IPv6 CoE Blog

On Google's Public DNS Service

With the press frenzy over Google's announcement of their Public DNS Service, you'd think that they'd announced that they had taken over running the root name servers. At the very least, the press is presenting it as a power grab, a way for Google to insert themselves into still more Internet transactions. Others have suggested that Google's looking to replace the Internet's DNS infrastructure entirely, and possibly introduce new, private top-level domains. (I'm skeptical about this.)

What is Google really doing? Put simply, they're offering recursive name service from their cloud, based on their own implementation of a recursive name server. From the writeup, they included nearly every anti-spoofing mechanism known to man in their name server, which means it should be highly resistant to cache poisoning. I say "nearly" because they don't support the DNS Security Extensions yet, so they can't take advantage of the long-term solution to cache poisoning, which is being deployed either "soon" or "now," depending on what part of the namespace you live in. They also pre-fetch information about popular domain names, which should provide better performance than your average recursive name server.

They pointedly don't do NXDOMAIN redirection, which is intercepting responses that would normally return a "No such domain name" reply and replacing them with the address of a web server. Once you're there, the web server typically tries to guess which domain name you meant to type, and probably displays some ads, too. Companies including OpenDNS use this technique, ostensibly to try to help users find what they're after, but also to generate cash to fund their operations.

Google stops short of calling NXDOMAIN redirection evil, but they plainly don't like it. Others have reservations about NXDOMAIN redirection, too: Many Internet services count on DNS to return those "No such domain name" responses. For example, mail servers often check to see whether the domain name used in an email address really exists to help decide whether the email is spam or not. But NXDOMAIN redirection makes every domain name look like it exists.
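The check a mail server (or any other service) relies on here is simple to reproduce: ask a resolver for a name that cannot exist and see whether it answers RCODE 3 (NXDOMAIN) or quietly hands back an A record. The script below is an added example, not code from the original post or from Google or OpenDNS; it builds a minimal DNS query in wire format, parses the reply's header and answer section, and classifies the resolver's behaviour. The probe name is a random label under the reserved `.invalid` TLD, and the two sample replies are constructed inline (the address 192.0.2.1 is a documentation address, not any real redirect target) so the parsing and classification run offline; `probe_resolver` does the live UDP exchange when you point it at a resolver address.

```python
"""Detect NXDOMAIN redirection by a recursive resolver.

An honest resolver answers a query for a nonexistent name with RCODE 3
(NXDOMAIN).  A redirecting resolver answers RCODE 0 with an A record for
a search/ad web server, which is what breaks services that depend on the
"no such domain" signal (e.g. mail servers checking sender domains).
"""
import random
import socket
import struct
import sys
from typing import Optional

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def build_query(name: str, txid: Optional[int] = None) -> bytes:
    """Encode a standard recursive A query for `name` in DNS wire format."""
    if txid is None:
        txid = random.randrange(0, 0x10000)  # random transaction ID per query
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Extract the transaction ID, RCODE and any A-record addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": rcode, "answers": addrs}


def classify(parsed: dict) -> str:
    """'honest' if the resolver returned NXDOMAIN, 'redirecting' if it synthesised an address."""
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return "honest"
    if parsed["rcode"] == RCODE_NOERROR and parsed["answers"]:
        return "redirecting"
    return "inconclusive"


def random_probe_name(zone: str = "invalid") -> str:
    """A random label under a reserved TLD (RFC 2606), so the name cannot legitimately exist."""
    label = "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
    return f"{label}.{zone}"


def probe_resolver(server: str, timeout: float = 3.0) -> str:
    """Send one probe over UDP to `server` and classify its answer (needs network access)."""
    query = build_query(random_probe_name())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    parsed = parse_response(reply)
    if parsed["txid"] != struct.unpack("!H", query[:2])[0]:
        return "inconclusive"  # not the reply to our query
    return classify(parsed)


# Constructed sample replies for the probe name "xyz.invalid" (not captured from
# any real resolver).  Both echo the question; the second answers with an A record
# via a compression pointer (0xC00C) back to the question name.
_QUESTION = build_query("xyz.invalid", txid=0x1234)[12:]
HONEST_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION  # QR, RD, RA, RCODE=3
REDIRECTED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION            # QR, RD, RA, RCODE=0
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])  # A 192.0.2.1, TTL 60
)

if __name__ == "__main__":
    # usage: python nxdomain_probe.py <resolver-ip>
    print(probe_resolver(sys.argv[1]))
```

A resolver that redirects only some query types or only for some TLDs will still show up as "honest" on a single probe, so in practice you would repeat the check across a few names and record types before drawing a conclusion.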

Does that mean that you should dump OpenDNS and move to Google's Public DNS service? That depends on your needs and your priorities. OpenDNS does more than NXDOMAIN redirection: They maintain a dynamic list of domain names associated with different kinds of malicious (or simply..., and if you inadvertently try to look up one of these, they'll head you off. And they provide the ability to customize this behavior and choose, category by category, which types of domain names you don't want your users to resolve. (For their part, Google's blog suggests they disapprove of this kind of blacklisting, too.) Plus OpenDNS runs the same kind of anycast infrastructure Google does, and they have their own tricks for improving performance.

If you don't need or want NXDOMAIN redirection or OpenDNS's blacklisting capabilities, why wouldn't you use Google's service? Well, there's no SLA, first of all - Google's refreshingly candid about that. And there's no such thing as a free lunch: Google will undoubtedly analyze your DNS "query stream" to their advantage, though they've published a data privacy policy that says that they'll anonymize the record of your queries .... But heck, if you use your ISP's name servers, you're giving them your query stream, too, and your ISP probably has no published privacy policy.

So the upshot is that Google looks like another worthy entrant into the world of cloud-based recursive name service, but it's by no means a juggernaut. I think it's great that they offer a functionally and philosophically different flavor of DNS to users - choice is generally good, after all - but I also think there are lots of folks who find what OpenDNS does useful. Even the purists who are morally opposed to NXDOMAIN redirection might be uneasy using Google's name servers, since those same purists are more likely to worry about the privacy of their query stream.

And we should keep in mind that all of this is really a tempest in a very modest teapot, since the user base we're so worried about consists only of the small percentage of people capable and motivated enough to reconfigure their computers' resolvers to use name servers other than the defaults.
