Google.com IP range

We access an external vendor's site who provided us some sort of service.

However, about 300 of our staff, mostly contract staff needs to access this
service but they currently are not granted Internet access on their PCs, so
we permit by firewall rules for entire organization to access that vendor's
site as going by proxy, we'll need to grant 300 proxy entries (ie by their
AD Id) to 3 URLs as that site will call/redirect to 2 other URLs.

By permitting at firewall rules & letting these contract staff bypass the
proxy, the contract staff can only access these 3 URLs & not any other
links/sites on Internet so this is still "secure" in my view as these 3
URLs are "trusted" sites.   This method of bypassing proxy is also to
facilitate that should new contract staff joins, the staff could access
as the 3 URLs while if we go by proxy, each time a new staff joins,
have to request for it & each time a staff leaves, have to remove that
staff's AD Id from proxy: quite an enormous admin task (for the
proxy admin as well as supervisors of these staff).

Q1:
Now, we just found that this vendor has coded another module to call
Google's "Captcha" service (which is  www.google.com/..... ) : what's
the entire subnet range of google.com ?  Is it a Class A, B or C or a
mix of many Class C  ranges ?

Q2:
Our firewalls can't resolve via public DNS currently so if permit to
access a large range of public IP, what's the security/risk implications?
Any other safe way of working around this?
sunhuxAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dr. KlahnPrincipal Software EngineerCommented:
Google owns -- in my sole opinion -- a far too large chunk of the IPv4 address space.

These are the ones I've been forced to block on my own server:

# ==== 23.251.128 - 23.251.159 ====
# ==== 35.184, 35.185, 35.186, 35.187, 35.188, 35.189, 35.190, 35.191 ====
# ==== 35.192, 35.193, 35.194, 35.195, 35.196, 35.197, 35.198, 35.199 ====
# ==== 35.200, 35.201, 35.202, 35.203 ====
# ==== 64.233.160 - 64.233.191 ====
# ==== 66.102.0 - 66.102.15 ====
# ==== 66.249.80 - 66.249.95 -- Non-Googlebot, proxies, experimental
# ==== 104.154 - 104.155 ====
# ==== 104.196, 104.197, 104.198, 104.199 ====
# ==== 107.178.192 - 107.178.255 ====
# ==== 130.211 ====
# ==== 146.148.96 - 146.148.127 ====
# ==== 162.222.176 - 162.222.183 ====
# ==== 199.223.232 - 199.223.239 ====
# ==== 209.85.128 - 209.85.255 -- Google proxies ====

Open in new window


So at present I'm blocking around 1.8 million addresses belonging to Google.  There are other ranges as well; these are just the ones that I've had to block due to security issues.  This also partially addresses your second question.
4

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Management

From novice to tech pro — start learning today.