A Look At the Safety of Google Public DNS

darthcamaro writes "Yesterday we discussed Google's launch of its new Public DNS service. Now Metasploit founder and CSO at Rapid7, H D Moore, investigates how well-protected Google's service is against the Kaminsky DNS flaw. Moore has put together a mapping of Google's source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports. The InternetNews report on Moore's research concludes: 'What Moore's preliminary research clearly demonstrates to me is that Google really does need to live up to its promise here. Unlike a regular ISP, Google will be subject to more scrutiny (and research) than other DNS providers.'"
  • Re:Privacy for what? (Score:5, Informative)

    by maxume ( 22995 ) on Friday December 04, 2009 @12:53PM (#30325282)

    Their public statements say that they are not linking the requests to other Google services, and that they are discarding ip addresses within a day or two.

  • by Anonymous Coward on Friday December 04, 2009 @01:15PM (#30325600)

    The authoritative DNS servers published at NIC?

  • Re:Privacy for what? (Score:1, Informative)

    by Anonymous Coward on Friday December 04, 2009 @01:17PM (#30325618)
    It's not really a good read. It's at best alarmist, and more likely just flamebait.

  • Re:Privacy for what? (Score:3, Informative)

    by maxume ( 22995 ) on Friday December 04, 2009 @01:23PM (#30325700)

    Ya know, if I had an answer to that, I might have phrased my statement a little differently.

    I guess the best answer at this point is simply to point out that they haven't done a great deal to suggest that you shouldn't believe them, and on some level, they are regulated by a reasonable government (depending quite a lot on how one chooses to define reasonable).

  • Re:Privacy for what? (Score:5, Informative)

    by markkezner ( 1209776 ) on Friday December 04, 2009 @01:48PM (#30326038)

    For me, the dealbreaker with OpenDNS is that, when you type in a non-existent domain, OpenDNS resolves it to an IP that gives you their custom search page. The standards-compliant response would be NXDOMAIN, which is what Google (and some others) provide. This alone was enough to make me switch away from OpenDNS.

  • Re:Privacy for what? (Score:3, Informative)

    by natehoy ( 1608657 ) on Friday December 04, 2009 @01:48PM (#30326040) Journal

    I think his article was well-thought-out and well articulated, but I have a few problems with it.

    First, he does address Google's claim that Google does not redirect to ad-laden placeholders then cleverly redirects the argument to one of privacy. If OpenDNS is directing me to an ad-laden site if I mistype a URL or enter an invalid one, then I have a bunch of ad servers who now have my IP address and probably know what site I meant to go to. This may be better than giving all of my DNS lookups to a company, but at least with Google I'm giving them all to one company that I know and can decide if I want to trust. With OpenDNS, if I typo a URL, my error is, in effect, being sold to an unknown third party. I think it's somewhat disingenuous to tout privacy then use redirect pages to send users to third-party advertisers who may or may not respect the OpenDNS privacy policy. At least Google is subjecting my DNS lookups, both good and bad, to a consistent privacy policy.

    He does, however, make an excellent point about their Dashboard service and the level of control you as an OpenDNS customer have over your experience. Of course, in return for that you do have to sign up for an account to use it, and you get usage logs associated with your account and email address. Their privacy policy on such information appears excellent, but Google promises to anonymize the data as well, so that boils down to a matter of who you trust more. Personally, I'd be inclined to trust both, so it really boils down to what features are most important to you - proper domain handling, or detailed controls over everything BUT proper domain handling?

  • by crispytwo ( 1144275 ) on Friday December 04, 2009 @01:55PM (#30326136)

    Who uses Hotmail or Live Messenger?

    Long live ICQ!

  • by eleuthero ( 812560 ) on Friday December 04, 2009 @02:13PM (#30326396)
    In addition to the Live services listed in other comments, other "Live" services are available: SkyDrive is free, Mesh is free (and works quite well--better than MobileMe and right up there with box.net and with more free space) and then there's Office Online which will apparently have a free Google Docs-esque system in the future.

  • by kdemetter ( 965669 ) on Friday December 04, 2009 @02:18PM (#30326488)

    Well, the being free part, I guess.
    Which is correct: it's not because it was free that it was a problem, but that it was completely integrated, giving it a near-monopoly position in the browser market.

    And in the case of IE, it's so much part of the OS that you don't get it for free; you pay for it in the price (the developers of IE don't work for free, they are paid with the money Microsoft gets from the sales).

  • Re:Privacy for what? (Score:3, Informative)

    by Brian Recchia ( 1131629 ) <brian@recchia.name> on Friday December 04, 2009 @02:20PM (#30326538) Homepage

    Now read chapter 1 of their Terms of Service and see how it takes precedence over EVERYTHING else.

    Actually, this is quite the opposite.

    1.5 If there is any contradiction between what the Additional Terms say and what the Universal Terms say, then the Additional Terms shall take precedence in relation to that Service.

    In the document, "Additional Terms" refers to additional ToS documents and Privacy Policy documents, etc., and "Universal Terms" refers to this [google.com]. I think this is pretty much the most straightforward legalese I've ever seen, and it very clearly states that if the privacy policy of their DNS solution says they're not going to keep your data more than 48 hours, they are not going to, regardless of what the Universal Terms document states.

  • Re:Privacy for what? (Score:4, Informative)

    by markkezner ( 1209776 ) on Friday December 04, 2009 @02:22PM (#30326570)

    That may be true, but their preferences only work if OpenDNS can tell which networks are yours. They detect this [opendns.com] when you use your browser to log into the control panel, or if you install client-side software (OpenDNS Updater, which is Win\Mac only). You could do it with DynDNS [opendns.com] too, but not everyone uses that.

    Anyway I'd rather not go through all that effort, and would prefer the NXDOMAIN behavior to be the default for anonymous requests.

  • Re:Privacy for what? (Score:3, Informative)

    by Gerald ( 9696 ) on Friday December 04, 2009 @02:33PM (#30326772) Homepage

    It looks like you can disable this behavior [opendns.com] if you have an account. I haven't tested it extensively but it seems to work as advertised.

  • Re:Privacy for what? (Score:2, Informative)

    by Pearlswine ( 1121125 ) on Friday December 04, 2009 @02:46PM (#30326934)
    I use OpenDNS at home and it is possible to disable the NXDOMAIN redirect if you set up a free account. http://www.opendns.com/support/article/312 [opendns.com]

  • by dUN82 ( 1657647 ) on Friday December 04, 2009 @03:17PM (#30327366)
    Reports from my friend inside the GFW: both DNS servers already banned by the Chinese government...wth...and OpenDNS stayed untouched for like ever...

  • by Anonymous Coward on Friday December 04, 2009 @06:48PM (#30330276)

    They redirect to their own pages to make money just like Sitefinder. Everyone called Sitefinder evil, but because they are called "open" people seem to let them get away with this. Google's DNS won't do that at least.

    Also, I seem to remember people catching OpenDNS hijacking google.com to inject different ads (again, to make money), and their excuse was that they were "protecting" their customers from Google. If they are doing that now it would be reason alone to not use them. I don't want my DNS responses mangled or filtered and that seems to be getting more common with even legitimate ISPs.

    One place which OpenDNS might be better is in privacy. Someone should do a side-by-side comparison of their policies.

  • by maXXwell ( 172246 ) on Friday December 04, 2009 @07:28PM (#30330676)

    "In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports."

    The distribution graph appears to show the Google resolver using random ports between 32768 and 65535. While that's only half the ports available, it's misleading to characterize it as "a small range of ports".

  • by Anonymous Coward on Saturday December 05, 2009 @11:26AM (#30335160)

    From the picture in the article it looks like they have 15 bits of entropy in the port number and 16 bits of entropy in the ID. That's a total of 31 bits of entropy out of 32 theoretically possible. They also add entropy through the case of letters in the domain name itself (and maybe also the lower bits of the IP address, but I haven't verified that). Sounds like this all adds up to 40 or more bits of entropy. With 40 bits of entropy the chance of successful poisoning would be vanishingly small.

    How do they do the asynchronous updates of entries that are about to expire? If they randomize the timing of those and use TCP rather than UDP they can probably add another 20 bits of entropy right there.
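A way to check the numbers the last two comments reason from (a 15-bit port range plus a 16-bit transaction ID, with 0x20 case bits on top) and to turn the resulting entropy into a blind-poisoning success estimate. This is an added example written for this thread, not code from the article or from Moore's measurement; the port sample is constructed, and `www.example.com` is a placeholder query name.

```python
import math
import random

# Constructed sample, not Moore's data: 4000 source ports drawn uniformly from
# 32768-65535, the 15-bit range the comment reads off the distribution graph.
random.seed(20091204)
SAMPLE_PORTS = [random.randint(32768, 65535) for _ in range(4000)]


def varying_port_bits(ports):
    """Count bit positions (0-15) that take both values across the sample.

    A resolver whose source ports all share fixed high bits cannot have more
    port entropy than the number of bits that actually vary.
    """
    or_all = 0
    and_all = 0xFFFF
    for p in ports:
        or_all |= p
        and_all &= p
    varying = or_all & ~and_all & 0xFFFF   # bit set: seen both as 1 and as 0
    return bin(varying).count("1")


def case_bits(qname):
    """0x20 case randomization: one bit per ASCII letter in the query name."""
    return sum(1 for ch in qname if ch.isalpha())


def total_entropy_bits(port_bits, txid_bits=16, extra_bits=0):
    """Independent sources add: source port + 16-bit transaction ID + extras."""
    return port_bits + txid_bits + extra_bits


def spoof_success_probability(entropy_bits, forged_replies):
    """Chance that at least one of N blind forged replies matches every bit."""
    p_single = 2.0 ** -entropy_bits
    # 1 - (1 - p)^N, computed via log1p/expm1 to stay accurate for tiny p
    return -math.expm1(forged_replies * math.log1p(-p_single))


if __name__ == "__main__":
    port_bits = varying_port_bits(SAMPLE_PORTS)
    bits = total_entropy_bits(port_bits, 16, case_bits("www.example.com"))
    print(f"port bits: {port_bits}, total with 0x20: {bits}")
    print(f"P(success | 1e6 forged replies, 31 bits): "
          f"{spoof_success_probability(31, 10**6):.2e}")
```

With a real resolver, replace `SAMPLE_PORTS` with source ports captured from your own resolver's outbound queries; a result well below 15 means the "sufficiently random" judgement above does not apply to it.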
