Google Proposes DNS Extension
ElusiveJoe writes "Google, along with a group of DNS and content providers, hopes to alter the DNS protocol. Currently, a DNS request can be sent to a recursive DNS server, which would send out requests to other DNS servers from its own IP address, thus acting somewhat similar to a proxy server. The proposed modification would allow authoritative nameservers to expose your IP address (instead of an address of your ISP's DNS server, for example) in order to 'load balance traffic and send users to a nearby server.' Or it would allow any interested party to look at your DNS requests. Or it would send a user from Iran or Libya to a 'domain name doesn't exist' server."
Not as evil as suggested (Score:5, Informative)
Re: (Score:2)
Doesn't that theoretically nail you down to somewhere within 252-ish machines? (Assuming IPv4.)
The first 3 octets seem like they could be enough to personally identify you based on your DNS Search records.
252 Machines? Not really... (Score:2)
Re: (Score:2)
I was under the impression my ISP was giving me a public IP address - and that's what I was paying for. I am of course behind my own NAT table on my personal router.
Re: (Score:2)
Well, if you're like my house it is closer to 1 in 765. NATs are wonderful for that. As they can determine the IP but not which one of the four users across 9 computers with Internet access.
Re: (Score:3, Interesting)
No, but given that only an additional 255 (or is it 254?) users besides you can be coming from that range, it's not like over time someone can't correlate this to you.
I'm not convinced this doesn't have privacy implications, or that
Re:Not as evil as suggested (Score:4, Insightful)
Web sites already know where you're coming from. They have your IP address. Every single one of them, unless you're using a proxy. The problem is they can't easily redirect you to the server closest to you once you've already resolved their address. The only ones in the whole system who do not know your IP when you're browsing the web are potentially the authoritative DNS servers; the usual case is that the same people who run the authoritative DNS server also run the web server, so while they don't get your IP when you do the DNS lookup, they will when you eventually land on the site.
Re: (Score:2)
The problem is they can't easily redirect you to the server closest to you once you've already resolved their address.
What's wrong with an http redirect? They seem to work just dandy for akamai.
Re: (Score:2)
No, but given that only an additional 255 (or is it 254?) users besides you can be coming from that range, it's not like over time someone can't correlate this to you.
Could be 256.
Re: (Score:2)
Somehow all these people are super concerned with THIS idea, but have no qualms about everything they do online being logged in weblogs. But then, it's Google (or Microsoft, or Apple), so we have to bash them; they're too successful to be allowed to have good, non-evil ideas!
Re: (Score:2)
Combining this with the information from the already quite pervasive tracking google does, I can't imagine that identifying your one-of-256-addresses is anything other than trivial.
Re: (Score:2)
Re: (Score:3, Interesting)
The first three octets limit you to a maximum of 256 machines. In practice, most addresses are assigned in /24s, so you end up with two of these used for the router and broadcast addresses. Most broadband ISPs don't recycle addresses often, so you end up with the same IP for weeks, if not months, at a time. Of the other 200 people on your /24, how many are online at the same time as you? Maybe 10-20? Of these, how many have sufficiently similar surfing patterns that, when you combine the DNS results wi
Re: (Score:2)
Of course, since this is only to give them enough information so you can access a Google server nearby as opposed to one somewhere else, they'll have your FULL IP ADDRESS about 1/100 of a second later.
Google doesn't need this to track you. In fact, this information is less useful than what they already have. This is about Google (and anyone else who has distributed datacenters) being able to make better decisions about which datacenter to send you to. This saves them bandwidth charges, which adds up to B
Re: (Score:2)
Even the first 2 octets can be enough to reliably identify you with some digging. What do you think 3 is gonna do?
Re: (Score:2, Informative)
I guess there could be some way to track what sites you're looking up from different tiers of DNS servers. If you were using google DNS, they'd have your entire DNS anyways, and if you were using another, then they'd only get your IP if you're connecting to google.com
Re: (Score:2, Insightful)
I'm not worried about the "evil" aspect of it. This just doesn't sound like what DNS should be used for.
Re: (Score:2)
Thank you! Came in here to say this. Did the submitter even read the article?
And for those interested:
Our proposed DNS protocol extension lets recursive DNS resolvers include part of your IP address in the request sent to authoritative nameservers. Only the first three octets, or top 24 bits, are sent, providing enough information to the authoritative nameserver to determine your network location, without affecting your privacy.
Re: (Score:2)
To quote Paul Vixie, inventor of DNS: (Score:4, Interesting)
To: DNSEXT (DNS Extension Working Group, Internet Engineering Task Force)
From: Paul Vixie
Date: Thu, 28 Jan 2010
"I don't think that's a general enough solution to be worth standardizing.
please investigate the larger context of client identity, beyond the needs
of CDN's."
I also agree with his later statement in the same thread:
"it may be too dangerous in any form but that's a separate issue."
-- Terry
Sure it could expose me. (Score:3)
Now while this could theoretically be used to censor regions of users, it could not be used to expose you (since it isn't the complete IP address)
Sure it could expose me. I have my own Class-Cs - two of 'em. When I'm on one the first three octets point straight to me.
When I'm running from my DSL I have an eight-IP address block (broadcast / broken-broadcast / modem / five usable), so the first three octets point to a group of 32 of which I'm one. For DSL users with one usable address it points to a group of 64 users.
owning an IP address (Score:3, Funny)
doesn't impress the babes anymore
now you have to own your own Class-C before a woman even gives you a second glance
and even then, they'll still flock to those assholes strutting around with those Class-Bs
Bad summary (Score:3, Informative)
The proposal says they would only use the first three octets. And users could just use a different DNS server if they had restrictive servers that blacklisted Iran or whatever.
Re: (Score:2)
How is this stupid? The DNS system already does this load balancing.
The DNS server you use today already sends ITS first three octets to the authoritative DNS server so the authoritative DNS server can make these load balancing decisions. In my case, with Comcast, this is less than optimal because my DNS server is located several states from me.
The only change Google is proposing is to make that location awareness a little more accurate by sending YOUR first three octets, so the authoritative server can
Wow, Slashdot editors hate Google (Score:5, Insightful)
The summary isn't even close to correct. What the hell is going on with Slashdot these days?
Re: (Score:3, Funny)
It's ok, they hate Micro$oft more (yes, that's a dollar sign in there :D)
Re: (Score:2)
Does accuracy matter? They got you to surf and comment, didn't they?
Re:Wow, Slashdot editors hate Google (Score:5, Informative)
These days?
Re: (Score:2)
The summary isn't even close to correct. What the hell is going on with Slashdot these days?
Hormonal adolescence. To the new youth Google is the old guard. You mark my words, before long we'll be having deep and meaningful conversations about anarchy and the meaning of existence.
Re: (Score:2)
How's that evil? (Score:5, Insightful)
What a load of crap. There is no way to exploit that. If someone wants to block certain IP ranges, it is much more efficient to do so at the HTTP (or whatever the protocol in use is) level, rather than in DNS.
Even if this gets introduced, every DNS server will continue supporting the old (without 'IP forwarding') way of doing things, so it's easy enough to pick a DNS server which doesn't forward your IP. Everything will work just as it does now (you won't have the potential speed advantage you might get with the new system though).
Whoever wrote TFS doesn't know the first thing about how networks work. Looking at what just happened in China, do you think that Google of all companies really wants to endanger your privacy?
The reason why Google offers public DNS servers and why they came up with this is because they want to make the internet faster for everyone. And they're doing it in an open, backwards-compatible way.
This is a good idea and should be implemented.
Re: (Score:2)
> The reason why Google offers public DNS servers and why they came up with this is because they want to make the internet faster for everyone.
BAHHAHAHAHAHAHAAAHAA...Yes, Google only wants rainbows and ponies for ALL the good children!
My good AC, I actually think you aren't a Google astroturf, but how naive can this be? Google is a public corporation whose fiduciary duty is to make money for their shareholders, not make the intertubes flow more smoothly, unless that causes Google to make more money.
Googl
This is important! (Score:5, Insightful)
This is extraordinarily important for efficient operation of the internet. If people want to block you, they can, DNS or no DNS. However, for global load balancing, this is vital. You want to connect to a server near you, not near your DNS server.
This will not stop the proper function of proxies.
Re: (Score:2)
So imagine we have servers in 2 different datacenters. Then an accident closes one of the datacenters. How would the current DNS system allow us to redirect all traffic to our other datacenter?
Re: (Score:2, Informative)
If you're attempting to contact the domain, the DNS server will have your domain anyway. The privacy stuff here is specious.
You're thinking that this is about load balancing the DNS requests. That isn't the case, RTFA, etc. This is about what HaeMaker said: getting the user to the server closest to them, instead of to a completely arbitrary server halfway around the globe!
How are you proposing to do loadbalancing when:
0) If you haven't noticed, large sites DO have a sit-ton of traffic coming to and from them.
1
Re: (Score:2)
No, unfortunately, I actually know what I'm talking about while you're being irrational and insulting.
The analogy was an attempt to get you to understand the loadbalancing problem, which I'd really like for you to understand.
Re: (Score:2)
when large volumes of bits are involved, like most responses from cdn servers, then YES, "This is important!"... but for the dns request packets to also be pooled and routed in this fashion is unnecessary and as the submitter points out opens up massive privacy holes currently plugged.
What "privacy" issues? Your DNS already knows your IP - You just sent data to it on the IP layers. If it wants to send you a NXDOMAIN based on your subnet, it already can.
Google, you are wrong here. (Score:4, Informative)
The Internet already works without the need to propagate this information. Following the OS concept of "Less power", the less information about you that is propagated, the fewer problems.
"By returning different addresses to requests coming from different places, DNS can be used to load balance traffic and send users to a nearby server. For example, if you look up www.google.com from a computer in New York, it may resolve to an IP address pointing to a server in New York City. If you look up www.google.com from the Netherlands, the result could be an IP address pointing to a server in the Netherlands. Sending you to a nearby server improves speed, latency, and network utilization."
It seems this balancing is already possible without the need to propagate that data. I choose safety/privacy here over a potential speed gain. Also, the risk is for everyone, but the gain is just for a few (the people who have lots of servers and need a balancing solution)... hence, it is unfair. My view of this.
Re: (Score:2)
Re: (Score:2)
AC is right! Mod this up.
The response should include the geographic information and/or a priority which the resolver and/or client can use to determine best record for use.
It's important for people to understand that geographic locality does NOT always mean the shortest/fastest/lowest-latency path. For example, I did a traceroute between me, my brother, and a friend. My brother lives in a neighboring town while my friend lives several states away. The result: my friend is 9 hops away. My brother, who is in the next town, is 1
What about IPv6 (Score:2, Interesting)
It seems IPv6 will be in use soon, so why tinker with DNS requests on IPv4?
Also, does anybody know how geolocating an IP will be done on IPv6 (at least down to country level)?
yah but they are already close (Score:2)
this is what anycast routing was invented for. the root servers use it, why not secondaries?
Needed, not evil... (Score:5, Insightful)
There are already many uses where the IP address of the resolver is used to determine service; basically every CDN, etc., uses this technique.
This extension is needed if you want OpenDNS and the like to Not Suck when fetching Akamai-sourced content, YouTube videos, etc.
And it's not like the owner of the DNS authority won't find out who you are anyway, after all, you then CONTACT THEM DIRECTLY WITH YOUR IP ADDRESS!!
Re: (Score:2)
That's the part that I don't get about what people are moaning about. You're obviously connecting to the host server at the end, it's inherent in the DNS request (unless you're doing a whois or something, but that's not the same is it?).
I think most people are getting jacked up about "could be used for tracking purposes".
Re: (Score:2)
++ Mod parent up. I wish I had mod points.
Re: (Score:2)
Re: (Score:2)
That work around has the nasty side effect of increasing your DNS load by an exponential factor, which isn't good either.
Imagine you're hosting web servers. If you can handle N HTTP queries, you can also handle N DNS requests, unless your DNS servers are completely useless. Even with TTL 0, you'll only get at most the same number of DNS requests as you're getting HTTP queries.
I can't see how this gives Google any more data (Score:4, Insightful)
I can't see how this gives any more information to Google or other users.
Example: If I do a lookup on www.slashdot.org then this query should never hit any DNS server controlled by Google.
The only way a query would end up on a Google-controlled DNS server would be if the domain I looked up were owned by Google, and in that case I don't care, because then I am about to visit the site anyway, which means they will have my entire IP.
it's about CDN geocaching, not a conspiracy (Score:2)
look, you can already use whatever DNS server you want. if you're worried about your traffic being analyzed by someone else's DNS, just use your own (or a privacy-respecting) DNS elsewhere.
DNS is just the obvious way to ensure that clients use the best path to content.
Re: (Score:2)
Isn't the obvious way a combination of anycast + BGP? It works quite well, and is administered by knowledgeable network specialists who also happen to know the exact topology of their backbones. Putting it in DNS instead opens the door to endless misuse by domain owners who believe in geo-specific discrimination. CDNs should work transparently, but allowing end users (a.k.a. domain owners in this particular case) to tinker that
Re: (Score:2)
You can't reliably anycast TCP. The session might switch servers in the middle.
If it ain't broke... (Score:2)
...don't fix it.
Re: (Score:2)
Re: (Score:2)
So you're a fan of sitting on Internet Explorer 7 for the next 10 years? Or Firefox 2.0?
No, those both have plenty of vulnerabilities. They're broken.
The DNS protocol is not broken. In fact, besides the tricks and hacks corporate Earth have tried with it (404 redirection as an example), it's worked pretty damn well for me for the past 20 years.
Ups and Downs (Score:5, Insightful)
I like it. I don't know what the aggregate increase in efficiency across the net would be, but I'm betting if Google is suggesting it, it could be significant. While there are some potential abuses, they're really no different than what can already be done at the router/server level currently.
Marginal Good, Whole lot of Bad (Score:2)
The use of the word 'marginal' needs to be disambiguated too. It means 'not of central importance.'
Intelligence at the ends, not the middle (Score:2)
The reason the internet is so successful is that it has a core that doesn't try to think too much. Get packet, forward packet, etc.
If load balancing is a concern, the client node should determine where the best place to get content from is, NOT some hack which makes DNS less reliable and noisier.
Use digital fountains and give out multiple sources to get streams from, and let the end user's computer figure it out. They are the ones in the best place to determine which is a more reliable stream of packet
Privacy and internet (Score:2)
An
Censoring the Axis of evil (Score:2)
Why limited to these countries? How about Australia? Remember, this is a country that blocked Wikileaks through its state-sanctioned banlist. Politicians there are on board [stuff.co.nz].
Even Linden Labs (makers of Second Life) have set up servers there (only 2-3 countries have their servers outside the US). Critics theorize this has little to do with technical distributed computing reasons but is to be in readiness to self-censor their cont
This is bad (Score:2, Insightful)
Re: (Score:2)
So how do I redirect the user to the server that is closest to them without knowing their ip?
Re: (Score:2)
So how do I redirect the user to the server that is closest to them without knowing their ip?
Firstly, geographical proximity has nothing to do with quality of connectivity. (Some helpful fellow slashdotter pointed that out to me a few days back.) So, redirecting the user to the nearest server doesn't help much. In fact, it could even slow down connectivity because of the computation involved in calculating proximities.
Secondly, the existing system works just fine for location-based DNS redirection.
Google is further away than your ISP (Score:2)
The way things currently work, really makes sense for most people. Your ISP is a single hop away and you want the authorities to talk to it (not you) so that it can cache the result. And it's ok to have that extra traffic between the recursive resolver and you, because it's not a long ride.
But what Google is asking for also makes sense -- if you're using a far-away recursive resolver.
And the very premise of that is stupid. Why the fuck would anyone want to use Google for DNS, instead of something closer
Re: (Score:3, Insightful)
Because their ISP plays stupid games with DNS and setting the DNS numbers on the computer is a tad easier than setting up and running a DNS server.
Countering censorship with more censorship (Score:2)
Or it would send a user from Iran or Libya to a 'domain name doesn't exist' server.
And who would be the victims? The same people whom Google is claiming to be fighting for.
Caching? Hello? (Score:2)
So even if your resolver DNS already has the answer cached, it's supposed to transmit the request again so the authoritative server can see the requesting client's IP network, and possibly return a different answer. Is it supposed to cache that, or not? Is a resolver supposed to use this extension for all queries, or only load-balanced ones? The draft includes no mechanism for specifying whether a particular query should or should not use the extension. I assume then that a resolver patched with this ex
What DNS Is Not (Score:2)
This all sounds totally crazy if you're Paul Vixie and have written a little article titled What DNS Is Not [acm.org] which specifically mentions that it shouldn't be used for this.
How quickly we forget [slashdot.org].
IP Rotation (Score:2)
This will completely destroy IP rotation aka load balancing. I hope they aren't allowed to do it.
So, no caching? (Score:2)
Sounds like a terrible idea to me.
If a caching DNS server serves multiple users in multiple countries, then suddenly it's not caching anymore.
If there are multiple possible IP addresses that I can be directed to, why not just send all of them to me, and let me (my DNS server) decide which one is best?
What if I have more than one IP? Which one should I use?
How often is it, really, that the route to the DNS server isn't the best route anyway? I.e. is the tiny benefit of a slightly better route for a han
How will it work for large international companies? (Score:2)
The company I work for has a Class A IP network and is not based in the US.
I'm physically located in Atlanta, but all of the existing geolocation services which I am aware of that use my exposed IP address seem to want to place me in the center of Europe somewhere.
Will this be smart enough to do better?
Fantastic (Score:2)
We've been running into this wall for a while, and let me tell you, the workaround is the most disgusting mess imaginable. Trying to manage views/geolocation when everything is hidden behind a caching server is horrible. There is no car analogy.
Sure, this might give google more information about you, but frankly, they already have it if you're querying their servers (directly). Where this benefits them, and other content players, is when they aren't the default DNS server. This allows them to know that
Re: (Score:2, Insightful)
What's evil about this? All sorts of CDN systems could benefit from this. Hell, it could actually provide even the smallest web provider with a poor-man's version of expensive products like F5's global traffic manager.
Re: (Score:3, Informative)
Re: (Score:2)
So basically what you are saying is, let's find any way this can be marginally useful and attribute it to the only reason why Google is doing this and disregard everything else, thus they are not evil.
Re:Do no evil, eh? (Score:5, Insightful)
Well, the summary lists two ways that this could be used for "evil":
1) Or it would allow any interested party to look at your DNS requests.
2) Or it would send a user from Iran or Libya to a "domain name doesn't exist" server.
Violating privacy and enabling censorship have no place in the Western world.
You are assuming that the summary bears any relation to reality!
The proposal is that your ISP's resolver will pass your approximate IP address when doing a DNS request on your behalf so that you can be sent to a close-by server for your actual TCP connection.
What extra information does someone get here? How does this allow "any interested party to look at your DNS requests"?
On the Iran point, if the website wants to block users from Iran, they can do that when you make the TCP connection - at that time they get your exact IP address and can apply any filtering policy they like.
Re: (Score:3, Informative)
Re:Do no evil, eh? (Score:5, Informative)
On your point about the Iran point...I think there is still the issue of intermediate servers sending "domain doesn't exist" messages to Libyan requests before the packet even reaches the intended destination.
What intermediate servers? The only parties involved here are you, the website and a 3rd-party resolver that you have chosen to use.
If you don't trust your 3rd-party resolver then you're screwed with or without this extension because this resolver can see your full IP address and can lie to you about DNS (e.g. sending you to an ad site instead of saying "no such domain" or whatever).
If you don't trust the website then why are you trying to connect to it? The website will get your full IP address as soon as you connect and can then do whatever it likes with that.
Assuming you are actually planning on connecting to the website and not just doing DNS requests for the sake of it, nobody gets any information that they weren't going to get anyway and nobody has any opportunity to block you that they weren't going to have anyway.
Duh (Score:5, Funny)
If you don't trust the website then why are you trying to connect to it?
Free ringtones.
Re: (Score:2)
Re: (Score:2)
I'm not sure what you mean by the DNS server chain. If the DNS resolver you're pointed to is doing a recursive lookup, then there is no chain per se. A recursive resolver locates the NS for the address you want and then queries it on your behalf. A chain implies at least one or more servers acting as forwarders and not doing a recursive lookup. Or were you thinking of the chain of servers that get queried while the DNS server is recursing to locate the authoritative server?
This notion of passing the req
Re: (Score:2)
And guess what, Google just publicised new domain resolvers...
So... You mean that besides logging all your search requests... they'd like to be able to not just log the dns queries of people, but also know the ultimate requester?
Hmm well that wouldn't be non-evil, but I would see them doing it, they just love having information.
If anything, I think it's a sign that they discovered that between caches and resolvers, their google dns servers aren't serving up crunchy enough data...
Re: (Score:3, Insightful)
Oh, how I wish that was true!
Re: (Score:2)
What on Earth have you been smoking?!
Google is proposing that DNS be improved for geolocating content. That's it.
This is a good thing and would drastically improve the technology and remove arbitrary limitations that exist today. What's more you certainly have the option of running your own DNS server and anonymizing your requests if you want, but it's not like Google gets to see your requests anyway. The request will be sent to the DNS server responsible for the site you were actually asking about, so if y
Re: (Score:2, Insightful)
Re: (Score:3, Interesting)
Are you sure there's *no* good reason? I can understand saying that you think the downsides outweigh the benefits, but they claim that it would help them to "load balance traffic and send users to a nearby server," and it seems very possible that this functionality could be used that way. Yes, I'm sure you could accomplish this in other ways, too, but maybe Google feels like this will help them do it more efficiently. With all the traffic Google gets, efficiency is a big deal.
Maybe there's another solut
Re: (Score:2, Insightful)
I think the issue here is that for a marginal amount of good there's a whole lot of bad that can come out of this idea.
Re:Do no evil, eh? (Score:5, Informative)
I'm confused at your assertion. Maybe I'm missing something in the article (as opposed to the summary, which is just making shit up to be scary).
At the moment, I make a DNS request for a given domain. The DNS server sees if it has an entry cached and, if it does not, it asks an authoritative server for that domain what IP address should be used. Then it returns that IP address to me. That IP address is a fixed entity and could be located anywhere in the world. My initial connection to the domain, at least, is made using the server attached to that IP address. Then, if the data center wants to get clever, they can redirect me to a local data center by mangling the domain on all of their image loads, etc, to refer to a server closer to me. But it's clumsy, and I still have to talk to a distant server.
Under Google's proposal, my DNS server would send the domain I'm interested in and my approximate location (first three octets of my four-octet IPv4 address). The authoritative DNS server can then make a decision whether to send me to a data center in my general area, or a data center located on the other side of the planet. The IP address I receive is determined accordingly, so I contact the local data center. The local server represents the actual domain as far as I'm concerned, so no mangling is necessary, and I never have to talk to a datacenter half a planet away. I get faster results, the domain giving me the results has a greatly simplified time doing so, and life is good.
The only new information going to the authoritative DNS server is my approximate location. If I'm using Google's DNS servers, hell, they already have all four octets with the original DNS request. If I'm using another DNS server that supports this and I'm visiting Google, they'll give Google the first three octets. But, as soon as I have the IP address, I'm visiting the website itself and therefore the website has my full IP address. So it's not like I'm giving away any new information.
About the only "evil" I could see is an authoritative DNS server looking at the first three octets and deciding to return a black-holed address because they don't like that country. But that's already very possible without it. I do it all the time on my PHPNuke discussion boards - NukeSentinel allows me to enter large ranges of IP addresses to block, and anyone visiting from those ranges gets a very low-bandwidth "go away" message.
I suppose my authoritative DNS server could gather more information about people looking up my domain, but then again they are my host provider, so if they want the data all they need to do is pull the IP connection logs and get the full IP.
So I'm really struggling to figure out how this introduces any new risks of monitoring or censorship. The only entity that will receive this new data already gets far more data as soon as you visit the site. And censorship is far more easily done at the routing layer, not the DNS layer.
Re:Do no evil, eh? (Score:4, Informative)
That would depend on the DNS server you chose to use. You might be able to set it to slightly randomize the first three octets to something still in your vicinity but not quite as close, or you might be able to ask your DNS server to spoof it entirely.
But think about the flow of data as it stands today:
1. You do a DNS lookup. Your DNS server has your full IP address.
2. Your DNS server does an authoritative lookup (assuming it's not cached). The authoritative DNS server now has the first three octets of your DNS server.
3. Authoritative DNS server returns poorly geolocated IP address to your DNS server.
4. Your DNS server returns the IP address to you.
5. You use that IP address to visit the web site. That web site now has your full IP address.
Chances are, the authoritative DNS server is run by the same organization that runs the host you are accessing, or at least the last few routers leading to it.
If the authoritative DNS server wants your IP address, they've already got it the instant you try to use the IP address they gave you as a result of the DNS lookup. Having the first three octets is now useless to them.
From the censorship side, having you spoof those first three octets to get an IP address to reach them will do you no good because it's FAR more effective to block or redirect requests through their routers by your source IP address. In other words, they'd give you an accurate IP address but you wouldn't be able to use it.
Yes, you could use TOR or a proxy, but then you'd already be proxying the DNS lookup anyway, so again there's nothing to gain by spoofing the first three octets in the DNS lookup.
This scheme has no impact on privacy - the organization that runs the authoritative server gets FAR more information the instant you use the IP address they gave you.
It also has little impact on censorship, because censorship via DNS is going to be highly ineffective. If I knew my country used DNS-based censorship, I'd just give out IP-address-based URLs that don't need to use a DNS lookup at all. Countries that do blocking will (and already do) use blocking at the HTTP or routing layer, not DNS.
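The data flow described in the two posts above (today's resolver-only view versus the /24 truncation the proposal quotes) and the caching question raised earlier in the thread, as an added model in Python that is not code from Google, the draft, or any poster. All addresses, region mappings and answers are constructed sample data; the resolver address 8.8.8.8 and the 24-bit truncation are the only values taken from the thread.

```python
"""Model of what each party sees with and without the client-subnet extension.

Added example (not the draft's or Google's code). Three parties: a user, a
distant recursive resolver, and an authoritative server that hands out a
different answer per requester network. Everything here is constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data: which requester /24 the authoritative server steers
# to which answer address. A real server would consult its own topology table.
AUTH_REGION_TABLE: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "198.51.100.10",  # "nearby" answer for net A
    ipaddress.ip_network("192.0.2.0/24"): "198.51.100.20",    # "nearby" answer for net B
}
DEFAULT_ANSWER = "198.51.100.30"  # what every other requester gets


def truncate_client_address(client_ip: str, prefix_len: int = 24) -> ipaddress.IPv4Network:
    """The truncation the proposal describes: keep the top `prefix_len` bits
    (24 = the first three octets) and zero the host part before forwarding."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("this model covers IPv4 only, like the quoted proposal text")
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


class AuthoritativeServer:
    """Picks an answer from whatever it can see of the requester, and records it."""

    def __init__(self) -> None:
        self.seen: List[Tuple[str, str]] = []  # (qname, requester network) log

    def query(self, qname: str, requester: ipaddress.IPv4Network) -> str:
        self.seen.append((qname, str(requester)))
        for net, answer in AUTH_REGION_TABLE.items():
            if requester.network_address in net:
                return answer
        return DEFAULT_ANSWER


class RecursiveResolver:
    """A recursive resolver, possibly far from its users (8.8.8.8 in the demo).

    send_client_subnet=False is today's behaviour: the authoritative server sees
    only the resolver's own address and one cached answer serves every user.
    send_client_subnet=True forwards the user's /24 (never the full address),
    so the cache must be keyed per client network or users get wrong answers.
    """

    def __init__(self, own_ip: str, auth: AuthoritativeServer, send_client_subnet: bool) -> None:
        self.own_ip = own_ip
        self.auth = auth
        self.send_client_subnet = send_client_subnet
        self.cache: Dict[Tuple[str, Optional[str]], str] = {}

    def resolve(self, qname: str, client_ip: str) -> Tuple[str, bool]:
        """Return (answer, served_from_cache)."""
        if self.send_client_subnet:
            scope = truncate_client_address(client_ip)          # /24 of the user
            key = (qname, str(scope))
        else:
            scope = ipaddress.ip_network(f"{self.own_ip}/32")  # auth sees the resolver
            key = (qname, None)
        if key in self.cache:
            return self.cache[key], True
        answer = self.auth.query(qname, scope)
        self.cache[key] = answer
        return answer, False


def run_scenario(send_client_subnet: bool) -> dict:
    """Two users in different /24s, plus a neighbour of the first, look up the
    same name through one distant resolver. Returns what each got, what the
    authoritative server learned, and how many cache entries were needed."""
    auth = AuthoritativeServer()
    resolver = RecursiveResolver("8.8.8.8", auth, send_client_subnet)
    clients = {"user_a": "203.0.113.77", "user_b": "192.0.2.5", "user_a2": "203.0.113.200"}
    answers = {name: resolver.resolve("www.example.com", ip) for name, ip in clients.items()}
    return {"answers": answers, "auth_saw": auth.seen, "cache_entries": len(resolver.cache)}


if __name__ == "__main__":
    for flag in (False, True):
        print("client subnet sent:", flag, run_scenario(flag))
```

Without the extension every user gets the answer chosen for the resolver's location; with it the authoritative server learns only "203.0.113.0/24", never 203.0.113.77, and the resolver holds one cache entry per client network rather than one per name.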
Re: (Score:3, Informative)
"Google does have a plan to avoid the most egregious privacy concerns. "Recursive Resolvers are strongly encouraged to conceal part of the IP address of the user by truncating IPv4 addresses to 24 bits." Coincidentally, 24 bits maps directly to the minimum address block that can be carried in the Internet's routing system. Carrying any more than that won't help solve the network distance problem usin
Re: (Score:2)
Re: (Score:2)
To do anycast DNS responses, you need to know the source of the request. Everyone using Google Public DNS always gets the same response since it always looks like it's coming from 8.8.8.8. Sending the class C of the user asking for the query along with the request itself would allow anycast DNS responders to do a better job responding with the right "nearest" IP.
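The two ideas above (the resolver forwarding only the client's first three octets in step 2 of the flow, and the draft's "truncate IPv4 addresses to 24 bits") can be shown concretely. This is an added example, not code from the posts or from Google's draft; it assumes the wire format that was later standardized as the EDNS Client Subnet option in RFC 7871 (option code 8, family, source/scope prefix lengths, truncated address bytes), and the /24 and /56 defaults that RFC recommends. The client address 203.0.113.77 is a constructed sample from the documentation range.

```python
import ipaddress
import struct

# Option code and address families from RFC 7871 (assumption: the 2010 draft
# the thread discusses predates the RFC, so the RFC encoding is used here).
OPTION_CLIENT_SUBNET = 8
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def truncate_client(ip: str, v4_bits: int = 24, v6_bits: int = 56):
    """What the recursive resolver forwards: the client's prefix, never its host address."""
    addr = ipaddress.ip_address(ip)
    bits = v4_bits if addr.version == 4 else v6_bits
    # strict=False zeroes the host bits, i.e. drops the last octet of an IPv4 address
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def encode_option(net) -> bytes:
    """Build the EDNS option: code, length, family, source prefix, scope (0 in a query), address bytes."""
    family = FAMILY_IPV4 if net.version == 4 else FAMILY_IPV6
    plen = net.prefixlen
    nbytes = (plen + 7) // 8                      # only as many bytes as the prefix needs
    addr_bytes = net.network_address.packed[:nbytes]
    data = struct.pack("!HBB", family, plen, 0) + addr_bytes
    return struct.pack("!HH", OPTION_CLIENT_SUBNET, len(data)) + data


def decode_option(raw: bytes):
    """What the authoritative server can recover: a prefix and the scope field, not a full IP."""
    code, length = struct.unpack("!HH", raw[:4])
    if code != OPTION_CLIENT_SUBNET:
        raise ValueError("not a client-subnet option")
    data = raw[4:4 + length]
    family, plen, scope = struct.unpack("!HBB", data[:4])
    addr_bytes = data[4:]
    total = 4 if family == FAMILY_IPV4 else 16
    if len(addr_bytes) != (plen + 7) // 8:
        raise ValueError("address length does not match prefix length")
    padded = addr_bytes + b"\x00" * (total - len(addr_bytes))   # restore the zeroed host bits
    return ipaddress.ip_network(f"{ipaddress.ip_address(padded)}/{plen}", strict=False), scope


def hosts_hidden_behind(net) -> int:
    """How many addresses the truncated prefix covers, i.e. the crowd the client is hidden in."""
    return net.num_addresses


if __name__ == "__main__":
    prefix = truncate_client("203.0.113.77")            # constructed sample client
    wire = encode_option(prefix)
    print(prefix, wire.hex(), decode_option(wire), hosts_hidden_behind(prefix))
```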
Re: (Score:2, Interesting)
Re:Do no evil, my ass. (Score:5, Insightful)
Are you being deliberately obtuse? Region-based load balancing also helps content providers reduce latency and get better bandwidth by reducing the number of network hops between you and the web server. This could be very beneficial to sites like Youtube and other high-bandwidth sites.
And the privacy issues strike me as semi-bullshit. You are looking up the DNS for a website YOU WERE PLANNING TO VISIT ANYWAY. When you visit the web site, they have your full IP address anyway. Sure, there are potential man-in-the-middle issues, and maybe some worries in cases where the web server operator (which presumably you want to give your IP address to) and the DNS server operator are different people. But seriously, web browsing is not IP address anonymous in any way, so I see no reason why DNS has to be either. If you want that level of privacy, you should be using Tor.
Anyway, the privacy/efficiency debate is worth having, but you have to first acknowledge that Google's legitimate reason for this extension might actually be the reason they stated.
Re: (Score:2)
Re: (Score:2)
Google stands to gain a LOT from this, and they do not stand to gain any benefits from additional tracking of any users. In fact, everyone on the Internet could easily benefit from this, and it's a relatively trivial change.
But the summary is deeply flawed. The sky is not falling, we just had a Chicken Little post a summary that bears almost no resemblance to the original source article or what is proposed there.
This is the important bit from the article, though there's a lot of background explanation b
Re:Do no evil, my ass. (Score:5, Insightful)
If Google could be trusted to never hand that information over to the government, then I would have no problem with them data mining as much as they want.
Those were really big IFs, since we all know the government can easily get the information from Google; therefore we don't want them to have it.
There are lots of value add services that can be done because of data mining that consumers and the population want, they just ignore the consequences of the government also having access to the same data.
Re: (Score:2)
It strikes me that you could create a Slashdot article stating that Google had a plan to make it possible for websites to log who visits... and everyone would start bashing Google, never mind the fact that that's already the reality.
Re:Do no evil, my ass. (Score:4, Insightful)
Oh because they're not going to get all four octets a fraction of a second later when you CONNECT TO THEIR SERVER?
Critical thinking people... This would actually let people not use their ISP provided LDNS' without getting asstastic performance from every big site out there!
Re: (Score:2)
Oh because they're not going to get all four octets a fraction of a second later when you CONNECT TO THEIR SERVER?
Critical thinking people... This would actually let people not use their ISP provided LDNS' without getting asstastic performance from every big site out there!
Not if you're using a proxy server.
Think about how this is working... (Score:4, Informative)
With this DNS extension, they can see what sites buckets of people are visiting when they're NOT on google sites or where goog ads are being served.
Umm, how is that, exactly? Assume this gets adopted - Google's DNS servers aren't authoritative for anyone other than Google - so they won't see your DNS requests... and even if they were, they'd only see traffic for the sites that Google DNS is authoritative for.
Consider the fact that Google runs a caching DNS already; they don't need this - they'll already have the data for everyone using their resolver service, which would be much more data than this would get them.
In short, I think your tinfoil hat is a little tight. This sounds to me like Google's DNS service has turned out to be using more of their bandwidth than they anticipated, and they're looking to reduce it.