* [gentoo-user] [OT] Google's public DNS service
From: walt @ 2009-12-08 2:11 UTC
To: gentoo-user
I just found out that Google is offering its DNS servers to the public
for free, as usual.
I know that anyone can use any DNS server that's exposed to the internet,
also for free, so what's the big deal about google?
Well, they say that their DNS servers are more resistant to cache poisoning
and other disgusting forms of toxicity:
http://code.google.com/speed/public-dns/docs/security.html
Any comments from you security geeks out there?
* Re: [gentoo-user] [OT] Google's public DNS service
From: Bill Kenworthy @ 2009-12-08 3:03 UTC
To: gentoo-user
Looks interesting ...
I think many ISPs use DNS to manage/direct traffic internally, so will
this bypass or break parts of their network for the Google DNS user?
Off the top of my head, the explanations I have seen give a reasonable
approach to security of your footprints as you travel the Internet, but
what they don't say is what happens if a legal entity requests the data;
all bets are off then, I think.
Google is a data aggregator - they already have your emails if even one
of the respondents you send to use a google a/c (and you may not even
know if there are redirects to a google a/c for a user) - how much more
do you want them to know? They know your search requests and have
access to data from many other sources as well - google toolbar
anyone :)
On the other side of the coin, they (and their partners) already pool a
huge amount of information in such a way as to be almost impossible to
avoid and use the Internet at all productively so I think your only
protection is to be very careful what you say and do in public and
private communications as you just do not know who is listening.
If you are using something like Tor to muddy your tracks, could using
google DNS give enough clues to hobble Tor? - not sure. Though they
(Tor) must have covered this I think.
Note that I am not thinking of "security" organizations here (though I
think Google and their competitors must be a data source too good to
ignore), but of commercial services like targeted advertising, SPAM and
other objectionable practices. It's not small-scale (one company) data
collection that concerns me, but Google's global reach and aggregation
of data.
Billk
On Mon, 2009-12-07 at 18:11 -0800, walt wrote:
> I just found out that google is offering its DNS servers to the public
> for free. as usual.
>
> I know that anyone can use any DNS server that's exposed to the internet,
> also for free, so what's the big deal about google?
>
> Well, they say that their DNS servers are more resistant to cache poisoning
> and other disgusting forms of toxicity:
>
> http://code.google.com/speed/public-dns/docs/security.html
>
> Any comments from you security geeks out there?
* Re: [gentoo-user] [OT] Google's public DNS service
From: Adam @ 2009-12-08 10:29 UTC
To: gentoo-user
> I know that anyone can use any DNS server that's exposed to the internet,
> also for free, so what's the big deal about google?
IMO a DNS server configured that way is poorly configured (unless you're
actually trying to run a public service, as Google is). Instead, the use
of BIND's allow-recursion statement (or equivalent) should limit
recursion to only the ISP's customers. So anyone can use the DNS to look
up any hosted zones, but only the ISP's customers can look up other zones.
The network will need anti-spoofing controls as well. FWIW, bigger ISPs
will split their DNS servers, with some dedicated to hosting zones and
others dedicated to recursive lookups.

Limiting recursion helps with amplification attacks.
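As an added illustration of the allow-recursion point above (this is not configuration from the thread or from any ISP, and the address ranges, zone name and file path are constructed placeholders), here is a BIND 9 named.conf sketch with the open-resolver setting beside the restricted one:

```conf
// Added example, not from the thread. Addresses are documentation ranges
// (RFC 5737 / RFC 3849), the zone and file path are constructed placeholders.

// --- Weak: recursion answered for any source address (an "open resolver") ---
// options {
//     recursion yes;
//     allow-recursion { any; };     // anyone on the internet can use the cache
// };

// --- Restricted: recursion only for the ISP's own customers ---
acl customers {
    192.0.2.0/24;        // constructed IPv4 customer range
    2001:db8::/32;       // constructed IPv6 customer range
    localhost;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };              // hosted zones stay answerable by anyone
    allow-recursion { customers; };    // only customers may resolve other zones
    allow-query-cache { customers; };  // cached answers are not served to outsiders
};

// A hosted (authoritative) zone: public, as the post describes.
zone "example.net" {
    type master;
    file "/etc/bind/db.example.net";   // constructed path
};

// On a box that only hosts zones (the split setup mentioned for bigger ISPs),
// recursion would simply be turned off:
// options { recursion no; };
```

With the restricted block, a query from outside `customers` for a name the server does not host gets a REFUSED response instead of a recursive lookup, which is what removes the server's usefulness as a reflector in the amplification attacks the post mentions. The anti-spoofing controls the post also calls for are a network-side change (ingress filtering of forged source addresses on the ISP's routers, BCP 38), not something a named.conf can provide.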