We started getting a Google Captcha for our web searches this morning. Does anyone have contact info for Google so that I can contact them and figure out where the traffic is coming from on my side or what service it is going to so that I can track down the users? Thanks, Joe Jenkins 909.636.2097
We had that problem too, it was only happening to computers with a NATed v4 address. Connecting to Google over IPv6 made the problems go away. Thank you, - Nich
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Joseph Jenkins Sent: Tuesday, November 10, 2015 11:28 AM To: nanog@nanog.org Subject: Google Captcha on web searches
We started getting a Google Captcha for our web searches this morning. Does anyone have contact info for Google so that I can contact them and figure out where the traffic is coming from on my side or what service it is going to so that I can track down the users?
Thanks,
Joe Jenkins 909.636.2097
On Tue 2015-Nov-10 09:28:09 -0800, Joseph Jenkins <joe@breathe-underwater.com> wrote:
We started getting a Google Captcha for our web searches this morning. Does anyone have contact info for Google so that I can contact them and figure out where the traffic is coming from on my side or what service it is going to so that I can track down the users?
Out of curiosity: Is this happening with IPv6-capable hosts? We've had instances where Google flags our dual stack hosts and pops up Captcha's like you're reporting when connecting via v6, but where we've never had problems accessing their services from the same host(s) over v4. Flipping the affected host's browser over to using v4 using a browser extension let's them access Google services again. https://support.google.com/websearch/answer/86640?hl=en is too generic/vague to give any specifics of why Google decided the user's v6 IP is put on the nasty list (or even whether it's their IP specifically or something larger like a /64).
Thanks,
Joe Jenkins 909.636.2097
-- Hugo hugo@slabnet.com: email, xmpp/jabber PGP fingerprint (B178313E): CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E (also on Signal)
It's done per /32 I believe. Do you have a lot of NATed users? Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Nov 10, 2015 12:29 PM, "Joseph Jenkins" <joe@breathe-underwater.com> wrote:
We started getting a Google Captcha for our web searches this morning. Does anyone have contact info for Google so that I can contact them and figure out where the traffic is coming from on my side or what service it is going to so that I can track down the users?
Thanks,
Joe Jenkins 909.636.2097
I have about a 600 users. We aren’t dual stick only ipv4 at this point. Someone contacted me off list and gave me some insight as to what to key on. Joe
On Nov 10, 2015, at 9:48 AM, Josh Luthman <josh@imaginenetworksllc.com> wrote:
It's done per /32 I believe. Do you have a lot of NATed users?
Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
On Nov 10, 2015 12:29 PM, "Joseph Jenkins" <joe@breathe-underwater.com <mailto:joe@breathe-underwater.com>> wrote: We started getting a Google Captcha for our web searches this morning. Does anyone have contact info for Google so that I can contact them and figure out where the traffic is coming from on my side or what service it is going to so that I can track down the users?
Thanks,
Joe
You may get captcha if you are using popular open dns services. At least this is what I've seen. On 10/11/2015 20:28, Joseph Jenkins wrote:
We started getting a Google Captcha for our web searches this morning. Does anyone have contact info for Google so that I can contact them and figure out where the traffic is coming from on my side or what service it is going to so that I can track down the users?
Thanks,
Joe Jenkins 909.636.2097
On Tue, Nov 10, 2015 at 1:09 PM, Nikolay Shopik <shopik@inblock.ru> wrote:
You may get captcha if you are using popular open dns services. At least this is what I've seen.
pardon, what?
On 10/11/2015 20:28, Joseph Jenkins wrote:
We started getting a Google Captcha for our web searches this morning. Does anyone have contact info for Google so that I can contact them and figure out where the traffic is coming from on my side or what service it is going to so that I can track down the users?
Thanks,
Joe Jenkins 909.636.2097
When I've started using DNS from unotelly service, captcha starts appears from time to time. If I change DNS to something else, catcha gone immediately. Its probably related to DNS geo-locating to decide what records serve to client On 10/11/2015 23:00, Christopher Morrow wrote:
On Tue, Nov 10, 2015 at 1:09 PM, Nikolay Shopik <shopik@inblock.ru> wrote:
You may get captcha if you are using popular open dns services. At least this is what I've seen.
pardon, what?
On 10/11/2015 20:28, Joseph Jenkins wrote:
We started getting a Google Captcha for our web searches this morning. Does anyone have contact info for Google so that I can contact them and figure out where the traffic is coming from on my side or what service it is going to so that I can track down the users?
Thanks,
Joe Jenkins 909.636.2097
Hi Nikolay, The "popular open dns services" you refer to appear to be Proxy/VPN services that also provide DNS to get around region blocking. These services proxy and/or NAT users behind a single IP address to make it look like you are coming from a different country. I may be biased, but when I think of popular open DNS services I think of OpenDNS or Google DNS, and you should *never* see a captcha as a result of using OpenDNS. Disclaimer: I work for OpenDNS, and while I can't speak to Google DNS, I have never heard of this behaviour with their service either. Just wanted to clarify. - Chris On Tue, Nov 10, 2015 at 12:29 PM, Nikolay Shopik <shopik@inblock.ru> wrote:
When I've started using DNS from unotelly service, captcha starts appears from time to time. If I change DNS to something else, catcha gone immediately.
Its probably related to DNS geo-locating to decide what records serve to client
On 10/11/2015 23:00, Christopher Morrow wrote:
On Tue, Nov 10, 2015 at 1:09 PM, Nikolay Shopik <shopik@inblock.ru> wrote:
You may get captcha if you are using popular open dns services. At least this is what I've seen.
pardon, what?
On 10/11/2015 20:28, Joseph Jenkins wrote:
We started getting a Google Captcha for our web searches this morning. Does anyone have contact info for Google so that I can contact them and figure out where the traffic is coming from on my side or what service it is going to so that I can track down the users?
Thanks,
Joe Jenkins 909.636.2097
Hi Chris, Yeah I probably should worded that differently not 'open dns services', sorry about that. In my case there is no proxy/vpn service (i know they can do that), just DNS changes. For some reason that cause false-positive detection in google from time to time. On 11/11/2015 01:43, Chris Murray wrote:
Hi Nikolay,
The "popular open dns services" you refer to appear to be Proxy/VPN services that also provide DNS to get around region blocking. These services proxy and/or NAT users behind a single IP address to make it look like you are coming from a different country.
I may be biased, but when I think of popular open DNS services I think of OpenDNS or Google DNS, and you should *never* see a captcha as a result of using OpenDNS. Disclaimer: I work for OpenDNS, and while I can't speak to Google DNS, I have never heard of this behaviour with their service either.
Just wanted to clarify. - Chris
On Tue, Nov 10, 2015 at 12:29 PM, Nikolay Shopik <shopik@inblock.ru> wrote:
When I've started using DNS from unotelly service, captcha starts appears from time to time. If I change DNS to something else, catcha gone immediately.
Its probably related to DNS geo-locating to decide what records serve to client
On 10/11/2015 23:00, Christopher Morrow wrote:
On Tue, Nov 10, 2015 at 1:09 PM, Nikolay Shopik <shopik@inblock.ru> wrote:
You may get captcha if you are using popular open dns services. At least this is what I've seen.
pardon, what?
On 10/11/2015 20:28, Joseph Jenkins wrote:
We started getting a Google Captcha for our web searches this morning. Does anyone have contact info for Google so that I can contact them and figure out where the traffic is coming from on my side or what service it is going to so that I can track down the users?
Thanks,
Joe Jenkins 909.636.2097
On Wed, Nov 11, 2015 at 12:58 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On 11/Nov/15 01:09, Nikolay Shopik wrote:
Hi Chris,
Yeah I probably should worded that differently not 'open dns services', sorry about that.
I think those types of DNS services are so-called "Smart DNS".
'smart' ... I can't imagine that the DNS server you use would matter to Google, from a 'send to captcha' perspective. I CAN imagine that the DNS server you use could lie to you about the right RR to send back, and then push you through some proxy for all manner of good/bad reasons. Don't use DNS servers that lie.
On 11/Nov/15 17:09, Christopher Morrow wrote:
'smart' ... I can't imagine that the DNS server you use would matter to Google, from a 'send to captcha' perspective. I CAN imagine that the DNS server you use could lie to you about the right RR to send back, and then push you through some proxy for all manner of good/bad reasons.
Don't use DNS servers that lie.
https://en.wikipedia.org/wiki/Smart_DNS_proxy_server I don't make this sh** up. Mark.
On Wed, Nov 11, 2015 at 10:57 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On 11/Nov/15 17:09, Christopher Morrow wrote:
'smart' ... I can't imagine that the DNS server you use would matter to Google, from a 'send to captcha' perspective. I CAN imagine that the DNS server you use could lie to you about the right RR to send back, and then push you through some proxy for all manner of good/bad reasons.
Don't use DNS servers that lie.
https://en.wikipedia.org/wiki/Smart_DNS_proxy_server
I don't make this sh** up.
it's in wikipedia, so ... someone did :) But yea, don't use dns servers that lie to you UNLESS you understand very well what that lie is going to be and under what conditions you'll get the lie.
On 11/Nov/15 18:03, Christopher Morrow wrote:
it's in wikipedia, so ... someone did :) But yea, don't use dns servers that lie to you UNLESS you understand very well what that lie is going to be and under what conditions you'll get the lie.
Well, there is a ton of them offering pay-for services online that seem to work for millions of people globally. I suppose those folk are okay with the "lies" those resolvers tell - but there is a specific use-case for those, as you may know... Mark.
On Wed, Nov 11, 2015 at 11:09 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On 11/Nov/15 18:03, Christopher Morrow wrote:
it's in wikipedia, so ... someone did :) But yea, don't use dns servers that lie to you UNLESS you understand very well what that lie is going to be and under what conditions you'll get the lie.
Well, there is a ton of them offering pay-for services online that seem to work for millions of people globally.
I suppose those folk are okay with the "lies" those resolvers tell - but there is a specific use-case for those, as you may know...
Yes, people also jump out of perfectly good airplanes... we can't fix all the things :( my point really is you assume some risk when you do odd things with basic plumbing on the internet, if you don't actually know what you are doing you're going to get burned. Quoted from Wikipedia: "Dangers of Use[edit] The dangers of using an unknown IP as a Smart DNS are similar to any other rogue DNS server preforming DNS hijacking in that the user is not aware which parts of his traffic are redirect and intercepted." -chris
On 11/Nov/15 18:15, Christopher Morrow wrote:
Yes, people also jump out of perfectly good airplanes... we can't fix all the things :( my point really is you assume some risk when you do odd things with basic plumbing on the internet, if you don't actually know what you are doing you're going to get burned.
Quoted from Wikipedia: "Dangers of Use[edit] The dangers of using an unknown IP as a Smart DNS are similar to any other rogue DNS server preforming DNS hijacking in that the user is not aware which parts of his traffic are redirect and intercepted."
No arguments from me there... Mark.
We had an IP flagged where a new hire in our Marketing dept was doing some kind of SEO and was hammering Google's servers with API requests in the hundreds per minute. Google flagged it as malicious, got the captcha for all users behind that IP. After we found and stopped him, it returned to normal after a few hours. Ian Mock ________________________________________ From: NANOG [nanog-bounces@nanog.org] on behalf of Mark Tinka [mark.tinka@seacom.mu] Sent: Wednesday, November 11, 2015 10:23 AM To: Christopher Morrow Cc: nanog list Subject: Re: Google Captcha on web searches On 11/Nov/15 18:15, Christopher Morrow wrote:
Yes, people also jump out of perfectly good airplanes... we can't fix all the things :( my point really is you assume some risk when you do odd things with basic plumbing on the internet, if you don't actually know what you are doing you're going to get burned.
Quoted from Wikipedia: "Dangers of Use[edit] The dangers of using an unknown IP as a Smart DNS are similar to any other rogue DNS server preforming DNS hijacking in that the user is not aware which parts of his traffic are redirect and intercepted."
No arguments from me there... Mark.
On Tue, Nov 10, 2015 at 2:43 PM, Chris Murray <chris@ipstuff.ca> wrote:
The "popular open dns services" you refer to appear to be Proxy/VPN services that also provide DNS to get around region blocking. These services proxy and/or NAT users behind a single IP address to make it look like you are coming from a different country.
I may be biased, but when I think of popular open DNS services I think of OpenDNS or Google DNS, and you should *never* see a captcha as a result of using OpenDNS. Disclaimer: I work for OpenDNS, and while I can't speak to Google DNS, I have never heard of this behaviour with their service either.
Chris: as you correctly note, this can only happen if the DNS provider returns falsified records to hijack traffic and MITM it through their own proxies. But it sounds like you're unaware of the dark past of OpenDNS where they did exactly that, and their users got Google captchas as a result (they don't do this anymore). To answer the other questions/comments on the list: - You're responsible for all the traffic that comes from your IP. Joe, if you put 600 users behind an IPv4/32 you'd better make sure you have controls in place to keep malware (and shady browser extensions) off their machines. - The obvious way to avoid needing to share a NAT address is to switch to IPv6 if possible, as Nich said. - Google looks at an IPv4/32 or IPv6/64 by default (may be /56 or /48 for some hosting providers). If you have significant numbers of users sharing a /64, please explain why? Is it because you hate your users? ;) Damian
participants (10)
-
Chris Murray
-
Christopher Morrow
-
Damian Menscher
-
Hugo Slabbert
-
Ian Mock
-
Joseph Jenkins
-
Josh Luthman
-
Mark Tinka
-
Nicholas Warren
-
Nikolay Shopik