Tuesday, February 26, 2013

Firewall: How to know the full range of IP addresses used by Google or by another company

Hi,

We can use the SPF entry in DNS. Mail servers use it to know who is allowed to send mail on behalf of a particular domain. Usually, companies put their full range of IP addresses in it. OK, you may find an exception; in that case, forget this tip :-)

The request in general is:

dig txt logmein.com

; <<>> DiG 9.7.3 <<>> txt logmein.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52340
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;logmein.com.                   IN      TXT

;; ANSWER SECTION:
logmein.com.            3600    IN      TXT     "v=spf1 " "mx:3amlabs.com ip4:82.150.61.82 ip4:63.251.133.64/27 ip4:77.242.192.1 ip4:69.25.20.1 ip4:74.201.74.1 ip4:173.48.77.106 ip4:195.56.119.18 ip4:67.20.183.208/28 " "ip4:216.52.233.0/24 ip4:64.94.18.0/24 ip4:64.94.46.1 ip4:74.112.65.204 ip4:74.112.65.210 ip4:72.22.169.96/27 ip4:207.106.191.64/26 ip4:67.208.179.240/28 include:salesforce.com -all"

;; Query time: 116 msec
;; SERVER: 172.16.165.248#53(172.16.165.248)
;; WHEN: Tue Feb 26 16:04:16 2013
;; MSG SIZE  rcvd: 389

For Google in particular, it is:

dig TXT _netblocks.google.com

; <<>> DiG 9.7.3 <<>> TXT _netblocks.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65120
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_netblocks.google.com.         IN      TXT

;; ANSWER SECTION:
_netblocks.google.com.  3583    IN      TXT     "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

;; Query time: 20 msec
;; SERVER: 172.16.165.248#53(172.16.165.248)
;; WHEN: Tue Feb 26 15:59:19 2013
;; MSG SIZE  rcvd: 254

This was found using:

dig txt google.com

; <<>> DiG 9.7.3 <<>> txt google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21752
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      TXT

;; ANSWER SECTION:
google.com.             2465    IN      TXT     "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"

;; Query time: 1 msec
;; SERVER: 172.16.165.248#53(172.16.165.248)
;; WHEN: Tue Feb 26 16:08:26 2013
;; MSG SIZE  rcvd: 116

Then:

dig txt _spf.google.com

; <<>> DiG 9.7.3 <<>> txt _spf.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42788
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_spf.google.com.               IN      TXT

;; ANSWER SECTION:
_spf.google.com.        183     IN      TXT     "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all"

;; Query time: 0 msec
;; SERVER: 172.16.165.248#53(172.16.165.248)
;; WHEN: Tue Feb 26 16:08:58 2013
;; MSG SIZE  rcvd: 149

So that is how you find _netblocks.google.com (the _spf.google.com answer also lists _netblocks2 and _netblocks3, which you query the same way).

Then you can put all those netblocks in an address group and use that group in a firewall policy to allow, deny, or do whatever you want with packets from/to those networks.
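As an added example (my own code, not from the post), here is a small Python script that walks the include: chain the way you would before building that address group: it collects the ip4:/ip6: netblocks, stops on include loops and on the 10-lookup limit from RFC 7208, and reports terms such as mx: (see the logmein.com answer) that need a separate lookup. dig_lookup, spf_netblocks and firewall_group are hypothetical names; PAGE_RECORDS holds the records from the dig answers above so the demo runs offline, and live lookups go through dig like in the post.

```python
import ipaddress
import subprocess

def dig_lookup(name):
    """TXT lookup via the post's tool; a record's quoted strings are joined as RFC 7208 requires."""
    out = subprocess.run(["dig", "+short", "txt", name], capture_output=True, text=True).stdout
    return ["".join(line.split('"')[1::2]) for line in out.splitlines()]

def spf_netblocks(domain, lookup, state=None):
    """Recursively follow include:/redirect=; return (ip4/ip6 networks, terms left to resolve by hand)."""
    state = state or {"seen": set(), "budget": 10}  # RFC 7208 s4.6.4: max 10 DNS-querying mechanisms
    nets, unresolved = [], []
    if domain in state["seen"]:  # include loop guard
        return nets, unresolved
    state["seen"].add(domain)
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208: zero or several records means no usable policy
        return nets, [f"{domain}: {len(spf)} SPF records"]
    for term in spf[0].split()[1:]:
        term = term.lstrip("+-~?")  # the qualifier does not change the address list
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))  # bare IP -> /32
        elif term.startswith(("include:", "redirect=")):
            if state["budget"] == 0:
                raise ValueError(f"{domain}: more than 10 DNS-querying mechanisms")
            state["budget"] -= 1
            target = term[8:] if term.startswith("include:") else term[9:]  # strip the keyword
            sub, more = spf_netblocks(target, lookup, state)
            nets, unresolved = nets + sub, unresolved + more
        elif term != "all" and not term.startswith("exp="):
            unresolved.append(f"{domain}: {term}")  # mx:, a:, ptr:, exists: need their own lookups
    return nets, unresolved

def firewall_group(domain, lookup=dig_lookup):
    """Collapse the collected networks into the shortest list for an address group."""
    nets, unresolved = spf_netblocks(domain, lookup)
    by_ver = [ipaddress.collapse_addresses([n for n in nets if n.version == v]) for v in (4, 6)]
    return [str(n) for group in by_ver for n in group], unresolved

PAGE_RECORDS = {  # copied from the dig answers in the post (_netblocks2/3 are not shown there)
    "google.com": ["v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ?all"],
    "_netblocks.google.com": ["v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
                              "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 "
                              "ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"],
}

if __name__ == "__main__":
    print(firewall_group("google.com", lambda d: PAGE_RECORDS.get(d, [])))
```

Keep in mind that an SPF record lists the hosts allowed to send mail for the domain, not every address the company owns, so check the unresolved list (the demo reports _netblocks2/3 there because the post does not show them) before you trust the group as complete.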

That's all folks!