Normal tracerotue for mail.google.com to china?
-
Do I have something messed up with unbound?
win10:~ joe$ traceroute mail.google.com
traceroute: Warning: mail.google.com has multiple addresses; using 74.125.203.83
traceroute to mail-china.l.google.com (74.125.203.83), 64 hops max, 52 byte packets
1 firewall (10.254.254.1) 5.600 ms 6.978 ms 6.227 ms
2 22.34.207.1 (22.34.207.1) 12.827 ms 14.139 ms 12.455 ms
3 96-34-42-196.static.unas.mi.charter.com (96.34.42.196) 12.892 ms 12.064 ms 13.005 ms
4 crr01aldlmi-bue-230.aldl.mi.charter.com (96.34.35.24) 16.756 ms 19.596 ms 21.591 ms
5 bbr01aldlmi-bue-1.aldl.mi.charter.com (96.34.2.8) 25.962 ms 21.507 ms 13.627 ms
6 bbr01chcgil-bue-805.chcg.il.charter.com (96.34.0.139) 33.123 ms 25.634 ms 31.569 ms
7 prr01chcgil-bue-2.chcg.il.charter.com (96.34.3.9) 24.906 ms 25.575 ms 25.726 ms
8 prr01chcgil-gbe-0-7-0-3.chcg.il.charter.com (96.34.152.117) 32.434 ms 31.151 ms 34.082 ms
9 108.170.243.197 (108.170.243.197) 29.061 ms * *
10 216.239.47.128 (216.239.47.128) 29.545 ms
108.170.233.110 (108.170.233.110) 34.229 ms
72.14.232.168 (72.14.232.168) 24.593 ms
11 108.170.243.233 (108.170.243.233) 26.131 ms
72.14.232.70 (72.14.232.70) 44.499 ms
209.85.143.103 (209.85.143.103) 42.330 ms
12 209.85.250.146 (209.85.250.146) 33.273 ms
209.85.251.139 (209.85.251.139) 49.183 ms
209.85.254.94 (209.85.254.94) 34.961 ms
13 108.170.228.147 (108.170.228.147) 88.452 ms
72.14.239.127 (72.14.239.127) 94.546 ms
209.85.247.5 (209.85.247.5) 35.727 ms
14 216.239.47.250 (216.239.47.250) 47.152 ms
108.170.236.125 (108.170.236.125) 177.227 ms
216.239.47.250 (216.239.47.250) 50.881 ms
15 216.239.54.53 (216.239.54.53) 89.672 ms
209.85.245.48 (209.85.245.48) 204.713 ms
72.14.234.25 (72.14.234.25) 297.979 ms
16 209.85.248.153 (209.85.248.153) 399.879 ms
209.85.249.207 (209.85.249.207) 208.874 ms
209.85.247.19 (209.85.247.19) 409.622 ms
17 209.85.249.53 (209.85.249.53) 237.340 ms
216.239.46.3 (216.239.46.3) 211.124 ms
72.14.233.210 (72.14.233.210) 245.371 ms
18 * 209.85.247.199 (209.85.247.199) 318.458 ms *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * 74.125.203.83 (74.125.203.83) 261.646 ms -
That definitely doesn’t look like the right server, but nothing there shows how you got that answer. You could dial up the logging level and see if you get something interesting there.
-
Unbound is getting the responses straight from the DNS root hosts. If something is wrong with DNS, it's likely their fault on the other end and not your end.
-
Clearing the dns cache on the client seemed to help, Mac OS X 10.13 but the same issue happened on the pfSense box. I think charter was doing some DNS manipulation, someone at charter made a mistake or the spooks have put my dns traffic in the tunnel for them to tamper with. moving to DNSSEC and pointing my firewall to use a DNSSEC provider seems to have cleared this issue up.
-
I had similar/identical traceroute from a Mac OS X client and on the pfSense box itself using 127.0.0.1(unbound).
Seems like it would be interesting to have unbound log when DNSSEC could not be used becuase the root keys are invalid, either the time on pfSense is wrong or the ISP is doing layer 7 manipulation. i.e. like what happens when you live in China, Russia or the USA...
