Hacker News new | comments | ask | show | jobs | submit login
Google Public DNS turns 8.8.8.8 years old (googleblog.com)
197 points by tomweingarten 6 months ago | hide | past | web | favorite | 172 comments



Google's DNS service is interesting. I was never really sure what the business case for operating a public DNS resolver is, for any company really, but it was warmly welcomed when it was unveiled, at least for me. At the time, the public DNS resolvers I can recall were mostly oriented around blocking content.

A lot of people are worried about the privacy implications of using Google's DNS resolver. Paranoia is good, but it's probably overblown here. As far as I know, the primary objective of the project is to provide a fast, accurate DNS resolver, not to collect data. So much so that when it launched, it was originally called 'Honest DNS', as you can see on this bizarre Twitter account: https://twitter.com/honestdns

edit: Also of interest, Google does disclose exactly what data is logged, for the paranoid and curious: https://developers.google.com/speed/public-dns/privacy

(Disclaimer: I work for Google, but not on this. All of my knowledge of this service comes from being an end user, on the outside. Hopefully I didn't mess up any of the details.)


> Google's DNS service is interesting. I was never really sure what the business case for operating a public DNS resolver is, for any company really, but it was warmly welcomed when it was unveiled, at least for me. At the time, the public DNS resolvers I can recall were mostly oriented around blocking content.

They introduced it as ISPs were starting to inject advertising via their own DNS, which competes with Google's core business (it's easy to forget that the overwhelming majority of Google's revenue comes from advertising). That's not to say this isn't a good move from Google, but it's very much aligned with their business interests.


> They introduced it as ISPs were starting to inject advertising via their own DNS ...

This is mentioned in TFA, along with a Wikipedia link [0] to an entry mentioning several errant ISPs who "use DNS hijacking for their own purposes, such as displaying advertisements".

[0] https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_...


> They introduced it as ISPs were starting to inject advertising via their own DNS

cough OpenDNS cough


Here's the deal. When you have Google resources and Google ambitions, you don't need an immediate strategy to justify doing something like supplying a free public DNS. Just do it because it's yet another capture of a resource. Maybe it'll be useful in the future.


> I was never really sure what the business case for operating a public DNS resolver

I always assumed it was to improve speed and security on the web.


Which Google believes to be good for their business too. It’s not such a mystery, or shady.


I agree with you and can only add that at some point, obsessing over information collection from stuff like this is a waste of life. Yes, privacy is important. Focusing on it to the point of obsession, as so many of us do, is just time that could have been imbued with much more meaning in light of our limited time here.


I think Google's motivations are likely to include protecting the internet, as they are the incumbent in so many spaces. Problems honestdns solves:

First, outright faking of dns resolution. Maybe to switch ads on internet pages. Maybe to falsify the pages entirely. Remember how internet in hotels worked 10 years ago ?

Second, lying to improve cost metrics for isps. Say, lying to cdns'es about the users location to use the cheapest connection for the isp. Or just lying to give users a bad connection and save on bandwidth.

Third censorship. Mostly dumb organisations' censorship. School networks in early 2000s are a good example.

Fourth, special support for a number of their products. Starting with, of course, their own cdns, but I don't think it'S limited to that.


Surveillance capitalism is one of the big topics of our times, and the outcome of this confrontation between individual rights and corporate greed will influence generations to come. At the same time, it's one more chapter in the history of capital vs. labour: whichever advantages will be extracted from the massive information imbalance will go to the few, to the detriment of the many.

I'm not sure you truly comprehend that a few dozen individuals have access some of the most intimate details on the lives of billions of people and they can do pretty much whatever they like with that, barring any roadblocks from the impotent US privacy laws. And not being part of the game is not really an option any more when almost all your friends and relatives are playing.

This is crazy when one thinks about it: whether I want it or not, my information will end up in the databases of some corporation. And I was born before this craziness, but a significant number of people will have their whole lives stored there and the only way to have a modicum of control over our data is the GDPR.

All the vulnerable aspects of an individual - finding a home, a job, getting medical care, etc - can be influenced through the power of information. Undesirable individuals can be harmed or effectively excluded from society without them even suspecting it. But undesirable is such an abstract word... in the past this meant women, homosexuals, jews, union leaders, religious leaders, journalists and so on.


The primary aim may not be to collect data, but Google does seem to like to collect data.

Even without tieing queries to users, DNS logs combined with Google Play activity and Chrome activity probably gives Google a lot of business intelligence about other companies.


Google claims they do not do this.

>We don't correlate or combine information from our temporary or permanent logs with any personal information that you have provided Google for other services.

Seems pretty clear cut.


But isn't it still very valuable to be able to see for instance: 400% week over week increase of dns requests to hot-new-ios-app.com. Doesn't matter what users, the aggregate trend is important. Similar to how FB uses their proxy app data to buy rising apps.

I haven't read the use policy maybe there is another line item saying they don't use this aggregate data?


I have no objection to them using aggregate data of that form.

It can be collected from a bunch of other sources (eg. Alexa top domains). It also probably isn't a very good indicator. time.ntp.org probably gets a lot of hits...


Yeah I mean they do have Google search, google analytics, play store etc. Plus apps on Firebase/cloud if they really wanted too though I trust they wouldn't.


"that you have provided" is very vague. I don't voluntarily provide Google with much information but I'm sure they know a lot about me.

Also it doesn't protect non-personal entities such as companies.


What makes you think they aren't lying?


I don't think anyone is trying to tell you who to trust or that Google is trustworthy. If you're concerned about DNS privacy then you're probably already not using Google DNS.


Yeah, I'm not sure what kinds of data Google might get from being a DNS resolver that it doesn't already get from people using Google Search.

Maybe competitive analysis (like, to get rough real time numbers of people that use Bing, etc.)? Though that's super niche and there's probably way cheaper ways to get that data.

Maybe it's a Fiber or internet.org kind of play, where by improving infra and access, you expand your own already-saturated market.


> Maybe it's a Fiber or internet.org kind of play

Maybe this is the exact reason + some data mining bonus (Not important, but Google can still do it).

Also, if Google is an ISP, without hosting it's own DNS service (Have to rely on other ISP's service) is dangerous.


>some data mining bonus

Its worth noting that Google publicly documents what data they retain from their DNS service requests.

https://developers.google.com/speed/public-dns/privacy


Yeah, I'm not sure what kinds of data Google might get from being a DNS resolver that it doesn't already get from people using Google Search.

They get to know all your non-HTTP(S) traffic too, of course. Other protocols still exist! Where you make POP3/IMAP/SMTP connections, where you SSH to, that kind of thing.


Google has done nothing so far to substantiate any trust in them. The "don't be evil" motto was abandoned.

It is a business that relies on collecting data, monetizing it, and using it to further reinforce its position.


I can't comment on that without some bias. If you personally believe Google's DNS is a potential threat to your privacy, my best advice is to use whichever DNS service you find to be most trustworthy, be it Quad9, your ISP, Cloudflare, etc.

However, I'm really not sure the whole recent debacle over "don't be evil" is really relevant to perceived ethical issues regarding Google. It's not like the motto became "actually, yes, be evil" - as far as I know, it became "do the right thing." And honestly, company cultures are all much more than just a motto.

I speak only for myself, but my feeling is that trust is very personal and if you don't trust Google, that's your right. All I'm discussing are things that I know, not trying to tell you who or what to trust.


I can’t say I trust Google overall (and have been gradually replacing my use of their services with competitors), but I do think that they abide by their terms and conditions generally, so thanks for posting a link to the 8.8.8.8 docs; they seem pretty clear-cut.


While Google's business model certainly relies on collecting and monetizing user data, I have yet to see any cases of abuse on their part. Rules for employee data access are very strict and I don't know of any cases whee they directly share data with third parties (excluding government demands).

For me, this makes them one of the most trustworthy companies when it comes to handling my data. If you know of any cases otherwise, I would love to hear about them.


Google abuses its position plenty and was found to be guilty in court multiple times.

There are endless examples of shady practices on Google's part, the obvious elephant in the room is ignoring the GDPR.


Don't be evil was NEVER abandoned. That was reported by right wing media and picked up by mainstream media without checking. Here is the the latest employee conduct statement.

"And remember… don’t be evil, and if you see something that you think isn’t right – speak up!"

Last thing the employee reads in the document.

https://abc.xyz/investor/other/google-code-of-conduct.html


    In [1]: (8<<24) | (8<<16) | (8<<8)| 8
    Out[1]: 134744072
Oh how the time just flies past.

Incidentally there are 10 types of people, those who understand binary and those who try to write too clever headlines.


they could have used that ~4 years ago with seconds.


Exactly.

  >>> dt = pendulum.datetime(2018, 8, 12, 0, 30)  # from the article
  >>> born = dt.subtract(years=8, months=8, days=8, hours=8)
  >>> born.add(seconds=int(ipaddress.ip_address('8.8.8.8')))
  <Pendulum [2014-03-12T05:24:32+00:00]>


I laughed.


Too bad it wasn't launched 4 days earlier so this could have been on 2018-08-08


There are also 1.1.1.1 and 9.9.9.9 from the 'easy remember' DNS list.


who runs 9.9.9.9 ?


https://quad9.net - IBM and two groups I haven't heard of.


One of those groups is Global Cyber Allience (GCA):

"GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security."

https://www.cityoflondon.police.uk/advice-and-support/cyberc...


Quad9 was founded by IBM, PCH (Packet Clearing House - they operate a lot of smaller countries' authoritative dns), and GCA (Global Cyber Alliance), but it's a standalone Non-Profit. https://quad9.net/about/

I prefer to use them over Google and Cloudflare since their whole non-profit mission is DNS.

They also offer a 9.9.9.10 service if you don't want the "Security block list" (I don't like blacklists I don't control).


I find that map breaking down usage by country interesting. It seems almost nobody is using it in India and Australia. Is it performing badly, is it blocked by ISPs, or are those people just overly obsessed with privacy? Even China's usage is higher, surprisingly, even though it wouldn't help at all with bypassing censorship.


In India, the recent explosion in 4G availability has lead to a dramatic increase in first time internet users. But unlike earlier generation of users, these users have never accessed internet via a desktop - they only use a mobile, usually Android-based - nearly 80% of internet usage is via mobile now. That may account for the low usage as normal users cannot easily change dns settings on Android or iOS for that matter.

Australia is a puzzle though.


> I find that map breaking down usage by country interesting. It seems almost nobody is using it in... Australia. Is it performing badly

No. It works well.

> is it blocked by ISPs

No.

> or are those people just overly obsessed with privacy?

No.

I don't know why it's low in usage, bit I can't think of a reason why it wouldn't be low. I don't know anyone who would even think to change their DNS servers.


Sure but I'd have expected similar usage throughout western countries. here in Germany I wouldn't consider the average person any more techy than in Australia or anywhere else. People are pretty conservative and stick to what they know in general. I don't know anyone besides coworkers or friends working in the field who would do that, but then at least half of them are probably too skeptical of google to actually do it.


Public DNS is just one of the many free services that Google provides in order to slurp up every single possible activity that happens on the internet. Visit this website in your logged-in Google browser tab:

https://myactivity.google.com/myactivity

I don't know what it says for you, but for me it lists everything I do in my life. The restaurants I look at in the Seamless app. The Reddit posts I clicked on in the Reddit app. Every single YouTube video I watch. Everything I search for. All of the places I went yesterday and in the last 6 months.

And these are only my "explicit" actions. Now imagine that Google also passively knows every single web address I look up via DNS? We share private browsing sessions to them all the time regardless of in-cognito mode or any other privacy safeguards.


Google DNS is not used in any way to associate to your Google account. They say exactly everything they record and how it's stored and used.

https://developers.google.com/speed/public-dns/privacy


> Google DNS is not used in any way to associate to your Google account

OK, but it's still used to gather more information about how people are using the internet - what domains are popular, where they are being loaded from, etc. etc. etc.


In aggregate it would be wasteful not too. I don't see a problem with this


There's nothing wrong with that. Also all those sites already have Google Analytics anyway which gives far better data than DNS queries.


That's not what your link says however

We don't correlate or combine information from our temporary or permanent logs with any personal information that you have provided Google for other services.

Emphasis on personal information and provided. It does not say anything about non personal or inferred personal information imo.


What if I don't believe them?


Well then you don't believe them. But then whom do you believe would keep your DNS data private, and by what rationale do you find them more believable than Google?


A company whose business model isn't based entirely in analyzing user data in order to sell them the most things. Remember: these data don't have to be tied to your account. Google can use your ip address to glean your (approximate) location, and then use the websites you visit to better tell what kind of people live in that area. Even if they don't store the websites themselves, they can categorize the websites and store a category breakdown. They can find out what demographic you belong to from your account, and then associate the websites you visit with that demographic rather than that account. Lots of data that can be stored even if they're not directly associated with your account or the individual websites you visit.


> A company whose business model isn't based entirely in analyzing user data in order to sell them the most things.

Really? That's the only bar? So you're going to trust any company who isn't in this business without even reading & comparing their privacy policy or looking at their past history?

I also have to say I don't understand what you guys' true fear (read: threat model) is. It seems like for Google your criterion is "if they could potentially keep such data, they're automatically dangerous (doubly so if their name is 'Google')", whereas for anyone else not in the advertising business your standard suddenly changes to "I don't care what data they have, as long as I don't see evidence of active misbehavior". To me this sounds like what you really fear is personalized advertising itself rather than an actual privacy or security breach, which doesn't entirely make logical sense considering what the dangers of each of them are.


> So you're going to trust any company who isn't in this business

I never said that. I said that I'm not going to trust a company that has this business model. That by no means implies that I'm going to blindly trust a company with another business model, rather that trust in such a company is possible.


OK, then you didn't answer my question either. I was not asking "which companies would you not trust, and by what rationale"? The question I asked was: "Whom do you believe would keep your DNS data private, and by what rationale do you find them more believable than Google?"

Telling me you wouldn't trust someone who meets some disqualifying criterion isn't useful if you have so many disqualifying criteria that you wouldn't trust anybody, which frankly is the impression I get reading people's comments on this issue. If you have an actual company that you would trust, and a clear rationale for doing so, that's where we can have a real discussion.


> Whom do you believe would keep your DNS data private

You presupposing that it is necessary to send all DNS traffic to one entity. I run a local recursive nameserver (unbound) instead of sending all of my queries to a different nameserver.

Combined with aggressive caching, any particular DNS server (from .ROOT-SERVERS.NET down to the specific authoritative nameservers for a specific domain) is only able to view a tiny subset of my browsing behavior. Most of the time the query to the final authoritative nameserver is to be followed quickly by a TCP SYN packet that reveals roughly the same information.

Yes, running the full recursive resolver locally can be very slightly* slower than asking e.g. the local ISP's server that probably has the query cached. Fortunately, local caching limits this (very minor) problem to only the first request for a domain.


Running a recursive resolver isn't really that great from a "trust no one" perspective, because the .com nameservers are getting a decidedly not tiny subset of your access activity.


The TLDs are only queried for the NS records of the second-level domain, and the A (or AAAA) records of the those NS names. This is cached, often for longer than the record's specified TTL. The rest of the traffic is with the 0delegated nameserver,


The second level domain under com is the important part 95% of the time.


> This is cached, often for longer than the record's specified TTL.

NS records don't change very often. They can see that I looked up the delegation data about "example.com" once every $CACHE_TTL (~months). They do not get repeated queries at the beginning of every session I have with a website.

A lot of security is about being in the habit of minimizing attack surface. The only thing a TLD (or ISP) nameserver needs to know if I want to use the Doomain Name System is "pdkl95 asked for example.com's nameserver once last month" Instead of giving Google (or whomever) an update e.g.:

    ;; ANSWER SECTION:
    news.ycombinator.com.  300  IN  A  209.216.230.240
...every 5 minutes. This is not trying to stop someone discovering that I have ever been a domain; I'm limiting the ability to model my pattern of life[1].

[1] https://en.wikipedia.org/wiki/Pattern-of-life_analysis


So what I get out of this is that your system protects your privacy because it uses a custom TTL, and not really because you run a recursive resolver. It helps reduce errors, but you could get almost the same effect with a pure cache.


No, I'm still requesting the A/AAAA records at the normal TTL rate. This doesn't expose useful information, because those queries are sent directly to the domain's nameserver. The domain learns that data point anyway from the TCP SYN packet I'm probably sending immediately after I learn the A/AAAA record.

Separating the requests allows for different cache policies. If you simply delegate the entire recursive resolution work to Google (or whomever), they get to record that you needed "www.example.com" every TTL (5min?). You don't even need to see the domain's NS records in that case, so there isn't an opportunity to choose a cache policy.


I'm not sure why you lead with "No" because you didn't disagree with anything I said.


> and not really because you run a recursive resolver.

"No", because the system depends on running a recursive resolver locally to separate queries onto different nameservers.


It depends on doing so to work better. But a similar not-quite-as-good system could do without that feature. It's not integral.


What is this system that prevents pattern-of-life analysis while still sending all DNS queries to one nameserver? I'm still sending frequent short-TTL (normal caching) DNS lookups for most hosts that would betray my pattern-of-life in aggregate. The vast majority of the security is from sending those requests to the domain-specific nameservers instead of aggregating it all through a single upstream nameserver.

Aggressive caching of NS records for TLDs doesn't do anything to prevent a single upstream nameserver from leaning your pattern of life from the frequent DNS lookups for A records that are not cached longer than normal.


> What is this system that prevents pattern-of-life analysis while still sending all DNS queries to one nameserver?

Setting $CACHE_TTL to "months" on everything, and doing nothing else.

> I'm still sending frequent short-TTL (normal caching) DNS lookups for most hosts that would betray my pattern-of-life in aggregate.

Your system does that. This theoretical mildly-inferior system would not have frequent DNS lookups for any record type.


> Setting $CACHE_TTL to "months" on everything, and doing nothing else.

That will break a lot.

DNS isn't static; IPs regularly change as servers move, CDNs are introduced/changed. Long-term caching only works on NS records because changing DNS delegations is relatively rare. NS record caching does cause problems, but they are infrequent. Caching the addresses of the actual servers will break some things within days, and most of the internet the next time each server is updated/moved/etc.


QNAME minimization is about to fix that.


I think much of the distrust stems from: "why is google doing this". It costs some amount of money to operate a DNS service, and it's pretty reasonable to think that Google is getting something in return. Pretty much every other service they offer for "free" pays for itself by monetizing usage patterns and content, so it's no leap at all that they are offering DNS services with a similar quid-pro-quo.

Even if they don't use your traffic history to help with personalized advertising, they could conceivably use it for other things (e.g., bot detection, usage stats).

Google discusses what they collect in their privacy policy (https://developers.google.com/speed/public-dns/privacy), but not how they use it.


The answer is that yes, I don't -- fully -- trust anyone or anything I don't personally know. With that said, there are criteria by which I decide to trust a given company more or less, such as their business model, age, track record, size, and target audience. For example, I have some trust in apple because their business model relies on selling hardware and they have a decent track record (apple v fbi). I also have some trust in microsoft because a significant portion of their target audience is enterprise -- banks run windows me, the economy runs on excel. They have enterprise software that come with certain guarantees, and if they break those guarantees for me, a $10 customer, then they'll lose the $10 million customers, so I feel secure in using their enterprise software. However, this is tempered by windows 10 spyware, and makes me more reluctant to use consumer versions of their software.


I'm seeing what amounts to a lot of complaints and negative comments about what you wouldn't do, but for some reason you're still not actually answering the question of what you would do. The question has been quite clear and concrete: which DNS servers you would rationally trust more than Google's, and why. So far all I see that you've said is that you don't trust Google, that you in fact don't fully trust anyone, and that you would trust Microsoft and Apple more than Google---all three of which dodge the actual question of whose DNS servers you would use and why you would rationally trust them more than Google. Apple and Microsoft don't have public DNS servers (AFAIK? if they have ones that you're advocating then by all means correct me) so it wouldn't make any difference even if you'd trust them with your newborn baby. Regardless of whom else you pick, it really does not make any difference whether that DNS server(s) is getting 1% of your trust or 99% of it -- it's still going to be the one getting your queries, and I'm trying to understand whose server(s) you're picking and why it's rational to choose theirs over Google's.


Most people pay for ISP service and get a DNS server included in the price. It's a clear quid-pro-quo. If they don't respect your privacy, or they generally behave badly, you can switch providers (assuming you're not one of the 50 Million US citizens with only one ISP provider).

Even if you have an evil ISP, and they're selling your data for $0.50/month, you're still paying them $50/month for service. A bunch of angry customers could change their policy quickly. Few ISPs would try to squeeze those extra quarters from you, given the potential blow-back (some do, and they'll get their comeuppance). However generally, ISPs incentives are to keep you as a customer and get your fitty beans every month.

However, with Google, it's not clear why they are giving DNS services away for free or what they're getting in return. It clearly costs them some money to do so, and they're not being paid for it directly. It's possible that they're doing it purely altruistically, but they also have an extremely long history of using data for advertising or other forms of monetization.

I'm not saying that if you use 8.8.8.8, you'll search ads will target you. But I would bet they use your anonymized browsing history to fight bots, test internet speeds at various locations, identify browser technology, and who knows what.


This is really going against the impression I've both personally gotten and seen from others here. Are you really saying you would trust Comcast or AT&T here more than Google with your DNS history?

And regarding this bit:

> I'm not saying that if you use 8.8.8.8, you'll search ads will target you.

Hm, well others here have been suggesting this would be the case.

> But I would bet they use your anonymized browsing history to fight bots, test internet speeds at various locations, identify browser technology, and who knows what.

Even if I take this at face value, how are these things you listed bad things? If my DNS queries are going to fight bots, by all means, please fight bots! If they're going to help them improve internet speeds, by all means, they should do that! That's what data is good for. Everyone here is freaking out about privacy, not improved service. (!)


Certainly Comcast and At&T are pretty untrustworthy when asked to do the right thing, and I'd pretty confidently say they're less trustworthy than Google.

That said, they are selling a service, and you're paying for it. Quite a bit for it. It would be pretty stupid for AT&T to use your DNS data and risk your $150/month cable, phone, internet subscription for an extra buck or two.

But with Google, you just don't know and their entire business model is predicated on selling your data. They are almost certainly using their DNS servers for some data-based operation.

And a last quasi-technical point... I'm sure AT&T and Comcast have good engineers on staff, but I'm even more sure that Google has better ones. I am less concerned about AT&T and Comcast because I honestly don't think they have the wherewithal and talent to come up with ways to monetize DNS. I'm pretty sure Google could.

And to your point, even if Google is giving away DNS services to only fight bots and measure internet speeds, they should at least say that in their privacy policy. They don't. They just say they keep detailed data temporarily and anonymized data long term. I don't use Google's DNS because I really have no clue what they're doing with it. In contrast, if my ISP does something, I can always try to sue them, or if that fails cancel my service.


Just some related stories:

https://www.eff.org/deeplinks/2014/11/verizon-x-uidh

http://www.latimes.com/business/la-fi-lazarus-20150818-colum...

There is no point in discussing what companies might do in some theoretical framework - they do not care about your privacy, they monetize NXDOMAIN, etc. This isn't about what might happen - these abuses have already happened.


You asked by what criteria I would trust one company over another, which seems significantly more interesting but...alright:

My own ISP already knows all the ips I connect to, so telling them what the domains are doesn't tell them much, especially as the trend towards ipv6 means that multiple-domains-on-one-ip has gotten less popular.

Cloudflare's main prerogative isn't to sell clicks the way google's is, which earns it points already. In addition, if you believe the official documents, they permanently log a lot less[1] than google[2].

I would also, needless to say, feel ok hosting my own dns.

Quad9 and opendns both filter content, and as such I don't trust them because the fact that they're willing to do that means that they are willing to censor content if they so choose.

I don't know any other dns servers off the top of my head.

1: https://developers.cloudflare.com/1.1.1.1/commitment-to-priv... 2: https://developers.google.com/speed/public-dns/privacy


There we go! OK, so you'd trust your ISP and CloudFlare more than Google. Let's go through them.

> I would also, needless to say, feel ok hosting my own dns.

Yeah let's avoid options that 99%+ of people wouldn't find realistic.

> Quad9 and opendns both filter content, and as such I don't trust them because the fact that they're willing to do that means that they are willing to censor content if they so choose.

Right, I think I agree on that.

> Cloudflare's main prerogative isn't to sell clicks the way google's is, which earns it points already.

Sure, some points there for the increased likelihood of hypothetical data mishandling due to their incentives.

OTOH, don't forget it was Google who found this issue in CloudFlare, which earned Google some points and earned CloudFlare /quite/ the demerits in my book... and note that this was an _actual_ massive security incident, not a hypothetical one: https://blog.cloudflare.com/incident-report-on-memory-leak-c...

> My own ISP already knows all the ips I connect to, so telling them what the domains are doesn't tell them much, especially as the trend towards ipv6 means that multiple-domains-on-one-ip has gotten less popular.

I find this to be quite the odd argument for most people (maybe you're in the 1% of people who uses unconventional ISPs or email/search/map/etc. sites). Not only do major ISPs (thinking e.g. Comcast, AT&T here) not exactly have a great reputation on the privacy or security front (wasn't it just a few days ago someone posted about your home address being linked to your IP on Comcast?) -- meaning whatever data they do collect is prone to being hacked even if you believe they're really honestly keeping it private, which I'm not sure I always would -- but for most people Google already knows pretty much their life. And on top of that, they do their own tracking with Google Analytics, so they already know what websites most people are visiting -- not just from home, but also from work and on the go. And unlike with your ISP, it's likely already linked to your personal identity, not just your household or work office.

Oh, and in case you would like your advice to apply to those who have, say, Comcast, may I point you to quotes like this [1]:

> Comcast today said it has "no plans" to sell its customers' individual Web browsing histories, but Comcast can still deliver personalized ads based on its customers' browsing history. Comcast, the nation's largest home Internet provider, said it will continue to offer customers a way to opt out of targeted ads.

I don't know about you, but I would be shocked if they did this solely based on IP and did not find DNS information to be important for this task.

[1] https://arstechnica.com/tech-policy/2017/03/comcast-we-wont-...


> OTOH, don't forget it was Google who found this issue in CloudFlare, which earned Google some points and earned CloudFlare /quite/ the demerits in my book

I don't quite understand this one. Are you saying that you have an expectation that all software be bug-free? That just doesn't happen, unfortunately. Cloudflare had a problem, they fixed it promptly and then published a post-mortem on it. That, imo, is exactly what should happen. And as for google, it was discovered by their dedicated team of security researchers. Having such a team arguably reflects well on google, but do remember that monolithic corporations such as google are rarely unified.


No, I never suggested "I expect all software to be bug-free". Google software has bugs too. You're completely muddying the waters with a strawman like this. What I'm saying is that it that calling a massive security incident a "bug" doesn't suddenly erase it. Maybe it was pure dumb bad luck that could've happened to Google too, maybe it was because CloudFlare is just younger and still learning about the whole "defense-in-depth" thing that prevents 1-2 bugs from massively screwing everything up, or maybe it's just the lack of money and/or being able to attract as much top talent... I can't know for sure, and maybe I'd even sympathize with them, but I'm not trying to determine guilt and figure out whom to throw in jail here—I'm just trying to decide whose service to trust, pay for, and use. I'd be completely nuts to disregard actual severe past mistakes and solely look at my impressions of their intentions and hypothetical scenarios. You might look at intentions when figuring out whom to blame, but you definitely need to look at the cold, hard facts when figuring out whom to trust. The fact that they did actually make a system that actually screwed up in keeping private data private simply has to be taken into account when figuring out how much I can trust them with private data, however good their intentions and post-facto reactions to it were.


Threat model: "surveillance capitalism". Anyone in the ad business has a strong incentive to surveil you to sell or use the data.

That's a difference between Apple and Google - Apple is at least partially in the hardware business. Google is in the ad business - the surveillance business - full stop. And I say this as a fan of Google and someone who still uses their public DNS. But it's not surprising that people wonder how they use data.

https://www.schneier.com/blog/archives/2018/03/facebook_and_... But for every article about Facebook's creepy stalker behavior, thousands of other companies are breathing a collective sigh of relief that it's Facebook and not them in the spotlight. Because while Facebook is one of the biggest players in this space, there are thousands of other companies that spy on and manipulate us for profit.

Harvard Business School professor Shoshana Zuboff calls it "surveillance capitalism."


No, surveillance and ads aren't "threats" in and of themselves. Being surveilled or shown ads doesn't itself harm you (modulo wasting your time/brainpower, but by that logic getting an email or a phone call is also a threat). What would be a "threat" is potential harm occurring as their consequence. In the case of NSA surveillance, for example, people are worried about innocent people getting caught for the wrong reasons and due process not being followed, resulting in wrongful legal/physical/etc. harm to the wrong person. Or in the case of Equifax, one possible harm is your SSN leaking and being used for ID theft (financial harm, until if/when you prove your innocent).

Now what I'm not seeing is exactly which company's DNS is avoiding what credible harm that people here believe is potentially likely to result from using Google DNS.

As far as Google (or any company, really) internally is concerned, the fact that they are merely "using" the data for themselves (to show you ads, or whatever) is not itself a harm to you. (And maybe worth mentioning, they have used a lot of information to make life a lot better for everyone, like location for traffic data.) The harm would be if they used it to (say) discriminate against you in advertising goods/services, or to harass you, or if they did not secure it properly and your data leaked, etc. None of these are things I'm aware of happening inside Google, but if you know of evidence of this happening, I would love to know.

As far as Google is concerned externally, the only threat you seem to have hinted at here is that you believe they are likely to sell your data to other parties who are then likely to abuse them (such as by harassing you directly, or sharing/exposing your data online to others who might harm you). I have seen no evidence that this has been the case with Google (or Facebook) either -- which should make sense given that you believe user data is their most important asset -- but again, if you have any, by all means do share.

Given the above, combined with the facts that (a) so many people here seem to be disregarding the actual privacy policy, and (b) for most people Google probably already has more information to screw you with than your third-party DNS provider ever will, I'm led to believe there isn't really anything to be gained by avoiding Google DNS. But to each their own...


> Being surveilled […] doesn't itself harm you[…]

Pervasive Monitoring Is an Attack:

https://tools.ietf.org/html/rfc7258


> No, surveillance and ads aren't "threats" in and of themselves.

You're right, a threat is potential damage, these things are done damage.


Cory Doctorow on how surveillance capitalism harms you and harms societies. http://locusmag.com/2018/07/cory-doctorow-zucks-empire-of-oi...


threats" in and of themselves. Being surveilled or shown ads doesn't itself harm you

But it does. If you need a product generally you would just go out and buy it. Ads are psychologically manipulating you to buy things you don’t need and spend your limited time on this Earth doing things that aren’t beneficial to you. It wasn’t too bad when it was just billboards and TV slots but now it’s you vs the algorithms on a personal level.


Shelves on shops manipulate you. Some products are put in front, some in the back. Back in the day, small companies suffered due to this and big brands used to get more brand placement. Counters have inexpensive candies, so that, instead of giving change money back they can give you candies. On the other hand, that surveillance by Google gives me great Articles in Google Chrome. There are scores of programming related articles which i wouldn't have discovered otherwise. I mean I can't "just go and read an article: when i don't know about that website. To each their own.


One of the things that has had the most profound influence in my life was to apply for and get a fellowship that paid me graduate studies in the US. The only reason I learned of its existence was my mom seeing an ad of it on the newspaper.


Ah, anecdotes. “My grandfather smoked two packs of cigarettes a day, and he lived to be a 110.


What a ridiculous argument. I didn't get that fellowship despite the ad, unlike your grandfather who reached an old age despite smoking. I got it thanks to the ad.


You got the fellowship from the ad despite the vanishingly small chance that anyone would see it.


You must realize that what you're saying is an argument for better targeted ads. If you don't, I don't know how to help you see it.


Better targeted ads for some truly unequivocally beneficial things like scholarships might be a good thing, all else being equal. But:

1. Targeted ads requires enormous machineries of surveillance and file-keeping. Having too much information in closely related form is akin to having too much uranium in close proximity; it causes problems all of its own almost just by merely existing.

2. Ads in general, even the beneficial ones are, by definition, distracting from whatever content we were trying to read. See: São Paulo’s “Cidade Limpa”.


It is literally illegal now for them to lie about this.

You are welcome to believe that Google is just actively causing harm. But I don't understand why you'd specifically do this for them but not other businesses.


People can and do say that about any business or nation or whatever "specifically" being criticized. Why not criticize all of them? Because comments are limited in length, and because the subject at hand is cheapo PR for Google? Even if you were to criticize "all, fairly", you would have to start somewhere, and there would always someone saying "why not start with Y first", and when you criticize Y someone else says "why not start with X first".

Especially since people asking that generally know nothing about the people who criticize a thing, and what else they might criticize in other contexts. It's not like they're busy criticizing some bigger evil and criticism of $thing_under_current_discussion blocks their noble work. At worst they're doing nothing, yet expect others who are doing something -- even if that's just making one decision against one product or company, rather than zero, and making one comment about their own personal actual stance, instead of about synthesized hypothetical persons -- to take some time out of their day to answer pointless "questions".


If you don't trust a provider the obvious choice is to use another one.


It’s obvious for some people (perhaps the OP, yourself and myself for example) it’s not obvious or obvious that it’s even an option to the majority of people.

I personally try to advocate for good privacy education at places of work, study and play usually with a combination of a) the naritive / context, b) Provide simple examples (of why it probably matters), c) Explain with metaphors, and d) Give some simple advice where possible.

It’s not a perfect strategy but I think it does noticeably help lift the awareness bar.


Except in this case, I'd argue it's fairly obvious. One tends to make a conscious decision to change their DNS server from that provided by their ISP to a public DNS service such as Google's.


Then use something else, but what your ISP offers you is probably a lot worse (in service quality and security).


Lead with that then, so we know to ignore you.


Who is "we"?


[flagged]


Please try to be polite and stay away from nasty comments (especially when you’re not providing evidence based arguments).


If you have good reasons not to believe then you can sue Google and make $$$. Otherwise you're just hurting yourself.


The problem is that you can't know that for sure. Their public statements don't necessarily reflect their internal operations.


I’m almost certain it is, even in the link you posted they use unversed language to state they DO store not just your information but also your personally identifiable (!) information:

> “Google Public DNS does not PERMANENTLY store personally identifiable information.”

You have to be very, very careful with services like this especially when it comes to Google, Facebook and Microsoft (and the companies they own), they use weasel wording in documents like this almost all the time and it’s clearly with intent to /seem/ as if they’re good citizens rather than to _prove_ that they are.


Yes, they do not PERMANENTLY store PII, because they are crystal clear about the fact that they store it temporarily, and that by that they explicitly say they mean 24-48 hours:

> Google Public DNS stores two sets of logs: temporary and permanent.

> The temporary logs store the full IP address of the machine you're using.

> We delete these temporary logs within 24 to 48 hours.

> In the permanent logs, we don't keep personally identifiable information or IP information.

"Permanently" is not weasel-worded here.


So they do permanently store some information, perhaps tied to everything that isn't PII: my location, connection speed, time of day, access frequency. That can certainly be used to target adverts.

When an easy alternative is a company that doesn't have a reason to store this data, why not choose them?


By all means, choose whomever you trust the most. All I was saying in my response above was that, in making that decision, it would probably make sense to make sure you're reading their privacy policies accurately first. In this case the idea that "permanently" was weasel-worded seemed incorrect and misleading to me.


Use 1.1.1.1. Cloudflare have committed to never store identifiable information for more than 24 hours and have committed to independent auditing of their privacy protection. It's three times faster than 8.8.8.8 and it supports DNS over HTTPS.

https://1.1.1.1/

https://www.dnsperf.com/#!dns-resolvers

My Google activity page shows a big fat "No Activity". I have no doubt that they have plenty of my personal data rattling around on various servers, but Google at least pay lip service to offering you control over your data. European data regulators would be extremely displeased if they learned that these controls don't actually do what they purport to do.

https://myaccount.google.com/activitycontrols


> It's three times faster than 8.8.8.8

You mean 3x faster for you, right? We're talking about a geographically distributed system here... for me it's not too different. Or do you mean their DNS servers are somehow by their nature 3x faster than Google's at responding?


No, I mean faster across a broad benchmark suite from 227 globally distributed test locations. 1.1.1.1 is faster in every region - in Africa and Oceania, they're faster by over 100ms on average. It's conceivable that some users could get faster resolution from 8.8.8.8, but highly unlikely.

https://www.dnsperf.com/#!dns-resolvers

Cloudflare are a CDN company. Running a fast geographically distributed system is their core competence.


Absolutely agree, ideally we’d all be using DNS-over-TLS, however I think but DoH(S) is a ‘good enough’ alternative /if/ you trust the company running the servers.

Google I have essentially no trust in at all anymore (or maybe ever), Cloudflare I trust to a ‘reasonable’ degree; by that I mean I don’t believe they would (at the and leading up to the time of writing this comment) sell identifiable user data from their 1.1.1.1 DNS service and they have a very high technical skill level when it comes to internet security especially with regards to routing and network metadata. However it’s still not ideal or even slightly close to perfect security and while I’d trust Cloudflare over Google in a heartbeat - like anything that could change and better options that are also easy to use may (will likely) pop up.


1.1.1.1 also supports DNS-over-TLS. DNS-over-HTTPS is clearly an ugly hack, but it's probably a necessary hack for the time being.

https://developers.cloudflare.com/1.1.1.1/dns-over-tls/


Oh I didn’t know that, thanks for the link!


If we are talking ideals, then ideally we would be using something a lot better than the DNS protocol, which has been hammered out of shape in order to achieve things pretty hard nowadays, and not DNS-over-something at all.


Why the hell would Google offer a free service, and publicly commit to privacy in this way, just so they can lie and put the rest of their revenue at risk when a big law suit hits?

That’s bananas.


Aside from having to use Google Apps for work, I do not use any Google services - that url you posted shows totally blank for me -, but I would be very surprised if Google uses their DNS to reconcile "passive" activity back to an individual user. that really seems quite over the line in terms of intrusiveness - is it confirmed they do do that with their DNS?

edit: to answer my own question, it looks like OP is misinformed, here is the (very explicit) privacy policy about their DNS service: https://developers.google.com/speed/public-dns/privacy

note that in the (wonderful) GDPR world, its very hard for Google to do a sleight of hand with this stuff and actually be doing anything mischievous.


> The restaurants I look at in the Seamless app. The Reddit posts I clicked on in the Reddit app.

Unless I missed a press release announcing Google's acquisition of Seamless and Reddit, this seems impossible. AFAIK MyActivity doesn't track what you do inside non-Google apps.


Probably those apps open pages in the browser (reddit posts certainly qualify), so this could happen if he uses Chrome (or uses Chrome for custom tabs) and has sync turned on. Chrome's browsing history can show up in Web & App Activity if the option "Include Chrome browsing history and activity from websites and apps that use Google services" is turned on: https://support.google.com/websearch/answer/54068?co=GENIE.P...


What it says for me, is 'No acitivity.'

And it's been saying that saying that since I clicked 'Activity controls' on the side there, and unticked every box.

I don't for a moment believe it's all Google has on me, but you don't have to live with it.


I use Google GSuite for some of my email needs and to sync chrome.

I use a different Gmail account for maps.

I use DuckDuckGo for search.

Instead of Google I use third parties for everything else they do that they listed on here that they track.

My history/activity on their servers was limited outside of tracking my location.

I would love a decent alternative to Google Maps but nothing I’ve used comes close.


I use Google Maps, but that doesn't require you allow them long-term tracking of your location. It'll continue to work.

(Disclaimer, below is about maps, and my personal anecdote. Ignore as necessary.)

(Though I must say, I'm in the process of trialing a new mapping app. Because Google have failed me.

I live in a suburb that was created 2 years ago. It replaced part of an old suburb, and a new area that hadn't been assigned. They created a new postcode for this new suburb too. Two years on, Google doesn't know it exists, so my address doesn't exist. It has my road, but no name, no numbers.

I tried out OSM And+ (via FDroid), and Android mapping program, based mostly on OpenStreetMaps. It has my suburb, and my address. Since about 1 year, 10 months ago. The directions are flawless, and it has a decent GPS voice.

However, it doesn't have as decent coverage of the Points-Of-Interest stuff that Google Maps has, but I'm fine with that, never used them anyway, apart from finding the nearest fast food place or gas station on a long trip.

And the public transport stuff is hit & miss. But I can't keep up with bus timelines in my area myself, they change about once every 3 months because of strikes.)


How would a DNS query reveal which Reddit post you clicked on?


I think it's more the chrome browser, which is tracking your actions right?


FYI: You can also disable those histories by specific app or delete it in bulk in a few clicks.


They just stop showing your history to you on the website. Don't think for a second that they don't still have it.


Do you have any actual evidence of this? It's a massive company with plenty of regulations and scrutiny, along with a rather outspoken employee base. Data privacy is taken seriously whether you believe it or not, and I'm sure you're not confused by the fact that this is the trade for free services?


They do delete it completely. They have the complete infrastrucuture to wipeout everything that is deleted. This was discussed before with some comments from Google SREs.


That sounds like tinfoil and fearmongering. Do you really think that if that were the case that no whistle-blowers would have come out?


There are many cases of conspiracies going for multiple decades before a whistleblower attempts to uncover it. And, of course, if a conspiracy never gets a whistleblower, we never hear of it at all.

In short, the observation that “there are no whistleblowers” is not proof of the non-existence of a conspiracy.

The only thing you can realistically do is to evaluate the incentives of all the parties involved. And, sure, Google’s public promises of privacy (weasel-words or not), provide some incentive for them. But you also have to look at their actual risk of getting caught. How many people inside Google would they need to siphon off this data, analyze it, and re-inject it into their existing personal models (shadow profiles) of everyone? Call it “additional weight-adjustment from machine learning” or something. No-one outside the small group could then see that the extra data came from data analysis. Would the small risk of one of these few people blowing the whistle be worth it for Google, who absolutely depend on having the best information about everyone?


> Would the small risk of one of these few people blowing the whistle be worth it for Google,

No. Public DNS isn't even 1 decade old and Google already has massive insight from google analytics, adsense/adwords, the doubleclick network, android and store, chrome browser, chrome os, google search, google maps, gmail, youtube, google play, google fiber, google fi, google cloud platform, and all the various web properties that carry 1st-party cookies that easily get around Safari's misguided cookie war and have GDPR consent.

Trying to secretly sneak in some crappy DNS data is not worth it at all.


Well, that may be obvious to you, but it’s not obvious to me, and (here’s the kicker), neither of us can know for sure. Only very few specific people at Google are in a position to absolutely know whether this is happening, and they can’t tell anyone.


>> Only very few specific people at Google are in a position

Why do you think you know this for sure then?


You must be confusing me with someone else; I explicitly said that “neither of us can know for sure.”.


I use cloudflare dns. I don't think that they're good, necessarily, but they definitely give off a better vibe than google. I don't know what the seamless app is, but I have location and background services turned off on my phone. The only google apps I have on my phone are youtube (which rarely gets used) and gboard, which I also rarely use -- I mostly use wordflow. On desktop, I use startpage[1], which is essentially a proxy for google search, but they can't correlate your searches to form a profile of you, and the more people use it the better it works. There's also duckduckgo[2] which is significantly more popular and has shortcuts for searching on other sites such as google maps or amazon; it proxies its searches through bing. If you truly want to go all out with the privacy, you can use findx[3], which is open-source[4], but in my experience it has significantly worse search results, and last I checked it didn't have a fully-fledged image search yet.

There are limits, however, to how private you can get. Most people have email accounts through google, which means if you correspond with someone by email, even if your email isn't gmail, google is still analyzing what you wrote (they claimed to no longer be doing this, but I have no reason to believe them). As such, it is your job (not the parent specifically, but anyone reading this) to fight back against google's monopoly on information! Set up a private mail server for friends and family. Pressure work to use amazon or microsoft (not much better, but better nevertheless) for enterprise services over google. (This one may be easier as there are legitimate horror stories regarding gcp and gsuite that you can point to, such as the recent incident of someone's gcp account getting completely frozen without warning and reason for 3 days.) Above all, however, make sure not to look like you're wearing a tinfoil hat. Sound reasonable and if someone doesn't want to switch, don't push too hard; you lose credibility that way.

1: https://www.startpage.com/

2: https://duckduckgo.com/

3: https://www.findx.com/

4: https://github.com/privacore/open-source-search-engine


In case anyone wants to disable tracking(?), this is the page you need I believe. https://myaccount.google.com/activitycontrols


Google has a stronger privacy statement than any other public DNS provider and certainly better than your ISP’s. They provide DNS because a faster web is better for you and for Google.


Why don’t you disable it? Is because you have an Android phone?


Are you sure you know what dns and google dns is about?


Is that mostly due to using their DNS? Anyone know of alternative services to use? Does google section off this data as not for use internally?

Crazy, interesting, and a little scary.


It has nothing to do with their DNS.


Checked.

It knows my political affiliation, movies I like, music I listen to, kind of work I do, my financials, my weaknesses as a programmer, what clothes my kids wear, what books I read, what mobile apps I use and how often, videos I watch and who the fuck knows what else under the covers.

Disgusting. How does one run away from this?


Click 'activity controls', untick the boxes.


Probably can't. You can try obfuscating your behavior with services like Adnauseam or Noiszy?


What about 4.4.4.4 / 4.2.2.2?


I don't think that 4.4.4.4 is a current DNS server. Perhaps you mean 8.8.4.4 or 4.2.2.4? 4.2.2.X was originally intended to be 4.4.4.4, but it didn't happen: https://www.tummy.com/articles/famous-dns-server/


Thanks for the info.


In the very first post Google said they will publish learnings from this experiment. What have they learnt from this experiment that we can benefit from.


134,742,054 BCE? I really underestimated the early hominid tech stack.


For performance and privacy reasons, you should use Cloudflare DNS. Please don't trust blindly Google when they say they don't use your DNS request data. It is their core business model to get their hand on all the data they can.

https://blog.cloudflare.com/announcing-1111/


So it's fine to trust cloudflare "blindly" with the same data?

(I agree that for privacy DNS over https is good, but the resolver still sees your dns queries)


Don't trust any corporation. It is unbelivable simple to install dnscrypt-proxy 2 [1] and use DNS crypt.

Dnscrypt-proxy spreads your queries across multiple servers and keeps them private.

If you can afford consider running dnscrypt server yourself. [2]

[1] https://github.com/jedisct1/dnscrypt-proxy

[2] https://github.com/jedisct1/dnscrypt-proxy/wiki/How-to-setup...


Cloudflare's 1.1.1.1 DNS blocks https://archive.is


I didn't believe they'd do something like this, so I went to check and prove you wrong, but sure enough, it doesn't resolve. According to this post on CloudFare's support site, it's not their fault: https://community.cloudflare.com/t/archive-is-error-1001/182....

> This is unfortunately something we can’t do something about. Nameservers responsible for archive.is (ben.archive.is, anna.archive.is) are returning answers tailored to the IP address of the requestor.


And archive.is blames CloudFlare:

> it is because of 1.1.1.1

> try 8.8.8.8

But compare that answer, to the continued technical breakdowns given by CloudFlare as they tried to work out why archive.is is returning an inaccessible IP based an request IP.

CloudFlare attempted to determine why there was a problem, archive.is shrugged it off.


I'm guessing archive.is has misidentified DNS requests from 1.1.1.1 as a DDoS, so is resolving them to the requester's own IP address in an attempt to get them to DDoS themselves.

"returning answers tailored to the IP address of the requestor" is normal and correct behavior for most large websites, the problem is that one of those IP addresses is wrong. Specifically, when the requester is CloudFlare, archive.is is returning a CloudFlare internal IP address instead of their own. I'm guessing where they got that IP address is that it's the requester, and where they got mixed up is that virtually all high-volume DNS requesters that appear overnight are DDoS attacks.


I did the same research because I too found it hard to believe and it's still not clear to me how the problem is not on cloudflare. They claim the upstream is misconfigured, but how then does every single other DNS provider manage to handle it correctly?

Or are they claiming archive.is is explicitly blacklisting the cloudflare IP range? If that is the case it seems odd they are claiming the upstream is misconfigured as opposed to explicitly blocking them. Something does not add up correctly.


> how then does every single other DNS provider manage to handle it correctly?

They do not handle it at all. Remember that the responses are tailored to the IP address of the client, i.e. Cloudflare's back end. It is not Cloudflare that is doing that tailoring. So the question that you should be asking is how come archive.is did that tailoring for (as you claim at any rate, although I suspect that no-one has exhaustively tested this before claiming it) every single other DNS provider and not Cloudflare.

Indeed, if you read what you replied to, you'll find that it's the inverse of that situation. archive.is answers are explicitly tailored by archive.is for whenever it is, specifically, Cloudflare asking. So the question that you should be asking is how come archive.is is saying that it is on a Cloudflare-hosted CDN ("cdn-wo-ecs.archive.is", mapped to Cloudflare hosting IP addresses), but only saying that when it is Cloudflare asking.

Once you ask that latter question, you'll get to the meat of the issue, which is that archive.is demands that Cloudflare et al. pass on (most of) your IP address to them, and returns fake name-to-address mappings for Cloudflare and indeed anyone else who says that (for privacy or otherwise) they are not going to pass on that kind of ultimate client identifying information to archive.is nor to anyone else.

(It's archive.is tailoring its response where there is no EDNS0 client subnet, a.k.a. ECS, information, for the technical. That's what the "wo-ecs" means.)


Sometimes 1.1.1.1 is used as a testing value, and can get blocked for reasons. CloudFlare is getting a huge amount of spam IP traffic to 1.1.1.1 from misconfigured equipment, it wouldn't be too surprising if some upstreams have firewalled valid IPs.


When cloudflare resolves addresses, the DNS request is not coming from 1.1.1.1, it's coming from the IP address of the server actually making the request. You can confirm this by looking at the results of a VPN DNS leak test [0] and seeing the IPs being used to resolve the addresses do come from cloudflare, but are not 1.1.1.1

[0]: https://www.dnsleaktest.com/


Oh, amazing. Thanks, I thought the site was down.


Why?


It's not clear to me that I can trust Cloudflare, either.


I will take the least of two evils.

Look at the incentive and core business of the two companies.

Cloudflare is not in the business of mining as much data about you as possible. They don't sell ads and don't make money trying to make you fit into a profile. They have zero incentive to keep an history of all your DNS requests.

Google on the other hand, claim they don't do it but it will make complete sense for their business to do it.


Given their security track record, I wouldn't trust Cloudflare with any of my data, regardless of what they plan or don't plan on doing with it.


> Given their security track record, I wouldn't trust Cloudflare with any of my data, regardless of what they plan or don't plan on doing with it.

Your username is anothergoogler; do you work for Google?


No, but I do search using Google.


Oh, ok. Sorry. Usually it Google employees that call themselves "Googlers"


Cloudflare manipulated DNS entries in the recent past[0], so I don't think I want to use them.

0. https://twitter.com/eastdakota/status/1024018061311897600


So blindly trust Cloudflare instead of Google?


This is nothing more than pure conjecture...


Asserted without evidence, dismissed without evidence.


Baseless fear mongering from a concern troll.




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: