The Mysterious 1e100.net

If you are the type of tech junkie who likes to dig into your Internet access logs to look at your incoming and outgoing Internet connections, you may have noticed that the domain “1e100.net” pops up once in a while, seemingly without rhyme or reason. In some instances you may even have a persistent connection to 1e100.net, even as soon as you start your computer.

What on Earth is 1e100.net? Well, if you are enough of a math geek, you know that the “e” here is scientific notation for “times ten to the power of”, so “1e100” means 1×10 to the 100th power. That’s a big number…in fact, it’s a number so large that it’s called a “googol” – a one followed by 100 zeroes. Hmmm, googol, googol…what’s familiar about that word? Ah yes – it sounds just like Google. And that’s because Google is named after googol, and 1e100.net is one of Google’s domains. A WHOIS lookup for that domain reveals it’s owned by them.

Because many power users aren’t aware of this connection, their first reaction upon seeing 1e100.net pop up in a network management program, such as a software-based firewall, is to block it because they don’t know what it is. It further freaks people out if it shows up as a persistent connection that they can’t get rid of. However, it is a perfectly harmless connection and there’s no need for panic. The 1e100.net domain will never show up by itself. It will always be a subdomain such as server-name.1e100.net.
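A reverse-DNS name is set by whoever controls the IP block, so a log entry that merely ends in 1e100.net is a claim rather than proof. The following is an added example, not part of the original article: it applies the subdomain rule above on a label boundary and then forward-confirms the name against the logged IP. The sample log, host labels and documentation-range addresses are constructed, and `in_zone`, `classify` and `sample_lookup` are illustrative names.

```python
import ipaddress
import socket

GOOGLE_RDNS_ZONE = "1e100.net"

def in_zone(hostname, zone=GOOGLE_RDNS_ZONE):
    """True only for a real subdomain of zone, matched on a label boundary."""
    return hostname.rstrip(".").lower().endswith("." + zone)

def system_forward_lookup(hostname):
    """Addresses the name resolves to via the system resolver (needs network)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()

def classify(ip, ptr_name, forward_lookup=system_forward_lookup):
    """Verdict for one (remote IP, reverse-DNS name) pair from a connection log."""
    if not in_zone(ptr_name):
        return "not-1e100"
    # The PTR record is only a claim by the IP's owner; confirm it forwards.
    addrs = {ipaddress.ip_address(a) for a in forward_lookup(ptr_name)}
    return "confirmed" if ipaddress.ip_address(ip) in addrs else "unconfirmed"

# Constructed sample data: documentation IP ranges and made-up host labels.
SAMPLE_FORWARD_ZONE = {
    "aa-in-f10.1e100.net": {"192.0.2.10"},
    "bb-in-f20.1e100.net": {"192.0.2.20"},
}
SAMPLE_LOG = [
    ("192.0.2.10", "aa-in-f10.1e100.net"),      # PTR and forward lookup agree
    ("203.0.113.5", "bb-in-f20.1e100.net"),     # name resolves to another IP
    ("198.51.100.7", "cdn.not1e100.net"),       # look-alike suffix
    ("198.51.100.8", "1e100.net.example.org"),  # zone name used as a prefix
    ("198.51.100.9", "1e100.net"),              # bare domain, no host label
]

def sample_lookup(hostname):
    """Offline stand-in for DNS, backed by the constructed zone above."""
    return SAMPLE_FORWARD_ZONE.get(hostname.rstrip(".").lower(), set())

def run_sample():
    return [classify(ip, name, sample_lookup) for ip, name in SAMPLE_LOG]

if __name__ == "__main__":
    for (ip, name), verdict in zip(SAMPLE_LOG, run_sample()):
        print(f"{ip:15} {name:24} {verdict}")
```

Calling `classify(ip, name)` without the third argument uses the system resolver instead of the constructed zone.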

Instances where you will see the 1e100.net connection

(By “see” I mean viewing from a network utility that can closely monitor all network requests.)

Any web page that has embedded YouTube video

For YouTube itself (a Google property) or any other web site that has a YouTube video embedded in it, 1e100.net will show up even if the video isn’t loaded. When the Flash player first launches it makes a request to YouTube for the video thumbnail image and therefore sends a request to 1e100.net for that data.

Firefox “safe browsing”

This feature is enabled by default and uses a Google server to check the web sites you load to see if they’re in the “bad” list.

This is located under Tools / Options / Security.

The two checkboxes “Block reported attack sites” and “Block reported web forgeries” enable Firefox to check every single web site you load against the “bad” list Google has.

Uncheck these two boxes if you don’t want where you surf to be checked against the Google list.

If you want to see the actual configuration data for this, load the address about:config in Firefox, then search for safebrowsing.

You don’t necessarily have to do anything here, but if you wanted to know “How much Google is in my Firefox?”, there’s your answer.

Google Earth / Google Updater

Both Earth and Updater (which Earth installs by default) will make connections to 1e100.net to check for updates.

You can instruct Updater not to do that if so desired.

Other places?

As far as I’m aware, the three above instances are where you will see 1e100.net appear. Now that you’re aware of what it is and its purpose, you know it’s not spyware or malware. It’s Google. Using a weird domain because.. um.. well.. it’s a long story and we’ll leave it at that. :)

26 thoughts on “The Mysterious 1e100.net”

Gina OShell says:
If you look up the longitude and latitude coordinates from the IP address information, you are able to obtain the property owner’s name. But it’s not Google, LLC, as you would expect it to be! The property is owned by the City of Mountain View. I can’t imagine Google doesn’t own its own land and buildings where its servers are housed, as they would want to take full opportunity of any depreciation for tax purposes ?? So Whom is watching Who??
aurorum says:
don’t think you’re in a position to control your privacy without external firewalls and a whole lot of monitoring and paranoia. as UEFI gets more and more developed and more overlooked as just a bios replacement more and more people will forget or not know that it is a middleman os and doesn’t stop after it boots your os. it has full admin access to hardware, data on hardware and can make connections to the internet to servers like these to report or upload malicious or illicit content that it has detected. also, it’s already hacked by a russian group named something bear and that is why mobo native wifi is cancer. also the open source alternatives exist for uefi but i have not tried them yet. afraid of bricking my dual bios mobo lol. so really, my point is your computer software running in layers below your os can do things without you knowing. without your os software firewall knowing. this is the age the non paranoid or the apathetic have left us.
helpful_zombie says:
since when did fancy bear hack the entirety of uefi?
Bali Bebas! says:
Great little post here. If you’re on an Android device you may detect and block this domain using NetGuard, an open source firewall for Android (available on F-Droid). Based on profiling on EMUI I saw connection attempts to 1e100 for services such as “Google Backup Transport”, “Google Play services” and “1021” (GPS daemon). I’d have personally blocked this domain sooner but I’ve only been using Android for a few months and only recently became aware of NetGuard.
John says:
ummm, you guys are still blind, deaf and dumb. The registrant is located in Bluffdale Utah which IS the NSA Data Center. They run everything through the 1e100 as well as Akamai to make it hard for you to block it using wildcard filters. You CAN just block the bluffdale list. And the servers will fallback to other non-nsa servers. This is also why the pentagon and google have got together for delivering data recently.
helpful_zombie says:
other things than the nsa data center are allowed to be located in bluffdale. for example: my house

they don’t do it to make it hard for you to block, they do it to prevent xss and to assign hostnames to their multiple ip addresses.

source: https://support.google.com/faqs/answer/174717

Cotton_balls_007 says:
I don’t know if we’re all just geeking, googling or Google Eyed I’m going to contact Paul Harvey by way of Jodie Foster cuz if ain’t nobody after there’s an awful lot of waste of space.
androidhacked says:
I wish you had the time to dig deeper a little bit more because markmonitor is not just the registrar of that address (le100.net) but it’s also registered with gstatic which is an intrusive dangerous virus that gets past any anti virus ware, malware, etc… Detection…. I found out by firefox extensions called no script 10.1. This extension reveals scripts running on websites you look at. I looked up all the websites (scripts) that were running on my pages i was looking at, even key locked pages and gstatic.com will always pop up. I think you were getting close because (le100.net) (gstatic) both registrar is mark monitor who i THINK is descizing or hiding behind being registered to google. My phone is currently hacked by gstatic and i looked up their ip which led me to this page. I tried everything but no antivirus apps can remove this on an android phone. Any suggestions???
helpful_zombie says:
gstatic isn’t a virus — it’s google’s (notice the g in gstatic) static hosting site for all of their scripts and fonts. (also, markmonitor is just the company that registered gstatic, 1e100, etc. on behalf of google.) 9/10 times the reason you see it on random sites is because it uses fonts, scripts, or CSS styles from google. This is quite common, and is absolutely nothing to be scared of. You can see it on this page too — there’s a reCAPTCHA and some fonts, which are both hosted, at least partly, on gstatic.
Scott says:
Found this domain in my net logs and it had 2.9GB of data outbound to it in just 1 day. The data was coming from an iPhone connected via WiFi.
Leo says:
By mass data collection makes it Harder to find the correct information. What it is this 1e100 doesn’t represent scientific notion for a Google. Bc e= 2.718
What does it mean?
Giving in this situation I know that the integral of e is itself a partial differential operation. Do e= operator of the partial differential in question, with reference to our initial integral.

Technically speaking GOOGLE COULD HAVE AN INFINITE VOLUME OF SPACE by utilizing this domain name properly. Its what sets an integral to start moving leads to imaginary numbers, Querteronians…..

My best guess is a SUPER WIFIMAXX COMPUTER OR “baby QUANTUM” computer using just Quibits FOR EXTRA COMPUTATIONAL POWER

no thanks says:
Oh boy, way to go completely down the wrong path. 1e100 is 1*10^100, where “e” is just a convention for scientific notation. It is not related to the mathematical constant “e” that is the base of the natural logarithm.
Mikael Isaksson says:
Occasionally Fallout 4 crashes when changing area. Every time that happens, and I don’t know if this is the cause or a response to the crash, but every time that happens, steam.exe sends several hundreds of megabytes to an address such as this. But Fallout just becomes unresponsive and has to be forcibly shut down.
Drew says:
Those interested can buy the 1e100.net away from google, it expires on: Registrar Registration Expiration Date: 2019-09-24T22:40:03-0700. Hmmm, I wonder if you could reserve it from the 25th of September and on….. >;)
no thanks says:
That’s not how this works… there is zero chance they won’t continue to renew the domain.
Cybershield Cyberguard says:
“ET ATTACK_RESPONSE Microsoft CScript Banner Outbound” being detected to f27.1e100.net and not entirely sure why the sig matches what Google is doing. 1e100.net shows registered to Google but Registrar is markmonitor.com who specializes in brand protection. Curious what is really going on but no time to dig deeper.
jiamei says:
using ie 11 and no network activity that I can see in network resource monitor
Tiago Paolini says:
Just in case someone is interested, here is the official statement from Google about this domain:
http://support.google.com/bin/answer.py?hl=en&answer=174717
Michael says:
> …it’s not spyware or malware. It’s Google…

Well, who says that Google isn’t spying on you anyway. Just because it’s Google doesn’t mean it can’t or won’t be used against you.

Randy says:
They are, Google tracks everything and every site.
Agua Loca SL says:
found 12 names for the MX servers for ESTAFADORES agualoca.es: TIMO gy-in-f27.1e100.net, alt1.aspmx.l.google.com, bw-in-f27.1e100.net, qy-in-f27.1e100.net, aspmx2.googlemail.com, iw-in-f27.1e100.net, aspmx.l.google.com, pv-in-f27.1e100.net, aspmx3.googlemail.com, aspmx4.googlemail.com, ww-in-f27.1e100.net, and alt2.aspmx.l.google.com. (A single machine may go by more than one hostname. All of them are shown.)
d0ug says:
you will see that domain when you start firefox… you know.. the default google search page that loads when you first start google?
Jad says:
Forget Google, try DuckDuckGo. duckduckgo.com
Biswajit says:
Well why actually google is using 1e100.net for is quite unknown, but i checked out the above link to find out, what is the link between google and 1e100
Jim Cooper says:
A ‘google’ is the name for the number that is one with 100 zeros… similar to Tera .. and Mega … we’re just not used to dealing with numbers quite that big … YET ..
mxm says:
You can see the 1e100.net also if you 'ping http://www.google.com'(and of course by using nslookup/dig but that's geeky stuff ;-)
TechnoShaman says:
PING showed me nothing of the sort. I think you mean to say, “Do a TRACEROUTE”, as in
tracert http://www.google.com
(leave off the http:// stuff, it is not the proper syntax for this)
which for me leads to a series of anonymous servers along the path… rather odd.
For those unfamiliar with this “geeky stuff”, these are DOS-like commands you use in a Command Window in Windows: CMD.EXE followed by TRACERT and the NAME or ADDRESS you wish to inquire about, which does not have to be an http type name or address:
tracert google.com
works just fine (but checks a slightly different address).

Regards, etc.

no thanks says:
It’s POSIX, not DOS…
N0ah says:
i'm also getting this for port 993 (i think it's an imap thing or something as i'm using google for email hosting and stuff)
Oliver Slay says:
GoogleMail, Blogger, GTalk … all appear to open connections to 1e100 …
confi says:
ekrn.exe (nod32 antivirus) keeps connecting to 1e100…

ekrn.exe:296 TCP 192.168.*.*:* 74.125.127.147:80 ESTABLISHED

74.125.127.149 resolves to
“pz-in-f149.1e100.net”
Top Level Domain: “1e100.net”
Country IP Address: UNITED STATES

Jim Cooper (of course) says:
I wonder who has the job of dreaming up all the sub-domain and sub-sub-domain names to use with 1e100.net … : ))
helpful_zombie says:
First of all, they’re randomly generated. Second of all, there are no sub-sub domains.
Nick says:
You’re right that the googol has one hundred zeros but your scientific notation is off. 10*10^100 is 1e101, whereas a googol is 1*10^100 (or just 10^100 or 1e100).
doesprivacyexist says:
haha Googol. officially it’s caching or attack site verification (a “service”, but personally i think it’s to collect info on habits… Cheaper than phoning ppl for inquiries and big money it is. Yet nobody hangs up when google is phoning you ;)… Strange. Anyhow if you’re up to it: Best learn about how to get rid of flash cookies and read about unique id’s, afterwards never visit google, youtube, etc… (yes they are the same) Don’t forget to also set search bar to something different than google too if using firefox. Maybe check out http://www.scroogle.org/cgi-bin/scraper.htm :-)

As a final note, I want to mention, if it will not be google, it will be another. Get used to it or don’t use internet

toddboyle says:
OK thanks for all the information.

Where can I get a utility to BLOCK GOOGLE EVERYTHING?

How hard is that. Sheesh. GIVE ME THE UTILITY.

DOna says:
SterJo NetStalker will block the connection attempts from the 1e100 remote host unless you update the policy file to mark it acceptable. So far I have not marked this one Accept in the policy file, with no problems being caused that I can detect. NetStalker notifies me of the address that was blocked and I have the option to “resolve host” to see who owns the address. All connections are shown in the daily log and a daily history of GB received and sent and number of blocked attempts. There is a premium version that saves a detailed daily log of connections – or some such additional feature – but I use the freebie. Pretty cool – maybe some people don’t know about it.
Mel says:
Excellent information….I agree with Jase. Sadly, it’s becoming harder to stay one step ahead of the unethical.
Jase says:
is google the new microsoft?

first we had microsoft everything, now it’s google everything.

Rich Menga says:
You are definitely not the first person to say that. :)
José says:
Microsoft still charges for his operating system / office suite. Still doesn’t release its code.
aaa says:
Neither does Google, and it charges by putting ads everywhere
