Google Launches Public DNS Resolver
AdmiralXyz writes "Google has announced the launch of their free DNS resolution service, called Google Public DNS. According to their blog post, Google Public DNS uses continuous record prefetching to avoid cache misses — hopefully making the service faster — and implements a variety of techniques to block spoofing attempts. They also say that (unlike an increasing number of ISPs), Google Public DNS behaves exactly according to the DNS standard, and will not redirect you to advertising in the event of a failed lookup. Very cool, but of course there are questions about Google's true motivations behind knowing every site you visit."
They state very bluntly that IP addresses are expunged from the logs after 48 hours, and that no data is shared with Google Accounts or other Google services. They still get to play with a lot of aggregated data, but this seems like a fairly non-evil way to do it. Good for them. http://code.google.com/speed/public-dns/faq.html#privacy
8.8.8.8, 8.8.4.4.
The World Wide Web is dying. Soon, we shall have only the Internet.
# nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> slashdot.org
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: slashdot.org
Address: 216.34.181.45
They don't publish their own IPv6 records via this resolver :-(
The NTP pool (which probably needs even more NTP servers, btw) was recently changed so that the project's DNS servers return a list of nearest available NTP servers when queried. If you change your settings to use Google's DNS servers, the pool will now respond with a list of NTP servers close to Google's DNS servers, which may not be what you wanted.
Follow your Euro bills at EBT
From the page:
We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network.
RTT to my own resolver: microseconds
RTT to my ISP's resolver (Speakeasy = no redirect and such): ~21ms
RTT to Google's: 80+ms
No-brainer for me.
everything resolves to Google's proxies.
Really?
You, sir, are a liar.
Cue *whoosh* in 3..2.. actually, I still don't get it. Either you're trolling because you hate Google, or there's some obscure joke that I still don't understand. I really don't get how your list of crap it requires (most of which doesn't exist or doesn't apply to DNS) is funny -- are Google known for requiring random stuff like that?
I mean, they don't even touch NX:
That's more than you can say for most ISP-level resolvers.
Don't thank God, thank a doctor!
Except in this case, they claim your IP will be gone from their logs in 24 hours, and it'll never be associated with anything else you do at Google.
My guess is, they want broad statistics like the most popular domains visited, maybe even traffic patterns of which domains people tend to go to after which other domains.
So you're right, the motives are quite transparent. Except in this case, I have no idea why I wouldn't want to participate. It's likely to be a hell of a lot more responsive than my ISP's DNS.
RTFA:
Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users.
We delete these temporary logs within 24 to 48 hours.
In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.
So in other words, for less than two days, their DNS log, and nothing else, will know that a particular request was made from a particular IP. Other than that, they'll know that someone from your ISP, or perhaps from your whole fscking city, made that request -- maybe. I'm guessing they'll be looking at overall trends.
Anyone running Windows Server as their internal DNS server is probably forwarding DNS requests to an external name server. The workstation DNS settings are most likely controlled with DHCP, and if the admin has half a brain (I know, that's a big assumption), the users don't have rights to change the network settings.
Most internet security applications are usually proxy servers, or something like a Websense box. Those filter all traffic regardless of where the name resolution takes place. In fact, Websense can be configured to block DNS requests to non-approved / external servers (as can any firewall, etc).
Do your network admins a favor and use your work computer for work. Don't try to get around their access controls. Most of the time they'd love to give you free access to the internet, but the reality is that they are responsible for keeping Windows boxes secure. That isn't an easy job. What you might perceive as network admin Nazi behaviors is really just them protecting you from yourself... or your co-workers from themselves, etc.
I'm no expert on DNS DDoS amplification attacks, but reading up on them (including what Google has to say about them) I don't know what makes you say they only apply to consumer lines.
First of all, even if it were impossible to overwhelm Google's bandwidth, that wouldn't stop an attacker from using Google's open resolver in an amplification attack against some other target; in that regard, it would be better if Google were running it from an employee's basement.
Besides, it appears this type of attack has been used to create orders of magnitude more traffic than would be needed to just flood a consumer line.
According to Google's site, they recognize this as a problem and have mitigation strategies in place; the most relevant one seems to be throttles on sending of response packets to any given target.
Because it's not a crime when some big faceless company does it.
Google's DNS service defends against DDoS amplification attacks by using rate-limiting techniques. From Google:
A NYC lawyer blogs. http://www.chuangblog.com/
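The per-target response throttling that the two comments above describe (an open resolver used as a reflector against some other target, and Google's stated rate-limiting defence) as an added example; this is not code from the thread or from Google, and the limiter parameters, packet sizes and the sample query stream are all assumptions made up here:

```python
"""Per-destination response rate limiting for an open DNS resolver.

Added example (not Google's code and not from the page): a token bucket keyed
on the destination address models "throttle responses sent to any given
target". Queries are counted per *destination* because that is the field a
reflection attack spoofs. All numbers below are assumptions for illustration.
"""
from collections import defaultdict

QUERY_BYTES = 64        # assumed size of a small spoofed query
RESPONSE_BYTES = 3000   # assumed size of a large (e.g. ANY / DNSSEC) response


class ResponseRateLimiter:
    """Token bucket per destination: at most `rate` responses/second sustained,
    with bursts up to `burst`. Legitimate clients with their own address get
    their own bucket and are not affected by the attack on the victim."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, dst: str, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size.
        last = self.last.get(dst, now)
        self.tokens[dst] = min(self.burst, self.tokens[dst] + (now - last) * self.rate)
        self.last[dst] = now
        if self.tokens[dst] >= 1.0:
            self.tokens[dst] -= 1.0
            return True
        return False


def simulate(queries, limiter):
    """queries: iterable of (timestamp_seconds, source_ip) in time order.
    Returns {ip: {"received": n, "answered": n, "dropped": n}}."""
    stats = defaultdict(lambda: {"received": 0, "answered": 0, "dropped": 0})
    for ts, src in queries:
        stats[src]["received"] += 1
        if limiter.allow(src, ts):
            stats[src]["answered"] += 1
        else:
            stats[src]["dropped"] += 1
    return dict(stats)


def amplification_factor(query_bytes=QUERY_BYTES, response_bytes=RESPONSE_BYTES):
    """Bytes reflected at the victim per byte the attacker sends."""
    return response_bytes / query_bytes


def attack_bytes(n_answered, response_bytes=RESPONSE_BYTES):
    """Traffic that actually reaches the victim for n answered queries."""
    return n_answered * response_bytes


def constructed_traffic():
    # Constructed sample (assumption): 1000 spoofed queries/sec carrying the
    # victim's address for 5 s, plus one legitimate client at 2 queries/sec.
    victim = "198.51.100.7"
    legit = "192.0.2.10"
    q = [(i / 1000.0, victim) for i in range(5000)]
    q += [(i / 2.0, legit) for i in range(10)]
    return sorted(q)


def demo():
    limiter = ResponseRateLimiter(rate=20, burst=50)
    return simulate(constructed_traffic(), limiter)


if __name__ == "__main__":
    stats = demo()
    v = stats["198.51.100.7"]
    print("amplification factor: %.1fx" % amplification_factor())
    print("without limiting: %d bytes at victim" % attack_bytes(v["received"]))
    print("with limiting:    %d bytes at victim" % attack_bytes(v["answered"]))
    print("legitimate client:", stats["192.0.2.10"])
```

With the assumed sizes each spoofed 64-byte query would pull ~3000 bytes onto the victim (about 47x). The bucket lets the victim's address receive the initial burst plus 20 responses/sec and drops the rest, so the 5000 spoofed queries reflect roughly 150 responses instead of 5000, while the legitimate client, keyed on its own address, is never throttled.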
4.2.2.2 and their ilk are free and non-redirecting. You can use 4.2.2.1 4.2.2.2 4.2.2.3 4.2.2.4 4.2.2.5 or 4.2.2.6
They are run by L-3 and sitting on major backbones, and the IP addresses are pooled, so that you will likely get a server that is geographically near you when you use one of those addresses.
"Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using," the company said. "We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users. We delete these temporary logs within 24 to 48 hours.
"In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage."
I'd be more impressed if they blocked out ads entirely.
You do know how Google makes their money, right?
If your network security relies on limiting DNS lookups, you don't really have any network security at all. You might as well take the house numbers off the front of your house to make it harder for burglars to find your house to break in.
Search 2010 Gen Con events
While the OpenDNS name resolution service is free, people have complained about how the service handles failed requests. If a domain cannot be found, the service redirects you to a search page with search results and advertising provided by Yahoo!. A DNS user can switch this off via the OpenDNS Control Panel but will lose content filtering ability. This behavior is similar to that of many large ISPs who also redirect failed requests to their own servers containing advertising. [12]
In 2007, David Ulevitch explained that in response to Dell installing "Browser Address Error Redirector" software on their PCs, OpenDNS started resolving requests to Google.com. Some of the traffic is handled by OpenDNS typo-correcting service which corrects mistyped addresses and redirects keyword addresses to OpenDNS's search page, while the rest is transparently passed through to the intended recipient.[13]
Also, a user's search request from the address bar of a browser that is configured to use the Google search engine (with a certain parameter configured) may be covertly redirected to a server owned by OpenDNS without the user's consent (but within the OpenDNS Terms of Service).[14] Users can disable this behavior by logging in to their OpenDNS account and unchecking "OpenDNS proxy" option.[15] Additionally, Mozilla users can fix this problem by installing an extension[16] or by simply changing or removing the navclient sourceid from their keyword search URLs.
This redirection breaks some non-web applications which rely on getting an NXDOMAIN for non-existent domains, such as e-mail spam filtering, or VPN access where the private network's nameservers are consulted only when the public ones fail to resolve.
http://www.chaotickingdoms.com
If you register with OpenDNS, you can opt out of the hijacking. Basically turn off all additional services (like malware checking, keywords and typing correction) and OpenDNS works just like any normal DNS server out there. The problem is that you have to submit your IP, or their servers won't recognize you; this can be done either by your router or with a Windows app that periodically submits the IP (not sure about Linux or MacOS).
Except that Google only stores records for 24-48 hours and then deletes them and does not share the data with its ads department or any other Google services.
OpenDNS is not hijacking google searches. They simply fix broken google searches.
> this would then be the first free service that I know of which doesn't do redirect
Well, there are *tons* of them. And fast. Download this program (if you're on Windows), run it, and see which are good for you. Redirecting and "strict" are marked with different colors.
http://www.grc.com/dns/benchmark.htm
Mod parent up - DHCP on a public node can make dragons fly out of your nose.
No sig today...
I just tried it and it's *WAY* faster than my ISP - web pages start loading a couple of seconds sooner than before.
You can opt-out of the Comcast rerouting.
https://dns-opt-out.comcast.net/
It's not cookie-based either, it actually disables it for your cablemodem's MAC address.
Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
I guess for me it's clear: I'll skip it for now.
DNS is simple?
BIND has what, 200 releases in the 9.x branch alone? There are more BIND releases than there are Linux kernels, and that's saying something!
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
Those aren't personally targeted ads, they're just matched well to the demographic and geographic in which they're placed.
They may not be individually targeted, but they *are* targeted.
For those too lazy to run whois:
...
...
spliffy@localhost:~$ whois gtei.net
Registrant:
Verizon Trademark Services LLC
Verizon Trademark Services LLC
1320 North Court House Road
Arlington VA 22201
US
domainlegalcontact@verizon.com +1.7033513164 Fax: +1.7033513669
Brief history lesson:
DARPA asked BBN to build the arpanet. They built and owned Autonomous System Number 1. (ASN1)
BBN split into BBN Technologies and BBN Networking. BBN Technologies went off and did their own thing. BBN Networking kept ASN1 and grew into a tier 1 ISP.
GTE bought BBN Networking and renamed the division GTE Internet ( aka GTEI )
Southern Bell bought GTE but wasn't allowed to keep all of it due to monopoly laws put in place during the Ma Bell breakup. They renamed the Telco part Verizon and spun off the infringing internet bit as Genuity.
Genuity was funded through a 'guaranteed' $2B revolving credit line by Verizon.
Verizon lobbied enough people to overturn enough of regulations such that they no longer needed Genuity at all, and dumped the loan.
Genuity's remaining assets were sold in bankruptcy to Level 3 Communications, including ASN1, the 4.0.0.0/8 and 8.0.0.0/8 ARIN allocations and the gtei.net name.
Note: they also said they would eventually restrict 4.2.2.1 and 4.2.2.2 to customer access only, so if you're not a Level(3) customer, you probably need to find another solution.
I've seen a bunch of other comments like that from people who seem to know tech people over at L3, combined with the behavior we saw after these comments started popping up and I have to assume that L3 was intentionally introducing the delay to wakeup non-customers to switch off them.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
That's indicative of the fact that DNS is a fundamental piece of the internet framework and those who develop it realize security issues must be fixed as soon as possible. I can't tell you how many BIND releases have been to only address one security issue.
Using dnsmasq, which runs on pretty much any Linux-based router, it's trivial to defeat any OpenDNS evilness. Just add these settings to your /etc/dnsmasq.conf:
server=208.67.222.222
server=208.67.220.220
bogus-nxdomain=67.215.65.132
bogus-nxdomain=67.215.66.132
That's it, no more redirects for invalid or temporarily unavailable addresses, respectively. To also stop OpenDNS from interfering with searches initiated via the Firefox address bar, just remove the sourceid=navclient parameter from the keyword.URL string in about:config.
These simple precautions allow me to use OpenDNS anonymously without ever noticing it -- a real treat in a country like mine, where it's not only ISPs who fiddle with DNS but the government too. That said, I'll give Google's new service a try anyway.
most of what follows is true
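An added example tying together the NXDOMAIN-redirection complaint (mail filters and VPN split-horizon setups that depend on an honest NXDOMAIN) and the dnsmasq bogus-nxdomain lines above. This is not code from the thread, OpenDNS, Google or dnsmasq: it is a minimal DNS wire-format builder and parser that classifies a resolver's answer for a name that should not exist. The two redirect addresses are the ones given in the dnsmasq config; the query name, transaction ID and both sample responses are constructed here:

```python
"""Detecting NXDOMAIN rewriting in DNS responses.

Added example, not from the page or any of the services it discusses. A
standards-conforming resolver answers a query for a nonexistent name with
RCODE 3 (NXDOMAIN). A redirecting resolver answers NOERROR with an A record
pointing at its own search/ad host, which is what dnsmasq's bogus-nxdomain
filters out. Samples below are constructed; only the redirect IPs come from
the dnsmasq config quoted above.
"""
import struct

REDIRECT_IPS = {"67.215.65.132", "67.215.66.132"}   # from the dnsmasq config above
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def build_query(qid: int, name: str) -> bytes:
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query: bytes, rcode: int, a_records=()) -> bytes:
    """Construct a response echoing the question; a_records are dotted IPv4 strings."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode                          # QR + RD + RA, plus rcode
    question = query[12:]
    header = struct.pack("!HHHHHH", qid, flags, 1, len(a_records), 0, 0)
    answers = b""
    for ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C: pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4) + rdata
    return header + question + answers


def parse_response(msg: bytes) -> dict:
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                                    # qtype + qclass
    a_records = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            a_records.append(".".join(str(b) for b in rdata))
    return {"id": qid, "rcode": flags & 0xF, "qname": qname, "a": a_records}


def classify(msg: bytes, redirect_ips=REDIRECT_IPS) -> str:
    r = parse_response(msg)
    if r["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"                           # honest failure
    if r["rcode"] == RCODE_NOERROR and set(r["a"]) & set(redirect_ips):
        return "rewritten"                          # answer is a known redirect host
    if r["rcode"] == RCODE_NOERROR and r["a"]:
        return "answer"
    return "other"


# Constructed samples: the name is made up, under the reserved .invalid TLD.
QUERY = build_query(0x1234, "no-such-host.invalid")
HONEST = build_response(QUERY, RCODE_NXDOMAIN)
REWRITTEN = build_response(QUERY, RCODE_NOERROR, ["67.215.65.132"])

if __name__ == "__main__":
    for label, resp in (("honest", HONEST), ("rewritten", REWRITTEN)):
        print(label, classify(resp), parse_response(resp))
```

Feeding the same query to a resolver and passing the raw reply to classify() tells you which kind of resolver you are talking to; a spam filter or split-horizon VPN client that only checks "did I get an A record" would treat the rewritten reply as a real host, which is exactly the breakage described above.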
They're not doing any datamining with the resolvers, beyond keeping an eye out for performance and abuse issues. From their privacy page:
It seems they're actually playing relatively nice here and aren't adding the DNS queries to your "Google profile" like they do with search engine queries and other Google activity. They can already track the majority of your movements online through their advertising and stats programs and can gather even more detailed information if you use their web browser. Adding DNS profiling into the mix is probably a bit redundant.
Assuming they're telling the truth, Google's goal with their public resolvers is just to make DNS faster and more efficient.
Just a few clarifications...GTEI was GTE Internetworking, and GTE was bought by Bell Atlantic.
If they're just after datamining the DNS requests, this service can happily run on negative income, because it improves Google's other things and provides them even more data.
This is untrue. From the Google DNS privacy page, linked from the blog post (emphasis added):
Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users. We delete these temporary logs within 24 to 48 hours.
In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.
That page also details exactly what features are logged. Does your current upstream DNS provider document their logging policies?
Disclaimer: I work for Google, but I will cite my sources.