A Look At the Safety of Google Public DNS
darthcamaro writes "Yesterday we discussed Google's launch of its new Public DNS service. Now Metasploit founder and CSO at Rapid7, H D Moore, investigates how well-protected Google's service is against the Kaminsky DNS flaw. Moore has put together a mapping of Google's source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports. The InternetNews report on Moore's research concludes: 'What Moore's preliminary research clearly demonstrates to me is that Google really does need to live up to its promise here. Unlike a regular ISP, Google will be subject to more scrutiny (and research) than other DNS providers.'"
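The kind of source-port check the summary describes, as an added example that is not Moore's code or part of the original post: it summarises a resolver's observed UDP source ports and estimates how many bits an off-path spoofer must guess on top of the transaction ID. The port lists are constructed samples, not measurements of Google Public DNS, and `port_report` and `looks_predictable` are hypothetical names.

```python
import math
import random
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field


def port_report(ports):
    """Summarise UDP source ports seen on a resolver's outbound queries."""
    counts = Counter(ports)
    n = len(ports)
    span = max(ports) - min(ports) + 1
    # Shannon entropy of the sample itself (cannot exceed log2(n)).
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    # An incrementing or fixed allocator repeats one port-to-port step.
    deltas = Counter(b - a for a, b in zip(ports, ports[1:]))
    return {
        "distinct": len(counts),
        "span": span,
        "sample_entropy_bits": round(entropy, 2),
        "dominant_delta_share": deltas.most_common(1)[0][1] / (n - 1),
        # Bits an off-path spoofer must guess if ports are uniform over span.
        "guess_bits_if_uniform": round(TXID_BITS + math.log2(span), 2),
    }


def looks_predictable(report, threshold=0.5):
    """Flag samples where one step explains most consecutive queries."""
    return report["dominant_delta_share"] >= threshold


# Constructed samples (not measurements of any real resolver).
rng = random.Random(1)
SAMPLES = {
    "fixed port": [32768] * 200,
    "incrementing": list(range(40000, 40200)),
    "random, 2048-port window": [rng.randrange(30000, 32048) for _ in range(200)],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        r = port_report(ports)
        print(f"{name}: {r} predictable={looks_predictable(r)}")
```

In the constructed 2048-port sample the window contributes close to 11 bits beyond the 16-bit transaction ID, while the fixed-port sample leaves only the 16 bits that the Kaminsky attack targets.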
Privacy for what? (Score:2, Interesting)
My real concern with Google DNS is privacy. Your DNS records are extremely valuable to google, so I sincerely doubt google is not going to record them.
I'm not even entirely convinced about the benefit of using google's; your local DNS server hierarchy is going to be far more responsive, even if it does have a higher miss rate.
Re:Privacy for what? (Score:5, Interesting)
The especially odd part about the complaint is that Google has an upfront, posted policy about what they are doing as far as retaining your DNS requests, which I've never seen from an ISP.
Re:Privacy for what? (Score:4, Interesting)
An excellent point. That's why I think OpenDNS is a better option. They at least appear to give you a choice in the matter. I'm not sure Google's services are equitable. There's a good blog post from the founder of OpenDNS where he critiques Google's service. It's a good read.
http://blog.opendns.com/2009/12/03/opendns-google-dns/
Re:I don't really get it. (Score:3, Interesting)
Re:Privacy for what? (Score:3, Interesting)
When you use GoogleDNS, you're providing the request to both of them, as your ISP can see your DNS requests anyway.
Re:And the worst case scenario? (Score:3, Interesting)
Live Mesh is pretty cool. Live Writer is actually quite good, IMO, and produces very clean HTML (at least, in my brief tests with it with WordPress... a custom install, too, with a custom theme and everything; integrated just fine and was a very good WYSIWYG editor). SkyDrive - 25 GB for free - isn't too shabby, either. I don't like Hotmail, but it has sure been around for a while. Bing is actually pretty nice for some things. Microsoft's birds-eye-view is sometimes very useful, and it looks like they are doing a street view now, too.
Google DNS Benchmarks (Score:2, Interesting)
Re:I don't really get it. (Score:3, Interesting)
Yes, it might be useful for people whose ISP DNS server is slow. That hasn't happened to me since my dialup days. Besides, now I simply run my own caching DNS server. It's not hard to set up at all.
I wonder about this myself. Google is a marketing company so you would generally expect them to always appeal to the widest audience possible. As valuable as DNS service is, it's also not something that average users care about or think about. Most users who are dissatisfied with their DNS performance would say "the Internet is slow today" and not "I am experiencing unusually high latency from my ISP's DNS server". This is just a guess but they seem to be targeting two broad categories of user:
Personally, I just run my own caching nameserver.
Everyone will have a web presence (if not already) (Score:2, Interesting)
Re:Privacy for what? (Score:3, Interesting)
As I said in the other story, Google stands to gain NOTHING by alienating their whole freaking market for this. Only mega nerds will bother changing their DNS to Google's since only nerds have even heard of DNS. And said nerds will abandon Google DNS in a matter of days if they fuck with the ToS. And the streisand effect would be fucking huge in the group that uses the service.
I think it is a bit more likely that Google is doing this for the data that they SAY they are taking since that alone is valuable. The extra data they'd get by fucking their privacy policy would be minimal, the downside huge.
% of users that don't use DHCP assigned DNS (Score:3, Interesting)
What percentage of total users use DNS that is not assigned from their ISP? I would guess a good percentage of the /. crowd uses a DNS that is not assigned via their ISP. But out of the total population of internet users, using non-ISP DNS servers has got to be pretty small.
Re:Privacy for what? (Score:4, Interesting)
My real concern with Google DNS is privacy. Your DNS records are extremely valuable to google, so I sincerely doubt google is not going to record them.
I'm not even entirely convinced about the benefit of using google's; your local DNS server hierarchy is going to be far more responsive, even if it does have a higher miss rate.
So what you are saying is, you are upset at the idea of google logging your dns traffic, yet NOT upset with the idea of your ISP logging your DNS traffic and selling it to google?
Because google only gave you a legal document stating they wouldn't record your traffic longer than 48 hrs and would not tie those results with any other google service. You know, a legal document that you can use in court.
Your ISP has provided no such document, and as you admit to sincerely doubt google would avoid doing what is now illegal, so you must equally doubt your ISP would avoid doing it too, probably more so since your ISP likely has no such legal document.
Sounds to me the only way you can sleep easy at night would be to switch to google, and letting your doubt rest easy knowing you now have the law on your side, and moving away from your ISP that most likely IS (and if not, could legally do so) what you are so worried about.
Re:Privacy for what? (Score:2, Interesting)
I'm astonished at how seriously paranoid you are. There's literally no way Google could EVER prove to you that they weren't 'spying' on you. There are almost infinitely many ways you could prove they WERE spying on you. Now who do you think would provide a guarantee against spying on you, and who do you think would simply omit the issue and do their spying without bringing attention to it? Now, where exactly in your current DNS server's TOS does it say that they don't log data?