On Tue, Nov 10, 2015 at 2:43 PM, Chris Murray <chris@ipstuff.ca> wrote:
The "popular open dns services" you refer to appear to be Proxy/VPN services that also provide DNS to get around region blocking. These services proxy and/or NAT users behind a single IP address to make it look like you are coming from a different country.
I may be biased, but when I think of popular open DNS services I think of OpenDNS or Google DNS, and you should *never* see a captcha as a result of using OpenDNS. Disclaimer: I work for OpenDNS, and while I can't speak to Google DNS, I have never heard of this behaviour with their service either.
Chris: as you correctly note, this can only happen if the DNS provider returns falsified records to hijack traffic and MITM it through their own proxies. But it sounds like you're unaware of the dark past of OpenDNS where they did exactly that, and their users got Google captchas as a result (they don't do this anymore).

To answer the other questions/comments on the list:

- You're responsible for all the traffic that comes from your IP. Joe, if you put 600 users behind an IPv4 /32 you'd better make sure you have controls in place to keep malware (and shady browser extensions) off their machines.
- The obvious way to avoid needing to share a NAT address is to switch to IPv6 if possible, as Nich said.
- Google looks at an IPv4 /32 or IPv6 /64 by default (may be /56 or /48 for some hosting providers). If you have significant numbers of users sharing a /64, please explain why? Is it because you hate your users? ;)

Damian