Tuesday, March 16, 2010

Why is Google Public DNS scanning ports on my host computer?!

Being fed up with poor DNS response during peak hours from the ISP-assigned resolver, or occasional complete blackouts, I recently opted to use Google Public DNS. While the performance and security benefits of the latter are impressive and I trust Google to be able to safeguard against DNS poisoning compared to an average, unaware ISP, recently I found myself on the receiving side of port scan or DoS attempts from Google DNS directed to the private IP of my host computer! Here is a firewall log from my Internet-facing router. The router is on a private LAN shared with the host computer. I have intentionally masked the time and the private IP addresses on my host.

Tue, 2010-03-16 03:33:04 - UDP Packet - Source:8.8.8.8 Destination:192.168.x.y - [PORT SCAN]
Tue, 2010-03-16 03:34:43 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,52344 - [DOS]
Tue, 2010-03-16 03:34:44 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,59397 - [DOS]
Tue, 2010-03-16 03:34:44 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,36034 - [DOS]
Tue, 2010-03-16 03:34:49 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,58507 - [DOS]
Tue, 2010-03-16 03:34:49 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,47320 - [DOS]
Tue, 2010-03-16 03:34:49 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,43986 - [DOS]
Tue, 2010-03-16 03:34:54 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,57783 - [DOS]
Tue, 2010-03-16 03:34:54 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,46381 - [DOS]
Tue, 2010-03-16 03:34:54 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,37386 - [DOS]
Tue, 2010-03-16 03:34:59 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,42595 - [DOS]
Tue, 2010-03-16 03:34:59 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,49444 - [DOS]
Tue, 2010-03-16 03:35:00 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,46906 - [DOS]
Tue, 2010-03-16 03:35:05 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,50278 - [DOS]
Tue, 2010-03-16 03:35:05 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,42480 - [DOS]
Tue, 2010-03-16 03:35:05 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,46706 - [DOS]
Tue, 2010-03-16 03:35:10 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,33430 - [DOS]
Tue, 2010-03-16 03:35:10 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,37712 - [DOS]
Tue, 2010-03-16 03:35:10 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,58394 - [DOS]
Tue, 2010-03-16 03:35:16 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,39228 - [DOS]
Tue, 2010-03-16 03:35:16 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,41935 - [DOS]
Tue, 2010-03-16 03:35:16 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,57780 - [DOS]
Tue, 2010-03-16 03:35:21 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,60592 - [DOS]
Tue, 2010-03-16 03:35:21 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,45238 - [DOS]
Tue, 2010-03-16 03:35:21 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,37143 - [DOS]
Tue, 2010-03-16 03:35:26 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,47709 - [DOS]
Tue, 2010-03-16 03:35:26 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,58876 - [DOS]
Tue, 2010-03-16 03:35:26 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,42900 - [DOS]
Tue, 2010-03-16 03:35:32 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,56628 - [DOS]
Tue, 2010-03-16 03:50:59 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,35201 - [DOS]
Tue, 2010-03-16 03:50:59 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,58851 - [DOS]
Tue, 2010-03-16 03:51:00 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,59257 - [DOS]
Tue, 2010-03-16 03:51:05 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,44891 - [DOS]
Tue, 2010-03-16 03:51:05 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,36661 - [DOS]
Tue, 2010-03-16 03:51:05 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,56824 - [DOS]
Tue, 2010-03-16 03:51:11 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,43335 - [DOS]
Tue, 2010-03-16 03:51:11 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,44840 - [DOS]
Tue, 2010-03-16 03:51:11 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,48039 - [DOS]


Notice the time difference between two successive scanning or reported DoS attempts. Why is Google scanning these ports? Isn't a DNS resolver supposed to be a passive entity responding only to user requests and not initiating a connection with the client host computer? Is this some sort of opportunistic spying?
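
As an added example (not part of the original post or the router's software), the script below parses the log format shown above, groups entries into bursts by timestamp, and flags entries that have the shape of a DNS reply: source port 53 to an unprivileged destination port. The function names and the 1-second burst gap are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Entries copied from the router log above (private address masked as in the post).
SAMPLE_LOG = """\
Tue, 2010-03-16 03:33:04 - UDP Packet - Source:8.8.8.8 Destination:192.168.x.y - [PORT SCAN]
Tue, 2010-03-16 03:34:43 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,52344 - [DOS]
Tue, 2010-03-16 03:34:44 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,59397 - [DOS]
Tue, 2010-03-16 03:34:44 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,36034 - [DOS]
Tue, 2010-03-16 03:34:49 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,58507 - [DOS]
Tue, 2010-03-16 03:34:49 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,47320 - [DOS]
Tue, 2010-03-16 03:34:49 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,43986 - [DOS]
"""

LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - UDP Packet - "
    r"Source:(?P<src>[\d.]+)(?:,(?P<sport>\d+))? "
    r"Destination:(?P<dst>[\w.]+)(?:,(?P<dport>\d+))? - \[(?P<tag>[^\]]+)\]$"
)

def parse(log):
    """One dict per recognised line; ports are None when the router omitted them."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["sport"], e["dport"] = (int(p) if p else None for p in (e["sport"], e["dport"]))
        entries.append(e)
    return entries

def bursts(entries, max_gap=1):
    """Group entries whose timestamps are at most max_gap seconds apart."""
    groups = []
    for e in sorted(entries, key=lambda x: x["ts"]):
        if not groups or (e["ts"] - groups[-1][-1]["ts"]).total_seconds() > max_gap:
            groups.append([])  # gap too large: start a new burst
        groups[-1].append(e)
    return groups

def reply_shaped(e):
    """True when source port is 53 and destination port is unprivileged (>= 1024)."""
    return e["sport"] == 53 and e["dport"] is not None and e["dport"] >= 1024

def burst_gaps(groups):
    """Seconds from the start of each burst to the start of the next."""
    return [(b[0]["ts"] - a[0]["ts"]).total_seconds() for a, b in zip(groups, groups[1:])]
```

Comparing the burst times and destination ports against the host's own outgoing queries to 8.8.8.8 shows whether the flagged packets answer requests the host sent.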

3 comments:

  1. Good question!

    I've been hammered by Google for the past two months, and I've kept the logs to prove it.

    I've used Google DNS for about 2 years and this probing just started recently.

    WHY is this happening?

  2. Forgot to add....

    I think I'll try OpenDNS on my DSL router and see if they scan.

  3. Hi,
    I too was looking for info on the same and am just so curious to find so many connections initiated from 8.8.8.8 to closed ports on my caching DNS server. Do you have any update on this lately?
