Google has just launched its own public Domain Name System (DNS) resolver, which the company hopes will speed up web browsing. The search giant claims its resolver is both faster than others and more secure, thanks to protections against cache poisoning attacks.
Most of you will know what the Domain Name System does. When you type in a web address, you expect to be taken to that address; DNS makes this happen by converting the name you typed into its numerical form, the IP address, which your computer then connects to. That also makes the resolver a point of trust: whoever answers your DNS queries decides which server you actually reach.
Google claims that its DNS service is faster than others. “In addition to load-balancing user traffic to ensure shared caching, Google Public DNS implements ‘smart’ caching to increase the speed of responses,” the company states, “Google Public DNS independently resolves domain names and keeps the resolutions in the cache until their time-to-live expires, at which point they are automatically refreshed. The cycle of caching and refreshing is performed offline, asynchronously with user requests, so that responses are almost always available directly from cache.”
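The caching behaviour Google describes above, as an added example written for this article (it is not Google's code): a small resolver cache that answers from cache and queues a background refresh once an entry is close to its TTL, so that a steady stream of lookups never has to block on the upstream once the entry is warm. The same shape is what you get from running a local caching name server that forwards to an upstream resolver. The upstream, the clock and the example.com record are constructed stand-ins so the demo runs offline; `run_background_refresh()` plays the role of the asynchronous worker.

```python
# Added example (not Google's code): a TTL-aware cache that refreshes
# entries in the background before they expire, so that repeat lookups
# are served from cache instead of waiting on the upstream resolver.
# The upstream, the clock and the example.com record are all constructed
# stand-ins so the demo runs offline.
import time
from dataclasses import dataclass


@dataclass
class Entry:
    rrset: list         # answer records (here just IPv4 strings)
    ttl: float          # TTL in seconds as returned by the upstream
    inserted_at: float  # clock reading when the answer was cached

    def remaining(self, now: float) -> float:
        return self.ttl - (now - self.inserted_at)


class PrefetchingCache:
    """Serve from cache; when an entry is within prefetch_window seconds of
    expiry, queue it for refresh instead of letting it lapse."""

    def __init__(self, upstream, clock=time.monotonic, prefetch_window=2.0):
        self.upstream = upstream            # callable: name -> (rrset, ttl)
        self.clock = clock
        self.prefetch_window = prefetch_window
        self._cache = {}
        self._pending = []                  # names queued for background refresh
        self.upstream_calls = 0             # total queries sent upstream
        self.blocking_lookups = 0           # client lookups that had to wait

    def _fetch(self, name: str) -> Entry:
        rrset, ttl = self.upstream(name)
        self.upstream_calls += 1
        entry = Entry(list(rrset), ttl, self.clock())
        self._cache[name] = entry
        return entry

    def resolve(self, name: str) -> list:
        now = self.clock()
        entry = self._cache.get(name)
        if entry is None or entry.remaining(now) <= 0:
            # Cold or expired: the client pays for the upstream round trip.
            self.blocking_lookups += 1
            entry = self._fetch(name)
        elif entry.remaining(now) <= self.prefetch_window and name not in self._pending:
            # Still valid but about to expire: answer now, refresh later.
            self._pending.append(name)
        return entry.rrset

    def run_background_refresh(self) -> int:
        """Stand-in for the asynchronous worker: re-resolve queued names."""
        names, self._pending = self._pending, []
        for name in names:
            self._fetch(name)
        return len(names)


def demo(prefetch_window: float):
    """Replay one lookup pattern; return (upstream_calls, blocking_lookups)."""
    now = [1000.0]                                      # fake monotonic clock
    records = {"example.com": (["192.0.2.10"], 10.0)}   # constructed, TTL 10 s
    cache = PrefetchingCache(records.__getitem__, clock=lambda: now[0],
                             prefetch_window=prefetch_window)
    cache.resolve("example.com")      # t=0:  cold miss, client blocks
    now[0] += 5
    cache.resolve("example.com")      # t=5:  5 s left, plain cache hit
    now[0] += 3
    cache.resolve("example.com")      # t=8:  2 s left, inside the window
    cache.run_background_refresh()    # worker refreshes, no client waiting
    now[0] += 4
    cache.resolve("example.com")      # t=12: original TTL is gone; with
                                      # prefetch the refreshed entry has 6 s left
    return cache.upstream_calls, cache.blocking_lookups


if __name__ == "__main__":
    print("with prefetch   :", demo(3.0))   # (2, 1)
    print("without prefetch:", demo(0.0))   # (2, 2)
```

Both runs send the same number of queries upstream; the difference is who waits for them. With prefetching the client only ever blocks on the cold miss, which is the effect Google is describing.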
When it comes to security, Google is trying hard to prevent cache poisoning attacks, in which a forged answer is slipped into a resolver's cache so that every client asking for that name is sent to an attacker's address. “Google has implemented several recommended solutions to help guarantee the authenticity of the responses it receives from other nameservers, and to ensure our servers are not used for launching DoS attacks,” Google explains, “These include adding entropy to requests, rate-limiting client traffic, and more.” The entropy is the point: an attacker who cannot see the outgoing query has to guess the transaction ID and the source port before the genuine answer arrives, and every extra random bit multiplies the number of forged packets needed.
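What "adding entropy to requests" looks like in practice, as an added example (my code, not Google's): a minimal DNS message codec that puts a random transaction ID and DNS 0x20 case randomisation of the query name into the query, then accepts a reply only if it echoes both and arrives from the address and port the query was sent to (source-port randomisation, the third source of entropy, is represented by that address check). The resolver address 8.8.8.8 is from this article; the reply contents, the fixed random seed and the off-path address 203.0.113.7 are constructed for the demo, and nothing is sent on the wire.

```python
# Added example (not Google's code): the entropy Google's text refers to,
# modelled with a minimal DNS message codec. A random transaction ID and
# DNS 0x20 case randomisation of the query name go into the query, and a
# reply is accepted only if it echoes both and comes from the address:port
# the query went to. Every message here is constructed in memory.
import random
import secrets
import struct

QTYPE_A, QCLASS_IN = 1, 1


def randomize_case(name: str, randbits=secrets.randbits) -> str:
    """DNS 0x20: flip each letter's case at random. Servers echo the
    question byte-for-byte, so a forger must also guess this pattern."""
    return "".join(
        (ch.upper() if randbits(1) else ch.lower()) if ch.isalpha() else ch
        for ch in name
    )


def encode_name(name: str) -> bytes:
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        wire += struct.pack("B", len(raw)) + raw
    return wire + b"\x00"


def build_query(name: str, txid=None, randbits=secrets.randbits):
    """Return (txid, qname_as_sent, wire_message) for an A query."""
    txid = randbits(16) if txid is None else txid
    qname = randomize_case(name.rstrip("."), randbits) + "."
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    return txid, qname, header + question


def parse_header_and_question(msg: bytes):
    """Return (txid, flags, qname) from a message carrying one question."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return txid, flags, ".".join(labels) + "."


def validate_response(sent_txid, sent_qname, sent_to, reply, reply_from):
    """Accept the reply only if every piece of entropy round-trips."""
    if reply_from != sent_to:
        return False, "reply not from the address:port we queried"
    txid, flags, qname = parse_header_and_question(reply)
    if not flags & 0x8000:
        return False, "QR bit clear: not a response"
    if txid != sent_txid:
        return False, "transaction ID mismatch"
    if qname != sent_qname:                 # case-sensitive on purpose
        return False, "question name case mismatch (0x20 check)"
    return True, "ok"


def make_reply(txid: int, qname: str, ip: str = "192.0.2.1") -> bytes:
    """Constructed response: echoes the question and adds one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR, RD, RA
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + question + answer


def demo():
    """Genuine reply accepted; three forgeries rejected for three reasons."""
    resolver = ("8.8.8.8", 53)                      # where the query went
    rng = random.Random(20091203).getrandbits       # fixed seed: reproducible demo
    txid, qname, _query = build_query("www.example.com", randbits=rng)
    checks = {
        "genuine": validate_response(
            txid, qname, resolver, make_reply(txid, qname), resolver),
        "wrong_txid": validate_response(
            txid, qname, resolver, make_reply(txid ^ 0x5555, qname), resolver),
        "wrong_case": validate_response(
            txid, qname, resolver, make_reply(txid, qname.swapcase()), resolver),
        "off_path_src": validate_response(
            txid, qname, resolver, make_reply(txid, qname), ("203.0.113.7", 53)),
    }
    return {name: ok for name, (ok, _reason) in checks.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s} accepted={ok}")
```

A production resolver does more than this: it also checks the question type and class, ignores records outside the bailiwick of the server it asked, and, as Google's text notes, rate-limits clients so the resolver cannot be turned into a reflector. The part shown here is the bit that makes blind spoofing expensive.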
“The average Internet user ends up performing hundreds of DNS lookups each day, and some complex pages require multiple DNS lookups before they start loading. This can slow down the browsing experience,” explains Prem Ramaswami, product manager at Google, “Our research has shown that speed matters to Internet users, so over the past several months our engineers have been working to make improvements to our public DNS resolver to make users’ web-surfing experiences faster, safer and more reliable.”
Google has put together a document with configuration instructions for Google Public DNS on Windows, Mac OS X, Linux, routers and other devices. Google itself warns that changing these settings is for advanced users only, so take that as a caution: a mistyped resolver address leaves you with no name resolution at all.
The obvious concern here is privacy, and so far the news looks good. Google explicitly states that “Google Public DNS never blocks, filters, or redirects users”. Good, but what about logging? The privacy policy for Google Public DNS is very reasonable, says Lauren Weinstein, co-founder of PFIR (People For Internet Responsibility) and founder of the PRIVACY Forum.
“Google has obviously recognized the sensitivity of this issue,” Weinstein writes, “Their separate privacy policy for the Google Public DNS strikes me as utterly reasonable, particularly given its very rapid (24-48 hours) deletion of what I would consider to be the key privacy-sensitive data.”
If you’re adventurous, feel free to try it out.
Is it me, or is google going to own everything critical to life in future – your connectivity, your access to information, it’ll choose what you can and can’t see, it’ll know you and your thoughts and habits better than you, … it’ll be more powerful than any government.
edit – “google respects privacy and never redirects, blocks” – we’ve seen this to be false. Google v China?
Edited 2009-12-03 23:03 UTC
They said they wouldn’t do that for the DNS — it has a completely separate privacy policy, like it said in the article.
And I’ll cut Google some slack there. A totalitarian government comes to you and says you can either censor some things or get out. Assuming that you care at all about getting information to the citizens who need it… as a search provider from a less totalitarian country, can you help most by getting out or by staying in the game? And yes. Despite my criticisms of my home country, I do think that we are less totalitarian than China.
Edited 2009-12-04 01:19 UTC
You’re exactly right, and besides, no one forces people to use Google. It’s only useful to a totalitarian or other oppressive regime if said regime controls the company. Fortunately for us, there is no Oceania in existence to use such a tool against its citizens.
//I do think that we are less totalitarian than China. //
Ya think?
So long as the technology is open (as are a lot of their technologies) then developers can use Google’s R&D for their products (so long as said developers don’t infringe on Google’s license)
Sure, Google might own the code, but unfortunately the big leaps can only be accomplished by corporations with big budgets.
So I’d favour corporations like Google and Sun (RIP) who open their technologies over corporations like Microsoft and Apple who close theirs.
That’s a whole other debate.
Google were faced with the choice of being censored or banned entirely. At least this way, they can provide some service even if it’s a limited one.
In a free country, Google will still stick to their “freedom” policy (as proven with the Google vs White House case recently regarding photoshopped pictures of the US President’s wife).
What do you suggest? Should a corporation act against governmental law? Consequence? It will be kicked out of the country and justifiably so.
You should respect the laws of the country you’re doing your business in!
Censorship sucks but constitutionality is more important. In Germany there is also censorship and Germany is a democracy but nobody talks about German or EU censorship because China is the bad red guy?
To the point: Corporations should obey the law of the countries they are doing their business in, and Google did. Whether this law is “right” or “false” is a completely other question.
Edited 2009-12-04 13:20 UTC
So if South Africa were still under Apartheid, and the government made laws prohibiting websites which were critical of the system and called for reform, you would support Google in its decision to go ahead and delist & block those sites? It is after all, the law, right?
Wait, what? I assume by ‘constitutionality’, you roughly mean sovereignty, or a government’s right to have its own laws. And assuming that, I’ll completely disagree! You realize what you’re saying? You’re saying that a government’s rights are somehow MORE important than the people of that country. Nope, sorry, a government is there to serve its people. “The government” as some entity does not have more rights than human beings. At least, it shouldn’t.
The censorship in Germany is completely different than the censorship in China. Don’t even pretend they’re comparable. This isn’t about unfounded anti-red anger; I don’t care what label you give China’s government: call it communist, call it a Democracy for all I care. What matters are the pervasive human rights violations perpetrated against anyone who dissents against a government run by a small, elitist, racist, sexist minority which seeks only its own benefit at the peril of its people and squelches out those who would have it another way.
Why do you put right and false in quotes? There is Truth. Not everything is relative. For example, this is True: laws exist for the good of people. They exist so people can live and flourish safely. The second they cease to be for the good of people they cease to be valid laws. To paraphrase what Martin Luther King wrote in an Alabama jail, an unjust law is not a law worth following. Google’s decision to go along with the demands of China’s government is motivated by profit alone. At very least they should refuse to do business there.
So now they want to own also your DNS traffic?
Scary.
Somehow this doesn’t quite reassure me:
Edited 2009-12-03 23:17 UTC
Not at all. They own your email. Your spreadsheets. Your wordprocessing documents. Your search history. Your browsing history. The successor to the http protocol. And DNS. Your old Usenet posts. And, oh, all the satellite imagery of your work, home, and the neighborhood where any mistress might live.
That’s a long way from owning you. And besides, they’re going to make it all faster.
Only after you start using Chromium OS will they own you outright.
Edited 2009-12-03 23:21 UTC
“The Party seeks power entirely for its own sake. We are not interested in the good of others; we are interested solely in power. Not wealth or luxury or long life or happiness: only power, pure power. What pure power means you will understand presently. We are different from all the oligarchies of the past, in that we know what we are doing. All the others, even those who resembled ourselves, were cowards and hypocrites. The German Nazis and the Russian Communists came very close to us in their methods, but they never had the courage to recognize their own motives. They pretended, perhaps they even believed, that they had seized power unwillingly and for a limited time, and that just round the corner there lay a paradise where human beings would be free and equal. We are not like that. We know that no one ever seizes power with the intention of relinquishing it. Power is not a means; it is an end. One does not establish a dictatorship in order to safeguard a revolution; one makes the revolution in order to establish the dictatorship. The object of persecution is persecution. The object of torture is torture. The object of power is power.”
They’ll do it by taking advantage of ignorance, apathy and distraction.
adbusters.org
Heh.
“Leela: Didn’t you have ads in the 21st century?
Fry: Well sure, but not in our dreams. Only on TV and radio, and in magazines, and movies, and at ball games… and on buses and milk cartons and t-shirts, and bananas and written on the sky. But not in dreams, no siree.”
Is it just me, or has Google gone from “just maybe evil” to “absolutely, unmistakeably, totally, 1984 style evil” since they started trying to replace the Internet’s actual underlying infrastructure with their own stuff? Say… in the last few weeks?
No, it is not just you.
I don’t know what is the most frightening thing about this all. That one company controls everything for those poor souls that get along with it? Or that the future of the internet looks more and more commercial? Or that the future of the internet looks much like the television, spiced up with advertisements from the Cloud and 1984-style infrastructure for the possible 1984-style controls in the future?
Well they’re doing it using the standards. So really – anyone could come along and do the same thing. There’s no tie-in to Google. You are free to use Google or not to use Google – it’s your choice.
As opposed to Microsoft who does it with their own pseudo-standards that only work with Microsoft and Microsoft Partner software.
I’d say that’s not being evil [EDIT ->] on Google’s part.
Edited 2009-12-04 15:43 UTC
I’m kind of on the fence about Google. On one hand, they’re approaching Microsoft-levels of dominance in several areas – but on the other hand, they do seem to have largely come by it honestly (by putting out stuff that usually works well). And while I don’t really like the idea of Google having an undue amount of influence over fundamental Internet technologies, it does appear that they’re acting out of “enlightened self-interest.”
I’ll probably reserve judgment until I see Google do something actively, unambiguously evil – as opposed to actions that are potentially-evil. But I certainly wouldn’t, e.g., use Google Docs to store any sensitive information, or use GMail-for-domains for company EMail.
It’s a slippery slope, and I can’t even imagine why I would ever want to use Google’s DNS servers. Ever. Certain infrastructure should never be monopolized by a single company — and, clearly, Google aims to do precisely that.
Edited 2009-12-04 03:45 UTC
And, somehow, by offering you the choice to use their DNS resolvers, they’re planning to monopolize the infrastructure of the Internet? You might want to put the tinfoil hat away and get a little perspective. Verisign’s old plan to redirect invalid queries to ad pages does much more harm than a choice of another DNS resolver.
I am getting a ping time of about 180ms to these Google DNS servers from New Zealand. It is probably hitting their US or Japan servers. Would be lower if they had DNS in Australia but doesn’t appear to be the case.
Get 10ms to my ISP DNS servers. It is unlikely their lookups would be slower than going across the Pacific ocean to Google.
Yeah, it’s kind of an odd idea, this one. Their implementation might be good, but an ISP also offers a caching name server, as near to my computer as can possibly be achieved… I don’t see how Google can offer any real advantage over that…
I don’t know how NZ ISPs behave, but the ones most people use in North America are slimy, paint-huffing crack addicts.
AFAIK “all” of the big ISPs in Canada and the US are hijacking failed DNS requests to redirect you to their own services instead of just telling you it’s a bad host name.
My ISP (Teksavvy) doesn’t, but they’re a rather small player compared to Rogers and Bell.
I think almost all ISPs here don’t hijack DNS. You simply get the “Page not found” error in your web browser.
Rogers Cable certainly does, I haven’t seen that from Aliant/Bell yet (just a matter of time, though, since the two appear to be on a relay-race-to-the-bottom). They have some sort of partnership with Yahoo, so failed lookups redirect you to a Rogers-branded Yahoo search page.
For my money, the most annoying thing is that it breaks Firefox’s ability to keep invalid URLs out of the auto-complete history. Fortunately, it’s fairly simple to “fix” by adding the URL of the search page to your hosts file, pointed at 127.0.0.1 (the old-school ad blocking trick).
Now everyone should get out of google search engine, including OSAlert before 2084.
Orson? Wells? Orwell?
Edited 2009-12-03 23:59 UTC
It’s Welles, Wells was the novelist that wrote the book.
H.G.? I thought he wrote “Princess of Mars”. Orson Welles did “The War of the Worlds” on radio, and that thing about “Rosebud” on the silver screen. George Orwell wrote the book about Microsoft, Google, and Carnivore. And that other one about the pigs.
Edited 2009-12-04 02:39 UTC
H.G. Wells wrote War of the worlds, Orson Welles just read it on radio.
Yah, duh, just use Google to look up …. nevermind.
Or at least, use proper, for this case, DNS IP addresses: 6.66.6.66 or 66.6.66.6
Fortunately for me my name is out of Google (I did a test) and from FaceBook.
Try search “Hiev comments”. Scary.
I don’t see myself using Google DNS service in any period of my entire life. We have enough “big brothers” already in our societies and making them even more powerful is out of the question to me.
yes, but my real name is no Hiev.
Being “visible” on the Internet is often a side effect of having contributed to our common culture – by leading a charity campaign, publishing and presenting technical papers, or creating new media such as books, audio, video, or software. While I suppose you could use a fake name for your contributions, is that really better than using your “real” name?
Guess I’m more puzzled by your view that on-line anonymity is a valuable goal. *shrugs*
Edited 2009-12-04 12:35 UTC
Anonymous altruism is the best.
this is probably just for chrome os and browser
building in their own dns server was probably found to be an easy way to reduce configuration trouble (less to do with it built in) and downtime (google is confident they are better than your ISP)
I don’t see how this benefits my domain name. Once it’s in your local DNS cache, hell, your ISP’s DNS cache, it’s as fast as it’ll get, no? And a one time lookup saves my visitors some odd milliseconds once? And all my base are belong to google afterwards?
I like it, it is fast.
-t
“apt-get install bind”, and putting “nameserver 127.0.0.1” in /etc/resolv.conf, is faster.
Sure, until you update to Lactating Llama and it borks all your conf files.
Any advantage to this over OpenDNS.com?
I don’t think so, at least not from London (Virgin):
ping 208.67.222.222 (opendns)
rtt min/avg/max/mdev = 15.446/15.996/16.719/0.543 ms
ping 8.8.8.8 (google)
rtt min/avg/max/mdev = 22.754/24.848/31.586/3.396 ms
ping 4.2.2.3 (level3)
rtt min/avg/max/mdev = 16.166/16.956/17.564/0.594 ms
Sure, not really a benchmark, but better than nothing.
So for me, opendns and level3’s “open” dns are better.
But the absolute best:
rtt min/avg/max/mdev = 0.044/0.044/0.045/0.005 ms
You guessed, 127.0.0.1
Your own DNS still needs forwarders to ask when you enter new URLs.
Ping isn’t really a good way to test a DNS server’s response time. However my tests pretty much bear out what yours implied:
slight@flight@12:34:02:~$ dig yahoo.com@8.8.8.8
; <<>> DiG 9.6.1-P1 <<>> yahoo.com@8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;yahoo.com\@8.8.8.8. IN A
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2009120400 1800 900 604800 86400
;; Query time: 200 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Dec 4 12:34:16 2009
;; MSG SIZE rcvd: 110
slight@flight@12:34:16:~$ dig yahoo.com@4.2.2.2
; <<>> DiG 9.6.1-P1 <<>> yahoo.com@4.2.2.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58477
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;yahoo.com\@4.2.2.2. IN A
;; AUTHORITY SECTION:
. 86400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2009120400 1800 900 604800 86400
;; Query time: 128 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Dec 4 12:34:29 2009
;; MSG SIZE rcvd: 110
slight@flight@12:34:29:~$ dig yahoo.com@127.0.0.1
; <<>> DiG 9.6.1-P1 <<>> yahoo.com@127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12802
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;yahoo.com\@127.0.0.1. IN A
;; AUTHORITY SECTION:
. 86400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2009120400 1800 900 604800 86400
;; Query time: 60 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Dec 4 12:34:40 2009
;; MSG SIZE rcvd: 112
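A way to measure what this thread is arguing about, as an added example (my own script, not something any of the posters ran): ask dig for its Query time, repeat a few times so the cold miss and the warm hits are visible separately, and read the SERVER line, which tells you which resolver actually answered. Note the space before the server argument: `dig name @server` selects a server, while `dig name@server` is a single (nonexistent) name sent to whatever /etc/resolv.conf points at, which is exactly what a SERVER line that does not match your intended resolver reveals. The script assumes `dig` is on PATH for the live measurement; `parse_dig()` is pure and runs offline on captured text, and the sample output embedded below is constructed in the format shown above.

```python
# Added example (my own script, not from the thread): measure a resolver
# the way dig reports it and confirm which server answered. Assumes `dig`
# is on PATH for time_resolver(); parse_dig() is pure and runs offline.
import re
import statistics
import subprocess
import sys

QUERY_TIME = re.compile(r"^;; Query time: (\d+) msec", re.MULTILINE)
SERVER = re.compile(r"^;; SERVER: ([^#\s]+)#(\d+)", re.MULTILINE)

# Constructed sample in the format seen in the thread: the query was meant
# for 127.0.0.1 but the SERVER line shows who really answered.
SAMPLE_OUTPUT = """\
; <<>> DiG 9.6.1-P1 <<>> yahoo.com@127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12802
;; Query time: 60 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""


def parse_dig(output: str, intended_server: str) -> dict:
    """Pull Query time and the answering server out of dig's output and
    flag the case where the query did not go where you think it did."""
    qt = QUERY_TIME.search(output)
    srv = SERVER.search(output)
    if qt is None or srv is None:
        raise ValueError("no answer in dig output (timeout or parse failure)")
    answered_by = srv.group(1)
    return {
        "query_time_ms": int(qt.group(1)),
        "answered_by": answered_by,
        "went_to_intended_server": answered_by == intended_server,
    }


def time_resolver(server: str, name: str = "www.example.com", runs: int = 5) -> dict:
    """Query `name` at `server` several times. The first run usually pays
    for a cache miss on the resolver; the rest show its cached latency."""
    samples, answered_by = [], None
    for _ in range(runs):
        # Space before '@': this selects the server rather than naming a host.
        proc = subprocess.run(["dig", "+tries=1", "+time=2", name, "@" + server],
                              capture_output=True, text=True, check=False)
        result = parse_dig(proc.stdout, server)
        if not result["went_to_intended_server"]:
            raise RuntimeError(f"answered by {result['answered_by']}, not {server}")
        samples.append(result["query_time_ms"])
        answered_by = result["answered_by"]
    warm = samples[1:] or samples
    return {
        "server": server,
        "answered_by": answered_by,
        "cold_ms": samples[0],
        "warm_median_ms": statistics.median(warm),
    }


def demo() -> dict:
    """Offline run over the constructed sample."""
    return parse_dig(SAMPLE_OUTPUT, "127.0.0.1")


if __name__ == "__main__":
    print("sample:", demo())
    for server in sys.argv[1:] or ["8.8.8.8", "208.67.222.222", "4.2.2.2"]:
        try:
            print(time_resolver(server))
        except (ValueError, RuntimeError) as exc:
            print(server, "failed:", exc)
```

Run it with the resolver addresses you want to compare as arguments. The warm median is the number that matters for the caching argument made elsewhere in this thread; the cold figure tells you how far the resolver has to go when it does not have the answer.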
It’s by google. Come on, that alone should make you wet your pants in excitement.
Also, it has no blocking feature so obviously it’s really good for companies where..uhmm…you want to…ehh…control access…never mind.
It’s by Google!
None of that redirection when you misspell a domain, unlike OpenDNS. You can turn this off with OpenDNS but IIRC you have to have an account and maybe even install some sort of client software for it to work.
This is great if you are a Comcast customer.
Why not just run your own DNS server? It’s just a few keystrokes.
Or just use OpenDNS, which is even simpler.
A local caching nameserver is much faster than OpenDNS.
I said simpler, not faster.
Plus you can use both.
If I were truly paranoid, I’d think that Google’s best advertisers would control my browsing experience with this and I’d be directed to a page where I had to buy something before I could continue.
However, I think everyone outside Google is a bit spooked by their all-encompassing range of products to let them go too far. In a battle with the Chinese government, they always seem to cooperate, which seems odd.
Most of the U.S.A. could probably benefit from their DNS, regardless of where it takes them. In my experience the DNS always seems to be a weak link. If you don’t mind being watched even more, this could be positive.
I can’t understand why the appearance of a Google DNS is suddenly the second coming of Stalin.
It’s a DNS. Not a proxy. Google can’t track your internet activities with a DNS. Theoretically they could know what unique websites you go to, but they already get a lot of this information from their ads, and they get more information from their search engine.
If you’re paranoid, then don’t use the Google DNS. By default, all internet connections will use their ISP’s DNS anyway which makes Google’s DNS very much an opt-in proposition.
Now everybody, let’s stop being so silly.
Well, which specific web sites you visit could be valuable info to Google. Still, apart from getting additional advertisement data (damn you and your ads, Google!) I can’t see what advantage there would be to this. Unless your ISP’s DNS is so horribly slow, it will always be faster to use that over Google’s.
It almost seems like Google wants to have one of every internet-related service just for the sake of having it, whether it’s actually useful or not.
A lot of the posts about how this can’t be faster than their local ISP’s DNS server simply don’t seem to understand how DNS works…
First off, comparing ping times to the DNS server itself is meaningless – you are just measuring the 1st hop. The point of Google’s implementation is that (for a majority of popular sites) there is _never_ any additional hops. Your local ISP’s server may _frequently_ have the answer to a query cached, but it is guaranteed to expire every so often (the authoritative server’s TTL), so it will at least occasionally have to perform a recursive query. I used to be the admin of a small ISP. You would be quite surprised how unique traffic patterns are – the vast majority of what was in our caches was there because of a single customer. If they didn’t show up for work the next day, the entry would likely expire… Sure it is a shared cache, but that doesn’t mean a whole lot when everyone is going to different sites.
A recursive query hits the root servers to get the authoritative server for the domain. Then it has to query that server. This may go through multiple cycles to get an answer, although it is usually only 2 round trips. The point is that THAT traffic is on the backside of the DNS server (it has nothing to do with your locality to _your_ DNS resolver).
So, would you rather have that backside traffic being transferred over you local ISP’s rinky-dink connection to the internet, or Google’s? I don’t have any special knowledge of this, but I would be quite surprised if Google’s DNS servers had to send packets very far to get to the root servers…
Anyway, the usefulness of this, imo, depends a lot on the resources of your ISP… The fewer customers sharing your ISP’s DNS server the less useful its cache is going to be. Orthogonally, the more customers your ISP has the more burden their server is under, which depending on their hardware and network resources may prove to be a bottleneck.
Regardless, I’m not saying Google’s servers will always be better, but they certainly _can_ be better under the right conditions.
To me, the ideal scenario for all of you hardcore geeks out there is to run your own caching DNS server on your machine, and have it use Google’s server as a forwarder. That would let you maintain your cache locally to speed up cached responses, but non-cached queries would be handled by Google’s servers, which _may_ perform better than your ISP’s server (and would almost certainly perform better than doing your own recursive queries). You would have to measure and see, but measuring this way would be meaningful as opposed to measuring simple ping times…
I tried it, it was way slower than AT&T’s DNS.
I for one welcome our new google overlords.
While google may be a little evil, changes like this still feel like that small triumph of technology over “Business objectives”. I have a hick ISP with an over the air connection and my DNS lookup time is terrible.
I’ve switched my router to default to google and secondary to the local ISP.
Now, if google would only assign me a nice, unique serial code I could feel complete..
Morglum
found in Google’s hosts file:
127.0.0.1 bing.com
I’ve been using and recommending OpenDNS for awhile, and the performance of OpenDNS + my Untangle server is much better than my old Netgear plus ISP provided DNS. And I have the added protection of both OpenDNS and the Untangle box filtering crap, and I control the filtering.
… and ignoring the “they’re going to see what domain names I’m looking up” tinfoil hat nonsense, this is going to be a godsend for people whose ISPs are inept at responding to DNS requests (Time Warner Cable that I’m on for example) or for people with servers whose hosting provider provides slow/buggy/painful reverse lookups – making things like user tracking/banning on forums painful. (much less hostname lookups)
I’m wondering though on the ‘faster’ part if that’s going to be placebo effect more than fact. While I’m certain their monster server farms are more likely to respond to a request quickly since they can leverage more database processing power than your average ISP puts in place for the job – is that difference going to make up for what should be longer ping time and more hops to get there than your own ISP…
Well, hang on, let’s test that… by pinging google DNS
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=38ms TTL=244
Reply from 8.8.8.8: bytes=32 time=27ms TTL=244
Reply from 8.8.8.8: bytes=32 time=24ms TTL=244
Reply from 8.8.8.8: bytes=32 time=24ms TTL=244
Wow, that’s pretty damned fast… Let’s see what my time-warner DNS returns for ping time here in New England:
Pinging 209.18.47.61 with 32 bytes of data:
Reply from 209.18.47.61: bytes=32 time=33ms TTL=115
Reply from 209.18.47.61: bytes=32 time=30ms TTL=115
Reply from 209.18.47.61: bytes=32 time=30ms TTL=115
Reply from 209.18.47.61: bytes=32 time=27ms TTL=115
Hmm, that’s impressive then, for me at least google pings about the same as my ISP’s DNS server… Which means if google’s DNS lookups run faster than my ISP’s…
SHWEET.
Oh noes, the evil corporations are giving us a free service with improved security… Those of you kvetching about it, do us a favor and go back to figuring out who shot JFK and talking about how listening to a crunchy groove is going to show those evil Eichmanns.
Edited 2009-12-05 18:23 UTC