Firewall considerations for Google reCAPTCHA

Some websites use Google's reCAPTCHA service to stop bots from abusing the site. This blog post describes how to identify which outbound firewall IP addresses and ports need to be opened.

What is reCAPTCHA?

  • A free service that protects your site from spam and abuse.
  • Uses advanced analysis techniques to tell humans and robots apart.
  • Comes in the form of a widget that you could easily add to a page.

There are essentially two approaches to opening up your outbound firewall: (1) allow outbound access to all Google IP addresses on ports 80 and 443 (see below), or (2) use a proxy server to control access to www.google.com.

Identifying Google IP Addresses and Ports

  1. Run the following commands from the servers hosting the code that requires access to Google reCAPTCHA:
dig -t TXT _netblocks.google.com
dig -t TXT _netblocks2.google.com
dig -t TXT _netblocks3.google.com

Note that:

  • _netblocks.google.com <– lists IPv4 addresses
  • _netblocks2.google.com <– lists IPv6 addresses
  • _netblocks3.google.com <– lists IPv4 addresses

  2. If you are opening up your firewall for IPv4 traffic, copy all the IP subnets identified in the output and open ports 80 and 443 to them.

For example:
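
One way to script steps 1 and 2, as an added example that is not part of the original post: the TXT answers are SPF-style records whose ip4: and ip6: tokens carry the subnets, so the script extracts them, validates each one, and prints the matching rules for review. The helper names, the choice of iptables as the firewall, and the sample records (documentation ranges, not Google's real netblocks) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). SAMPLE_TXT is constructed from
# documentation ranges (RFC 5737 / RFC 3849); it is not Google's real data.
# The last ip4 token is deliberately malformed.
SAMPLE_TXT='"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all"
"v=spf1 ip6:2001:db8::/32 ~all"
"v=spf1 ip4:203.0.113.0/24 ip4:203.0.113.300/24 ~all"'

# extract_cidrs <ip4|ip6> (hypothetical helper): read dig TXT answers on
# stdin and print one validated subnet per line. Tokens that are not
# well-formed CIDRs are dropped, so unexpected DNS content never ends up
# in a firewall rule.
extract_cidrs() {
    tr -d '"' | tr -s ' \t' '\n\n' | awk -v fam="$1" '
        function valid4(c,   p, o, i) {
            if (c !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) return 0
            split(c, p, "/"); if (p[2] + 0 > 32) return 0
            split(p[1], o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
            return 1
        }
        function valid6(c,   p) {
            if (c !~ /^[0-9A-Fa-f:]+\/[0-9]+$/) return 0
            split(c, p, "/"); return (p[2] + 0 <= 128)
        }
        index($0, fam ":") == 1 {
            c = substr($0, length(fam) + 2)
            if ((fam == "ip4" && valid4(c)) || (fam == "ip6" && valid6(c))) print c
        }'
}

# emit_rules (hypothetical helper): print, but do not apply, one outbound
# allow rule per subnet for TCP ports 80 and 443. iptables is an assumption.
emit_rules() {
    while IFS= read -r cidr; do
        printf 'iptables -A OUTPUT -p tcp -d %s -m multiport --dports 80,443 -j ACCEPT\n' "$cidr"
    done
}

# Live use: dig +short -t TXT _netblocks.google.com | extract_cidrs ip4 | emit_rules
printf '%s\n' "$SAMPLE_TXT" | extract_cidrs ip4 | emit_rules
```

Because the published ranges change over time, rerun the lookup periodically and compare the output with the rules already in place.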
