Slashdot Mirror


A Look At the Safety of Google Public DNS

darthcamaro writes "Yesterday we discussed Google's launch of its new Public DNS service. Now Metasploit founder and CSO at Rapid7, H D Moore, investigates how well-protected Google's service is against the Kaminsky DNS flaw. Moore has put together a mapping of Google's source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports. The InternetNews report on Moore's research concludes: 'What Moore's preliminary research clearly demonstrates to me is that Google really does need to live up to its promise here. Unlike a regular ISP, Google will be subject to more scrutiny (and research) than other DNS providers.'"
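An added example, not part of the original submission or of Moore's research: one way to check whether a resolver's source ports are "sufficiently random" within a small range, from ports observed on consecutive queries. The sample port lists, the 2048-port range and the 0.5 predictability threshold are constructed assumptions, not measurements of any real resolver.

```python
import math
import random
from collections import Counter

TXID_BITS = 16  # width of the DNS transaction ID


def port_stats(ports):
    """Summarise UDP source ports seen on consecutive queries from one resolver."""
    n = len(ports)
    counts = Counter(ports)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    # Share of consecutive queries separated by the single most common step.
    # Close to 1.0 means fixed or incrementing ports, however wide the range.
    steps = Counter((b - a) % 65536 for a, b in zip(ports, ports[1:]))
    top_step_share = steps.most_common(1)[0][1] / (n - 1)
    return {
        "span": max(ports) - min(ports) + 1,
        "entropy_bits": entropy,
        "top_step_share": top_step_share,
    }


def guess_bits(ports, predictable_share=0.5):
    """Rough bits an off-path spoofer must guess: the TXID, plus the port
    only when the port sequence is not predictable from the previous query."""
    s = port_stats(ports)
    if s["top_step_share"] >= predictable_share:
        return float(TXID_BITS)
    return TXID_BITS + math.log2(s["span"])


# Constructed samples (assumptions for illustration only).
rng = random.Random(2009)
SAMPLES = {
    "fixed": [53000] * 256,
    "sequential": list(range(40000, 40256)),
    "random_small_range": [rng.randrange(30000, 30000 + 2048) for _ in range(256)],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        s = port_stats(ports)
        print(f"{name:20s} span={s['span']:5d} entropy={s['entropy_bits']:.2f} "
              f"top_step={s['top_step_share']:.2f} guess_bits={guess_bits(ports):.1f}")
```

The sequential sample scores a full 8 bits of entropy yet adds nothing to the guessing cost, which is why the step check matters as much as the spread of ports.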

22 of 213 comments

  1. And the worst case scenario? by Monkeedude1212 · Score: 3, Insightful

    It fails miserably, Google revokes it, and we all go back to loving them.

    Everyone loves taking a shot at Google, but when they are providing a new FREE service - I can't see it destroying their public image all that much.

    1. Re:And the worst case scenario? by Monkeedude1212 · Score: 3, Insightful

      Except that no one I know blasts Hotmail or Live messenger or those services because they do exactly what they aim to do.

    2. Re:And the worst case scenario? by kdemetter · Score: 3, Informative

      Well, the being free part I guess.
      Which is correct: it's not because it was free that it was a problem, but that it was completely integrated, giving it a near monopoly position in the browser market.

      And in the case of IE, it's so much part of the OS, that you don't get it for free, you pay for it in the price (the developers of IE don't work for free, they are paid with the money Microsoft gets from the sales).

    3. Re:And the worst case scenario? by thetoadwarrior · Score: 4, Insightful

      Hotmail was only ok before MS owned but now it's bloated ugly and not better for much more than a spam box. Most other live services are just inferior alternatives to something Google has done better and serves as nothing more than an attempt to take down Google.

  2. Re:Privacy for what? by beefnog · Score: 5, Insightful

    The one thing that strikes me as silly about the "what if Google datamines our DNS requests" concern is that those people assume their ISPs aren't already doing so.

  3. Re:Privacy for what? by LOLLinux · Score: 5, Insightful

    And what strikes me as even more silly is when people use the comeback of "But [insert person, group, company, etc] is (probably) already doing it too!" as if that justifies the actions of someone else.

  4. Re:Privacy for what? by maxume · Score: 5, Informative

    Their public statements say that they are not linking the requests to other Google services, and that they are discarding ip addresses within a day or two.

    --
    Nerd rage is the funniest rage.

  5. Re:Privacy for what? by DragonWriter · Score: 5, Interesting

    The one thing that strikes me as silly about the "what if Google datamines our DNS requests" concern is that those people assume their ISPs aren't already doing so.

    The especially odd part about the complaint is that Google has an upfront, posted policy about what they are doing as far as retaining your DNS requests, which I've never seen from an ISP.

  6. Re:Privacy for what? by beefnog · Score: 5, Insightful

    I'm not saying that it justifies it in any way. I'm merely pointing out that scapegoating a company that does genuinely good things while ignoring the company that routinely dicks its customers is odd. Plus, if you had read yesterday's article, you would understand that google is purging IP addresses from the records.

  7. Re:Privacy for what? by octaene · Score: 3, Interesting

    An excellent point. That's why I think OpenDNS is a better option. They at least appear to give you a choice in the matter. I'm not sure Google's services are equitable. There's a good blog post from the founder of OpenDNS where he critiques Google's service. It's a good read.

    http://blog.opendns.com/2009/12/03/opendns-google-dns/

  8. Re:Privacy for what? by MozeeToby · Score: 5, Insightful

    And what strikes me as even more silly is that Google has a privacy policy for the service that says all logs are deleted after 48 hours and aren't linked back to other Google services whereas I have no privacy statement at all about DNS from my ISP (since they slipped it in silently about 4 months ago).

  9. Re:Privacy for what? by sonnejw0 · Score: 4, Insightful

    Except that Google has a lot of other information on us already, too. Cross-referencing data sets provides true statistical power. Our ISPs do not have the same information that we voluntarily give Google. There's regulation against our ISPs stealing the information that gets passed through them. There's no stopping voluntarily giving Google control of our email, calendar, health records, DNS requests, marketing information, voicemail transcripts, blog articles ...

  10. Yeah, sure, give them even more information by cheros · Score: 4, Insightful

    I find it amazing that nobody seems to notice that adding an ECHELON and a DCS1000 feed to Google is making it like the NSA, but where people actually VOLUNTEER data. In addition, its Terms of Service give it more legal freedom to use and abuse your information and intellectual property than even the US border control can with accessing laptops of people entering the country.

    It appears 8+ years of indoctrination is paying off big time - nobody appears to remember that privacy is a basic right. All it takes is some BS about "not being evil" for people to miss the shocking depth to which they can access all your personal data. Even the stuff they don't hold themselves will come up through the search engine. By matching up DNS records they will be able to add your entire Internet activity to your identity.

    That's going to be fun when you catch some sort of virus downloading porn - and the next time you apply for a job..

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.

  11. Re:Privacy for what? by maxume · Score: 3, Informative

    Ya know, if I had an answer to that, I might have phrased my statement a little differently.

    I guess the best answer at this point is simply to point out that they haven't done a great deal to suggest that you shouldn't believe them, and on some level, they are regulated by a reasonable government (depending quite a lot on how one chooses to define reasonable).

    --
    Nerd rage is the funniest rage.

  12. Re:Privacy for what? by shentino · Score: 5, Insightful

    You do realize the inherent conflict of interest in criticism from a competitor right?

    Do remember that at least and load up on grains of salt.

  13. Re:Privacy for what? by markkezner · Score: 4, Informative

    For me, the dealbreaker with OpenDNS is that, when you type in a non-existent domain, OpenDNS resolves it to an IP that gives you their custom search page. The standards-compliant response would be NXDOMAIN, which is what Google (and some others) provide. This alone was enough to make me switch away from OpenDNS.

    --
    Dangerous, sexy, turing complete: Femme Bots

  14. Limited privacy problem for cached routers by cenc · Score: 3, Insightful

    So I am giving Google DNS a try on my networks.

    I do not see the privacy issues, as they are very limited if you are using a cache on your router with Google as the DNS server. Google gets to see one lookup, and then my home router (with dnsmasq) serves any repeat visits for me or the other computers on my network. For the majority of the sites I visit on a regular basis, my router provides the DNS.

    I would suspect that a majority of people using home routers have some sort of cache now in the firmware that does similar work, in their OS, or their browser. It is not like Google is able to see me hit their DNS (although I am sure that is true for some users), every time I want to visit a site again. It is of little value, other than in the most general sense of determining what sites are popular.

  15. Re:Jenny by bunratty · Score: 3, Funny

    Google, Google, who can I turn to? 8.67.53.09

    --
    What a fool believes, he sees, no wise man has the power to reason away.

  16. Re:Privacy for what? by Brian Recchia · Score: 3, Informative

    Now read chapter 1 of their Terms of Service and see how it takes precedence over EVERYTHING else.

    Actually, this is quite the opposite.

    1.5 If there is any contradiction between what the Additional Terms say and what the Universal Terms say, then the Additional Terms shall take precedence in relation to that Service.

    In the document, "Additional Terms" refers to additional ToS documents and Privacy Policy documents, etc., and "Universal Terms" refers to this. I think this is pretty much the most straightforward legalese I've ever seen, and it very clearly states that if the privacy policy of their DNS solution says they're not going to keep your data more than 48 hours, they are not going to, regardless of what the Universal Terms document states.

  17. Re:Privacy for what? by markkezner · Score: 3, Informative

    That may be true, but their preferences only work if OpenDNS can tell which networks are yours. They detect this when you use your browser to log into the control panel, or if you install client-side software (OpenDNS Updater, which is Win\Mac only). You could do it with DynDNS too, but not everyone uses that.

    Anyway I'd rather not go through all that effort, and would prefer the NXDOMAIN behavior to be the default for anonymous requests.

    --
    Dangerous, sexy, turing complete: Femme Bots

  18. Already banned in China by dUN82 · Score: 3, Informative

    Reports from my friend inside the GFW, both DNS servers already banned by the Chinese government...wth...and openDNS stayed untouched for like ever...

  19. Re:Privacy for what? by dissy · Score: 3, Interesting

    My real concern with Google DNS is privacy. Your DNS records are extremely valuable to google, so I sincerely doubt google is not going to record them.

    I'm not even entirely convinced about the benefit of using google's; your local DNS server hierarchy is going to be far more responsive, even if it does have a higher miss rate.

    So what you are saying is, you are upset at the idea of google logging your dns traffic, yet NOT upset with the idea of your ISP logging your DNS traffic and selling it to google?

    Because google only gave you a legal document stating they wouldn't record your traffic longer than 48 hrs and would not tie those results with any other google service. You know, a legal document that you can use in court.

    Your ISP has provided no such document, and as you admit to sincerely doubt google would avoid doing what is now illegal, so you must equally doubt your ISP would avoid doing it too, probably more so since your ISP likely has no such legal document.

    Sounds to me the only way you can sleep easy at night would be to switch to google, and letting your doubt rest easy knowing you now have the law on your side, and moving away from your ISP that most likely IS (and if not, could legally do so) what you are so worried of.