hagezi / dns-blocklists

DNS-Blocklists: For a better internet - keep the internet clean!
GNU General Public License v3.0
4.68k stars 147 forks

Google Domains #2900

Open Retold3202 opened 2 weeks ago

Retold3202 commented 2 weeks ago

Which domain(s) should be blocked?

auditrecording-pa.googleapis.com
clienttracing-pa.googleapis.com
datasaver.googleapis.com
feedback-pa.googleapis.com
growth-pa.googleapis.com
gvt2-cn.com
gvt3.com
locationhistory-pa.googleapis.com
locationhistoryaggregates-pa.googleapis.com

Why should these domain(s) be blocked?

`auditrecording-pa.googleapis.com` - It looks like this is already blocked on Ultimate, but I think it might be worth blocking this on some of the less aggressive lists as well. This appears to be related to Google's Cloud Audit Logging API: https://cloud.google.com/logging/docs/audit, so it's just more telemetry. I was also able to find more info on it proving this further here on Page 34 & Page 36. We can see: `POST https://auditrecording-pa.googleapis.com/google.internal.api.auditrecording.v1.AuditRecordingMobileService/CreateAuditRecord POST body:` & `POST https://auditrecording-pa.googleapis.com/google.internal.api.auditrecording.v1.AuditRecordingMobileService/CreateAuditRecord Headers x-goog-spatula: CjYKFmNvbS5nb29n...Fwu6/s+CCz+wBKgA= POST body decoded as protobuf: <...> <...>`.

`clienttracing-pa.googleapis.com` - I've noticed Stock Android devices phone home to this, difficult to find info on, but it seems to be related to Google's [Cloud Trace API](https://cloud.google.com/trace/docs/reference/v2/rest/), so just more telemetry.

`datasaver.googleapis.com` - This is related to Chromium's "Data Saver" feature, I think we should really consider blocking this one, at least on the more aggressive lists. You can see [here](https://www.fastvue.co/sophos/blog/google-data-saver-affect-security-confidentiality-reporting/) for more info, but this is **extremely** concerning from a privacy & security standpoint... Google is not only sent the websites you visit, but literally MITMs them.

`feedback-pa.googleapis.com` - I've noticed Google apps on iOS and Android frequently call this domain, I wasn't able to find any official references or documentation on it, but it appears to be used for telemetry based off this [Czech forum post](https://forum.viry.cz/viewtopic.php?p=1552134&sid=78c6f5d12d61596281ce3bd0c0e135c0#p1552134) - `annotation=anonymous_feedback_submit_apicka_apkey=AIzaSejQEszExuVHsgk8YElDTlbbrhzeRISc --anenation=anonymous_feedback_submit_url=https://feedback-pa.googleapis.com/v1/feedback/products/1633926/web:anonymous_submit`

`growth-pa.googleapis.com` - I saw this domain was requested before in #44 & #2411, and it seems like it wasn't blocked due to the lack of information. However, I was able to find info on it, and it appears this domain is directly related to & used for promotions in Google's apps & services. See [here](https://chromium.googlesource.com/chromium/src/+/c26ff44a53..bf7ad46dee) from Chromium's source code, & [here](https://www.scss.tcd.ie/doug.leith/apple_google.pdf) on Page 9:

`-const char kDesktopIOSPromotionQueryPhoneNumber[] =` `- "https://growth-pa.googleapis.com/v1/get_verified_phone_numbers";` `-` `-const char kDesktopIOSPromotionSendSMS[] =` `- "https://growth-pa.googleapis.com/v1/send_sms";` `-`

`The Google Docs and Messaging apps (or a process on its behalf) connect to growth-pa.googleapis.com/google.internal.identity.growth.v1.GrowthApiService/GetPromos, sending device details but no unique identifiers`

`gvt2-cn.com` - Chinese variant of `gvt2.com`, which we already block, used for telemetry.

`gvt3.com` - Similar to `gvt2.com`, [according to Google, this is used for "Google Play connectivity monitoring and diagnostics"](https://support.google.com/work/android/answer/10513641).

`locationhistory-pa.googleapis.com` - This is extremely difficult to find information on, but it appears to be related to Google's location history. I think it'd probably make sense to block this on the more aggressive tests. This might need more investigation though, unclear.

`locationhistoryaggregates-pa.googleapis.com` - Same as above.

hagezi commented 2 weeks ago

Thank you @Retold3202, great work as always. We'll take a closer look.

@xRuffKez

Retold3202 commented 2 weeks ago

I recently dug up an old Stock Android phone I've had lying around, so I've been doing some experimenting & testing with it, and I found a couple more domains & more info.

feedback-pa.clients6.google.com - Another domain for feedback-pa.googleapis.com

footprints-pa.googleapis.com - Another domain that was requested in #2411, but lacked info around it. After a lot of investigating and testing on my device, this appears to be responsible for Google's Web & Activity History tracking. I was able to confirm this through the Google Maps app. If you try to start a route, and have your Google account's web & activity history disabled, there will be a prompt asking you to enable it. If you select Get started on the prompt while this domain is blocked, it will do nothing. However, when the domain is unblocked and you select Get started, it'll give you a pop-up and go through the process of enabling it. So, I think this is a fair conclusion to reach based on this behavior & context clues of its naming. It looks like we already have this domain blocked on some of the lists, but I figured I'd still give info on it regardless since there's literally none anywhere that I can find.

timeline.google.com - This appears to be another domain related to Google's Location History/"Timeline" tracking, might be worth blocking at least on the more aggressive lists.

There were a few other interesting domains I found as well that caught my eye, but I need to find more info on them, will probably further investigate tomorrow & report back with my findings. :)

hagezi commented 2 weeks ago

Thanks for the details @Retold3202 - great. I have added feedback-pa.clients6.google.com.

I will not completely block Google Maps Timeline through timeline.google.com, the data collection is blocked in Ultimate by blocking userlocation.googleapis.com.

hagezi commented 2 weeks ago

@Retold3202 Can you confirm that geller-pa.googleapis.com needs to be unblocked for the Google Assistant to work? It is currently unblocked.

There is also device-provisioning.googleapis.com, which also appears frequently in the logs. I once blocked it as a test and found that the push notifications could no longer be configured in the F1TV iOS app as a result.

Retold3202 commented 2 weeks ago

> @Retold3202 Can you confirm that geller-pa.googleapis.com needs to be unblocked for the Google Assistant to work? It is currently unblocked.

I tried blocking geller-pa.googleapis.com, and I did notice Assistant trying to connect there & being blocked, but it looks like Assistant is still functioning fine for me, I'm able to have a conversation with it & it seems to be able to still retrieve data from the internet. It looks like the main domain responsible for Assistant is assistant-s3-pa.googleapis.com, so I think as long as we don't touch that, we should be fine.

> There is also device-provisioning.googleapis.com, which also appears frequently in the logs. I once blocked it as a test and found that the push notifications could no longer be configured in the F1TV iOS app as a result.

I noticed this one as well. After some digging, it looks like it's part of Firebase Cloud Messaging according to Google's docs here, so that would make sense with it breaking push notifications for you there. We should probably just leave it alone.

hagezi commented 2 weeks ago

Many thanks @Retold3202, geller-pa.googleapis.com added to aggressive lists.

Retold3202 commented 2 weeks ago

Always glad to help @hagezi :)

I'm currently investigating these domains, but they're very difficult to find info on and I'm struggling to get them to reproduce, so I'll go ahead and post them here in case you or anyone else who stumbles upon this has any info on them:

searchpromo-pa.googleapis.com - I caught the "Google" app connecting to this, but I've only seen it connect one time, and sadly I already had it blocked when it did. So far I haven't been able to get it to connect to this again, and I've tried researching it and also haven't been able to find info on it, but it seems certainly related to some form of promotion, just wish I could get it to replicate. I can at least confirm that the Google app appears to function perfectly without issue with it blocked.

searchlabspartnerservice-pa.googleapis.com - This appears to be related to Google's "Search Labs" experiments, I've noticed the "Google" app connecting to this, probably worth blocking at least on the aggressive lists IMO.

labs.google - Same as above.

labs.google.com - Same as above, another domain used for the "Search Labs" experiments.

voilatile-pa.googleapis.com - This is probably the strangest domain I've found so far. It appears to be connected to from Google Play Services... but that's about all I know about it. I can't find any documentation or references to this online at all. I haven't seen any issues with it blocked, but since I don't have any idea what it does, it's tough to say whether it's actually safe or not to block. This'll definitely need more investigation.

xgapromomanager-pa.googleapis.com - Same story as searchpromo-pa.googleapis.com, I saw this connected to at the same time that domain was by the "Google" app, but I also had it blocked. Highly likely also related to some form of promotion, the Google app seems to function perfectly with it blocked, but I just wish I could also get it to reproduce. This is another domain with no documentation.

Some of these Google domains have been extremely difficult to find info on, they lack documentation, I've even dug through Google's developer resources. I'll keep experimenting around & investigating.

Retold3202 commented 2 weeks ago

A couple more discoveries:

glsfrontend-pa.googleapis.com - This domain is used for Google's "Local Services Ads". I can confirm as the app directly connects here.

localservices.googleapis.com - Another domain used for Google's "Local Service Ads", Source: Page 5 of here & here.

scone-pa.clients6.google.com - Another domain with no documentation, but I'm 100% certain this is related to Google advertising/tracking. In the "Google" app, whenever a sponsored result comes up, if I hit the 3 dots to access the "My Ad Center" pop-up, every single time without fail, this domain is also called. I haven't noticed any breakage with this blocked, and I've observed various Google apps connecting to it.

scone-pa.googleapis.com - Same as above.

AleIlMagno commented 1 week ago

@Retold3202 I had personally blocked voilatile-pa.googleapis.com in the past but I then whitelisted it because, if I remember right, after some days Google Play Store showed "Device not certified" under Play Protect Certification

AleIlMagno commented 1 week ago

Regarding locationhistory-pa.googleapis.com, this seems really sketchy, my device tries to call it two times a day even if I have location history (Timeline) disabled

AleIlMagno commented 1 week ago

I would also consider blocking:

content-autofill.googleapis.com
lamssettings-pa.googleapis.com
infinitedata-pa.googleapis.com
quake-pa.googleapis.com
chromesyncentities-pa.googleapis.com
nearbysharing-pa.googleapis.com
remoteprovisioning.googleapis.com

I have these blocked for months and I didn't notice any problem, but I also don't use most of google services, so some investigation is needed.

Retold3202 commented 1 week ago

> I had personally blocked voilatile-pa.googleapis.com in the past but I then whitelisted it because, if I remember right, after some days Google Play Store showed "Device not certified" under Play Protect Certification

I've had it blocked on my device for around a week now, and I just took a look, and it appears to still show as "Certified". So it might've just been a coincidence, or maybe it's something different in my case. Some of these Google domains are probably the hardest I've ever tried researching/finding info on, a lot of them are fairly sketchy IMO and there's near no info anywhere on a lot of them unfortunately.

> content-autofill.googleapis.com

I'm fairly certain this is related to the "Autofill with Google" feature on Android. Personally I could care less about it and I block it on my personal list, but I doubt Hagezi will want to block this for the masses since this could be a legitimate feature people are using.

> lamssettings-pa.googleapis.com

This appears to be related to geolocation (ex. Page 3 here). As to what its purpose is... your guess is as good as mine. 🤷‍♀️ I've had it blocked and haven't noticed any issues, looks like you have as well, but certainly needs more investigation.

> infinitedata-pa.googleapis.com

This is definitely a sketchy one, I've run into it myself and spent a lot of time researching it. After some more research, according to Page 53 here, this appears to be another form of telemetry & was caught here sending the list of installed apps to Google. I haven't encountered any issues with this blocked, & you said you haven't either, so I think we should probably consider blocking this on the lists.

> quake-pa.googleapis.com

Another domain with absolutely no info on it anywhere. Definitely needs investigation.

> chromesyncentities-pa.googleapis.com

This is probably related to Google Chrome Sync. This is another case where I doubt Hagezi will block it for the masses since it could be a legitimate feature that people are using. I'll probably add it to my personal blocklist though because I could care less about it.

> nearbysharing-pa.googleapis.com

This is definitely another sketchy one. It appears to be required for Google's "Quick Share" feature to work (ex. here), but this does also appear to be used for advertising & tracking. I think we should block it on the more aggressive lists.

> remoteprovisioning.googleapis.com

This shouldn't be blocked, it's part of Android's Remote Provisioning Attestation feature, which is useful from a security perspective & for checking device integrity.

Retold3202 commented 1 week ago

Also looks like I was 100% correct about footprints-pa.googleapis.com, this is definitely used for Google's Web & Activity History tracking. See Page 18 & 42 here.

`POST https://footprints-pa.googleapis.com/footprints.oneplatform.FootprintsService/GetActivityControlsSettings`

Retold3202 commented 1 week ago

As an aside, I think we should also consider blocking:

admob.googleapis.com - Google AdMob API.

adsensehost.googleapis.com - Google Adsense "Host" API.

audit.googleapis.com - Google Cloud Audit Logging.

analyticsadmin.googleapis.com - Google "Analytics Admin" API.

analyticsdata.googleapis.com - Google "Analytics Data" API.

analyticshub.googleapis.com - Google "Analytics Hub" API.

analyticsreporting.googleapis.com - Google "Analytics Reporting" API.

appenginereporting.googleapis.com - Google "App Engine Reporting Service".

chromeuxreport.googleapis.com - Google "Chrome UX Report" API.

cloudaudit.googleapis.com - Same as audit.googleapis.com, also used for Cloud Audit Logging.

cloudlatencytest.googleapis.com - Google "Cloud Network Performance Monitoring" API.

cloudprofiler.googleapis.com - Google Cloud Profiler Observability & Monitoring.

cloudtrace.googleapis.com - Google's "Cloud Trace" API.

content-partnersbadge-pa.googleapis.com - Google "Partner Badge Program" - Just more marketing & tracking.

dfareporting.googleapis.com - Google Doubleclick "Campaign Manager 360" API.

doubleclickbidmanager.googleapis.com - Google Doubleclick "Bid Manager" API.

doubleclicksearch.googleapis.com - Google Doubleclick "Search Ads 360" API.

federatedcompute-pa.googleapis.com - Part of Google's "Private Compute Services" - "Enables privacy-preserving aggregate machine learning and analytics across many devices, without any raw data leaving the device."

firebasepredictions.googleapis.com - Google Firebase "Predictions", just more creepy ad/tracking... See here.

firewallinsights.googleapis.com - Google "Firewall Insights".

gapromomanager-pa.googleapis.com - Not extremely clear, but appears to be another domain related to promotions in the "Google" app on Android, similar to xgapromomanager-pa.googleapis.com.

logging.googleapis.com - Google "Cloud Logging" API.

marketingplatformadmin.googleapis.com - Google "Marketing Platform Admin" API.

meshtelemetry.googleapis.com - Google "Mesh Telemetry & Monitoring" API.

mobilenetworkscoring-pa.googleapis.com - This appears to be reporting sensitive network data back to Google in order to determine the "network quality". See Page 18 & 42 here.

monitoring.googleapis.com - Google's "Cloud Monitoring" API.

pagespeedmobilizer.com - Google's "Page Speed Insights" API.

pagespeedonline.googleapis.com - Same as above.

partners-json.googleapis.com - Google "Partners API" - "Lets advertisers search certified companies and create contact leads with them, and also audits the usage of clients".

recommendationengine.googleapis.com - Google "Recommendations AI" & here - "Take advantage of Google's expertise in recommendations, powered by state-of-the-art machine learning models. Provide effective and real-time personalization with the recommendations capability (formerly Recommendations AI) of Vertex AI Search."

recommender.googleapis.com - Google "Recommender" & here. - "Recommender is a service on Google Cloud that provides usage recommendations and insights for Cloud products and services".

stackdriver.googleapis.com - Google's "Stackdriver" API - "Used by Google Cloud’s operations suite to collect signals across Google Cloud internal and external apps, platforms, and services".

surveys.googleapis.com - Google "Surveys" API.

tagmanager.googleapis.com - Google Tag Manager API.

timeseriesinsights.googleapis.com - Google "Time Series Insights" Monitoring API.

wirelessdevicestats.googleapis.com - Appears to be telemetry & data collection from Google Home.

hagezi commented 6 days ago

In https://github.com/hagezi/dns-blocklists/commit/426849232c606444d5d3c78f7fd9be517ed9458b I have made a few adjustments based on the comments. Thanks @AleIlMagno and @Retold3202. @AleIlMagno, if you want the "full program", then I recommend using Ultimate.

Retold3202 commented 6 days ago

Another domain I noticed devices on my network connecting to that might be worth blocking: tracedepot-pa.googleapis.com - Difficult to find info on, but it's likely also related to Google's "Cloud Trace". I haven't seen any issues with it blocked.
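
The triage done by hand throughout this thread (is an observed name already covered, deliberately left working, or a new candidate?) can be scripted against a resolver's query log. This is an added example, not code from the thread or the project: the rule excerpt, log lines, client addresses and `example-sub.gvt2.com` are constructed, and the dnsmasq-style log format and the exact-versus-subdomain matching of hosts-style and Adblock-style lines are assumptions about the resolver in use.

```python
import re
from collections import Counter
# Constructed blocklist excerpt, NOT the project's real list contents.
SAMPLE_RULES = """\
! Adblock-style rules match the domain and all of its subdomains
||auditrecording-pa.googleapis.com^
@@||device-provisioning.googleapis.com^
# hosts-style entries match one exact name only
0.0.0.0 gvt2.com
"""

# Constructed dnsmasq-style query log (the line format is an assumption).
SAMPLE_LOG = """\
Jan 10 03:10:00 dnsmasq[411]: query[A] locationhistory-pa.googleapis.com from 192.168.1.20
Jan 10 08:00:01 dnsmasq[411]: query[A] auditrecording-pa.googleapis.com from 192.168.1.20
Jan 10 08:00:02 dnsmasq[411]: query[AAAA] example-sub.gvt2.com from 192.168.1.20
Jan 10 09:30:10 dnsmasq[411]: query[A] device-provisioning.googleapis.com from 192.168.1.31
Jan 10 15:10:00 dnsmasq[411]: query[A] locationhistory-pa.googleapis.com from 192.168.1.20
"""

QUERY_RE = re.compile(r"query\[[A-Z0-9]+\] (\S+) from (\S+)")

def parse_rules(text):
    """Split list lines into exact-match, subdomain-match and allow sets."""
    exact, suffix, allow = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line[0] in "#!":
            continue
        if line.startswith("@@||") and line.endswith("^"):
            allow.add(line[4:-1])
        elif line.startswith("||") and line.endswith("^"):
            suffix.add(line[2:-1])
        else:
            exact.add(line.split()[-1])   # "0.0.0.0 name" or a bare "name"
    return exact, suffix, allow

def verdict(name, rules):
    """Return 'allowed', 'blocked' or 'uncovered' for one queried name."""
    exact, suffix, allow = rules
    labels = name.lower().rstrip(".").split(".")
    chain = [".".join(labels[i:]) for i in range(len(labels))]  # name + parents
    if any(p in allow for p in chain):
        return "allowed"          # allowlist wins, as for names that break apps
    if chain[0] in exact or any(p in suffix for p in chain):
        return "blocked"
    return "uncovered"            # a candidate worth researching

def triage(log_text, rules):
    """Count queries per (name, client, verdict) seen in the log."""
    hits = Counter()
    for name, client in QUERY_RE.findall(log_text):
        hits[(name.lower(), client, verdict(name, rules))] += 1
    return hits
```

Calling `triage(SAMPLE_LOG, parse_rules(SAMPLE_RULES))` shows the subdomain query slipping past the exact-match hosts entry, the kind of gap that only shows up when the log is checked against the list format actually deployed.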