Netgate Discussion Forum

    Normal traceroute for mail.google.com to China?

    • SmokinMoJoe

      Do I have something messed up with unbound?

      win10:~ joe$ traceroute mail.google.com
      traceroute: Warning: mail.google.com has multiple addresses; using 74.125.203.83
      traceroute to mail-china.l.google.com (74.125.203.83), 64 hops max, 52 byte packets
      1 firewall (10.254.254.1) 5.600 ms 6.978 ms 6.227 ms
      2 22.34.207.1 (22.34.207.1) 12.827 ms 14.139 ms 12.455 ms
      3 96-34-42-196.static.unas.mi.charter.com (96.34.42.196) 12.892 ms 12.064 ms 13.005 ms
      4 crr01aldlmi-bue-230.aldl.mi.charter.com (96.34.35.24) 16.756 ms 19.596 ms 21.591 ms
      5 bbr01aldlmi-bue-1.aldl.mi.charter.com (96.34.2.8) 25.962 ms 21.507 ms 13.627 ms
      6 bbr01chcgil-bue-805.chcg.il.charter.com (96.34.0.139) 33.123 ms 25.634 ms 31.569 ms
      7 prr01chcgil-bue-2.chcg.il.charter.com (96.34.3.9) 24.906 ms 25.575 ms 25.726 ms
      8 prr01chcgil-gbe-0-7-0-3.chcg.il.charter.com (96.34.152.117) 32.434 ms 31.151 ms 34.082 ms
      9 108.170.243.197 (108.170.243.197) 29.061 ms * *
      10 216.239.47.128 (216.239.47.128) 29.545 ms
      108.170.233.110 (108.170.233.110) 34.229 ms
      72.14.232.168 (72.14.232.168) 24.593 ms
      11 108.170.243.233 (108.170.243.233) 26.131 ms
      72.14.232.70 (72.14.232.70) 44.499 ms
      209.85.143.103 (209.85.143.103) 42.330 ms
      12 209.85.250.146 (209.85.250.146) 33.273 ms
      209.85.251.139 (209.85.251.139) 49.183 ms
      209.85.254.94 (209.85.254.94) 34.961 ms
      13 108.170.228.147 (108.170.228.147) 88.452 ms
      72.14.239.127 (72.14.239.127) 94.546 ms
      209.85.247.5 (209.85.247.5) 35.727 ms
      14 216.239.47.250 (216.239.47.250) 47.152 ms
      108.170.236.125 (108.170.236.125) 177.227 ms
      216.239.47.250 (216.239.47.250) 50.881 ms
      15 216.239.54.53 (216.239.54.53) 89.672 ms
      209.85.245.48 (209.85.245.48) 204.713 ms
      72.14.234.25 (72.14.234.25) 297.979 ms
      16 209.85.248.153 (209.85.248.153) 399.879 ms
      209.85.249.207 (209.85.249.207) 208.874 ms
      209.85.247.19 (209.85.247.19) 409.622 ms
      17 209.85.249.53 (209.85.249.53) 237.340 ms
      216.239.46.3 (216.239.46.3) 211.124 ms
      72.14.233.210 (72.14.233.210) 245.371 ms
      18 * 209.85.247.199 (209.85.247.199) 318.458 ms *
      19 * * *
      20 * * *
      21 * * *
      22 * * *
      23 * * *
      24 * * *
      25 * * *
      26 * * 74.125.203.83 (74.125.203.83) 261.646 ms

      • motific

        That definitely doesn’t look like the right server, but nothing there shows how you got that answer. You could dial up the logging level and see if you get something interesting there.

        • KOM

          Unbound is getting the responses straight from the DNS root hosts. If something is wrong with DNS, it's likely their fault on the other end and not your end.

          • SmokinMoJoe

            Clearing the DNS cache on the client (Mac OS X 10.13) seemed to help, but the same issue happened on the pfSense box. I think Charter was doing some DNS manipulation, someone at Charter made a mistake, or the spooks have put my DNS traffic in the tunnel for them to tamper with. Moving to DNSSEC and pointing my firewall to use a DNSSEC provider seems to have cleared this issue up.

            • SmokinMoJoe @motific

              I had a similar/identical traceroute from a Mac OS X client and on the pfSense box itself using 127.0.0.1 (unbound).

              Seems like it would be interesting to have unbound log when DNSSEC could not be used because the root keys are invalid, either the time on pfSense is wrong or the ISP is doing layer 7 manipulation. i.e. like what happens when you live in China, Russia or the USA...

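Added example, not from any poster in this thread or from Netgate: an unbound.conf fragment that raises the logging level as suggested above and makes Unbound record why a DNSSEC validation failed and which server sent the data. It assumes DNSSEC validation is already enabled with a working trust anchor, and that on pfSense the lines are entered through the DNS Resolver custom options field.

```conf
# Added example: logging options for the server: section of unbound.conf.
# Assumption: the validator module and a root trust anchor are already
# configured (on pfSense, DNSSEC support enabled in the DNS Resolver).
server:
    # General log detail: 0 = errors only, 1 = operational information,
    # 2 = detailed operational information.
    verbosity: 2

    # One log line per client query and per reply sent, so a suspicious
    # answer can be matched to the time and client that asked for it.
    log-queries: yes
    log-replies: yes

    # Validator logging, independent of verbosity:
    # 0 = off, 1 = one line per user query that fails validation,
    # 2 = also the reason for the failure and the server that sent
    #     the faulty data.
    val-log-level: 2

    # Log the reason whenever a client is answered with SERVFAIL
    # (a bogus DNSSEC answer reaches the client as SERVFAIL).
    log-servfail: yes

    # Require DNSSEC records for zones under a trust anchor; if they
    # have been stripped in transit, the zone is treated as bogus
    # instead of being silently accepted as unsigned.
    harden-dnssec-stripped: yes

# Scope note: validation only covers names in signed zones. Answers
# for unsigned zones are returned as insecure and produce no
# validation log line, whatever the logging level.
```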