Slashdot Mirror
A Look At the Safety of Google Public DNS
darthcamaro writes "Yesterday we discussed Google's launch of its new Public DNS service. Now Metasploit founder and CSO at Rapid7, H D Moore, investigates how well-protected Google's service is against the Kaminsky DNS flaw. Moore has put together a mapping of Google's source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports. The InternetNews report on Moore's research concludes: 'What Moore's preliminary research clearly demonstrates to me is that Google really does need to live up to its promise here. Unlike a regular ISP, Google will be subject to more scrutiny (and research) than other DNS providers.'"
It fails miserably, Google revokes it, and we all go back to loving them.
Everyone loves taking a shot at Google, but when they are providing a new FREE service - I can't see it destroying their public image all that much.
The one thing that strikes me as silly about the "what if Google datamines our DNS requests" concern is that those people assume their ISPs aren't already doing so.
And what strikes me as even more silly is when people use the comeback of "But [insert person, group, company, etc] is (probably) already doing it too!" as if that justifies the actions of someone else.
Yes, it might be useful for people whose ISP DNS server is slow. That didn't happen to me since my dialup days. Besides, now I simply run my own caching DNS server. It's not hard to set up at all.
I'm not saying that it justifies it in any way. I'm merely pointing out that scapegoating a company that does genuinely good things while ignoring the company that routinely dicks its customers is odd. Plus, if you had read yesterday's article, you would understand that google is purging IP addresses from the records.
And what strikes me as even more silly is that Google has a privacy policy for the service that says all logs are deleted after 48 hours and aren't linked back to other Google services whereas I have no privacy statement at all about DNS from my ISP (since they slipped it in silently about 4 months ago).
Except that Google has a lot of other information on us already, too. Cross-referencing data sets provides true statistical power. Our ISPs do not have the same information that we voluntarily give Google. There's regulation against our ISPs stealing the information that gets passed through them. There's no stopping voluntarily giving Google control of our email, calendar, health records, DNS requests, marketing information, voicemail transcripts, blog articles ...
I find it amazing that nobody seems to notice that adding an ECHELON and a DCS1000 feed to Google is making it like the NSA, but where people actually VOLUNTEER data. In addition, it's Terms of Service give it more legal freedom to use and abuse your information and intellectual property than even the US border control can with accessing laptops of people entering the country.
It appears 8+ years of indoctrination is paying off big time - nobody appears to remember that privacy is a basic right. All it takes is some BS about "not being evil" for people to miss the shocking depth to which they can access all your personal data. Even the stuff they don't hold themselves will come up through the search engine. By matching up DNS records they will be able to add your entire Internet activity to your identity.
That's going to be fun when you catch some sort of virus downloading porn - and the next time you apply for a job..
Insert
First off, ANY DNS server will be getting your IP address. After all, that's how the hell it knows where to send the fracking reply.
Secondly, logging of IPs is a basic step in holding your clients accountable to make sure you aren't being abused. If some fucktard uses a hole to hack into your system, having a log of where he came from will help nail him.
Google doesn't really have a choice but to have your data. We should judge them based on what they DO with that data.
You do realize the inherent conflict of interest in criticism from a competitor right?
Do remember that at least and load up on grains of salt.
So I am giving Google DNS a try on my networks.
I do not see the privacy issues, as they are very limited if you are using a cache on your router with Google as the DNS server. Google gets to see one lookup, and then my home router (with dnsmaque) serves any repeat visits for me or the other computers on my network. For the majority of the sites I visit on a regular basis, my router provides the DNS.
I would suspect that a majority of people using home routers have some sort of cache now in the firmware that does similar work, in their OS, or their browser. It is not like Google is able to see me hit their DNS (although I am sure that is true for some users), every time I want to visit a site again. It is of little value, other than in the most general sense of determining what sites are popular.
Living in Chile
One advantage is that unlike 4.2.2.x, you have explicit permission to use this one.
Dan K has been on /., never could cite a single example of an in-the-wild, widespread exploit of the Kaminsky DNS flaw.
Kaminsky Bug == HOGWASH
Yes. A severe security flaw in one of the fundamental layers of the internet is hogwash... because it's not CURRENTLY being widely exploited 'in the wild'.
Please, make sure I never, ever, EVER, hire you to work anywhere near my network.
Google has motivation not to have a bad ToS -- if they do, everyone will switch to OpenDNS. Google is doing a GOOD thing -- more by attaching a ToS to their DNS service than by providing a free DNS. It adds competition to the DNS marketplace, and might challenge ISPs to put more thought/transparency into their DNS offerings too.
It might suprise you, but everyone has a contract with their ISP yet there are ISPs that act against their customer's best interest. That "comeback" didn't do squat. So much for accountability.
The point here is history. Show that Google is doing something wrong, and people WILL raise a stink about it. Google gets a lot of milage out of good will and that won't last long if they misstep.
So you're saying that a clear, readable statement about privacy is more suspicious than total and complete silence on the issue? Or am I missing something? That's not really what you meant, right?
Google feels the need to do this because every time they offer a new service "privacy" is the very first word off everyone's lips. How many times have we all read diatribes against Latitude, Gmail, etc for lack of a clear disclosure of privacy terms before the service even goes beta? And now that Google has released clear, plain English privacy statements about a new service, it's suspicious behavior? Sounds to me like Google is giving the general public what they asked for.
I'd say that if Google is the first ISP or service to have a privacy policy (which they are not, but let's say they are) then this is to be commended, not criticized. Again, they are not. OpenDNS, at least, has a clear policy and it seems to be a good one. And kudos to them for offering it.
I'd rather have a clear cut policy, even if it is subject to change, than total silence where the vendor can do anything they want without telling me. Google has been pretty good about telling me when the privacy policy for specific services changes, and for the most part they have been responses to accusations of what people THINK they MIGHT do with the data, and by and large they've been "no, we don't do that." I don't think I've ever seen them update a privacy policy for the purpose of giving them more rights than they had prior to the change.
If you don't trust Google, fine. They, like any other company or person, certainly could be lying. Fair enough.
I think they've certainly held up well to public scrutiny of their actual privacy practices, overall. They've certainly made some mistakes, but they've also been pretty good about discussing them openly, correcting them when their user base decides that a particular practice is unacceptable, and (like Microsoft with security) seem to be taking privacy extremely seriously.
Of course, Google also does not provide any core services. Email (Gmail), IM (GoogleTalk), DNS, search, mapping, collaboration (Wave), news aggregation (Google News) - every one of these services is available elsewhere. Just make sure you look at the privacy policies of your chosen vendor, and please consider that a lack of a written policy is generally not a good sign.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
I know I certainly trust Google more than my ISP (Comcast) and if I had the option to use Google as my ISP, I would.
That said, if my ISP wants my DNS data, they can have it. And by can I mean they're able to have it, not that I'd give it to them. DNS isn't an encrypted protocol, so even if I used Google's public DNS, it's relatively trivial for my ISP to watch everything that goes out on port 53.
So if you start with the presumption that your ISP is pure evil and will be doing this type of thing anyways (I'd say that's fairly safe in my case), the choice is not between the ISP and Google, it's between the ISP and both Google and the ISP.
That said, I made the choice to use Google's DNS for the simple reason that it's faster. I just don't care about the privacy aspect enough to base my decision on it. But I'm under no illusion that by choosing to use Google I've been able to keep Comcast from accessing the data.