
Configuring Google's new public DNS

Google has launched an Internet-facing pair of public DNS addresses. In this TechRepublic blog, IT pro Rick Vanover shows configuration and usage of the new engines.

Is there anything Google isn’t going to do? Google has recently announced Google Public DNS services for Web engines and other systems to query for address resolution. This makes some sense, as Google crawls the Web frequently and has a good idea of where Web presences are located. The goals of this service are to provide an option for current DNS configuration, reduce ISP loads, and make the Web faster.

I have historically used ISP DNS information for all information but have supplemented that with another ISP’s public DNS servers as a secondary server. The thought of Google providing a DNS service is appealing at this point, and I’ve set it on a few servers in my test environment. So far, it works fine as expected.

Google’s DNS offers two IP addresses. They are 8.8.8.8 and 8.8.4.4, which are very easy to remember. Configuring a few systems with this DNS engine is straightforward and resolves in a standard fashion. Figure A shows a DNS query run against the Google DNS servers.

Figure A


While taking advantage of this service may seem attractive, there are concerns with using a popular and very public DNS server. Above all, we are not given any information about how much traffic is going to use these addresses. That does not matter for name resolution, since Google's DNS is not authoritative for any domain, but it does matter for security. Google has outlined a number of security features for this service, documented on the Google Code Web site.

Realistically, I see the Google DNS entries as being used in conjunction with your ISP’s DNS. Do you see yourself implementing Google’s DNS? Concerned about a target like this? Share your comments below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

82 comments
wbaltas

We use our ISP and have not had any problems. Last year I added OpenDNS as a secondary DNS server; I'd consider using Google DNS as a third option. Bill

jeslurkin

Thanks for an article that started an informative discussion. I now know of OpenDNS and BIND. Thanks.

b4real

I'll follow up with an official answer on this.

wjames1

I am using Comcast Cable as my ISP and I have configured Google's DNS at the router level for all the PCs to take advantage of. I am hoping that it will make my Hulu experience a little faster.

jparr

I think a lot of people have privacy concerns with Google, and I think DNS is one more reason to be concerned. Right now, they can only capture what you query in their search engine or data they collect if you use one of their applications. If you use Google DNS, NOW they can capture virtually every web request you make:

1. Every new host with which you communicate, whether surfing or IM'ing, or Twittering, or whatever requires that your PC go to DNS and look up the host IP address. Don't think Google won't capture this information and extrapolate / interpolate browsing habits as well as ugly things like statistical dwell times.
2. Who's to say that Google DNS doesn't point you to a Google-hosted IP address that redirects you to a resource. Just like DNS hijacking, they *could* (not would) capture virtually every mouse click you make. Keep in mind that things like SSL security are based on DNS.
3. Just as with Google widgets, all it takes is some enterprising hacker to compromise the system. Just like DNS poison attacks a few years back, all it takes is one opening and you get redirected from your bank website to Russia or Nigeria. Because DNS is consistent, your machine would NEVER know the difference.

I just don't trust Google.

clamont9

If someone in the UK queries AnycastDomain.com they get one IP. If someone in the US queries AnycastDomain.com they get the SAME IP. That is a bad thing.

fahdim

I live in Pakistan and the answer to the question of whether I will use it is a definite yes. I live in the countryside with a slow line, and I only have a 1MB DSL line which even starts malfunctioning when rain starts. It's not weather protected, I guess. Besides, I use the PTCL service, which sucks where DNS lookup is concerned. I have been using OpenDNS for over a year and it works fine, but I have been using Google DNS for 3/4 days now and it seems a better choice as it's fast :)

ron

Never mind about the new Google public DNS... The real story here is people who use bright background colors for their terminal window. Holy eye strain, Batman! lol

Lasagna329

I think the article misses the real reason why Google is doing this ... Advertising. Someone mentioned OpenDNS -- I use it, like it and it indeed is a much more robust solution than what Google is presently offering. I suspect Google is about to make a play into this same space.

While many requests every day are resolved normally from name to IP address (and the reference about shaping is way off the mark here, that's not how ISPs do the shaping), there are many requests that people fat finger or otherwise mistype. When this occurs, it used to be that you'd get a "not found" kind of error. However, a few years ago many of the registrars started mapping these failed queries to a server of their own and loading that page with advertisements. Enter the ISPs, and they realized that they could do that same thing and you have an opportunity to get some advertising in front of people without much effort.

Google will likely do this themselves. Perhaps trying to figure out what you really meant to type and routing that through their search engine architecture and giving you some helpful suggestions (along with those obligatory little advertisements that decorate the search results page). As time goes by, they can then add similar features to OpenDNS in terms of content filtering, etc. and all the while gain valuable demographics on name resolution (i.e. who is looking up what names).

Is this a bad thing? No, not really, but without any protection on how Google will collect and use this information, you should beware of the privacy concerns. It'll be interesting to see how this service develops. For now, I'm staying with OpenDNS because of their robust filtering capabilities.
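The redirection of failed lookups described in the comment above can be checked from the client side by asking a resolver for a name that cannot exist and looking at the response code. The following is an added example, not code from the article or from any commenter: it builds the same kind of A query the article's Figure A shows and classifies the reply. The probe name, transaction ID, and both reply messages are constructed sample data, and `fake_response` is a hypothetical helper that stands in for a resolver.

```python
import struct

NOERROR, NXDOMAIN = 0, 3                       # DNS response codes (RCODE)

def encode_name(name):
    """Encode a hostname as DNS labels: length byte + label, then a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    if any(not 0 < len(l) <= 63 for l in labels):
        raise ValueError("bad label in %r" % name)
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, txid):
    """A/IN question with RD=1, the message a stub resolver sends to a recursive server."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while off < len(msg):
        n = msg[off]
        if n == 0 or n & 0xC0 == 0xC0:         # end of name, or 2-byte pointer
            return off + (1 if n == 0 else 2)
        off += 1 + n
    raise ValueError("truncated name")

def parse_response(msg, txid):
    """Return the RCODE and any A-record addresses from a DNS response."""
    if len(msg) < 12:
        raise ValueError("short message")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:      # wrong ID, or QR bit not set
        raise ValueError("not a response to this query")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record: four address bytes
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "addrs": addrs}

def nxdomain_rewritten(resp):
    """True if a probe for a name known not to exist came back with an address."""
    return resp["rcode"] == NOERROR and bool(resp["addrs"])

def fake_response(query, rcode, addr=None):
    """Constructed sample reply (not captured traffic): QR=1, RD=1, RA=1 plus rcode."""
    head = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    rr = b""
    if addr:                                   # owner name is a pointer to offset 12
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(p) for p in addr.split("."))
    return head + query[12:] + rr

QUERY = build_query("no-such-host-7f3a9c.example", 0x1234)   # constructed probe name
HONEST = parse_response(fake_response(QUERY, NXDOMAIN), 0x1234)
REWRITTEN = parse_response(fake_response(QUERY, NOERROR, "192.0.2.80"), 0x1234)
```

To run the check against a live resolver, send `QUERY` over UDP port 53 to the server's address and pass the reply to `parse_response`.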

neilb

A lot of known bugs in common DNS servers relate to servers that perform recursive DNS lookups. As someone who has run umpteen DNS servers over the last 15 years I ensure that they only perform recursive lookups if they are authoritative or otherwise only to those blocks of IP addresses they should expect to receive queries from. Anyone else asking gets told to go elsewhere. So I'd be interested in any hardening Google might have put on these servers before offering to perform recursive lookups to everyone for any query. Regards Neil

yojinbo

I'm always a little leery when for-profit corporations start acting like non-profit charities spending time, money and resources without any apparent ROI. While Google loves to trot out their "Do no evil" corporate slogan, let's not forget they were more than willing to actively support censorship in China in order to gain market share for their search engine despite the communists' blatant disregard for basic human rights. At least Microsoft doesn't pretend to be anything other than what it is: A greedy technology corporation bent on conquering the globe and recreating it in its own image. I might find their mercenary tactics despicable, but I appreciate their honesty. And if Google's altruism is genuine? Nothing in this world is more dangerous than when a powerful elite decide they know better than anyone else how to make the world a better place and decide to inflict their ideas on the rest of us.

your last hope

I don't see anything outstanding about this DNS; it works if that's what you ask, but I prefer OpenDNS, which is way better because of its features.

TexasJetter

I have been using OpenDNS http://www.opendns.com/ for some time now. Lots of features, for instance at home I can filter sites I don't want my kids going to. "Typo" redirection, phish blocking, other.

mford66215

Seems like Google will get loads of new data on where people are going on the net in exchange for some infrastructure. Somebody's going to get a bonus over this one at Google.

seanferd

which is the updated version of DJBDNS. If you want to set up your own server, that is.

pgit

you're just scratching the surface of the potential mayhem. Never, ever forget who founded Google, and it ain't the wonder boys, aka "wet ware" provided by an allegedly "benevolent Stanford University:" http://www.flickr.com/photos/44948879@N00/3822977155/ You say *could,* I say they launched this precisely for the increased data stream it provides them. SSL, we hardly knew ye...

b4real

But DNS request patterns are always subject to a log, even at the ISP level. Who is to say that the ISP doesn't have the intention of doing the same? Don't get me wrong, Google is more likely to use DNS data.

tom.marsh

Google in the past has shown a habit of running very-large databases on Solid-State and/or RAM drives... So yeah, it should be fast!

seanferd

OpenDNS does not have a server in Asia. It is difficult in Asia because the internets are so balkanized. But Google has the resources to cover that. Also, if you are using a DNS server which is distant, you may not be served well in some cases due to the way you are routed to servers close to the DNS server, but not necessarily close to you. This causes lag and timeouts.

b4real

I, too, have noticed it is fast. I am curious if it will remain fast as its popularity grows, however.

kaspencer

I cannot believe that you used such a hopeless colour combination for that screen shot. I am always equally annoyed when writers of email newsletters et cetera use similar unreadable colour choices. As an IT professional: shame on you! Ken.

b4real

Usually I'm black with green text, but went all holiday on ya.

tsears

Your data already flows through your ISP. This is just opening up your internet usage patterns to another company. If you have serious issues with your ISP, change your ISP or consider OpenDNS.

kevin.carrell

Could it be that a request was made by another power for Google to flirt with China? China might feel their naivety could be used to their advantage when in fact it was for the sole purpose of finding out what it was they (the Chinese) considered suspicious in terms of looking at other Chinese people's profiles, mails, searches, etc. and how they decided what was suspicious. I mean if you knew an action of yours that would make someone you know or have dealings suspicious, wouldn't you then avoid that action? Especially if you were indeed up to no good? I have always thought the web was a bit of a Pandora's box or at least has the potential to be misused by anyone with the correct knowledge. My take on it is never do anything too miscreant on it and you should be fine. I also believe we all have something to hide, and I do mean all of us. The internet and what some of us do within it will always give us some sort of profile that can be twisted in a way to make us look like the scummiest scumbags on the planet. A bit like the general consensus most people have on the press. But we still read the papers and we will always (as long as it is there) surf the net. To be honest I don't think anyone ever truly believed Google. Well not the realists or people older than 40. It was a nice concept which I personally wish could be a reality but a corporation that large with all that information? Any Government would be falling over themselves to have that corporation in their pockets. I think some corporations also believe they do have a say in world affairs. Now that is dangerous. Anyway I am rabbiting rubbish. It's already Big Brother. You just have to hope you can keep your head down and be ignored with all the other proles. God Bless Gin ...lol

techdude60

Why fix 'what ain't broke'? I like to consider myself internet savvy for the most part but my daughter tends to wander a bit and between OpenDNS and WOT, her bacon has probably been saved a few times. I only let my grandkids surf kid sites but eventually they'll branch out and I like knowing there will be help when they do. Until Google proves themselves worthy, I'll stick to the tried and true.

kandyass

I use it at home and got my employer on it as well.

fallout330

Same here, Texas! I've been using OpenDNS for the last two years, great service...even its free based version!

Piffer

OpenDNS just rocks! If Google DNS will offer some of the services that OpenDNS charges for, I might think about switching. But so far OpenDNS has not failed me once. -P

Kris.J

I prefer a DNS server on the LAN: if it doesn't know the answer to a LAN host's query, it goes straight to ROOT HINTS. I can do all the things people like about OpenDNS and more - and I control it 100%.

Craig_B

OpenDNS has been around for years and works quite well. I have been using it for some time now.

alexisgarcia72

OpenDNS is the best. I use it at home and work. It blocks a lot of bad sites and redirects if you write an address with typos. Agree on this.

lgwhitlock

Considering they have been getting hammered on privacy and had to implement ways of not tracking usage of the internet this is the perfect way to circumvent those privacy blocks implemented in the last year. They may not have all the information they could obtain from cookies but it's a good reference for them.

b4real

There is a backside of this, they know what we are looking for - even if we don't use their engines.

tom.marsh

And I think you're right: It's about the data for advertisers. With Google that's what it always comes down to. They already have Google Analytics but 1) Not everybody uses it and 2) Sites not using Analytics are not using it because they (presumably) don't buy Google's other services either. By placing themselves into the customer's DNS chain they can do a number of things: 1) Develop statistics on who is using a competitor's advertising services (they crawl the web, they know what servers host all the ads) 2) Develop statistics on how many views those competitors' advertising services are getting by tallying DNS queries to those servers. Google can then work to determine what made those other options attractive in order to help refine their own offering.

hwarner

I found another source for DNS that really gives me oversight, safety, and DNS: OpenDNS. No agenda unless you lose your way and then, just like Google, you get an ad-sponsored "did you mean" page. Just like MS saw and emulated the Intermedia model for cloud Exchange, Google saw the OpenDNS model. I don't disagree with previous poster about possibility of data mining but one should read the SLA.

b4real

Nowadays I've reverted to old school black with green text.

rkuhn040172

Why manage something you don't have to? I use OpenDNS mainly for the content filtering. Do you have something else in place for this?

b4real

Would be nice to have it somewhere on the list, no?

tom.marsh

As in "What happens when you're hit by a bus and we need to change that system's configuration while you're in a coma?" Home-grown can be an awesome, cost-effective alternative. It can also be a quagmire of inefficiency. As an IT consultant I've seen both scenarios: Where the previous admin's documentation was meticulous and beautiful, and also where his idea of "acceptable" documentation and mine ...varied. By a wide-margin. In those situations, it was always dramatically more expensive for the client using the "home-grown" solution to have me first reverse-engineer the other guy's work, then figure out if what he has built can do what the customer wants it to do, then implement it. Where it really gets pricey is when the answer is "No, it doesn't do that. The only way to do that is to start over." Because then they've spent the pet-project money, the consulting fees for me to tell them what they have won't meet their needs any longer, and whatever I charge them to design and deploy a solution that will. In those situations, I'll often point this out and suggest we just jump straight to scrapping the "home-grown" solution altogether before the reverse-engineering phase. I do this mainly to cover-my-butt, because few customers want to get to the "No, what you have is useless" phase without being offered the chance to skip that set of fees. Sadly, few do so, and most eventually end up spending a lot more money than they would have otherwise.

rkuhn040172

Explain the process you use for content filtering. Surely you are relying on someone else's list of inappropriate sites, some kind of content rating system, etc. At that point, unless you are examining each and every website on-line yourself, you have "outsourced" some part of the process.

rkuhn040172

In essence, that's what I was trying to say. IT depts should focus their time, money and efforts on the core business functions of their company. I would rather spend my time trying to better maintain and control a sales process than I would content filtering. DNS and content filtering are important, but it's about priorities. Finite time and resources require careful priorities.

tom.marsh

...In other posts I've seen you say you can "do what openDNS does but maintain control." My challenge to you would be: Explain to me why spending thousands of dollars (in server hardware, licensing, support costs, and your time) of the company's money to achieve what OpenDNS offers for $0 is better for the company. What so many people in our line of work fail to realize is that all of this stuff costs money--a LOT of money. The more you blow on pet projects like this, the less there is for important IT needs. Next time you complain about that slow internet pipe, or the assistant your company perpetually can't afford, look at your pet-projects and ask yourself if the company is really getting any value out of them, or if they're just padding your ego (And making yourself "indispensable") at the expense of things that might make the company stronger overall.

Kris.J

"Why manage something you don't have to?" The way I operate, I think "Why outsource something I don't have to?" Control, it's all about having as much control as possible. Content filtering is easy when you have 100% control of your DNS.

seanferd

If your own resolver is down, you fix it. If it is working, what do you need another recursive DNS provider for?

Kris.J

If Google's DNS server(s) don't know the answer, they are going to go straight to root hints anyway... I like to start at the top on the first hop. ;)
