noclue6
join:2012-09-12

noclue6

Member

[BC] Shaw DNS redirect for google?

I was looking at my firewall logs last night, and I noticed that my wife's Android phone was talking to a Shaw IP address a lot.

The address when you go to it in a web browser, has the google page! 24.244.19.212

I naturally thought this was some sort of attack or redirection, but when I went onto my DNS server and did a query for google.ca, I got a list of Shaw servers. WTF! I say to myself. So then I tried querying OpenDNS:

nslookup google.ca 208.67.222.222

and I get this:

Server: 208.67.222.222
Address: 208.67.222.222#53

Non-authoritative answer:
Name: google.ca
Address: 24.244.19.212
Name: google.ca
Address: 24.244.19.237
Name: google.ca
Address: 24.244.19.222
Name: google.ca
Address: 24.244.19.242
Name: google.ca
Address: 24.244.19.241
Name: google.ca
Address: 24.244.19.232
Name: google.ca
Address: 24.244.19.216
Name: google.ca
Address: 24.244.19.217
Name: google.ca
Address: 24.244.19.221
Name: google.ca
Address: 24.244.19.236
Name: google.ca
Address: 24.244.19.247
Name: google.ca
Address: 24.244.19.251
Name: google.ca
Address: 24.244.19.231
Name: google.ca
Address: 24.244.19.246
Name: google.ca
Address: 24.244.19.227
Name: google.ca
Address: 24.244.19.226

All Shaw IP addresses! So what's going on here? Is Shaw intercepting my DNS requests and using its own local caching server? How would I turn this behaviour off? I don't want Shaw to be intercepting my private communications with Google. Sure they are the ISP, and we have to trust them, but I would rather be talking directly to Google, especially for sensitive things like her webmail. I would hate to think it's all cached on some Shaw server.

Anyone seeing this? Am I just being crazy or have I done something really wrong? I purposefully run my own DNS servers for many reasons and privacy is one of them. Are there other sites that Shaw is injecting its claws into? Is it only Google because Google is special?

duckduckgo.com seems to resolve fine.

rustydusty
join:2009-09-29
Red Deer County, AB

rustydusty

Member

If you are worried about Shaw doing strange things with DNS queries, change to Google:

8.8.8.8

kevinds
Premium Member
join:2003-05-01
Calgary, AB

kevinds to noclue6

Premium Member

to noclue6
Shaw hosts some Google servers in Vancouver, for use by the Shaw customers.

Most medium and large sized ISPs do this.

Those are some of the same servers that were being looked at when the YouTube buffering issue was happening.

It is ok...
noclue6
join:2012-09-12

noclue6

Member

Well that's the point, I am *not* using Shaw's DNS servers. Like so:

C:\Users\USERNAME>nslookup google.com 8.8.8.8

Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: google.com
Addresses: 2607:f8b0:400a:800::1008
24.244.19.227
24.244.19.236
24.244.19.212
24.244.19.216
24.244.19.226
24.244.19.251
24.244.19.217
24.244.19.241
24.244.19.242
24.244.19.237
24.244.19.222
24.244.19.247
24.244.19.231
24.244.19.232
24.244.19.221
24.244.19.246

humanfilth
join:2013-02-14
river styx


humanfilth to noclue6

Member

to noclue6
Switch over to encrypted Google.

»encrypted.google.com

.ca version
»www.google.ca/

If they redirect that, then really bitch about intercepting/redirecting encrypted communications.

You can also use HTTPS everywhere
»www.eff.org/https-everywhere
for Firefox or Chrome
to force your browser to use the encrypted versions of websites. Some sites that have an expired encrypted key may generate a security error.
scubascythan
join:2005-05-14

scubascythan to noclue6

Member

to noclue6
Install the addon/extension NoScript or its equivalent on your computer browser.

You'll find A LOT of websites use google-analytics. Even dslreports does.

Wouldn't surprise me if that was what's tracking you.
fender
join:2007-07-23
Vancouver, BC

fender to noclue6

Member

to noclue6
I run BIND internally because I don't care to give Shaw, Google, or the NSA any more information conveniently packaged for their consumption whenever possible.
noclue6
join:2012-09-12

noclue6

Member

1. I am trying to bitch about that. But I doubt I can just call up some tier 1 Shaw tech and explain this. Want to mainly know if others are seeing it. There's nothing I can do really about it except change ISPs (if I care enough). They do appear to be redirecting https:

from firewall:
tcp 24.244.19.227:443 <- 192.168.1.XXX:52136 ESTABLISHED:ESTABLISHED 
tcp 192.168.1.XXX:52136 -> SHAWIP_ROUTER:5531 -> 24.244.19.227:443 ESTABLISHED:ESTABLISHED 
tcp 24.244.19.182:443 <- 192.168.1.XXX:52139 ESTABLISHED:ESTABLISHED 
tcp 192.168.1.XXX:52139 -> SHAWIP_ROUTER:53514 -> 24.244.19.182:443 ESTABLISHED:ESTABLISHED
 

2. The device in question is my wife's Google phone on my wifi. I already do not use Google and block it with NoScript. I have an ad blocking application on her rooted phone, but you cannot block Google on a Google phone... I try and stay away from Google, but that is irrelevant.

3. I am running nameserver BIND 9.8.1-P1 locally, looking up from root servers (for better or worse practice wise). It does not matter what nameserver I resolve from, the IP addresses always come up as Shaw addresses. I would have assumed there was a redirect somewhere and be looking for that if I hadn't tried OpenDNS and Google DNS and gotten the same Shaw IP addresses back.

Either shaw is proxying any lookup for google, or google itself is returning closest local mirror based on my ip address. Since my isp is shaw, it returns shaw. It is either interesting behaviour, or I am being a real retard and cannot see my obvious error in logic.

humanfilth
join:2013-02-14
river styx


humanfilth to noclue6

Member

to noclue6
Maybe a detecting the Shaw proxy is over-riding your DNS box?
"auto detect proxy settings"

I do like ISP's that are a dumb pipe.

And I guess you have patched BIND (though the bug may not affect your version of BIND).
»kb.isc.org/article/AA-00967

Hopefully I do not assume wrong, that a Shaw proxy could crash your dns root resolver lookups with its proxy interference? A bit technical for me, but that would be assuming that you are not actually reaching your wanted dns resolvers resulting in Shaw overriding your DNS cache.

And your ISP gateway(?) is or still is in a bridge mode?

»deepthought.isc.org/arti ··· tes.html
2008. [func] It is now possible to enable/disable DNSSEC
validation from rndc. This is useful for the
mobile hosts where the current connection point
breaks DNSSEC (firewall/proxy). [RT #15592]

I do find it annoying (for other ISPs) where Google sets up a local node along with the forced ISP redirect and that breaks DNS.
With YouTube, people had to block the ISP's YouTube IP to avoid buffering.
stolen
join:2004-04-12
Calgary, AB

stolen to noclue6

Member

to noclue6

Shaw is not re-directing https. These are Google caches on Shaw's network. Telus has them as well on their network, as do most reasonably sized ISPs. Google may be redirecting you to these servers, but Shaw is not doing any "tricks" to make this happen.

kevinds
Premium Member
join:2003-05-01
Calgary, AB

kevinds to noclue6

Premium Member

to noclue6
or google itself is returning closest local mirror based on my ip address

This is what is happening...

It would be much more annoying for it to return an IP in Germany for your traffic from Canada, the "best" servers are picked...

humanfilth
join:2013-02-14
river styx


humanfilth to stolen

Member

to stolen
said by stolen:

Shaw is not re-directing https. These are Google caches on Shaw's network. Telus has them as well on their network, as do most reasonably sized ISPs. Google may be redirecting you to these servers, but Shaw is not doing any "tricks" to make this happen.

But that would be only if you were to use Telus DNS servers. I cannot remember if a 'Telus IP google' was still named 'Google'. Been ages since I did tracert using Telus DNS (Google-chilliwack?).
I get
74.125.228.73 or 173.194.33.32(this one seems to be in Seattle)
For my Google pages at this time using Telus with a non-Telus DNS provider.

So the 'trick' that Shaw is doing is ignoring the user's DNS settings (or hard coded IP) and over-riding with a Shaw DNS. Hey it may have Google's crap covered hand in the redirect. Like Rogers had with misspelled text addresses being sent to an ad page search engine.

The other way to block Shaw's hijacking would be if blocking the certain IPs would kill the redirect. That is what some Rogers customers wallets did to block the notice/ad insertions into webpages.
fender
join:2007-07-23
Vancouver, BC

fender

Member

I'm seeing the same results you're seeing here on Shaw.

Every other machine I have out there in the world sees this..

google.com has address 173.194.43.37
google.com has address 173.194.43.35
google.com has address 173.194.43.41
google.com has address 173.194.43.39
google.com has address 173.194.43.36
google.com has address 173.194.43.32
google.com has address 173.194.43.33
google.com has address 173.194.43.40
google.com has address 173.194.43.38
google.com has address 173.194.43.46
google.com has address 173.194.43.34
google.com has IPv6 address 2607:f8b0:4006:803::1003
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.

kevinds
Premium Member
join:2003-05-01
Calgary, AB

kevinds

Premium Member

Make sure you are using google.ca for lookups to be consistent.

This is what I get though,

C:\Users\kevin>nslookup google.ca.
Server: UnKnown
Address: 192.168.5.6

Non-authoritative answer:
Name: google.ca
Addresses: 2607:f8b0:400a:801::101f
173.194.33.56
173.194.33.63
173.194.33.55

C:\Users\kevin>ping google.ca

Pinging google.ca [2607:f8b0:400a:801::101f] with 32 bytes of data:
Reply from 2607:f8b0:400a:801::101f: time=48ms
Reply from 2607:f8b0:400a:801::101f: time=51ms
Reply from 2607:f8b0:400a:801::101f: time=48ms
Reply from 2607:f8b0:400a:801::101f: time=48ms

Ping statistics for 2607:f8b0:400a:801::101f:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 48ms, Maximum = 51ms, Average = 48ms
fender
join:2007-07-23
Vancouver, BC

fender

Member

You're quite right -- I never use google.ca personally so my fingers don't type it.

google.ca has address 173.194.40.152
google.ca has address 173.194.40.159
google.ca has address 173.194.40.151
google.ca has IPv6 address 2a00:1450:4007:808::101f
google.ca mail is handled by 20 alt1.aspmx.l.google.com.
google.ca mail is handled by 30 alt2.aspmx.l.google.com.
google.ca mail is handled by 40 alt3.aspmx.l.google.com.
google.ca mail is handled by 50 alt4.aspmx.l.google.com.
google.ca mail is handled by 10 aspmx.l.google.com.
fender

fender

Member

Finally a different result geographically.

In Atlanta I get..

google.ca has address 74.125.139.94
google.ca has IPv6 address 2607:f8b0:4002:c03::5e
google.ca mail is handled by 50 alt4.aspmx.l.google.com.
google.ca mail is handled by 20 alt1.aspmx.l.google.com.
google.ca mail is handled by 10 aspmx.l.google.com.
google.ca mail is handled by 30 alt2.aspmx.l.google.com.
google.ca mail is handled by 40 alt3.aspmx.l.google.com.
rotohoto
join:2012-03-31
canada

rotohoto to humanfilth

Member

to humanfilth
Shaw isn't hijacking anything.

As others have mentioned this is the "Google Global Cache" and has been around for years now.
Previously using opendns would break it, I guess maybe they've now got a workaround in place with them so that people on Shaw still get redirected to the Shaw cache servers when querying opendns servers.

Also, Shaw has absolutely no control or visibility into the cache servers. They are 100% owned and operated by Google, they just happen to be placed inside Shaw's network.

Google also controls which server you get redirected to. If you're in Vancouver on Shaw, you may get pointed to the servers that Shaw hosts, you may get pointed to some in Seattle, you might get pointed elsewhere... totally up to google.
fender
join:2007-07-23
Vancouver, BC

fender to noclue6

Member

to noclue6
It appears that Google's authoritative answers actually return geographically rel. results even when queried directly using dig.

Nothing to be more concerned about than normal regarding Google (trust them about as far as you can throw a cloud.)

Inate
@shawcable.net


Inate

Anon


This is all normal Google behavior; if you have a gripe, speak to them.
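
An added example, not written by any poster in this thread: one way to check the question the thread argues over is to take the addresses a lookup returned and see whether each one completes a TLS handshake with a certificate that is valid for the hostname. The function names are hypothetical, the sample text is trimmed from the nslookup output quoted above, and the TLS check needs outbound network access on port 443.

```python
import ipaddress
import socket
import ssl

# Trimmed from the nslookup output quoted in the thread (Unix and Windows layouts).
UNIX_OUT = """Server: 208.67.222.222
Address: 208.67.222.222#53
Non-authoritative answer:
Name: google.ca
Address: 24.244.19.212
Name: google.ca
Address: 24.244.19.237
"""
WINDOWS_OUT = """Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: google.com
Addresses: 2607:f8b0:400a:800::1008
24.244.19.227
24.244.19.236
"""

def answer_ips(nslookup_text):
    """Return the answer addresses, skipping the resolver's own Server/Address header."""
    _, _, answer = nslookup_text.partition("answer:")
    ips = []
    for line in answer.splitlines():
        token = line.split(":", 1)[1] if line.startswith(("Address", "Name")) else line
        try:
            ips.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            pass  # "Name: ..." lines and blank lines are not addresses
    return ips

def tls_verdict(ip, hostname, timeout=5.0):
    """Connect to ip:443, send hostname as SNI, and report how certificate checks went."""
    ctx = ssl.create_default_context()  # verifies the CA chain and the hostname
    try:
        with socket.create_connection((str(ip), 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return "valid"
    except ssl.SSLCertVerificationError:
        return "bad-cert"
    except OSError:
        return "no-handshake"

if __name__ == "__main__":
    for ip in answer_ips(UNIX_OUT):
        print(ip, tls_verdict(ip, "google.ca"))
```

A "valid" verdict means the server at that address holds the private key for a certificate a trusted CA issued for the hostname, which is what a Google-operated cache node would present. A "bad-cert" verdict is the one worth investigating further.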