A Look At the Safety of Google Public DNS 213
darthcamaro writes "Yesterday we discussed Google's launch of its new Public DNS service. Now Metasploit founder and CSO at Rapid7, H D Moore, investigates how well-protected Google's service is against the Kaminsky DNS flaw. Moore has put together a mapping of Google's source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports. The InternetNews report on Moore's research concludes: 'What Moore's preliminary research clearly demonstrates to me is that Google really does need to live up to its promise here. Unlike a regular ISP, Google will be subject to more scrutiny (and research) than other DNS providers.'"
And the worst case scenario? (Score:4, Insightful)
It fails miserably, Google revokes it, and we all go back to loving them.
Everyone loves taking a shot at Google, but when they are providing a new FREE service - I can't see it destroying their public image all that much.
Re:Privacy for what? (Score:5, Insightful)
Re:And the worst case scenario? (Score:1, Insightful)
You mean like all the times that Microsoft gets blasted when they are just providing a new FREE service? *ducks*
Re:Privacy for what? (Score:5, Insightful)
And what strikes me as even more silly is when people use the comeback of "But [insert person, group, company, etc] is (probably) already doing it too!" as if that justifies the actions of someone else.
I don't really get it. (Score:2, Insightful)
Yes, it might be useful for people whose ISP DNS server is slow. That didn't happen to me since my dialup days. Besides, now I simply run my own caching DNS server. It's not hard to set up at all.
Re:Privacy for what? (Score:5, Insightful)
Re:And the worst case scenario? (Score:2, Insightful)
What service has Microsoft provided to me that was Free? Besides Bing - which is only "blasted" because people don't like it as much as Google.
Everything else Microsoft has, I've had to pay for, so when it doesn't live up to its claims, I can bitch legit because I wasted my money.
Re:And the worst case scenario? (Score:3, Insightful)
Most of the Live services, especially Hotmail.
Re:Privacy for what? (Score:5, Insightful)
And what strikes me as even more silly is that Google has a privacy policy for the service that says all logs are deleted after 48 hours and aren't linked back to other Google services whereas I have no privacy statement at all about DNS from my ISP (since they slipped it in silently about 4 months ago).
Re:Privacy for what? (Score:5, Insightful)
Yeah, sure, give them even more information (Score:4, Insightful)
I find it amazing that nobody seems to notice that adding an ECHELON [wikipedia.org] and a DCS1000 [wikipedia.org] feed to Google is making it like the NSA, but where people actually VOLUNTEER data. In addition, it's Terms of Service [google.com] give it more legal freedom to use and abuse your information and intellectual property than even the US border control can with accessing laptops of people entering the country.
It appears 8+ years of indoctrination is paying off big time - nobody appears to remember that privacy is a basic right [un.org]. All it takes is some BS about "not being evil" for people to miss the shocking depth to which they can access all your personal data. Even the stuff they don't hold themselves will come up through the search engine. By matching up DNS records they will be able to add your entire Internet activity to your identity.
That's going to be fun when you catch some sort of virus downloading porn - and the next time you apply for a job..
Re:And the worst case scenario? (Score:3, Insightful)
Don't be a troll. That was not the problem and you know it.
Re:And the worst case scenario? (Score:3, Insightful)
Everything?
If you're saying that because it runs on Windows (for thick-client apps), you can point the finger at Apple just as much or more, too.
If you're talking about providing software for Windows or online services...
Some of the above can be seen here [live.com]. There services can be seen here [live.com]. Zune is also free (the software, anyways). Media Player is free, I believe, and actually plays back better than iTunes on Windows, I think.
Nope. Nothing free!
Re:Privacy for what? (Score:3, Insightful)
First off, ANY DNS server will be getting your IP address. After all, that's how the hell it knows where to send the fracking reply.
Secondly, logging of IPs is a basic step in holding your clients accountable to make sure you aren't being abused. If some fucktard uses a hole to hack into your system, having a log of where he came from will help nail him.
Google doesn't really have a choice but to have your data. We should judge them based on what they DO with that data.
Re:Privacy for what? (Score:5, Insightful)
You do realize the inherent conflict of interest in criticism from a competitor right?
Do remember that at least and load up on grains of salt.
Re:And the worst case scenario? (Score:4, Insightful)
Except that no one I knows blasts Hotmail or Live messenger or those services because they do exactly what they aim to do.
Re:I don't really get it. (Score:3, Insightful)
This also helps in situations where your ISP is highjacking responses stating that a domain doesn't exist, and rerouting them to a search engine.
It's all very well having that happen for HTTP requests, but it can cause havoc with things like e-mail.
Limited privacy problem for cached routers (Score:4, Insightful)
So I am giving Google DNS a try on my networks.
I do not see the privacy issues, as they are very limited if you are using a cache on your router with Google as the DNS server. Google gets to see one lookup, and then my home router (with dnsmaque) serves any repeat visits for me or the other computers on my network. For the majority of the sites I visit on a regular basis, my router provides the DNS.
I would suspect that a majority of people using home routers have some sort of cache now in the firmware that does similar work, in their OS, or their browser. It is not like Google is able to see me hit their DNS (although I am sure that is true for some users), every time I want to visit a site again. It is of little value, other than in the most general sense of determining what sites are popular.
Re:first lookup (Score:1, Insightful)
One advantage is that unlike 4.2.2.x, you have explicit permission to use this one.
Re:Kaminsky DNS flaw == HOGWASH (Score:1, Insightful)
Dan K has been on /., never could cite a single example of an in-the-wild, widespread exploit of the Kaminsky DNS flaw.
Kaminsky Bug == HOGWASH
Yes. A severe security flaw in one of the fundamental layers of the internet is hogwash... because it's not CURRENTLY being widely exploited 'in the wild'.
Please, make sure I never, ever, EVER, hire you to work anywhere near my network.
Re:Privacy for what? (Score:1, Insightful)
Google has motivation not to have a bad ToS -- if they do, everyone will switch to OpenDNS. Google is doing a GOOD thing -- more by attaching a ToS to their DNS service than by providing a free DNS. It adds competition to the DNS marketplace, and might challenge ISPs to put more thought/transparency into their DNS offerings too.
Re:And the worst case scenario? (Score:5, Insightful)
Re:Yeah, sure, give them even more information (Score:3, Insightful)
There's a very big difference between "government forcibly taking data from me" and "voluntarily giving up data to Google in exchange for services".
Furthermore, I simply don't care and never have. You, along with others who raise concerns about privacy interests, miss that very basic possibility. Most people just don't give a damn.
Re:Privacy for what? (Score:3, Insightful)
It might suprise you, but everyone has a contract with their ISP yet there are ISPs that act against their customer's best interest. That "comeback" didn't do squat. So much for accountability.
The point here is history. Show that Google is doing something wrong, and people WILL raise a stink about it. Google gets a lot of milage out of good will and that won't last long if they misstep.
Re:Privacy for what? (Score:3, Insightful)
So you're saying that a clear, readable statement about privacy is more suspicious than total and complete silence on the issue? Or am I missing something? That's not really what you meant, right?
Google feels the need to do this because every time they offer a new service "privacy" is the very first word off everyone's lips. How many times have we all read diatribes against Latitude, Gmail, etc for lack of a clear disclosure of privacy terms before the service even goes beta? And now that Google has released clear, plain English privacy statements about a new service, it's suspicious behavior? Sounds to me like Google is giving the general public what they asked for.
I'd say that if Google is the first ISP or service to have a privacy policy (which they are not, but let's say they are) then this is to be commended, not criticized. Again, they are not. OpenDNS, at least, has a clear policy and it seems to be a good one. And kudos to them for offering it.
I'd rather have a clear cut policy, even if it is subject to change, than total silence where the vendor can do anything they want without telling me. Google has been pretty good about telling me when the privacy policy for specific services changes, and for the most part they have been responses to accusations of what people THINK they MIGHT do with the data, and by and large they've been "no, we don't do that." I don't think I've ever seen them update a privacy policy for the purpose of giving them more rights than they had prior to the change.
If you don't trust Google, fine. They, like any other company or person, certainly could be lying. Fair enough.
I think they've certainly held up well to public scrutiny of their actual privacy practices, overall. They've certainly made some mistakes, but they've also been pretty good about discussing them openly, correcting them when their user base decides that a particular practice is unacceptable, and (like Microsoft with security) seem to be taking privacy extremely seriously.
Of course, Google also does not provide any core services. Email (Gmail), IM (GoogleTalk), DNS, search, mapping, collaboration (Wave), news aggregation (Google News) - every one of these services is available elsewhere. Just make sure you look at the privacy policies of your chosen vendor, and please consider that a lack of a written policy is generally not a good sign.
Re:Privacy for what? (Score:1, Insightful)
I know I certainly trust Google more than my ISP (Comcast) and if I had the option to use Google as my ISP, I would.
That said, if my ISP wants my DNS data, they can have it. And by can I mean they're able to have it, not that I'd give it to them. DNS isn't an encrypted protocol, so even if I used Google's public DNS, it's relatively trivial for my ISP to watch everything that goes out on port 53.
So if you start with the presumption that your ISP is pure evil and will be doing this type of thing anyways (I'd say that's fairly safe in my case), the choice is not between the ISP and Google, it's between the ISP and both Google and the ISP.
That said, I made the choice to use Google's DNS for the simple reason that it's faster. I just don't care about the privacy aspect enough to base my decision on it. But I'm under no illusion that by choosing to use Google I've been able to keep Comcast from accessing the data.
Re:And the worst case scenario? (Score:1, Insightful)
Free! You only have to buy a Windows license!