How Does the New Google DNS Perform? (and Why?)

Tarinth writes "Google just announced its new Google DNS platform. Many have viewed this as a move to increase ad revenue, or maybe capture more data. This article explores those questions, as well as the actual benchmarking results for Google DNS — showing that it is faster than many, but not nearly as fast as many others." We also recently discussed security implications of the Google Public DNS.

Pointless hype

[suso]

Its funny how the Google hype is driving so much talk about something like DNS, a service which probably 95% of non-tech people don't know exists. Most people
wouldn't care about DNS normally, but since its Google it must be something to get excited about. I doubt really that any significant number of people will
switch to using 8.8.8.8, but I worry that if they do, one of the the original goals for DNS will be lost. That its distributed.

Just ask yourself one question, if you don't trust your internet provider enough to do DNS correctly, should you trust them at all?

Re:Pointless hype

[drinkypoo]

Just ask yourself one question, if you don't trust your internet provider enough to do DNS correctly, should you trust them at all?

You trust your ISP? I sure don't. Perhaps I am asking for abuse, but I trust Google far more. On the other hand, I trust my hosting provider to provide sufficient DNS; but if I were hosting my application on a cloud somewhere, I'd want some cloud-based DNS; if I were hosting my application with Google, then Google would be the logical host for my name service. I'd probably want to use them as my registrar as well. :p

Google has the best uptime and the most distributed architecture of any single computer system, unless you consider the internet to be a single entity; it has slightly better reach overall.

I doubt really that any significant number of people will
switch to using 8.8.8.8, but I worry that if they do, one of the the original goals for DNS will be lost. That its distributed.

Google is distributed. Is there any reason using one IP is unworkable?

Re:Pointless hype

[omnichad]

They have two IP's - 8.8.4.4. So even if one IP fails to route to any anycast destination at all, they still have a backup.

Re:Pointless hype

[Anonymous Coward]

Fair enough -- you don't trust your ISP.

How does using google's DNS help you? You really think your ISP isn't logging your DNS traffic regardless of if you're using their DNS servers or not? A simple tcpdump udp port 53 on a passive tap is enough for them to collect your DNS traffic no matter what you do unless you use TOR or a vpn.

So, now google *and* your ISP have logs of what you've been looking up. How are you better off?

Oh -- and if you really don't trust your ISP, how are you to be sure that they aren't redirecting your port 53 traffic to their DNS servers *anyway*? Comcast -- I'm looking at you... Why is it that 5% of responses that *should* be an NXDOMAIN from a root server instead are an A record to some site that happens to be running a web server?

Re:

[omnichad]

Maybe, like me, GP simply doesn't trust their ISP to be reliable.

Re:Pointless hype

[Anonymous Coward]

If your ISP is like mine, they break basic DNS functionality. Instead of a correct could not find error, they serve up a page of badvertising. If you opt out of that, they serve up a page that says that it could not find, not returning the real error. If you have your iPhone connected to your home wifi, and you attempt to use the google app on your phone, it breaks the search results page...

ALL of these annoyances are fixed with gDNS.

Re:Pointless hype

[shentino]

I recently had to deal with a firewall that just flat out BLOCKS outbound DNS. You HAVE to use the network's DNS, which of course is site-filter enforcing.

Mandatory censorship.

Re:

[johny42]

Mandatory censorship.

That doesn't seem like a very mandatory way of censorship. Not being able to translate a site's domain name to its IP address has nothing to do with not being able to access the site.

Re:

[drinkypoo]

That's the one! I was already using a third-party DNS by their advice, and now I am using Google's. So far, so good.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Steeltoe]

Odds of this happening, zero. I think Google would face a lot of criticism if they made it that easy to dodge ISP tracking of their users.

DNS over encrypted channel? Would require some client-side changes on the OS / gateway level.

Google would get praise from me if they did something like that. DNS is far too insecure and open these days. UDP should be used for games, not for something you need to rely on.

Re:

[Zerth]

I ssh tunnel all my traffic to a rented box as it is, so I've got that already.

Now if you only wanted your DNS done, and didn't have a secure relay, then that'd require some changes on Google's end, but isn't anything particularly weird on the client end.

Re:

[drinkypoo]

?DNS over encrypted channel? Would require some client-side changes on the OS / gateway level.

False. It's called IPSEC and it's been around for quite some time now. Windows NT from Windows 2000 on provides administration tools to all users; there's a couple implementations for Linux but setup is generally not that torturous these days. It would require some configuration changes, but that's it; DNS will work just fine over IPSEC, as will pretty much everything else, which is what separates it from more or less all the other options. Of course, your ISP has to pass AH and ESP for you to get all the f

Re:

[David Jao]

Your examples of DNS hijacking are legitimate but extreme. There is a large middle ground of ISP behavior where using third party DNS is beneficial. In addition, if widespread adoption of Google DNS leads to increasingly extreme DNS hijacking on the part of ISPs, at least we'll have some concrete evidence of ISP misbehavior to cite in net neutrality debates and the like. (ISPs can hijack DNS, but they can't do so in secret.)

Re:

[theantipop]

Is it legal for your ISP to simply dump this information bound for another server into a log and keep it?

Re:Pointless hype

[sexconker]

Google has the best uptime and the most distributed architecture of any single computer system, unless you consider the internet to be a single entity; it has slightly better reach overall.

No it fucking doesn't you fucking moron.

Oh this is slashdot. I meant "Citation needed.".

Re:

[TheRaven64]

I've been to Google and found it down for a few minutes at least twice and there are numerous instances where gmail has been unavailable. Most financial systems would suffer insane losses if they had the kind of downtime that Google users won't even notice. If Google goes down for a few seconds, you hit refresh and blame your ISP. If, for example, the telephone company's accounting system goes down for a few seconds then they lose hundreds of thousands of dollars.

Re:Pointless hype

[nacturation]

If, for example, the telephone company's accounting system goes down for a few seconds then they lose hundreds of thousands of dollars.

There are 31,556,926 seconds in a year. At a hundred thousand dollars a second, your telephone company makes $3,155,692,600,000 a year from time-metered services?

Re:Pointless hype

[shutdown -p now]

At a hundred thousand dollars a second, your telephone company makes $3,155,692,600,000 a year from time-metered services?

That's easily explained if said telephone company is a mobile operator in USA.

Re:

[ckaminski]

That's not Billion, that's 3.1 TRILLION dollars - almost a 3rd of the US GDP.

For the newbs:

1000 Thousand
1000000 Million
1000000000 Billion
1000000000000 Trillion
- - - - - - - -
315569260,000 Trillions!!

Re:Pointless hype

[mcrbids]

On the other hand, I trust my hosting provider to provide sufficient DNS; but if I were hosting my application on a cloud somewhere, I'd want some cloud-based DNS;

Could you give me an example of an "Internet-based DNS" that isn't also "cloud-based"? The definition of "in the cloud" IS "on the Internet". Your arbitrary distinction simply makes no sense at all. You are asking for DNS with a "distributed architecture" but DNS itself IS a distributed architecture!

I hate to sound trollish, but your over-eager Google fanboyism betrays your underlying non-comprehension of the issues involved! DNS is a distributed architecture, and all that's necessary for you to provide extremely high availability is to provide two (or more) DNS servers at different locations. This eliminates the "single point of failure" and with each location providing better than 99.95% uptime, the odds of both going down at the same moment is measured in hundreds of years. When you consider DNS caching, due to its distributed architecture, (there's that word again) if your hosted DNS were actually completely down for an hour or so, that few of your customers would even notice, that makes the problem even that much more tractable.

PS: "Cloud-based" IS "Internet-based". Please don't treat "the cloud" as if it were different. "The cloud" only has relevance in sales meetings - it's otherwise just Internet-based computing! See what Larry Ellison has to say about this! [cnet.com]

Re:Pointless hype

[drinkypoo]

Could you give me an example of an "Internet-based DNS" that isn't also "cloud-based"?

DNS servers are just DNS servers. There's a pool of them that handle requests to a given server. If google Public DNS is implemented like other Google services, your queries will be handled by whichever google node is nearby, idle, and knows the address you're requesting. This seems robust than the way even the existing root servers are implemented. Google has more sites than almost anyone else non-government (there are a few notable exceptions, but none of them have an architecture like google's) and is continually opening more.

Re:Pointless hype

[mcrbids]

DNS servers are just DNS servers. There's a pool of them that handle requests to a given server. If google Public DNS is implemented like other Google services, your queries will be handled by whichever google node is nearby, idle, and knows the address you're requesting.

And... how is this different than your "local" DNS server? how do you know that Google's DNS is "nearby, idle, and knows the address"?

This seems robust than the way even the existing root servers are implemented. Google has more sites than almost anyone else non-government (there are a few notable exceptions, but none of them have an architecture like google's) and is continually opening more.

Perchance, because this is pretty much how existing root servers are implemented? There was a slashdork article a while back about the challenges of running a root DNS server. Let me assure you, redundancy is paramount - they've NEVER all been down. Ever.

Again, I defy you to please clarify what you mean by "cloud" computing to be any different than "Internet" computing? Because there is no difference. The Internet IS the cloud. Drawing a distinction between the two is like drawing a distinction between your pants and your britches.

And, once again, DNS is a redundant, multi-point, caching, distributed-architecture protocol, and has been for some 20 years.

Do you not know what this means?

"Cloud based" is a marketing term that describes what hosted application providers have been doing in various forms for some 20 years.

Re:

[omnichad]

I agree, but I switched anyway, just because Level3's aren't explicitly public. They plan to start locking down their DNS. I'd rather set it and forget it now. I can live with 20ms extra delay. It's still faster than my ISP.

Re:

[TooMuchToDo]

We had a bunch of customers call and complain that Level3's DNS servers weren't working when they used them for their dedicated servers, so I'm fairly certain Level3 has already started sticking IP restrictions into their DNS configuration files.

Re:Pointless hype

[jhoegl]

I got money on the fact that this DNS server will be a part of their Android and Chrome OS services. You know, a default setting.

Re:

[Idiomatick]

That is actually an interesting point. Before I didn't think the DNS could be used for evil based on the idea that only informed nerds would ever use it. But, if it were used in android/chrome it COULD be used for evil more easily. Doesn't really make Google guilty just because something could be misused but still, something to watch for.

Also, parent topic is not offtopic.

Re:

[interval1066]

Hey, that's fucking hilarious.

To continue, and briefly, a friend of mine worked for a company who had a network spur that was little used, and served by these two OpenBSD machines, and these machines sat for a few years almost forgotten when one day their whole network started acting funny, a few name queries would end up in strange and obviously incorrect domains. A days of poking around led me to these two machines. Seems whomever set them up wanted them as a back door into this intranet, so they let one

Re:

[thisnamestoolong]

I don't trust my ISP -- I use them because I have no other option where I live.

Re:

[thisnamestoolong]

How are we going to organize a boycott? How many nerds do you think really care enough about these issues? Do you really think Comcast is going to see 14 nerds out in front of their building and go OH NOES WE NEED TO CHANGE OUR WAYS? My options are Comcast or dial-up. As I need (not want, need) high speed Internet access to fulfill my work responsibilities, my options are Comcast, or move.

Re:Pointless hype

[Krneki]

I use OpenDNS because in my country they dared to censor the Internet twice using DNS.
Once it was for bwin.com and another time it was a leaked political document (both for 1 week). No, I don't bet, but I do not tolerate this political bulling.

Google DNS could be useful if they don't implement any censorship, considering how much hate P2P sites gets from corporations we will see if they manage to stay neutral.

Re:Pointless hype

[suso]

Then you are a fool. This is exactly what I mean by trusting your ISP. I sympathize with you and your situation (and I understand that it happens), but all your country has to do is implement some system that will change the UDP packets coming from Google DNS to change the answers, thus accomplishing the same censorship. The more people who use Google DNS, the more likely a country or ISP is to do this.

Re:

[Idiomatick]

The goal is to stay a step ahead of government. It might take them 5~10years to figure that one out.

Re:

[Bigjeff5]

Do you realise how difficult that would be? Color me stupid, but how many countries have a single ISP with that kind of control over what goes in and out of the country?

I honestly don't think most countries could pull it off. Look at China - they DO have 100% governmental control over their ISPs and they can't manage it, the have to threaten companies like Google to make this stuff happen.

And do you realise the hardware it would take to start sniffing the packets of the largest search provider in the worl

Re:

[suso]

I'm sorry but your comment is not insightful, its ignorant of reality. There are many countries that control the ISPs in their country. Not every place is a democracy. And not all democracies are as free as things are here. Internet access is slower in many other countries and people there probably wouldn't notice if their access was a bit slower because of some kind of DNS filter.

Remember, there are over 200 countries and not all of them have as fast of access as the handful that do.

Re:

[TheRaven64]

Spoofing DNS is trivial. It's connectionless, and you don't even need to block the reply, you just need to respond faster than the other party and the client will, in most cases, ignore the second reply. Any last-mile provider can do it with very little infrastructure investment (it's a trivial routing rule to redirect any UDP packets on the DNS ports to a government server, it doesn't need deep packet inspection). If a government asks them to then it's much cheaper to comply than to fight it.

Re:

[Krneki]

Then you are a fool. This is exactly what I mean by trusting your ISP. I sympathize with you and your situation (and I understand that it happens), but all your country has to do is implement some system that will change the UDP packets coming from Google DNS to change the answers, thus accomplishing the same censorship. The more people who use Google DNS, the more likely a country or ISP is to do this.

If and when this happens, I'll Google for a solution. I didn't implement OpenDNS before I was hit by the censure.

Like they say: trick me once, shame on you, trick me twice, shame on me.

Re:

[suso]

Did you realize what you just said? You'll Google for a solution. Was that a joke, because honestly that's starting to be scary. Obviously Google has way too much power on the Internet.

This is starting to sound like that sports drink that is used for everything in the movie Idiocracy [imdb.com].

Re:

[drinkypoo]

Then you are a fool. [...] all your country has to do is implement some system that will change the UDP packets coming from Google DNS to change the answers

I love to be the one to break this to you, but using packet inspection it's just as easy (perhaps easier) to just mangle every DNS response, not just the ones from Google, or insert_server_here. Not using your ISP's name servers (if they even have them, which many don't any more — you hit their provider's nameservers directly) will however successfully protect you from an attack against your ISP's name servers. If you think google's name servers will be compromised, that's a valid concern, but it seem

Re:Pointless hype

[Sleepy]

>Then you are a fool. This is exactly what I mean by trusting your ISP. I sympathize with you and your situation (and I understand that it happens), but all your country has to do is implement some system that will change the UDP packets coming from Google DNS to change the answers, thus accomplishing the same censorship. The more people who use Google DNS, the more likely a country or ISP is to do this.

A non-sequitur. More people using Google DNS or any other DNS resolver does NOT make it more likely that a country or corporation can impose censorship.

In your previous statement you even hint that you know this - you suggest that a country could "change the UDP packets coming from Google DNS to change the answers", but why would a country target JUST GOOGLE DNS for censorship?

If you took 30 seconds to Google the world's best known DNS censorship project (http://www.google.com/search?q=great+firewall+of+china) you would know that China does not target *specific* DNS resolvers (such as you suggest might be done with "Google DNS"). No, China hijacks ALL port 53 traffic which should be obvious then that the DNS provider is 100% irrelevant.

In fact, a third party DNS provider is MORE likely to offer DNS resolver service on a non-standard DNS port, thus becoming an ANTI-censorship tool that China can not defeat (not without blocking or filtering ALL ports which kills their Internet entirely).

You should be careful about calling someone else a "fool", when speaking of topics on which you have your facts wrong.

Re:

[suso]

I did say I sympathize with him. My wife is from Uzbekistan and I have some friends from other countries and who visit other countries, I know its hard. I'm not calling him specifically a fool, but I'm using strong wording because I'm hoping that people will read my warning so that they will understand that Google DNS is not a solution for security and privacy.

Re:

[sexconker]

He's a fool because, faced with internet censorship in his country, he decides OpenDNS will protect him.

Re:

[horza]

He's not a fool because, faced with internet censorship in his country, he decides to use OpenDNS that works for him now. At least he is doing something. When it fails, then he can turn his ingenuity to finding the latest innovation for privacy protection that does work. sexconker does not appear to appreciate the cat-and-mouse game that those that live in oppressive regimes have to play.

Phillip.

Re:

[Krneki]

Yap, still he has gave me an insightful comment.

If I'll be faced with a new type of censorship I'll know what to look for. Shame he didn't gave us a solution to this problem. Apart from the classic do a SSH / VPN tunnel.

Re:

[Jasonv]

I use OpenDNS because in my country they dared to censor the Internet twice using DNS.

Google DNS could be useful if they don't implement any censorship, considering how much hate P2P sites gets from corporations we will see if they manage to stay neutral.

As a non-American, I may trust Google's ethics, but unfortunately, I don't trusts America's. I don't want my personal data subject to American DMCA, wiretapping, or other laws any more than I have to. Fortunately my country hasn't gone that route... yet. I'll stick to my ISPs DNS and my local privacy laws.

Re:Pointless hype

[Akido37]

Just ask yourself one question, if you don't trust your internet provider enough to do DNS correctly, should you trust them at all?

Personally, I'm sick of DNS lookups resulting in a page of ads.

Re:

[bsDaemon]

and one of the world's largest advertising companies, masquerading as a technology company (though only as a vehicle for their advertising) isn't EVER going to start throwing up link farms or ads in response to NX queries? You, sir, have more faith than the pope.

Re:

[Bigjeff5]

one of the world's largest advertising companies, masquerading as a technology company

You realize that one does not exclude the other, right? In fact, they build on each other. The reason Google is such a successful advertising company is BECAUSE it is such a great technology company. Furthermore, as the advertising aspect of their company brings in money, they can funnel that back into the technology they make, which can then increase their advertising revenues.

Google makes the best internet search product on the planet. Period. Nobody, even a software giant like Microsoft or an search

Re:

[VGPowerlord]

I hate to say it, but this is an inverse ad hominem [wikipedia.org].

I suggest that Google will eventually redirect NX queries, because it follows their pattern of adding advertising to their previously ad-free products. I submit Google Maps and Google Earth as examples.

Re:

[bsDaemon]

Maybe I should turn in my geek card, but I'm just not really interested in most of the new stuff coming out of Google. I'm happy with my Blackberry on Verizon (they don't really lock down the BB devices, so I don't need Google Voice, or Android). I run my own mail servers, so I don't need to use Google Mail anymore.

I've taken a poke at Chrome, but I really wasn't that impressed with it. I don't have any interest at all in ChromeOS, either.

Most of my criticisms against Google could be levied at any other

Re:

[bendodge]

they don't really lock down the BB devices, so I don't need Google Voice, or Android

Really? Can the Curve use its GPS chip yet? Last time I tried Google Maps I was forced to use tower triangulation and it was worthless. VZW wanted me to buy their overpriced navigation software to use the GPS chip for anything but e911. And, last I checked, other carriers let me use the GPS chip normally.

Note: this post is not designed to defend Google, just to bash Verizon.

Re:

[sydneyfong]

If they started doing that, what's to stop you from changing your DNS provider to whatever you were using before?

What if slashdot becomes goatse? OMG block it quick!

Re:

[nacturation]

I thought the GP was referring to whois lookups returning a page of ads. A DNS lookup doesn't return a page of ads, it returns an IP address.

Re:

[dzfoo]

No, he actually meant a DNS server that, when asked about a non-existant domain, instead of returning an error, returns an IP address to a host running a web server hosting ads.

        -dZ.

Re:

[jimicus]

I thought the GP was referring to whois lookups returning a page of ads. A DNS lookup doesn't return a page of ads, it returns an IP address.

And a whois lookup sure doesn't return a page either, unless you're using a web-based search.

However, there are dozens of examples of DNS services providing an IP address where they should instead provide an error - and that IP address is a website which is there for the express purpose of advertising.

Re:

[dzfoo]

>> They aren't now. Their policy says they won't,

Read it again. It says that the will not mine the log files of their DNS service and correlate that with their other data. That's all it says they won't do. It says nothing about sampling traffic en route, or grabbing it outright with an intermediate proxy, or any of a hundred other ways they could access this (pressumably valuable) information.

          -dZ.

Re:

[i.r.id10t]

How about if I *know* my ISP sends out a search domain page instead of a NXDOMAIN response?

Re:

[Monkeedude1212]

Just ask yourself one question, if you don't trust your internet provider enough to do DNS correctly, should you trust them at all?

If the option were to trust my ISP or to go without Internet, I suppose I would have to "Trust" my ISP.

If the option were to Trust Google or Trust my ISP, I'd probably "Trust" Google.

Aside from the one time I saw a Google car doing streetview - Google has stayed out of my physical realm. And they can harness all the data they want from me, I don't really care. My ISP on the other hand, knows my home address with postal code, and continuously mails me information on how much of my money I owe them each month

Re:Pointless hype

[camcorder]

You don't need to trust your ISP, they are legally binded to protect your privacy on most of the countries. Since you have a contract that means that's a card in your hand which you can use in case of violation. However with Google, you have nothing. All the contracts you have with google is the legal aggreements to use their services in return of losing your privacy at all.

To summarize, your option to trust google is just useless since it doesn't matter if you trust them or not.

Re:

[Monkeedude1212]

It's also illegal to commit murder, sell sex slaves, and to pillage and rape and all that jazz. That doesn't mean it doesn't happen.

Being Legally binded to something means nothing if there is no one there to Enforce it, and even if there IS someone assigned to enforce it, I have no guarantee that they will do their job, or do it properly, or won't be corrupted by those in power.

My Privacy is essentially limited to what I put on the internet - if I never put my SSN, Credit card info, or DOB on the internet,

Re:

[Dog-Cow]

You mean "if no one puts up...". It's rather naive to think that this information is not available just because YOU never posted it.

Re:

[jimicus]

You don't need to trust your ISP, they are legally binded to protect your privacy on most of the countries. Since you have a contract that means that's a card in your hand which you can use in case of violation.

Indeed I can. I can:

• Complain to the regulator (who will spend 6 months sitting on their arse before coming back with an answer to a totally different problem)
• Take them to court - though if I win they'll likely ignore the verdict and appeal it until such time as I lose or I run out of time/money. That is assuming by sheer blind luck the judge I get is reasonably tech-savvy to begin with.
• Take my business elsewhere. Though seeing as there is one cable ISP in my country and one ISP supplying wholesale ADSL t

Re:

[omnichad]

Nobody's shutting down the root servers. Google still queries them and domain nameservers. This replaces your ISP's DNS. And no, I don't trust them either.

Re:

[QuantumRiff]

Just ask yourself one question, if you don't trust your internet provider enough to do DNS correctly, should you trust them at all?

I trust my ISP very much. However, I don't trust all the local Coffee shops, small businesses, hotels, airpots, etc to be secure, and not route me through proxies and man in the middle attacks.

This is a great thing for the mobile traveler.

Re:

[TheLink]

> and not route me through proxies and man in the middle attacks.

How would using Google's DNS help?

If your problem is man in the middle attacks, you'd have to use a VPN to a trusted network before you can trust DNS and other insecure protocols.

See also:

http://code.google.com/speed/public-dns/faq.html#dnssec [google.com]

Does Google Public DNS support the DNSSEC protocol?
At this time, Google Public DNS does not validate DNSSEC responses. We will continue to work on improving Google Public DNS.

Re:

[TheRaven64]

The problem is not that you have to trust Google or trust the connection provider, it's that you have to trust the connection provider or trust Google and the connection provider. If you connect from a hotspot then anyone on the local network segment can pretty trivially spoof DNS responses unless you are using DNSSEC, and if you (and the infrastructure) are using DNSSEC then the ISP can't tamper with the responses anyway so you don't need to trust them.

Re:

[shentino]

Well if the ISP can't tamper with it then they may as well block outbound DNS and FORCE you to use their own servers.

I found out because I had installed BIND and was using that...and it did not work.

Re:

[ls -la]

I won't be switching DNS servers until/unless I notice a problem with my ISP's, but if I do need to switch, or even just test my internet configuration, I'll probably use Google's servers because they have addresses I can memorize: 8.8.8.8 and 8.8.4.4.

Re:

[natehoy]

There's also 4.2.2.2, 4.2.2.3, and 4.2.2.4, all owned by Level3 Communications.

You can't get much more authoritative than that, though they aren't the fastest DNS servers by far.

Re:

[amicusNYCL]

The Level3 servers are actually at 4.2.2.1 through 4.2.2.6, not just those three.

Re:

[natehoy]

Sorry, good point. I forgot about 1 and 6.

Most ISP's DNS servers are broken.

[KingSkippus]

Just ask yourself one question, if you don't trust your internet provider enough to do DNS correctly, should you trust them at all?

My ISP's nameservers are broken. Whenever I try to resolve a name that doesn't exist, instead of the DNS server telling me it doesn't exist, it returns the address of one of my ISP's web servers, which presents me with an ad-laden search page for whatever name I typed in. This is clearly not what the DNS spec says it is supposed to do.

While this might not sound like such a big deal, for developers it's a pain in the butt. For one thing, if I want to test to see if, for example, a name I have registered has propagated, I can't just do an nslookup to see if I get a response; I have to actually verify that the address that is returned (since all lookups will resolve to something) is the actual correct address instead of my ISP's web server. Also, on the client side, when my applications communicate via the web, they have to not only verify that an address resolved, but actually verify with the back-end application that it is what it's supposed to be instead of an ISP's search page. Just since I changed my DNS servers last week, I've already saved at least a minute or two I shouldn't have had to spend in the first place.

Plus, even if all of that still doesn't convince you that Google is actually doing something helpful, there's the simple fact that my ISP's servers actually had on average an hour or so down time every couple of months. It wasn't scheduled or anything (that I know of, anyway), I would just all of a sudden not be able to resolve any addresses. If I called technical support, the goobs there would insist on me plugging my computer directly into their modem, and when it still wouldn't work, they'd schedule a time a few days out for a technician to come out to my house. They simply wouldn't acknowledge that the problem was on their end, not mine, and they didn't understand simple concepts like nslookups, tracerts, etc. I'd invariably just give up, tell them not to send anyone, and wait without Internet access for their network people to figure it out after a lot more people called in.

I started using OpenDNS a long time ago because of all of the problems with my ISP's DNS servers, even though they also redirect queries that aren't found to their search page. If I wanted other features OpenDNS offers like parental controls and such, I'd probably stay with them. As it is, though, consider me another happy consumer of another helpful Google service. As the informal tech support guy for most of my family and friends, I'll be switching as many of them over as I can too, so I can avoid just a few more "Hey, I can't get to the Internet" calls.

Re:Most ISP's DNS servers are broken.

[Shawndeisi]

If you're using a *nix box somewhere on your devel network, "dig +trace host.domain.tld" is a beautiful thing as you'll avoid the cache (and therefore any potentially broken caching nameserver behavior) as all the nameservers you hit will be authoritative. You can see if it truly has propagated, which you can't do with a simple nslookup due to negative caching if your first lookup wasn't successful. Right now you could have a negative record cached for the TTL in the SOA and would have to wait until it expires before you see the live record, while it was already live for everyone else. You'll also be able to devel your app faster because you won't hit the caching server until it's live. There may be an equivalent flag on nslookup but I haven't found it after a few minutes of poking around.

Re:

[David Jao]

Its funny how the Google hype is driving so much talk about something like DNS, a service which probably 95% of non-tech people don't know exists. Most people wouldn't care about DNS normally, but since its Google it must be something to get excited about.

I'm not normally a fan of Google, but if they spark some sort of increased public awareness on the issue of DNS, that can only be a good thing. DNS receives far too little public attention relative to its importance.

I doubt really that any significant number of people will switch to using 8.8.8.8, but I worry that if they do, one of the the original goals for DNS will be lost. That its distributed.

DNS stopped being distributed when people started abusing domain name registration. The resulting collapse of DNS into, effectively, a single level hierarchy meant that the original design goals (including the goal of distributed lookups) were already unachievable long ago. This is not really

Re:Pointless hype

[mzs]

Google is using anycast for their DNS servers. There are not just two machines at 8.8.8.8 and 8.8.4.4 as the sole DNS servers. You get a relatively close-by server. This is a tried and true technique for DNS. In fact there is a technical feature about the google approach that is neat. It is likely that google is using many of the same servers it is for search for the DNS servers as well. They are running the caching DNS at each facility, such that if one server at the facility gets a record, then any other DNS server at that facility uses that response. That is one cool way to limit the delays for someone else making a DNS request. I've not seen that mentioned much before, and that is neat. I wish slashdot comments about stories that are trying to be technical would have technical comments on them near the beginning, instead of rehashing of all this privacy stuff, for a third or fourth story.

Another approach that was mentioned a lot before is that after the DNS server provides a response, the server checks to see if time is running-out regarding the TTL. If it is and has not expired yet, it asks again and pretends that the TTL counter has begun again. This again is trying to limit a DNS delay for some poor schmuck.

Another technical detail I have not seen mentioned much is that google DNS servers are returning largely authoritive answers only, often in cases where other DNS servers do not. For example, look-up a private IPv4 such as 192.168.1.1 with google's servers and some others. Others typically return non-authoritive responses, say to RFC1918.private.net. There is a lot of subtly misconfigured software-out there, hopefully this will bring it to the fore front about dealing with non-authoritive answers more carefully.

As to regarding the performance of google DNS, from a few locations for me, seems very fast. Is faster (much) than AT&T, bit slower than comcast, bit slower than work, comparison with OpenDNS is in the noise. What is more important is that they treat all records correctly, so for example kx509 _kca._udp.REALM style SRV records are handled unlike the DNS servers from some ISPs which seem to think that DNS is only for A records.

Another interesting feature is that google DNS is playing tricks with case in DNS queries and replies as yet another stop-gap-measure against DNS cache poisoning attacks. That's clever, I believe it was proposed before, but bind folks presented some issues and left it at that.

Re:

[Bengie]

My ISP hijacks invalid DNS requests and forwards to their own version of yahoo search.

Since Chrome/etc let you type anything you want in your address bar and will just "google" search any invalid entries, this get's broken when the DNS returns "valid".

Re:

[Grayputer]

Ahhh, as far as I know, DNS is still distributed under this model. Google is not hosting DNS, they are providing a look-up server for DNS, just like your current ISP does (usually set when you get your IP address via DHCP). The root servers still exist, I'm still serving my domain's DNS, HP is still serving their DNS, ...

Google is providing an alternative to the ISP's servers for look-up, not hosting.

Google is average

[jhoegl]

This just in, Google is average at something they did. Google's parents are very upset and will not be posting this on their refrigerator. In other news, detractors of Google throw party.

My Testing Results

[Anonymous Coward]

Resolve www.yahoo.com

local.isp 12msec
4.2.2.2 30msec
208.67.222.222 55msec
8.8.8.8 57msec

Re:

[omnichad]

www.yahoo.com is a TERRIBLE test. It's likely to be in your ISP's local cache. On the other hand, 57ms is terrible for Google on the same task.

Re:

[omnichad]

It is, and that's what makes it look terrible for Google. But uncached results are an important test, too. Or less-likely to be cached. If Google has near-everything on the Internet cached, and the local ISP doesn't, Google might start winning battles.

It will be interesting to see

[bugs2squash]

if it makes satellite web browsing better. Setting a web proxy is a great way to cut down DNS chatter on a satellite link, perhaps Google have come up with something that is almost as good.

One time comcasts DNS servers were down...

[gblackwo]

Around 5 years ago, the internet was down for comcast subscribers in northern Indiana and a good chunk of the midwest- I figured out it was just their DNS servers that were down and quickly switched over to AT&T's. That evening I saw the fastest internet I've ever seen. It was glorious.

Re:

[Monkeedude1212]

Telus (Canadian Telco) DNS Servers go down for about 12 hours every other month or so. It's handy to have this kind of info online. I also have the Shaw (Canadian Cable Company) DNS servers written down, just in case.

Re:

[omnichad]

And bittorrent/P2P don't usually use DNS. Draw your own conclusions.

Re:

[bcmm]

Most people won't be able to find .torrent files without DNS.

Re:

[omnichad]

But if they already have a large download going, it would continue uninterrupted, and still find new peers.

Re:

[chill]

Yes, but just to clarify, your speed-up wasn't because AT&T's faster DNS. It was because all those other Comcast wankers were still offline and calling tech support. For a few glorious moments, the Comcast tubes were unclogged.

Re:

[gblackwo]

I use 4.2.2.1 and 4.2.2.2 a lot- it really does make comcast speedy.

My own more detailed analysis

[bramp]

I ran my own set of experiments benchmarking both Google DNS and OpenDNS as well as two UK ISPs. I showed more detailed results, and infer some information about how these systems are run. http://bramp.net/blog/google-dns-benchmarked [bramp.net]

Google one of the slower options for me...

[Scootin159]

Was considering a switch (for our locally cached DNS servers parent servers), but glad I ran a benchmark first:

Cached relative performance:

• Local (backed by ISP)
• ISP (unfiltered results)
• Level 3
• Google

Uncached relative performance:

• Level 3
• ISP
• Local (backed by ISP)
• Google

In all cases, Google's one of our slower options. If anything, it appears I'd be best off using local DNS backed by level 3 for non-cached results.

Surprising benchmarks

[gmuslera]

Essentially it showed that the ones from verizon (the one that provides him connection) are the fastest ones (not only the fios one, but the 151.202/3 ones too are from verizon), there are a few others faster than Googles (including 4.2.2.*), and then the rest of DNS tested were slower. Much of the speed that matters of a well installed DNS is how "close" is from you (as in i.e. ping time), and your upstream provider have usually the closest one.
Could be a speed improvement in the few, rare times when you a

Re:

[gmuslera]

The point is that "very good infrastructure" is not a factor. A simple caching DNS on any of the sides of your internet connection is faster than getting to Google servers, and in the normal use will be faster almost all the time. If that DNS is used by enough people hitting a domain not in the cache should not be very common.

No thanks.

[jim_v2000]

I'll stick with my ISP's DNS. One thing I've noticed about using third party DNS services like OpenDNS is that location aware sites that serve up content from different servers depending where you are (like YouTube) don't work well.

Re:

[bheer]

One thing I've noticed about using third party DNS services like OpenDNS is that location aware sites that serve up content from different servers depending where you are (like YouTube) don't work well.

OpenDNS is distributed too; for many users they're in the same geographic vicinity, so this really should not happen. Further, most servers that serve up geotargeted content (like Youtube) use geo-ip mapping to target their response to the client IP, not the server IP that was hit.

Do you have any specific exa

Multiple, parallel, DNS server settings?

[NevarMore]

I suspect this has been asked before. Is there some way to set up multiple DNS servers and simply query them in parallel?

That way whichever one is fastest gets me the address sooner. It is a little bit rude, but since it would seem that most DNS providers have the opportunity to be shady and feed landing pages or collect usage data, they'd be just as happy to have me make a request and discard the answer.

I'm starting to wear tin foil hats

[GodfatherofSoul]

This is my completely unfounded conspiracy theory, but I'm starting to see Google as a pretty clever rouse to capture user data, perhaps for our government? They provide great services, but they've got their hooks well sunk into much of our digital lives.

Win win situation

[horza]

Google offering free DNS makes sense for everybody:
a) it is a low cost / low bandwidth service Google can integrate into its infrastructure for negligible cost, and the public get free reliable DNS
b) ISPs are 'stealing' search traffic by hijacking millions of misspelled domains, Google can try and eliminate this fraud which will more than cover the costs of (a)
c) why do people need to invent a (c)?

At the end of the day, Google's money-spinner is ads on search results. The free DNS is a move to protect this. As people write above, a bonus side-effect is that makes life easier for developers of sites and browsers when ISPs don't corrupt the RFCs.

Phillip.

Re:

[sakdoctor]

For DNS I trust Google > North Korean state owned ISP > Virgin Media

Re:

[iammani]

What? They throttle DNS requests? I am not sure how effective it will be, since DNS requests are cached and you dont have to ask the DNS server when you revisit the website.

If you see improvement by switching to google DNS servers, it is very likely that RCN has a really slow server (or has an inefficient caching algo) handling DNS request or that the latency to reach RCN DNS servers are higher than google's.

This is incompetence, not malice.