Google Implements DNSSEC Validation For Public DNS
wiredmikey writes "Google on Tuesday announced that it now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers. Previously, the search giant accepted and forwarded DNSSEC-formatted messages but didn't actually perform validation. 'With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains,' Yunhong Gu, Team Lead, Google Public DNS, wrote in a blog post. According to Gu, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. According to NIST, there has been no progress in enabling DNSSEC on 98 percent of all 1,070 industry domains tested as of March 18, 2013. 'Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,' Gu said."
Re:What web sites and hosts do you visit? (Score:4, Insightful)
I think your ISP has a much better log of your activities.
Re: (Score:1)
Could be true, but my ISP is not in the business of serving banner ads, building a profile of all my personal interests, habits, and vices, and there is actually somebody who will pick up the telephone at my ISP unlike Google, which has no actual humans that one is likely to be able to speak with about these concerns.
Google should be viewed as an adversary, and they didn't build that new building right across from spook central for nothing.
Re:What web sites and hosts do you visit? (Score:4, Interesting)
My ISP, AT&T, has terrible DNS, at least in this area. They randomly take down DNS servers, without replacing them. In case you don't know, this leaves customers without any way to access the internet.
They occasionally stop serving requests to competitors. For a while the only way that I could reach my work home page from home was to type in the IP address, at least until I switched to Google DNS. It was sort of important because I was an admin.
Google DNS just works. I can go to any page I need to go to.
Re: (Score:1)
I wasn't remarking on the relative effectiveness of the domain name servers at AT&T vs. Google, I was pointing out that Google seeks more and more information about you, to use for whatever purposes they see fit.
AT&T might do this too but at least they aren't building a profile of you and selling it to anybody with two bits to spend.
Re: (Score:1)
Neither is Google.
Re: (Score:1)
Google is certainly building up a profile of everybody who uses any of their sites, and anybody using a page that uses any Google API, and selling this information. No need to lie to me, especially when everybody already knows the truth about Google.
Re: (Score:1)
You can see what's in this "profile" by visiting your Google account page. This "profile" consists of some of the pages you visited and things you searched for. Basically, clues to what ads you might be likely to click on. That's all.
Google never has and never will sell your information to anyone.
yes, yes, yes, I get it, you are the tech-age hipster crying wolf. Don't let me spoil your fun.
Re: (Score:1)
We have no guarantee that everything Google knows about you is in your Google profile. They are keeping tabs on everybody who lands on a page that uses Google APIs, they have been busted circumventing privacy controls in browsers, and they are not to be trusted.
The wolf is right there. Everybody can see it. You just need to take your blinders off.
Re: (Score:1)
Read up on the details of the case where Google was "circumventing privacy controls in browsers". All Google was doing was trying to get the status for the +1 button on the page. A bug in Safari was piling on the extra cookies, which Google ignored.
Or, let's tape on our tin foil hats and look at it from YOUR perspective:
There were a relatively tiny number of people who actually enabled DNT in Safari. And those were people who were not likely to click on ads anyway. But, according to you, the people at Goog
Re: (Score:1)
I know (not believe, know) that Google is doing anything and everything it can to build up profiles of everybody who uses any Google service - visible or not - all of the time. This is their primary job. They are advertisers, trying to make money by selling targeted ads (and perhaps information that allows targeting) to anybody. And yes, I know they were purposefully targeting this Safari bug.
I do not believe that it is possible for advertisers, attorneys, loan brokers, and certain other classes of people
Re: (Score:1)
Can you share with us how you "know" this? Not "believe", but "know"?
Did the "voices" tell you? Or can you offer us even a tidbit to verify that your claims are anything other than "beliefs"?
Are you saying that you are currently in contact with "some of the highest ranking Googlers" and that they are sharing their nefarious plans with you? Or are you saying that you once went to the same school as someone who now works at Google and you did not like that person at the time?
We await your fabulous stories w
Re: (Score:2)
You are your ISP's customer and therefore their use of your private data is strictly regulated by federal law under penalty of quite substantial fines.
Re: (Score:2)
In most countries I believe that they're allowed to anonymize it and use it that way. P
Pretty much the same thing the search companies do.
Re: (Score:1)
https://en.wikipedia.org/wiki/Flamebait [wikipedia.org]
APK (disambiguation) (Score:2)
Just ban any post with "apk"
So how would one discuss sideloading Android applications?
Re: (Score:2)
Or permit us to just collapse these sorts of long posts. I don't mind that there are long posts here, but it's annoying to have to scroll past them.
Re: (Score:2)
I don't mind that there are long posts here, but it's annoying to have to scroll past them.
Um, poor baby? Do you not know how lame that is, you and those above complaining about the same thing? Gahd! Syrians are re-inventing WW1 warfare, ffs. It takes max. three seconds to spacebar past that crap. Sheesh!
Re: (Score:2)
What do Syrians have to do with this? Or are you just an asshole by nature. This is a usability thing that a website developer ought to care about and no, it takes me longer than that, this computer isn't the fastest out there, not with all the larding up of this web 2.0 stuff.
Re: (Score:2)
I don't mind that there are long posts here, but it's annoying to have to scroll past them.
Syrians are re-inventing WW1 warfare, ffs.
What do Syrians have to do with this?
Wow you're shallow, as a pane of glass. People are dying out there fighting civil wars, and you're complaining about having to page past stuff you'd prefer not to see. :-|
Re: (Score:2)
I don't mind that there are long posts here, but it's annoying to have to scroll past them.
Syrians are re-inventing WW1 warfare, ffs.
What do Syrians have to do with this?
Wow you're shallow, as a pane of glass. People are dying out there fighting civil wars, and you're complaining about having to page past stuff you'd prefer not to see. :-|
Again, I ask what does this have to do with a complaint about a usability problem with a website?
"Shallow" refers to your lack of "depth", as in "deep thinking" or "inability to prioritize." Lots of things can be complained about. There's lots that's wrong in the world. But, max. three seconds to spacebar past annoying posts?!? Come on.
I see !@#$ like this all the time. People get five spams a day, and they think it's the end of the world. It drives them to avoid email and use FaceFuck to communicate instead.
Dumbth!
... a pane of glass isn't shallow, it's transparent.
Pardon me. I was previously unaware that you were an idiot. Carry on. Bon chan
Re: (Score:2)
There's always been an option about the text length display on Slashdot. I've adjusted mine more than once.
And then there's the ACs. For me, all ACs get a -2 on their score. It too is in the Slashdot options. Can't be bothered to create an account? I rarely read your shite.
Thirdly, replying to trolls, and then getting modded up in some way similar to Reddit, Facebook, and any other site that does the thumbs-up shit, only serves to highlight the post to me. I then end up reading the parent troll. G
Re: (Score:1)
Oh, maaan - you went and fed the troll. At least it wasn't after midnight, but c'mon, Internet 201.
This story is ... (Score:1, Insightful)
Re:This story is ... (Score:5, Interesting)
Back then, there were two DNS servers out there:
LWN has a good article from that era [lwn.net] to give people an idea how limited choices were with open-source DNS servers. Since then, we got Unbound [unbound.net] and NSD [nlnetlabs.nl], PowerDNS [powerdns.com], and (shameless plug warning) MaraDNS [maradns.org] (there are also a lot of DNS server projects which never were finished or were abandoned years ago, such as OakDNS, Dents, Posadis, etc.)
The idea behind DNSSEC is that it is, within a margin of error (I'm already awaiting a somewhat pedantic correction from a neckbeard), the HTTPS of DNS: It makes it impossible (cue neckbeard pedantic correction) to spoof a DNS reply. DNS without DNSSEC is like HTTP without HTTPS: There are security issues where an attacker can make someone go to the wrong web site.
(Yes, I am aware of DNScurve. I'm also aware that, like Esperanto, the best idea doesn't always win--or even get implemented in a mainstream DNS server)
(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)
Unicode support or lack thereof (5:erocS) (Score:2)
Slashdot: 2001 called and wants its lack of Unicode support back.
I've explained before how vandals forced Slashdot to stop supporting Unicode [slashdot.org].
Re: (Score:2)
determining the difference between a Unicode control character and a Unicode printable character is clearly an intractable problem
The problem comes when Unicode releases a new standard with new control characters before Slashdot administrators can implement the changes.
And hey, what do you have against that particular Germanic tribe anyway
What does the most widely used reference wiki have against them too [wikipedia.org]?
Re: (Score:1)
I'm a pure-7-bit-ASCII vandal, myself. I just embed escape [2;9y into my posts, to make your VT100 do a constantly-repeating self-test.
Another fun fact: I just upgraded to MaraDNS about a week ago. Believe it or not, I had been using Twisted Names, and got away with it for several years. It mostly worked. Mostly.
Re: (Score:1)
Slashdot: 2001 called and wants their lack of ability to edit posts (perhaps with a timeout to stop some forms of abuse) back. I swear, this place is becoming almost as musty as Usenet.
Re: (Score:2)
I'm about 0.4.03-1.1+squeeze1 version units of the way in between 1 and 2. Bah, sounds like I have 2 years 6 months and 1 day to deal with upgrading.
Damn, now that I think of it, I probably won't get to it in time.
Re: (Score:3)
(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)
While I support your idea, smart quotes need to die in fires. I also do not understand the need for different types of dashes - a dash is a dash!
Re: (Score:2)
I'm already awaiting a somewhat pedantic correction from a neckbeard ...
Defensive much? I've used MaraDNS. It worked. Now I use bind9. It works.
For me, when the US gov. thinks DNSSec would be a step back, hindering their ubiquitous surveillance of everyone and everything always, I like DNSSec. Rage against the machine.
[My beard's a Van Dyke, and my neck's been shaved.]
Re: (Score:2)
I had the following conversation with my boss: ... ?
Check this link out
DNSSEC checker and your domain.. what's DNSSEC?
DNS SECURITY extension.. makes it much harder to redirect my domain by attacking the DNS layer
and you didn't do this on our domains because
Your registrar hasn't bothered implementing DNSSEC yet.
OK, we're moving everything to one that does.
It was like I told him we had no firewall or backups when I put it that way. Bosses don't like to sound in
Re: (Score:2)
(We switched away to DNSMadeEasy years ago, but they don't yet do DNSSEC on "primary" domains. Which a
Re:Registrars need to step up to the plate (Score:2)
I have both DNSSEC and IPv6 working for all of the domains I moved to GANDI [gandi.net]
Re: (Score:2)
Boring anecdote: I had to call my credit card company and authorize it for French transactions before I could purchase domains through them. No bullshit!
Re: (Score:2)
Most of the registrars in the world either don't support this, or make it more than a pain to implement it. Trying to find one that supports adding DNSSEC and IPv6 simultaneously is a nightmare.
So, do it yourself. You don't have to use others' DNS, and IPv6 can be tunnelled via IPv4. I don't use my ISP's DNS. I use OpenNIC.
Build (or buy, or rent) your own server to do this stuff. It's not that difficult or expensive, as others have mentioned. With experience in both, you should be more valuable in the future.
DOS risk still? (Score:1)
I'm not up to scratch on the whole DNSSEC thing, but last I heard the protocol allowed DNSSEC-respecting servers to be trivially used as DOS nodes by having a control server. A machine could spoof the originating host on a lookup request for something nonexistent, and the payload of whatever the DNS is supposed to return is significantly larger than the lookup requests themselves, so you could trick one of the nameservers into bombarding your victim for you. What ever happened with that?
ISP's egress filter (Score:2)
A machine could spoof the originating host
How does spoofing the originating host get past an ISP's egress filter? As I see it, the attacker and the victim of such an amplification attack would have to be on the same ISP.
Re: (Score:2)
Never assume ISPs like Comcast or Time-Warner would ever invest the time or money into such an egress filter.
Re: (Score:1)
Those attacks are still going on. This exploit does not require DNSSEC, but the large size of DNSSEC records makes it much more effective. Some DNS servers have implemented rate limiting to deal with this problem.
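The rate limiting the poster mentions is usually response rate limiting (RRL), the scheme BIND 9 and NSD adopted against reflection attacks: identical answers to one client network are capped per second, and excess responses are either dropped or "slipped" as a tiny truncated reply that makes a genuine client retry over TCP, which a spoofed victim never does. The following is an added example, not code from the thread or from any DNS server; it is a simplified model of that mechanism, the query stream is constructed, and the per-second limit, slip ratio and /24 grouping are illustrative parameters rather than anyone's real configuration.

```python
"""Simplified response rate limiting (RRL) against DNS reflection.

Added example, not from the thread. Identical answers to one client /24
are capped at RESPONSES_PER_SECOND; every SLIP-th excess response is sent
as a truncated (TC=1) reply so a real client retries over TCP, and the
rest are silently dropped. Parameters and sample traffic are constructed.
"""
import ipaddress
from collections import defaultdict

RESPONSES_PER_SECOND = 5   # illustrative; BIND calls this responses-per-second
SLIP = 2                   # illustrative; BIND calls this slip


class RateLimiter:
    def __init__(self, rps=RESPONSES_PER_SECOND, slip=SLIP, prefix_len=24):
        self.rps, self.slip, self.prefix_len = rps, slip, prefix_len
        self.buckets = {}                # key -> (second, responses sent)
        self.excess = defaultdict(int)   # key -> excess responses seen

    def _key(self, client_ip, qname, qtype):
        # Spoofed sources usually vary within a network, so group by prefix
        # and by the identity of the answer that would be reflected.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, ts, client_ip, qname, qtype):
        """Return 'answer', 'slip' (truncated empty reply) or 'drop'."""
        key = self._key(client_ip, qname, qtype)
        second = int(ts)
        window, sent = self.buckets.get(key, (second, 0))
        if window != second:             # new one-second window, start over
            sent = 0
        sent += 1
        self.buckets[key] = (second, sent)
        if sent <= self.rps:
            return "answer"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "slip"                # TC=1, no RRSIGs: tiny, forces TCP retry
        return "drop"


def simulate(limiter, queries):
    """Count decisions over (ts, client_ip, qname, qtype) tuples."""
    counts = defaultdict(int)
    for ts, ip, qname, qtype in sorted(queries):
        counts[limiter.decide(ts, ip, qname, qtype)] += 1
    return dict(counts)


# Constructed traffic: 12 'example.com ANY' queries in one second from two
# (spoofed) hosts in 203.0.113.0/24, 2 from an unrelated network, then one
# more from the first network after the window has rolled over.
SAMPLE_QUERIES = (
    [(i * 0.07, f"203.0.113.{5 + (i % 2)}", "example.com", "ANY") for i in range(12)]
    + [(0.3, "198.51.100.7", "example.com", "ANY"),
       (0.5, "198.51.100.7", "example.com", "ANY")]
    + [(1.2, "203.0.113.5", "example.com", "ANY")]
)

if __name__ == "__main__":
    print(simulate(RateLimiter(), SAMPLE_QUERIES))
```

Of the 12 burst queries from the one /24 only the first 5 are answered in full; the remaining 7 alternate between drop and a truncated slip, so the reflected bandwidth toward the victim collapses while a legitimate client behind that prefix still gets an answer via TCP. The unrelated network and the query in the next second are unaffected.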
more data for google -- a LOT more (Score:2, Insightful)
Awesome... now more people will be tricked into switching to Google's DNS servers, and therefore, more people can be tracked by Google.
Before, Google just watched your browsing habits, your email, your phone calls and cell phone activities, your physical connection, tracked you through advertising, monitored your connections to your friends, and, well, when you took a dump too.
Now, Google plans to monitor every other activity your computer partakes in, as it watches all the DNS lookups you make. Any websit
Re:more data for google -- a LOT more (Score:4, Insightful)
Please explain how you know that, for example, Microsoft doesn't already do a lot of similar things?
For a start, every new connection you check in with Microsoft by connecting to a Microsoft server and downloading a text file (look up NCSI - and, yes, you can change the registry entries to your own server if you wish, but so can you NOT use Google's DNS servers. I actually use it as a primitive "call home" device should someone be stupid enough to steal my laptop - as soon as it's turned on on an unknown Internet connection, it will try to talk to my server as a connection test, which would give me their IP).
Or time.microsoft.com. Same sort of thing. Hell, a lot of security suites "call home" with details of what pages you're going to in order to see if they are malware, etc. Opera Mini/Mobile "calls home" to a server that could even cache your SSL connections in theory, etc. Just what precisely distinguishes Google from anything else that you have voluntarily installed on your computer?
Re: (Score:2)
Your response is the equivalent of stating that since Microsoft murdered someone, I shouldn't be upset that Google did. Further, since we all know Microsoft murdered someone, I am out-of-line for mentioning that Google did.
Guess what Jimmy -- lots of people mention the bad things that M$ does. My post is about the bad things Google does -- and they do LOTS of bad things.
And I call them on those bad things, and the bad things they continue to do.
Re: (Score:2)
And not once have Google ever forced anyone to use 8.8.8.8 or 8.8.4.4 as their DNS server.
But I can find you a lot of things that Microsoft has done to force such things on their customers. Even convicted in a court for it.
Fact is, if you are that paranoid about Google, just stop using them or sites that support them. And if those sites were that worried, they'd stopped using them too.
The point is that LOTS of companies do lots of things with your data and have to abide by the law in doing so. Google isn
Re: (Score:2, Insightful)
Ah, a new tack -- no one is forcing you to use Google, therefore it's OK that they do whatever they do.
No one is forcing you to rent a particular apartment either, so I guess it's OK if the landlord puts cameras in it, and spies on you?
No one is forcing you to go to a particular grocery store. I guess it is OK for that grocery store to poison your food, if you don't like it, shop elsewhere?
Sorry, the "if you don't like that you're being spied on, just shut the hell up and stop using that product" is anothe
Re: (Score:1)
What's your suggestion then, that all targeted advertising be stopped? Google as a company behaves pretty well in general and exceptionally well when compared to others. If I can get excellent free services in exchange for having targeted ads displayed, sign me up. The cost of the services without the ads is prohibitive. As the GP stated, if you don't like them, don't use them and block a by taking cookies. I don't think you're going to have a lot of luck making collecting information illegal.
Re: (Score:2)
I suggest it be made very clear what data is collected and precisely how it is used.
Then let people decide if they want to use the service.
Right now, the only choice is to GUESS how the data is being used, and to GUESS precisely what is being collected. That needs to change.
Outside of the above... Google behaves well? Pfft. They behave as poorly as any large corporation, from what I've seen. Further, as mentioned above, the sort of "if you don't like them, stop talking about it, just don't use them" tho
Re: (Score:1)
You keep describing bad behaviour. Please explain.
Re: (Score:2)
I suggest it be made very clear what data is collected and precisely how it is used.
https://developers.google.com/speed/public-dns/privacy [google.com]
Re: (Score:1)
"The point is that LOTS of companies do lots of things with your data and have to abide by the law in doing so."
Nope, what they do, is totally break the law whenever it makes financial sense to do so, while hoping nobody at places like the SEC or DOJ notices.
Re: (Score:2)
Try using the SSL/TLS subsystem in Windows without sending information to Microsoft.
Re: (Score:2)
I'm willing to bet more people use Google products than MS products.
Well (Score:3)
Show me an ISP or host who supports IPv6 and DNSSEC for a reasonable price and I'll switch.
Fact is, usually your hosting provider runs your DNS for you, and until they change there's nothing I can do. Setting up a nameserver is within my realm of possibility but it's something that I pass off to third-parties for a reason (for a start, you need two and ideally they should be on different IP spaces and connections). Also, configuring and updating DNSSEC is, from what I've seen, a bitch and even the initial signing can be a pain in the arse. Sod all that hassle just for the convenience of a minority of visitors.
Combine that with the fact that for almost EVERYONE who owns a domain, someone else other than them actually hosts it (and the big guys who DO host their own domain nameservers? Well, they can and are enabling DNSSEC where they need it, but it's no small task) and you have a problem.
You can bitch at me as much as you like but that ain't going to DNSSEC-enable my domains that I don't host any more than bitching that my IPv6-ready setup isn't actually on an IPv6-compatible / supported connection / ISP-supplied router will get me online.
Talk to my ISP and domain host. Get a few of them moving, then we can talk. Until then, it's all just another technology that I can do nothing about without a lot of expense for virtually zero gain.
P.S. The domains I do have on VPS / external servers on hosts which offer DNSv4 control publish AAAA records which work. In the same way they publish SPF records that work, and DKIM records that work, and reverse DNS records that are valid. And they ALL get used. But not really enough to justify even the small effort it took to do all that.
I've done my bit. Call me when my ISP host gets off their arse and does theirs. In fact, call me when Slashdot does the same. 10 years on and they're still publishing articles about the doom of IPv4 without a single AAAA record to their name.
Re: (Score:2)
you could always set up your own bind9 dns server hell my laptop has its own dns server running on it
Re: (Score:2)
Could.
Won't.
For a start, a home DNS server isn't suitable. And if I deploy a nameserver, as I said, you should be deploying two on separate networks. And it's STILL a pain in the arse to sign it all properly. It's just not worth the effort for a small home user, and those who run nameservers now can run DNSSEC now. The point is that few people run nameservers of their own, for good reason.
Re: (Score:1)
Show me an ISP or host who supports IPv6 and DNSSEC for a reasonable price and I'll switch.
In which country?
Some areas aren't technology backwaters as much as others.
Re: (Score:2)
Quote from their webpage (which doesn't mention DNSSEC anywhere where a potential buyer would ever find it):
"You need to be able to manage and administer your own DNS, because our hosted DNS does not allow you to manage DNSSEC directly."
Re: (Score:1)
I'm usually against advertising but in this case it is acceptable:
https://www.transip.nl/ [transip.nl]
These guys do DNSSEC and IPv6 for a reasonable price.
Unfortunately their website is in Dutch, that might be a showstopper for you.
thank you google !!! (Score:2)
personally I have been looking forward to this !!
thank you finally validation works
John
FAIL. (Score:5, Interesting)
Google has not correctly implemented DNSSEC. If you send them a normal DNS query and the response is not validly signed, they just pass the answer back to you without any indication that it's invalid. They only tell you that the answer failed to validate if you set the DO ("dnssec okay") or AD ("authentic data") bits in your query, which almost no DNS clients currently do.
If the answer is invalid, a validating name server is supposed to respond with SERVFAIL, so that even if the client doesn't know anything about DNS security, it will still be protected against spoofing. Google is claiming to provide protection against spoofing, and then they aren't providing *any protection at all*.
If you want DNSSEC protection, you're still going to have to run a validating name server yourself: either BIND 9 or Unbound. (Disclosure: I'm a BIND 9 author.) It is, nowadays, extremely easy to configure a validating name server using BIND 9; in any version since 9.8.0, a one-line named.conf will do it:
options { dnssec-validation auto; };
Run named with that configuration and "nameserver 127.0.0.1" in resolv.conf and you're good to go. Google public DNS is not ready to trust yet.
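The complaint above turns on two pieces of wire format: the DO bit lives in the EDNS0 OPT record a client appends to its query, the AD bit lives in the DNS header, and a validating resolver that rejects a bogus answer signals it with RCODE SERVFAIL rather than returning the data. The block below is an added example, not code from the post or from BIND or Google: it builds a query with and without the DO/AD request bits and classifies a reply the way a DNSSEC-aware client would. The sample replies are constructed header-only frames, and the 4096-byte EDNS payload size and transaction ID are arbitrary choices.

```python
"""Build a DNS query that asks for DNSSEC validation and classify the reply.

Added example, not from the post. A DNSSEC-aware client sets the DO bit in
an EDNS0 OPT pseudo-RR and may set AD in the header to ask for the AD flag
back (RFC 6840 s.5.7). A validating resolver answers a signed, valid name
with AD=1; it answers a bogus one with RCODE 2 (SERVFAIL) and no data.
Sample responses below are constructed, not captured traffic.
"""
import struct

RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
FLAG_RD, FLAG_AD, FLAG_QR_RD_RA = 0x0100, 0x0020, 0x8180
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
EDNS_PAYLOAD = 4096            # arbitrary advertised UDP payload size
EDNS_DO = 0x00008000           # DO is the top bit of the OPT "TTL" flags half


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234,
                want_dnssec: bool = True) -> bytes:
    flags = FLAG_RD
    arcount = 0
    if want_dnssec:
        flags |= FLAG_AD          # "I understand AD; please set it if validated"
        arcount = 1               # one additional record: the OPT RR
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)
    opt = b""
    if want_dnssec:
        # OPT RR: root name, TYPE=41, CLASS=payload size,
        # TTL=ext-rcode|version|DO|Z, RDLEN=0 (no options)
        opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, EDNS_PAYLOAD, EDNS_DO, 0)
    return header + question + opt


def classify_response(resp: bytes) -> str:
    """'validated' (AD=1), 'bogus-or-failed' (SERVFAIL) or 'unvalidated'."""
    _txid, flags = struct.unpack(">HH", resp[:4])
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        return "bogus-or-failed"      # resolver refused to hand over the data
    if rcode == RCODE_NOERROR and flags & FLAG_AD:
        return "validated"            # resolver vouches for the answer
    return "unvalidated"              # data returned, no assurance either way


def sample_response(txid: int, rcode: int, ad: bool) -> bytes:
    """Constructed minimal reply: header with QR/RD/RA plus the question."""
    flags = FLAG_QR_RD_RA | rcode | (FLAG_AD if ad else 0)
    return (struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name("example.com") + struct.pack(">HH", TYPE_A, CLASS_IN))


if __name__ == "__main__":
    print(build_query("example.com").hex())
    print(classify_response(sample_response(1, RCODE_SERVFAIL, False)))
```

A quick way to see the behaviour the post describes against a real resolver is to send the DO-bit query and the plain query for the same name and compare: a resolver that validates regardless of the client returns SERVFAIL for a bogus name either way, whereas one that only reports validation when asked returns the (unverified) data to the plain query and "unvalidated" is all this classifier can say about it.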
Useful in China (Score:1)