Note: This article was originally published in 2013. Some steps, commands, or software versions may have changed. Check the current Infrastructure documentation for the latest information.
This article explains 1e100.net? and why it matters for your environment.
What is 1e100.net? Is it a Virus?
The short answer is: No, 1e100.net is not a virus, malware, or spyware. It is a legitimate, official domain owned and operated by Google.
“1e100” is scientific notation for $1 \times 10^{100}$, which is a 1 followed by 100 zeros. This massive number is mathematically known as a Googol—which is where Google got its name.
Google uses 1e100.net as the primary reverse DNS hostname for its vast infrastructure of servers worldwide. Instead of assigning a unique domain to every single IP address used by YouTube, Gmail, Google Search, Google Drive, and Google Analytics, the company unified its network under this single, hidden domain name in 2009.
Why does 1e100.net appear in my firewall or proxy logs?
If you are a sysadmin monitoring a corporate firewall (like Fortinet, Palo Alto, or pfSense) or using network analysis tools like Wireshark, you will frequently see connections to domains like oa-in-f95.1e100.net.
When your computer communicates with any Google service (which happens constantly, even if you are just browsing a third-party site that uses Google Analytics or Google Fonts), the traffic routes to an IP address owned by Google. When your firewall or logging software performs a Reverse DNS (rDNS) lookup on that IP address to find out what it is, Google’s DNS servers respond with a 1e100.net hostname.
Troubleshooting: SSL Server Certificate Does Not Match
Often, network administrators first notice 1e100.net when their firewall explicitly blocks a connection. For example:
| Field | Value |
|---|---|
| Log type: | Web Proxy (Forward) |
| Status: | 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested. |
| Destination: | oa-in-f95.1e100.net (173.194.64.95:443) |
| Protocol: | https-inspect |
Why does this happen?
This connection is blocked because the SSL certificate presented by the server (likely for *.google.com or *.youtube.com) does not mathematically match the hostname the firewall parsed via reverse DNS (oa-in-f95.1e100.net).
If you are running an SSL-inspecting proxy, you must configure it to acknowledge that 1e100.net is a valid Subject Alternative Name (SAN) for Google services, or simply whitelist Google’s known IP ranges from deep SSL inspection.
Proof: Verifying the Domain Ownership
If you perform a WHOIS lookup on any Google IP address resolving to 1e100.net (for example, 173.194.64.95), the ARIN database confirms it is directly allocated to Google Inc.:
NetRange: 173.194.0.0 - 173.194.255.255
CIDR: 173.194.0.0/16
Organization: Google LLC (GOGL)
RegDate: 2009-08-17
Updated: 2012-02-24Official Explanation from Google
To eliminate any doubt and prevent concerns about cross-site scripting or tracking, Google officially addressed this on their help portal:
“1e100.net is a Google-owned domain name used to identify the servers in our network. Following standard industry practice, we make sure each IP address has a corresponding hostname. In October 2009, we started using a single domain name to identify our servers across all Google products, rather than use different product domains such as youtube.com, blogger.com, and google.com. We did this to keep things simpler and to proactively improve security by protecting against potential threats such as cross-site scripting attacks.”