
A Look At the Safety of Google Public DNS

Posted by kdawson
from the random-enough-maybe dept.
darthcamaro writes "Yesterday we discussed Google's launch of its new Public DNS service. Now Metasploit founder and CSO at Rapid7, H D Moore, investigates how well-protected Google's service is against the Kaminsky DNS flaw. Moore has put together a mapping of Google's source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports. The InternetNews report on Moore's research concludes: 'What Moore's preliminary research clearly demonstrates to me is that Google really does need to live up to its promise here. Unlike a regular ISP, Google will be subject to more scrutiny (and research) than other DNS providers.'"
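One way to measure a resolver's source-port distribution, as the summary says Moore did for Google, is to log the outbound queries it sends to an authoritative server the tester controls and look at the port each one used. The Python below is an added example, not Moore's code or anything from the InternetNews report: it analyses such a capture per resolver address. The tcpdump-style lines, the documentation-range addresses and the pass thresholds are all constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style lines (not a real capture): outbound queries from two
# recursive resolvers to an authoritative server the tester controls, plus one
# reply.  Addresses are documentation-range placeholders, not Google's.
SAMPLE_CAPTURE = """\
12:43:01.000101 IP 198.51.100.7.41003 > 203.0.113.5.53: 51001+ A? q1.example.test. (34)
12:43:01.000202 IP 198.51.100.7.58820 > 203.0.113.5.53: 24190+ A? q2.example.test. (34)
12:43:01.000303 IP 198.51.100.7.33127 > 203.0.113.5.53: 61337+ A? q3.example.test. (34)
12:43:01.000404 IP 198.51.100.7.61902 > 203.0.113.5.53: 9021+ A? q4.example.test. (34)
12:43:01.000505 IP 198.51.100.7.47216 > 203.0.113.5.53: 44812+ A? q5.example.test. (34)
12:43:01.000606 IP 198.51.100.7.39404 > 203.0.113.5.53: 17755+ A? q6.example.test. (34)
12:43:01.000707 IP 198.51.100.7.55671 > 203.0.113.5.53: 30266+ A? q7.example.test. (34)
12:43:01.000808 IP 198.51.100.7.44290 > 203.0.113.5.53: 58443+ A? q8.example.test. (34)
12:43:02.000101 IP 198.51.100.9.33001 > 203.0.113.5.53: 1001+ A? q1.example.test. (34)
12:43:02.000202 IP 198.51.100.9.33002 > 203.0.113.5.53: 1002+ A? q2.example.test. (34)
12:43:02.000303 IP 198.51.100.9.33003 > 203.0.113.5.53: 1003+ A? q3.example.test. (34)
12:43:02.000404 IP 198.51.100.9.33004 > 203.0.113.5.53: 1004+ A? q4.example.test. (34)
12:43:02.000505 IP 198.51.100.9.33005 > 203.0.113.5.53: 1005+ A? q5.example.test. (34)
12:43:02.000606 IP 198.51.100.9.33006 > 203.0.113.5.53: 1006+ A? q6.example.test. (34)
12:43:02.000707 IP 198.51.100.9.33007 > 203.0.113.5.53: 1007+ A? q7.example.test. (34)
12:43:02.000808 IP 198.51.100.9.33008 > 203.0.113.5.53: 1008+ A? q8.example.test. (34)
12:43:02.000909 IP 203.0.113.5.53 > 198.51.100.9.33008: 1008 1/0/0 A 203.0.113.80 (50)
"""

# Only lines whose destination port is 53 are queries; replies are ignored.
QUERY_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53: ")


def ports_by_resolver(capture):
    """Map each querying resolver address to its source ports, in capture order."""
    ports = defaultdict(list)
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            ports[m.group(1)].append(int(m.group(2)))
    return dict(ports)


def shannon_bits(ports):
    """Empirical entropy of the observed ports (at most log2(n) for n samples)."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def sequential_fraction(ports):
    """Share of consecutive queries whose port rose by exactly one: the signature
    of an incrementing source port, which is what leaves a resolver guessable."""
    if len(ports) < 2:
        return 0.0
    return sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1) / (len(ports) - 1)


def assess(ports, min_range_bits=10.0, max_sequential=0.2):
    """Summarize one resolver's ports and judge whether they look randomized.
    Thresholds are this example's assumptions: span at least ~2**10 values,
    rarely repeat a port, and almost never step by +1."""
    lo, hi = min(ports), max(ports)
    stats = {
        "queries": len(ports),
        "distinct": len(set(ports)),
        "low": lo,
        "high": hi,
        "range_bits": round(math.log2(hi - lo + 1), 2),
        "entropy_bits": round(shannon_bits(ports), 2),
        "sequential": round(sequential_fraction(ports), 2),
    }
    stats["randomized"] = (
        stats["range_bits"] >= min_range_bits
        and stats["distinct"] >= 0.9 * stats["queries"]
        and stats["sequential"] <= max_sequential
    )
    return stats


def report(capture=SAMPLE_CAPTURE):
    """Per-resolver assessment for a whole capture."""
    return {ip: assess(p) for ip, p in ports_by_resolver(capture).items()}


if __name__ == "__main__":
    for ip, s in report().items():
        verdict = "randomized" if s["randomized"] else "PREDICTABLE"
        print(f"{ip}: {verdict}, ports {s['low']}-{s['high']} "
              f"({s['range_bits']} bits of range, {s['sequential']:.0%} sequential)")
```

A real run needs many more than eight queries per resolver address before the entropy figure means anything; the range and sequential-step checks are the ones that flag a problem early.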
  • by Monkeedude1212 (1560403) on Friday December 04, 2009 @12:43PM (#30325114) Journal

    It fails miserably, Google revokes it, and we all go back to loving them.

    Everyone loves taking a shot at Google, but when they are providing a new FREE service - I can't see it destroying their public image all that much.

  • Privacy for what? (Score:2, Interesting)

    by Dogun (7502)

    My real concern with Google DNS is privacy. Your DNS records are extremely valuable to google, so I sincerely doubt google is not going to record them.

    I'm not even entirely convinced about the benefit of using google's; your local DNS server hierarchy is going to be far more responsive, even if it does have a higher miss rate.

    • by beefnog (718146) on Friday December 04, 2009 @12:49PM (#30325218)
      The one thing that strikes me as silly about the "what if Google datamines our DNS requests" concern is that those people assume their ISPs aren't already doing so.
      • by LOLLinux (1682094) on Friday December 04, 2009 @12:51PM (#30325266)

        And what strikes me as even more silly is when people use the comeback of "But [insert person, group, company, etc] is (probably) already doing it too!" as if that justifies the actions of someone else.

        • by beefnog (718146) on Friday December 04, 2009 @12:54PM (#30325304)
          I'm not saying that it justifies it in any way. I'm merely pointing out that scapegoating a company that does genuinely good things while ignoring the company that routinely dicks its customers is odd. Plus, if you had read yesterday's article, you would understand that google is purging IP addresses from the records.
        • by MozeeToby (1163751) on Friday December 04, 2009 @01:01PM (#30325406)

          And what strikes me as even more silly is that Google has a privacy policy for the service that says all logs are deleted after 48 hours and aren't linked back to other Google services whereas I have no privacy statement at all about DNS from my ISP (since they slipped it in silently about 4 months ago).

          • And yet after all that, people still think that, out of the kindness of their hearts, Google will decree that its first ToS for this service is set in stone, and think that somehow a bad ToS is always better than no policy at all. Get real - a ToS is a very malleable document; ask anyone who owns a credit card. Just give Google some time and you'll wonder why on earth you thought their simplified legalese had no loopholes.
            • by Chyeld (713439)

              A 'bad' TOS is far far better than no TOS. At least if you have a bad TOS you know to avoid the service because you know what they say they can or can't do.

              No TOS basically means they could be doing anything they wanted, and you'd never know.

            • Re: (Score:3, Interesting)

              by Idiomatick (976696)
              Give a single example of a Google ToS changing for the worst.

              As I said in the other story, Google stands to gain NOTHING by alienating their whole freaking market for this. Only mega nerds will bother changing their DNS to Google's since only nerds have even heard of DNS. And said nerds will abandon Google DNS in a matter of days if they fuck with the ToS. And the streisand effect would be fucking huge in the group that uses the service.

              I think it is a bit more likely that Google is doing this for the da
      • If I hadn't already posted I'd mod that insightful.

        Seriously, your ISPs have been following dirty underhanded tactics from the moment you signed up, by delaying your installation, lacking in support, not offering you full speeds, and disconnecting you when you approach your full speed. Now, given that they are in it for the money, and ALL of your traffic is going through them - they have every reason to take your information and sell it. You KNOW they have your information because the police can demand that inf

      • The one thing that strikes me as silly about the "what if Google datamines our DNS requests" concern is that those people assume their ISPs aren't already doing so.

        We already know they log our search requests. Call me naive, but what are they going to do with our DNS requests? As long as they aren't injecting ads or stealing data, that is...

      • Re:Privacy for what? (Score:5, Interesting)

        by DragonWriter (970822) on Friday December 04, 2009 @12:53PM (#30325290)

        The one thing that strikes me as silly about the "what if Google datamines our DNS requests" concern is that those people assume their ISPs aren't already doing so.

        The especially odd part about the complaint is that Google has an upfront, posted policy about what they are doing as far as retaining your DNS requests, which I've never seen from an ISP.

        • by cheros (223479)

          The especially odd part about the complaint is that Google has an upfront, posted policy about what they are doing as far as retaining your DNS requests, which I've never seen from an ISP

          Well, fine, but if a burglar puts a notice on his balaclava that he's going to rob my house I still reserve the right to prevent that from happening, polite notice or not.

          • Well, fine, but if a burglar puts a notice on his balaclava that he's going to rob my house I still reserve the right to prevent that from happening, polite notice or not.

            That's a fine attitude, I suppose, but not at all relevant, since its not even remotely a good analogy to Google with regard to datamining public DNS records to uncover personal information, since that's not what their notice says they are doing with the data.

            • by cheros (223479)

              OK, hit the brakes for a moment. You actually believe what they say without ANY evidence to back it up?

              Let me give you a heads up then. Read their privacy policy. So far, so good, no? Now read chapter 1 of their Terms of Service and see how it takes precedence over EVERYTHING else. Still feel comfortable?

              I'm astonished at how much leeway Google is given in spying on everyone's life..

              • Re: (Score:3, Informative)

                Now read chapter 1 of their Terms of Service and see how it takes precedence over EVERYTHING else.

                Actually, this is quite the opposite.

                1.5 If there is any contradiction between what the Additional Terms say and what the Universal Terms say, then the Additional Terms shall take precedence in relation to that Service.

                In the document, "Additional Terms" refers to additional ToS documents and Privacy Policy documents, etc., and "Universal Terms" refers to this [google.com]. I think this is pretty much the most straightforward legalese I've ever seen, and it very clearly states that if the privacy policy of their DNS solution says they're not going to keep your data more than 48 hours, they are not going to, regardless of what the Universal Terms document states.

              • by natehoy (1608657)

                Choices:

                1. Use my ISP, who never made any promises of privacy at all, and at least in the case of mine ALSO redirects me to an ad if I typo a DNS request (faked NX records). Comcastic!

                2. Use OpenDNS, which promises not to sell.. oh, yeah, that's right, promises don't really mean anything to you from Google, then they probably don't from OpenDNS either, but anyway they make the same promises as Google. And they redirect me to an ad-laden third party site if I typo a DNS request. So I get a little more p

              • OK, hit the brakes for a moment. You actually believe what they say without ANY evidence to back it up?

                Whether I believe Google's published policy or not is rather immaterial to the criticism I presented in GP of GGP's analogy comparing Google's notice to a burglar announcing intent to rob your house.

                So I congratulate you for, like GGP, posting something completely irrelevant to the material it is posted in "response" to.

              • Re: (Score:2, Interesting)

                by pwfffff (1517213)

                I'm astonished at how seriously paranoid you are. There's literally no way Google could EVER prove to you that they weren't 'spying' on you. There are almost infinitely many ways you could prove they WERE spying on you. Now who do you think would provide a guarantee against spying on you, and who do you think would simply omit the issue and do their spying without bringing attention to it? Now, where exactly in your current DNS server's TOS does it say that they don't log data?

      • Re:Privacy for what? (Score:4, Interesting)

        by octaene (171858) on Friday December 04, 2009 @01:00PM (#30325384)

        An excellent point. That's why I think OpenDNS is a better option. They at least appear to give you a choice in the matter. I'm not sure Google's services are equitable. There's a good blog post from the founder of OpenDNS where he critiques Google's service. It's a good read.

        http://blog.opendns.com/2009/12/03/opendns-google-dns/ [opendns.com]

        • by shentino (1139071) on Friday December 04, 2009 @01:24PM (#30325706)

          You do realize the inherent conflict of interest in criticism from a competitor right?

          Do remember that at least and load up on grains of salt.

          • by Kz (4332)

            You do realize the inherent conflict of interest in criticism from a competitor right?

            yeah, don't listen to the competitor's arguments! also, don't listen to the defendant attorney in court cases!

            c'mon, it's always important to read both sides. if they're the best they could say; but one of them is full of ad hominems or similar bad arguments, then it's a good sign the other side has a better point.

        • Re:Privacy for what? (Score:5, Informative)

          by markkezner (1209776) on Friday December 04, 2009 @01:48PM (#30326038)

          For me, the dealbreaker with OpenDNS is that, when you type in a non-existent domain, OpenDNS resolves it to an IP that gives you their custom search page. The standards compliant response would be NXDOMAIN, which is what Google (and some others) provide. This alone was enough to make me switch away from OpenDNS.
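The NXDOMAIN-versus-redirect behaviour described above shows up directly in the wire response for a name that cannot exist. As an added example, not code from this post, the Python below builds two constructed responses for such a query (a compliant NXDOMAIN and a synthesized A record pointing at a documentation-range address), parses them, and classifies each; in practice the message to classify would be the resolver's actual answer to a randomly generated label.

```python
import struct

# Constructed query name; any label that cannot exist in the zone works the same way.
QNAME = "no-such-host.example"


def _encode_name(name):
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(txid, rcode, a_records):
    """Constructed DNS response for 'QNAME IN A' (test data, not captured traffic).
    rcode 3 = NXDOMAIN; rcode 0 with answers is what a redirecting resolver sends."""
    flags = 0x8180 | (rcode & 0xF)            # QR=1, RD=1, RA=1
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    msg += _encode_name(QNAME) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    for ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C: compression pointer back to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:     # two-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(msg):
    """Extract transaction id, RCODE and any A records from a DNS response."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "a_records": addrs}


def classify(parsed):
    """For a name known not to exist: NXDOMAIN is the compliant answer; an A record
    means the resolver substituted its own destination for the missing name."""
    if parsed["rcode"] == 3 and not parsed["a_records"]:
        return "nxdomain"
    if parsed["rcode"] == 0 and parsed["a_records"]:
        return "redirected"
    return "other"


if __name__ == "__main__":
    compliant = build_response(0x1234, 3, [])
    redirecting = build_response(0x1234, 0, ["203.0.113.80"])   # placeholder address
    for label, msg in (("compliant", compliant), ("redirecting", redirecting)):
        print(label, "->", classify(parse_response(msg)))
```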

          • Amen! I use OpenDNS at home & work, but this irritates me non stop when I'm typing too fast and have a typo in a domain name. Don't take 5 seconds to respond with a custom search page. Return a not found immediately.
          • Re: (Score:3, Informative)

            by Gerald (9696)

            It looks like you can disable this behavior [opendns.com] if you have an account. I haven't tested it extensively but it seems to work as advertised.

          • Re: (Score:2, Informative)

            by Pearlswine (1121125)
            I use OpenDNS at home and it is possible to disable the NXDomain redirect if you set up a free account. http://www.opendns.com/support/article/312 [opendns.com]
        • Re: (Score:3, Informative)

          by natehoy (1608657)

          I think his article was well-thought-out and well articulated, but I have a few problems with it.

          First, he does address Google's claim that Google does not redirect to ad-laden placeholders then cleverly redirects the argument to one of privacy. If OpenDNS is directing me to an ad-laden site if I mistype a URL or enter an invalid one, then I have a bunch of ad servers who now have my IP address and probably know what site I meant to go to. This may be better than giving all of my DNS lookups to a company,

        • That blog posting reads like PR. It's so clearly not objective. The biggest reason I switched to Google's DNS is that it doesn't do any damn redirection. I hate that OpenDNS search page that comes up. I don't see any way to configure OpenDNS without having to sign up or something annoying. Google's doesn't require any signup; just 8.8.8.8 and 8.8.4.4 and go.
        • In what way do you feel that Google's services (Google Public DNS in particular) are not "equitable"?

          Also, that blog post is pure PR bullshit and FUD.
      • by sonnejw0 (1114901) on Friday December 04, 2009 @01:01PM (#30325412)
        Except that Google has a lot of other information on us already, too. Cross-referencing data sets provides true statistical power. Our ISPs do not have the same information that we voluntarily give Google. There's regulation against our ISPs stealing the information that gets passed through them. There's no stopping voluntarily giving Google control of our email, calendar, health records, DNS requests, marketing information, voicemail transcripts, blog articles ...
      • Re: (Score:3, Interesting)

        by icebraining (1313345)

        When you use GoogleDNS, you're providing the request to both of them, as your ISP can see your DNS requests anyway.

      • Re: (Score:3, Insightful)

        by shentino (1139071)

        First off, ANY DNS server will be getting your IP address. After all, that's how the hell it knows where to send the fracking reply.

        Secondly, logging of IPs is a basic step in holding your clients accountable to make sure you aren't being abused. If some fucktard uses a hole to hack into your system, having a log of where he came from will help nail him.

        Google doesn't really have a choice but to have your data. We should judge them based on what they DO with that data.

      • by iris-n (1276146)

        At least my ISP is a relatively small company who is not affiliated with Google.

        Google already has my email, my searches, (some of) my IMs, my social network, my maps. There's Google Docs, too, which I don't use.

        I don't need them to have my DNS records as well. If they have that too, the question becomes which information about me they don't have. And that is fucking scary.

      • by klui (457783)
        In general I like Google products. I'm paraphrasing someone who wrote the following and I can't find the link right now. It's either on Digg or Reddit. It's not the current Google I'm afraid of. It's the future Google 2 or 3 generations from now that scares me. Once the founders leave, whoever is left behind will not care about "do no evil," and will do whatever it can so it has any advantage. As Google gains more influence, the chances of its executives taking advantage of that influence beyond "do no evil
    • Re:Privacy for what? (Score:5, Informative)

      by maxume (22995) on Friday December 04, 2009 @12:53PM (#30325282)

      Their public statements say that they are not linking the requests to other Google services, and that they are discarding ip addresses within a day or two.

      • by mounthood (993037)

        Their public statements say that they are not linking the requests to other Google services, and that they are discarding ip addresses within a day or two.

        Google also has a Privacy Policy [google.com], but the thing is, it was "Last modified: March 11, 2009" and "Please note that this Privacy Policy may change from time to time."

        The lack of trust that so many people are venting isn't from thin air. The US government is spying on its own citizens (and everyone else.) Sprint is working hard setting up websites to let local law enforcement to monitor citizens. Also, there are no standards for data privacy, and companies change their own policy whenever they want and chan

      • by gad_zuki! (70830)

        >Their public statements say that they are not linking the requests to other Google services, and that they are discarding ip addresses within a day or two.

        Right and when google started their business they didn't have a tracking cookie that expires in 2038. Things change. The DNS data has value and once google's shareholders realize this they will begin to mine it. Heck, if they don't then the executives can be sued for not running the business properly.

        • by mea37 (1201159)

          What's the most recent shareholder lawsuit you can think of?

          Yes, there is a financial responsibility to shareholders. However, people love to trot this out to "prove" how a business has acted or will act, and it just doesn't fly.

          The DNS data may be valuable, but customer goodwill may be more valuable (especially when loss of goodwill would decrease access to the data). The decision to retain and mine the data, or to avoid doing so, will be a business decision, and it's unlikely to result in a lawsuit eith

    • Re: (Score:2, Flamebait)

      by HangingChad (677530)

      your local DNS server hierarchy is going to be far more responsive, even if it does have a higher miss rate.

      I set it up on my laptop and I can't see any difference between that and my desktop in terms of speed. I'm going to leave it on my laptop which connects through different hotspots with different DNS providers.

      Google can have my DNS records while I'm on the road. I think it's a great service and the kind of really neat thing that's pretty rare in corporate culture these days. We should be giving

    • If you read about this at all, you would know that Google does use the records to generate stats (as in: people who visit slashdot.org have a 2% chance of visiting thinkgeek.com). Google claims they do not keep DNS records in a manner which can identify individuals.

      That said, the big telcos can snoop your DNS queries and DO turn that info over to government agencies. If your ISP or your government want to know who Dogun of Slashdot is IRL, they need only observe that the same IP which posts as you here also

    • by gandhi_2 (1108023)

      You are really that worried about privacy?

      Every time you google, you need to be logged out of all google services: includes blogger, blogspot, picasaweb, youtube, and all the others like analytics, adsense, gmail....

      Clear all your cookies.

      Then reboot your home cable/dsl modem or whatever to get a new IP.

      Then go ahead and do your searches.

      Clear all your cookies.

      Then reboot your home cable/dsl modem or whatever to get a new IP.

      Then it's safe to log back in to google services.

      That should cover you for all googl

      • by causality (777677)

        You are really that worried about privacy?

        Every time you google, you need to be logged out of all google services: includes blogger, blogspot, picasaweb, youtube, and all the others like analytics, adsense, gmail....

        Clear all your cookies.

        Then reboot your home cable/dsl modem or whatever to get a new IP.

        Then go ahead and do your searches.

        Clear all your cookies.

        Then reboot your home cable/dsl modem or whatever to get a new IP.

        Then it's safe to log back in to google services.

        That should cover you for all google spying that involves google analytics and tying your search queries to you.

        Oh, what's that? You aren't THAT worried?

        I appreciate that taking an idea to a ridiculous extreme, noting that the extreme to which you took it is ridiculous, and then concluding that the idea is therefore inherently flawed is a common discussion tactic around here. It's a good way to support a predetermined conclusion. By "predetermined" I mean that you take a position first and then look for ways to justify it, rather than researching the issue and seeking to understand the different approaches that can be taken. In that fashion you seem to h

    • your local DNS server hierarchy is going to be far more responsive, even if it does have a higher miss rate.

      I switched to OpenDNS a while back because we were having so many problems with our local ISP's DNS.

      The issue, at the time, was straight-up DNS failures. I don't know if they were making changes or if someone tripped over a power cord... But we weren't able to resolve anything - even though I could ping by IP address. So I plugged in the OpenDNS servers and everything started working again.

      Since that time I've done some un-scientific testing and found that OpenDNS's servers are consistently faster than m

      • by causality (777677)

        Since that time I've done some un-scientific testing and found that OpenDNS's servers are consistently faster than my local ISP's. It'll take several moments to even look up a name with my local ISP's DNS. OpenDNS can find the server almost instantly.

        This part interested me. All things being equal, you'd expect your ISP's server would respond more quickly because it's fewer hops away. However, all things are not equal because of the nature of OpenDNS. Specifically, I would assume that OpenDNS has many m

        • I have not run my own caching DNS server on my own home network.

          We have plenty of customers that we support who are running their own DNS servers simply because they're using Active Directory. These days we'll typically use OpenDNS's servers just because it is one set of numbers that works regardless of who the ISP is... But I haven't really noticed much difference between using OpenDNS's servers over the local ISP's servers once you've got your own DNS in-house.

          However... Given all the other issues I've

    • Re:Privacy for what? (Score:4, Interesting)

      by dissy (172727) on Friday December 04, 2009 @03:43PM (#30327714)

      My real concern with Google DNS is privacy. Your DNS records are extremely valuable to google, so I sincerely doubt google is not going to record them.

      I'm not even entirely convinced about the benefit of using google's; your local DNS server hierarchy is going to be far more responsive, even if it does have a higher miss rate.

      So what you are saying is, you are upset at the idea of google logging your dns traffic, yet NOT upset with the idea of your ISP logging your DNS traffic and selling it to google?

      Because google only gave you a legal document stating they wouldn't record your traffic longer than 48 hrs and would not tie those results with any other google service. You know, a legal document that you can use in court.

      Your ISP has provided no such document, and as you admit to sincerely doubt google would avoid doing what is now illegal, so you must equally doubt your ISP would avoid doing it too, probably more so since your ISP likely has no such legal document.

      Sounds to me the only way you can sleep easy at night would be switching to google, and letting your doubt rest easy knowing you now have the law on your side, and moving away from your ISP that most likely IS (and if not, could legally do so) what you are so worried of.

  • Yes, it might be useful for people whose ISP DNS server is slow. That didn't happen to me since my dialup days. Besides, now I simply run my own caching DNS server. It's not hard to set up at all.

    • Re: (Score:3, Interesting)

      Why waste the power? A personal use DNS server is a waste; if your ISP's DNS is slow there are always alternatives (I used Verizon's DNS for years when living in an area where Comcast DNS performance was slow). I know DIY is fun, has geek cred and all that, but your local machine will cache frequently accessed sites anyway, and the benefit gained on uncached sites will be seen so infrequently that you're not benefiting.
      • by ftobin (48814)

        ...your local machine will cache frequently accessed sites anyway...

        You need to be more clear about how this caching might actually take place; there is no magical program that would do this...except for a DNS server. On Linux you could be talking about nscd, but this doesn't necessarily abide by the DNS caching protocol correctly.

        • by Alrescha (50745)

          "You need to be more clear about how this caching might actually take place; there is no magical program that would do this...except for a DNS server."

          In Windows, I believe it's called the DNS Client service, on OS X it's called lookupd.

          A.

      • by gad_zuki! (70830)

        >Why waste the power? A personal use DNS server is a waste;

        Who is proposing a physical box? Just run bind as a service. How much cpu power is that thing using? Honestly? Pennies a month to run the service?

        Windows users can use the bind win32 port or Treewalk.

    • by fnj (64210)

      Guess where your caching DNS server gets its feed.

    • Re: (Score:3, Insightful)

      by Jellybob (597204)

      This also helps in situations where your ISP is hijacking responses stating that a domain doesn't exist, and rerouting them to a search engine.

      It's all very well having that happen for HTTP requests, but it can cause havoc with things like e-mail.

    • Re: (Score:3, Interesting)

      by causality (777677)

      Yes, it might be useful for people whose ISP DNS server is slow. That didn't happen to me since my dialup days. Besides, now I simply run my own caching DNS server. It's not hard to set up at all.

      I wonder about this myself. Google is a marketing company so you would generally expect them to always appeal to the widest audience possible. As valuable as DNS service is, it's also not something that average users care about or think about. Most users who are dissatisfied with their DNS performance would say "the Internet is slow today" and not "I am experiencing unusually high latency from my ISP's DNS server". This is just a guess but they seem to be targeting two broad categories of user:

      • Users wh
  • by cheros (223479) on Friday December 04, 2009 @01:04PM (#30325438)

    I find it amazing that nobody seems to notice that adding an ECHELON [wikipedia.org] and a DCS1000 [wikipedia.org] feed to Google is making it like the NSA, but where people actually VOLUNTEER data. In addition, its Terms of Service [google.com] give it more legal freedom to use and abuse your information and intellectual property than even the US border control can with accessing laptops of people entering the country.

    It appears 8+ years of indoctrination is paying off big time - nobody appears to remember that privacy is a basic right [un.org]. All it takes is some BS about "not being evil" for people to miss the shocking depth to which they can access all your personal data. Even the stuff they don't hold themselves will come up through the search engine. By matching up DNS records they will be able to add your entire Internet activity to your identity.

    That's going to be fun when you catch some sort of virus downloading porn - and the next time you apply for a job..

    • by Chyeld (713439)

      Sometimes freedom isn't about saying no, but about the fact that you can. I can't say no to the border patrol, I can to Google.

      More relevant, I have knowledge of the border patrol misusing their power and little evidence that they've actually helped me in any concrete manner. The reverse holds for Google.

    • Re: (Score:3, Insightful)

      by bigstrat2003 (1058574)

      There's a very big difference between "government forcibly taking data from me" and "voluntarily giving up data to Google in exchange for services".

      Furthermore, I simply don't care and never have. You, along with others who raise concerns about privacy interests, miss that very basic possibility. Most people just don't give a damn.

  • Ahhh... freedom. Finally I can view YouTube from work. That's Google! ...until the network admins block these DNS servers...

    Freedom for a day is better than no freedom at all!

    • by Kaboom13 (235759)

      If you wanted to block outside dns, why would you blacklist instead of whitelist? Any decent firewall should be able to block DNS requests leaving the network except from the local dns server.

  • by bramp (830799)
    I ran some tests against Google DNS and some other DNS providers to measure if Google DNS was actually faster than say OpenDNS, or my local ISP. The results showed OpenDNS completely outperformed Google, but Google did do better than two local ISPs. Read my blog entry about this [bramp.net].
  • by cenc (1310167) on Friday December 04, 2009 @01:50PM (#30326056)

    So I am giving Google DNS a try on my networks.

    I do not see the privacy issues, as they are very limited if you are using a cache on your router with Google as the DNS server. Google gets to see one lookup, and then my home router (with dnsmasq) serves any repeat visits for me or the other computers on my network. For the majority of the sites I visit on a regular basis, my router provides the DNS.

    I would suspect that a majority of people using home routers have some sort of cache now in the firmware that does similar work, in their OS, or their browser. It is not like Google is able to see me hit their DNS (although I am sure that is true for some users), every time I want to visit a site again. It is of little value, other than in the most general sense of determining what sites are popular.

  • Think about it. Eventually each of us will have our own DNS entry to identify our individual web presence. The things we make available to do business, social networking etc will be identified through DNS. Why wouldn't Google want to be in on this? Just because there is a profit motive doesn't necessarily mean it is nefarious. This will allow them to add value at a fundamental level. I can see a day when Facebook is irrelevant and people create their own ad-hoc social networks through their own web-presence
  • by dUN82 (1657647) on Friday December 04, 2009 @03:17PM (#30327366)
    Reports from my friend inside the GFW, both DNS servers already banned by the Chinese government...wth...and openDNS stayed untouched for like ever...
    • by Wolfier (94144)

      Think about it this way. You know, given the Chinese obsession over the number 8, there must be some way to make better and more profitable uses of 8.8.8.8, so they have reserved that.

  • by HockeyPuck (141947) on Friday December 04, 2009 @03:19PM (#30327390)

    What percentage of total users use DNS that is not assigned from their ISP? I would guess a good percentage of the /. crowd uses a DNS that is not assigned via their ISP. But out of the total population of internet users, using non-ISP DNS servers has got to be pretty small.
