantic -I. -pipe lex.yy.c -static -o ip4dec
|
| usage: ip4dec < input-file
|
| example: echo example.com 93.184.216.34 icann|ip4dec
|
| output: example.com 1572395042
| [deleted]
| [deleted]
| ktpsns wrote:
| +1 for
|
|     <?php
|     if (isset($_GET['source'])) {
|         highlight_file(__FILE__);
|         exit;
|     }
|
| This is such a useful and nice snippet I add to many of my PHP
| files. Open Source at its finest, literally "in place" :-)
| cpach wrote:
| What does it do?
| pbiggar wrote:
| If you provide the GET parameter "source" (which means you
| try "/the-url?source"), it prints a pretty-printed version
| of the source code.
|
| So basically it allows the reader to read the source
| directly without hunting it down on github or something.
| nikeee wrote:
| It prints the source of itself, when source is present as
| a query parameter:
|
| https://lucb1e.com/randomprojects/php/funnip.php?source
| [deleted]
| jeffbee wrote:
| It's weird that this is just a side-effect of the way strtol
| works, but there's no way (that I can figure out) to get + or -
| involved.
| lucb1e wrote:
| It can't only be that, or 127.1 would not work. It is doing
| some parsing beyond just calling a parseInt on each of them
| in order to recognize domain names and use name resolution
| rather than directly putting the bytes in the IP header. That
| must be why 0x9000000.-16250872 doesn't work (if negative
| worked, that should also resolve to 8.8.8.8).
| dharmab wrote:
| I looked into this a while back, IIRC BSD added the "omit
| zeroes" as a nonstandard convenience feature and other OSes
| copied it. I'm far afk or I'd find my notes on this.
| mitchs wrote:
| All of this weird behavior is generally inet_aton.
| https://linux.die.net/man/3/inet_aton
| shireboy wrote:
| Out of sheer curiosity, how does one go about reserving an IP
| address like this, or the ones CloudFlare and google dns use?
| xanathar wrote:
| The main prerequisite is "having a bloatload of money".
| charcircuit wrote:
| Let's say that's true already
| linux2647 wrote:
| One has to buy the block of IP addresses, from ARIN or some
| other Internet governance body, that contains the IP you're
| looking for
| Scaevolus wrote:
| IP address ranges were allocated to various organizations that
| can declare routes for them onto their own networks, or sell to
| other parties.
|
| This is most commonly seen with large clouds like AWS buying
| millions of IPs from owners that weren't using them.
|
| You can use "whowas" to track the ownership shifts, but I don't
| know of a global index-- each NIC has their own implementation
| and restrictions.
|
| https://www.apnic.net/static/whowas-ui/#1.1.1.1
| EE84M3i wrote:
| For me the link on HN is to https://dns.google/ but I'm pretty
| sure it's supposed to be to https://010.010.010.010/ (which
| redirects, for me). Did the admins change it?
| pxc wrote:
| Is that a real TLD?
| tialaramex wrote:
| No, it's an IPv4 address. No TLD is allowed to be a series of
| digits in order to avoid any confusion about this.
|
| Whether your URL parser considers that octal IPv4 addresses
| are a reasonable thing is up to each individual parser. On
| the whole I'd suggest user-facing software should not permit
| this because it's pointlessly confusing.
|
| Rust took a patch that says if you try to convert (for
| example) 010.010.010.010 to an IPv4 address that's an error,
| which again I think is reasonable for the same reason.
|
| In the patch feedback several people want it to mean
| 10.10.10.10 and others think it should mean 8.8.8.8 and
| eventually it seems to become clear to both groups that this
| is itself a _terrible_ sign for their positions, since if you
| expected one but got the other now your software has
| unexpected behaviour, whereas if you got an _error_ you can
| fix your program to do whatever it was you intended. So hence
| the error behaviour won.
|
| [Edited to add: It has been pointed out to me that maybe the
| poster meant .google. Yes, that's a TLD owned by Google. They
| applied for, and received a number of "new gTLDs" from ICANN,
| some like .dev are open for you to register 2LDs in, others
| like .google are only for their own use. Running TLDs likely
| costs Google somewhere in the region of a million dollars per
| year to maintain, but that's a drop in the ocean for a large
| tech company.]
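
Added example, not part of the thread or of any project mentioned in it: the inet_aton(3) behaviour mitchs points to and the reject-with-an-error policy tialaramex describes, compared side by side using the platform's own libc. `classify_ipv4` and the enum names are invented for this sketch, and it assumes a libc (glibc or musl) whose inet_pton() rejects leading zeros while inet_aton() accepts octal, hex and short forms.

```c
#define _DEFAULT_SOURCE          /* glibc: expose inet_aton() under strict -std */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Result of comparing the two libc parsers on one textual address. */
enum ip4_class { IP4_INVALID, IP4_CANONICAL, IP4_LEGACY_ONLY };

/*
 * Classify `text` and, when a parser accepts it, write the dotted-decimal
 * form of the address that would actually be used into `out`.
 *   IP4_CANONICAL    strict inet_pton() accepts it: plain dotted decimal
 *   IP4_LEGACY_ONLY  only inet_aton() accepts it: octal, hex or short form
 *   IP4_INVALID      neither parser accepts it (e.g. a host name)
 */
enum ip4_class classify_ipv4(const char *text, char out[INET_ADDRSTRLEN])
{
    struct in_addr strict, legacy;

    out[0] = '\0';
    if (inet_pton(AF_INET, text, &strict) == 1) {
        inet_ntop(AF_INET, &strict, out, INET_ADDRSTRLEN);
        return IP4_CANONICAL;
    }
    if (inet_aton(text, &legacy) != 0) {
        inet_ntop(AF_INET, &legacy, out, INET_ADDRSTRLEN);
        return IP4_LEGACY_ONLY;
    }
    return IP4_INVALID;
}

int main(void)
{
    /* Constructed sample inputs: the spellings quoted in the thread. */
    const char *samples[] = { "8.8.8.8", "010.010.010.010", "010.010.2056",
                              "0x8080808", "01002004010", "127.1",
                              "0x9000000.-16250872", "dns.google" };
    static const char *label[] = { "invalid", "canonical", "legacy-only" };
    char ip[INET_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum ip4_class c = classify_ipv4(samples[i], ip);
        printf("%-22s %-12s %s\n", samples[i], label[c], ip);
    }
    return 0;
}
```

Code that compares addresses as text (allow lists, log correlation) should refuse anything classed legacy-only, or compare only the normalised form written to `out`.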
| pxc wrote:
| Yeah, I meant the .google name the IP redirects you to in
| the browser
| fragmede wrote:
| Without getting into the existential question of _what does
| it mean to be real_ , yes [0]. It's one of the sponsored
| modern TLDs[1], along with the likes of .horse, .cat (not
| what you think), .wiki, .club, etc.
|
| [0] https://en.m.wikipedia.org/wiki/.google
|
| [1] https://en.m.wikipedia.org/wiki/Sponsored_top-level_domain
| ignoramous wrote:
| TLS certs can be issued to make them work with IP addresses,
| which is why https to 8.8.8.8 (octal: 010.010.010.010) works:
| https://cabforum.org/guidance-ip-addresses-certificates/
|
| See also: https://01.01.01.01/
|
| (btw: _.google_ and _.goog_ are valid TLDs)
| tialaramex wrote:
| Not explicitly mentioned in that CAB/F document, the PKIX
| standard that makes ipAddress SANs work actually defines
| them as numeric types with a set number of bits, so an
| ipAddress is literally a 32-bit or 128-bit value.
|
| This leaves no room for the ambiguity of the text rendering
| something like 010.010.010.010 in the certificate itself.
|
| Likewise the dnsName SAN type is defined in an alphabet for
| X.509 that literally can't represent fancy Unicode, so you
| can't mistakenly write certificates with dnsName SANs that
| give the Unicode name instead of the unambiguous punycode
| name stored in DNS.
|
| These two choices mean your browser can mechanically with
| 100% reliability check certificates in the Web PKI match
| the IP address or DNS name from the URL you believed you
| were visiting, whereas historically the abuse of "Common
| Name" features to write a human representation had nasty
| edge cases for both IP addresses and some DNS names.
| dang wrote:
| Our software follows redirects now. Obviously that's not
| correct in cases like this; but it's so much of an improvement
| in other cases that I don't want to roll it back. Not sure what
| to do yet really.
|
| I've changed the URL above back to https://010.010.010.010/
| now. Thanks!
| JoshTriplett wrote:
| Interestingly, Firefox canonicalizes such links to the
| decimal IP address: if you hover over it, you see
| https://8.8.8.8/ , and if you click on it that's where you
| end up.
| boramalper wrote:
| I was just about to edit my comment: either that is the case or
| HN automatically runs a reverse DNS query to get the domain
| name associated with the IP address in the submission URL?
| missingcolours wrote:
| More likely they do an HTTP request and if there's a redirect
| they update the link.
| boramalper wrote:
| Indeed!
| knorker wrote:
| Depends on the parser. Even under one OS different libc functions
| will return different results.
| ehershey wrote:
| Did google get slashdotted by hacker news? The "getting started"
| link at the bottom gives me an internal server error.
| jcims wrote:
| This is the first time I've seen a certificate issued to an IP
| address. Cloudflare does the same thing for 1.1.1.1.
|
|     X509v3 Subject Alternative Name:
|         DNS:dns.google, DNS:dns.google.com, DNS:*.dns.google.com,
|         DNS:8888.google, DNS:dns64.dns.google,
|         IP Address:8.8.8.8, IP Address:8.8.4.4,
|         IP Address:2001:4860:4860:0:0:0:0:8888,
|         IP Address:2001:4860:4860:0:0:0:0:8844,
|         IP Address:2001:4860:4860:0:0:0:0:6464,
|         IP Address:2001:4860:4860:0:0:0:0:64
|
| I'm guessing this is in part for network device auth? DNS over
| HTTPS?
| tialaramex wrote:
| You can use this for any purpose. These certificates conform to
| PKIX and are part of the Web PKI if they're issued (as this
| was) by a trusted CA.
|
| In some ways the actual _rules_ for IP addresses are less
| strict than for DNS names. Perhaps this will get tightened up.
| Google Trust Services (the part of Google which issues
| certificates, as distinct from say, Chrome, which on behalf of
| Relying Parties has to decide if the certificates are
| trustworthy) expressed interest in issuing IP address
| certificates via ACME, ie automatically to anyone who asks. The
| pushback (including from people in other parts of Google) was
| considerable, even though what GTS proposed to do was actually
| _more_ robust than what's technically required for issuance
| today. But it's nice that they asked (and indeed one argument
| to allow what they requested is, hey, there was no
| _requirement_ for them to ask, if somebody had just done this
| without asking would we have been even more unhappy about that
| or would we let it slide?)
|
| In practical terms, you likely don't get and don't want
| certificates with ipAddress SANs in them. You probably don't
| get them because (unless GTS went ahead subsequently) this is a
| Special Request item not something your Certbot or acme.sh or
| whatever can get for you, and you probably don't want them
| because unless you're a DNS server people expect to type in a
| name, not a sequence of arcane numbers.
| jcims wrote:
| Awesome info, thank you!
| _ache_ wrote:
| Yeah ... Just use 1.1.
|
| Cloudflare is way better. It doesn't even look like an IP. And
| you just can't have shorter.
| zeroimpl wrote:
| Feels like next somebody should setup a DNS system at 2.0.
| vmoore wrote:
| For those interested in more memorable DNS IPs, there is the
| following:
|
| Just be careful, because TWNIC/Quad101 was subjected to a BGP
| hijack in 2019[0]
|
|     101.101.101.101 [TWNIC]
|     80.80.80.80 [FREENOM][1]
|     4.2.2.2 [Level 3]
|
| [0] https://www.manrs.org/2019/05/public-dns-in-taiwan-the-
| lates...
|
| [1] https://www.freenom.world/en/index.html?lang=en
| aftbit wrote:
| Don't forget 1.1.1.1 and 1.0.0.1 (aka 1.1) [Cloudflare]
| vmoore wrote:
| Yeah I left that out for a reason. Most geeks know about
| that. Also 9.9.9.9 is an obvious one. I wanted to point out
| lesser known/esoteric ones
| [deleted]
| [deleted]
| mongol wrote:
| Why is Google providing a public DNS? Is it a PR thing?
| zhenyavinogrdov wrote:
| An example of putting one's public DNS server to a good use is
| Cloudflare's analysis of the recent Facebook outage effects
| https://blog.cloudflare.com/during-the-facebook-outage/
| jayd16 wrote:
| I'm sure it's useful to run analytics over what people are
| connecting to but they have plenty of reasons to run their own
| DNS for their own purposes.
| JonathanMerklin wrote:
| Do you perhaps think that DNS log data could be valuable for
| Google? As always, when a product is free...
| Redoubts wrote:
| Is it any worse than the harvesting my ISP is likely doing?
| tjoff wrote:
| Yes. And no, I would not assume that your ISP is doing it.
| neilk wrote:
| Octal 010 is 8. Dotted quads can apparently be in octal, so
| that's just 8.8.8.8 .
|
| What are we looking at here that's new?
| capableweb wrote:
| "News" in Hacker News doesn't necessarily mean everything is
| new that comes up. Everyone might not know what you know, so
| sometimes it's interesting enough to end up on the front page.
| sieabahlpark wrote:
| Sounds like Reddit.
| makeworld wrote:
| Google's server handles the octal case if it's provided
| directly. Not sure if this is an explicit code path or if the
| server handles all IP forms.
|
| Try this:
|
|     curl -v -H "Host: 010.010.010.010" https://8.8.8.8
|
| Trying to do the same with other websites doesn't seem to work.
| icedchai wrote:
| They probably don't even look at the host header. You can set
| _any_ host header and it works.
| [deleted]
| Philip-J-Fry wrote:
| Edge (and I presume Chromium) interprets a
| https://010.010.010.010 URL as https://8.8.8.8
|
| You can check it by hovering over the link
| lucb1e wrote:
| Not sure what you mean about other websites, it works fine on
| Apache and Nginx, e.g. on my server:
|
|     curl -kiH Host:1348764566 https://1348764566
|
| (-k flag needed because I didn't get a valid cert for this
| variant of the IP. One could also specify the fingerprint but
| let's keep the demo simple.)
|
| It'll give you a 404 because of the unknown vhost, but it
| would also do that if you access it using the 'normal' dotted
| decimal notation: http://80.100.131.150
|
| I used to detect this number actually and it would give you a
| small easter egg, but nobody triggered it and nowadays
| Firefox doesn't send it as a host header anymore when you
| specify the IP as such so I didn't check how to port that
| over to my new web server stack.
| anderskaseorg wrote:
| Google's server doesn't handle that as a special case; it
| redirects any host other than dns.google to dns.google. These
| give the same result:
|
|     curl -v -H "Host: 010.010.010.010" https://8.8.8.8
|     curl -v -H "Host: 222.222.222.222" https://8.8.8.8
|     curl -v -H "Host: example.com" https://8.8.8.8
| cpach wrote:
| https://xkcd.com/1053/
| sixothree wrote:
| And why on earth would anyone want to use google's DNS.
| tata71 wrote:
| Have you used malicious ISP DNS resolution?!
___________________________________________________________________
(page generated 2021-10-30 23:00 UTC)