
My Chromecast Ultra would not start until I began answering 8.8.8.8 - baptou12
https://mailarchive.ietf.org/arch/msg/dnsop/WCVv57IizUSjNb2RQNP84fBclI0
======
anilakar
In case the name of the original poster does not ring a bell:
[https://en.wikipedia.org/wiki/Paul_Vixie](https://en.wikipedia.org/wiki/Paul_Vixie)

~~~
paulddraper
Co-designer of DNS and member of the Internet Hall of Fame

------
calibas
This should bother people here more than it does. The last thing the Internet
needs is even more dependence upon Google. They've made it quite clear through
their actions that they're not supporters of a free and open Internet:
[https://theintercept.com/2018/09/14/google-china-prototype-links-searches-to-phone-numbers/](https://theintercept.com/2018/09/14/google-china-prototype-links-searches-to-phone-numbers/)

If people don't push back against these kinds of things, Google will continue
to abuse their power. There shouldn't be an army of apologists here making
excuses for them.

As far as a solution goes, they can simply make 8.8.8.8 a fallback when
something goes wrong. It's a disturbing trend to see them forcing things like
this upon users.

~~~
reaperducer
_The last thing the Internet needs is even more dependence upon Google_

Watching Big G's actions over the last few years, I've sometimes wondered if
it's laying the groundwork to fork the internet.

People talk about China and Russia's actions balkanizing the internet. But I
have a sense that Google could do it, as well, and bring us back to the days
when people didn't know the difference between the real internet and America
Online.

~~~
linuxftw
We're already there. Younger generation knows little about the web, but they
all participate in the walled-garden-net via their app store.

~~~
darpa_escapee
Yep. In many places in the world, the internet _is_ Facebook/WhatsApp/YouTube
and whatever portal each of your apps allows you to peer into.

~~~
ryandrake
This is no different than the late 90s, when the Internet was AOL for a huge
number of people. In 20 years it'll surely be some other platform, too, as
long as the relatively open "Internet" foundation persists.

~~~
anfilt
The concern is those foundations though since google obviously has influence
when it comes to it.

------
RickS
More concerning to me was the fairly recent removal of non-phone-app setup. It
used to be that a chromecast would display a 4 character code on screen, which
could be used to activate it from the browser.

Now, they require that it be managed with the google Home app, and have
discontinued the method that allowed chromecast use without installing
additional google software on your phone.

This made for a really disheartening christmas experience, when I first
assured my mother that no, we could skip this stuff with your phone, only to
find out that no, she would indeed have to make that sacrifice.

Especially frustrating is that my same devices, validated with the old method,
continue to function just fine.

Does anyone with more knowledge than I have know of a reason for this that
isn't data-greedy or consumer-hostile? From my perspective, "Don't be evil"
has been dead long enough that the bones are sunbleached.

~~~
05
The obvious reason is that any local browser config pages cannot be SSL
protected because the device can not provide a valid certificate for
192.168.0.33 or chromecast.local

Phone app can use a custom TLS CA to make sure the stick was produced by
Google and is not a rogue neighbor phishing for your WiFi password.

~~~
djrogers
No, that's not how it worked - you got a code on the screen you could use to
activate the device _with google_ from any browser - much like many many many
TV apps use (visit foo.com/activate and enter code NNNN). You weren't browsing
to any local devices...

~~~
dragonwriter
> No, that's not how it worked

Yes, it is; Chromecast activation has always used the Chromecast itself as the
WiFi host; you have to do that to even set it up to use another network.

> you got a code on the screen you could use to activate the device with
> google from any browser - much like many many many TV apps use (visit
> foo.com/activate and enter code NNNN).

TV _apps_ can do that because the TV _device_ is already configured to connect
to a network. And both the app and your browser can connect to the same remote
server. Chromecast activation can't work that way, since it occurs as a
necessary prerequisite to connecting the Chromecast to a network.

~~~
RickS
(OP of complaint)

This matches my understanding as well.

05's answer about security and rogue devices is a good one. It makes a lot of
sense. For my (and I expect most people's) threat model, google's prying eyes
are a more credible concern than my neighbor's, and I wish they hadn't changed
it, but it's nonetheless a defensible reason for making the change.

------
AdmiralAsshat
Knowing who he is, my takeaway _should_ be, "Wow! An Internet Hall of Famer
weighing in against a Google product!"

But my actual takeaway is, "Legends of the CS world write informal, pithy
rants to Google just like the rest of us mortals."

~~~
slim
IETF should be concerned since one solution to this problem is to hijack the
DNS. Namely 8.8.8.8

~~~
justizin
Right, realistically what Vixie is saying is: This is a major vendor failing
to comply with IETF standards and using their market dominance to undermine
open standards and protocols.

~~~
dragonwriter
> This is a major vendor failing to comply with IETF standards

What IETF standard is violated by a device using a known DNS server rather
than the one offered by DHCP?

------
unethical_ban
Jared Mauch's response was pretty rude.

I don't mind defaults, but I do not like the inability to change.

I wonder if it was clearly documented as a device requirement that 8.8.8.8 was
needed. All prerequisites of function should be in the Quick Start Guide of
the tool in question. Furthermore, users aren't always in control of the
firewall/ACL on their network. If I go to Jack's Organic Coffee for a meeting
and they only allow 1.1.1.1 out for DNS, I can't use my cast device? That's
screwy.

~~~
eertami
Maybe I'm missing the forest for the trees but... what possible reason would
you have for taking a Chromecast to a coffee shop?

~~~
pixl97
The problem here is you are falling in the same trap as the Google engineers
here.

Why would ______ want to do _______ with their ______ device?

You can make a locked down device that only does a very limited subset of
functions, but you really should make that known to the user before hand.
"This device requires access to $X servers to function".

If you have secret requirements that go far beyond user expectations, expect
that your users might get pissy about it.

~~~
hannasanarion
The fact that we got six years into the chromecast world before anybody
complained is a pretty good indicator that, no, in fact, most people who want
to watch youtube on their TVs don't configure their firewalls to block
8.8.8.8.

~~~
Sendotsh
It has actually been a common issue for many years, including for myself, but
the rest of us don't have the social clout for it to make it to HN front page.

These days you have no chance of getting any form of tech support or even
issue acknowledgement unless you have a large follower count online.

------
rasz
Chrome is just as insistent on using 8.8.8.8. Took me >2 years of constant
pestering to make Vivaldi finally patch some of it out.

[https://www.reddit.com/r/vivaldibrowser/comments/a23071/how_...](https://www.reddit.com/r/vivaldibrowser/comments/a23071/how_private_is_vivaldi/ebgz0zx/)

~~~
dvdgsng
I had no idea. thank you for this! I assume the setting is "use google dns
service to help resolve navigation errors"?

~~~
rasz
Yes, except Chrome has very liberal definition of what it considers an error.

~~~
ballenf
Is there any combination of settings in Chrome that will disable this
behavior?

~~~
sixothree
Uninstall chrome?

------
alias_neo
It's not new, nor limited to Chromecast Ultra. I detected this from
several Android devices (phones) pre-Pie and configured my firewall to
redirect those requests to my own DNS.

Regardless of their reason, many of us don't want to use Google DNS and
they're just using their control over these devices to force people to
8.8.8.8/8.8.4.4.

I haven't checked how Pie behaves yet but it provides an option in the UI to
specify private DNS.

Also, I found some time ago, and am not sure if it's still the case, but some
of their first-party apps hard coded Google DNS, so seeing one at the system
level was irrelevant.

~~~
metalliqaz
Google's business is built on web services, and we know for a fact that ISPs
occasionally try to inject bullshit into their customers' browsing sessions via
all kinds of dirty tricks. Their DNS is also designed to be faster than
typical DNS. I wouldn't be surprised if Google sees this as a way to ensure
the proper function of their devices.

~~~
darpa_escapee
This is an incredibly generous reading of the situation that, as far as I can
tell, has no basis in reality. Google is circumventing how the internet works
at pretty basic level by not respecting users' DNS preferences in favor of
their own.

~~~
Rapzid
The consumer of the DNS is the Chromecast. Its preference is 8.8.8.8 .

~~~
darpa_escapee
A Chromecast isn't an agent with free will and intentions, the user is. When I
set my DNS settings to a different DNS server than Google's, my preference is
just that: different from Google's.

~~~
jtms
I think your humor detection algorithm needs some enhancement.

------
dastx
I posted this a while ago on the /r/pihole subreddit. Since my router is a bit
more restricted, I ended up blocking Google's DNS as they've been doing this
in other devices and software as well. It seems that they only add one of the
DNS servers and fall back onto the DNS server provided by DHCP. My pihole
number of queries suddenly jumped up after I blocked those IPs.

------
jasonjayr
I agree with the shadiness of this, but just to play devil's advocate here, is
this to work around shitty ISP's that play games with DNS? Residential ISPs
have not exactly been good faith actors in this game ...

~~~
megous
Yes, but how does it help hardcoding one IP address that ISPs can simply route
to their own DNS server?

~~~
tialaramex
Today the ISP could, with a bunch of effort, re-route the traffic, though I
haven't seen any evidence that any of them do that. So it helps materially
because for today it works.

Tomorrow these devices will do DPRIV, probably DNS over HTTPS, and so the ISP
won't be different from any other man-in-the-middle, unable to meddle with the
contents of protected traffic.

~~~
oarsinsync
> Today the ISP could, with a bunch of effort, re-route the traffic

Injecting a route into your IGP is pretty trivial, any ISP with an engineer
with more than 6 months' experience could manage this.

> though I haven't seen any evidence that any of them do that

Unless you've actually looked, and performed pcap analysis of what your dns
request/response looks like to try and determine if your ISP is intercepting,
you can't be sure.

That said, several ISPs used to do this _quite transparently_ (pun not
intended) in the early 2000s, to return advertising pages whenever a DNS query
failed. Some of them would do this on their own DNS servers (that were the
default pushed to your CPE, which was then the default for your network), some
of them would actually hijack anything going to udp/53. This used to be
prevalent for a while.

Then again, who's making more money monetising your activity? Your ISP or
Google? Given that your ISP can already see every IP you visit and how much
traffic you exchange with that counterparty, who would you rather protect your
DNS requests from? Them or Google?

~~~
JohnFen
> several ISPs used to do this quite transparently (pun not intended) in the
> early 2000s, to return advertising pages whenever a DNS query failed.

Yep. This was what spurred me to start running and using my own DNS server in
the first place.

> who would you rather protect your DNS requests from? Them or Google?

I don't think one of them is better than the other on that count.

------
josteink
Expect more of this once “DNS over HTTPS” takes hold.

Nothing Google makes will ever respect your DHCP-server or local network
settings ever again.

~~~
JohnFen
> Expect more of this once “DNS over HTTPS” takes hold.

I do. DNS-over-HTTPS is why I've modified my network so I can MITM all HTTPS
connections.

~~~
chaz6
(Un)fortunately, TLS 1.3 will prevent MITM from working unless you are able to
install a trusted root ca cert on the device, which I doubt is possible on
Chromecast devices.

~~~
userbinator
TLS and SSL before it has _always_ prevented MITM from working without
configuring your own certificates --- that's the whole point of the security
it provides, after all. AFAIK TLS 1.3 doesn't change that.

------
chewz
Set DNS to Google and do

    dig +short TXT whoami.ds.akahelp.net

Then set to other DNS provider and do the same

You will see that Google DNS is delivering ECS which helps with directing
traffic to nearest CDN.

I have quite secure DNS setup but still forward some queries to Google DNS
(HBO, Spotify, etc.) just to take advantage of using ECS.

~~~
X-Istence
When you run your own DNS server, then you don't need ECS, since it will have
the real IP address at the authoritative server.

------
richardwhiuk
I've seen this been done before, and IME it's reasonable behavior.

I've seen so many instances of computers configured with DNS servers which are
extremely slow, or provide garbage results, that adding a known good DNS
server to the list, and then parallel resolving across all of them is a
perfectly legitimate thing to do.

~~~
jon-wood
We hardcode known good DNS servers in IoT devices that we ship from work
because a significant proportion of issues being reported by customers were
caused by ISP resolvers doing things they shouldn't - mostly either
redirecting all domains to a splash screen telling people about bandwidth
quotas/other things, or not respecting the TTL returned by our resolvers,
which could cause data to get directed to the wrong place for extended
periods.

~~~
creeble
Been there too, sad to say. We haven't gone so far as to hard-code DNS servers
yet, but it's shocking how bad some ISPs' DNS support can be.

There should be a better way to fight it, but I fear Google may win here
because I haven't been able to find anything _wrong_ with the way their
servers work. I.e., 8.8.8.8 isn't doing anything evil afaict... Yet.

~~~
JohnFen
Doing that can be (barely) acceptable, provided that you also do two other
things: make it clear to users that you're doing that, and allow a way for the
user to change that behavior if they desire.

------
kop316
What I ended up doing to ensure this for any of the devices I have is use
pfSense to force all DNS queries to go to my DNS server:

[https://docs.netgate.com/pfsense/en/latest/dns/blocking-dns-queries-to-external-resolvers.html](https://docs.netgate.com/pfsense/en/latest/dns/blocking-dns-queries-to-external-resolvers.html)

~~~
1over137
This may be helpful too:
[https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html](https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html)

------
cotillion
Just the fact that you can't cast your own local content when the mothership
is down makes me want to throw out all cast devices. Ignoring DNS servers
seems like a very minor issue.

~~~
fixermark
Have you verified you can't cast your own local content if 8.8.8.8 is down? I
thought it did a fallback.

~~~
mthoms
I've not tried it myself, but the title does say the device _won't start_
without it.

------
ChuckMcM
Gotta love Paul's approach. Amazing to see things that break when you run a
black hole DNS server on your inside network. I have a Samsung TV that won't
complete boot until it has verified there aren't any firmware updates at
Samsung. I finally resorted to copying the http response traffic and having a
bit of code on my RasPi return it when the TV asks (it says "no new firmware
for you"). Of course these sorts of tricks will fail when vendors get wise to
them and start returning an encrypted time and date nonce in the response.

~~~
mrweasel
The extent to which modern appliances feel a need to be internet connected is
getting ridiculous. My TV isn't going to be internet connected, even if it's
able to. It simply has no reason to.

Smart TVs in particular should not be a thing. The TV manufacturers have proven
themselves incapable of writing and maintaining software, so at this point they
should accept defeat and just produce the TVs with enough HDMI connections.

~~~
ChuckMcM
> _My TV isn't going to be internet connected, even if it's able to._

I admire your sentiment but recognize that on the current path that means at
some point in the future this choice will mean "I don't have a TV." What is
missed here, and alluded to in other comments, is that the costs for things
are being subsidized by selling the digital exhaust they generate. Creating
more exhaust means more margin, less (or even zero) exhaust means less margin.
Since consumer electronics compete on price, a zero exhaust device will cost
more and won't sell as well. So the market won't produce them. Further, the
ability to convert a consumer device to one that generates zero exhaust will
get targeted, and since there is no way to "win" that race, the final act will
be a consumer device that refuses to operate if its ability to spew digital
breadcrumbs is disrupted. Just like HP "all in one" printers will refuse to
scan a document if they are low on ink. They don't need ink to scan, but the
purpose of the printer is to create a recurring revenue stream for high margin
ink, so all functions are in service to that purpose. Allowing utility that
would mitigate the need to buy ink is unacceptable.

~~~
userbinator
This article from a while back (almost 6 years!) turned me off the idea of
"smart" TVs completely:
[https://news.ycombinator.com/item?id=6759426](https://news.ycombinator.com/item?id=6759426)

Fortunately, you can currently still spend a little extra to "stupify" a smart
TV --- figure out what LCD panel it uses, then replace the "smart" part of it
with a suitable driver board (search the Internet for "HDMI LVDS" --- these
are basically what computer monitors use.) Interfaces are reasonably standard
so they're compatible with a wide range of panels. Example:
[https://www.aliexpress.com/item/10-bit-lvds-controller-for-panel-T420HW08-V1-42-LCD-with-HDMI-VGA-and-audio-Output/32864868790.html](https://www.aliexpress.com/item/10-bit-lvds-controller-for-panel-T420HW08-V1-42-LCD-with-HDMI-VGA-and-audio-Output/32864868790.html)

------
mrcarruthers
My Roku does (almost) the same thing. It defaults to 8.8.8.8 to attempt to
block dns proxies, but if you block 8.8.8.8 on your router, unlike the
Chromecast, it will actually use the DNS server my router provides.

~~~
nickspacek
I believe that this approach also used to work with the Chromecast.

------
cfv
My oven should not refuse to work if my gas pipes are not from the same maker.
The ability to set up my own products to whatever config I like is not an
extraordinary request. Especially when it's the default operating mode with an
off brand product. Google should collectively be ashamed.

------
crankylinuxuser
For those running Linux machines for networking..

    
    
    # Redirect DNS that LAN hosts send to Google's resolvers to this box's own
    # port 53. Forwarded traffic from the network is matched in the nat table's
    # PREROUTING chain; nat OUTPUT only sees packets this machine generates itself.
    sudo iptables -t nat -I PREROUTING --dst 8.8.8.8 -p tcp --dport 53 -j REDIRECT --to-ports 53
    sudo iptables -t nat -I PREROUTING --dst 8.8.4.4 -p tcp --dport 53 -j REDIRECT --to-ports 53
    sudo iptables -t nat -I PREROUTING --dst 8.8.8.8 -p udp --dport 53 -j REDIRECT --to-ports 53
    sudo iptables -t nat -I PREROUTING --dst 8.8.4.4 -p udp --dport 53 -j REDIRECT --to-ports 53
    

What that does, is catches requests coming in from the network going to
Google's DNS, and redirects them to that local machine's port 53 (be it tcp or
udp).

It's an ugly hack, but things like PiHoles can reliably do this with little to
no extra load, _and_ keep the google spy engine off your tracks. But then
we'll have to discuss using a chrome..

------
scrollaway
I'm always shocked at how easy it is for people to fall into the "Google is
evil!!1" trap on such trivial stuff (and funnily enough, much more serious
privacy issues related to Google are ignored/downvoted).

Hardcoded DNS servers are common. _Extremely_ common in a bunch of IOT
devices, given how broken some ISPs are. This is a non-story and the only
reason it's being upvoted is because Google is doing it, and they also control
the DNS server.

You know what _would_ be an actual story though? If Google used Google DNS to
spy on people. If anyone has concrete evidence that they're doing that, _that_
is a big fucking deal. Not some email about a google-complaint-of-the-week.

Edit: To be clear I'd agree that in a high quality product there needs to be a
way to change the DNS servers. Then again, this is a $30 device to hook up
TVs, and I've seen $200 routers lacking that ability.

----

Edit 2, elaborating on the above: You make a cheap device that will likely end
up in millions of homes and your #1 support issue is "It doesn't work [because
my ISP is terrible therefore my network configuration is shit]!". What do you
do? Do you tell your consumers to suck it up and talk to their ISP? Or do you…
hardcode a DNS server that you at least know will work?

"Issues" like this one are non-issues and distract from the myriad of very
real privacy issues coming out of Google. Yes, this _should_ be configurable
at the very least… then again, Google products aren't exactly known for their
wonderful configurability.

~~~
apostacy
This isn't a case of an IOT device though. My Chromecast went through massive
amount of trouble to use Google's DNS servers, to serve ads behind my pi-hole.

It would respect all of my DHCP parameters, but silently ignore DNS settings.

It was clearly intentional to serve ads. I had to set up a firewall to force
it to use _my_ DNS server. And eventually even that stopped working with an
update (which themselves are really hard to block).

I think the Chromecast is the ideal Google device, and a preview of what
Google's model is: It slowly removes features through updates that you cannot
turn off, and would rather fail completely than not be able to serve you ads.

~~~
scrollaway
I can't really entertain the suggestion that pi-holes are considered by Google
as a serious-enough threat that they'd go through this trouble _just_ to fuck
with it.

Seriously, think about the venn diagram of Chromecast users and pi-hole users.
It looks a lot like a tennis ball being dropped into the sun.

~~~
quickben
At a maximum rate of $58 per tennis ball:

[https://www.statista.com/statistics/195680/share-of-keywords-prices-in-google-adwords-advertising/](https://www.statista.com/statistics/195680/share-of-keywords-prices-in-google-adwords-advertising/)

~~~
mrep
Mesothelioma cost $319 5 years ago and I'm pretty sure it's only gone up since
then: [https://www.adgooroo.com/the-most-expensive-keywords-in-paid-search-by-cost-per-click-and-ad-spend/](https://www.adgooroo.com/the-most-expensive-keywords-in-paid-search-by-cost-per-click-and-ad-spend/)

------
koolba
This is pretty crappy and is the type of thing that would prevent you from a
bunch of purely local use cases like pointing it at your local media server.

Is this _the_ Paul Vixie?

~~~
fixermark
I don't think it prevents streaming from a local media server, as that use-
case is already supported.

[https://allaboutchromecast.com/chromecast-how-to-guide/comparison-of-5-methods-for-streaming-local-media-files-to-chromecast/](https://allaboutchromecast.com/chromecast-how-to-guide/comparison-of-5-methods-for-streaming-local-media-files-to-chromecast/)

------
ctime
It's not just this device, it's others like the Google Home.

Why? Because ISPs and home networks are awful a non-trivial amount of time. It
also gives leverage to Evil ISPs to hold Google ransom for the DNS queries
needed to make the thing work properly.

I don't think the average person knows or cares how fragile the internet
actually is (unless, of course, you happen to live in China, which actively
manipulates and breaks DNS routinely for glorious reasons)

------
EastSmith
We desperately need PrivacyFirst product reviews with 1 to 5 ratings, links to
buy, reviews, etc. Someone please build it and put your referral links there -
I will click on them all.

Recently I wanted to buy home speakers and realized that all devices with top
reviews need an app to function, and I need to agree to some privacy terms,
etc.

We need to have old school products where I am giving you X bucks and you
leave me alone.

------
imagiko
I'm a dumdum when it comes to understanding stuff about DNS. Why is this bad,
and are there any good resources for understanding how these are used by
companies to extract more information about our habits?

~~~
pbhjpbhj
If someone controls your DNS they can monitor and/or control your internet
traffic flow.

Like controlling your phone exchange, one can either watch who you connect to,
or connect you to other phones regardless of the phones you try to connect to.

~~~
kllrnohj
Except in this case nobody is controlling your DNS, as Chromecast doesn't let
you make arbitrary DNS requests via it.

So Google/Chromecast only knows what DNS lookups Chromecast makes, which
changes nothing with regards to privacy or anything else. It can't watch what
you're doing, it can't snoop on your web traffic, etc...

------
deagle50
DNAT 8.8.8.8:53 back to your own DNS server.

~~~
brandeded
Came here to say exactly this. Why even make a fuss about it? Bro, do you even
NAT?

The argument is Google can record what you're sending your Chromecast. Well,
(sorry for the crudeness) no shit... You're using Google hardware. If you're
going to act like the DoD and not use Huawei switches, then don't use Huawei
switches.

If you so choose, you must look at Google as malevolent as the US DoD would
see an attacking nation state, and actively do things about it (like not buy
their hardware). Otherwise, shut yo trap.

~~~
mthoms
Cool, I'll be sure to tell my mother-in-law that if she's concerned about her
privacy, she just needs to use NAT "bro".

~~~
growse
Tell her that if she's worried about Google spying on her, it's probably best
not to buy a Google-made device with Google-owned software on it transmitting
usage data back to Google.

~~~
mthoms
This may be fair for "free" service like search. It gets way more complicated
when the consumer is (a) paying for the device, (b) paying for the content
they consume and (c) paying for the bandwidth it uses.

All I have to do now is explain to my mother-in-law that she hasn't paid
"enough". I'm sure she'll totally understand.

------
hannob
Given that ISPs like to play with traffic and have been using censoring DNS
servers again and again I can't blame Google for taking away one piece of
potentially failing networking infrastructure and using their own.

It's not nice, but it's not Google who started this.

~~~
joshstrange
You are missing the point, it's not that they first try 8.8.8.8 then fall
back to ISP/defaults, they are requiring 8.8.8.8 for DNS which is BS.

~~~
hannob
If they would fallback to the ISP's DNS server they'd encourage the ISP to
block access to their DNS, which arguably would be even worse.

~~~
mthoms
Honest question: is that even legal?

~~~
CobrastanJorji
In the US? Oh man, it's even worse than that. ISPs can probably legally choose
to block whatever, including editorially blocking content they find offensive.
Your ISP could legally choose to just start blocking port 443 because they
want to make sure you're not looking at anything inappropriate. Comcast will
straight up mutate HTML content sometimes to insert their own JavaScript:
[https://news.ycombinator.com/item?id=15890551](https://news.ycombinator.com/item?id=15890551)

------
bubblethink
This is not necessarily to force ads, although that is a good side benefit.
It's more to force geoblocking of content which smartdns operators circumvent.
Chromecast is, after all, a consumption device. If you stop consuming things
you are fed, what are you?

------
Fnoord
I have and use a Chromecast Ultra and redirect all traffic outward to port 53
to an internal DNS server which blocks ads and utilizes DNSSEC. I don't block
8.8.8.8 specifically though, but it cannot be used by normal means as it would
get redirected.

------
kissgyorgy
My bigger issue with this kind of behavior (besides that I have the exact same
issue with it) is that I can't watch anything even from my local network when
the internet is down from my ISP. Very frustrating.

------
jdc0589
Ouch. I've got a free 4k Apple TV on the way I was planning on selling, but I
may sub it in for my old Chromecast....

No way I'm turning pihole off, and I'm not gonna get a legit router setup to
reroute 8.8.8.8.....

------
fixermark
This guy sure is angry that his consumer electronics device is architected to
be maximally convenient to set-up and use for the common user.

He may want to consider an alternative product. Or use his 1337 hacker skills
to modify his already-customized local routing configuration to just do the
thing this consumer electronics device is assuming is standard (i.e. accessing
services by IP on the Internet) by telling his network to proxy 8.8.8.8 to
some other IP he designates.

~~~
bobthedino
Not sure what you meant by "1337 hacker skills" (sounds sarcastic to me) but
the guy in question helped create the Domain Name System!

~~~
fixermark
I know, and yes, it was intended to be sarcastic. ;)

He of all people should understand that the practical implementation of DNS
and DHCP has become so broken by bad-acting ISPs that consumer electronics
devices end up side-stepping the spec entirely so the thing works for the
common consumer user.

~~~
bobthedino
Fair enough!

------
hendersoon
I redirect all outbound DNS queries from my untrusted/IoT and guest VLANs to
an internal caching DNS server for this reason. I use Pihole [1] which also
blocks ads in mobile apps and such, very convenient.

Providing a DNS server via DHCP is insufficient as many IoT devices ignore it
for tracking purposes. Similar deal with blocking port 53 outbound, they just
refuse to work.

[1]: [https://pi-hole.net/](https://pi-hole.net/)
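
The two checks this thread keeps circling back to, oarsinsync's suggestion earlier in the thread to actually look at a capture of your own DNS traffic to see whether something upstream is intercepting it, and hendersoon's point above that IoT devices simply ignore the DHCP-provided resolver, can both be done offline against a packet capture. The script below is an added example written for this page; it is not code from the thread or from any poster, and it is not Google's or Pi-hole's. It assumes a LAN where DHCP advertises 192.168.1.1 as the resolver, uses a canary name under the reserved `.invalid` TLD (which no honest resolver can answer), and runs over a constructed sample capture embedded in the script rather than a real pcap; the `203.0.113.53` "ISP resolver" and the `192.168.1.42` "streaming stick" are made up for illustration. To use it on real traffic you would feed it UDP datagrams decoded from your own capture.

```python
"""Offline triage of captured DNS datagrams (added example, not from the thread).

Check 1: which LAN clients query a resolver other than the DHCP-advertised one
         (a device with 8.8.8.8/8.8.4.4 hard-coded shows up here).
Check 2: which resolvers answer a name that must not exist, i.e. rewrite
         NXDOMAIN into an A record (the ISP ad-page trick).
Only the DNS header and question section are parsed; nothing touches the network.
"""
import struct
from dataclasses import dataclass

# Assumption for this example: the resolver DHCP advertises on this LAN.
DHCP_RESOLVER = "192.168.1.1"
# Canary names that must never resolve; ".invalid" is reserved (RFC 2606), so any
# resolver that returns an answer for it is rewriting NXDOMAIN.
CANARY_NAMES = {"nxdomain-canary.invalid"}


@dataclass
class Datagram:
    """One captured UDP datagram: endpoints plus the DNS payload."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(buf, off):
    """Decode an uncompressed name at buf[off]; return (name, offset after it)."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:  # compression pointers never appear in a question section
            raise ValueError("compressed name in question section")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(txid, name, qtype=1):
    """Standard recursive query for `name` (used to construct the sample capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, rcode, rdata=None):
    """Response to an A query; 4-byte rdata adds one A record, otherwise none."""
    answers = 1 if rdata else 0
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, answers, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if rdata:
        # Answer RR: pointer to the question name, type A, class IN, TTL, rdlength, rdata
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return msg


def parse_dns(payload):
    """Return header fields and the single question of a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1:
        raise ValueError("unsupported QDCOUNT")
    qname, off = decode_name(payload, 12)
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x0F,
            "qname": qname, "qtype": qtype, "ancount": ancount}


def triage(datagrams):
    """Return ({client: {resolvers used instead of DHCP_RESOLVER}}, {rewriting resolvers})."""
    bypass, rewriting = {}, set()
    for d in datagrams:
        msg = parse_dns(d.payload)
        if d.dport == 53 and not msg["is_response"] and d.dst != DHCP_RESOLVER:
            bypass.setdefault(d.src, set()).add(d.dst)
        if (d.sport == 53 and msg["is_response"] and msg["qname"] in CANARY_NAMES
                and msg["rcode"] == 0 and msg["ancount"] > 0):
            rewriting.add(d.src)
    return bypass, rewriting


# Constructed sample capture (not real traffic): a laptop using the DHCP resolver,
# a streaming stick talking to 8.8.8.8/8.8.4.4 directly, the LAN resolver correctly
# returning NXDOMAIN (rcode 3) for the canary, and an "ISP resolver" in the
# 203.0.113.0/24 documentation range answering the canary with an A record.
SAMPLE_CAPTURE = [
    Datagram("192.168.1.20", "192.168.1.1", 51000, 53, build_query(1, "example.com")),
    Datagram("192.168.1.42", "8.8.8.8", 40001, 53, build_query(2, "example.net")),
    Datagram("192.168.1.42", "8.8.4.4", 40002, 53, build_query(3, "example.org")),
    Datagram("192.168.1.20", "192.168.1.1", 51001, 53, build_query(4, "nxdomain-canary.invalid")),
    Datagram("192.168.1.1", "192.168.1.20", 53, 51001, build_response(4, "nxdomain-canary.invalid", 3)),
    Datagram("203.0.113.53", "192.168.1.20", 53, 51002,
             build_response(5, "nxdomain-canary.invalid", 0, bytes([203, 0, 113, 80]))),
]

if __name__ == "__main__":
    hosts, rewriters = triage(SAMPLE_CAPTURE)
    for client, resolvers in sorted(hosts.items()):
        print(f"{client} bypasses {DHCP_RESOLVER}: {sorted(resolvers)}")
    for r in sorted(rewriters):
        print(f"{r} rewrites NXDOMAIN for canary names")
```

On the sample capture the stick is reported as bypassing the LAN resolver for both Google addresses, and the constructed ISP resolver is reported as rewriting NXDOMAIN while the LAN resolver is not. Note that check 1 only finds plain port-53 traffic; a device that has moved to DNS over HTTPS, as several comments above anticipate, looks like any other TLS connection and needs a different approach.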

------
walrus01
Something that's always highly amusing is when people _who have no idea who
Paul Vixie is_ try to school him about anything DNS related...

Never fails to make me chuckle.

------
accrual
I don't disagree that this is a Bad Thing.

I like to use a BSD based router and a PF firewall. My solution:

    
    
        match in on $i inet proto udp from any to !($i) port {53 123} rdr-to ($i)
    

"Any UDP packet destined for port 53 (DNS) or 123 (NTP) that is not the
gateway ("$i"), redirect them to gateway ("$i")."

The gateway has daemons listening and caching requests for performance. The
client has no idea this is happening.

It works great for me.

------
r3vrse
Just static route Google DNS back to your gateway. Works fine for me.

As others have said though, who buys a Google device thinking it's not gonna
talk to Google?

------
sasasassy
Chromecast didn't even need a Google account a while back. Now (last few
years) it forces it on you for no discernible reason. Supposedly now you can
use their Google Home app to search for apps to install that work with
Chromecast, which is already possible in the Play Store. The easy solution is
to use an old version.

------
muppetman
I reject (not just drop, reject as in send back an ICMP message) 8.8.8.8 and
8.8.4.4 in my home network, and my Chromecast Ultra works just fine. I know
it's talking to the PiHole too because I see it in my logs.

So I don't believe the OP, even though it's the living legend that is PV.

------
leowinterde
Very questionable, as fallback possibly ok but not forced. Is it the same with
home mini devices?

~~~
dastx
I confirmed a while ago that this is the case. Google Home, Google Home
Mini. Netflix seems to do this as well with their apps.

------
llacb47
This might explain why whenever I use a different DNS, some google subdomains
refuse to connect.

------
homero
My router enforces quad9 and my Chromecast is fine. How's that different?

Maybe my router masquerades the dns port and answers vs blocking other dns
outright?

------
johnmarcus
Why didn’t he just return the device if he doesn’t like the way the Google
product used Google services to function?

------
sadris
Just DNAT 8.8.8.8 to your DNS server.

------
chemmail
So this guy is complaining that he is using a Google product to use another
Google product and needs to use Google in between to have that happen. Right.

------
collsni
1-to-1 NAT your traffic, that is what I did.
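The redirect, reject and NAT tricks in this thread (the PF rdr-to rule above, rejecting 8.8.8.8/8.8.4.4 with an ICMP error and watching the logs, DNAT or 1-to-1 NAT of 8.8.8.8, a static route back to the gateway, and the point near the top that a DHCP-supplied resolver is ignored by some devices) are all the same idea: the gateway, not the device, decides where port 53 goes. The script below is an added example and not code from any poster; it targets a Linux gateway with nftables 0.9 or newer, and the interface name eth1, the gateway address 192.168.1.1 and the kernel log lines in SAMPLE_LOG are all placeholders constructed for the example. It (a) produces an idempotent ruleset that redirects plain DNS/NTP to the gateway's own daemons and logs-then-rejects anything else still aimed at Google Public DNS, and (b) summarizes those log lines per client so the bypass attempts are visible. Whether a given Chromecast still starts behind such rules is exactly what the thread disagrees on; the ruleset only controls what the device can reach and records what it tried.

```shell
#!/bin/sh
# Added example, not code from the thread: nftables equivalent of the PF rdr-to
# rule for a Linux gateway, a reject-and-log rule for Google Public DNS, and a
# summarizer for the resulting kernel log lines.
# Assumptions: nftables >= 0.9 (for "priority dstnat"); LAN interface "eth1"
# and gateway address 192.168.1.1 are placeholders, as is SAMPLE_LOG below.

# Print a self-contained, idempotent ruleset. Nothing is applied here.
gen_dns_rules() {
    lan_if="$1"
    gw_ip="$2"
    cat <<EOF
add table inet dns_enforce
flush table inet dns_enforce
table inet dns_enforce {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Plain DNS (udp/tcp 53) and NTP (udp 123) from the LAN that is not
        # already addressed to the gateway goes to the gateway's own daemons.
        # conntrack un-NATs the replies, so the client sees answers from the
        # address it asked, the "client has no idea" property of the PF rule.
        iifname "$lan_if" ip daddr != $gw_ip udp dport { 53, 123 } redirect
        iifname "$lan_if" ip daddr != $gw_ip tcp dport 53 redirect
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Anything else still aimed at Google Public DNS (DNS over TLS on 853,
        # a reachability probe, ...) is logged and refused with an ICMP
        # admin-prohibited instead of being silently dropped.
        iifname "$lan_if" ip daddr { 8.8.8.8, 8.8.4.4 } log prefix "dns-bypass: " reject with icmpx type admin-prohibited
    }
}
EOF
}

# Load the ruleset atomically; refuse unless nft exists and we are root.
apply_dns_rules() {
    command -v nft >/dev/null 2>&1 || { echo "nft not found" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 2; }
    gen_dns_rules "$1" "$2" | nft -f -
}

# Constructed sample of what the kernel logs for the reject rule above (the
# field layout follows the nftables log target; hosts and times are made up).
SAMPLE_LOG='Nov  2 21:14:03 gw kernel: dns-bypass: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=41234 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0
Nov  2 21:14:04 gw kernel: dns-bypass: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=8.8.4.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=41235 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0
Nov  2 21:14:09 gw kernel: dns-bypass: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=41236 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0
Nov  2 21:15:10 gw kernel: dns-bypass: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:08:00 SRC=192.168.1.77 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1'

# stdin: kernel log lines; stdout: "count src dst proto dport", busiest first.
# Lines without a DPT field (ICMP) get "-" as the port.
summarize_bypass_log() {
    awk '/dns-bypass:/ {
        src = ""; dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        n[src " " dst " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# With no argument print the ruleset; with "apply" load it.
if [ "${1:-}" = "apply" ]; then
    apply_dns_rules "${LAN_IF:-eth1}" "${GATEWAY_IP:-192.168.1.1}"
else
    gen_dns_rules "${LAN_IF:-eth1}" "${GATEWAY_IP:-192.168.1.1}"
fi
```

Two limits worth knowing before trusting this: the rules are IPv4 only (an IPv6 resolver address announced by the device's firmware is untouched), and DNS over HTTPS on 443 is indistinguishable from ordinary HTTPS at this layer, so it can neither be redirected nor rejected here. The redirect lives in prerouting and the reject in forward, so the gateway's own resolver (a Pi-hole, say) can still use whatever upstream it is configured with; only forwarded client traffic is affected.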

------
reneberlin
No more wonders?!

------
reneberlin
tl;dr shortcut: expectation doesn't "meat" crushed tech stack. Maybe there is a
wetware problem to be solved. (It's Friday night, guess I'm too drunk to be
expected gentle conv.)

------
Zecar
This is really shady of Google to do, and the fact that they think that it's
acceptable just shows how far we've come. "Don't be evil" apparently means
"spy on people, censor based on politics, help dirtbags stuck in the 12th
century treat women as property, and assist totalitarian regimes to stay in
power and censor their populace".

Google is literally cartoonishly evil at this point. That slogan of theirs is
an absolute joke.

~~~
givinguflac
Oh they know, it’s why they got rid of it and it lives on as a sub note in
employee guidelines. Because no one reads those.

------
gsich
Shitty device then. Or is there a legitimate usecase for such behaviour?

~~~
isostatic
Google DNS came about because of a very real problem of shitty ISPs giving
shitty DNS servers that gave fake results (especially in NXDOMAIN cases).

I can see why you would want to use a known-good dns provider in your product,
however at the very least there should be an ability to turn off such
behaviour.

~~~
vetinari
It is not shitty ISPs giving fake results.

It is me. My resolver does that and it is for a reason. Disrespecting what the
local network tells you to use just leads to arms race.

~~~
creeble
This is easy to say until you've found yourself supporting tens of thousands of
devices across the world and are the guy who gets the support calls when people
complain about (what turns out to be) broken DNS servers at hundreds of ISPs.

People who buy little internet devices usually don't respond well to "it's
your ISP" when their day-to-day web browsing experience is just fine to them.

If your resolver does that, you're going to be the 0.01% that complains,
rather than the 2-5% that is crushing customer support.

Not saying that makes it "right", just saying it fixes it.

~~~
vetinari
I know that it looks just like a quick fix, and it gets things done.

However, that quick fix does damage. Why not use it just as a fallback? Why
use it when everything works right?

~~~
creeble
Because it often doesn't work right, and there's no way to tell.

One of the most common complaints we get is that things "are slow to start" or
that "I click and it's slow to respond". After long and expensive remote
diagnosis, this turns out to be slow DNS, and 8.8.8.8 fixes it. Falling back
to it wouldn't change the user experience.

------
optimuspaul
I don't understand, why does he have a google product if he doesn't want to
support google?

------
nemonemo
From this post, it is unclear whether the DNS given by DHCP should be 8.8.8.8,
or the device only needs reachability to 8.8.8.8. I think if the latter is
true, it seems acceptable, given the internet can be unpredictable, and Google
network reachability would be correlated among services.

~~~
izuchukwu
I could be misunderstanding, but if subsequent requests are to be made with
the DNS provided by DHCP, reachability to 8.8.8.8 would only be helpful to
disambiguate what kind of network error is causing a failure to make network
calls regularly. Otherwise, reachability would be best tested with, for
example, a Google domain using the provided DNS.

