Google Implements DNSSEC Validation For Public DNS
wiredmikey writes "Google on Tuesday announced that it now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers. Previously, the search giant accepted and forwarded DNSSEC-formatted messages but didn't actually perform validation. 'With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains,' Yunhong Gu, Team Lead, Google Public DNS, wrote in a blog post. According to Gu, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. According to NIST, there has been no progress in enabling DNSSEC on 98 percent of all 1,070 industry domains tested as of March 18, 2013. 'Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,' Gu said."
I think your ISP has a much better log of your activities.
Could Slashdot please put in some sort of filter to automatically detect this nut and not let him post this on every story? Most of the time I am against censorship, but this same comment does not belong on every story posted.
Back then, there were two DNS servers out there:
LWN has a good article from that era to give people an idea how limited choices were with open-source DNS servers. Since then, we got Unbound and NSD, PowerDNS, and (shameless plug warning) MaraDNS (there are also a lot of DNS server projects which never were finished or were abandoned years ago, such as OakDNS, Dents, Posadis, etc.)
The idea behind DNSSEC is that it is, within a margin of error (I'm already awaiting a somewhat pedantic correction from a neckbeard), the HTTPS of DNS: It makes it impossible (cue neckbeard pedantic correction) to spoof a DNS reply. DNS without DNSSEC is like HTTP without HTTPS: There are security issues where an attacker can make someone go to the wrong web site.
(Yes, I am aware of DNScurve. I'm also aware that, like Esperanto, the best idea doesn't always win--or even get implemented in a mainstream DNS server)
(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)
MaraDNS is an open-source DNS server.
Awesome... now more people will be tricked into switching to Google's DNS servers, and therefore, more people can be tracked by Google.
Before, Google just watched your browsing habits, your email, your phone calls and cell phone activities, your physical connection, tracked you through advertising, monitored your connections to your friends, and, well, when you took a dump too.
Now, Google plans to monitor every other activity your computer partakes in, as it watches all the DNS lookups you make. Any website you go to, that is not done via a Google search. What other software you use. What forums you go to. What *threads* you look at in forums, as the dns entries will sync with threads Google has already cached. Do you download torrents? Do a lot of MX record lookups?
Google can determine a vast amount of info via DNS lookups.
Google -- can you PLEASE just focus on making your core search technology less inane? Not everyone wants to search for random, unrelated responses to searches. When they search for "bob cat", they don't want "Robert Kats".
Oh? And while you're at it, please make Verbatim searches work again. You've only had that for what, a year since you SCREWED UP + SEARCHES, and you've already started to DEGRADE IT!
Cornholes!
Show me an ISP or host who supports IPv6 and DNSSEC for a reasonable price and I'll switch.
Fact is, usually your hosting provider runs your DNS for you, and until they change there's nothing I can do. Setting up a nameserver is within my realm of possibility but it's something that I pass off to third-parties for a reason (for a start, you need two and ideally they should be on different IP spaces and connections). Also, configuring and updating DNSSEC is, from what I've seen, a bitch and even the initial signing can be a pain in the arse. Sod all that hassle just for the convenience of a minority of visitors.
Combine that with the fact that for almost EVERYONE who owns a domain, someone else other than them actually hosts it (and the big guys who DO host their own domain nameservers? Well, they can and are enabling DNSSEC where they need it, but it's no small task) and you have a problem.
You can bitch at me as much as you like but that ain't going to DNSSEC-enable my domains that I don't host any more than bitching that my IPv6-ready setup isn't actually on an IPv6-compatible / supported connection / ISP-supplied router will get me online.
Talk to my ISP and domain host. Get a few of them moving, then we can talk. Until then, it's all just another technology that I can do nothing about without a lot of expense for virtually zero gain.
P.S. The domains I do have on VPS / external servers on hosts which offer DNSv4 control publish AAAA records which work. In the same way they publish SPF records that work, and DKIM records that work, and reverse DNS records that are valid. And they ALL get used. But not really enough to justify even the small effort it took to do all that.
I've done my bit. Call me when my ISP host gets off their arse and does theirs. In fact, call me when Slashdot does the same. 10 years on and they're still publishing articles about the doom of IPv4 without a single AAAA record to their name.
The only one I have found so far is Dyn. Now to convince our company to move all our domains off NetSol.
(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)
While I support your idea, smart quotes need to die in fires. I also do not understand the need for different types of dashes - a dash is a dash!
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
My ISP, AT&T, has terrible DNS, at least in this area. They randomly take down DNS servers without replacing them. In case you don't know, this leaves customers without any way to access the internet.
They occasionally stop serving requests to competitors. For a while the only way that I could reach my work home page from home was to type in the IP address, at least until I switched to Google DNS. It was sort of important because I was an admin.
Google DNS just works. I can go to any page I need to go to.
Liberty is not well sold for all the gold.
Never assume ISPs like Comcast or Time-Warner would ever invest the time or money into such an egress filter.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
Google has not correctly implemented DNSSEC. If you send them a normal DNS query and the response is not validly signed, they just pass the answer back to you without any indication that it's invalid. They only tell you that the answer failed to validate if you set the DO ("dnssec okay") or AD ("authentic data") bits in your query, which almost no DNS clients currently do.
If the answer is invalid, a validating name server is supposed to respond with SERVFAIL, so that even if the client doesn't know anything about DNS security, it will still be protected against spoofing. Google is claiming to provide protection against spoofing, and then they aren't providing *any protection at all*.
If you want DNSSEC protection, you're still going to have to run a validating name server yourself: either BIND 9 or Unbound. (Disclosure: I'm a BIND 9 author.) It is, nowadays, extremely easy to configure a validating name server using BIND 9; in any version since 9.8.0, a one-line named.conf will do it:
options { dnssec-validation auto; };
Run named with that configuration and "nameserver 127.0.0.1" in resolv.conf and you're good to go. Google public DNS is not ready to trust yet.
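As an added example (not code from the thread, Google, or BIND), here is a small Python script that builds a DNS query with the EDNS0 DO bit set and classifies a resolver's reply by its RCODE and AD flag, the way the comment above distinguishes a validating resolver (SERVFAIL for a bogus answer, AD set for a validated one) from one that just passes answers through. The reply bytes shown are constructed; query_resolver is the only part that needs network access.

```python
import socket
import struct

# Constructed example: build a query with the EDNS0 DO bit and read back
# the RCODE / AD flag from a reply, as discussed in the comment above.

RCODE_SERVFAIL = 2
FLAG_AD = 0x0020      # "authentic data" bit in the DNS header flags
OPT_DO = 0x8000       # "DNSSEC OK" bit in the OPT record's flags field

def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Wire-format query for `name` (A record by default) with an OPT record;
    the DO bit is set only when dnssec_ok is True."""
    # flags 0x0100 = RD; one question, one additional record (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, UDP payload 4096, ext-rcode 0, version 0, flags, rdlen 0
    flags = OPT_DO if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, flags, 0)
    return header + question + opt

def classify_reply(reply):
    """Return 'servfail', 'validated' or 'unvalidated' from the reply header.
    A validating resolver answers SERVFAIL for data that fails validation and
    sets AD on data it validated; a pass-through resolver does neither."""
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if flags & 0x000F == RCODE_SERVFAIL:
        return "servfail"
    return "validated" if flags & FLAG_AD else "unvalidated"

def query_resolver(server, name, dnssec_ok=True, timeout=3.0):
    """Send the query over UDP to `server` (an IP address) and classify the reply."""
    q = build_query(name, dnssec_ok=dnssec_ok)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return classify_reply(reply)
```

Querying a name whose signatures are deliberately broken should yield "servfail" from a validating resolver, while a correctly signed name should come back "validated" rather than "unvalidated".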