What Goes Around Comes Around: Google's Recursive DNS

Google's announcement about their DNS service is naturally making waves among the Interneterati. Some think it's risky (no, encryption won't help). Some think it's good for DNS in general. It's neither of these things. It's a DNS service that Google thinks will make browsing better and a potential research tool.

Mike Fratto

December 5, 2009

4 Min Read
NetworkComputing logo in a gray background | NetworkComputing

Google's announcement about their DNS service is naturally making waves among the Interneterati. Some think it's risky (no, encryption won't help).  Some think it's good for DNS in general. It's neither of these things. It's a DNS service that Google thinks will make browsing better and a potential research tool.

I don't have to speculate on why Google launched their DNS service. In the announcement, Prem Ramaswami, product manager, told us why they are doing it. "Our research has shown that speed matters to Internet users, so over the past several months our engineers have been working to make improvements to our public DNS resolver to make users' web-surfing experiences faster, safer and more reliable."

Research conducted by Google and research by other organizations into user behavior indicates similar results, pointing out that delays as small is half a second cause significant drop off rates. Google aims to improve performance by leveraging their existing clustering and HA technology and to do smart things like refreshing DNS names that expire so that they don't have to keep asking for the names over and over. It will be interesting to see the impact on sites that use DNS for load balancing.
Ramaswami  also said "As people begin to use Google Public DNS, we plan to share what we learn with the broader web community and other DNS providers to improve the browsing experience for Internet users globally." That's the research part. The benefits are going to be more for the organizations like large scale providers that run DNS, resolvers will hopefully be more efficient and effective at resolving domain names. That's a benefit for everyone, including Google.

Are there privacy concerns? Perhaps, but Google's own privacy policy seems pretty clear to me. They are not going to store identifiable information longer than 24-48 hours (for troubleshooting purposes) and in the long term storage, they won't even keep your IP address. Nor will they correlate queries with other activity they already know about if you use any of their services like Gmail, search, Apps and so on.Some have suggested that encrypting DNS would be beneficial. There is even an experimental draft, but there's no benefit in encrypting DNS. If an attacker can snoop on your DNS requests, it follows that they can probably snoop on your Internet traffic, thus, they already know where you're going by the only address that matters—the IP address of the host you are trying to reach. There are two cases that I want to address, however:

  • The IP address that you are contacting may be for a host that contains many web servers in a virtual hosting platform. Any of the low cost hosting sites like BlueHost or GoDaddy house many web sites per IP address. The only way to know which site you are talking to is to examine the HOST: header in the HTTP protocol. Like I already said, if an attacker can snoop on your DNS queries, they can probably snoop on your web traffic as well.

  • The other case is SSL web sites. SSL negotiation occurs before the HTTP request is made, and that means the HOST: header has not been sent yet. An SSL host has to have a dedicated IP address, so snooping the IP address of the destination SSL host is sufficient to see where you're going.

Encrypting DNS is not useful. In fact, it would make look-ups slower. Imagine the load a recursive DNS server would be under just encrypting and decrypting queries.

The question is, why would you want to use Google's DNS? The biggest benefit is going to be for consumers whose ISP hijacks DNS requests for names that don't exist and returns an address for an advertising page. These helpful pages from the companies like Verizon, Comcast, OpenDNS and others are supposedly to help you find what you were really looking for, but really the purpose is to point you to a page with paid links generating revenue for the provider. It's not helpful for you. It is helpful for the provider.

In reality, using DNS in this manner breaks applications. Paul Vixie penned a decent overview in ACM Queue What DNS Is Not. Vixie takes issue with a number of ways DNS is used beyond its original intention, such as location identification and load balancing, but those uses don't really break anything. Hi-jacking does. There are many applications other than web browsers (browsing is the most visible, natch) that use DNS for name resolution and we should expect there to be more in the future. For those applications to work properly, they need to receive notification that hostnames don't exist. As Vixie points out, since DNS redirection is a revenue generator, good luck getting providers to stop.

If you can't opt out from your providers DNS redirection (as a Verizon FiOS customer, I know their instructions on opting out of DNS Assistance are incorrect), then using Google Recursive DNS may be your only option. For most consumers, if they don't opt out, the only real impact will be a search screen for typo'ed addresses.

About the Author

Mike Fratto

Former Network Computing Editor

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights