

OpenDNS warns about Google DNS - cr4zy
http://www.forbes.com/sites/eliseackerman/2012/02/25/a-closer-look-at-google-public-dns/2/

======
jemfinch
"We don’t persist logs for our users without accounts and configured networks,
I’m not sure Google makes the same statement."

What FUD. Was this statement from the FAQ[0] not explicit enough? "With Google
Public DNS, we collect IP address (only temporarily) and ISP and location
information (in permanent logs) for the purpose of making our service faster,
better and more secure. Specifically, we use this data to conduct debugging
and to analyze abuse phenomena. After 24 hours, we erase any IP information."

Or what about this more detailed explanation[1] on the linked privacy page?
[Originally posted, but removed on account of formatting issues]

If you don't know the answer to a question about a competitor's service, the
appropriate, ethical thing to say is, "I don't know." When you say, "We do
<good thing X>, I don't know if they do," you are by your omission sowing the
seeds of fear, uncertainty, and doubt in the audience, for your economic
reasons.

[0] <http://code.google.com/intl/en-EN/speed/public-dns/faq.html#privacy>

[1] <http://code.google.com/intl/en-EN/speed/public-dns/privacy.html>

~~~
huhtenberg
This might be a poorly written article, but it does lead to an interesting
question - what does Google expect to get back from offering a DNS service for
free?

They couldn't keep group archives up due to the "maintenance overhead", so
they are cost-conscious. They are way beyond being "no evil", so this is
hardly a charity for a greater good. There must be _the_ reason.

Changing the privacy policy is a very simple thing to do. Today they don't
recycle any DNS info, but - _click_ - and tomorrow they suddenly do. And
being in the business of cross-correlating anything and everything, I can't
imagine how tempted they are. So the question is this - should they announce a
change to the privacy policy, how many sysadmins and laymen will get off their
lazy asses and switch away from Google? And how many would notice the change
to begin with.

~~~
tedivm
While they may erase "IP information", that doesn't mean they've erased the
aggregate data. They could easily take a list of the actual domains and figure
out how popular they are in various regions based off of the dns queries
against them.

~~~
chc
OpenDNS could do this too. I don't see how this is a disturbing outcome. If
Google wanted this information, it wouldn't really need GDNS (and it's
probably not even the best way for Google to do it).

------
waffle_ss
I switched from OpenDNS to Google for DNS because I was tired of seeing ad
pages when I mistyped a domain name in my browser. At least Google isn't
hijacking NXDOMAIN results to make money. You can check your own DNS provider
for this behavior as well as others with Berkeley's Netalyzr[1] Web service.

[1]: <http://netalyzr.icsi.berkeley.edu/>
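
Added example, not part of the thread: a minimal Python check for the NXDOMAIN rewriting described in the comment above. It parses a raw DNS reply to a probe for a name that cannot exist and reports whether the resolver answered NXDOMAIN or substituted an address; the function names, the `test.invalid` probe and the sample reply bytes are constructed for illustration.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:                # root label ends the name
            return off
        off += length

def parse_response(msg):
    """Return (rcode, [IPv4 strings from A records in the answer section])."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def classify_probe(msg):
    """Classify the reply to a query for a name that cannot exist."""
    rcode, addrs = parse_response(msg)
    if rcode == 3:
        return "nxdomain"              # spec-compliant: the name does not exist
    if rcode == 0 and addrs:
        return "rewritten"             # resolver substituted an address
    return "other"                     # SERVFAIL, empty NOERROR, etc.

def sample_response(rcode, addrs=()):
    """Build a constructed reply for 'test.invalid' A/IN (sample data only)."""
    q = b"\x04test\x07invalid\x00" + struct.pack("!HH", 1, 1)
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(a)
                   for a in addrs)
    return hdr + q + rrs

HONEST = sample_response(3)                         # constructed NXDOMAIN reply
REWRITTEN = sample_response(0, [(192, 0, 2, 10)])   # constructed, documentation address
```

In practice the reply bytes would come from a UDP query for the probe name sent to the resolver under test.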

~~~
mike-cardwell
Why didn't you just opt out of the ads? Google can subsidise their DNS service
with their other profit making products. OpenDNS needs an actual business
model, and they offer you a clean DNS feed if you want one.

~~~
waffle_ss
Well, it's mostly because Google just works "out of the box" for what I need,
but also because in order for OpenDNS to associate a dynamic IP address to an
OpenDNS account, you have to run some proprietary software[1] to notify their
service when your IP address changes. It looks like they don't have a Linux
client available, and to spend the amount of time trying to get a setup like
this to work for me, I could probably just as easily set up DNS caching on my
home server.

[1]: <http://www.opendns.com/support/dynamic_ip_downloads/>

------
jonknee
What a poor article. Full of "I don't know", "maybe" and just plain FUD. The
fact is between Google and OpenDNS, only one makes money at it. Google
provides DNS because it makes the internet more reliable, which helps their
business. OpenDNS provides DNS so they can sell you stuff (or ads).

<http://code.google.com/speed/public-dns/faq.html>

<http://code.google.com/speed/public-dns/privacy.html>

That's more information than anyone should need for Google DNS.

------
udp
Please use the original title where possible - even if "OpenDNS warns about
Google DNS" is going to get you more upvotes than "A Closer Look at Google
Public DNS".

------
sixcorners
Is there a way to use OpenDNS from any location and permanently opt out of
their NXDOMAIN hijacking? I know you can configure it from their website but
you can only control your own domains so it doesn't work when you access a
wifi hub. You also have to run that daemon all the time which seems like a
slightly bigger privacy concern.

> We don’t persist logs for our users without accounts and configured
> networks, I’m not sure Google makes the same statement.

Does that mean that both my DNS requests AND my HTTP requests to whatever
webserver is intercepting my requests to test.invalid
(<http://guide.a.id.opendns.com/?url=test.invalid>) are not being logged? Does
that mean my requests on wifi hubs that are configured with OpenDNS are being
logged?

What does it mean to discourage automated DNS lookups? What else do I use it
for? dig?

Couldn't one argue that it is a good idea to keep the number of companies that
have access to your information low? From that perspective wouldn't it be
prudent to use Google for everything?

~~~
pbhjpbhj
> _NXDOMAIN hijacking_ //

You and waffle_ss both mention this, can you expand on what problem you're
facing. I use OpenDNS because of the filtering abilities and because I found
on test that they were marginally faster for me than Google.

Next to never do I see their domain redirect page and whenever I have it's
always had the domain I've been after at the top of the page - for example,
<http://guide.opendns.com/?url=ycambinator.com>. Yes it has a couple of text-
ads but for the 2-3s you're on the page I can't see that I really have any
problem with this at all ... it's way less intrusive than the ads on most
websites now.

So what's the issue? Is it really akin to being robbed at gunpoint?

~~~
chc
You seem to be taking offense to something that wasn't said. The term
"hijacking" is used here in much the same sense as "signal hijacking" or the
program Audio Hijack. The relevant part of the "hijack" imagery is forcibly
taking over the way a transport. It essentially means they are causing DNS
requests to return against-spec responses.

~~~
pbhjpbhj
Hyperbole blah-blah-blah.

> _they are causing DNS requests to return against-spec responses_ //

That's part of their service. If there was no way to switch it off then I can
understand being annoyed but you can just choose to use your ISP's DNS.

It just appeared to me that both comments concerning this were of the form
"ZOMG they has borken my internetz"; could be I read the tone wrong.

So anyway, for the service that OpenDNS are offering is it wrong of them to
simplify the situation for users making mistakes entering domain names in
their browser?

~~~
chc
I think "wrong" is a good word for it. Users typing things into an address
field in a Web browser is not the only use case for DNS, but this breaks DNS
for the whole system, which is the wrong solution. Correcting mistakes in the
address field is something browsers should take care of. Firefox and Chrome
both do — I know Safari doesn't, and I can't remember what IE does. In fact,
Chrome has to employ a rather ugly hack to work around this behavior from
noncompliant DNS servers.

~~~
pbhjpbhj
> _not the only use case for DNS_ //

Of course. But I think that's exclusively the use case that OpenDNS target in
their consideration of non-resolving domains.

------
mike-cardwell
It's so easy to install a local copy of Unbound on your desktop, even on a
Windows box. I'm surprised when I see hackers using Google or OpenDNS rather
than using their own DNS resolver. Unbound supports DNSSEC too.

~~~
icebraining
The two are not incompatible: I run my own DNS resolver (dnsmasq) which I
configured to recurse to Google DNS.

The problem is that any domain lookup requires at least two requests: one to
the root servers to find out the domain's nameserver, and one to that
nameserver to find out its actual records.

Google has so many users that it's very unlikely that it isn't already in
cache, but as a single user of my own resolver, I'd have to pay that penalty
for each domain every couple of hours or less (there are some ridiculously low
TTLs out there).

Frankly, I think it's worth it.

~~~
stock_toaster
I am sure you realize, but by pointing to Google DNS, you are making your CDN
edge request performance _worse_ (in general).

CDNs using GeoDNS will assume your location is the google DNS servers[1], and
will use the closest edge node. You would likely get better performance with
some sites (those using big expensive CDNs) if you pointed to your ISP's
recursors (or used unbound to be your own).

[1]: Google's DNS servers are likely anycast multi-homed as well, so it may
not be quite as bad as if google only had a couple of centrally located
servers. It would still likely skew your closest CDN Edge node a bit.

------
secure
I think both the headline is wrong (I don’t see where they explicitly warn
people, can someone point it out?) and the interview contains no actual facts.
The only statements are "probably" and "I’m not sure"…

~~~
justsee
The warning is at the end of the article:

"I think Google controlling search, the browser, and the network or DNS layer
is a dangerous trifecta that the consumer will probably be best served
avoiding"

> the interview contains no actual facts

The headline never asserted the article contained facts though? A brief
article that contains someone's thoughts is fine by me.

I see nothing disagreeable in the argument that consumers should avoid
consolidating all their network activities so those activities route through
one advertising corporation.

~~~
jemfinch
Why do you consider the marketing opinion held by one company of its
competitor interesting, let alone worthy to be posted here?

------
twiceaday
A company warns about its competitor without any substantial claims.

------
gpmcadam
Was there a reason for linking in at page 2?

First page, for those that didn't realise:
<http://www.forbes.com/sites/eliseackerman/2012/02/25/a-closer-look-at-google-public-dns/>

------
ksec
In the end it is about trust. Sometimes I just wish ISPs would provide better
DNS services.

~~~
fpgeek
This. A thousand times this. The issues I've had with ISP DNS...

ISP A making their very fast service look dog-slow with terrible DNS (and a
terrible wireless router, to boot). ISP B sending mangled responses to some
popular requests including facebook.com (which is what made fixing it a
priority in my household) and so on...

------
pasbesoin
This is really a nothing article: It (rightly) warns, very generally, about
(over) consolidation of services, but beyond that says nothing specific.

~~~
jemfinch
Google's public DNS is not consolidated with _any_ other Google services. From
its privacy page[0]: "We don't correlate or combine your information from the
temporary or permanent logs with any other data that Google might have about
your use of other services, such as data from Web Search and data from
advertising on the Google content network."

Warning about consolidation of services would very much be _wrong_ in this
situation.

[0] <http://code.google.com/intl/en-EN/speed/public-dns/privacy.html>

~~~
pasbesoin
Well, that's kind of why I threw in the "very generally" part.

It's good to know / have some confirmation (?), though, that Google's handling
of DNS query data will not change as part of the ongoing Privacy Policy
revision and user accounts data consolidation. (I commented / queried on this
point a few weeks ago, in another thread.)

