Google Launches Public DNS Resolver

AdmiralXyz writes "Google has announced the launch of their free DNS resolution service, called Google Public DNS. According to their blog post, Google Public DNS uses continuous record prefetching to avoid cache misses — hopefully making the service faster — and implements a variety of techniques to block spoofing attempts. They also say that (unlike an increasing number of ISPs), Google Public DNS behaves exactly according to the DNS standard, and will not redirect you to advertising in the event of a failed lookup. Very cool, but of course there are questions about Google's true motivations behind knowing every site you visit."

At least they have a clear privacy policy

[Edgewize]

They state very bluntly that IP addresses are expunged from the logs after 48 hours, and that no data is shared with Google Accounts or other Google services. They still get to play with a lot of aggregated data, but this seems like a fairly non-evil way to do it. Good for them. http://code.google.com/speed/public-dns/faq.html#privacy

No IPv6 records :-(

[Cronq]

They don't publish own IPv6 records via this resolver :-(

NTP pool & GeoIP

[avij]

The NTP pool (which probably needs even more NTP servers, btw) was recently changed so that the project's DNS servers return a list of nearest available NTP servers when queried. If you change your settings to use Google's DNS servers, the pool will now respond with a list of NTP servers close to Google's DNS servers, which may not be what you wanted.

Re:SPDNSY

[SanityInAnarchy]

everything resolves to Google's proxies.

Really?

$ host slashdot.org
slashdot.org has address 216.34.181.45
slashdot.org mail is handled by 10 mx.corp.sourceforge.com.
$ host slashdot.org 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
 
slashdot.org has address 216.34.181.45
$ host 216.34.181.45
45.181.34.216.in-addr.arpa domain name pointer slashdot.org

You, sir, are a liar.

Cue *whoosh* in 3..2.. actually, I still don't get it. Either you're trolling because you hate Google, or there's some obscure joke that I still don't understand. I really don't get how your list of crap it requires (most of which doesn't exist or doesn't apply to DNS) is funny -- are Google known for requiring random stuff like that?

I mean, they don't even touch NX:

$ host aoeusnth.com
Host aoeusnth.com not found: 3(NXDOMAIN)
$ host aoeusnth.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
 
Host aoeusnth.com not found: 3(NXDOMAIN)

That's more than you can say for most ISP-level resolvers.

Re:Questions?

[SanityInAnarchy]

Except in this case, they claim your IP will be gone from their logs in 24 hours, and it'll never be associated with anything else you do at Google.

My guess is, they want broad statistics like the most popular domains visited, maybe even traffic patterns of which domains people tend to go to after which other domains.

So you're right, the motives are quite transparent. Except in this case, I have no idea why I wouldn't want to participate. It's likely to be a hell of a lot more responsive than my ISP's DNS.

Re:What's their motivation?

[SanityInAnarchy]

RTFA:

Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users.

We delete these temporary logs within 24 to 48 hours.

In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.

So in other words, for less than two days, their DNS log, and nothing else, will know that a particular request was made from a particular IP. Other than that, they'll know that someone from your ISP, or perhaps from your whole fscking city, made that request -- maybe. I'm guessing they'll be looking at overall trends.

Re:trying it...

[Sir_Lewk]

disregard that, I suck cocks.

Re:DDoS attacks

[darkmeridian]

Google's DNS service defends against DDoS amplification attacks by using rate-limiting techniques. From Google:

The best approach for combating DoS attacks is to impose a rate-limiting or "throttling" mechanism. Google Public DNS implements two kinds of rate control:
Rate control of outgoing requests to other nameservers. To protect other DNS nameservers against DoS attacks that could be launched from our resolver servers, Google Public DNS enforces per-nameserver QPS limits on outgoing requests from each serving cluster.
Rate control of outgoing responses to clients. To protect any other systems against amplification and traditional distributed DoS (botnet) attacks that could be launched from our resolver servers, Google Public DNS performs two types of rate limiting on client queries:
To protect against traditional volume-based attacks, each server imposes per-client-IP QPS and average bandwidth limits.
To guard against amplification attacks, in which large responses to small queries are exploited, each server enforces a per-client-IP maximum average amplification factor. The average amplification factor is a configurable ratio of response-to-query size, determined from historical traffic patterns observed in our server logs.

Re:I guess it is good news...

[ahecht]

4.2.2.2 and their ilk are free and non-redirecting. You can use 4.2.2.1 4.2.2.2 4.2.2.3 4.2.2.4 4.2.2.5 or 4.2.2.6

They are run by L-3 and sitting on major backbones, and the ip addresses are pooled, so that you will likely get a server that is geographically near you when you use one of those addresses.

Re:8.8.8.8/4

[ChaosDiscord]

If your network security relies on limiting DNS lookups, you don't really have any network security at all. You might as well take the house numbers off the front of your house to make it harder for burglars to find your house to break in.

Re:It is not the fastet DNS, at least not for me

[WARM3CH]

Oh crap! I reported the Minimum time, not the average! Here is the full report:

(Min | Avg | Max | Std.Dev |Reliab%)

My university:
Cached Name | 0.001 | 0.002 | 0.003 | 0.000 | 100.0
Uncached Name | 0.008 | 0.060 | 0.225 | 0.065 | 100.0
DotCom Lookup | 0.181 | 3.984 | 4.203 | 0.633 | 100.0

OpenDNS (208. 67.220.220)
Cached Name | 0.005 | 0.006 | 0.008 | 0.001 | 100.0
Uncached Name | 0.008 | 0.066 | 0.190 | 0.053 | 100.0
DotCom Lookup | 0.009 | 0.131 | 0.198 | 0.064 | 100.0

Level 3 (4. 2. 2. 3)
Cached Name | 0.024 | 0.025 | 0.028 | 0.001 | 100.0
Uncached Name | 0.026 | 0.071 | 0.206 | 0.056 | 100.0
DotCom Lookup | 0.025 | 0.081 | 0.191 | 0.058 | 100.0

Google (8.8.8.8)
Cached Name | 0.044 | 0.061 | 0.206 | 0.038 | 100.0
Uncached Name | 0.048 | 0.144 | 0.322 | 0.075 | 97.9
DotCom Lookup | 0.069 | 0.158 | 0.261 | 0.051 | 100.0

Re:I guess it is good news...

Brief history lesson:

DARPA asked BBN to build the arpanet. They built and owned Autonomous System Number 1. (ASN1)
BBN split into BBN Technologies and BBN Networking. BBN Technologies went of and did their own thing. BBN Networking kept ASN1 and grew into a tier 1 ISP.
GTE bought BBN Networking and renamed the division GTE Internet ( aka GTEI )
Southern Bell bought GTE but wasn't allowed to keep all of it due to monopoly laws put in place during the Ma Bell breakup. They renamed the Telco part Verizon and spun off the infringing internet bit as Genuity.
Genuity was funded through a 'guaranteed' $2B revolving credit line by Verizon.
Verizon lobbied enough people to overturn enough of regulations such that they no longer needed Genuity at all, and dumped the loan.
Genuity's remaing assets were sold in bankruptcy to Level 3 Communications, including ASN1, the 4.0.0.0/8 and 8.0.0.0/8 ARIN allocations and the gtei.net name.

Re:I guess it is good news...

[SnowZero]

If they're just after datamining the DNS requests, this service can happily run on negative income, because it improves Google's other things and provides them even more data.

This is untrue. From the Google DNS privacy page, linked from the blog post (emphasis added):

Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users. We delete these temporary logs within 24 to 48 hours.

In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.

That page also details exactly what features are logged. Does your current upstream DNS provider document their logging policies?

Disclaimer: I work for Google, but I will cite my sources.