Google Proposes DNS Extension

ElusiveJoe writes "Google, along with a group of DNS and content providers, hopes to alter the DNS protocol. Currently, a DNS request can be sent to a recursive DNS server, which would send out requests to other DNS servers from its own IP address, thus acting somewhat similar to a proxy server. The proposed modification would allow authoritative nameservers to expose your IP address (instead of an address of your ISP's DNS server, for example) in order to 'load balance traffic and send users to a nearby server.' Or it would allow any interested party to look at your DNS requests. Or it would send a user from Iran or Libya to a 'domain name doesn't exist' server."

41 of 271 comments

  1. Not as evil as suggested by Saishuuheiki · · Score: 5, Informative

    If you read the entire post by Google, you'll notice they are suggesting only the first 3 octets of the IP address are transmitted. Now while this could theoretically be used to censor regions of users, it could not be used to expose you (since it isn't the complete IP address).

    1. Re:Not as evil as suggested by gstoddart · · Score: 2, Interesting

      If you read the entire post by Google, you'll notice they are suggesting only the first 3 octets of the IP address are transmitted. Now while this could theoretically be used to censor regions of users, it could not be used to expose you (since it isn't the complete IP address).

      No, but given that only an additional 255 (or is it 254?) users besides you can be coming from that range, it's not like over time someone can't correlate this to you.

      I'm not convinced this doesn't have privacy implications, or that we're not better off with our requesting DNS being the one who is shown. I don't necessarily want web sites to know where I'm coming from.

      Cheers

      --
      Lost at C:>. Found at C.
    2. Re:Not as evil as suggested by TheRaven64 · · Score: 2, Interesting

      The first three octets limit you to a maximum of 256 machines. In practice, most addresses are assigned in /24s, so you end up with two of these used for the router and broadcast addresses. Most broadband ISPs don't recycle addresses often, so you end up with the same IP for weeks, if not months, at a time. Of the other 200 people on your /24, how many are online at the same time as you? Maybe 10-20? Of these, how many have sufficiently similar surfing patterns that, when you combine the DNS results with tracking data from all sites that use Google analytics, they can't be distinguished from you?

      If Google can't track your Internet usage from the first three octets of your IP address and DNS results then they haven't got nearly as much expertise in data mining as you'd need to operate a successful search engine.

      --
      I am TheRaven on Soylent News
    3. Re:Not as evil as suggested by Talisein · · Score: 4, Insightful

      Web sites already know where you're coming from. They have your IP address. Every single one of them, unless you're using a proxy. The problem is they can't easily redirect you to the server closest to you once you've already resolved their address. The only ones in the whole system who do not know your IP when you're browsing the web are potentially the authoritative DNS servers; the usual case is that the same people who run the authoritative DNS server also run the web server, so while they don't get your IP when you do the DNS lookup, they will when you eventually land on the site.

      --
      "The right to do something does not mean doing it is right." William Safire
    4. Re:Not as evil as suggested by Anonymous Coward · · Score: 2, Insightful

      I'm not worried about the "evil" aspect of it. This just doesn't sound like what DNS should be used for.

    5. Re:Not as evil as suggested by Saishuuheiki · · Score: 2, Informative

      Isn't it a moot discussion anyways? Generally speaking they're going to get your IP address anyways when you connect to their server; so why is it important if they get your IP earlier when you're looking up their server?

      I guess there could be some way to track what sites you're looking up from different tiers of DNS servers. If you were using google DNS, they'd have your entire DNS anyways, and if you were using another, then they'd only get your IP if you're connecting to google.com

  2. Bad summary by Talisein · · Score: 3, Informative

    The proposal says they would only use the first three octets. And users could just use a different DNS server if they had a restrictive server that blacklisted Iran or whatever.

    --
    "The right to do something does not mean doing it is right." William Safire
  3. Wow, Slashdot editors hate Google by Anonymous Coward · · Score: 5, Insightful

    The summary isn't even close to correct. What the hell is going on with Slashdot these days?

    1. Re:Wow, Slashdot editors hate Google by ionix5891 · · Score: 2, Funny

      it's ok, they hate Micro$oft more (yes, that's a dollar sign in there :D)

    2. Re:Wow, Slashdot editors hate Google by Nimey · · Score: 5, Informative

      These days?

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
  4. Re:Do no evil, eh? by TooMuchToDo · · Score: 2, Informative

    Not really. Load balancers provide features like constant service checks and "sticky" sessions that DNS isn't going to be able to provide (theoretically, service checks could be done, but it's going to be faster and more accurate to have the appliance on-site doing the checks). You don't want your load balancing flapping because some point between you and the DNS servers is suffering from congestion, negating your service checks to perform said load balancing.

  5. Re:Do no evil, my ass. by jwinster · · Score: 2, Interesting

    I'm trying to think of a legitimate reason for Google to want this pushed through, other than to track their users. I can understand an IP wanting to use the "load balancing" reasoning, but tracking user activity is the ONLY thing Google stands to gain.

    --
    Q.E.D.
  6. Re:Do no evil, my ass. by 2obvious4u · · Score: 4, Insightful

    IF governments couldn't get Big Brother information from Corporations, then I wouldn't have a problem with data mining. What is scary about Big Brother is a government using the information to use the force of the state to put people in jail. A corporation uses that information to provide products that consumers want. The government uses that information to control the population through force.

    If Google could be trusted to never hand that information over to the government, then I would have no problem with them data mining as much as they want.

    Those were really big IFs since we all know the government can easily get the information from Google, therefore we don't want them to have it.

    There are lots of value add services that can be done because of data mining that consumers and the population want, they just ignore the consequences of the government also having access to the same data.

  7. How's that evil? by Anonymous Coward · · Score: 5, Insightful

    What a load of crap. There is no way to exploit that. If someone wants to block certain IP ranges, it is much more efficient to do so at the HTTP (or whatever the protocol in use is) level, rather than in DNS.

    Even if this gets introduced, every DNS server will continue supporting the old (without 'IP forwarding') way of doing things, so it's easy enough to pick a DNS server which doesn't forward your IP. Everything will work just as it does now (you won't have the potential speed advantage you might get with the new system though).

    Whoever wrote TFS doesn't know the first thing about how networks work. Looking at what just happened in China, do you think that Google of all companies really wants to endanger your privacy?

    The reason why Google offers public DNS servers and why they came up with this is because they want to make the internet faster for everyone. And they're doing it in an open, backwards-compatible way.

    This is a good idea and should be implemented.

    1. Re:How's that evil? by osu-neko · · Score: 2, Insightful

      My good AC, I actually think you aren't a Google astroturf, but how naive can this be? Google is a public corporation whose fiduciary duty is to make money for their shareholders, not make the intertubes flow more smoothly, unless that causes Google to make more money.

      ...and if you don't see how that causes Google to make more money, you're an idiot. Extra points for calling someone "naive" for not being as gullible as you.

      --
      "Convictions are more dangerous enemies of truth than lies."
  8. This is important! by HaeMaker · · Score: 5, Insightful

    This is extraordinarily important for efficient operation of the internet. If people want to block you, they can, DNS or no DNS. However, for global load balancing, this is vital. You want to connect to a server near you, not near your DNS server.

    This will not stop the proper function of proxies.

    1. Re:This is important! by Anonymous Coward · · Score: 2, Informative

      If you're attempting to contact the domain, the DNS server will have your domain anyway. The privacy stuff here is specious.

      You're thinking that this is about loadbalancing the DNS requests. That isn't the case, RTFA, etc. This is about what HaeMaker said -- getting the user to the server closest to them, instead of to a completely arbitrary server halfway around the globe!

      How are you proposing to do loadbalancing when:
      0) If you haven't noticed, large sites DO have a sit-ton of traffic coming to and from them.
      1) HTTP doesn't allow for a redirect to another IP address using the same hostname (it relies *entirely on DNS for that)
      2) If you can't use DNS to direct to the appropriate host (via IP), then you have to route the traffic over the "wrong" links *twice*. That is a lot of bandwidth.

  9. Google, you are wrong here. by Tei · · Score: 3, Informative

    The Internet already works without the need to propagate this information. Following the OS concept of "less power", the less information about you that is propagated, the fewer problems.

    "By returning different addresses to requests coming from different places, DNS can be used to load balance traffic and send users to a nearby server. For example, if you look up www.google.com from a computer in New York, it may resolve to an IP address pointing to a server in New York City. If you look up www.google.com from the Netherlands, the result could be an IP address pointing to a server in the Netherlands. Sending you to a nearby server improves speed, latency, and network utilization."

    It seems this balancing is already possible without the need to propagate that data. I choose here safety/privacy over a potential speed gain. Also, the risk is for everyone, but the gain is just for a few (the people that have lots of servers and need a balancing solution)... hence, it is unfair. My view of this.

    --
    -Woof woof woof!

  10. What about IPv6 by wadey · · Score: 2, Interesting

    It seems IPv6 will be in use soon; so why tinker with DNS requests on IPv4?

    Also, does anybody know how GEO locating an IP will be done on IPv6 (at least down to country level)?

  11. Needed, not evil... by nweaver · · Score: 5, Insightful

    There are already many uses where the IP address of the resolver is used to determine service, basically every CDN etc uses this technique.

    This extension is needed if you want OpenDNS and the like to Not Suck when fetching Akamai sourced content, youtube videos, etc.

    And it's not like the owner of the DNS authority won't find out who you are anyway, after all, you then CONTACT THEM DIRECTLY WITH YOUR IP ADDRESS!!

    --
    Test your net with Netalyzr
  12. Re:Do no evil, eh? by nine-times · · Score: 2, Interesting

    Are you sure there's *no* good reason? I can understand saying that you think the downsides outweigh the benefits, but they claim that it would help them to "load balance traffic and send users to a nearby server," and it seems very possible that this functionality could be used that way. Yes, I'm sure you could accomplish this in other ways, too, but maybe Google feels like this will help them do it more efficiently. With all the traffic Google gets, efficiency is a big deal.

    Maybe there's another solution though? Like providing multiple DNS results for each query with enough information to let the client-side intelligently pick their own server out of the list?

    I don't know. I just know enough to know that DNS isn't so perfect as to be beyond improvement.

  13. Re:Do no evil, my ass. by Anonymous Coward · · Score: 5, Insightful

    Are you being deliberately obtuse? Region-based load balancing also helps content providers reduce latency and get better bandwidth by reducing the number of network hops between you and the web server. This could be very beneficial to sites like Youtube and other high-bandwidth sites.

    And the privacy issues strike me as semi-bullshit. You are looking up the DNS for a website YOU WERE PLANNING TO VISIT ANYWAY. When you visit the web site, they have your full IP address anyway. Sure, there are potential man-in-the-middle issues, and maybe some worries in cases where the web server operator (which presumably you want to give your IP address to) and the DNS server operator are different people. But seriously, web browsing is not IP address anonymous in any way, so I see no reason why DNS has to be either. If you want that level of privacy, you should be using Tor.

    Anyway, the privacy/efficiency debate is worth having, but you have to first acknowledge that Google's legitimate reason for this extension might actually be the reason they stated.

  14. I can't see how this gives Google any more data by TheSunborn · · Score: 3, Insightful

    I can't see how this gives any more information to Google or other users.

    Example: If I do a lookup on www.slashdot.org then this query should never hit any DNS server controlled by Google.

    The only way a query would end up on a Google controlled DNS server would be if the domain I looked up was owned by Google, and in that case I don't care, because then I am about to visit the site anyway, which means they will have my entire IP.

  15. Re:Do no evil, eh? by dito · · Score: 5, Insightful

    Well, the summary lists two ways that this could be used for "evil":

    1) Or it would allow any interested party to look at your DNS requests.
    2) Or it would send a user from Iran or Libya to a "domain name doesn't exist" server.

    Violating privacy and enabling censorship have no place in the Western world.

    You are assuming that the summary bears any relation to reality!

    The proposal is that your ISP's resolver will pass your approximate IP address when doing a DNS request on your behalf so that you can be sent to a close-by server for your actual TCP connection.

    What extra information does someone get here? How does this allow "any interested party to look at your DNS requests"?

    On the Iran point, if the website wants to block users from Iran, they can do that when you make the TCP connection - at that time they get your exact IP address and can apply any filtering policy they like.

  16. Think about how this is working... by schon · · Score: 3, Informative

    With this DNS extension, they can see what sites buckets of people are visiting when they're NOT on google sites or where goog ads are being served.

    Umm, how is that, exactly? Assume this gets adopted - Google's DNS servers aren't authoritative for anyone other than Google - so they won't see your DNS requests... and even if they were, they'd only see traffic for the sites that Google DNS is authoritative for.

    Consider the fact that Google runs a caching DNS already, they don't need this - they'll already have the data for everyone using their resolver service, which would be much more data than this would get them.

    In short, I think your tinfoil hat is a little tight. This sounds to me like Google's DNS service has turned out to be using more of their bandwidth than they anticipated, and they're looking to reduce it.

  17. Ups and Downs by LaminatorX · · Score: 4, Insightful

    I like it. I don't know what the aggregate increase in efficiency across the net would be, but I'm betting if Google is suggesting it, it could be significant. While there are some potential abuses, they're really no different than what can already be done at the router/server level currently.

  18. Re:Do no evil, eh? by donaggie03 · · Score: 2, Informative

    On your point about the Iran point...I think there is still the issue of intermediate servers sending "domain doesn't exist" messages to Libyan requests before the packet even reaches the intended destination.

    --
    Three days from now?? That's tomorrow!! ~Peter Griffin
  19. Re:Do no evil, my ass. by mother_reincarnated · · Score: 3, Insightful

    Oh because they're not going to get all four octets a fraction of a second later when you CONNECT TO THEIR SERVER?

    Critical thinking people... This would actually let people not use their ISP provided LDNS' without getting asstastic performance from every big site out there!

  20. Re:Do no evil, eh? by dito · · Score: 5, Informative

    On your point about the Iran point...I think there is still the issue of intermediate servers sending "domain doesn't exist" messages to Libyan requests before the packet even reaches the intended destination.

    What intermediate servers? The only parties involved here are you, the website and a 3rd-party resolver that you have chosen to use.

    If you don't trust your 3rd-party resolver then you're screwed with or without this extension because this resolver can see your full IP address and can lie to you about DNS (e.g. sending you to an ad site instead of saying "no such domain" or whatever).

    If you don't trust the website then why are you trying to connect to it? The website will get your full IP address as soon as you connect and can then do whatever it likes with that.

    Assuming you are actually planning on connecting to the website and not just doing DNS requests for the sake of it, nobody gets any information that they weren't going to get anyway and nobody has any opportunity to block you that they weren't going to have anyway.

  21. Re:Do no evil, eh? by badpazzword · · Score: 2, Informative

    From: http://arstechnica.com/tech-policy/news/2010/01/google-wants-to-see-client-addresses-in-dns-queries.ars

    "Google does have a plan to avoid the most egregious privacy concerns. "Recursive Resolvers are strongly encouraged to conceal part of the IP address of the user by truncating IPv4 addresses to 24 bits." Coincidentally, 24 bits maps directly to the minimum address block that can be carried in the Internet's routing system. Carrying any more than that won't help solve the network distance problem using the routing tables. For IPv6, there is no corresponding number that everyone agrees to, but the authors of the draft suggest truncating IPv6 addresses as well. Of course, the owner of the authoritative DNS server still gets to see the client's full IP address when the HTTP request for the actual content is sent."

    --
    When ideas fail, words become very handy.
  22. Re:Do no evil, eh? by ultranova · · Score: 2, Insightful

    Violating privacy and enabling censorship have no place in the Western world.

    Oh, how I wish that was true!

    --
    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  23. Duh by TheNinjaroach · · Score: 5, Funny

    If you don't trust the website then why are you trying to connect to it?

    Free ringtones.

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
  24. Re:Do no evil, eh? by insnprsn · · Score: 2, Insightful

    Just because evil could be done with this does not mean evil will be done. People are entirely too paranoid.

  25. Re:Do no evil, eh? by natehoy · · Score: 4, Informative

    I'm confused at your assertion. Maybe I'm missing something in the article (as opposed to the summary, which is just making shit up to be scary).

    At the moment, I make a DNS request for a given domain. The DNS server sees if it has an entry cached and, if it does not, it asks an authoritative server for that domain what IP address should be used. Then it returns that IP address to me. That IP address is a fixed entity and could be located anywhere in the world. My initial connection to the domain, at least, is made using the server attached to that IP address. Then, if the data center wants to get clever, they can redirect me to a local data center by mangling the domain on all of their image loads, etc, to refer to a server closer to me. But it's clumsy, and I still have to talk to a distant server.

    Under Google's proposal, my DNS server would send the domain I'm interested in and my approximate location (first three octets of my four-octet IPv4 address). The authoritative DNS server can then make a decision whether to send me to a data center in my general area, or a data center located on the other side of the planet. The IP address I receive is determined accordingly, so I contact the local data center. The local server represents the actual domain as far as I'm concerned, so no mangling is necessary, and I never have to talk to a datacenter half a planet away. I get faster results, the domain giving me the results has a greatly simplified time doing so, and life is good.

    The only new information going to the authoritative DNS server is my approximate location. If I'm using Google's DNS servers, hell, they already have all four octets with the original DNS request. If I'm using another DNS server that supports this and I'm visiting Google, they'll give Google the first three octets. But, as soon as I have the IP address, I'm visiting the website itself and therefore the website has my full IP address. So it's not like I'm giving away any new information.

    About the only "evil" I could see is an authoritative DNS server looking at the first three octets and deciding to return a black holed address because they don't like that country. But that's already very possible without it. I do it all the time on my PHPNuke discussion boards - NukeSentinel allows me to enter large ranges of IP addresses to block, and anyone visiting from those ranges gets a very low-bandwidth "go away" message.

    I suppose my authoritative DNS server could gather more information about people looking up my domain, but then again they are my host provider, so if they want the data all they need to do is pull the IP connection logs and get the full IP.

    So I'm really struggling to figure out how this introduces any new risks of monitoring or censorship. The only entity that will receive this new data already gets far more data as soon as you visit the site. And censorship is far more easily done at the routing layer, not the DNS layer.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  26. Re:Google is further away than your ISP by nedlohs · · Score: 2, Insightful

    Because their ISP plays stupid games with DNS and setting the DNS numbers on the computer is a tad easier than setting up and running a DNS server.

  27. To quote Paul Vixie, inventor of DNS: by tlambert · · Score: 3, Interesting

    To: DNSEXT (DNS Extension Working Group, Internet Engineering Task Force)
    From: Paul Vixie
    Date: Thu, 28 Jan 2010

    "I don't think that's a general enough solution to be worth standardizing.
    please investigate the larger context of client identity, beyond the needs
    of CDN's."

    I also agree with his later statement in the same thread:

    "it may be too dangerous in any form but that's a separate issue."

    -- Terry

  28. Re:Do no evil, eh? by natehoy · · Score: 3, Informative

    That would depend on the DNS server you chose to use. You might be able to set it to slightly randomize the first three octets to something still in your vicinity but not quite as close, or you might be able to ask your DNS server to spoof it entirely.

    But think about the flow of data as it stands today:

    1. You do a DNS lookup. Your DNS server has your full IP address.
    2. Your DNS server does an authoritative lookup (assuming it's not cached). The authoritative DNS server now has the first three octets of your DNS server.
    3. Authoritative DNS server returns poorly geolocated IP address to your DNS server.
    4. Your DNS server returns the IP address to you.
    5. You use that IP address to visit the web site. That web site now has your full IP address.

    Chances are, the authoritative DNS server is run by the same organization that runs the host you are accessing, or at least the last few routers leading to it.

    If the authoritative DNS server wants your IP address, they've already got it the instant you try to use the IP address they gave you as a result of the DNS lookup. Having the first three octets is now useless to them.

    From the censorship side, having you spoof those first three octets to get an IP address to reach them will do you no good because it's FAR more effective to block or redirect requests through their routers by your source IP address. In other words, they'd give you an accurate IP address but you wouldn't be able to use it.

    Yes, you could use TOR or a proxy, but then you'd already be proxying the DNS lookup anyway, so again there's nothing to gain by spoofing the first three octets in the DNS lookup.

    This scheme has no impact on privacy - the organization that runs the authoritative server gets FAR more information the instant you use the IP address they gave you.

    It also has little impact on censorship, because censorship via DNS is going to be highly ineffective. If I knew my country used DNS-based censorship, I'd just give out IP-address-based URLs that don't need to use a DNS lookup at all. Countries that do blocking will (and already do) use blocking at the HTTP or routing layer, not DNS.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
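
The flow natehoy lays out above (resolver sees the full IP, authoritative server gets only a truncated prefix, website gets the full IP on connect), the 24-bit IPv4 truncation quoted from the draft in badpazzword's comment, and TheRaven64's "256 machines per /24" arithmetic can all be modelled in a few lines. The following is an added example, not Google's draft, not any resolver's code, and not part of the thread. The /24 IPv4 scope is the figure the thread quotes; the IPv6 scope, the point-of-presence table, the client addresses and the trace format are all constructed for the example.

```python
"""Toy model of the client-subnet DNS extension discussed in this thread.

Added example; not Google's draft or any real resolver's code. The /24
truncation for IPv4 is the figure quoted in the thread; the IPv6 length,
the PoP table and every address below are assumptions for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPV4_SCOPE = 24  # quoted in the thread: IPv4 addresses truncated to 24 bits
IPV6_SCOPE = 56  # assumption: the quoted draft text names no IPv6 length

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def truncate_client(client_ip: str) -> Network:
    """What a recursive resolver forwards instead of the client's full address."""
    addr = ipaddress.ip_address(client_ip)
    scope = IPV4_SCOPE if addr.version == 4 else IPV6_SCOPE
    return ipaddress.ip_network(f"{addr}/{scope}", strict=False)


# Constructed authoritative data for a fictitious site: which client prefixes
# should be steered to which point of presence. All addresses are
# documentation ranges (RFC 5737 / RFC 3849), not real servers.
GEO_TABLE: List[Tuple[Network, str]] = [
    (ipaddress.ip_network("198.51.100.0/22"), "192.0.2.10"),     # "New York" PoP
    (ipaddress.ip_network("203.0.113.0/24"), "192.0.2.20"),      # "Amsterdam" PoP
    (ipaddress.ip_network("2001:db8:1234::/48"), "192.0.2.20"),  # v6 users near Amsterdam
]
DEFAULT_SERVER = "192.0.2.1"  # arbitrary far-away server when no client subnet arrives


def authoritative_answer(client_subnet: Optional[Network]) -> str:
    """Toy authoritative server: picks the nearest PoP from the truncated subnet.

    Without the extension it sees only the resolver's own address and has
    nothing client-specific to go on, so it returns the default.
    """
    if client_subnet is not None:
        for region, server in GEO_TABLE:
            # 'in' is False across address families, so mixing v4/v6 is safe.
            if client_subnet.network_address in region:
                return server
    return DEFAULT_SERVER


def recursive_resolve(client_ip: str, forward_subnet: bool) -> Tuple[str, Dict[str, str]]:
    """Toy recursive resolver (the 'ultraphone' of dito's analogy).

    Returns the answer plus a trace of what each party saw. The resolver
    always sees the full client IP; the authoritative server sees either
    nothing about the client or only the truncated prefix.
    """
    subnet = truncate_client(client_ip) if forward_subnet else None
    trace = {
        "recursive_resolver_sees": client_ip,
        "authoritative_sees": str(subnet) if subnet else "resolver address only",
    }
    return authoritative_answer(subnet), trace


def anonymity_set_size(allocation_prefix: int, truncation: int = IPV4_SCOPE) -> int:
    """Customers sharing one truncated prefix, given how addresses are handed out.

    Generalises the thread's arithmetic: per-host /32 gives 256, /29 blocks
    give 32, /30 blocks give 64; a customer owning the whole /24 is 1.
    """
    if allocation_prefix <= truncation:
        return 1
    return 2 ** (allocation_prefix - truncation)


def hosts_in_prefix(client_ip: str) -> int:
    """Raw address count inside the forwarded prefix (256 for an IPv4 /24)."""
    return truncate_client(client_ip).num_addresses


if __name__ == "__main__":
    # Constructed clients: NY region, Amsterdam region, v6 near Amsterdam, unknown.
    for ip in ("198.51.100.77", "203.0.113.9", "2001:db8:1234:5678::1", "192.0.2.200"):
        for enabled in (False, True):
            answer, trace = recursive_resolve(ip, enabled)
            print(f"extension={'on ' if enabled else 'off'} client={ip:24} -> {answer}  {trace}")
    for alloc in (32, 30, 29, 24):
        print(f"/{alloc} allocations: one of {anonymity_set_size(alloc)} per forwarded /24")
```

Running the script side by side with and without `forward_subnet` shows the point several commenters make: the only party whose view changes is the authoritative server, and what it gains is a /24 (or the assumed /56), never the full address, while the recursive resolver and the eventual web connection already carry the full IP in both cases. The `anonymity_set_size` helper reproduces the 256 / 64 / 32 figures from the thread and makes explicit that the privacy margin depends on how finely the ISP allocates addresses within the truncated block.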
  29. Re:Google is further away than your ISP by osu-neko · · Score: 2, Informative

    Why the fuck would anyone want to use Google for DNS, instead of something closer (e.g. either their ISP or even a box on their very own LAN)?

    Sadly, Google's DNS is something closer than the DNS server my ISP tells me to use if I don't want them hijacking misses.

    --
    "Convictions are more dangerous enemies of truth than lies."
  30. Sure it could expose me. by Ungrounded+Lightning · · Score: 2

    Now while this could theoretically be used to censor regions of users, it could not be used to expose you (since it isn't the complete IP address)

    Sure it could expose me. I have my own Class-Cs - two of 'em. When I'm on one the first three octets point straight to me.

    When I'm running from my DSL I have an eight-IP address block (broadcast / broken-broadcast / modem / five-usable) so first three octets point to a group of 32 of which I'm one. For DSL users with one-usable it points to a group of 64 users of which they're one. For unfettered PPP (such as dialup), where the IP addresses can be arbitrary, it's still one-in-256.

    Sorry, guys. One-in-64 (or even one-in-256) is too close to home for me.

    Doubly so because, once it's down to one-in-256, some governments will be willing to bust up to 255 innocents to get one guy they REALLY don't like. I don't like the idea, when I'm on the road, of being one of the innocent up-to-255 when some terrorist, spy, or whatever uses a dialup and we "win the lottery" and end up with the same first-three-octets.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  31. Re:Do no evil, eh? by dito · · Score: 2, Informative

    Maybe I'm misunderstanding this, but it sounds like this DNS "fix" will require that before I can read web sites I have to submit some information about my location.

    You absolutely are misunderstanding it (or rather you are correctly understanding most of the posts here but they have little to do with the real proposal). You will not have to submit anything before doing anything. Nobody is getting any extra information here. If you think websites don't already know where you are, think again!

    In terms of telephone calls, DNS is the telephone directory service. You want to phone www.google.com, so you phone .com and ask them for the google.com number. Then you phone google.com and ask them for the www.google.com number. Because google has branches of www all over the country, they give you a number for www in your local area, so the call is cheaper and better line quality. They can do this because they can see your caller id so they know roughly where you live.

    Now let's say you don't like having to do so many steps all the time, so you use a 3rd party service, let's call it ultraphone. You always ring the same number for ultraphone and they perform all the steps and give you back the final answer. The problem is that google.com now sees ultraphone's caller id, not yours, so you get back a number that's in ultraphone's home-town, not your home-town.

    This proposed extension just allows ultraphone to tell google "I'm calling on behalf of please give me the number you would give them".

    So you get a number that's local for you instead of one that's local for ultraphone.

    The problem that is being fixed here is that ultraphone saves you hassle while getting the phone number but it gets you a bad phone number (not a wrong one just not the best one for you). Right now you have to decide which you prefer, fast lookups with sub-optimal results or awkward lookups with optimal results.

    This extension lets you have fast lookups with optimal results.

    Assuming you were going to call www.google.com (and not just looking up their number for fun) then google was going to see your caller id anyway. This extension just changes when it sees it. Right now if you use a 3rd party DNS provider it gets your IP too late to do good load balancing and that hurts users and may consume extra bandwidth.

    Chances are that if you don't know about this stuff then you're using your ISP's DNS service and for some big ISPs that may mean a server hundreds of miles away, giving you sub-optimal answers.

  32. owning an IP address by circletimessquare · · Score: 2, Funny

    doesn't impress the babes anymore

    now you have to own your own Class-C before a woman even gives you a second glance

    and even then, they'll still flock to those assholes strutting around with those Class-Bs

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it