Traceroute Isn't Real

[toast0]

8.8.8.8 is in many places. It's hard to get a list of exactly where[1], but the more places you can traceroute from, the more places you can add to your list. For 8.8.8.8 in particular, if you've got probes in major PoPs, you can probably get response times of 1 ms or less and be pretty sure that Google has a presence there. Of course, if you get a longer response time, they may have a presence there but your network may not have their local advertisement and your query routes elsewhere; or maybe the response from Google is being routed through another location. Traceroute might help debug a longer route to Google, but it'll be hard to debug the return.

For dns steering to unicast ips, you can get a reasonable idea of where the ips you can see are, although you'll need to make dns requests from different locations to see more of the available dns answers.

[1] Unless you're an insider, or maybe Google publishes a list somewhere. Their peeringdb listing of locations is probably a good start, though.

[mrngm]

  $ dig @8.8.8.8 +nsid news.ycombinator.com.
  ; NSID: 67 70 64 6e 73 2d 61 6d 73 ("gpdns-ams")
  news.ycombinator.com. 1 IN A 209.216.230.207

Repeating the same query returned:

  ; NSID: 67 70 64 6e 73 2d 67 72 71 ("gpdns-grq")

A few other resolvers implement this as well, e.g. 1.1.1.1 and 9.9.9.9:

  1.1.1.1: ; NSID: 35 32 31 6d 32 37 34 ("521m274")
  9.9.9.9: ; NSID: 72 65 73 31 32 31 2e 61 6d 73 2e 72 72 64 6e 73 2e 70 63 68 2e 6e 65 74 ("res121.ams.rrdns.pch.net")

with, as you can see, various degrees of human-readable information on the actual replying resolver.

(more DNS resolver introspection tricks can be found with DNSDiag https://dnsdiag.org/ )

[westurner]

DNSSEC:

  delv @8.8.8.8 +dnssec news.ycombinator.com
  delv @8.8.8.8 +dnssec AAAA news.ycombinator.com