"We don’t persist logs for our users without accounts and configured networks, I’m not sure Google makes the same statement."
What FUD. Was this statement from the FAQ not explicit enough? "With Google Public DNS, we collect IP address (only temporarily) and ISP and location information (in permanent logs) for the purpose of making our service faster, better and more secure. Specifically, we use this data to conduct debugging and to analyze abuse phenomena. After 24 hours, we erase any IP information."
Or what about this more detailed explanation on the linked privacy page? [Originally posted, but removed on account of formatting issues]
If you don't know the answer to a question about a competitor's service, the appropriate, ethical thing to say is, "I don't know." When you say, "We do <good thing X>, I don't know if they do," you are by your omission sowing the seeds of fear, uncertainty, and doubt in the audience, for your economic reasons.
This might be a poorly written article, but it does lead to an interesting question - what does Google expect to get back from offering a DNS service for free?
They couldn't keep group archives up due to the "maintenance overhead", so they are cost-conscious. They are way beyond being "no evil", so this is hardly a charity for a greater good. There must be a reason.
Google has a financial incentive to want latency online to be lower. The more people use the internet for things, the more ad money they can make. By offering their own DNS service, they can lower the DNS latency for some people, and goad competing DNS services into becoming faster as well.
I doubt that running Google DNS costs a huge amount of money, so the incentive to Google can be pretty subtle and still be worthwhile.
While they may erase "IP information", that doesn't mean they've erased the aggregate data. They could easily take a list of the actual domains and figure out how popular they are in various regions based off of the DNS queries against them.
I switched from OpenDNS to Google for DNS because I was tired of seeing ad pages when I mistyped a domain name in my browser. At least Google isn't hijacking NXDOMAIN results to make money. You can check your own DNS provider for this behavior as well as others with Berkeley's Netalyzr Web service.
Why didn't you just opt out of the ads? Google can subsidise their DNS service with their other profit-making products. OpenDNS needs an actual business model, and they offer you a clean DNS feed if you want one.
Well, it's mostly because Google just works "out of the box" for what I need, but also because in order for OpenDNS to associate a dynamic IP address to an OpenDNS account, you have to run some proprietary software to notify their service when your IP address changes. It looks like they don't have a Linux client available, and to spend the amount of time trying to get a setup like this to work for me, I could probably just as easily set up DNS caching on my home server.
What a poor article. Full of "I don't know", "maybe" and just plain FUD. The fact is between Google and OpenDNS, only one makes money at it. Google provides DNS because it makes the internet more reliable, which helps their business. OpenDNS provides DNS so they can sell you stuff (or ads).
Is there a way to use OpenDNS from any location and permanently opt out of their NXDOMAIN hijacking? I know you can configure it from their website but you can only control your own domains so it doesn't work when you access a wifi hub. You also have to run that daemon all the time which seems like a slightly bigger privacy concern.
> We don’t persist logs for our users without accounts and configured networks, I’m not sure Google makes the same statement.
Does that mean that both my DNS requests AND my HTTP requests to whatever webserver is intercepting my requests to test.invalid (http://guide.a.id.opendns.com/?url=test.invalid) are not being logged? Does that mean my requests on wifi hubs that are configured with OpenDNS are being logged?
What does it mean to discourage automated DNS lookups? What else do I use it for? dig?
Couldn't one argue that it is a good idea to keep the number of companies that have access to your information low? From that perspective wouldn't it be prudent to use Google for everything?
You and waffle_ss both mention this; can you expand on what problem you're facing? I use OpenDNS because of the filtering abilities and because I found on testing that they were marginally faster for me than Google.
Next to never do I see their domain redirect page and whenever I have it's always had the domain I've been after at the top of the page - for example, http://guide.opendns.com/?url=ycambinator.com. Yes it has a couple of text-ads but for the 2-3s you're on the page I can't see that I really have any problem with this at all ... it's way less intrusive than the ads on most websites now.
So what's the issue? Is it really akin to being robbed at gunpoint?
It's really just a quirk that I would rather not deal with. If I run dig on a hostname, that means I want to know about whatever records are associated with that hostname. If I try to get a program to connect to an invalid hostname I want it to say that's the problem instead of waiting a minute or two for the connection attempt to time out. It's also kind of backwards. If I want that kind of functionality, shouldn't that be in the browser?
Hmm.. minor correction.. It seems that, with OpenDNS, test.invalid returns NXDOMAIN, test.invali gives me 126.96.36.199. Oh well. When I made that other post I assumed they would be the same.
You seem to be taking offense to something that wasn't said. The term "hijacking" is used here in much the same sense as "signal hijacking" or the program Audio Hijack. The relevant part of the "hijack" imagery is forcibly taking over the way a transport. It essentially means they are causing DNS requests to return against-spec responses.
I think "wrong" is a good word for it. Users typing things into an address field in a Web browser is not the only use case for DNS, but this breaks DNS for the whole system, which is the wrong solution. Correcting mistakes in the address field is something browsers should take care of. Firefox and Chrome both do — I know Safari doesn't, and I can't remember what IE does. In fact, Chrome has to employ a rather ugly hack to work around this behavior from noncompliant DNS servers.
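As an added example (not from any commenter in the thread), a small Python check for the NXDOMAIN rewriting discussed above: it resolves a few random hostnames that cannot exist and flags the resolver if two or more of them come back with the same address. The two-of-three heuristic and the constructed stand-in resolvers are assumptions here, loosely modelled on the kind of probe the Chrome comment refers to.

```python
import secrets
import socket
from collections import Counter
from typing import Callable, List, Optional

# A resolver maps a hostname to an IPv4 string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def random_probe_names(n: int = 3, tld: str = "com") -> List[str]:
    """Hostnames that should not exist anywhere.
    The .invalid TLD is reserved and, as noted in the thread, OpenDNS honours
    NXDOMAIN for it, so a probe there would not reveal rewriting; probe a
    live TLD instead."""
    return [f"nxprobe-{secrets.token_hex(8)}.{tld}" for _ in range(n)]


def detect_nxdomain_hijack(resolve: Resolver, names=None) -> Optional[str]:
    """Return the address a resolver substitutes for NXDOMAIN, or None.
    Heuristic (an assumption in this example): if at least two random
    nonexistent names resolve to the same IP, the resolver is rewriting
    NXDOMAIN into a landing page instead of returning an error."""
    names = names or random_probe_names()
    answers = Counter(ip for ip in map(resolve, names) if ip is not None)
    if not answers:
        return None
    ip, hits = answers.most_common(1)[0]
    return ip if hits >= 2 else None


def system_resolver(name: str) -> Optional[str]:
    """Ask the OS's configured resolver; NXDOMAIN surfaces as gaierror."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed stand-ins so the check runs offline.
def honest_resolver(name: str) -> Optional[str]:
    return None  # every probe is NXDOMAIN, as the spec requires


def hijacking_resolver(name: str) -> Optional[str]:
    return "192.0.2.10"  # constructed landing-page address (TEST-NET-1)


if __name__ == "__main__":
    print("honest resolver:", detect_nxdomain_hijack(honest_resolver))
    print("rewriting resolver:", detect_nxdomain_hijack(hijacking_resolver))
```

Swap in `system_resolver` to test whatever resolver your machine is currently configured to use.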
It's so easy to install a local copy of Unbound on your desktop, even on a Windows box. I'm surprised when I see hackers using Google or OpenDNS rather than using their own DNS resolver. Unbound supports DNSSEC too.
The two are not incompatible: I run my own DNS resolver (dnsmasq) which I configured to recurse to Google DNS.
The problem is that any domain lookup requires at least two requests: one to the root servers to find out the domain's nameserver, and one to that nameserver to find out its actual records.
Google has so many users that it's very unlikely that it isn't already in cache, but as a single user of my own resolver, I'd have to pay that penalty for each domain every couple of hours or less (there are some ridiculously low TTLs out there).
I am sure you realize, but by pointing to Google DNS, you are making your CDN edge request performance worse (in general).
CDNs using GeoDNS will assume your location is the google DNS servers, and will use the closest edge node. You would likely get better performance with some sites (those using big expensive CDNs) if you pointed to your ISP's recursors (or used unbound to be your own).
Google's DNS servers are likely anycast multi-homed as well, so it may not be quite as bad as if Google only had a couple of centrally located servers. It would still likely skew your closest CDN edge node a bit.
I think both the headline is wrong (I don’t see where they explicitly warn people, can someone point it out?) and the interview contains no actual facts. The only statements are "probably" and "I’m not sure"…
This. A thousand times this. The issues I've had with ISP DNS...
ISP A making their very fast service look dog-slow with terrible DNS (and a terrible wireless router, to boot). ISP B sending mangled responses to some popular requests including facebook.com (which is what made fixing it a priority in my household) and so on...
Google's public DNS is not consolidated with any other Google services. From its privacy page: "We don't correlate or combine your information from the temporary or permanent logs with any other data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network."
Warning about consolidation of services would very much be wrong in this situation.
Well, that's kind of why I threw in the "very generally" part.