Forgot your password?
typodupeerror
Google The Internet Technology

Google Launches Public DNS Resolver 540

Posted by timothy
from the their-interest-is-understandable dept.
AdmiralXyz writes "Google has announced the launch of their free DNS resolution service, called Google Public DNS. According to their blog post, Google Public DNS uses continuous record prefetching to avoid cache misses — hopefully making the service faster — and implements a variety of techniques to block spoofing attempts. They also say that (unlike an increasing number of ISPs), Google Public DNS behaves exactly according to the DNS standard, and will not redirect you to advertising in the event of a failed lookup. Very cool, but of course there are questions about Google's true motivations behind knowing every site you visit."
This discussion has been archived. No new comments can be posted.

Google Launches Public DNS Resolver

Comments Filter:
  • by ls671 (1122017) * on Thursday December 03, 2009 @02:05PM (#30314340) Homepage

    > They also say that (unlike an increasing number of ISPs), Google Public DNS behaves exactly according to the DNS standard.

    Congratulations, this would then be the first free service that I know of which doesn't do redirect ! ;-)

    I setup my own DNS but I guess it is a little overkill for the common every day user. Setting your own DNS means you have to go to the network (e.g. internet) less often because your locally hosted DNS caches the already visited sites for a TTL period of time. This is especially true if you have several computers and that they tend to visit the same sites.

    Let me add that if your ISP or firewall intercepts requests to port 53, you will still be stuck with it ;-(

    • by sopssa (1498795) * <sopssa@email.com> on Thursday December 03, 2009 @02:12PM (#30314470) Journal

      Congratulations, this would then be the first free service that I know of which doesn't do redirect ! ;-)

      I guess they're using that as a selling point and to come of "nicer". If they're just after datamining the DNS requests, this service can happily run on negative income, because it improves Google's other things and provides them even more data.

      Google is datamining everywhere and everything already.

      • by Charles Dodgeson (248492) <jeffrey@goldmark.org> on Thursday December 03, 2009 @04:58PM (#30317142) Homepage Journal

        Google is datamining everywhere and everything already.

        When I first read about this, I immediately thought about datamining. But after another second, I figured that I would prefer Google to have this information than Verizon (where my caching DNS server currently forwards to). It is true that Google is better at datamining, but do keep in mind that whoever is providing your DNS service has the information about your DNS requests.

        Another difference between Google and your ISP is that your ISP knows who you are from your IP address. So they can link DNS resolution requests to specific, named, customers. Google can't do that directly.

      • by AmiMoJo (196126) <mojo@NOspAm.world3.net> on Thursday December 03, 2009 @05:36PM (#30317782) Homepage

        Google is datamining everywhere and everything already.

        Yeah, but so is my ISP.

        Virgin Media keep extensive logs of DNS requests, as the government requires them to, for at least one year. Google keep your IP address logged for 24 hours, then remove it and keep the other DNS request data for an indefinite period.

        What is more concerning to me is that my ISP knows who I am. They can easily link up DNS requests with my account and billing details. Google probably could link it up with their other data pools if they wanted to, but they don't require you to have a Google account to use their servers so you don't have to provide them with any more details than your current IP address. E.g. you could use Yahoo for all searches and never send Google any more than just an IP address.

        What it boils down to is that I trust Google a lot more than I trust Virgin Media. At least Google publishes what they do with your data and doesn't sell it to third parties.

        • Re: (Score:3, Insightful)

          by Shakrai (717556)

          Virgin Media keep extensive logs of DNS requests, as the government requires them to, for at least one year.

          Your country requires them to keep logs of your DNS requests for 12 months? You have my sympathy.

      • Re: (Score:3, Informative)

        by Eil (82413)

        They're not doing any datamining with the resolvers, beyond keeping an eye out for performance and abuse issues. From their privacy page [google.com]:

        Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users.

        We delete these temporary logs within 24 to 48 hours.

        In the perm

      • by SnowZero (92219) on Friday December 04, 2009 @02:12AM (#30321590)

        If they're just after datamining the DNS requests, this service can happily run on negative income, because it improves Google's other things and provides them even more data.

        This is untrue. From the Google DNS privacy page [google.com], linked from the blog post (emphasis added):

        Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users. We delete these temporary logs within 24 to 48 hours.

        In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.

        That page also details exactly what features are logged. Does your current upstream DNS provider document their logging policies?

        Disclaimer: I work for Google, but I will cite my sources.

    • Why not do both? (Score:5, Insightful)

      by FranTaylor (164577) on Thursday December 03, 2009 @02:29PM (#30314696)

      Set up your own DNS server and point it at google's.

      Then you can take advantage of your cache and their cache.

      google could do us a great service by also making it available on some other port, that way we can get around the ISP interception of DNS requests.

    • by ahecht (567934) on Thursday December 03, 2009 @03:09PM (#30315312) Homepage

      4.2.2.2 and their ilk are free and non-redirecting. You can use 4.2.2.1 4.2.2.2 4.2.2.3 4.2.2.4 4.2.2.5 or 4.2.2.6

      They are run by L-3 and sitting on major backbones, and the ip addresses are pooled, so that you will likely get a server that is geographically near you when you use one of those addresses.

      • Re: (Score:3, Insightful)

        4.2.2.2 and their ilk are free and non-redirecting

        Yes, but who is gtei.net?

        • Good question (Score:3, Informative)

          by Spliffster (755587)
          For those too lazy to run whois:

          spliffy@localhost:~$ whois gtei.net
          ...
          Registrant:
          Verizon Trademark Services LLC
          Verizon Trademark Services LLC
          1320 North Court House Road
          Arlington VA 22201
          US
          domainlegalcontact@verizon.com +1.7033513164 Fax: +1.7033513669
          ...
        • by Anonymous Coward on Thursday December 03, 2009 @05:22PM (#30317580)

          Brief history lesson:

          DARPA asked BBN to build the arpanet. They built and owned Autonomous System Number 1. (ASN1)
          BBN split into BBN Technologies and BBN Networking. BBN Technologies went of and did their own thing. BBN Networking kept ASN1 and grew into a tier 1 ISP.
          GTE bought BBN Networking and renamed the division GTE Internet ( aka GTEI )
          Southern Bell bought GTE but wasn't allowed to keep all of it due to monopoly laws put in place during the Ma Bell breakup. They renamed the Telco part Verizon and spun off the infringing internet bit as Genuity.
          Genuity was funded through a 'guaranteed' $2B revolving credit line by Verizon.
          Verizon lobbied enough people to overturn enough of regulations such that they no longer needed Genuity at all, and dumped the loan.
          Genuity's remaing assets were sold in bankruptcy to Level 3 Communications, including ASN1, the 4.0.0.0/8 and 8.0.0.0/8 ARIN allocations and the gtei.net name.

      • by afidel (530433) on Thursday December 03, 2009 @03:33PM (#30315656)
        Actually L3 is turning off public access to those resolvers and has been for a while, sometimes you will not get any response at other times they just degrade response times.
    • Re: (Score:3, Informative)

      by ceeam (39911)

      > this would then be the first free service that I know of which doesn't do redirect

      Well, there are *tons* of them. And fast. Download this program (if you're on Windows), run it, and see which are good for you. Redirecting and "strict" are marked with different colors.

      http://www.grc.com/dns/benchmark.htm [grc.com]

    • Re: (Score:3, Interesting)

      by Rich0 (548339)

      Yup, I run my own DNS - in part because I also want to have local hostnames and a bit more control over dhcp/etc.

      It also is nice to be able to blackhole any domain I like and kill 80% of the ads and intrusive cookies out there. When I'm browsing on wi-fi from the cellphone I'm amused to see all the banner ads go away desipte it not having an ad blocker.

  • DDoS attacks (Score:4, Interesting)

    by avij (105924) * on Thursday December 03, 2009 @02:05PM (#30314350) Homepage

    But I thought open recursive DNS servers were bad -- haven't you heard of DNS DDoS amplification attacks? Why would Google's open recursive DNS service be any better in this regard?

    • Re:DDoS attacks (Score:5, Informative)

      by darkmeridian (119044) <.william.chuang. .at. .gmail.com.> on Thursday December 03, 2009 @03:06PM (#30315286) Homepage

      Google's DNS service defends against DDoS amplification attacks by using rate-limiting techniques. From Google: [google.com]

      The best approach for combating DoS attacks is to impose a rate-limiting or "throttling" mechanism. Google Public DNS implements two kinds of rate control:
      Rate control of outgoing requests to other nameservers. To protect other DNS nameservers against DoS attacks that could be launched from our resolver servers, Google Public DNS enforces per-nameserver QPS limits on outgoing requests from each serving cluster.
      Rate control of outgoing responses to clients. To protect any other systems against amplification and traditional distributed DoS (botnet) attacks that could be launched from our resolver servers, Google Public DNS performs two types of rate limiting on client queries:
      To protect against traditional volume-based attacks, each server imposes per-client-IP QPS and average bandwidth limits.
      To guard against amplification attacks, in which large responses to small queries are exploited, each server enforces a per-client-IP maximum average amplification factor. The average amplification factor is a configurable ratio of response-to-query size, determined from historical traffic patterns observed in our server logs.

      • Re: (Score:3, Interesting)

        by neoform (551705)
        Does this mean it would be a bad idea to use Google as my own DNS server's source?
  • by Edgewize (262271) on Thursday December 03, 2009 @02:07PM (#30314390)

    They state very bluntly that IP addresses are expunged from the logs after 48 hours, and that no data is shared with Google Accounts or other Google services. They still get to play with a lot of aggregated data, but this seems like a fairly non-evil way to do it. Good for them. http://code.google.com/speed/public-dns/faq.html#privacy [google.com]

    • Re: (Score:3, Insightful)

      by Z00L00K (682162)

      Add to that the fact that some IP addresses are shared by a lot of virtual sites which makes statistics about as precise as the slashdot polls.

    • by TheModelEskimo (968202) on Thursday December 03, 2009 @03:43PM (#30315786)
      Uh, actually it's their service and the ToS changes anytime they want it to. This is also known as a phased takeover, in case you haven't noticed other corporations *starting out* with a beautifully ethical ToS before.
      • Re: (Score:3, Insightful)

        mod parent up!

        the current google is somewhat evil; we have no idea what happens LATER when, uhh, the TOS get changed (somehow...)

        "the first one is free". remember that phrase. it applies here, too, in concept.

      • by Idiomatick (976696) on Thursday December 03, 2009 @04:38PM (#30316764)
        Point to one instance of a Google ToS getting worse. We are talking about a DNS server. Only /. types know what that is nvm would be willing to change theirs. Were Google to change their policy it would be pretty widespread news in the tiny group of people that use it. I don't know what you think they'd have to gain from annoying a bunch of nerds (re: people that support and build their whole business). More likely they made something for internal/personal use and just decided to release it because... well it's Google, they can.
      • Re: (Score:3, Insightful)

        Other companies, perhaps. But when has Google ever made their ToS more evil?

        As far as I'm concerned, Google has done nothing to undermine our trust in their sincerity. If you have examples, though, I'm more than willing to dig in to it.

  • by olsmeister (1488789) on Thursday December 03, 2009 @02:07PM (#30314392)
    But it sure seems like they're getting more and more of my personal information lately. What I search for, where I surf to, with my Droid where I navigate to, my e-mails, my documents. WOW.
  • Why? (Score:5, Insightful)

    by sopssa (1498795) * <sopssa@email.com> on Thursday December 03, 2009 @02:07PM (#30314394) Journal

    But why would one change to use Google's DNS? If you're technical enough and care about such, you're way better off setting up your own recursive DNS server.

    Google is just datamining from DNS requests here, it's another source of information. At least with your own ISP you can reasonably think that theres no datamining going on (excluding US ISP's, of course, who serve ads on non-existing domains for their users anyway)

    • Re:Why? (Score:4, Insightful)

      by slashkitty (21637) on Thursday December 03, 2009 @02:11PM (#30314456) Homepage
      Uh, yeah. Comcast switched ads on non domains.. and i'm sure they are datamining it too. Unfortunately, I trust google more than comcast more than some independent group with open dns.
    • Re: (Score:3, Insightful)

      by zunger (17731)

      Because setting up and maintaining your own recursive DNS server is a pain in the ass? (Especially compared to the workload of "here, just change this one setting and it will go faster")

      • Re: (Score:3, Interesting)

        by ickleberry (864871)
        I hear this excuse about every type of service. "Look change to to our wonderful new cloud based data mining/advertising supported service and let us do all the work for you"

        But really, I have been running servers of all sorts for years now and the only ones that require any significant amount of maintenance are the HTTP ones due to their content going stagnant (gopher does not count here as its OK to have stagnant content, makes it look more 'nostalgic' if it hasn't been updated in years I suppose)

        A
        • Re: (Score:3, Insightful)

          Why would I invest two hours and a spare machine into setting up my own DNS server when I can spend thirty seconds changing a setting on my router?

          As for maintenance... Why should I invest time updating the software that runs these servers every time a new security vulnerability is discovered? Why should I even have to check for updates, when someone else is doing it all for free? Why should I pay for the electricity to run the additional machine? (You're going to say "run it on your desktop", but what i

    • I seem to recall that there are a few ISPs that are threatening to block all requests to Google sites because of the bandwidth that is being used. I think it stands to reason that the reason Google is running an free DNS is so that people can still access their sites, no matter what their ISP does.
  • 8.8.8.8/4 (Score:4, Insightful)

    by Xacid (560407) on Thursday December 03, 2009 @02:08PM (#30314414) Journal

    "To try it out:

    Configure your network settings to use the IP addresses 8.8.8.8 and 8.8.4.4 as your DNS servers..."

    Simple enough to remember which is great. Also - could this be used to circumvent some of the internet security at some workplaces where they seem to run a blacklist of specific sites?

    • by sopssa (1498795) * <sopssa@email.com> on Thursday December 03, 2009 @02:16PM (#30314524) Journal

      Would be interesting to know how much Google paid for those two 256 ranges to Level 3. One would think simple ip's like 8.8.8.8 would cost some nice amount too.

      Or maybe they should had used the coolest ip on the net, aka

      > host 69.69.69.69
      69.69.69.69.in-addr.arpa domain name pointer the-coolest-ip-on-the-net.com.

    • Re:8.8.8.8/4 (Score:4, Informative)

      by dave562 (969951) on Thursday December 03, 2009 @02:45PM (#30314922) Journal

      Anyone running Windows Server as their internal DNS server is probably forwarding DNS requests to an external name server. The workstation DNS settings are most likely controlled with DHCP, and if the admin has half a brain (I know, that's a big assumption), the users don't have rights to change the network settings.

      Most internet security applications are usually proxy servers, or something like a Websense box. Those filter all traffic regardless of where the name resolution takes place. In fact, Websense can be configured to block DNS requests to non-approved / external servers (as can any firewall, etc).

      Do your network admins a favor and use your work computer for work. Don't try to get around their access controls. Most of the time they'd love to give you free access to the internet, but the reality is that they are responsible for keeping Windows boxes secure. That isn't an easy job. What you might perceive as network admin Nazi behaviors is really just them protecting you from yourself... or your co-workers from themselves, etc.

    • Re:8.8.8.8/4 (Score:5, Informative)

      by ChaosDiscord (4913) * on Thursday December 03, 2009 @03:31PM (#30315614) Homepage Journal
      If your network security relies on limiting DNS lookups, you don't really have any network security at all. You might as well take the house numbers off the front of your house to make it harder for burglars to find your house to break in.
  • Not everyday (Score:4, Insightful)

    by dmayle (200765) on Thursday December 03, 2009 @02:13PM (#30314486) Homepage Journal

    Forget everyday use, but on public wifi, I'm all about this!

    • Re: (Score:3, Informative)

      by Joce640k (829181)

      Mod parent up - DHCP on a public node can make dragons fly out of your nose.

  • Questions? (Score:5, Insightful)

    by whisper_jeff (680366) on Thursday December 03, 2009 @02:15PM (#30314518)

    ...but of course there are questions about Google's true motivations behind knowing every site you visit.

    No there aren't. You'd have to have been living under a rock for the past decade to have any questions about their motives. It's dead simple - they want to know what people are looking at so that they can better target people with advertising thereby increasing the value of their service. In return for offering various free services, all they ask for is some information on you so that they can better target advertising that interests _YOU_. It's not rocket science - it's just incredibly effective marketing.

    • Re: (Score:3, Informative)

      by SKPhoton (683703)
      You can view the Google Public DNS privacy and logging policies here [google.com]. (It's nice and relatively short. Very un-EULA-ish.)

      From the page:

      We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network.

    • Re:Questions? (Score:5, Informative)

      by SanityInAnarchy (655584) <ninja@slaphack.com> on Thursday December 03, 2009 @02:39PM (#30314828) Journal

      Except in this case, they claim your IP will be gone from their logs in 24 hours, and it'll never be associated with anything else you do at Google.

      My guess is, they want broad statistics like the most popular domains visited, maybe even traffic patterns of which domains people tend to go to after which other domains.

      So you're right, the motives are quite transparent. Except in this case, I have no idea why I wouldn't want to participate. It's likely to be a hell of a lot more responsive than my ISP's DNS.

      • Re:Questions? (Score:5, Interesting)

        by vitaflo (20507) on Thursday December 03, 2009 @04:10PM (#30316200) Homepage

        "My guess is, they want broad statistics like the most popular domains visited, maybe even traffic patterns of which domains people tend to go to after which other domains."

        I'd go further. Given the announcement of Chrome OS, I wouldn't doubt they want to test a huge number of DNS requests and tweak the system to be as fast as possible to speed up Chrome. Google knows latency is an issue with web apps, and is trying to do all they can to reduce this. I think this is just another step in that direction.

    • Re: (Score:3, Insightful)

      by TooMuchToDo (882796)
      Half-credit. They're trying to make the web faster, but to an extent to further their webapps agenda. Why? That's their playground. If the web is faster (Google DNS, Google's SPDY architecture), you won't rely on that desktop so much for apps now will you?
  • by fotoguzzi (230256) on Thursday December 03, 2009 @02:18PM (#30314550)
    but they didn't want too much brilliance all in one place.
  • by Fished (574624) <amphigory@gAAAmail.com minus threevowels> on Thursday December 03, 2009 @02:20PM (#30314570)

    Very cool, but of course there are questions about Google's true motivations behind knowing every site you visit.

    Look.. Google's in the advertising and data aggregation business, yes. But ... there is a level of suspicion and fear directed at Google that just seems extreme. Has Google actually done something "Evil" that I missed? Or it is just paranoia? I personally think that it's much more likely that OpenDNS or my ISP would do something crazy with this sort of information than Google.

    • Re: (Score:3, Insightful)

      by lennier (44736)

      "But ... there is a level of suspicion and fear directed at Google that just seems extreme. Has Google actually done something "Evil" that I missed?"

      They might have. Would we be able to know, at this point, if they did? Do we still have third parties able to compete with them and provide checks and balances over the information they feed us?

      The problem with Google (and the other big players, such as the social networks) is that they are increasingly *centralising* control over the data we see. In the 1990s,

  • No IPv6 records :-( (Score:4, Informative)

    by Cronq (169424) on Thursday December 03, 2009 @02:22PM (#30314612) Homepage

    They don't publish own IPv6 records via this resolver :-(

  • NTP pool & GeoIP (Score:5, Informative)

    by avij (105924) * on Thursday December 03, 2009 @02:28PM (#30314688) Homepage
    The NTP pool [ntp.org] (which probably needs even more NTP servers, btw) was recently changed so that the project's DNS servers return a list of nearest available NTP servers when queried. If you change your settings to use Google's DNS servers, the pool will now respond with a list of NTP servers close to Google's DNS servers, which may not be what you wanted.
    • Re: (Score:3, Interesting)

      by TooMuchToDo (882796)
      What sort of NTP servers do they need? I have several locations I can host from (I own a technology services firm) and could provide Stratum 1 services, as several of our NTP servers have GPS receivers attached.
  • motives (Score:3, Insightful)

    by Tom (822) on Thursday December 03, 2009 @03:15PM (#30315414) Homepage Journal

    Very cool, but of course there are questions about Google's true motivations behind knowing every site you visit.

    Nonsense.

    They want to cut the ISPs and other DNS providers out of their (dishonest) ad revenue streams. For a lot of competitors, this is virtually the only straw left (AOL, anyone? I know at least in Germany if they hadn't forced the marketing of the "Alice" ISP to add such a DNS-misdirect, their portal and search space would be able to count its visits in "hits per hour").

    It hurts their competitors while giving Google an image plus. And the amount of overhead and traffic is neglectable if you already operate on the scale that Google does.

  • by WARM3CH (662028) on Thursday December 03, 2009 @04:13PM (#30316246)
    I just run a simple benchmark [grc.com] to see how fast these are. It turns out that Google's DNS is slower than our university's (I'm in Oregon), OpenDNS and L-3.
    • ISP: Cashed Name: 1 ms, Uncached Name: 8 ms
    • OpenDNS: Cashed Name: 5 ms, Uncached Name: 8 ms
    • L-3: Cached Name: 24 ms, Uncached Name: 26 ms
    • Google: Cashed Name: 44 ms, Uncached Name: 48 ms

    I guess for me it's clear: I'll skip it for now.

    • by WARM3CH (662028) on Thursday December 03, 2009 @04:20PM (#30316354)
      Oh crap! I reported the Minimum time, not the average! Here is the full report:

      (Min | Avg | Max | Std.Dev |Reliab%)

      My university:
      Cached Name | 0.001 | 0.002 | 0.003 | 0.000 | 100.0
      Uncached Name | 0.008 | 0.060 | 0.225 | 0.065 | 100.0
      DotCom Lookup | 0.181 | 3.984 | 4.203 | 0.633 | 100.0

      OpenDNS (208. 67.220.220)
      Cached Name | 0.005 | 0.006 | 0.008 | 0.001 | 100.0
      Uncached Name | 0.008 | 0.066 | 0.190 | 0.053 | 100.0
      DotCom Lookup | 0.009 | 0.131 | 0.198 | 0.064 | 100.0

      Level 3 (4. 2. 2. 3)
      Cached Name | 0.024 | 0.025 | 0.028 | 0.001 | 100.0
      Uncached Name | 0.026 | 0.071 | 0.206 | 0.056 | 100.0
      DotCom Lookup | 0.025 | 0.081 | 0.191 | 0.058 | 100.0

      Google (8.8.8.8)
      Cached Name | 0.044 | 0.061 | 0.206 | 0.038 | 100.0
      Uncached Name | 0.048 | 0.144 | 0.322 | 0.075 | 97.9
      DotCom Lookup | 0.069 | 0.158 | 0.261 | 0.051 | 100.0

Business is a good game -- lots of competition and minimum of rules. You keep score with money. -- Nolan Bushnell, founder of Atari

Working...