
Google Implements DNSSEC Validation For Public DNS 101

Posted by Soulskill
from the internet-dragging-its-feet-slightly-less dept.
wiredmikey writes "Google on Tuesday announced that it now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers. Previously, the search giant accepted and forwarded DNSSEC-formatted messages but didn't actually perform validation. 'With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains,' Yunhong Gu, Team Lead, Google Public DNS, wrote in a blog post. According to Gu, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. According to NIST, there has been no progress in enabling DNSSEC on 98 percent of all 1,070 industry domains tested as of March 18, 2013. 'Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,' Gu said."


  • This story is ... (Score:1, Insightful)

    by briancox2 (2417470)
    ...probably the most unsexy story I've seen on Slashdot in ages. It's minimally controversial. And it leads to a minimum number of jokes and ridicule. I predict that the Limit, as time approaches infinity, of number of posts = 150.
    • Re:This story is ... (Score:5, Interesting)

      by MaraDNS (1629201) on Tuesday March 19, 2013 @03:48PM (#43216647) Homepage Journal
      DNS is really boring today, but let me tell you, between 1999 and 2001, DNS was a much more interesting topic.

      Back then, there were two DNS servers out there:

      1. BIND, which was horribly insecure and one of the more significant causes of remote root access security holes
      2. DJBDNS, which was and by and large [nist.gov] is secure, but had a weird maybe-not-open license and lots of quirks

      LWN has a good article from that era [lwn.net] to give people an idea how limited choices were with open-source DNS servers. Since then, we got Unbound [unbound.net] and NSD [nlnetlabs.nl], PowerDNS [powerdns.com], and (shameless plug warning) MaraDNS [maradns.org] (there are also a lot of DNS server projects which never were finished or were abandoned years ago, such as OakDNS, Dents, Posadis, etc.)

      The idea behind DNSSEC is that it is, within a margin of error (I'm already awaiting a somewhat pedantic correction from a neckbeard), the HTTPS of DNS: It makes it impossible (cue neckbeard pedantic correction) to spoof a DNS reply. DNS without DNSSEC is like HTTP without HTTPS: There are security issues where an attacker can make someone go to the wrong web site.

      (Yes, I am aware of DNScurve. I'm also aware that, like Esperanto, the best idea doesn't always win--or even get implemented in a mainstream DNS server)

      (Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)

      • Slashdot: 2001 called and wants its lack of Unicode support back.

        I've explained before how vandals forced Slashdot to stop supporting Unicode [slashdot.org].

        • by unixisc (2429386)
          How about /. lack of support for IPv6?
        • by Sloppy (14984)

          I'm a pure-7-bit-ASCII vandal, myself. I just embed escape [2;9y into my posts, to make your VT100 do a constantly-repeating self-test.

          Another fun fact: I just upgraded to MaraDNS about a week ago. Believe it or not, I had been using Twisted Names, and got away with it for several years. It mostly worked. Mostly.

          • by MaraDNS (1629201)
            Be sure to be using MaraDNS 2 and not MaraDNS 1; MaraDNS 1 is obsolete and support ends in about 2 years [samiam.org]. ObNeckbeard: 2 years, 6 months, and 2 days.
            • by MaraDNS (1629201)
              Make that 2 years, 3 months, and 2 days.

              Slashdot: 2001 called and wants their lack of ability to edit posts (perhaps with a timeout to stop some forms of abuse) back. I swear, this place is becoming almost as musty as Usenet.

            • by Sloppy (14984)

              I'm about 0.4.03-1.1+squeeze1 version units of the way in between 1 and 2. Bah, sounds like I have 2 years 6 months and 1 day to deal with upgrading.

              Damn, now that I think of it, I probably won't get to it in time.

      • by X0563511 (793323)

        (Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)

        While I support your idea, smart quotes need to die in fires. I also do not understand the need for different types of dashes - a dash is a dash!

      • by tqk (413719)

        I'm already awaiting a somewhat pedantic correction from a neckbeard ...

        Defensive much? I've used MaraDNS. It worked. Now I use bind9. It works.

        For me, when the US gov. thinks DNSSec would be a step back, hindering their ubiquitous surveillance of everyone and everything always, I like DNSSec. Rage against the machine.

        [My beard's a Van Dyke, and my neck's been shaved.]

  • by Anonymous Coward

    I'm not up to scratch on the whole DNSSEC thing, but last I heard the protocol allowed DNSSEC-respecting servers to be trivially used as DOS nodes by having a control server. A machine could spoof the originating host on a lookup request for something nonexistent, and the payload of whatever the DNS is supposed to return is significantly larger than the lookup requests themselves, so you could trick one of the nameservers into bombarding your victim for you. What ever happened with that?

    • A machine could spoof the originating host

      How does spoofing the originating host get past an ISP's egress filter? As I see it, the attacker and the victim of such an amplification attack would have to be on the same ISP.

      • by thejynxed (831517)

        Never assume ISPs like Comcast or Time-Warner would ever invest the time or money into such an egress filter.

    • Those attacks are still going on. This exploit does not require DNSSEC, but the large size of DNSSEC records makes it much more effective. Some DNS servers have implemented rate limiting to deal with this problem.

  • Awesome... now more people will be tricked into switching to Google's DNS servers, and therefore, more people can be tracked by Google.

    Before, Google just watched your browsing habits, your email, your phone calls and cell phone activities, your physical connection, tracked you through advertising, monitored your connections to your friends, and, well, when you took a dump too.

    Now, Google plans to monitor every other activity your computer partakes in, as it watches all the DNS lookups you make. Any websit

    • I wish I could mod you +1 paranoid schizophrenic.
    • by ledow (319597) on Tuesday March 19, 2013 @04:05PM (#43216833) Homepage

      Please explain how you know that, for example, Microsoft doesn't already do a lot of similar things?

      For a start, every new connection you check in with Microsoft by connecting to a Microsoft server and downloading a text file (look up NCSI - and, yes, you can change the registry entries to your own server if you wish, but so can you NOT use Google's DNS servers. I actually use it as a primitive "call home" device should someone be stupid enough to steal my laptop - as soon as it's turned on on an unknown Internet connection, it will try to talk to my server as a connection test, which would give me their IP).

      Or time.microsoft.com. Same sort of thing. Hell, a lot of security suites "call home" with details of what pages you're going to in order to see if they are malware, etc. Opera Mini/Mobile "calls home" to a server that could even cache your SSL connections in theory, etc. Just what precisely distinguishes Google from anything else that you have voluntarily installed on your computer?

      • by Blymie (231220)

        Your response is the equivalent of stating that since Microsoft murdered someone, I shouldn't be upset that Google did. Further, since we all know Microsoft murdered someone, I am out-of-line for mentioning that Google did.

        Guess what Jimmy -- lots of people mention the bad things that M$ does. My post is about the bad things Google does -- and they do LOTS of bad things.

        And I call them on those bad things, and the bad things they continue to do.

        • by ledow (319597)

          And not once have Google ever forced anyone to use 8.8.8.8 or 8.8.4.4 as their DNS server.

          But I can find you a lot of things that Microsoft has done to force such things on their customers. Even convicted in a court for it.

          Fact is, if you are that paranoid about Google, just stop using them or sites that support them. And if those sites were that worried, they'd stopped using them too.

          The point is that LOTS of companies do lots of things with your data and have to abide by the law in doing so. Google isn

          • Re: (Score:2, Insightful)

            by Blymie (231220)

            Ah, a new tack -- no one is forcing you to use Google, therefore it's OK that they do whatever they do.

            No one is forcing you to rent a particular apartment either, so I guess it's OK if the landlord puts cameras in it, and spies on you?

            No one is forcing you to go to a particular grocery store. I guess it is OK for that grocery store to poison your food, if you don't like it, shop elsewhere?

            Sorry, the "if you don't like that you're being spied on, just shut the hell up and stop using that product" is anothe

            • by Nerdfest (867930)

              What's your suggestion then, that all targeted advertising be stopped? Google as a company behaves pretty well in general and exceptionally well when compared to others. If I can get excellent free services in exchange for having targeted ads displayed, sign me up. The cost of the services without the ads is prohibitive. As the GP stated, if you don't like them, don't use them and block a by taking cookies. I don't think you're going to have a lot of luck making collecting information illegal.

              • by Blymie (231220)

                I suggest it be made very clear what data is collected and precisely how it is used.

                Then let people decide if they want to use the service.

                Right now, the only choice is to GUESS how the data is being used, and to GUESS precisely what is being collected. That needs to change.

                Outside of the above... Google behaves well? Pfft. They behave as poorly as any large corporation, from what I've seen. Further, as mentioned above, the sort of "if you don't like them, stop talking about it, just don't use them" tho

          • by thejynxed (831517)

            "The point is that LOTS of companies do lots of things with your data and have to abide by the law in doing so."

            Nope, what they do, is totally break the law whenever it makes financial sense to do so, while hoping nobody at places like the SEC or DOJ notices.

      • by Lennie (16154)

        Try using the SSL/TLS subsystem in Windows without sending information to Microsoft.

      • I'm willing to bet more people use Google products than MS products.

  • by ledow (319597) on Tuesday March 19, 2013 @04:15PM (#43216951) Homepage

    Show me an ISP or host who supports IPv6 and DNSSEC for a reasonable price and I'll switch.

    Fact is, usually your hosting provider runs your DNS for you, and until they change there's nothing I can do. Setting up a nameserver is within my realm of possibility but it's something that I pass off to third-parties for a reason (for a start, you need two and ideally they should be on different IP spaces and connections). Also, configuring and updating DNSSEC is, from what I've seen, a bitch and even the initial signing can be a pain in the arse. Sod all that hassle just for the convenience of a minority of visitors.

    Combine that with the fact that for almost EVERYONE who owns a domain, someone else other than them actually hosts it (and the big guys who DO host their own domain nameservers? Well, they can and are enabling DNSSEC where they need it, but it's no small task) and you have a problem.

    You can bitch at me as much as you like but that ain't going to DNSSEC-enable my domains that I don't host any more than bitching that my IPv6-ready setup isn't actually on an IPv6-compatible / supported connection / ISP-supplied router will get me online.

    Talk to my ISP and domain host. Get a few of them moving, then we can talk. Until then, it's all just another technology that I can do nothing about without a lot of expense for virtually zero gain.

    P.S. The domains I do have on VPS / external servers on hosts which offer DNSv4 control publish AAAA records which work. In the same way they publish SPF records that work, and DKIM records that work, and reverse DNS records that are valid. And they ALL get used. But not really enough to justify even the small effort it took to do all that.

    I've done my bit. Call me when my ISP host gets off their arse and does theirs. In fact, call me when Slashdot does the same. 10 years on and they're still publishing articles about the doom of IPv4 without a single AAAA record to their name.

    • You could always set up your own bind9 DNS server; hell, my laptop has its own DNS server running on it.

      • by ledow (319597)

        Could.

        Won't.

        For a start, a home DNS server isn't suitable. And if I deploy a nameserver, as I said, you should be deploying two on separate networks. And it's STILL a pain in the arse to sign it all properly. It's just not worth the effort for a small home user, and those who run nameservers now can run DNSSEC now. The point is that few people run nameservers of their own, for good reason.

        • by PhrstBrn (751463)
          You know there is a difference between authoritative DNS servers and caching DNS servers, right?
    • by Anonymous Coward

      Show me an ISP or host who supports IPv6 and DNSSEC for a reasonable price and I'll switch.

      In which country?

      Some areas aren't technology backwaters as much as others.

    • I'm usually against advertising but in this case it is acceptable:

      https://www.transip.nl/ [transip.nl]

      These guys do DNSSEC and IPv6 for a reasonable price.
      Unfortunately their website is in Dutch, that might be a showstopper for you.

  • personally I have been looking forward to this !!

    thank you finally validation works

    John

  • FAIL. (Score:5, Interesting)

    by Ethanol (176321) on Tuesday March 19, 2013 @11:15PM (#43220455)

    Google has not correctly implemented DNSSEC. If you send them a normal DNS query and the response is not validly signed, they just pass the answer back to you without any indication that it's invalid. They only tell you that the answer failed to validate if you set the DO ("dnssec okay") or AD ("authentic data") bits in your query, which almost no DNS clients currently do.

    If the answer is invalid, a validating name server is supposed to respond with SERVFAIL, so that even if the client doesn't know anything about DNS security, it will still be protected against spoofing. Google is claiming to provide protection against spoofing, and then they aren't providing *any protection at all*.

    If you want DNSSEC protection, you're still going to have to run a validating name server yourself: either BIND 9 or Unbound. (Disclosure: I'm a BIND 9 author.) It is, nowadays, extremely easy to configure a validating name server using BIND 9; in any version since 9.8.0, a one-line named.conf will do it:

    options { dnssec-validation auto; };

    Run named with that configuration and "nameserver 127.0.0.1" in resolv.conf and you're good to go. Google public DNS is not ready to trust yet.
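    One way to see the distinction Ethanol draws, as an added example that is not part of the original comment or of BIND's code: these Python helpers build a query with or without the EDNS0 DO bit and read a resolver's answer by the AD bit and the SERVFAIL rcode. The transaction id and UDP payload size are arbitrary assumptions.

```python
import struct
# Added example, not from the original post: wire-format helpers for the EDNS0
# DO bit in a query and for reading an answer (AD bit, SERVFAIL, or neither).
RCODE_SERVFAIL = 2
FLAG_AD = 0x0020   # "authentic data" bit in the 16-bit header flags
EDNS_DO = 0x8000   # "DNSSEC OK" bit, carried in the OPT record's TTL field
TYPE_OPT = 41

def build_query(name, qtype=1, dnssec_ok=True, txid=0x1234):
    """Recursive query for name; appends an OPT record with DO set if asked."""
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    msg += qname + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg

def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def query_sets_do(msg):
    """True if the query carries an OPT record with the DO bit set."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            return True
        off += 10 + rdlen
    return False

def classify_response(msg):
    """How a DNSSEC-aware stub should treat a resolver's answer."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if (flags & 0x000F) == RCODE_SERVFAIL:
        return "servfail"      # validation failed; resolver withheld the answer
    if flags & FLAG_AD:
        return "validated"     # resolver asserts the data passed validation
    return "unvalidated"       # data returned with no validation assurance
```

A stub that never sets DO and never checks AD only benefits if the resolver answers SERVFAIL on validation failure, which is exactly the behaviour the comment says Google's resolvers lack.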

  • This would be great for me in China. That is, until google DNS gets blocked completely. Even using Google DNS in mainland China gives very odd random-seeming replies for requests to certain sites like facebook. It really seems like even requests to foreign DNS servers get spoofed (though not consistently, about 1 in 20 requests seemed to actually give a facebook server).
