Slashdot Mirror


Google DNS Glitch Caused Outage

An anonymous reader writes "Google suffered a pretty long outage Saturday evening, due to some DNS glitches, according to a company spokesperson. All Google services were down for a while, including Gmail and Google AdSense. There seems to be a DNS hijack, as some screen grabs show that Google.com was redirecting to another site, SoGoSearch.com."

25 of 283 comments

  1. Whois Entries Not Indicative of a Hack by LogicX · · Score: 5, Informative

    Everyone keeps freaking out because when they run a whois query they get this:

    GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
    GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
    GOOGLE.COM

    This is NOT at ALL indicative of a hack.

    All this means is that gulli.com chose to register a DNS server with their registrar called 'GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM' instead of ns1.gulli.com -- to do EXACTLY what they just did -- got your attention.

    Simmer down everyone. If you whois ANY major site you'll see similar things. (Just try Microsoft.com)

    --
    May this post be indexed by spiders, and archived for all to see as my Internet epitaph.
    1. Re:Whois Entries Not Indicative of a Hack by Anonymous Coward · · Score: 1, Informative

      You're not very good at explaining things. I understand what's going on, but:

      "GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
      GOOGLE.COM

      This is NOT at ALL indicative of a hack."

      followed by

      "All this means is that gulli.com chose to register a DNS server with their registrar called 'GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM' instead of ns1.gulli.com"

      are two facts which don't have any logical connection. You should point out how gulli registering this appeared when people did a whois on Google.

    2. Re:Whois Entries Not Indicative of a Hack by A+beautiful+mind · · Score: 4, Informative

      Also the Screenshots are just about BROWSER GUESSES. The screenshots show http://www.google.com.net!

      You know, it's what happens when the browser can't find the given domain name (dns servers are down), that it tries www.google.com.com, then www.google.com.net and it happened to be already taken by the site in the screenshots.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    3. Re:Whois Entries Not Indicative of a Hack by AndroidCat · · Score: 3, Informative
      Because, by default, whois does a search match on the entire record rather than just the name. Since the names of a domain's DNS servers are part of that record, some smartasses with spare domains load up the DNS server names with useless extra strings that will match lookups against popular domains like google.

      This only confuses humans, and has nothing to do with Google's outage and overly helpful browser code.

      --
      One line blog. I hear that they're called Twitters now.
    4. Re:Whois Entries Not Indicative of a Hack by thedustbustr · · Score: 1, Informative
      AndroidCat (229562) says:
      It probably depends on whose whois server that you're querying and the default command used by whatever program you're using.
      AndroidCat (229562) says:
      There's a whois *program*? Damn, I've just been using telnet whois.internic.net 43 all these years!

      ...

      --
      This sig is false.
    5. Re:Whois Entries Not Indicative of a Hack by Wieland · · Score: 3, Informative

      Mozilla Suite: Edit -> Preferences -> Navigator -> Smart Browsing -> Domain Guessing

      Firefox: Go to about:config and set user_pref("browser.fixup.alternate.enabled", false);

    6. Re:Whois Entries Not Indicative of a Hack by thsths · · Score: 2, Informative

      Yes, you can append a . to the name. http://www.google.com./ will only ever get you google, or nothing at all.

      This "trick" is a lot older than mozilla, it applies to all DNS lookups. It also prevents the name from matching a machine on the local network. Mozilla also seems to recognise the dot, and it avoids the "guessing" step.

  2. Pre-FP by LogicX · · Score: 3, Informative

    Ironically people have been freaking out about this, even before slashdot posted the story; leaving comments in other articles

    --
    May this post be indexed by spiders, and archived for all to see as my Internet epitaph.
  3. SoGoSearch didn't hijack by Anonymous Coward · · Score: 5, Informative

    SoGoSearch didn't hijack Google's DNS. They registered a domain name google.com.net. Because the browser couldn't find google.com it tried as google.com.net. It has nothing to do with them hijacking any DNS.

    I do think it is unethical to register a domain such as google.com.net if you are not Google, but that is a different thing.

    1. Re:SoGoSearch didn't hijack by ryanjensen · · Score: 4, Informative
      Thing is, they didn't register "google.com.net" - they registered "com.net". The "google" part is called a wildcard, and any "*.com.net" would go to SoGoSearch. (See this report about yahoo.sex.com).

      The real problem lies in web browsers that append ".net" to a domain name when the .com version cannot be accessed.

    2. Re:SoGoSearch didn't hijack by jmaslak · · Score: 2, Informative
      Uh, no, this is not a browser bug.

      Yes, IE does do some bizarre stuff on its own, but this is a RESOLVER issue.

      Let's say you have a domain called "example.com". Let's say you have a host called "foo.example.com". What happens, with the common configuration, when you telnet to "foo.example.com" from a machine called "bar.example.com"? Well, if your resolv.conf contains search example.com, it will try to look up foo.example.com, then foo.example.com.example.com, then foo.example.com.com. The relevant section from resolv.conf (5) on my RH9 box:

      Most resolver queries will be attempted using each component of the search path in turn until a match is found.


      IE has a different broken component, but that doesn't come into effect until AFTER the resolver does its thing - it appends a bunch of TLDs to the name, not just ones in your search path. But IE does show you the proper URL when *it* (instead of the resolver) does this.

      Yes, this all is very dangerous behavior and some systems have learned "Only append the primary domain, not each subdomain". I think Windows is one of these systems actually. That's why if you are quux.baz.example.com, a Windows machine can't telnet to foo.example.com by simply typing in "telnet foo". This was a departure from the Unix resolver rules for security reasons - a good idea IMHO. (if a user typed "secureexampleintrant", you wouldn't want a phisher out there to have set up secureexampleintrant.com so your user unknowingly goes there instead of secureexampleintranet.example.com). Of course I am of the opinion that these "DNS shortcuts" are bad in general and the search keyword in BIND needs to go away. Let people type the whole URL.

      A little DNS knowledge is a dangerous thing indeed, though, as there is all sorts of FUD with this. This is DEFINITELY not a browser problem.
    3. Re:SoGoSearch didn't hijack by autocracy · · Score: 4, Informative

      It's definitely a browser problem. The resolver doesn't do that... the browser makes the other requests after being told NXDOMAIN by the resolver. So, while the issue comes from getting the wrong DNS response, it's because the browser asked the wrong questions thereafter. This also doesn't have to do with search directives. I'm sure there's something you're saying that I'm calling differently than you mean, but it's still an issue of the browser in this case.

      --
      SIG: HUP
    4. Re:SoGoSearch didn't hijack by jmaslak · · Score: 2, Informative

      RTFM!

      This has been default resolver behavior on Unix (including Mac OS X and Linux, IIRC) since early versions of the resolver libraries.

      I am NOT talking about the DNS server itself, rather the client libraries.

      On a Linux machine (at least RH9), look at
      "man 3 resolver".

      Note the "RES_DNSRCH" option:

      "If set, res_search() will search for host names in the current domain and in parent domains. This option is used by gethostbyname(3). [Enabled by default]."

      Note also that it is enabled unless someone turns it off in the code of the calling application.

      Note that "gethostbyname" is the common way in Unix C programming to find out the IP address of a DNS name. And gethostbyname() *is* using this option.

      If someone wants to disagree with this, I'm going to say "read the source" and then post that source to disprove this.

      In this case, when google.com returned NXDOMAIN, the resolver (accessed by gethostbyname on OS X and Linux) then looks up google.com.localdomain.tld. It then looks up google.com.tld. So, if your local domain was "example.net", it would try google.com.example.net followed by google.com.net - exactly the behavior we saw yesterday. It also explains why some people got "page not found" instead (there is no "google.com.com" - no DNS wildcard under com.com)
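
The search-list behaviour described in the comment above, and the trailing-dot workaround mentioned earlier in the thread, as an added example that is not part of any commenter's post. It is a simplified model (not glibc or BIND source); the function names, the `walk_parents` switch and the `ndots=1` default are assumptions made for illustration.

```python
# Added example: simplified model of resolver search-list expansion.
# Function names are hypothetical; this is not the real resolver library.

def search_list(local_domain, walk_parents=True):
    """Implicit search list: the local domain, plus each parent domain
    (down to the bare TLD) when walk_parents is True."""
    labels = local_domain.strip(".").lower().split(".")
    if not walk_parents:
        return [".".join(labels)]
    return [".".join(labels[i:]) for i in range(len(labels))]

def candidates(name, local_domain, walk_parents=True, ndots=1):
    """Ordered list of fully qualified names that would be queried."""
    name = name.lower()
    if name.endswith("."):            # rooted name: search list is skipped
        return [name]
    suffixed = [f"{name}.{d}." for d in search_list(local_domain, walk_parents)]
    as_is = [name + "."]
    # Names with at least `ndots` dots are tried as typed first.
    return as_is + suffixed if name.count(".") >= ndots else suffixed + as_is

def outside_local_domain(name, local_domain, **kw):
    """Candidates that are neither the typed name nor under the local
    domain, i.e. names a third party could register or wildcard."""
    local = "." + local_domain.strip(".").lower() + "."
    typed = name.lower().rstrip(".") + "."
    return [c for c in candidates(name, local_domain, **kw)
            if c != typed and not c.endswith(local)]

if __name__ == "__main__":
    for n in ("google.com", "google.com.", "foo"):
        print(n, "->", candidates(n, "example.net"))
    print("exposed:", outside_local_domain("google.com", "example.net"))
    print("primary only:",
          outside_local_domain("google.com", "example.net", walk_parents=False))
```

With the local domain `example.net`, the only candidate that leaves both the typed name and the local domain is `google.com.net.`; appending only the primary domain, or typing the rooted `google.com.`, removes it.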

  4. Not a hijack by Kip · · Score: 5, Informative

    They were just taking advantage of browser behavior.

    www.google.com.net leads to sogosearch.com

    When a browser fails to resolve an address, they will try adding .net and .com to the end of the address on the assumption maybe the user forgot to add it.

  5. Re:SoGoSearch by Dachannien · · Score: 2, Informative

    Never mind. See posts below indicating that these schmucks registered the .com.net domain and have a host named "google" in that domain, hence google.com.net.

  6. Just a DNS glitch by Eric(b0mb)Dennis · · Score: 3, Informative

    Lots of rumors of DNS getting poisoned and/or the Google site getting hacked. The reason being is people thought google.com was going to SoGoSearch.com..

    But apparently it was just their browsers not finding google.com and trying to go to Google.com.net

    Stop flipping out!

    --
    Excuse me, I don't mean to impose, but I am the ocean
  7. Best explanation I've seen was on BroadbandReports by Anonymous Coward · · Score: 1, Informative
    koitsu posted there:

    [some content removed to get past the lameness filter, see original post]

    Looks to me like Google broke their own DNS zones. Querying their nameservers DIRECTLY for e.l.google.com works -- I get an A record back -- but going through normal means, I don't.

    So, my guess is that someone forgot to increase the serial number when changing zones, the hostmaster updated the zones but forgot to toss in an A record for e.l.google.com initially (then later updated the zones, but haven't been updated in people's DNS cache tables because the queries for e.l.google.com failing are already cached and won't de-cache until the expiry is reached), or there's something majorly screwed with their DNS setup entirely.

    In English: all of the above basically says that 1 out of 4 DNS requests will fail, until DNS caches everywhere are flushed, or newer records are pulled down from Google's nameservers.
  8. How to avoid it by Anonymous Coward · · Score: 1, Informative

    Go to about:config and change browser.fixup.alternate.enabled to false.

  9. Re:So the DNS was down... by srblackbird · · Score: 2, Informative

    I have 2 DNS bookmarks for Google.com, and other websites I visit frequently
    In case there is an attack at the DNS-servers.

    http://216.239.39.99/ and http://216.239.57.104/

    --
    "The test of the morality of a society is what it does for its children." -Dietrich Bonhoeffer
  10. Re:It's time to end our dependence on google by dfjghsk · · Score: 5, Informative
    Google with its 85% market share. Google with its total control of the web search market.

    Except, its market share is only 35%.. which is far from a monopoly. (For comparison, yahoo is at 32%)

    Only here on slashdot does everyone think google completely controls the web search market.

    --
    Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
  11. Those schmucks were first by AndroidCat · · Score: 2, Informative
    com.net: Record created on 28-Sep-1994

    google.com: Created on..............: 1997-Sep-15.

    --
    One line blog. I hear that they're called Twitters now.
  12. Re:SoGoSearch by AndroidCat · · Score: 3, Informative

    Google's DNS was down, browsers did something that most people don't expect. Nothing to see, move along.

    --
    One line blog. I hear that they're called Twitters now.
  13. Re:Slashdot and Google by jdgeorge · · Score: 3, Informative

    I wonder if Google's shareholders feel the same way or if they understand that they do owe their customers? They're a business; they owe me whatever it is I feel like asking for or I'll go elsewhere.

    Are you an advertiser on Google? If not, it sounds as if you are confusing what Google owes shareholders (return on investment) and their customers (advertisers) with what Google owes the user, (technically, nothing).

    It is true that Google tries to provide a good experience for users, and that helps provide value to the advertisers and return on investment the shareholders are owed.

    If, on the other hand, you are an advertiser, you should realize that Google's first obligation is to its shareholders, not its customers or its users.

    (Okay, I realize that Google has other customers than advertisers, e.g. those who purchase Google's search services, users of Google Answers, etc., but my impression is that advertising generates the bulk of Google's revenue.)

  14. Re:Has it gotten to this point yet? by jmaslak · · Score: 3, Informative

    I'm sorry, but "important" email being sent to a free email account?

    If you get important email, I suggest paying for an account that provides support as part of the price. "Free" doesn't typically mean "great support", not even in the case of Google.

  15. none of the regional googles by DJCF · · Score: 2, Informative

    Actually, none of the regional googles were affected -- google.co.uk, google.co.th, etc.