Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
ED
Advisor

Geopolicy blocks 8.8.8.8 (India)

Hi everyone,

 

If you have geo policy enabled and blocking to and from India your DNS request for Google 8.8.8.8 will be blocked. 

Checking IP 8.8.8.8 now shows India.

 

Anyone else seeing this?

 

0 Kudos
Reply
7 Replies
_Val_
Admin
Admin

Please go to https://ipstack.com/ and show output you have for 8.8.8.8

0 Kudos
Reply
ED
Advisor

The output shows US but I believe Check Point is using Maxmind? 

Maxmind shows India.

 

You can check yourself https://www.maxmind.com/en/geoip-demo

 

Thanks for the quick reply.

0 Kudos
Reply
_Val_
Admin
Admin

You are correct, it does how India. I would suggest TAC case, if you believe this info is incorrect. You can also send a correction directly to the service via the online form.Not sure, how effective that would be.

0 Kudos
Reply
Timothy_Hall
Champion
Champion

Running a traceroute to 8.8.8.8 from the USA and looking at the hops leading up to the final 8.8.8.8 destination and the relatively low latencies at each hop (15 ms or less), my opinion is the India classification for that address is not correct.

Also when blocking countries with Geo Policy it is usually a good idea to create an exception for all domain-udp and domain-tcp traffic to avoid what I call "Indirect DNS blocks" in my book, which can cause seemingly random failures accessing certain sites whose server location and/or DNS service happen to load-balance into a blocked country.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Steve_Spohn
Explorer

I saw the same behavior this morning w/ 8.8.8.8 being classified in India. Thanks for the best practice suggestion, makes sense to me, was an easy fix!

0 Kudos
Reply

I went hardcore and blocked some countries using fwaccel dos rate command 😀 As I am using upstream DNS as forwarder, that seems to take care of the problem with accessing sites, etc.

0 Kudos
Reply
Tobias_Moritz
Collaborator

Well, locating the well known Google DNS server 8.8.8.8 in India is right and wrong at the same time.

Google uses anycast routing to give you the nearest operational server, depending on your source network.

See Wikipedia article about Google Public DNS.

Geolocation databases cannot show the right info here, as these adresses cannot be assigned to a fixed location.