Google Implements DNSSEC Validation For Public DNS
wiredmikey writes "Google on Tuesday announced that it now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers. Previously, the search giant accepted and forwarded DNSSEC-formatted messages but didn't actually perform validation. 'With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains,' Yunhong Gu, Team Lead, Google Public DNS, wrote in a blog post. According to Gu, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. According to NIST, there has been no progress in enabling DNSSEC on 98 percent of all 1,070 industry domains tested as of March 18, 2013. 'Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,' Gu said."
I think your ISP has a much better log of your activities.
WTF?
Sadly this is closer to on-topic than an actual APK post is.
Could Slashdot please put in some sort of filter to automatically detect this nut and not let him post this on every story? Most of the time I am against censorship, but this same comment does not belong on every story posted.
http://en.wikipedia.org/wiki/Alexander_Kowalski
...probably the most unsexy story I've seen on Slashdot in ages. It's minimally controversial. And it leads to a minimum number of jokes and ridicule. I predict that the Limit, as time approaches infinity, of number of posts = 150.
We should learn what we need to know about issues, before we decide what we need to feel about them.
Just ban any post with "apk", "host file", or "hosts file", as that would take care of the original apk too. The original has been shitposting Slashdot much longer & more intensively than the parody guy. Or ban all Tor exit nodes, as they both use Tor to circumvent IP bans.
Here's my big complaint about DNSSEC. Most of the registrars in the world either don't support this, or make it more than a pain to implement it. Trying to find one that supports adding DNSSEC and IPv6 simultaneously is a nightmare.
I'm not up to scratch on the whole DNSSEC thing, but last I heard the protocol allowed DNSSEC-respecting servers to be trivially used as DOS nodes by having a control server. A machine could spoof the originating host on a lookup request for something nonexistent, and the payload of whatever the DNS is supposed to return is significantly larger than the lookup requests themselves, so you could trick one of the nameservers into bombarding your victim for you. Whatever happened with that?
facebook has a good idea too...
It does. It's called the moderation system.
Are you kidding me?! If we don't cast the enchantment of APK banishment in every story about DNS, general networking or privacy, soon the real APK will be summoned, and NOBODY wants that.
Awesome... now more people will be tricked into switching to Google's DNS servers, and therefore, more people can be tracked by Google.
Before, Google just watched your browsing habits, your email, your phone calls and cell phone activities, your physical connection, tracked you through advertising, monitored your connections to your friends, and, well, when you took a dump too.
Now, Google plans to monitor every other activity your computer partakes in, as it watches all the DNS lookups you make. Any website you go to, that is not done via a Google search. What other software you use. What forums you go to. What *threads* you look at in forums, as the dns entries will sync with threads Google has already cached. Do you download torrents? Do a lot of MX record lookups?
Google can determine a vast amount of info via DNS lookups.
Google -- can you PLEASE just focus on making your core search technology less inane? Not everyone wants to search for random, unrelated responses to searches. When they search for "bob cat", they don't want "Robert Kats".
Oh? And while you're at it, please make Verbatim searches work again. You've only had that for what, a year since you SCREWED UP + SEARCHES, and you've already started to DEGRADE IT!
Cornholes!
Slashdot: 2001 called and wants its lack of Unicode support back.
I've explained before how vandals forced Slashdot to stop supporting Unicode.
Also, Zalgo.
A machine could spoof the originating host
How does spoofing the originating host get past an ISP's egress filter? As I see it, the attacker and the victim of such an amplification attack would have to be on the same ISP.
Or permit us to just collapse these sorts of long posts. I don't mind that there are long posts here, but it's annoying to have to scroll past them.
Just ban any post with "apk"
So how would one discuss sideloading Android applications?
Could be true, but my ISP is not in the business of serving banner ads, building a profile of all my personal interests, habits, and vices, and there is actually somebody who will pick up the telephone at my ISP unlike Google, which has no actual humans that one is likely to be able to speak with about these concerns.
Google should be viewed as an adversary, and they didn't build that new building right across from spook central for nothing.
Show me an ISP or host who supports IPv6 and DNSSEC for a reasonable price and I'll switch.
Fact is, usually your hosting provider runs your DNS for you, and until they change there's nothing I can do. Setting up a nameserver is within my realm of possibility but it's something that I pass off to third-parties for a reason (for a start, you need two and ideally they should be on different IP spaces and connections). Also, configuring and updating DNSSEC is, from what I've seen, a bitch and even the initial signing can be a pain in the arse. Sod all that hassle just for the convenience of a minority of visitors.
Combine that with the fact that for almost EVERYONE who owns a domain, someone else other than them actually hosts it (and the big guys who DO host their own domain nameservers? Well, they can and are enabling DNSSEC where they need it, but it's no small task) and you have a problem.
You can bitch at me as much as you like but that ain't going to DNSSEC-enable my domains that I don't host any more than bitching that my IPv6-ready setup isn't actually on an IPv6-compatible / supported connection / ISP-supplied router will get me online.
Talk to my ISP and domain host. Get a few of them moving, then we can talk. Until then, it's all just another technology that I can do nothing about without a lot of expense for virtually zero gain.
P.S. The domains I do have on VPS / external servers on hosts which offer DNSv4 control publish AAAA records which work. In the same way they publish SPF records that work, and DKIM records that work, and reverse DNS records that are valid. And they ALL get used. But not really enough to justify even the small effort it took to do all that.
I've done my bit. Call me when my ISP host gets off their arse and does theirs. In fact, call me when Slashdot does the same. 10 years on and they're still publishing articles about the doom of IPv4 without a single AAAA record to their name.
In Soviet Russia, mother uses log on you!
You are your ISP's customer and therefore their use of your private data is strictly regulated by federal law under penalty of quite substantial fines.
In most countries I believe that they're allowed to anonymize it and use it that way.
Pretty much the same thing the search companies do.
https://en.wikipedia.org/wiki/Flamebait
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Google beats the military and the government to something that helps authenticate their identity online? Say it ain't so!
My ISP, AT&T, has terrible DNS, at least in this area. They randomly take down DNS servers, without replacing them. In case you don't know, this leaves customers without any way to access the internet.
They occasionally stop serving requests to competitors. For a while the only way that I could reach my work home page from home was to type in the IP address, at least until I switched to Google DNS. It was sort of important because I was an admin.
Google DNS just works. I can go to any page I need to go to.
Liberty is not well sold for all the gold. (Non bene pro toto libertas venditur auro)
I wasn't remarking on the relative effectiveness of the domain name servers at AT&T vs. Google, I was pointing out that Google seeks more and more information about you, to use for whatever purposes they see fit.
AT&T might do this too but at least they aren't building a profile of you and selling it to anybody with two bits to spend.
Oh, maaan - you went and fed the troll. At least it wasn't after midnight, but c'mon, Internet 201.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
personally I have been looking forward to this !!
thank you finally validation works
John
One does not simply censor 4 SIMULTANEOUS posts.
I don't mind that there are long posts here, but it's annoying to have to scroll past them.
Um, poor baby? Do you not know how lame that is, you and those above complaining about the same thing? Gahd! Syrians are re-inventing WW1 warfare, ffs. It takes max. three seconds to spacebar past that crap. Sheesh!
"Tongue tied and twisted, just an Earth bound misfit
Since you PAY your ISP for your service, you are bound to a contract with them. That contract is binding, and if they break it, by providing your information to someone else, then you have due cause for a case to be leveled against them. With Google, no such contract exists.
Neither is Google.
What do Syrians have to do with this? Or are you just an asshole by nature? This is a usability thing that a website developer ought to care about and no, it takes me longer than that, this computer isn't the fastest out there, not with all the larding up of this web 2.0 stuff.
Google has not correctly implemented DNSSEC. If you send them a normal DNS query and the response is not validly signed, they just pass the answer back to you without any indication that it's invalid. They only tell you that the answer failed to validate if you set the DO ("dnssec okay") or AD ("authentic data") bits in your query, which almost no DNS clients currently do.
If the answer is invalid, a validating name server is supposed to respond with SERVFAIL, so that even if the client doesn't know anything about DNS security, it will still be protected against spoofing. Google is claiming to provide protection against spoofing, and then they aren't providing *any protection at all*.
If you want DNSSEC protection, you're still going to have to run a validating name server yourself: either BIND 9 or Unbound. (Disclosure: I'm a BIND 9 author.) It is, nowadays, extremely easy to configure a validating name server using BIND 9; in any version since 9.8.0, a one-line named.conf will do it:
options { dnssec-validation auto; };
Run named with that configuration and "nameserver 127.0.0.1" in resolv.conf and you're good to go. Google public DNS is not ready to trust yet.
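The difference the comment above draws, between a resolver that withholds bogus data with SERVFAIL and one that only signals failure when the client set DO/AD, can be seen in the raw packets. This added example (not code from the comment's author or from BIND 9) builds a query with an EDNS0 OPT record carrying the DO bit and classifies constructed response headers the way a DNSSEC-unaware client would experience them; the sample packets are constructed, not captured.

```python
import struct

RCODE_SERVFAIL = 2
OPT_TYPE = 41
DO_FLAG = 0x8000  # "DNSSEC OK" bit in the EDNS0 OPT record's flags field
AD_FLAG = 0x0020  # "authentic data" bit (bit 5) in the DNS header flags word


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, dnssec_ok=True, txid=0x1234):
    """Recursive query (RD=1); with dnssec_ok an OPT RR with DO set is appended."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    if not dnssec_ok:
        return header + question
    # OPT RR: root name, TYPE 41, UDP payload size 4096, ext-rcode 0,
    # EDNS version 0, flags = DO, zero-length rdata
    opt = b"\x00" + struct.pack(">HHBBHH", OPT_TYPE, 4096, 0, 0, DO_FLAG, 0)
    return header + question + opt


def skip_name(packet, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        n = packet[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + n


def query_sets_do(packet):
    """True if any OPT record in the packet has the DO bit set."""
    qdcount, ancount, nscount, arcount = struct.unpack(">HHHH", packet[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(packet, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(packet, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", packet[off:off + 10])
        if rtype == OPT_TYPE and ttl & DO_FLAG:  # OPT reuses TTL for ext-rcode/version/flags
            return True
        off += 10 + rdlen
    return False


def classify_response(packet):
    """'servfail' protects even DNSSEC-unaware clients; 'validated' needs a client
    that reads AD; 'unvalidated' means the resolver gave the client no signal at all."""
    flags = struct.unpack(">H", packet[2:4])[0]
    if flags & 0x000F == RCODE_SERVFAIL:
        return "servfail"
    return "validated" if flags & AD_FLAG else "unvalidated"


# Constructed 12-byte response headers (QR, RD, RA set) for the behaviours contrasted above
BOGUS_AS_SERVFAIL = struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)    # RCODE=2
BOGUS_PASSED_THROUGH = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # NOERROR, no AD
AUTHENTIC = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)             # NOERROR, AD set
```

Only the header is needed for classification, so the sample responses carry no record sections.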
This would be great for me in China. That is, until Google DNS gets blocked completely. Even using Google DNS in mainland China gives very odd random-seeming replies for requests to certain sites like facebook. It really seems like even requests to foreign DNS servers get spoofed (though not consistently, about 1 in 20 requests seemed to actually give a facebook server).
I don't mind that there are long posts here, but it's annoying to have to scroll past them.
Syrians are re-inventing WW1 warfare, ffs.
What do Syrians have to do with this?
Wow you're shallow, as a pane of glass. People are dying out there fighting civil wars, and you're complaining about having to page past stuff you'd prefer not to see. :-|
"Tongue tied and twisted, just an Earth bound misfit
Google is certainly building up a profile of everybody who uses any of their sites, and anybody using a page that uses any Google API, and selling this information. No need to lie to me, especially when everybody already knows the truth about Google.
Ya kidding?
There's always been an option about the text length display on Slashdot. I've adjusted mine more than once.
And then there's the ACs. For me, all ACs get a -2 on their score. It too is in the Slashdot options. Can't be bothered to create an account? I rarely read your shite.
Thirdly, replying to trolls, and then getting modded up in some way similar to Reddit, Facebook, and any other site that does the thumbs-up shit, only serves to highlight the post to me. I then end up reading the parent troll. Gee Mister, thanks for that.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
You can see what's in this "profile" by visiting your Google account page. This "profile" consists of some of the pages you visited and things you searched for. Basically, clues to what ads you might be likely to click on. That's all.
Google never has and never will sell your information to anyone.
yes, yes, yes, I get it, you are the tech-age hipster crying wolf. Don't let me spoil your fun.
Shallow? Again, I ask what does this have to do with a complaint about a usability problem with a website?
Just because there's a civil war going on somewhere else in the world doesn't make it any less of a problem with the site. There's always a civil war going on somewhere in the world. By your reasoning, we shouldn't ever complain about anything because somewhere in the world there is something worse going on.
And BTW, a pane of glass isn't shallow, it's transparent. If you're so poorly educated that you don't know that, your views mean nothing.
I don't mind that there are long posts here, but it's annoying to have to scroll past them.
Syrians are re-inventing WW1 warfare, ffs.
What do Syrians have to do with this?
Wow you're shallow, as a pane of glass. People are dying out there fighting civil wars, and you're complaining about having to page past stuff you'd prefer not to see. :-|
Again, I ask what does this have to do with a complaint about a usability problem with a website?
"Shallow" refers to your lack of "depth", as in "deep thinking" or "inability to prioritize." Lots of things can be complained about. There's lots that's wrong in the world. But, max. three seconds to spacebar past annoying posts?!? Come on.
I see !@#$ like this all the time. People get five spams a day, and they think it's the end of the world. It drives them to avoid email and use FaceFuck to communicate instead.
Dumbth!
... a pane of glass isn't shallow, it's transparent.
Pardon me. I was previously unaware that you were an idiot. Carry on. Good luck.
"Tongue tied and twisted, just an Earth bound misfit
We have no guarantee that everything Google knows about you is in your Google profile. They are keeping tabs on everybody who lands on a page that uses Google APIs, they have been busted circumventing privacy controls in browsers, and they are not to be trusted.
The wolf is right there. Everybody can see it. You just need to take your blinders off.
Read up on the details of the case where Google was "circumventing privacy controls in browsers". All Google was doing was trying to get the status for the +1 button on the page. A bug in Safari was piling on the extra cookies, which Google ignored.
Or, let's tape on our tin foil hats and look at it from YOUR perspective:
There were a relatively tiny number of people who actually enabled DNT in Safari. And those were people who were not likely to click on ads anyway. But, according to you, the people at Google made an active decision that this was a market worth pursuing. So, knowing full well that privacy advocates would quickly discover that Safari was still tracking Google users, the decision was made to exploit a bug in Safari that piled on cookies to an outgoing connection.
I mean, come on, this is Google, some of the top web experts on the planet. If they knew about this Safari bug, and decided to exploit it, then they also would have known that the exploit would be discovered almost immediately and have to be removed. So you are asking us to believe that Google decided to engage in a huge PR fiasco just so that they could get a month's worth of tracking info on a handful of people who were unlikely to click on ads anyway?
Is that what you want us to believe? Better add another layer of tin foil.
Boohoo. They have information about me that they use to advertise, woe is me, I am dying. You know what they don't do? Serve ads and search results over what should be 404 pages. Remember when Comcast did that? If Google's privacy policies were so evil you'd think their DNS would do the same thing, but no it just works. If the price is that I get some spam email that I never see because G-Mail does a wonderful job of filtering it out, so be it.
He can't so he downmods ya here + in the link of apk's too.
I know (not believe, know) that Google is doing anything and everything it can to build up profiles of everybody who uses any Google service - visible or not - all of the time. This is their primary job. They are advertisers, trying to make money by selling targeted ads (and perhaps information that allows targeting) to anybody. And yes, I know they were purposefully targeting this Safari bug.
I do not believe that it is possible for advertisers, attorneys, loan brokers, and certain other classes of people to have souls, morals, or a conscience. I personally know some of the highest ranking Googlers, having grown up with them and gone to school with them, and they are not fully human. I know how they think. I know how Google works, and I think it's funny that you mention tinfoil hats in this age of total surveillance on the Internet. By resorting to such a cheap tactic you are basically admitting that I am correct.
Can you share with us how you "know" this? Not "believe", but "know"?
Did the "voices" tell you? Or can you offer us even a tidbit to verify that your claims are anything other than "beliefs"?
Are you saying that you are currently in contact with "some of the highest ranking Googlers" and that they are sharing their nefarious plans with you? Or are you saying that you once went to the same school as someone who now works at Google and you did not like that person at the time?
We await your fabulous stories with bated breath.