Slashdot Mirror


Google Launches Public DNS Resolver

AdmiralXyz writes "Google has announced the launch of their free DNS resolution service, called Google Public DNS. According to their blog post, Google Public DNS uses continuous record prefetching to avoid cache misses — hopefully making the service faster — and implements a variety of techniques to block spoofing attempts. They also say that (unlike an increasing number of ISPs), Google Public DNS behaves exactly according to the DNS standard, and will not redirect you to advertising in the event of a failed lookup. Very cool, but of course there are questions about Google's true motivations behind knowing every site you visit."


  1. I guess it is good news... by ls671 · · Score: 4, Interesting

    > They also say that (unlike an increasing number of ISPs), Google Public DNS behaves exactly according to the DNS standard.

    Congratulations, this would then be the first free service that I know of which doesn't do redirect ! ;-)

    I set up my own DNS but I guess it is a little overkill for the common every day user. Setting up your own DNS means you have to go to the network (e.g. internet) less often because your locally hosted DNS caches the already visited sites for a TTL period of time. This is especially true if you have several computers and they tend to visit the same sites.

    Let me add that if your ISP or firewall intercepts requests to port 53, you will still be stuck with it ;-(

    --
    Everything I write is lies, read between the lines.
    1. Re:I guess it is good news... by sopssa · · Score: 5, Insightful

      > Congratulations, this would then be the first free service that I know of which doesn't do redirect ! ;-)

      I guess they're using that as a selling point and to come off "nicer". If they're just after datamining the DNS requests, this service can happily run on negative income, because it improves Google's other things and provides them even more data.

      Google is datamining everywhere and everything already.

    2. Re:I guess it is good news... by Jophish · · Score: 2, Interesting

      Oh boo hoo. I know I am going to get modded down for this, but: I don't mind Google knowing this, or knowing what sites I visit, if it means that they can deliver more relevant ads to me, cater more to my needs. This is a good think, kudos to Google, inventing a business model that makes everybody happy.

    3. Re:I guess it is good news... by ahecht · · Score: 4, Informative

      4.2.2.2 and their ilk are free and non-redirecting. You can use 4.2.2.1 4.2.2.2 4.2.2.3 4.2.2.4 4.2.2.5 or 4.2.2.6

      They are run by L-3 and sitting on major backbones, and the ip addresses are pooled, so that you will likely get a server that is geographically near you when you use one of those addresses.

    4. Re:I guess it is good news... by ChikMag777 · · Score: 2, Informative

      I'd be more impressed if they blocked out ads entirely.

      You do know how Google makes their money, right?

    5. Re:I guess it is good news... by Nefarious+Wheel · · Score: 2, Insightful

      > 4.2.2.2 and their ilk are free and non-redirecting

      Yes, but who is gtei.net?

      --
      Do not mock my vision of impractical footwear
    6. Re:I guess it is good news... by afidel · · Score: 4, Interesting

      Actually L3 is turning off public access to those resolvers and has been for a while, sometimes you will not get any response at other times they just degrade response times.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    7. Re:I guess it is good news... by node+3 · · Score: 5, Funny

      > This is a good think

      It's also double plus ironic.

    8. Re:I guess it is good news... by sexconker · · Score: 4, Funny

      Of course you can still have cache misses.

      You: Gimme goat.se
      Google: That's not in my cache, hold on.

      Google: Hey auth DNS gimme goat.se
      Auth: K, here.

      Google: Hey you, here.
      You: K.

      Your mom: Gimme goat.se:
      Google: Yeah, I have that, here.
      Your mom: K.

      Your dad: I NEED the goat.se !
      Google: Yeah I have that, but I need to recache it. Here's what I already have, it's probably still good.

      Google: Hey auth DNS gimme goat.se
      Auth: K, here.

      Your dad: WTF? Where's the gaping anus?!
      Google: Yeah, looks like the one I gave you before was wrong. No worries, this one is fresh.
      Your dad: Sweet mother of corn holes.

      Updating your cache early doesn't solve anything. You get less of a chance of misses only because you've checked more frequently. This comes at a performance cost on Google's end. Any DNS provider can cache anything for however long they want and return whatever result they think is valid.

      The obvious thing to do is return your most recent authoritative result for cached domains or get one if it's not a cached domain. Choosing to empty out your cache after something has expired vs. refreshing it from auth is a performance decision. As is choosing whether or not to dump something when updating, or keep it around in case you get requests for it while you're updating. As is the overall frequency with which you update your cache.

      No magic, brilliance, or good will on Google's part here - just horsepower and the willingness to operate at a financial loss in order to mine more data.

    9. Re:I guess it is good news... by ceeam · · Score: 2, Informative

      > this would then be the first free service that I know of which doesn't do redirect

      Well, there are *tons* of them. And fast. Download this program (if you're on Windows), run it, and see which are good for you. Redirecting and "strict" are marked with different colors.

      http://www.grc.com/dns/benchmark.htm

    10. Re:I guess it is good news... by Rich0 · · Score: 2, Interesting

      Yup, I run my own DNS - in part because I also want to have local hostnames and a bit more control over dhcp/etc.

      It also is nice to be able to blackhole any domain I like and kill 80% of the ads and intrusive cookies out there. When I'm browsing on wi-fi from the cellphone I'm amused to see all the banner ads go away despite it not having an ad blocker.

    11. Re:I guess it is good news... by Huh? · · Score: 2, Insightful

      > Actually L3 is turning off public access to those resolvers and has been for a while

      Link(s) to corroborate?

    12. Re:I guess it is good news... by Knara · · Score: 2, Informative

      Those aren't personally targeted ads, they're just matched well to the demographic and geographic in which they're placed.

      They may not be individually targeted, but they *are* targeted.

    13. Re:I guess it is good news... by Gilmoure · · Score: 2, Funny

      My browsing history would likely result in spammy popups.
        *sigh*

      --
      I drank what? -- Socrates
    14. Re:I guess it is good news... by Anonymous Coward · · Score: 5, Informative

      Brief history lesson:

      DARPA asked BBN to build the arpanet. They built and owned Autonomous System Number 1. (ASN1)
      BBN split into BBN Technologies and BBN Networking. BBN Technologies went off and did their own thing. BBN Networking kept ASN1 and grew into a tier 1 ISP.
      GTE bought BBN Networking and renamed the division GTE Internet ( aka GTEI )
      Southern Bell bought GTE but wasn't allowed to keep all of it due to monopoly laws put in place during the Ma Bell breakup. They renamed the Telco part Verizon and spun off the infringing internet bit as Genuity.
      Genuity was funded through a 'guaranteed' $2B revolving credit line by Verizon.
      Verizon lobbied enough people to overturn enough of regulations such that they no longer needed Genuity at all, and dumped the loan.
      Genuity's remaining assets were sold in bankruptcy to Level 3 Communications, including ASN1, the 4.0.0.0/8 and 8.0.0.0/8 ARIN allocations and the gtei.net name.

    15. Re:I guess it is good news... by afidel · · Score: 2, Informative

      Note: they also said they would eventually restrict 4.2.2.1 and 4.2.2.2 to customer access only, so if you're not a Level(3) customer, you probably need to find another solution.
      link
      I've seen a bunch of other comments like that from people who seem to know tech people over at L3, combined with the behavior we saw after these comments started popping up and I have to assume that L3 was intentionally introducing the delay to wake up non-customers to switch off them.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    16. Re:I guess it is good news... by AmiMoJo · · Score: 3, Interesting

      > Google is datamining everywhere and everything already.

      Yeah, but so is my ISP.

      Virgin Media keep extensive logs of DNS requests, as the government requires them to, for at least one year. Google keep your IP address logged for 24 hours, then remove it and keep the other DNS request data for an indefinite period.

      What is more concerning to me is that my ISP knows who I am. They can easily link up DNS requests with my account and billing details. Google probably could link it up with their other data pools if they wanted to, but they don't require you to have a Google account to use their servers so you don't have to provide them with any more details than your current IP address. E.g. you could use Yahoo for all searches and never send Google any more than just an IP address.

      What it boils down to is that I trust Google a lot more than I trust Virgin Media. At least Google publishes what they do with your data and doesn't sell it to third parties.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    17. Re:I guess it is good news... by Hucko · · Score: 3, Insightful

      I think that Google gets the free pass because they have so far shown themselves to be the least intrusive, paternalistic and/or come the closest to giving us what we want. And they stand out a fair distance from the rest of the bunch.

      Most of us acknowledge that there isn't a free lunch, so Google *so far* has been enabling the internet to function on its technical capabilities while making a profit. Surely you recognise that a lot of business models block the capabilities of technology to bolster their profits? Google seems to take the opposite approach. This often leads to businesses complaining about their methods, but consumers/customers/collaborators are enabled.

      --
      Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
    18. Re:I guess it is good news... by Eil · · Score: 2, Informative

      They're not doing any datamining with the resolvers, beyond keeping an eye out for performance and abuse issues. From their privacy page:

      Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users.

      We delete these temporary logs within 24 to 48 hours.

      In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.

      It seems they're actually playing relatively nice here and aren't adding the DNS queries to your "Google profile" like they do with search engine queries and other Google activity. They can already track the majority of your movements online through their advertising and stats programs and can gather even more detailed information if you use their web browser. Adding DNS profiling into the mix is probably a bit redundant.

      Assuming they're telling the truth, Google's goal with their public resolvers is just to make DNS faster and more efficient.

    19. Re:I guess it is good news... by node+3 · · Score: 2, Insightful

      Read 1984. Not just to get my joke, but it's also a great book. Plus you'll understand what people mean by Big Brother (it's *much* more sinister than just someone else taking care of you).

    20. Re:I guess it is good news... by Shakrai · · Score: 2, Insightful

      > Virgin Media keep extensive logs of DNS requests, as the government requires them to, for at least one year.

      Your country requires them to keep logs of your DNS requests for 12 months? You have my sympathy.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    21. Re:I guess it is good news... by jthill · · Score: 2, Insightful

      Guess the mods aren't heavily into reading comprehension these days? Preemptive caching will mean querying upstream before the TTL expires even in the absence of a client request, so by the time Dad wants to see it Google has already fetched the new record. The only question is when to allow a RR to age out of the cache.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
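
The preemptive caching described in the comment above, as an added example that is not part of the thread and not Google's implementation: a cache that refreshes a record shortly before its TTL runs out, but only if the name was queried since the last fetch, and otherwise lets it age out. The class, the 10% refresh threshold, the 10-second maintenance tick and the `example.test` zone are assumptions made for illustration.

```python
from collections import Counter

BUSY = "busy.example.test"   # constructed name, queried every 100 s
IDLE = "idle.example.test"   # constructed name, queried once


class PrefetchingCache:
    """TTL cache that never serves an expired record and can refresh early."""

    def __init__(self, upstream, prefetch=True, refresh_pct=10):
        self.upstream = upstream          # callable: name -> (address, ttl_seconds)
        self.prefetch = prefetch
        self.refresh_pct = refresh_pct    # refresh once this % of the TTL is left
        self.records = {}                 # name -> addr, ttl, expires, hits
        self.client_misses = Counter()    # lookups that had to wait for upstream
        self.upstream_queries = Counter()

    def _fetch(self, name, now):
        addr, ttl = self.upstream(name)
        self.upstream_queries[name] += 1
        rec = {"addr": addr, "ttl": ttl, "expires": now + ttl, "hits": 0}
        self.records[name] = rec
        return rec

    def resolve(self, name, now):
        """Answer a client; returns (address, remaining TTL in seconds)."""
        rec = self.records.get(name)
        if rec is None or now >= rec["expires"]:
            # Expired data is never returned: the client waits for a fresh fetch.
            self.client_misses[name] += 1
            rec = self._fetch(name, now)
        rec["hits"] += 1
        return rec["addr"], rec["expires"] - now

    def maintain(self, now):
        """Background pass, run with or without client traffic."""
        for name, rec in list(self.records.items()):
            remaining = rec["expires"] - now
            if remaining <= 0:
                del self.records[name]            # aged out
            elif (self.prefetch and rec["hits"] > 0
                  and remaining * 100 <= self.refresh_pct * rec["ttl"]):
                self._fetch(name, now)            # refresh before expiry


def simulate(prefetch):
    """Replay 1500 s of constructed traffic and report what clients saw."""
    zone = {BUSY: ("192.0.2.1", 300), IDLE: ("192.0.2.2", 300)}
    cache = PrefetchingCache(zone.__getitem__, prefetch=prefetch)
    remaining_ttls = []
    for now in range(0, 1501, 10):
        cache.maintain(now)
        if now == 0:
            cache.resolve(IDLE, now)
        if now % 100 == 0:
            remaining_ttls.append(cache.resolve(BUSY, now)[1])
    return {
        "busy_misses": cache.client_misses[BUSY],
        "busy_upstream": cache.upstream_queries[BUSY],
        "idle_upstream": cache.upstream_queries[IDLE],
        "min_ttl_served": min(remaining_ttls),
        "cached_at_end": sorted(cache.records),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("prefetch" if mode else "on-demand", simulate(mode))
```

In this run the busy name costs the same number of upstream queries either way; what changes is that only the very first client lookup waits on the authoritative server, and the idle name gets a single speculative refresh before it is dropped.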
    22. Re:I guess it is good news... by Anonymous Coward · · Score: 2, Informative

      Just a few clarifications...GTEI was GTE Internetworking, and GTE was bought by Bell Atlantic.

    23. Re:I guess it is good news... by SnowZero · · Score: 4, Informative

      > If they're just after datamining the DNS requests, this service can happily run on negative income, because it improves Google's other things and provides them even more data.

      This is untrue. From the Google DNS privacy page, linked from the blog post (emphasis added):

      Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users. We delete these temporary logs within 24 to 48 hours.

      In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.

      That page also details exactly what features are logged. Does your current upstream DNS provider document their logging policies?

      Disclaimer: I work for Google, but I will cite my sources.

    24. Re:I guess it is good news... by Fred_A · · Score: 2, Funny

      > 4.2.2.2 and their ilk are free and non-redirecting. You can use 4.2.2.1 4.2.2.2 4.2.2.3 4.2.2.4 4.2.2.5 or 4.2.2.6
      >
      > They are run by L-3 and sitting on major backbones, and the ip addresses are pooled, so that you will likely get a server that is geographically near you when you use one of those addresses.

      But with Google you don't have to use those complicated numbers any more. It's all much more simple. All you have to use is
      dns.google.com
      Much simpler to remember.

      If it doesn't work, it's because it's still in beta. Just try again.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    25. Re:I guess it is good news... by TheRaven64 · · Score: 3, Interesting

      That was what I was assuming; does this mean that Google is going to DoS things like DynDNS out of existence?

      --
      I am TheRaven on Soylent News
    26. Re:I guess it is good news... by jthill · · Score: 2

      No, I read it alright.

      The TTL on a DNS cache entry is supplied by the record's owner, and is an authoritative statement by that owner that the contents will remain valid at least until the TTL has expired. No DNS server will ever return a reply whose TTL has expired simply because anything that does return such a reply isn't a DNS server.

      So your Dad scenario, the "probably still good" reply, and of course your absolute assertion just now that you can "get an invalid entry", isn't just a little wrong, it's completely and blatantly ignorant.

      I've pulled boners just as bad myself, mind.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
  2. DDoS attacks by avij · · Score: 3, Interesting

    But I thought open recursive DNS servers were bad -- haven't you heard of DNS DDoS amplification attacks? Why would Google's open recursive DNS service be any better in this regard?

    --

    Follow your Euro bills at EBT
    1. Re:DDoS attacks by Anonymous Coward · · Score: 2, Interesting

      http://code.google.com/speed/public-dns/faq.html#issues

    2. Re:DDoS attacks by mea37 · · Score: 2, Informative

      I'm no expert on DNS DDoS amplification attacks, but reading up on them (including what Google has to say about them) I don't know what makes you say they only apply to consumer lines.

      First of all, even if it were impossible to overwhelm Google's bandwidth, that wouldn't stop an attacker from using Google's open resolver in an amplification attack against some other target; in that regard, it would be better if Google were running it from an employee's basement.

      Besides, it appears this type of attack has been used to create orders of magnitude more traffic than would be needed to just flood a consumer line.

      According to Google's site, they recognize this as a problem and have mitigation strategies in place; the most relevant one seems to be throttles on sending of response packets to any given target.

    3. Re:DDoS attacks by darkmeridian · · Score: 5, Informative

      Google's DNS service defends against DDoS amplification attacks by using rate-limiting techniques. From Google:

      The best approach for combating DoS attacks is to impose a rate-limiting or "throttling" mechanism. Google Public DNS implements two kinds of rate control:

      - Rate control of outgoing requests to other nameservers. To protect other DNS nameservers against DoS attacks that could be launched from our resolver servers, Google Public DNS enforces per-nameserver QPS limits on outgoing requests from each serving cluster.
      - Rate control of outgoing responses to clients. To protect any other systems against amplification and traditional distributed DoS (botnet) attacks that could be launched from our resolver servers, Google Public DNS performs two types of rate limiting on client queries:
        - To protect against traditional volume-based attacks, each server imposes per-client-IP QPS and average bandwidth limits.
        - To guard against amplification attacks, in which large responses to small queries are exploited, each server enforces a per-client-IP maximum average amplification factor. The average amplification factor is a configurable ratio of response-to-query size, determined from historical traffic patterns observed in our server logs.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
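
The two per-client-IP response controls quoted in the comment above (a QPS cap and a cap on the average amplification factor), sketched as an added example; it is not Google's code and not part of the thread. The class, the limits, the 10-second window, the choice to count dropped queries in the ratio, and the traffic in `constructed_traffic()` are assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque


class _Client:
    """Sliding-window totals for one source address."""

    def __init__(self):
        self.entries = deque()   # (timestamp, query_bytes, response_bytes_sent)
        self.q_bytes = 0         # query bytes received in the window
        self.r_bytes = 0         # response bytes actually sent in the window


class ResponseLimiter:
    """Decide per query whether the resolver should send its response.

    The UDP source address can be spoofed, so in an amplification attack the
    "client" seen here is the victim. Capping response bytes per query byte
    bounds how much traffic the resolver can be made to aim at that address.
    """

    def __init__(self, max_qps=5.0, max_amplification=10.0, window=10.0):
        self.max_qps = max_qps
        self.max_amplification = max_amplification
        self.window = window                  # seconds of history kept
        self.clients = defaultdict(_Client)

    def decide(self, ip, query_len, response_len, now):
        c = self.clients[ip]
        # Forget traffic that has left the window.
        while c.entries and c.entries[0][0] <= now - self.window:
            _, q, r = c.entries.popleft()
            c.q_bytes -= q
            c.r_bytes -= r

        if len(c.entries) + 1 > self.max_qps * self.window:
            verdict = "drop:qps"              # volume-based limit
        elif (c.r_bytes + response_len
              > self.max_amplification * (c.q_bytes + query_len)):
            verdict = "drop:amplification"    # would exceed the average factor
        else:
            verdict = "send"

        # Every query counts toward the window, answered or not.
        sent = response_len if verdict == "send" else 0
        c.entries.append((now, query_len, sent))
        c.q_bytes += query_len
        c.r_bytes += sent
        return verdict

    def amplification(self, ip):
        """Current response-to-query byte ratio for one address."""
        c = self.clients[ip]
        return c.r_bytes / c.q_bytes if c.q_bytes else 0.0


def constructed_traffic():
    """Constructed packets: (timestamp, source_ip, query_bytes, response_bytes)."""
    packets = []
    # Ordinary client: one small lookup per second for 20 s.
    packets += [(float(t), "192.0.2.10", 60, 120) for t in range(20)]
    # Spoofed source: 4 qps of 64-byte queries that each elicit 3200 bytes (50x).
    packets += [(i * 0.25, "198.51.100.7", 64, 3200) for i in range(40)]
    # Plain flood: 100 small queries inside one second.
    packets += [(i * 0.01, "203.0.113.5", 60, 120) for i in range(100)]
    return sorted(packets)


def replay(limiter, packets):
    """Run packets through the limiter; returns {ip: Counter of verdicts}."""
    verdicts = defaultdict(Counter)
    for ts, ip, qlen, rlen in packets:
        verdicts[ip][limiter.decide(ip, qlen, rlen, ts)] += 1
    return verdicts


if __name__ == "__main__":
    limiter = ResponseLimiter()
    for ip, counts in replay(limiter, constructed_traffic()).items():
        print(ip, dict(counts), "ratio=%.1f" % limiter.amplification(ip))
```

With these settings the spoofed address receives one response in five, so the traffic reflected at it stays at ten times the bytes sent in its name rather than fifty.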
    4. Re:DDoS attacks by neoform · · Score: 2, Insightful

      Unlike Google docs, DNS is relatively simple.. the idea of recursive queries being misused is quite commonplace and it would be a huge oversight if they neglected to take actions to avoid the abuse..

      --
      MABASPLOOM!
    5. Re:DDoS attacks by digitalunity · · Score: 2, Informative

      DNS is simple?

      BIND has what, 200 releases in the 9.x branch alone? There are more BIND releases than there are Linux kernels, and that's saying something!

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    6. Re:DDoS attacks by digitalunity · · Score: 2, Informative

      That's indicative of the fact that DNS is a fundamental piece of the internet framework and those who develop it realize security issues must be fixed as soon as possible. I can't tell you how many BIND releases have been to only address one security issue.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    7. Re:DDoS attacks by neoform · · Score: 2, Interesting

      Does this mean it would be a bad idea to use Google as my own DNS server's source?

      --
      MABASPLOOM!
  3. At least they have a clear privacy policy by Edgewize · · Score: 5, Informative

    They state very bluntly that IP addresses are expunged from the logs after 48 hours, and that no data is shared with Google Accounts or other Google services. They still get to play with a lot of aggregated data, but this seems like a fairly non-evil way to do it. Good for them. http://code.google.com/speed/public-dns/faq.html#privacy

    1. Re:At least they have a clear privacy policy by Z00L00K · · Score: 2, Insightful

      Add to that the fact that some IP addresses are shared by a lot of virtual sites which makes statistics about as precise as the slashdot polls.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:At least they have a clear privacy policy by Hatta · · Score: 2, Insightful

      I don't see any reason Google (or any other for profit company) would offer a service like this and say that they will never ever look at any of the data.

      Oh they'll look at the data. They'll just pseudonymize it first.

      --
      Give me Classic Slashdot or give me death!
    3. Re:At least they have a clear privacy policy by TheModelEskimo · · Score: 4, Insightful

      Uh, actually it's their service and the ToS changes anytime they want it to. This is also known as a phased takeover, in case you haven't noticed other corporations *starting out* with a beautifully ethical ToS before.

    4. Re:At least they have a clear privacy policy by TheGratefulNet · · Score: 2, Insightful

      mod parent up!

      the current google is somewhat evil; we have no idea what happens LATER when, uhh, the TOS get changed (somehow...)

      "the first one is free". remember that phrase. it applies here, too, in concept.

      --
      "It is now safe to switch off your computer."
    5. Re:At least they have a clear privacy policy by Idiomatick · · Score: 3, Interesting

      Point to one instance of a Google ToS getting worse. We are talking about a DNS server. Only /. types know what that is nvm would be willing to change theirs. Were Google to change their policy it would be pretty widespread news in the tiny group of people that use it. I don't know what you think they'd have to gain from annoying a bunch of nerds (re: people that support and build their whole business). More likely they made something for internal/personal use and just decided to release it because... well it's Google, they can.

    6. Re:At least they have a clear privacy policy by HeronBlademaster · · Score: 2, Insightful

      Other companies, perhaps. But when has Google ever made their ToS more evil?

      As far as I'm concerned, Google has done nothing to undermine our trust in their sincerity. If you have examples, though, I'm more than willing to dig in to it.

    7. Re:At least they have a clear privacy policy by symbolset · · Score: 2, Insightful

      Since the ISP that I currently pay to resolve my DNS does redirection (Comcast), I'm going to go with "Google is less evil" here, since they're willing to provide DNS service for free without redirection. I'll worry about potential evil after I escape the active, palpable, real evil I'm dealing with now.

      --
      Help stamp out iliturcy.
  4. Don't get me wrong, I love Google. by olsmeister · · Score: 4, Interesting

    But it sure seems like they're getting more and more of my personal information lately. What I search for, where I surf to, with my Droid where I navigate to, my e-mails, my documents. WOW.

    1. Re:Don't get me wrong, I love Google. by mcgrew · · Score: 3, Funny

      Yeah, Google knows everything about me... except who I am!

    2. Re:Don't get me wrong, I love Google. by TrippTDF · · Score: 5, Insightful

      I'm not fearful of the current Google, I'm fearful of the Google when we're three generations of leadership down the road and someone with fewer scruples is at the helm. What we need now more than ever is rock-solid privacy laws in this country that put looking at someone's data on par with searching their home... it can be done, but you need to get warrants and have a damn good reason to be doing it.

      There are a lot of amazing advantages to having your data aggregated the way that Google has it, and it's not rocket science to manage the downsides.

    3. Re:Don't get me wrong, I love Google. by Atario · · Score: 2, Interesting

      I'm hoping the current leadership is/will be smart enough to put some kind of clever legal strictures in place that tie the hands of whoever may run the company after them in such a way as to enforce the "don't be evil" ethic.

      --
      "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
    4. Re:Don't get me wrong, I love Google. by ArsonSmith · · Score: 2, Funny

      "What I search for, where I surf to, with my Droid where I navigate to, my e-mails, my documents. WOW."

      They follow your world of warcraft account? That's going too far.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    5. Re:Don't get me wrong, I love Google. by mcgrew · · Score: 4, Funny

      Underwear and t-shirt? Why would I need underwear and a t-shirt?

  5. Why? by sopssa · · Score: 4, Insightful

    But why would one change to use Google's DNS? If you're technical enough and care about such, you're way better off setting up your own recursive DNS server.

    Google is just datamining from DNS requests here, it's another source of information. At least with your own ISP you can reasonably think that there's no datamining going on (excluding US ISPs, of course, who serve ads on non-existing domains for their users anyway)

    1. Re:Why? by slashkitty · · Score: 3, Insightful

      Uh, yeah. Comcast switched ads on non domains.. and I'm sure they are datamining it too. Unfortunately, I trust Google more than Comcast more than some independent group with open dns.

      --
      -- these are only opinions and they might not be mine.
    2. Re:Why? by zunger · · Score: 2, Insightful

      Because setting up and maintaining your own recursive DNS server is a pain in the ass? (Especially compared to the workload of "here, just change this one setting and it will go faster")

    3. Re:Why? by Nadaka · · Score: 4, Insightful

      You know what? If I did what comcast has done with intercepting DNS requests and corrupting DNS responses, I would be committing 2 or more federal felonies, for profit no less. I would like some justice.

    4. Re:Why? by ickleberry · · Score: 2, Interesting

      I hear this excuse about every type of service. "Look change to our wonderful new cloud based data mining/advertising supported service and let us do all the work for you"

      But really, I have been running servers of all sorts for years now and the only ones that require any significant amount of maintenance are the HTTP ones due to their content going stagnant (gopher does not count here as it's OK to have stagnant content, makes it look more 'nostalgic' if it hasn't been updated in years I suppose)

      A DNS server is pretty much set and forget, to the point where most consumer grade routers have one built in. Yeah sure it's not the latest DNSSEC doohickey but I'm sure the next generation will have that

    5. Re:Why? by Grishnakh · · Score: 2, Informative

      Because it's not a crime when some big faceless company does it.

    6. Re:Why? by TooMuchToDo · · Score: 4, Funny

      Their pipes, their rules. Feel free to buy service from another last mile provider.

    7. Re:Why? by rhathar · · Score: 3, Informative

      OpenDNS doesn't follow the DNS standards, whereas Google's DNS does. From Wikipedia:

      While the OpenDNS name resolution service is free, people have complained about how the service handles failed requests. If a domain cannot be found, the service redirects you to a search page with search results and advertising provided by Yahoo!. A DNS user can switch this off via the OpenDNS Control Panel but will lose content filtering ability. This behavior is similar to that of many large ISP's who also redirect failed requests to their own servers containing advertising. [12]

      In 2007, David Ulevitch explained that in response to Dell installing "Browser Address Error Redirector" software on their PCs, OpenDNS started resolving requests to Google.com. Some of the traffic is handled by OpenDNS typo-correcting service which corrects mistyped addresses and redirects keyword addresses to OpenDNS's search page, while the rest is transparently passed through to the intended recipient.[13]

      Also, a user's search request from the address bar of a browser that is configured to use the Google search engine (with a certain parameter configured) may be covertly redirected to a server owned by OpenDNS without the user's consent (but within the OpenDNS Terms of Service).[14] Users can disable this behavior by logging in to their OpenDNS account and unchecking "OpenDNS proxy" option.[15] Additionally, Mozilla users can fix this problem by installing an extension[16] or by simply changing or removing the navclient sourceid from their keyword search URLs.

      This redirection breaks some non-web applications which rely on getting an NXDOMAIN for non-existent domains, such as e-mail spam filtering, or VPN access where the private network's nameservers are consulted only when the public ones fail to resolve.

      --
      http://www.chaotickingdoms.com
    8. Re:Why? by Lincolnshire+Poacher · · Score: 2, Insightful

      > if you think a business is not going to collect
      > all the information they can about their
      > customers, you are quite deluded.

      ``We don't run any sort of transparent proxies or other systems to covertly log what you do on the internet, and do not sell data to anyone.''

      That's from my ISP. Doesn't yours say something similar?

      If not, change.

    9. Re:Why? by zunger · · Score: 4, Insightful

      That depends on whether you're running a Linux box at home in a "reliable enough" way to be functioning as a server. And in the example you give, as your primary machine as well. While I realize that many /. users do this, I would certainly say that most people don't.

      I actually stopped doing it several years ago. I concluded that I have to maintain enough complex systems at work; I don't see any need to be a sysadmin for a complex system that requires nonstop patching and understanding of 30-year-old system internals at home, too. Plus the desktop environment was frankly primitive compared to modern machines. So I ditched it and started running OS X. (And I should say that I'm an experienced Linux sysadmin and engineer professionally, so this was not the "I don't know how to use it and it appears to have been designed by badgers" issue)

      It's definitely true that, if you're already doing all of the work to run your own system at home, adding a DNS server isn't a big deal. But that's really a hobbyist thing to do. If your home system is primarily for the purpose of getting things done, rather than for playing with systems, it's an enormous amount of extra work. Yet having faster DNS lookups is still a win.

    10. Re:Why? by HeronBlademaster · · Score: 2, Insightful

      Why would I invest two hours and a spare machine into setting up my own DNS server when I can spend thirty seconds changing a setting on my router?

      As for maintenance... Why should I invest time updating the software that runs these servers every time a new security vulnerability is discovered? Why should I even have to check for updates, when someone else is doing it all for free? Why should I pay for the electricity to run the additional machine? (You're going to say "run it on your desktop", but what if I dual-boot? Why should my wife's laptop be unable to resolve sites while I'm rebooting or shut down for the night?) And so on and so forth.

      Maybe you like spending your free time dealing with all of that crap. Most of us don't.

      As for "most consumer-grade routers have a DNS server built-in", I'm not sure you know what you mean. Sure, most have a caching DNS server built-in, but they merely defer to your ISP's DNS server when they don't have the address cached, which means you're going to be querying your ISP's DNS servers every $TTL anyway - so if your ISP is redirecting NXDOMAIN queries to ad pages, you're still going to get them.

    11. Re:Why? by thuerrsch · · Score: 2, Informative

      Using dnsmasq, which runs on pretty much any Linux-based router, it's trivial to defeat any OpenDNS evilness. Just add these settings to your /etc/dnsmasq.conf:

      server=208.67.222.222
      server=208.67.220.220
      bogus-nxdomain=67.215.65.132
      bogus-nxdomain=67.215.66.132

      That's it, no more redirects for invalid or temporarily unavailable addresses, respectively. To also stop OpenDNS from interfering with searches initiated via the Firefox address bar, just remove the sourceid=navclient parameter from the keyword.URL string in about:config.

      These simple precautions allow me to use OpenDNS anonymously without ever noticing it -- a real treat in a country like mine, where it's not only ISPs who fiddle with DNS but the government too. That said, I'll give Google's new service a try anyway.

      --
      most of what follows is true
  6. 8.8.8.8/4 by Xacid · · Score: 3, Insightful

    "To try it out:

    Configure your network settings to use the IP addresses 8.8.8.8 and 8.8.4.4 as your DNS servers..."

    Simple enough to remember which is great. Also - could this be used to circumvent some of the internet security at some workplaces where they seem to run a blacklist of specific sites?

    1. Re:8.8.8.8/4 by sopssa · · Score: 4, Funny

      Would be interesting to know how much Google paid for those two 256 ranges to Level 3. One would think simple ip's like 8.8.8.8 would cost some nice amount too.

      Or maybe they should have used the coolest ip on the net, aka

      > host 69.69.69.69
      69.69.69.69.in-addr.arpa domain name pointer the-coolest-ip-on-the-net.com.

    2. Re:8.8.8.8/4 by dave562 · · Score: 3, Informative

      Anyone running Windows Server as their internal DNS server is probably forwarding DNS requests to an external name server. The workstation DNS settings are most likely controlled with DHCP, and if the admin has half a brain (I know, that's a big assumption), the users don't have rights to change the network settings.

      Most internet security applications are usually proxy servers, or something like a Websense box. Those filter all traffic regardless of where the name resolution takes place. In fact, Websense can be configured to block DNS requests to non-approved / external servers (as can any firewall, etc).

      Do your network admins a favor and use your work computer for work. Don't try to get around their access controls. Most of the time they'd love to give you free access to the internet, but the reality is that they are responsible for keeping Windows boxes secure. That isn't an easy job. What you might perceive as network admin Nazi behaviors is really just them protecting you from yourself... or your co-workers from themselves, etc.

    3. Re:8.8.8.8/4 by ChaosDiscord · · Score: 4, Informative

      If your network security relies on limiting DNS lookups, you don't really have any network security at all. You might as well take the house numbers off the front of your house to make it harder for burglars to find your house to break in.

  7. Re:Yet another privacy risking tool I won't mind u by FooAtWFU · · Score: 3, Informative

    But I doubt it'll be as memorable as 4.2.2.2 for those emergency DNS outages.

    8.8.8.8, 8.8.4.4.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  8. OpenDNS by SillyWilly · · Score: 2, Funny

    Wow the people at OpenDNS are going to be pissed by this.

    Still 8.8.8.8 is a bit more memorable than 208.67.222.222

    --
    Online & Feelin' Fine
    1. Re:OpenDNS by yakatz · · Score: 5, Interesting

      OpenDNS hijacks Google searches, which could be part of Google's motivation also.

    2. Re:OpenDNS by zlogic · · Score: 2, Informative

      If you register with OpenDNS, you can opt out of the hijacking. Basically turn off all additional services (like malware checking, keywords and typing correction) and OpenDNS works just like any normal DNS server out there. The problem is that you have to submit your IP, or their servers won't recognize you; this can be done either by your router or with a Windows app that periodically submits the IP (not sure about Linux or MacOS).

    3. Re:OpenDNS by sildur · · Score: 3, Informative

      OpenDNS is not hijacking google searches. They simply fix broken google searches.

  9. Not everyday by dmayle · · Score: 3, Insightful

    Forget everyday use, but on public wifi, I'm all about this!

    1. Re:Not everyday by Joce640k · · Score: 2, Informative

      Mod parent up - DHCP on a public node can make dragons fly out of your nose.

      --
      No sig today...
  10. Questions? by whisper_jeff · · Score: 4, Insightful

    ...but of course there are questions about Google's true motivations behind knowing every site you visit.

    No there aren't. You'd have to have been living under a rock for the past decade to have any questions about their motives. It's dead simple - they want to know what people are looking at so that they can better target people with advertising thereby increasing the value of their service. In return for offering various free services, all they ask for is some information on you so that they can better target advertising that interests _YOU_. It's not rocket science - it's just incredibly effective marketing.

    1. Re:Questions? by SKPhoton · · Score: 2, Informative
      You can view the Google Public DNS privacy and logging policies here. (It's nice and relatively short. Very un-EULA-ish.)

      From the page:

      We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network.

    2. Re:Questions? by SanityInAnarchy · · Score: 4, Informative

      Except in this case, they claim your IP will be gone from their logs in 24 hours, and it'll never be associated with anything else you do at Google.

      My guess is, they want broad statistics like the most popular domains visited, maybe even traffic patterns of which domains people tend to go to after which other domains.

      So you're right, the motives are quite transparent. Except in this case, I have no idea why I wouldn't want to participate. It's likely to be a hell of a lot more responsive than my ISP's DNS.

      --
      Don't thank God, thank a doctor!
    3. Re:Questions? by nine-times · · Score: 5, Insightful

      And sorry, but just to complete the thought, there's a very good reason why Google would want to do this even if they don't get any data mining or ad revenue in any direct way: Think about all the other services (OpenDNS or ISPs) that redirect failed searches to their own search page. Every time that happens, that's a search that doesn't go through Google. As far as Google is concerned, you getting a proper response of "This page doesn't exist" is good for them, because they know your next stop will be Google.com.

    4. Re:Questions? by TooMuchToDo · · Score: 2, Insightful

      Half-credit. They're trying to make the web faster, but to an extent to further their webapps agenda. Why? That's their playground. If the web is faster (Google DNS, Google's SPDY architecture), you won't rely on that desktop so much for apps now will you?

    5. Re:Questions? by vitaflo · · Score: 4, Interesting

      "My guess is, they want broad statistics like the most popular domains visited, maybe even traffic patterns of which domains people tend to go to after which other domains."

      I'd go further. Given the announcement of Chrome OS, I wouldn't doubt they want to test a huge number of DNS requests and tweak the system to be as fast as possible to speed up Chrome. Google knows latency is an issue with web apps, and is trying to do all they can to reduce this. I think this is just another step in that direction.

  11. Google was going to hire DJB to make this work by fotoguzzi · · Score: 5, Funny

    but they didn't want too much brilliance all in one place.

    --
    Their they're doing there hair.
  12. Re:so? by metamechanical · · Score: 5, Funny

    fEEL FREE TO OPT OUT AT ANY TIME.

    They have a great program for that!

    --
    If I had a nickel for every time I had a nickel, I'd be richcursive!
  13. Why all the paranoia over Google? by Fished · · Score: 3, Interesting

    Very cool, but of course there are questions about Google's true motivations behind knowing every site you visit.

    Look.. Google's in the advertising and data aggregation business, yes. But ... there is a level of suspicion and fear directed at Google that just seems extreme. Has Google actually done something "Evil" that I missed? Or is it just paranoia? I personally think that it's much more likely that OpenDNS or my ISP would do something crazy with this sort of information than Google.

    --
    "He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
    1. Re:Why all the paranoia over Google? by MushMouth · · Score: 2, Insightful

      Any intelligence service that doesn't have at least one mole in Google is worthless.

    2. Re:Why all the paranoia over Google? by lennier · · Score: 2, Insightful

      "But ... there is a level of suspicion and fear directed at Google that just seems extreme. Has Google actually done something "Evil" that I missed?"

      They might have. Would we be able to know, at this point, if they did? Do we still have third parties able to compete with them and provide checks and balances over the information they feed us?

      The problem with Google (and the other big players, such as the social networks) is that they are increasingly *centralising* control over the data we see. In the 1990s, the Net was a very decentralised place. You'd get an IP address, DNS lookup and SMTP from your ISP, a domain name from a domain registrar, web hosting somewhere else, webmail from a fourth place, search from a fifth place... and all of those would be different from your hardware and your operating system... and all this decentralisation kept the big corps mostly honest. There were people like AOL and Microsoft trying for lock-in and vertical integration, yes. Which is why Google initially seemed like a shining knight, a different force. And them funding Mozilla gave us a breathing space from the Microsoft lock-in empire.

      But now Google themselves are becoming the Microsoft of the Web. Not in terms of abusive practices - necessarily. But in terms of edging towards single-provider monopoly power, which gives the *potential* for abusive practices on a huge scale.

      Remember Sandra Bullock, The Net, mid 1990s? Back then it seemed total science fiction because it was really silly to think that any one organisation could get censorship control over the fractious, decentralised Net of that era. It's not so funny now. You could now have:

      * a Google Android phone or a Google ChromeOS device
      * running Google Chrome
      * getting DNS from Google DNS
      * using Gmail for mail
      * using Google Wave for social networking
      * using Google Search for all searching
      * getting their news from Google News
      * buying their books from Google Books
      * doing academic research on Google Scholar and patent searches on Google Patents
      * sharing documents on Google Docs
      * viewing Usenet through Google Groups

      and all of that information is logged, analysed, data-mined and cross-checked by a single organisation answerable to a very few people. And potentially modified in transit.

      Fortunately it's still possible to compare most of what Google tells us with the source websites, so they can't easily change the information we receive. Yet. But they certainly can get a very close-up view of exactly who we are and what lines of knowledge we're interested in, and flick this on to whatever organisation - private, criminal, government - asks nicely enough.

      Centralisation is always scary, because you just. don't. KNOW. what is being done with that data, either coming or going.

      Google's best weapon against paranoia is openness... but what if we end up seeing just the *appearance* of openness and not openness itself?

      For that reason I hope Google never becomes the only information service we use on the Web, and I'm even unhappy with the way we all rely on its search results to such a huge extent. It's a potential choke point in the Net, a single point of failure. Right now it seems okay... but.... loss of alternatives is never a safe place to be. Why has open source search never taken off?

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  14. No IPv6 records :-( by Cronq · · Score: 4, Informative

    They don't publish their own IPv6 records via this resolver :-(

    1. Re:No IPv6 records :-( by Wowlapalooza · · Score: 2, Interesting

      Google has a special "Cluefulness Test" when it comes to IPv6: http://www.google.com/intl/en/ipv6/. In order to get IPv6 resolution, you need to register the source addresses of your nameservers with them, and claim/prove that you and your provider have "good" IPv6 connectivity to Google. You're also expected to troubleshoot any IPv6 problems that may occur, as opposed to your clueless users bugging Google directly about it.

      If you don't meet those criteria, you're still welcome to use ipv6.google.com for searches, of course. But that's not the whole suite of Google tools/products, and the URL is just not as convenient...

  15. NTP pool & GeoIP by avij · · Score: 4, Informative

    The NTP pool (which probably needs even more NTP servers, btw) was recently changed so that the project's DNS servers return a list of nearest available NTP servers when queried. If you change your settings to use Google's DNS servers, the pool will now respond with a list of NTP servers close to Google's DNS servers, which may not be what you wanted.

    --

    Follow your Euro bills at EBT
    1. Re:NTP pool & GeoIP by TooMuchToDo · · Score: 2, Interesting

      What sort of NTP servers do they need? I have several locations I can host from (I own a technology services firm) and could provide Stratum 1 services, as several of our NTP servers have GPS receivers attached.

    2. Re:NTP pool & GeoIP by avij · · Score: 3, Interesting

      Any NTP server at any stratum is welcome to join the pool. The only actual requirement is that the server should have a static IP address. The how do I join page has further information. If you already have a functioning NTP server, all you have to do is to log in and add your server's DNS name/IP address and its available bandwidth (for load balancing purposes). I'd say it's a rather simple process.

      --

      Follow your Euro bills at EBT
    3. Re:NTP pool & GeoIP by TooMuchToDo · · Score: 3, Interesting

      Awesome. Away I go adding 6 servers.

    4. Re:NTP pool & GeoIP by avij · · Score: 2, Informative

      At the moment, running 'dig @8.8.8.8 pool.ntp.org' gives me servers that are across the pond, ie. not relatively close to me. This particular 8.8.8.8 DNS server instance seems to be physically close to me, but based on the responses it gives me, it still acts like it's in the U.S.

      Even though there may be several Google DNS servers around the world, I'd guess they're interconnected so they share the same cache. Obviously Google could choose to have a global cache for most domains, but have a local cache for some domains. Whether this is going to be implemented or not remains to be seen..

      --

      Follow your Euro bills at EBT
  16. Why not do both? by FranTaylor · · Score: 4, Insightful

    Set up your own DNS server and point it at google's.

    Then you can take advantage of your cache and their cache.

    google could do us a great service by also making it available on some other port, that way we can get around the ISP interception of DNS requests.

    1. Re:Why not do both? by Anonymous Coward · · Score: 5, Funny

      We put a cache in your cache so you can browse while you browse.

    2. Re:Why not do both? by Richy_T · · Score: 4, Interesting

      Definitely this. My ISP changed their upstream provider and *their* network was intercepting requests on port 53. Luckily, I also administer DNS on another network so set up a bypass on port 54. Personally, I think providing false DNS information should count as fraud.

    3. Re:Why not do both? by Anonymous Coward · · Score: 2, Funny

      Soviet Russia?

  17. Re:Yet another privacy risking tool I won't mind u by SanityInAnarchy · · Score: 2, Interesting

    So not only as memorizable, but explicitly public, whereas 4.2.2.2 and 4.2.2.1 are both technically being abused when you do that.

    --
    Don't thank God, thank a doctor!
  18. Latency: most ISPs should win hands down by olden · · Score: 2, Informative

    RTT to my own resolver: microseconds
    RTT to my ISP's resolver (Speakeasy = no redirect and such): ~21ms
    RTT to Google's: 80+ms
    No-brainer for me.

    1. Re:Latency: most ISPs should win hands down by osu-neko · · Score: 2, Interesting

      Interesting.

      RTT to my ISP's (Comcast) resolver: ~50ms
      RTT to Google's resolver: ~30ms

      No-brainer here, too. Also, Comcast sucks... (but you already knew that...)

      --
      "Convictions are more dangerous enemies of truth than lies."
  19. and there's the other motive for Google. by FooAtWFU · · Score: 3, Insightful

    If you're on $garbage_DNS and you're served an advertisement/search page instead of NXDOMAIN, you (or your browser's auto-search) won't search Google. For that matter, just having something like this around will discourage $garbage_DNS.

    Google cares about the Internet. It's where they make their money.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  20. end game in sight by MrDoh! · · Score: 2, Interesting

    So...
    Google voice first for voice. Last week Gizmo5 for voip and now rolling out their own DNS?

    Looks like all the infrastructure pieces are in place for the mass change of how cell phones are going to work.

    For years I've wondered why we still have phone numbers. With address books stored on the phones to map names (hosts) to phone numbers (ip's).
    With all the phones these days having decent data connections as standard, looks like we're going to get a central way of handling this.
    So my phone contact will be 'Fred@Domain.com' If I send an email with that address, it gets sent to their mail. If I make a call to that address, does the DNS lookup, finds out their phone number (that we can re-configure our end to handle calling home phone or cell phone, and with location based rules on an android phone, you'd be able to automate it as you left your house, it lets the phone DNS know to call the cell phone, then as you get to your desk location, remap to office phone for non-personal calls). All possible as standard.

    We're not going to get phone and choose to have a dataplan, we're going to have phones + dataplans and that's it.
    telcoms industry HAVE to know this surely?

    (personal wish, as calls are made to someone, there's a quick lookup for capabilities of the device you're calling, then popup the choices to make normal call, send a text, allow the webcam to work, or most importantly, present a URL to an MP3 that's YOUR ringtone, so you can set up a theme tune and as you call people, they hear your tune (as long as they've not turned that off))

    --
    Waiting for an amusing sig.
  21. Re:SPDNSY by SanityInAnarchy · · Score: 5, Informative

    everything resolves to Google's proxies.

    Really?

    $ host slashdot.org
    slashdot.org has address 216.34.181.45
    slashdot.org mail is handled by 10 mx.corp.sourceforge.com.
    $ host slashdot.org 8.8.8.8
    Using domain server:
    Name: 8.8.8.8
    Address: 8.8.8.8#53
    Aliases:
     
    slashdot.org has address 216.34.181.45
    $ host 216.34.181.45
    45.181.34.216.in-addr.arpa domain name pointer slashdot.org

    You, sir, are a liar.

    Cue *whoosh* in 3..2.. actually, I still don't get it. Either you're trolling because you hate Google, or there's some obscure joke that I still don't understand. I really don't get how your list of crap it requires (most of which doesn't exist or doesn't apply to DNS) is funny -- are Google known for requiring random stuff like that?

    I mean, they don't even touch NX:

    $ host aoeusnth.com
    Host aoeusnth.com not found: 3(NXDOMAIN)
    $ host aoeusnth.com 8.8.8.8
    Using domain server:
    Name: 8.8.8.8
    Address: 8.8.8.8#53
    Aliases:
     
    Host aoeusnth.com not found: 3(NXDOMAIN)

    That's more than you can say for most ISP-level resolvers.

    --
    Don't thank God, thank a doctor!
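    Added example, not part of the comment above and not dnsmasq's own code: the host checks in this comment and the bogus-nxdomain settings in thuerrsch's earlier comment both come down to reading the RCODE and A records of a DNS reply. The sketch below parses constructed reply packets, classifies the answer to a probe for a name that does not exist, and mirrors the bogus-nxdomain rewrite; the function names and sample packets (including the documentation address 192.0.2.10) are assumptions made for illustration.

```python
import ipaddress
import struct

# Addresses from the bogus-nxdomain lines in the dnsmasq comment earlier in the thread.
BOGUS_ADDRS = frozenset({"67.215.65.132", "67.215.66.132"})
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode a host name as DNS labels (length byte + label, 0-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, rcode, addrs, txid=0x1234):
    """Build a constructed DNS reply to an A query, used here as sample input."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus the 4-bit RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for addr in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends
            return off + 2
        if length == 0:             # root label terminates the name
            return off + 1
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [IPv4 strings from A records in the answer section])."""
    try:
        _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        off = 12
        for _ in range(qdcount):
            off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
        addrs = []
        for _ in range(ancount):
            off = _skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated RDATA")
            if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
                addrs.append(str(ipaddress.IPv4Address(rdata)))
            off += rdlen
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed DNS message") from exc
    return flags & 0x000F, addrs


def effective_rcode(msg, bogus=BOGUS_ADDRS):
    """RCODE after a bogus-nxdomain style rewrite: any listed A record => NXDOMAIN."""
    rcode, addrs = parse_response(msg)
    if rcode == RCODE_NOERROR and any(a in bogus for a in addrs):
        return RCODE_NXDOMAIN
    return rcode


def classify_probe(msg, bogus=BOGUS_ADDRS):
    """Classify the reply to a query for a name that is known not to exist."""
    rcode, addrs = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "honest-nxdomain"
    if rcode == RCODE_NOERROR and addrs:
        # An address outside the list means the static list has gone stale.
        return "rewritten-known" if bogus.intersection(addrs) else "rewritten-unknown"
    return "other"


# Constructed sample replies (not captured traffic).
HONEST = build_response("aoeusnth.com", RCODE_NXDOMAIN, [])
REWRITTEN = build_response("aoeusnth.com", RCODE_NOERROR, ["67.215.65.132"])
NEW_LANDING = build_response("aoeusnth.com", RCODE_NOERROR, ["192.0.2.10"])
REAL = build_response("slashdot.org", RCODE_NOERROR, ["216.34.181.45"])

if __name__ == "__main__":
    for label, msg in [("honest", HONEST), ("rewritten", REWRITTEN),
                       ("new landing page", NEW_LANDING)]:
        print(label, classify_probe(msg), effective_rcode(msg))
    print("real", parse_response(REAL), effective_rcode(REAL))
```

    The "rewritten-unknown" case is the one a static bogus-nxdomain list misses: the resolver still answers for a non-existent name, but from an address that is not on the list yet.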
  22. Re:What's their motivation? by SanityInAnarchy · · Score: 4, Informative

    RTFA:

    Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users.

    We delete these temporary logs within 24 to 48 hours.

    In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.

    So in other words, for less than two days, their DNS log, and nothing else, will know that a particular request was made from a particular IP. Other than that, they'll know that someone from your ISP, or perhaps from your whole fscking city, made that request -- maybe. I'm guessing they'll be looking at overall trends.

    --
    Don't thank God, thank a doctor!
  23. Re:trying it... by Sir_Lewk · · Score: 5, Informative

    disregard that, I suck cocks.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  24. Re:trying it... by Anonymous Coward · · Score: 2, Informative

    It's hilarious that that's modded as 'Informative'.

  25. Maybe They Just Want People To Access Their Site by HannethCom · · Score: 2, Interesting

    I seem to recall that there are a few ISPs that are threatening to block all requests to Google sites because of the bandwidth that is being used. I think it stands to reason that the reason Google is running a free DNS is so that people can still access their sites, no matter what their ISP does.

    --
    Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
  26. no thanks by voodoowizard · · Score: 2, Interesting

    I will still use my free http://www.opendns.com/ servers. The only redirect you get is a search page with is this what you mean. Other than that it will still try and get you where you want to be while also blocking a variety of sites, by your own choosing.

  27. motives by Tom · · Score: 2, Insightful

    Very cool, but of course there are questions about Google's true motivations behind knowing every site you visit.

    Nonsense.

    They want to cut the ISPs and other DNS providers out of their (dishonest) ad revenue streams. For a lot of competitors, this is virtually the only straw left (AOL, anyone? I know at least in Germany if they hadn't forced the marketing of the "Alice" ISP to add such a DNS-misdirect, their portal and search space would be able to count its visits in "hits per hour").

    It hurts their competitors while giving Google an image plus. And the amount of overhead and traffic is negligible if you already operate on the scale that Google does.

    --
    Assorted stuff I do sometimes: Lemuria.org
  28. Re:OpenNIC has been offering this for years now... by svtdragon · · Score: 3, Informative
    You still haven't read the privacy page, have you? They don't correlate it with search queries or any other data they have from you:

    "Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using," the company said. "We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users. We delete these temporary logs within 24 to 48 hours.

    "In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage."

  29. Re:OpenNIC has been offering this for years now... by rhathar · · Score: 3, Informative

    Except that Google only stores records for 24-48 hours and then deletes them and does not share the data with its ads department or any other Google services.

    --
    http://www.chaotickingdoms.com
  30. Not EVERY site you visit by EverlastingPhelps · · Score: 2, Funny

    Technically, they only get to track the sites that you access by domain name. You can always punch an IP address in and circumvent the DNS system. Start memorizing those porn IPs now!

  31. Go for it... by Joce640k · · Score: 2, Informative

    I just tried it and it's *WAY* faster than my ISP - web pages start loading a couple of seconds sooner than before.

    --
    No sig today...
  32. Re:ComCast does this re-routing routinely. by Dewin · · Score: 2, Informative

    You can opt-out of the Comcast rerouting.

    https://dns-opt-out.comcast.net/

    It's not cookie-based either, it actually disables it for your cablemodem's MAC address.

    --
    Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
  33. It is not the fastest DNS, at least not for me by WARM3CH · · Score: 2, Informative
    I just ran a simple benchmark to see how fast these are. It turns out that Google's DNS is slower than our university's (I'm in Oregon), OpenDNS and L-3.
    • ISP: Cached Name: 1 ms, Uncached Name: 8 ms
    • OpenDNS: Cached Name: 5 ms, Uncached Name: 8 ms
    • L-3: Cached Name: 24 ms, Uncached Name: 26 ms
    • Google: Cached Name: 44 ms, Uncached Name: 48 ms

    I guess for me it's clear: I'll skip it for now.

    1. Re:It is not the fastest DNS, at least not for me by WARM3CH · · Score: 5, Informative

      Oh crap! I reported the Minimum time, not the average! Here is the full report:

      (Min | Avg | Max | Std.Dev |Reliab%)

      My university:
      Cached Name | 0.001 | 0.002 | 0.003 | 0.000 | 100.0
      Uncached Name | 0.008 | 0.060 | 0.225 | 0.065 | 100.0
      DotCom Lookup | 0.181 | 3.984 | 4.203 | 0.633 | 100.0

      OpenDNS (208.67.220.220)
      Cached Name | 0.005 | 0.006 | 0.008 | 0.001 | 100.0
      Uncached Name | 0.008 | 0.066 | 0.190 | 0.053 | 100.0
      DotCom Lookup | 0.009 | 0.131 | 0.198 | 0.064 | 100.0

      Level 3 (4.2.2.3)
      Cached Name | 0.024 | 0.025 | 0.028 | 0.001 | 100.0
      Uncached Name | 0.026 | 0.071 | 0.206 | 0.056 | 100.0
      DotCom Lookup | 0.025 | 0.081 | 0.191 | 0.058 | 100.0

      Google (8.8.8.8)
      Cached Name | 0.044 | 0.061 | 0.206 | 0.038 | 100.0
      Uncached Name | 0.048 | 0.144 | 0.322 | 0.075 | 97.9
      DotCom Lookup | 0.069 | 0.158 | 0.261 | 0.051 | 100.0

  34. So, are you volunteering? by KingSkippus · · Score: 5, Insightful

    So Google fanboism has gotten to the point where people are HAPPY about getting more targeted ads?

    No, but we're smart enough to realize that no one is going to pay out of pocket to provide all the services that Google does for free with no revenue model at all, not even to pay for the infrastructure servers and network necessary to do it.

    I'll make you a deal. Multi-billionaire technology philanthropist that you seem to be, you set up a company to compete with Google, one that provides all that they do and that has exactly zero sources of revenue, and I'll willingly become your fanboy.

    The practical situation is that there ain't no such thing as a free lunch. When Google came along, we were headed towards every web site--especially search engines and directories--pushing out more and more pop-ups, pop-unders, interstitials, graphics-heavy, annoying ads, and they changed that. God forbid any of them actually contribute back to the community in the form of numerous open source projects and free services.

    Google changed all that by providing a much more customer-friendly "less is more" philosophy, and their customers have supported their efforts in a very free market-friendly way. So while you can take potshots at targeted advertising if you want, I honestly can't think of a less obtrusive and relatively harmless revenue model that can support all that Google does and how much they are contributing to advancing technology.

    While I'd love for someone to volunteer to do all that Google does without making money for it, given that that's not going to happen, yeah, targeted advertising is about the least annoying way I can think of to get the bills paid and continue providing service.

  35. Good question by Spliffster · · Score: 2, Informative

    For those too lazy to run whois:

    spliffy@localhost:~$ whois gtei.net
    ...
    Registrant:
    Verizon Trademark Services LLC
    Verizon Trademark Services LLC
    1320 North Court House Road
    Arlington VA 22201
    US
    domainlegalcontact@verizon.com +1.7033513164 Fax: +1.7033513669
    ...

  36. Better Google than your ISP by Charles+Dodgeson · · Score: 5, Insightful

    > Google is datamining everywhere and everything already.

    When I first read about this, I immediately thought about datamining. But after another second, I figured that I would prefer Google to have this information than Verizon (where my caching DNS server currently forwards to). It is true that Google is better at datamining, but do keep in mind that whoever is providing your DNS service has the information about your DNS requests.

    Another difference between Google and your ISP is that your ISP knows who you are from your IP address. So they can link DNS resolution requests to specific, named, customers. Google can't do that directly.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
    1. Re:Better Google than your ISP by Ginger+Unicorn · · Score: 3, Interesting

      It's easier, and perhaps routine practice, for your ISP to log DNS requests to their DNS servers, whereas I would have imagined that sniffing packets that are not destined for their servers and logging the contents would be a willful act of wiretapping.

      --
      (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
    2. Re:Better Google than your ISP by tftp · · Score: 2, Insightful

      > What makes you think Verizon isn't doing packet inspection to datamine regardless?

      It takes leaving a default setting unchanged to have logs of all DNS requests that Verizon's servers answer. The effort spent: zero. The data volume: minimal (only DNS requests.)

      It takes a lot more to inspect all packets (TCP and UDP) that may be related to DNS. It has to be bought, then connected to the main data link(s), then configured to log what you want, then maintained. On Verizon's scale it's some serious money right here.

      Since Verizon is not in the datamining business, I don't see why they would want to trouble themselves with such a complex arrangement.

      On top of that, logging users' Internet traffic is not something that Verizon needs to do as part of their usual business. Logs on the DNS server may be easily explained because the server is needed and they need to know what goes wrong when it does. However, the packet inspection box has no business reason to be there, and it can affect Verizon's common carrier status.

    3. Re:Better Google than your ISP by Charles+Dodgeson · · Score: 2, Insightful

      > Dude, all of your traffic is passing through your ISP already, what makes you think they won't log your DNS requests to Google if they found enough people are using it?

      There is a big difference between keeping logs for a service you are running and doing deep packet inspection. And if our ISPs are doing that, then Google is the least of our worries with respect to privacy.

      --
      Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  37. Re:What's their motivation? by lennier · · Score: 2, Insightful

    "So in other words, for less than two days, their DNS log, and nothing else, will know that a particular request was made from a particular IP."

    So they say. You have more than their word for that?

    Oh right. A big US corporation would never lie, even in the service of compliance with national security and law enforcement directives which require them to.

    --
    You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  38. Re:Cool! by camperslo · · Score: 2, Interesting

    Besides 8.8.8.8 and 8.8.4.4 it looks like there's 4.3.2.1

    $ whois 4.3.2.1
            Level 3 Communications, Inc. LVLT-ORG-4-8 (NET-4-0-0-0-1)
                                                                                4.0.0.0 - 4.255.255.255
            Google Incorporated LVLT-GOOGL-1-4-3-2 (NET-4-3-2-0-1)
                                                                                4.3.2.0 - 4.3.2.255

  39. Re:trying it... by Phroggy · · Score: 2, Informative
    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  40. David Ulevitch, Founder of OpenDNS by va3atc · · Score: 2, Interesting

    David Ulevitch, Founder of OpenDNS, blogs on the issue.

    --
    Candle burns its brightest in the dark