Google Proposes DNS Extension
ElusiveJoe writes "Google, along with a group of DNS and content providers, hopes to alter the DNS protocol. Currently, a DNS request can be sent to a recursive DNS server, which would send out requests to other DNS servers from its own IP address, thus acting somewhat similar to a proxy server. The proposed modification would allow authoritative nameservers to expose your IP address (instead of an address of your ISP's DNS server, for example) in order to 'load balance traffic and send users to a nearby server.' Or it would allow any interested party to look at your DNS requests. Or it would send a user from Iran or Libya to a 'domain name doesn't exist' server."
If you read the entire post by Google, you'll notice they are suggesting only the first 3 octets of the IP address are transmitted. Now while this could theoretically be used to censor regions of users, it could not be used to expose you (since it isn't the complete IP address).
The summary isn't even close to correct. What the hell is going on with Slashdot these days?
What a load of crap. There is no way to exploit that. If someone wants to block certain IP ranges, it is much more efficient to do so at the HTTP (or whatever the protocol in use is) level, rather than in DNS.
Even if this gets introduced, every DNS server will continue supporting the old (without 'IP forwarding') way of doing things, so it's easy enough to pick a DNS server which doesn't forward your IP. Everything will work just as it does now (you won't have the potential speed advantage you might get with the new system though).
Whoever wrote TFS doesn't know the first thing about how networks work. Looking at what just happened in China, do you think that Google of all companies really wants to endanger your privacy?
The reason why Google offers public DNS servers and why they came up with this is because they want to make the internet faster for everyone. And they're doing it in an open, backwards-compatible way.
This is a good idea and should be implemented.
This is extraordinarily important for efficient operation of the internet. If people want to block you, they can, DNS or no DNS. However, for global load balancing, this is vital. You want to connect to a server near you, not near your DNS server.
This will not stop the proper function of proxies.
There are already many uses where the IP address of the resolver is used to determine service; basically every CDN etc. uses this technique.
This extension is needed if you want OpenDNS and the like to Not Suck when fetching Akamai sourced content, youtube videos, etc.
And it's not like the owner of the DNS authority won't find out who you are anyway, after all, you then CONTACT THEM DIRECTLY WITH YOUR IP ADDRESS!!
Test your net with Netalyzr
Are you being deliberately obtuse? Region-based load balancing also helps content providers reduce latency and get better bandwidth by reducing the number of network hops between you and the web server. This could be very beneficial to sites like Youtube and other high-bandwidth sites.
And the privacy issues strike me as semi-bullshit. You are looking up the DNS for a website YOU WERE PLANNING TO VISIT ANYWAY. When you visit the web site, they have your full IP address anyway. Sure, there are potential man-in-the-middle issues, and maybe some worries in cases where the web server operator (which presumably you want to give your IP address to) and the DNS server operator are different people. But seriously, web browsing is not IP address anonymous in any way, so I see no reason why DNS has to be either. If you want that level of privacy, you should be using Tor.
Anyway, the privacy/efficiency debate is worth having, but you have to first acknowledge that Google's legitimate reason for this extension might actually be the reason they stated.
Well, the summary lists two ways that this could be used for "evil":
1) Or it would allow any interested party to look at your DNS requests.
2) Or it would send a user from Iran or Libya to a "domain name doesn't exist" server.
Violating privacy and enabling censorship have no place in the Western world.
You are assuming that the summary bears any relation to reality!
The proposal is that your ISP's resolver will pass your approximate IP address when doing a DNS request on your behalf so that you can be sent to a close-by server for your actual TCP connection.
What extra information does someone get here? How does this allow "any interested party to look at your DNS requests"?
On the Iran point, if the website wants to block users from Iran, they can do that when you make the TCP connection - at that time they get your exact IP address and can apply any filtering policy they like.
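The mechanism described in this post and in the earlier "first 3 octets" comment, as an added example that is not from the thread or from Google's draft: a small Python encoder and decoder for the client-subnet EDNS option, showing exactly which bytes a resolver would forward and what an authoritative server can recover from them. It assumes the option code 8 and the wire layout later standardised in RFC 7871; the draft the thread discusses is not quoted here.

```python
import ipaddress
import struct

# EDNS option code for edns-client-subnet as assigned in RFC 7871 (assumption:
# the thread never quotes a code, and the 2010 draft used an experimental one).
ECS_OPTION_CODE = 8

def truncate_client_address(ip: str, prefix_len: int) -> bytes:
    """Keep only the leading ceil(prefix_len/8) octets, with bits past the
    prefix zeroed. For IPv4 with prefix_len=24 (the '3 octets' in the thread)
    the host octet is never placed on the wire: 256 hosts remain ambiguous."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    octets = (prefix_len + 7) // 8
    return net.network_address.packed[:octets]

def build_ecs_option(ip: str, prefix_len: int) -> bytes:
    """Encode one EDNS option (OPTION-CODE, OPTION-LENGTH, then FAMILY,
    SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, truncated ADDRESS) as a
    recursive resolver would add it to the OPT record of the outgoing query."""
    addr = ipaddress.ip_address(ip)
    family = 1 if addr.version == 4 else 2  # address family numbers: 1=IPv4, 2=IPv6
    payload = struct.pack("!HBB", family, prefix_len, 0)
    payload += truncate_client_address(ip, prefix_len)
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload

def parse_ecs_option(option: bytes) -> dict:
    """Decode the option as the authoritative server sees it, rejecting
    a payload whose address length does not match the advertised prefix."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed client-subnet option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    addr_bytes = option[8:]
    full_len = 4 if family == 1 else 16
    if len(addr_bytes) != (source + 7) // 8 or len(addr_bytes) > full_len:
        raise ValueError("address length does not match prefix length")
    # Pad back to a full address; the missing host bits are simply unknown.
    padded = addr_bytes + b"\x00" * (full_len - len(addr_bytes))
    network = ipaddress.ip_network((padded, source))
    return {"family": family, "source_prefix": source,
            "scope_prefix": scope, "subnet": str(network)}

if __name__ == "__main__":
    # Constructed sample: a client in documentation space 203.0.113.0/24.
    opt = build_ecs_option("203.0.113.77", 24)
    print(opt.hex())              # the 11 bytes that actually leave the resolver
    print(parse_ecs_option(opt))  # what the authority learns: a /24, no host
```

Running it shows the authority receives `203.0.113.0/24` and nothing narrower, which is the privacy trade-off both sides of the thread are arguing about.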
On your point about the Iran point...I think there is still the issue of intermediate servers sending "domain doesn't exist" messages to Libyan requests before the packet even reaches the intended destination.
What intermediate servers? The only parties involved here are you, the website and a 3rd-party resolver that you have chosen to use.
If you don't trust your 3rd-party resolver then you're screwed with or without this extension because this resolver can see your full IP address and can lie to you about DNS (e.g. sending you to an ad site instead of saying "no such domain" or whatever).
If you don't trust the website then why are you trying to connect to it? The website will get your full IP address as soon as you connect and can then do whatever it likes with that.
Assuming you are actually planning on connecting to the website and not just doing DNS requests for the sake of it, nobody gets any information that they weren't going to get anyway and nobody has any opportunity to block you that they weren't going to have anyway.
If you don't trust the website then why are you trying to connect to it?
Free ringtones.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..