Slashdot Mirror


Google Proposes DNS Extension

ElusiveJoe writes "Google, along with a group of DNS and content providers, hopes to alter the DNS protocol. Currently, a DNS request can be sent to a recursive DNS server, which would send out requests to other DNS servers from its own IP address, thus acting somewhat similar to a proxy server. The proposed modification would allow authoritative nameservers to expose your IP address (instead of an address of your ISP's DNS server, for example) in order to 'load balance traffic and send users to a nearby server.' Or it would allow any interested party to look at your DNS requests. Or it would send a user from Iran or Libya to a 'domain name doesn't exist' server."

21 of 271 comments

  1. Not as evil as suggested by Saishuuheiki · · Score: 5, Informative

    If you read the entire post by Google, you'll notice they are suggesting only the first 3 octets of the IP address are transmitted. Now while this could theoretically be used to censor regions of users, it could not be used to expose you (since it isn't the complete IP address).

    1. Re:Not as evil as suggested by Talisein · · Score: 4, Insightful

      Web sites already know where you're coming from. They have your IP address. Every single one of them, unless you're using a proxy. The problem is they can't easily redirect you to the server closest to you once you've already resolved their address. The only one in the whole system who does not know your IP when you're browsing the web is potentially the authoritative DNS server; the usual case is the same people who run the authoritative DNS server also run the web server, so while they don't get your IP when you do the DNS lookup they will when you eventually land on the site.

      --
      "The right to do something does not mean doing it is right." William Safire
  2. Bad summary by Talisein · · Score: 3, Informative

    The proposal says they would only use the first three octets. And users could just use a different DNS server if they had a restrictive server that blacklisted Iran or whatever.

    --
    "The right to do something does not mean doing it is right." William Safire
  3. Wow, Slashdot editors hate Google by Anonymous Coward · · Score: 5, Insightful

    The summary isn't even close to correct. What the hell is going on with Slashdot these days?

    1. Re:Wow, Slashdot editors hate Google by Nimey · · Score: 5, Informative

      These days?

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
  4. Re:Do no evil, my ass. by 2obvious4u · · Score: 4, Insightful

    IF governments couldn't get Big Brother information from Corporations, then I wouldn't have a problem with data mining. What is scary about Big Brother is a government using the information to use the force of the state to put people in jail. A corporation uses that information to provide products that consumers want. The government uses that information to control the population through force.

    If Google could be trusted to never hand that information over to the government, then I would have no problem with them data mining as much as they want.

    Those were really big IF's since we all know the government can easily get the information from Google, therefore we don't want them to have it.

    There are lots of value-add services that can be done because of data mining that consumers and the population want; they just ignore the consequences of the government also having access to the same data.

  5. How's that evil? by Anonymous Coward · · Score: 5, Insightful

    What a load of crap. There is no way to exploit that. If someone wants to block certain IP ranges, it is much more efficient to do so at the HTTP (or whatever the protocol in use is) level, rather than in DNS.

    Even if this gets introduced, every DNS server will continue supporting the old (without 'IP forwarding') way of doing things, so it's easy enough to pick a DNS server which doesn't forward your IP. Everything will work just as it does now (you won't have the potential speed advantage you might get with the new system though).

    Whoever wrote TFS doesn't know the first thing about how networks work. Looking at what just happened in China, do you think that Google of all companies really wants to endanger your privacy?

    The reason why Google offers public DNS servers and why they came up with this is because they want to make the internet faster for everyone. And they're doing it in an open, backwards-compatible way.

    This is a good idea and should be implemented.

  6. This is important! by HaeMaker · · Score: 5, Insightful

    This is extraordinarily important for efficient operation of the internet. If people want to block you, they can, DNS or no DNS. However, for global load balancing, this is vital. You want to connect to a server near you, not near your DNS server.

    This will not stop the proper function of proxies.

  7. Google, you are wrong here. by Tei · · Score: 3, Informative

    The Internet already works without the need to propagate this information. Following the OS concept of "less power", the less information about you that is propagated, the fewer problems.

    "By returning different addresses to requests coming from different places, DNS can be used to load balance traffic and send users to a nearby server. For example, if you look up www.google.com from a computer in New York, it may resolve to an IP address pointing to a server in New York City. If you look up www.google.com from the Netherlands, the result could be an IP address pointing to a server in the Netherlands. Sending you to a nearby server improves speed, latency, and network utilization."

    It seems this balancing is already possible without the need to propagate that data. I choose here safety/privacy over a potential speed gain. Also the risk is for everyone, but the gain is just for a few (the people who have lots of servers and need a balancing solution)... hence, it is unfair. My view of this.

    --

    -Woof woof woof!

  8. Needed, not evil... by nweaver · · Score: 5, Insightful

    There are already many uses where the IP address of the resolver is used to determine service, basically every CDN etc uses this technique.

    This extension is needed if you want OpenDNS and the like to Not Suck when fetching Akamai sourced content, youtube videos, etc.

    And it's not like the owner of the DNS authority won't find out who you are anyway, after all, you then CONTACT THEM DIRECTLY WITH YOUR IP ADDRESS!!

    --
    Test your net with Netalyzr
  9. Re:Do no evil, my ass. by Anonymous Coward · · Score: 5, Insightful

    Are you being deliberately obtuse? Region-based load balancing also helps content providers reduce latency and get better bandwidth by reducing the number of network hops between you and the web server. This could be very beneficial to sites like Youtube and other high-bandwidth sites.

    And the privacy issues strike me as semi-bullshit. You are looking up the DNS for a website YOU WERE PLANNING TO VISIT ANYWAY. When you visit the web site, they have your full IP address anyway. Sure, there are potential man-in-the-middle issues, and maybe some worries in cases where the web server operator (which presumably you want to give your IP address to) and the DNS server operator are different people. But seriously, web browsing is not IP address anonymous in any way, so I see no reason why DNS has to be either. If you want that level of privacy, you should be using Tor.

    Anyway, the privacy/efficiency debate is worth having, but you have to first acknowledge that Google's legitimate reason for this extension might actually be the reason they stated.

  10. I can't see how this gives Google any more data by TheSunborn · · Score: 3, Insightful

    I can't see how this gives any more information to Google or other users.

    Example: If I do a lookup on www.slashdot.org then this query should never hit any DNS server controlled by Google.

    The only way a query would end up on a Google-controlled DNS server would be if the domain I looked up were owned by Google, and in that case I don't care, because then I am about to visit the site anyway, which means they will have my entire IP.

  11. Re:Do no evil, eh? by dito · · Score: 5, Insightful

    Well, the summary lists two ways that this could be used for "evil":

    1) Or it would allow any interested party to look at your DNS requests.
    2) Or it would send a user from Iran or Libya to a "domain name doesn't exist" server.

    Violating privacy and enabling censorship have no place in the Western world.

    You are assuming that the summary bears any relation to reality!

    The proposal is that your ISP's resolver will pass your approximate IP address when doing a DNS request on your behalf so that you can be sent to a close-by server for your actual TCP connection.

    What extra information does someone get here? How does this allow "any interested party to look at your DNS requests"?

    On the Iran point, if the website wants to block users from Iran, they can do that when you make the TCP connection - at that time they get your exact IP address and can apply any filtering policy they like.

  12. Think about how this is working... by schon · · Score: 3, Informative

    With this DNS extension, they can see what sites buckets of people are visiting when they're NOT on google sites or where goog ads are being served.

    Umm, how is that, exactly? Assume this gets adopted - Google's DNS servers aren't authoritative for anyone other than Google - so they won't see your DNS requests... and even if they were, they'd only see traffic for the sites that Google DNS is authoritative for.

    Consider the fact that Google runs a caching DNS already, they don't need this - they'll already have the data for everyone using their resolver service, which would be much more data than this would get them.

    In short, I think your tinfoil hat is a little tight. This sounds to me like Google's DNS service has turned out to be using more of their bandwidth than they anticipated, and they're looking to reduce it.

  13. Ups and Downs by LaminatorX · · Score: 4, Insightful

    I like it. I don't know what the aggregate increase in efficiency across the net would be, but I'm betting if Google is suggesting it, it could be significant. While there are some potential abuses, they're really no different than what can already be done at the router/server level currently.

  14. Re:Do no evil, my ass. by mother_reincarnated · · Score: 3, Insightful

    Oh because they're not going to get all four octets a fraction of a second later when you CONNECT TO THEIR SERVER?

    Critical thinking, people... This would actually let people not use their ISP-provided LDNS without getting asstastic performance from every big site out there!

  15. Re:Do no evil, eh? by dito · · Score: 5, Informative

    On your point about the Iran point...I think there is still the issue of intermediate servers sending "domain doesn't exist" messages to Libyan requests before the packet even reaches the intended destination.

    What intermediate servers? The only parties involved here are you, the website and a 3rd-party resolver that you have chosen to use.

    If you don't trust your 3rd-party resolver then you're screwed with or without this extension because this resolver can see your full IP address and can lie to you about DNS (e.g. sending you to an ad site instead of saying "no such domain" or whatever).

    If you don't trust the website then why are you trying to connect to it? The website will get your full IP address as soon as you connect and can then do whatever it likes with that.

    Assuming you are actually planning on connecting to the website and not just doing DNS requests for the sake of it, nobody gets any information that they weren't going to get anyway and nobody has any opportunity to block you that they weren't going to have anyway.

  16. Duh by TheNinjaroach · · Score: 5, Funny

    If you don't trust the website then why are you trying to connect to it?

    Free ringtones.

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
  17. Re:Do no evil, eh? by natehoy · · Score: 4, Informative

    I'm confused at your assertion. Maybe I'm missing something in the article (as opposed to the summary, which is just making shit up to be scary).

    At the moment, I make a DNS request for a given domain. The DNS server sees if it has an entry cached and, if it does not, it asks an authoritative server for that domain what IP address should be used. Then it returns that IP address to me. That IP address is a fixed entity and could be located anywhere in the world. My initial connection to the domain, at least, is made using the server attached to that IP address. Then, if the data center wants to get clever, they can redirect me to a local data center by mangling the domain on all of their image loads, etc, to refer to a server closer to me. But it's clumsy, and I still have to talk to a distant server.

    Under Google's proposal, my DNS server would send the domain I'm interested in and my approximate location (first three octets of my four-octet IPv4 address). The authoritative DNS server can then make a decision whether to send me to a data center in my general area, or a data center located on the other side of the planet. The IP address I receive is determined accordingly, so I contact the local data center. The local server represents the actual domain as far as I'm concerned, so no mangling is necessary, and I never have to talk to a datacenter half a planet away. I get faster results, the domain giving me the results has a greatly simplified time doing so, and life is good.

    The only new information going to the authoritative DNS server is my approximate location. If I'm using Google's DNS servers, hell, they already have all four octets with the original DNS request. If I'm using another DNS server that supports this and I'm visiting Google, they'll give Google the first three octets. But, as soon as I have the IP address, I'm visiting the website itself and therefore the website has my full IP address. So it's not like I'm giving away any new information.

    About the only "evil" I could see is an authoritative DNS server looking at the first three octets and deciding to return a black-holed address because they don't like that country. But that's already very possible without it. I do it all the time on my PHPNuke discussion boards - NukeSentinel allows me to enter large ranges of IP addresses to block, and anyone visiting from those ranges gets a very low-bandwidth "go away" message.

    I suppose my authoritative DNS server could gather more information about people looking up my domain, but then again they are my host provider, so if they want the data all they need to do is pull the IP connection logs and get the full IP.

    So I'm really struggling to figure out how this introduces any new risks of monitoring or censorship. The only entity that will receive this new data already gets far more data as soon as you visit the site. And censorship is far more easily done at the routing layer, not the DNS layer.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  18. To quote Paul Vixie, inventor of DNS: by tlambert · · Score: 3, Interesting

    To: DNSEXT (DNS Extension Working Group, Internet Engineering Task Force)
    From: Paul Vixie
    Date: Thu, 28 Jan 2010

    "I don't think that's a general enough solution to be worth standardizing.
    please investigate the larger context of client identity, beyond the needs
    of CDN's."

    I also agree with his later statement in the same thread:

    "it may be too dangerous in any form but that's a separate issue."

    -- Terry

  19. Re:Do no evil, eh? by natehoy · · Score: 3, Informative

    That would depend on the DNS server you chose to use. You might be able to set it to slightly randomize the first three octets to something still in your vicinity but not quite as close, or you might be able to ask your DNS server to spoof it entirely.

    But think about the flow of data as it stands today:

    1. You do a DNS lookup. Your DNS server has your full IP address.
    2. Your DNS server does an authoritative lookup (assuming it's not cached). The authoritative DNS server now has the first three octets of your DNS server.
    3. Authoritative DNS server returns poorly geolocated IP address to your DNS server.
    4. Your DNS server returns the IP address to you.
    5. You use that IP address to visit the web site. That web site now has your full IP address.

    Chances are, the authoritative DNS server is run by the same organization that runs the host you are accessing, or at least the last few routers leading to it.

    If the authoritative DNS server wants your IP address, they've already got it the instant you try to use the IP address they gave you as a result of the DNS lookup. Having the first three octets is now useless to them.

    From the censorship side, having you spoof those first three octets to get an IP address to reach them will do you no good because it's FAR more effective to block or redirect requests through their routers by your source IP address. In other words, they'd give you an accurate IP address but you wouldn't be able to use it.

    Yes, you could use TOR or a proxy, but then you'd already be proxying the DNS lookup anyway, so again there's nothing to gain by spoofing the first three octets in the DNS lookup.

    This scheme has no impact on privacy - the organization that runs the authoritative server gets FAR more information the instant you use the IP address they gave you.

    It also has little impact on censorship, because censorship via DNS is going to be highly ineffective. If I knew my country used DNS-based censorship, I'd just give out IP-address-based URLs that don't need to use a DNS lookup at all. Countries that do blocking will (and already do) use blocking at the HTTP or routing layer, not DNS.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
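The lookup flow natehoy walks through in comments 17 and 19 (resolver forwards the client's first three octets, authority picks a nearby address, nothing past the /24 is disclosed), as an added toy model that is not code from the original thread or from Google's proposal. The prefix-to-region tables, the documentation-range addresses, and the "New York client using an Amsterdam resolver" scenario are all constructed for the example.

```python
"""Toy model of the proposed flow: the resolver forwards only the client's
first three octets (a /24) and the authoritative server chooses an answer
from them. Constructed example; not Google's or anyone's production code."""
import ipaddress
from typing import Optional

# Constructed lookup tables using RFC 5737 documentation ranges. A real
# authority would consult a geolocation or BGP database instead.
REGION_OF_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "nyc",   # assumed: a New York access network
    ipaddress.ip_network("198.51.100.0/24"): "ams",  # assumed: an Amsterdam network
}
SERVER_FOR_REGION = {"nyc": "192.0.2.10", "ams": "192.0.2.20"}
DEFAULT_SERVER = "192.0.2.1"  # fallback when the authority cannot place the prefix


def client_subnet(ip: str, prefix_len: int = 24) -> ipaddress.IPv4Network:
    """Resolver side: zero every bit past prefix_len, so only the first three
    octets of an IPv4 address survive (the proposal's /24); the host part is
    never sent to the authority."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def authoritative_answer(resolver_ip: str,
                         subnet: Optional[ipaddress.IPv4Network] = None) -> str:
    """Authority side: choose the answer from the forwarded client subnet when
    present; otherwise, as today, geolocate the resolver's own address (which
    is what yields the "poorly geolocated" answer in step 3 of comment 19)."""
    locate = subnet if subnet is not None else client_subnet(resolver_ip)
    return SERVER_FOR_REGION.get(REGION_OF_PREFIX.get(locate), DEFAULT_SERVER)


def resolve(client_ip: str, resolver_ip: str, send_subnet: bool) -> dict:
    """Whole lookup from the client's point of view. Returns the answer and
    exactly what the authority got to see about the client (None = nothing
    beyond the resolver's own address)."""
    subnet = client_subnet(client_ip) if send_subnet else None
    return {
        "answer": authoritative_answer(resolver_ip, subnet),
        "exposed_to_authority": str(subnet) if subnet is not None else None,
    }


if __name__ == "__main__":
    # Constructed scenario: a New York client using a resolver hosted in Amsterdam.
    for flag in (False, True):
        print("with subnet" if flag else "without subnet",
              resolve("203.0.113.77", "198.51.100.53", flag))
```

Without the extension the Amsterdam resolver's address drives the choice and the New York client is sent to the Amsterdam server; with it, the client reaches the New York server while the authority learns only 203.0.113.0/24.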