Is unbound dns leaking to google?

I am using the latest version of Pi-hole with unbound. I was looking at the logs in my router when I saw this.
192.168.88.99 is pihole

Take a look at the last entry...

NetRange: 216.239.32.0 - 216.239.63.255
CIDR: 216.239.32.0/19
NetName: GOOGLE

All of the above are root servers. But is 216.239.38.10 normal?

That appears to be a Google name server, and you would expect to see this if you were looking for a Google domain. A root server points to a TLD server, which leads to this.

Using the site (Trace DNS Delegation | Simple DNS Plus) to trace delegation on DNS query for "google.com," the path is shown below:

Loading root server list (static data):
-> a.root-servers.net (198.41.0.4)
-> b.root-servers.net (192.228.79.201)
-> c.root-servers.net (192.33.4.12)
-> d.root-servers.net (128.8.10.90)
-> e.root-servers.net (192.203.230.10)
-> f.root-servers.net (192.5.5.241)
-> g.root-servers.net (192.112.36.4)
-> h.root-servers.net (128.63.2.53)
-> i.root-servers.net (192.36.148.17)
-> j.root-servers.net (192.58.128.30)
-> k.root-servers.net (193.0.14.129)
-> l.root-servers.net (199.7.83.42)
-> m.root-servers.net (202.12.27.33)

Sending request to "k.root-servers.net" (193.0.14.129)
Received referral response - DNS servers for "com":
-> j.gtld-servers.net (192.48.79.30)
-> d.gtld-servers.net (192.31.80.30)
-> k.gtld-servers.net (192.52.178.30)
-> g.gtld-servers.net (192.42.93.30)
-> m.gtld-servers.net (192.55.83.30)
-> b.gtld-servers.net (192.33.14.30)
-> c.gtld-servers.net (192.26.92.30)
-> e.gtld-servers.net (192.12.94.30)
-> a.gtld-servers.net (192.5.6.30)
-> l.gtld-servers.net (192.41.162.30)
-> h.gtld-servers.net (192.54.112.30)
-> f.gtld-servers.net (192.35.51.30)
-> i.gtld-servers.net (192.43.172.30)

Sending request to "f.gtld-servers.net" (192.35.51.30)
Received referral response - DNS servers for "google.com":
-> ns2.google.com (216.239.34.10)
-> ns1.google.com (216.239.32.10)
-> ns3.google.com (216.239.36.10)
-> ns4.google.com (216.239.38.10)

Sending request to "ns2.google.com" (216.239.34.10)
Received authoritative (AA) response:
-> Answer: A-record for google.com = 216.58.214.46

The way you explain it, there is indeed nothing suspicious. However, I have an objection here, because this has happened with different URLs that do not belong to any Google URL.

As an example, I see the same 216.239.38.10 in my logs when I visited https://www.in.gr

Here is the trace delegation for that domain. Nothing through that Google nameserver. Note that we are in different areas of the world so the specific DNS path to the final domain might be different for each of us.

 Loading root server list (static data):
    -> a.root-servers.net (198.41.0.4)
    -> b.root-servers.net (192.228.79.201)
    -> c.root-servers.net (192.33.4.12)
    -> d.root-servers.net (128.8.10.90)
    -> e.root-servers.net (192.203.230.10)
    -> f.root-servers.net (192.5.5.241)
    -> g.root-servers.net (192.112.36.4)
    -> h.root-servers.net (128.63.2.53)
    -> i.root-servers.net (192.36.148.17)
    -> j.root-servers.net (192.58.128.30)
    -> k.root-servers.net (193.0.14.129)
    -> l.root-servers.net (199.7.83.42)
    -> m.root-servers.net (202.12.27.33)
   
 Sending request to "i.root-servers.net" (192.36.148.17)
    Received referral response - DNS servers for "gr":
    -> gr-d.ics.forth.gr (194.0.11.102)
    -> gr-m.ics.forth.gr (194.0.4.10)
    -> gr-c.ics.forth.gr (194.0.1.25)
    -> estia.ics.forth.gr (139.91.191.3)
    -> grdns.ics.forth.gr (139.91.1.1)
    -> gr-at.ics.forth.gr (78.104.145.227)
  
  Sending request to "estia.ics.forth.gr" (139.91.191.3)
    Received referral response - DNS servers for "in.gr":
    -> ns1.in.gr (195.97.55.98)
    -> ns.dolnet.gr (194.63.247.134)
    -> ns.in.gr (194.63.247.20)

  Sending request to "ns1.in.gr" (195.97.55.98)
    Received authoritative (AA) response:
    -> Answer: A-record for www.in.gr = 213.133.127.245
    -> Answer: A-record for www.in.gr = 213.133.127.247
    -> Authority: NS-record for in.gr = ns1.in.gr
    -> Authority: NS-record for in.gr = ns.in.gr
    -> Authority: NS-record for in.gr = ns.dolnet.gr
    -> Additional: A-record for ns.in.gr = 194.63.247.20
    -> Additional: A-record for ns.dolnet.gr = 194.63.247.134
    -> Additional: A-record for ns1.in.gr = 195.97.55.98

Likely some other software on your computer is querying a Google domain (Chrome browser, email client, etc.). The Google nameserver IP in your router log might not be related to this specific DNS query.

A quick test - block that Google name server IP in your router firewall and see what application no longer works.

So I disconnected all devices from my network and I have only this one, running SwagArch Linux and the Firefox browser. Nothing with Gmail or Google services etc. My Android is closed. I waited 5-6 minutes and started browsing to discourse.pi-hole.net

No comments..

192.168.88.99 pihole

There is nothing in the DNS trace path to "discourse.pi-hole.net" that goes through a Google name server.

There is an option in an unbound configuration for verbose logging - that may help you figure out what's calling the Google name servers.

Did you try blocking that Google name server IP?
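The verbose-logging suggestion above can be turned into a direct check. This is an added example, not code from the thread or from the unbound project: it reads an unbound log (produced with a raised `verbosity` setting in unbound.conf) and reports which query names were sent to any upstream address inside the Google range quoted in the first post. The sample lines are constructed, and their layout is an assumption modelled on unbound's iterator messages, so adjust the patterns to match your own log.

```python
import ipaddress
import re
from collections import defaultdict

# Whois range quoted in the thread for 216.239.38.10.
GOOGLE_NET = ipaddress.ip_network("216.239.32.0/19")

# Constructed sample log; the line layout is an assumption, not captured output.
# Two threads are interleaved on purpose to show why pairing must be per thread.
SAMPLE_LOG = """\
[1580000001] unbound[612:1] info: sending query: google.com. A IN
[1580000001] unbound[612:0] info: sending query: www.in.gr. A IN
[1580000001] unbound[612:1] debug: sending to target: <google.com.> 216.239.38.10#53
[1580000001] unbound[612:0] debug: sending to target: <in.gr.> 195.97.55.98#53
[1580000002] unbound[612:0] info: sending query: discourse.pi-hole.net. A IN
[1580000002] unbound[612:0] debug: sending to target: <.> 193.0.14.129#53
"""

LINE_RE = re.compile(r"unbound\[(?P<thread>\d+:\d+)\] \w+: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^sending query: (\S+) (\S+) IN$")
TARGET_RE = re.compile(r"^sending to target: <(\S+)> ([0-9A-Fa-f.:]+)#\d+$")

def queries_sent_to(log_text, network):
    """Return {upstream_ip: [(qname, qtype, delegation_zone), ...]} for IPs in network."""
    hits = defaultdict(list)
    pending = {}  # last "sending query" seen on each worker thread
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        q = QUERY_RE.match(msg)
        if q:
            pending[thread] = (q.group(1), q.group(2))
            continue
        t = TARGET_RE.match(msg)
        if not t or thread not in pending:
            continue
        try:
            addr = ipaddress.ip_address(t.group(2))
        except ValueError:
            continue  # not a parsable address; skip the line
        if addr in network:
            hits[str(addr)].append(pending[thread] + (t.group(1),))
    return dict(hits)

if __name__ == "__main__":
    for ip, sent in queries_sent_to(SAMPLE_LOG, GOOGLE_NET).items():
        for qname, qtype, zone in sent:
            print(f"{ip} <- {qname} {qtype} (delegation point {zone})")
```

The delegation zone in the output shows whose name servers unbound believed it was contacting, which is the detail the router log alone cannot provide.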
