Google Proposes DNS Extension
ElusiveJoe writes "Google, along with a group of DNS and content providers, hopes to alter the DNS protocol. Currently, a DNS request can be sent to a recursive DNS server, which would send out requests to other DNS servers from its own IP address, thus acting somewhat similar to a proxy server. The proposed modification would allow authoritative nameservers to expose your IP address (instead of an address of your ISP's DNS server, for example) in order to 'load balance traffic and send users to a nearby server.' Or it would allow any interested party to look at your DNS requests. Or it would send a user from Iran or Libya to a 'domain name doesn't exist' server."
I'm trying to think of a legitimate reason for Google to want this pushed through, other than to track their users. I can understand an IP wanting to use the "load balancing" reasoning, but tracking user activity is the ONLY thing Google stands to gain.
Q.E.D.
No, but given that only an additional 255 (or is it 254?) users besides you can be coming from that range, it's not like over time someone can't correlate this to you.
I'm not convinced this doesn't have privacy implications, or that we're not better off with our requesting DNS being the one who is shown. I don't necessarily want web sites to know where I'm coming from.
Cheers
Lost at C:>. Found at C.
It seems IPv6 will be in use soon; so why tinker with DNS requests on IPv4?
Also, does anybody know how geolocating an IP will be done on IPv6 (at least down to country level)?
The first three octets limit you to a maximum of 256 machines. In practice, most addresses are assigned in /24s, so you end up with two of these used for the router and broadcast addresses. Most broadband ISPs don't recycle addresses often, so you end up with the same IP for weeks, if not months, at a time. Of the other 200 people on your /24, how many are online at the same time as you? Maybe 10-20? Of these, how many have sufficiently similar surfing patterns that, when you combine the DNS results with tracking data from all sites that use Google analytics, they can't be distinguished from you?
If Google can't track your Internet usage from the first three octets of your IP address and DNS results then they haven't got nearly as much expertise in data mining as you'd need to operate a successful search engine.
I am TheRaven on Soylent News
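To make concrete what the summary and the /24 discussion above are arguing about, here is an added example (not from the original thread or from Google's draft) that encodes and decodes the client-subnet EDNS option using the layout later standardized in RFC 7871 (option code 8; the 2010 draft used an experimental code, so the code value is an assumption here). It shows what a recursive resolver actually forwards when it truncates the client address to a prefix, and how many addresses that prefix still narrows a user down to.

```python
import ipaddress
import struct

# Option code and family values as in RFC 7871 (assumed here; the 2010
# draft this thread discusses used an experimental option code).
ECS_OPTION_CODE = 8
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def build_ecs_option(client_ip: str, source_prefix_len: int) -> bytes:
    """Encode the client's address, truncated to source_prefix_len bits,
    as an EDNS Client Subnet option: code, length, family, source prefix,
    scope prefix (0 in a query), then only the prefix bytes of the address."""
    addr = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    max_len = 32 if addr.version == 4 else 128
    if not 0 <= source_prefix_len <= max_len:
        raise ValueError("prefix length out of range")
    # Zero the host bits so nothing past the prefix leaves the resolver.
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix_len}", strict=False)
    nbytes = (source_prefix_len + 7) // 8
    payload = struct.pack("!HBB", family, source_prefix_len, 0)
    payload += net.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs_option(option: bytes) -> dict:
    """Decode an option; reject mismatched lengths and non-zero host bits,
    which would leak more of the client address than the prefix claims."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source_len, scope_len = struct.unpack("!HBB", option[4:8])
    addr_bytes = option[8:]
    full = 4 if family == FAMILY_IPV4 else 16
    if len(addr_bytes) != (source_len + 7) // 8:
        raise ValueError("address length does not match prefix length")
    addr = ipaddress.ip_address(addr_bytes + b"\x00" * (full - len(addr_bytes)))
    net = ipaddress.ip_network(f"{addr}/{source_len}", strict=False)
    if net.network_address != addr:
        raise ValueError("host bits leaked past the stated prefix")
    return {"family": family, "source_prefix": source_len,
            "scope_prefix": scope_len, "network": str(net),
            "addresses_covered": net.num_addresses}


if __name__ == "__main__":
    # Constructed sample client address (documentation range), sent as a /24.
    print(parse_ecs_option(build_ecs_option("203.0.113.77", 24)))
```

With a /24 the authoritative server still learns a block of 256 addresses, which is the pool the comment above is counting against; shortening the prefix the resolver sends is the only knob on the resolver side that widens it.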
Are you sure there's *no* good reason? I can understand saying that you think the downsides outweigh the benefits, but they claim that it would help them to "load balance traffic and send users to a nearby server," and it seems very possible that this functionality could be used that way. Yes, I'm sure you could accomplish this in other ways, too, but maybe Google feels like this will help them do it more efficiently. With all the traffic Google gets, efficiency is a big deal.
Maybe there's another solution though? Like providing multiple DNS results for each query with enough information to let the client-side intelligently pick their own server out of the list?
I don't know. I just know enough to know that DNS isn't so perfect as to be beyond improvement.
NO IT ISN'T.
Domains can already manage their own worldwide content distribution networks, and route requests after they get to them.
When large volumes of bits are involved, like most responses from CDN servers, then YES, "This is important!"... but for the DNS request packets to also be pooled and routed in this fashion is unnecessary and, as the submitter points out, opens up massive privacy holes currently plugged.
This isn't about single points of failure... it's purely load balancing that can already be done without sacrificing anything. Google just has their hands on so much of the system that it makes sense to them, the same sense it would make for a video software developer to put an MPEG codec directly in the OS kernel...
The layers are there for a reason.
I agree. If Google wants my computer to use an IP nearer to my physical location they will move to extend DNS to include the geographic data in the replies. That way they send me a list of IPs + geography data for each and I get to choose to honor or ignore it.
To: DNSEXT (DNS Extension Working Group, Internet Engineering Task Force)
From: Paul Vixie
Date: Thu, 28 Jan 2010
"I don't think that's a general enough solution to be worth standardizing.
please investigate the larger context of client identity, beyond the needs
of CDN's."
I also agree with his later statement in the same thread:
"it may be too dangerous in any form but that's a separate issue."
-- Terry
Since all Swedish internet traffic that crosses our borders is nowadays monitored by FRA (roughly NSA to you Americans), this could give companies an option to route traffic from Sweden directly to Swedish servers, without needing a redirect from the foreign servers. Of course, FRA could still see the request from the local DNS to the authoritative DNS, but assuming this traffic is encrypted, it would make the FRA law look increasingly stupid and ineffective.