
Should we be afraid of Google Public DNS?

Google has its own DNS service, slipping its tentacles into yet another fundamental aspect of online life. How bad can it be?

Google recently unveiled its Public DNS service. Like OpenDNS, it allows you to bypass your ISP's DNS servers. Unlike OpenDNS, it is managed by Google.

Sterling Camden, TechRepublic's IT Consulting guru, asked me whether this raises any particular security red flags for me. I think he might have been asking it facetiously, because the obvious answer is that it could allow Google to track your DNS requests. DNS is what tells your browser (for instance) which IP address to connect to when you give it a domain name (such as google.com) to look up, and whoever operates the DNS server you use for such lookups can track which domains you try to resolve. At minimum, the operator can log each DNS request together with the IP address that sent it, so if you use Google Public DNS you are placing some trust in Google's hands that it will not gather information on your online behavior in a way that can be traced back to you, or at least that it will not abuse such information or sell it to someone who will abuse it. Of course, maybe he wasn't facetious, and wanted to know if there were any other dangers that jumped out at me.

I rather strongly suspect that Google will not ever sell this information without anonymizing it first, at the very least, and the Google Public DNS FAQ page promises to delete all information it collects after 24 hours. The Internet giant may well use that information to make its ad targeting more accurate, however, just as it has with the contents of our emails handled by its Gmail service. It also may just provide faster DNS service, which does benefit Google because the faster you can browse the Web the more Google ads you will see -- and, maybe, the more Google ads you will click.
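As an added illustration (example code written for this page, not from the article or from Google), the following Python sketch shows what the operator of a recursive resolver can reconstruct from the query log described above, and what the two mitigations mentioned in the FAQ promise, anonymizing the requesting address and discarding records after 24 hours, look like in practice. The log format is an assumption of the example, and every log line, address, hostname and timestamp in it is constructed.

```python
"""Added example, not from the original article: a toy resolver-log analyzer
showing what a recursive DNS operator can see about its clients, plus two
mitigations the article mentions (client-address anonymisation and a 24-hour
retention window). The log format and every IP address, hostname and
timestamp below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample resolver log: "<ISO-8601 time> <client IP> <qtype> <qname>"
SAMPLE_LOG = """\
2009-12-05T08:00:00Z 192.0.2.10 A www.example-bank.test
2009-12-05T08:00:02Z 192.0.2.10 AAAA mail.example.test
2009-12-05T09:30:00Z 198.51.100.7 A news.example.test
2009-12-06T07:59:00Z 192.0.2.10 A www.example-bank.test
2009-12-06T08:30:00Z 2001:db8:1234:5678::1 A www.example-bank.test
"""


def _parse_time(iso):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_query_log(text):
    """Turn the constructed log into records; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({
            "time": _parse_time(ts),
            "client": client,
            "qtype": qtype.upper(),
            "qname": qname.lower().rstrip("."),
        })
    return records


def profile_by_client(records):
    """What the operator sees with no anonymisation: every name each client resolved."""
    seen = defaultdict(set)
    for r in records:
        seen[r["client"]].add(r["qname"])
    return {client: sorted(names) for client, names in seen.items()}


def anonymize_client(client):
    """Coarsen the client address to its /24 (IPv4) or /48 (IPv6) network so a
    query can no longer be tied to one host; the query itself is still kept."""
    prefix = 24 if ipaddress.ip_address(client).version == 4 else 48
    return str(ipaddress.ip_network(f"{client}/{prefix}", strict=False))


def purge_expired(records, now, retention=timedelta(hours=24)):
    """Keep only records no older than the retention window."""
    return [r for r in records if now - r["time"] <= retention]


def retention_report(text, now_iso):
    """Parse, purge to 24 hours as of now_iso, then anonymise what remains.
    Returns (number of records kept, sorted anonymised client prefixes)."""
    kept = purge_expired(parse_query_log(text), _parse_time(now_iso))
    return len(kept), sorted({anonymize_client(r["client"]) for r in kept})


if __name__ == "__main__":
    # Raw view: full per-host browsing profile from the constructed log.
    for client, names in profile_by_client(parse_query_log(SAMPLE_LOG)).items():
        print(f"{client}: {names}")
    # Mitigated view: only the last 24 hours, with addresses coarsened.
    print(retention_report(SAMPLE_LOG, "2009-12-06T09:00:00Z"))
```

The first loop is the uncomfortable part: from nothing but timestamps, source addresses and query names, the operator can list every site each client visited. Prefix truncation and a short retention window shrink that picture, but the run of the script shows they do not remove it entirely; whether that residual exposure is acceptable is exactly the trust decision the article is asking about.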

There are some potential security benefits to using something like Google Public DNS. Google helpfully explains several of them on its Public DNS Security Benefits page, so we need not belabor them here. In many respects, it seems that Google is doing this right in a way we simply cannot always expect our ISPs to do things right.

That leads to another reason this might be a good thing. If you think you cannot trust Google with your DNS request history, you really should think twice about trusting at least most ISPs. Consider, if nothing else, the fact that your ISP has a lot more information about you than just your IP address, regardless of whether you also have a Gmail account -- including financial information, physical address and telephone number, name, age, gender, credit card information, and so on. One breach in security at Google -- an event most would consider highly unlikely -- could be no more damaging than revealing your browsing habits. The same at your ISP, on the other hand, could tell an attacker pretty much everything about you that is stored on almost any computer outside your home. Regardless of how much you distrust Google, you might want to ask yourself whether you at least trust it more than Comcast.

Still . . . the very fact of Google sliding its tentacles into yet another fundamental facet of online life might be enough to send a chill up your spine. The DNS addresses Google is using are 8.8.8.8 and 8.8.4.4, but Sterling suggested that maybe 6.6.6.6 is more appropriate. I quipped that 6.6.6.6 is reserved for Microsoft's use, but things do start feeling a little Orwellian when one considers how pervasively Google influences the Internet, at many levels.

I will not let that stop me from playing with Google Wave, though, and Google has done a lot of good for security with a number of tools (like RatProxy and Keyczar) it has released to the public under copyfree licenses.

There are many reasons to be grateful to, and perhaps fearful of, Google. How things balance out is up to you, in the end -- as is everything else about your security.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

18 comments
Spitfire_Sysop

In short, this is a velvet revolution. I like google, personally. I use many of their products. I dislike monopoly or any company being this diversified. They can't do everything right and will eventually try to grab outside their reach.

Kris.J

Google DNS, OpenDNS, an ISP's DNS servers, etc. -- I don't need any of them. For years I've had DNS servers running on my private networks, that would go straight to Root Hints if they didn't already know the answer or have it cached. Why do it any other way?

domma

"If you think you cannot trust Google with your DNS request history, you really should think twice about trusting at least most ISPs." The trust isn't from what the DNS provider knows about you; the trust is in the DNS provider not getting owned and pointing all my bank's requests to a server in Russia, you moron. For an IT consultant, your article points out you are pretty ignorant. Time to learn something about what happens when machines get owned instead of trying to get MS certs. All that schooling was a waste.....

Sterling chip Camden

... of this topic. That pretty much confirms my own thoughts on the subject. And thanks for the mention!

Justin James

... is my guess. Google's never been good at the enterprise play. They try to be, but not very hard. J.Ja

Spitfire_Sysop

That is pretty harsh. What we are talking about is the largest ad company in the world. They collect information from all legally available sources to build a profile of you. If you use Google search and Google DNS at the same time, they get to analyze 100% of your HTTP destinations. That was the point as I understand it. Sure, Google could get hacked, but so could you. I don't think Comcast is any more hardened against DNS poisoning than Google, but I won't claim to know anything about what security measures they employ. Are you familiar with their security hardware? Is it lower quality?

Neon Samurai

DNS rebinding sucks and limits trust in the protocol. Unless you're doing DNS-related research or programming, you can't do much more than understand the risk. It does no good to overhype the situation when it's already being publicly discussed. The trust in DNS alone has also been discussed in other articles. The part you're missing is trust in the company providing the service, regardless of the protocols it happens to use. Does it really matter that one can redirect your DNS responses when the organization collecting your string of DNS queries, along with any other information available, is willing to misuse that identifiable data? Consider an information sponge consolidating information from many other intimate sources: email, office documents, calendar, search queries, global positions, DNS, social associates (friends and .orgs).. You don't think it's worth taking at least a minute to consider the potential implications and compare them to other DNS sources? I'll give you one thing, you know how to start a conversation. I hope you'll continue the conversation if the article author responds.

StormForge

Maybe 6.6.6.6 should be reserved for Karl Rove?

apotheon

I've been thinking about whether I can come up with enough informative stuff to say about that to make an article of it.

AlexNagy

What a fallacious argument. I shouldn't have to expose all of my data and browsing habits just because I have nothing to fear. If I want to do things privately and anonymously, I should be able to do so regardless of what I'm doing.

apotheon

"Concise" is where I was aiming. How could I not mention you? That conversation is half the reason I wrote this article!

apotheon

I brushed up against the problems of DNS server security itself, but that wasn't the topic of the article. The fact that this person doesn't realize there's more to security than the strictly technical challenges of running a DNS server is not something I'm going to be able to address, and the fact that this person thinks my life revolves around MS certifications is laughably off-target. What is there for me to say in response to this? I know that DNS spoofing is a security issue, but this article is about Google Public DNS, not DNS server configuration.

apotheon

I didn't know you were writing for TFM (probably because I have only been to that site maybe twice, ever). Is this a regular gig for you?

Neon Samurai

I guess there isn't much productive that would come out of such a discussion, given that the person is either lacking information or willfully ignoring it.

Justin James

Yup, been writing there from the beginning. :) I write there whenever I feel like it. No one involved in it gets any money for it, so it is really just a place for me to write stuff that doesn't fit in here at TR. I experimented a bit with stepping outside P&D on TR, but with only one P&D writer for 2009, that would have left P&D short on content. I mostly post sysadmin-related tips/tricks there, the stuff that drives me nuts and that I can't easily find an answer to on search engines, but once in a blue moon I'll have an "analysis" type piece too. J.Ja