
Google Proposes DNS Extension

Posted by CmdrTaco
from the you-know-my-name dept.
ElusiveJoe writes "Google, along with a group of DNS and content providers, hopes to alter the DNS protocol. Currently, a DNS request can be sent to a recursive DNS server, which would send out requests to other DNS servers from its own IP address, thus acting somewhat similar to a proxy server. The proposed modification would allow authoritative nameservers to expose your IP address (instead of an address of your ISP's DNS server, for example) in order to 'load balance traffic and send users to a nearby server.' Or it would allow any interested party to look at your DNS requests. Or it would send a user from Iran or Libya to a 'domain name doesn't exist' server."
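A toy model of the mechanism the summary describes, added here as an illustration and not code from Google's draft or from any resolver: a recursive resolver either queries the authoritative server from its own address, as today, or forwards only the client's first three octets as the proposal does, and a constructed authoritative server picks a "nearby" answer from whichever it sees. The region table, all addresses and the name www.example are constructed; the model also shows why a resolver using the extension has to key its cache on the client's /24.

```python
import ipaddress

# Constructed region table (documentation prefixes, not real topology): which
# region each /24 is assumed to sit in. The authoritative server consults it.
REGION_OF_PREFIX = {
    ipaddress.ip_network("198.51.100.0/24"): "nyc",   # a New York access network
    ipaddress.ip_network("203.0.113.0/24"): "ams",    # a Dutch access network
    ipaddress.ip_network("192.0.2.0/24"): "ams",      # where the public resolver lives
}
# Constructed "nearby server" A records, one per region.
NEAREST_SERVER = {"nyc": "192.0.2.10", "ams": "192.0.2.20"}
RESOLVER_IP = "192.0.2.53"  # constructed address of the far-away public resolver


def client_subnet(addr, prefix_len=24):
    """Truncate a client address to its first three octets (top 24 bits).

    Only this network, never the full address, is what the extension would
    forward; 256 addresses (254 usable hosts) share it.
    """
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def authoritative(query_source, subnet=None):
    """Authoritative nameserver: choose the answer by the client subnet if the
    query carried one, otherwise by the resolver address it arrived from."""
    where = subnet if subnet is not None else client_subnet(query_source)
    region = "default"
    for net, name in REGION_OF_PREFIX.items():
        if where.network_address in net:
            region = name
            break
    return NEAREST_SERVER.get(region, "192.0.2.99")


class Resolver:
    """Recursive resolver; send_subnet=True models the proposed extension."""

    def __init__(self, send_subnet):
        self.send_subnet = send_subnet
        self.cache = {}
        self.upstream_queries = 0  # how often the authority had to be asked

    def resolve(self, name, client_ip):
        subnet = client_subnet(client_ip) if self.send_subnet else None
        # The cache key must include the subnet: otherwise the first asker's
        # region-specific answer would be replayed to everyone behind this
        # resolver. This is also why the cache fragments, one entry per /24.
        key = (name, subnet)
        if key not in self.cache:
            self.upstream_queries += 1
            self.cache[key] = authoritative(RESOLVER_IP, subnet)
        return self.cache[key]


if __name__ == "__main__":
    for mode in (False, True):
        r = Resolver(send_subnet=mode)
        for ip in ("198.51.100.77", "198.51.100.200", "203.0.113.5"):
            print(f"extension={mode!s:5} client={ip:15} -> {r.resolve('www.example', ip)}")
        print(f"  upstream queries: {r.upstream_queries}")
```

Without the extension every client behind the Amsterdam resolver is sent to the Amsterdam server and one upstream query serves them all; with it the New York clients get the New York server, and the resolver asks upstream once per distinct /24.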
  • by Saishuuheiki (1657565) on Thursday January 28, 2010 @01:12PM (#30937140)
    If you read the entire post by Google, you'll notice they are suggesting only the first 3 octets of the IP address are transmitted. Now while this could theoretically be used to censor regions of users, it could not be used to expose you (since it isn't the complete IP address).
    • Doesn't that theoretically nail you down to somewhere within 252-ish machines? (Assuming IPv4.)

      The first 3 octets seem like they could be enough to personally identify you based on your DNS Search records.

      • No, it narrows you down to somewhere within 252ish public IP addresses (even considering IPv6, which contains a standard rest-of-the-address to "encapsulate" IPv4). Very few people (I'll even go so far as to say "the majority of users") on broadband services across most of the world truly appear to the outside world as an actual unique IP address, which is to say you and the guy at the desk/apartment/house/whatever next to you has a discrete and separate network address from you. Your connection is genera
        • I was under the impression my ISP was giving me a public IP address, and that's what I was paying for. I am of course behind my own NAT table on my personal router.

      • by peragrin (659227)

        Well, if you're like my house it is closer to 1 in 765. NATs are wonderful for that. As they can determine the IP but not which one of the four users across 9 computers with Internet access.

    • Re: (Score:3, Interesting)

      by gstoddart (321705)

      If you read the entire post by Google, you'll notice they are suggesting only the first 3 octets of the IP address are transmitted. Now while this could theoretically be used to censor regions of users, it could not be used to expose you (since it isn't the complete IP address).

      No, but given that only an additional 255 (or is it 254?) users besides you can be coming from that range, it's not like over time someone can't correlate this to you.

      I'm not convinced this doesn't have privacy implications, or that

      • by Talisein (65839) on Thursday January 28, 2010 @01:34PM (#30937760) Homepage

        Web sites already know where you're coming from. They have your IP address. Every single one of them, unless you're using a proxy. The problem is they can't easily redirect you to the server closest to you once you've already resolved their address. The only ones in the whole system who do not know your IP when you're browsing the web are potentially the authoritative DNS servers; the usual case is the same people who run the authoritative DNS server also run the web server, so while they don't get your IP when you do the DNS lookup they will when you eventually land on the site.

        • The problem is they can't easily redirect you to the server closest to you once you've already resolved their address.

          What's wrong with an http redirect? They seem to work just dandy for akamai.

      • by gparent (1242548)

        No, but given that only an additional 255 (or is it 254?) users besides you can be coming from that range, it's not like over time someone can't correlate this to you.

        Could be 256.

      • It's 254, assuming that it's not being NATed in any way. And the IP addresses change randomly for most users, at random intervals.

        Somehow all these people are super concerned with THIS idea, but have no qualms about everything they do online being logged in weblogs. But then, it's Google (or Microsoft, or Apple), so we have to bash them; they're too successful to be allowed to have good, non-evil ideas!
    • only the first 3 octets of the IP address are transmitted...could not be used to expose you

      Combining this with the information from the already quite pervasive tracking google does, I can't imagine that identifying your one-of-256-addresses is anything other than trivial.

      • How are they going to correlate a random DNS entry with you, without access to a cookie, or session data?
    • Re: (Score:3, Interesting)

      by TheRaven64 (641858)

      The first three octets limit you to a maximum of 256 machines. In practice, most addresses are assigned in /24s, so you end up with two of these used for the router and broadcast addresses. Most broadband ISPs don't recycle addresses often, so you end up with the same IP for weeks, if not months, at a time. Of the other 200 people on your /24, how many are online at the same time as you? Maybe 10-20? Of these, how many have sufficiently similar surfing patterns that, when you combine the DNS results wi

      • by natehoy (1608657)

        Of course, since this is only to give them enough information so you can access a Google server nearby as opposed to one somewhere else, they'll have your FULL IP ADDRESS about 1/100 of a second later.

        Google doesn't need this to track you. In fact, this information is less useful than what they already have. This is about Google (and anyone else who has distributed datacenters) being able to make better decisions about which datacenter to send you to. This saves them bandwidth charges, which adds up to B

    • by poetmatt (793785)

      Even the first 2 octets can be enough to reliably identify with some digging. What do you think 3 is gonna do?

      • Re: (Score:2, Informative)

        by Saishuuheiki (1657565)
        Isn't it a moot discussion anyways? Generally speaking they're going to get your IP address anyways when you connect to their server; so why is it important if they get your IP earlier when you're looking up their server?

        I guess there could be some way to track what sites you're looking up from different tiers of DNS servers. If you were using Google DNS, they'd have your entire DNS anyways, and if you were using another, then they'd only get your IP if you're connecting to google.com.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I'm not worried about the "evil" aspect of it. This just doesn't sound like what DNS should be used for.

    • by D Ninja (825055)

      Thank you! Came in here to say this. Did the submitter even read the article?

      And for those interested:

      Our proposed DNS protocol extension lets recursive DNS resolvers include part of your IP address in the request sent to authoritative nameservers. Only the first three octets, or top 24 bits, are sent providing enough information to the authoritative nameserver to determine your network location, without affecting your privacy.

    • by Imagix (695350)
      And that defeats the purpose. The internet got away from classes of IPs and went to classless delegation for a reason. Now they want to bring it back. And if the concern was really for geolocation purposes, then the ISP can simply put a recursive nameserver close to the clients (say only 1 hop up from the client). Since all of the client's traffic must pass by that hop anyway, that DNS will be close enough to determine where the client is.
    • by tlambert (566799) on Thursday January 28, 2010 @03:48PM (#30940756)

      To: DNSEXT (DNS Extension Working Group, Internet Engineering Task Force)
      From: Paul Vixie
      Date: Thu, 28 Jan 2010

      "I don't think that's a general enough solution to be worth standardizing.
      please investigate the larger context of client identity, beyond the needs
      of CDN's."

      I also agree with his later statement in the same thread:

      "it may be too dangerous in any form but that's a separate issue."

      -- Terry

    • Now while this could theoretically be used to censor regions of users, it could not be used to expose you (since it isn't the complete IP address)

      Sure it could expose me. I have my own Class-Cs - two of 'em. When I'm on one the first three octets point straight to me.

      When I'm running from my DSL I have an eight-IP address block (broadcast / broken-broadcast / modem / five usable) so the first three octets point to a group of 32 of which I'm one. For DSL users with one usable it points to a group of 64 users.

      • doesn't impress the babes anymore

        now you have to own your own Class-C before a woman even gives you a second glance

        and even then, they'll still flock to those assholes strutting around with those Class-Bs

  • Bad summary (Score:3, Informative)

    by Talisein (65839) on Thursday January 28, 2010 @01:12PM (#30937148) Homepage

    The proposal says they would only use the first three octets. And users could just use a different DNS server if they had a restrictive server that blacklisted Iran or whatever.

  • by Anonymous Coward on Thursday January 28, 2010 @01:12PM (#30937150)

    The summary isn't even close to correct. What the hell is going on with Slashdot these days?

  • How's that evil? (Score:5, Insightful)

    by Anonymous Coward on Thursday January 28, 2010 @01:18PM (#30937324)

    What a load of crap. There is no way to exploit that. If someone wants to block certain IP ranges, it is much more efficient to do so at the HTTP (or whatever the protocol in use is) level, rather than in DNS.

    Even if this gets introduced, every DNS server will continue supporting the old (without 'IP forwarding') way of doing things, so it's easy enough to pick a DNS server which doesn't forward your IP. Everything will work just as it does now (you won't have the potential speed advantage you might get with the new system though).

    Whoever wrote TFS doesn't know the first thing about how networks work. Looking at what just happened in China, do you think that Google of all companies really wants to endanger your privacy?

    The reason why Google offers public DNS servers and why they came up with this is because they want to make the internet faster for everyone. And they're doing it in an open, backwards-compatible way.

    This is a good idea and should be implemented.

    • by slyborg (524607)

      > The reason why Google offers public DNS servers and why they came up with this is because they want to make the internet faster for everyone.

      BAHHAHAHAHAHAHAAAHAA...Yes, Google only wants rainbows and ponies for ALL the good children!

      My good AC, I actually think you aren't a Google astroturf, but how naive can this be? Google is a public corporation whose fiduciary duty is to make money for their shareholders, not make the intertubes flow more smoothly, unless that causes Google to make more money.

      Googl

  • This is important! (Score:5, Insightful)

    by HaeMaker (221642) on Thursday January 28, 2010 @01:19PM (#30937338) Homepage

    This is extraordinarily important for efficient operation of the internet. If people want to block you, they can, DNS or no DNS. However, for global load balancing, this is vital. You want to connect to a server near you, not near your DNS server.

    This will not stop the proper function of proxies.

  • by Tei (520358) on Thursday January 28, 2010 @01:20PM (#30937364) Journal

    The Internet already works without the need to propagate this information. Following the OS concept of "less power", the less information about you that is propagated, the fewer problems.

    "By returning different addresses to requests coming from different places, DNS can be used to load balance traffic and send users to a nearby server. For example, if you look up www.google.com from a computer in New York, it may resolve to an IP address pointing to a server in New York City. If you look up www.google.com from the Netherlands, the result could be an IP address pointing to a server in the Netherlands. Sending you to a nearby server improves speed, latency, and network utilization."

    It seems this balancing is already possible without the need to propagate that data. I choose here safety/privacy over a potential speed gain. Also, the risk is for everyone, but the gain is just for a few (the people that have lots of servers and need a balancing solution)... hence, it is unfair. My view of this.

    • Then choose a DNS server that doesn't use these extensions, or choose one you trust.
  • What about IPv6 (Score:2, Interesting)

    by wadey (215252)

    It seems IPv6 will be in use soon; so why tinker with DNS requests on IPv4?

    Also, does anybody know how geolocating an IP will be done on IPv6 (at least down to country level)?

  • This is what anycast routing was invented for. The root servers use it, why not secondaries?

  • by nweaver (113078) on Thursday January 28, 2010 @01:26PM (#30937508) Homepage

    There are already many uses where the IP address of the resolver is used to determine service, basically every CDN etc uses this technique.

    This extension is needed if you want OpenDNS and the like to Not Suck when fetching Akamai sourced content, youtube videos, etc.

    And it's not like the owner of the DNS authority won't find out who you are anyway, after all, you then CONTACT THEM DIRECTLY WITH YOUR IP ADDRESS!!

    • That's the part that I don't get about what people are moaning about. You're obviously connecting to the host server at the end, it's inherent in the DNS request (unless you're doing a whois or something, but that's not the same is it?).

      I think most people are getting jacked up about "could be used for tracking purposes".

    • ++ Mod parent up. I wish I had mod point.

  • There are several products currently on the market that allow you to perform geographic load distribution via DNS. These products look at your LDNS server's address and either attempt to triangulate using a reverse DNS lookup to the LDNS server, calculating the number of hops and/or round-trip times to that LDNS from each of your sites, or they use static IP range tables broken down by region. The assumption is that a client is in somewhat close proximity to their LDNS server.

    The problem with these methods is
    • by amorsen (7485)

      That workaround has the nasty side effect of increasing your DNS load by an exponential factor, which isn't good either.

      Imagine you're hosting web servers. If you can handle N HTTP queries, you can also handle N DNS requests, unless your DNS servers are completely useless. Even with TTL 0, you'll only get at most the same number of DNS requests as you're getting HTTP queries.

  • by TheSunborn (68004) <tiller&daimi,au,dk> on Thursday January 28, 2010 @01:31PM (#30937650)

    I can't see how this gives any more information to Google or other users.

    Example: If I do a lookup on www.slashdot.org then this query should never hit any DNS server controlled by Google.

    The only way a query would end up on a Google-controlled DNS server would be if the domain I looked up were owned by Google, and in that case I don't care, because then I am about to visit the site anyway, which means they will have my entire IP.

  • Look, you can already use whatever DNS server you want. If you're worried about your traffic being analyzed by someone else's DNS, just use your own (or a privacy-respecting) DNS elsewhere.

    DNS is just the obvious way to ensure that clients use the best path to content.

    • by cpghost (719344)

      DNS is just the obvious way to ensure that clients use the best path to content.

      Isn't the obvious way a combination of anycast + BGP? It works quite well, and is administered by knowledgeable network specialists who also happen to know the exact topology of their backbones. Putting it in DNS instead opens the door to endless misuse by domain owners who believe in geo-specific discrimination. CDNs should work transparently, but allowing end users (a.k.a. domain owners in this particular case) to tinker that

      • by amorsen (7485)

        You can't reliably anycast TCP. The session might switch servers in the middle.

  • ...don't fix it.

    • So you're a fan of sitting on Internet Explorer 7 for the next 10 years? Or Firefox 2.0? That's called stagnation.
      • So you're a fan of sitting on Internet Explorer 7 for the next 10 years? Or Firefox 2.0?

        No, those both have plenty of vulnerabilities. They're broken.

        The DNS protocol is not broken. In fact, besides the tricks and hacks corporate Earth has tried with it (404 redirection as an example), it's worked pretty damn well for me for the past 20 years.

  • Ups and Downs (Score:5, Insightful)

    by LaminatorX (410794) <sabotage AT praecantator DOT com> on Thursday January 28, 2010 @01:39PM (#30937878) Homepage

    I like it. I don't know what the aggregate increase in efficiency across the net would be, but I'm betting if Google is suggesting it, it could be significant. While there are some potential abuses, they're really no different than what can already be done at the router/server level currently.

  • The use of the word 'marginal' needs to be disambiguated too. It means 'not of central importance.'

  • The reason the internet is so successful is that it has a core that doesn't try to think too much. Get packet, forward packet, etc.

    If load balancing is a concern, the client node should determine where the best place to get content from is at, NOT some hack which makes DNS less reliable, and noisier.

    Use digital fountains and give out multiple sources to get streams from, and let the end user's computer figure it out. They are the ones in the best place to determine which is a more reliable stream of packet

  • While this doesn't identify you, for a lot of reasons, there are some good points to using this. Hitting local caches/distribution network nodes/etc. will make the internet actually faster (a good percent of total bandwidth comes from places where this applies, and going to somewhat local resources unclogs international links). At least where I live, where around 200 ms is the average ping time to the rest of the world but 30 or lower to local ones, accessing most static resources locally should make a difference.

    An
  • " Or it would send a user from Iran or Libya to a 'domain name doesn't exist' server."

    Why limited to these countries? How about Australia? Remember, this is a country that blocked Wikileaks thru its state sanctioned banlist. Politicians there are on board [stuff.co.nz].

    Even Linden Labs (makers of Second Life) have set up servers there (only 2-3 countries have their servers outside the US). Critics theorize this has little to do with technical distributed computing reasons but is to be in readiness to self-censor their cont
  • This is bad (Score:2, Insightful)

    by BhaKi (1316335)
    This is crap. You don't need user's IP address for load balancing. The only motives behind this are propaganda and psyops. For instance, this move will allow US to block traffic to certain sites from certain countries and then claim that access failures are due to censorship imposed by that country's government.
    • by TheSunborn (68004)

      So how do I redirect the user to the server that is closest to them without knowing their ip?

      • by BhaKi (1316335)

        So how do I redirect the user to the server that is closest to them without knowing their ip?

        Firstly, geographical proximity has nothing to do with quality of connectivity. (Some helpful fellow Slashdotter pointed that out to me a few days back.) So, redirecting the user to the nearest server doesn't help much. In fact, it could even slow down connectivity because of the computation involved in calculating proximities.

        Secondly, the existing system works just fine for location-based DNS redirection.

  • The way things currently work, really makes sense for most people. Your ISP is a single hop away and you want the authorities to talk to it (not you) so that it can cache the result. And it's ok to have that extra traffic between the recursive resolver and you, because it's not a long ride.

    But what Google is asking for also makes sense -- if you're using a far-away recursive resolver.

    And the very premise of that is stupid. Why the fuck would anyone want to use Google for DNS, instead of something closer

    • Re: (Score:3, Insightful)

      by nedlohs (1335013)

      Because their ISP plays stupid games with DNS and setting the DNS numbers on the computer is a tad easier than setting up and running a DNS server.

  • Or it would send a user from Iran or Libya to a 'domain name doesn't exist' server.

    And who would be the victims? The same people whom Google is claiming to be fighting for.

  • So even if your resolver DNS already has the answer cached, it's supposed to transmit the request again so the authoritative server can see the requesting client's IP network, and possibly return a different answer. Is it supposed to cache that, or not? Is a resolver supposed to use this extension for all queries, or only load-balanced ones? The draft includes no mechanism for specifying whether a particular query should or should not use the extension. I assume then that a resolver patched with this ex

  • This all sounds totally crazy if you're Paul Vixie and have written a little article titled What DNS Is Not [acm.org] which specifically mentions that it shouldn't be used for this.

    How quickly we forget [slashdot.org].

  • This will completely destroy IP rotation aka load balancing. I hope they aren't allowed to do it.

  • Sounds like a terrible idea to me.

    If a caching DNS server serves multiple users in multiple countries, then suddenly it's not caching anymore.
    If there are multiple possible IP addresses that I can be directed to, why not just send all of them to me, and let me (my DNS server) decide which one is best?
    What if I have more than one IP? Which one should I use?
    How often is it, really, that the route to the DNS server isn't the best route anyway? I.e. is the tiny benefit of a slightly better route for a han

  • The company I work for has a Class A IP network and is not based in the US.

    I'm physically located in Atlanta, but all of the existing geolocation services which I am aware of that use my exposed IP address seem to want to place me in the center of Europe somewhere.

    Will this be smart enough to do better?

  • We've been running into this wall for a while, and let me tell you, the workaround is the most disgusting mess imaginable. Trying to manage views/geolocation when everything is hidden behind a caching server is horrible. There is no car analogy.

    Sure, this might give google more information about you, but frankly, they already have it if you're querying their servers (directly). Where this benefits them, and other content players, is when they aren't the default DNS server. This allows them to know that
