On Google's Public DNS Service
Cricket Liu (Infoblox)
With the press frenzy over Google's announcement of their Public DNS Service, you'd think that they'd announced that they had taken over running the root name servers. At the very least, the press is presenting it as a power grab, a way for Google to insert themselves into still more Internet transactions. Others have suggested that Google's looking to replace the Internet's DNS infrastructure entirely, and possibly introduce new, private top-level domains. (I'm skeptical about this.)
What is Google really doing? Put simply, they're offering recursive name service from their cloud, based on their own implementation of a recursive name server. From the writeup, they included nearly every anti-spoofing mechanism known to man in their name server, which means it should be highly resistant to cache poisoning. I say "nearly" because they don't support the DNS Security Extensions yet, so they can't take advantage of the long-term solution to cache poisoning, which is being deployed either "soon" or "now," depending on what part of the namespace you live in. They also pre-fetch information about popular domain names, which should provide better performance than your average recursive name server.
They pointedly don't do NXDOMAIN redirection, which is intercepting responses that would normally return a "No such domain name" reply and replacing them with the address of a web server. Once you're there, the web server typically tries to guess which domain name you meant to type, and probably displays some ads, too. Companies including OpenDNS use this technique, ostensibly to try to help users find what they're after, but also to generate cash to fund their operations.
Google stops short of calling NXDOMAIN redirection evil, but they plainly don't like it. Others have reservations about NXDOMAIN redirection, too: Many Internet services count on DNS to return those "No such domain name" responses. For example, mail servers often check to see whether the domain name used in an email address really exists to help decide whether the email is spam or not. But NXDOMAIN redirection makes every domain name look like it exists.
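A resolver that redirects NXDOMAIN can be told apart from an honest one with a single query for a name that cannot exist: an honest resolver answers with RCODE 3 (NXDOMAIN), a redirecting one answers NOERROR with an A record pointing at its web server. The following Python is an added example, not code from the original post or from Google or OpenDNS; it builds and parses DNS messages with only the standard library, and the offline demo uses constructed responses (the redirect target 192.0.2.10 is a TEST-NET-1 placeholder). The `probe_resolver` function, which sends a real query, assumes the probe zone `example.com` resolves normally so that a random label under it is guaranteed not to exist. The same check is what a mail server's "does this sender domain exist?" test silently loses behind a redirecting resolver, since every name then classifies as existing.

```python
"""Detect NXDOMAIN redirection by a recursive resolver (added example)."""
import os
import random
import socket
import struct
from typing import Optional

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def build_query(qname: str, qid: Optional[int] = None) -> bytes:
    """Build a recursive A/IN query for qname in RFC 1035 wire format."""
    if qid is None:
        qid = random.randrange(0, 65536)  # random ID: one of the anti-spoofing basics
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Extract the ID, RCODE and any A-record addresses from a DNS response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[off:off + rdlen]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0x0F, "answers": addresses}


def classify(parsed: dict) -> str:
    """Honest resolvers say NXDOMAIN; redirecting ones invent an address."""
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return "honest"
    if parsed["rcode"] == RCODE_NOERROR and parsed["answers"]:
        return "redirecting"
    return "unknown"  # SERVFAIL, REFUSED, empty NOERROR, etc.


def build_response(query: bytes, rcode: int, addresses: list) -> bytes:
    """Construct a response to `query` for the offline demo (test data, not captured)."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode  # QR, RD, RA plus the requested RCODE
    header = struct.pack("!HHHHHH", qid, flags, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        # 0xC00C: pointer to the question name at offset 12; TTL 60; RDLENGTH 4
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + query[12:] + answers


def probe_resolver(resolver_ip: str, zone: str = "example.com", timeout: float = 2.0) -> str:
    """Live check: ask resolver_ip for a random label that cannot exist under `zone`."""
    qname = f"nx-{os.urandom(6).hex()}.{zone}."
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    parsed = parse_response(data)
    if parsed["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("response ID does not match query; discarding")
    return classify(parsed)


def demo() -> tuple:
    """Offline demonstration on two constructed responses to the same query."""
    query = build_query("nx-7f3a9c.example.com.", qid=0x1234)
    honest = build_response(query, RCODE_NXDOMAIN, [])
    redirect = build_response(query, RCODE_NOERROR, ["192.0.2.10"])  # constructed redirect target
    return classify(parse_response(honest)), classify(parse_response(redirect))


if __name__ == "__main__":
    print(demo())  # ('honest', 'redirecting')
```

Run `demo()` for the offline walk-through, or `probe_resolver("8.8.8.8")` against a resolver you are allowed to query to see which behaviour it exhibits; a single random label is enough, because a redirecting resolver rewrites every NXDOMAIN, not just popular typos.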
Does that mean that you should dump OpenDNS and move to Google's Public DNS service? That depends on your needs and your priorities. OpenDNS does more than NXDOMAIN redirection: They maintain a dynamic list of domain names associated with different kinds of malicious (or simply unproductive) activity, and if you inadvertently try to look up one of these, they'll head you off. And they provide the ability to customize this behavior and choose, category by category, which types of domain names you don't want your users to resolve. (For their part, Google's blog suggests they disapprove of this kind of blacklisting, too.) Plus OpenDNS runs the same kind of anycast infrastructure Google does, and they have their own tricks for improving performance.
If you don't need or want NXDOMAIN redirection or OpenDNS's blacklisting capabilities, why wouldn't you use Google's service? Well, there's no SLA, first of all - Google's refreshingly candid about that. And there's no such thing as a free lunch: Google will undoubtedly analyze your DNS "query stream" to their advantage, though they've published a data privacy policy that says that they'll anonymize the record of your queries before they throw it in their big hopper. But heck, if you use your ISP's name servers, you're giving them your query stream, too, and your ISP probably has no published privacy policy.
So the upshot is that Google looks like another worthy entrant into the world of cloud-based recursive name service, but it's by no means a juggernaut. I think it's great that they offer a functionally and philosophically different flavor of DNS to users - choice is generally good, after all - but I also think there are lots of folks who find what OpenDNS does useful. Even the purists who are morally opposed to NXDOMAIN redirection might be uneasy using Google's name servers, since those same purists are more likely to worry about the privacy of their query stream.
And we should keep in mind that all of this is really a tempest in a very modest teapot, since the user base we're so worried about consists only of the small percentage of people capable and motivated enough to reconfigure their computers' resolvers to use name servers other than the defaults.
12 comments
Dec 8, 2009 at 2:23 PM
Choice is very good. Glad to see more attention on the DNS space, as I'm sure you are.
For what it's worth, Dyn Inc. offers a free recursive DNS service that offers content filtering and phishing protection called DynDNS.com Internet Guide.
What makes it unique is that you get the content filtering while being able to disable the NXDOMAIN redirection if you so choose.
http://dyn.com/dd-nx-domain-redirection-opt-out
Dec 8, 2009 at 2:39 PM
DNS is one of the few 'crucial' services on the Internet.
Google is a large corporation, infiltrated by the CIA. (please check this for yourself!)
The Internet has the NWO on the run, yet is a key tool for them in the track and control grid, so although they threaten to shut it down (please check this out too!) ... they are loath to. It would seem more likely to me that they totally take it over. DNS would be a neato way to do so.
Thanks for listening. I encourage everyone out there to check this out for yourselves ... peace. :)
Dec 8, 2009 at 3:18 PM
OpenDNS does the same and has been online for some time.
The advantage of this is that you have more specific information about which sites the people are interested in, which are the point of access, etc.
Dec 8, 2009 at 3:43 PM
Very interesting article, although I confess I struggled with it a bit. Bookmarking - CIA or no :-)
BB
Dec 8, 2009 at 8:08 PM
I wonder how Google's introduction of this will impact existing CDN routing services like Akamai, LimeLight, AWS, etc. Will they use local caching or will all queries be returned from the west coast?
Dec 8, 2009 at 8:17 PM
Jack, Google's blog says that their DNS service is hosted on servers all around their infrastructure. Even though it looks like just two name servers (8.8.4.4 and 8.8.8.8), Google is using anycast to distribute queries to the closest instance to the querier. That won't always be right next-door, but it should still work for coarse-grained decisions by CDNs.
It's only fair to mention that both OpenDNS and DynDNS also use anycast to get you to their closest instance of a recursive name server.
Dec 9, 2009 at 5:09 AM
I'm surprised there's no mention of the long-standing anycasted resolvers run quietly by Level(3) and available to the public. Rodney fired those up in the Genuity days and (3) has kept them running (4.2.2.1 - 4.2.2.5). They tend to be suggested often on broadbandreports's fora and elsewhere to bypass service providers who can't run a simple recurser.
Several providers run on-net anycasted resolvers for their customers as well. Unfortunately, most of these don't seem to be limited to the provider's customers, so there are more open resolvers to worry about (http://www.team-cymru.org/Services/Resolvers/). Not sure how Google's entry into the realm does anything more than hurt there.
Dec 9, 2009 at 4:12 PM
Thanks for the analysis, Cricket - very helpful as always!
Dec 11, 2009 at 12:55 PM
"And we should keep in mind that all of this is really a tempest in a very modest teapot, since the user base we're so worried about consists only of the small percentage of people capable and motivated enough to reconfigure their computers' resolvers to use name servers other than the defaults."
Absolutely correct! I made the same point the other day -- it will be a very long time before a critical mass of users make the change, since the vast majority of consumers can't be bothered. BUT, if Google's entry makes ISPs take recursion more seriously, and take more seriously how they can make it more secure, then all the better.
Nice writeup.
Dec 13, 2009 at 2:19 PM
I agree wholeheartedly, Chris!
Jan 6, 2010 at 2:26 AM
What happens if an ISP decides to assign Google DNS for their ADSL users? Will it work properly?
I have seen an ISP having some problems with their DNS servers that has tried to assign Google DNS servers for a few days. I am not sure of the outcome of this, but this ISP has at least half a million ADSL subscribers.
Jan 6, 2010 at 10:19 AM
Sure, an ISP could hand out the anycast IP addresses of Google's name servers to their subscribers. Google's Public DNS FAQ says as much, though it cautions ISPs that the service has no SLA:
http://code.google.com/speed/public-dns/faq.html#isp