OpenDNS warns about Google DNS (forbes.com)
34 points by cr4zy on Feb 26, 2012 | hide | past | web | favorite | 35 comments

"We don’t persist logs for our users without accounts and configured networks, I’m not sure Google makes the same statement."

What FUD. Was this statement from the FAQ[0] not explicit enough? "With Google Public DNS, we collect IP address (only temporarily) and ISP and location information (in permanent logs) for the purpose of making our service faster, better and more secure. Specifically, we use this data to conduct debugging and to analyze abuse phenomena. After 24 hours, we erase any IP information."

Or what about this more detailed explanation[1] on the linked privacy page? [Originally posted, but removed on account of formatting issues]

If you don't know the answer to a question about a competitor's service, the appropriate, ethical thing to say is, "I don't know." When you say, "We do <good thing X>, I don't know if they do," you are by your omission sowing the seeds of fear, uncertainty, and doubt in the audience, for your economic reasons.

[0] http://code.google.com/intl/en-EN/speed/public-dns/faq.html#...

[1] http://code.google.com/intl/en-EN/speed/public-dns/privacy.h...

This might be a poorly written article, but it does lead to an interesting question - what does Google expect to get back from offering a DNS service for free?

They couldn't keep group archives up due to the "maintenance overhead", so they are cost-conscious. They are way beyond being "no evil", so this is hardly a charity for a greater good. There must be a reason.

Changing the privacy policy is a very simple thing to do. Today they don't recycle any DNS info, but - click - and tomorrow they suddenly do. And being in the business of cross-correlating anything and everything, I can't imagine how tempted they are. So the question is this - should they announce a change to the privacy policy, how many sysadmins and laymen will get off their lazy asses and switch away from Google? And how many would notice the change to begin with?

Google has a financial incentive to want latency online to be lower. The more people use the internet for things, the more ad money they can make. By offering their own DNS service, they can lower the DNS latency for some people, and goad competing DNS services into becoming faster as well.

I doubt that running Google DNS costs a huge amount of money, so the incentive to Google can be pretty subtle and still be worthwhile.

> what does Google expect to get back from offering a DNS service for free?

The same reason we've been giving since we released it: to make the Internet faster for people.

> They are way beyond being "no evil", so this is hardly a charity for a greater good.

No, it's because when the Internet works better for people they use it more, and we make more money.

> I can't imagine how tempted they are.

More FUD.

While they may erase "IP information", that doesn't mean they've erased the aggregate data. They could easily take a list of the actual domains and figure out how popular they are in various regions based on the DNS queries against them.

OpenDNS could do this too. I don't see how this is a disturbing outcome. If Google wanted this information, it wouldn't really need GDNS (and it's probably not even the best way for Google to do it).

I switched from OpenDNS to Google for DNS because I was tired of seeing ad pages when I mistyped a domain name in my browser. At least Google isn't hijacking NXDOMAIN results to make money. You can check your own DNS provider for this behavior as well as others with Berkeley's Netalyzr[1] Web service.

[1]: http://netalyzr.icsi.berkeley.edu/

Why didn't you just opt out of the ads? Google can subsidise their DNS service with their other profit making products. OpenDNS needs an actual business model, and they offer you a clean DNS feed if you want one.

Well, it's mostly because Google just works "out of the box" for what I need, but also because in order for OpenDNS to associate a dynamic IP address to an OpenDNS account, you have to run some proprietary software[1] to notify their service when your IP address changes. It looks like they don't have a Linux client available, and in the amount of time I'd spend trying to get a setup like this to work for me, I could probably just as easily set up DNS caching on my home server.

[1]: http://www.opendns.com/support/dynamic_ip_downloads/

Because using and is less friction than having to a) set up DNS server IPs and then b) configure proper NXDOMAIN behavior.

Isn't "friction" what all the startup folks are talking about these days? And how to remove it? It does indeed suck if your business relies on that friction for its business model.

What a poor article. Full of "I don't know", "maybe" and just plain FUD. The fact is, between Google and OpenDNS, only one makes money at it. Google provides DNS because it makes the internet more reliable, which helps their business. OpenDNS provides DNS so they can sell you stuff (or ads).



That's more information than anyone should need for Google DNS.

Please use the original title where possible - even if "OpenDNS warns about Google DNS" is going to get you more upvotes than "A Closer Look at Google Public DNS".

Is there a way to use OpenDNS from any location and permanently opt out of their NXDOMAIN hijacking? I know you can configure it from their website but you can only control your own domains so it doesn't work when you access a wifi hub. You also have to run that daemon all the time which seems like a slightly bigger privacy concern.

> We don’t persist logs for our users without accounts and configured networks, I’m not sure Google makes the same statement.

Does that mean that both my DNS requests AND my HTTP requests to whatever webserver is intercepting my requests to test.invalid (http://guide.a.id.opendns.com/?url=test.invalid) are not being logged? Does that mean my requests on wifi hubs that are configured with OpenDNS are being logged?

What does it mean to discourage automated DNS lookups? What else do I use it for? dig?

Couldn't one argue that it is a good idea to keep the number of companies that have access to your information low? From that perspective wouldn't it be prudent to use Google for everything?

>NXDOMAIN hijacking //

You and waffle_ss both mention this; can you expand on what problem you're facing? I use OpenDNS because of the filtering abilities and because I found on test that they were marginally faster for me than Google.

Next to never do I see their domain redirect page and whenever I have it's always had the domain I've been after at the top of the page - for example, http://guide.opendns.com/?url=ycambinator.com. Yes it has a couple of text-ads but for the 2-3s you're on the page I can't see that I really have any problem with this at all ... it's way less intrusive than the ads on most websites now.

So what's the issue? Is it really akin to being robbed at gunpoint?

It's really just a quirk that I would rather not deal with. If I run dig on a hostname, that means I want to know about whatever records are associated with that hostname. If I try to get a program to connect to an invalid hostname I want it to say that's the problem instead of waiting a minute or two for the connection attempt to time out. It's also kind of backwards. If I want that kind of functionality, shouldn't that be in the browser?

Hmm.. minor correction.. It seems that, with OpenDNS, test.invalid returns NXDOMAIN, test.invali gives me Oh well. When I made that other post I assumed they would be the same.
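A way to check your own resolver for the behaviour discussed in this thread (whether a mistyped name comes back as NXDOMAIN or as a redirect address, and the test.invalid vs test.invali difference noted above), as an added example rather than code from the thread or from OpenDNS or Google. It probes one random, constructed label under .com and one under the reserved .invalid TLD; the resolver function is injectable so the classification logic can be exercised offline with a fake resolver.

```python
import random
import socket
import string

# Verdict labels returned by classify_lookup()
HONOURS_NXDOMAIN = "honours NXDOMAIN"
HIJACKED = "NXDOMAIN hijacked (resolver returned an address)"
UNKNOWN = "lookup failed for another reason (e.g. temporary failure)"

# errno values raised by getaddrinfo; getattr keeps this portable
EAI_NONAME = getattr(socket, "EAI_NONAME", -2)


def random_label(length=12):
    """Constructed random hostname label that will not exist in DNS."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def classify_lookup(name, resolve=socket.getaddrinfo):
    """Resolve a name that should not exist and report how the resolver behaved.

    resolve defaults to socket.getaddrinfo (the system resolver) and can be
    replaced by any callable with the same (host, port) signature.
    Returns (verdict, sorted list of addresses).
    """
    try:
        infos = resolve(name, 80)
    except socket.gaierror as err:
        # EAI_NONAME is what an honest NXDOMAIN answer surfaces as.
        if err.errno == EAI_NONAME:
            return HONOURS_NXDOMAIN, []
        return UNKNOWN, []
    # Any address for a name that cannot exist means the resolver substituted one.
    addrs = sorted({info[4][0] for info in infos})
    return HIJACKED, addrs


def probe_resolver(resolve=socket.getaddrinfo, zones=("com", "invalid")):
    """Probe one random non-existent name per zone; return {name: (verdict, addrs)}."""
    results = {}
    for zone in zones:
        name = f"{random_label()}.{zone}"
        results[name] = classify_lookup(name, resolve)
    return results


if __name__ == "__main__":
    for name, (verdict, addrs) in probe_resolver().items():
        print(f"{name}: {verdict} {addrs if addrs else ''}")
```

Run it once with each resolver configured on the machine; a resolver that honours the spec reports "honours NXDOMAIN" for both probes, and a differing result between the .com and .invalid probes reproduces the behaviour described in the comment above.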

You seem to be taking offense to something that wasn't said. The term "hijacking" is used here in much the same sense as "signal hijacking" or the program Audio Hijack. The relevant part of the "hijack" imagery is forcibly taking over the way a transport. It essentially means they are causing DNS requests to return against-spec responses.

Hyperbole blah-blah-blah.

>they are causing DNS requests to return against-spec responses //

That's part of their service. If there was no way to switch it off then I can understand being annoyed but you can just choose to use your ISP's DNS.

It just appeared to me that both comments concerning this were of the form "ZOMG they has borken my internetz"; could be I read the tone wrong.

So anyway, for the service that OpenDNS are offering is it wrong of them to simplify the situation for users making mistakes entering domain names in their browser?

I think "wrong" is a good word for it. Users typing things into an address field in a Web browser is not the only use case for DNS, but this breaks DNS for the whole system, which is the wrong solution. Correcting mistakes in the address field is something browsers should take care of. Firefox and Chrome both do — I know Safari doesn't, and I can't remember what IE does. In fact, Chrome has to employ a rather ugly hack to work around this behavior from noncompliant DNS servers.

>not the only use case for DNS //

Of course. But I think that's exclusively the use case that OpenDNS target in their consideration of non-resolving domains.

The problem with DNS hijacking is not breaking the Web, it's breaking a lot of other protocols. I don't know which of the issues are worse, but see for yourself:


> We don’t persist logs for our users without accounts and configured networks, I’m not sure Google makes the same statement.

I think the main point here is persist; OpenDNS probably logs all your requests but they will discard it after x days.

It's so easy to install a local copy of Unbound on your desktop, even on a Windows box. I'm surprised when I see hackers using Google or OpenDNS rather than using their own DNS resolver. Unbound supports DNSSEC too.

The two are not incompatible: I run my own DNS resolver (dnsmasq) which I configured to recurse to Google DNS.

The problem is that any domain lookup requires at least two requests: one to the root servers to find out the domain's nameserver, and one to that nameserver to find out its actual records.

Google has so many users that it's very unlikely that it isn't already in cache, but as a single user of my own resolver, I'd have to pay that penalty for each domain every couple of hours or less (there are some ridiculously low TTLs out there).

Frankly, I think it's worth it.

I am sure you realize, but by pointing to Google DNS, you are making your CDN edge request performance worse (in general).

CDNs using GeoDNS will assume your location is the Google DNS servers[1], and will use the closest edge node. You would likely get better performance with some sites (those using big expensive CDNs) if you pointed to your ISP's recursors (or used unbound to be your own).

[1]: Google's DNS servers are likely anycast multi-homed as well, so it may not be quite as bad as if Google only had a couple of centrally located servers. It would still likely skew your closest CDN edge node a bit.

Thanks for this great tip. I've been looking for a simple Windows-based DNS resolver for a while now.

I think both the headline is wrong (I don’t see where they explicitly warn people, can someone point it out?) and the interview contains no actual facts. The only statements are "probably" and "I’m not sure"…

The warning is at the end of the article:

"I think Google controlling search, the browser, and the network or DNS layer is a dangerous trifecta that the consumer will probably be best served avoiding"

> the interview contains no actual facts

The headline never asserted the article contained facts though? A brief article that contains someone's thoughts is fine by me.

I see nothing disagreeable in the argument that consumers should avoid consolidating all their network activities so those activities route through one advertising corporation.

Why do you consider the marketing opinion held by one company of its competitor interesting, let alone worthy to be posted here?

A company warns about its competitor without any substantial claims.

Was there a reason for linking in at page 2?

First page, for those that didn't realise: http://www.forbes.com/sites/eliseackerman/2012/02/25/a-close...

In the end it is about trust. Sometimes I just wish ISPs would provide better DNS services.

This. A thousand times this. The issues I've had with ISP DNS...

ISP A making their very fast service look dog-slow with terrible DNS (and a terrible wireless router, to boot). ISP B sending mangled responses to some popular requests including facebook.com (which is what made fixing it a priority in my household) and so on...

This is really a nothing article: It (rightly) warns, very generally, about (over) consolidation of services, but beyond that says nothing specific.

Google's public DNS is not consolidated with any other Google services. From its privacy page[0]: "We don't correlate or combine your information from the temporary or permanent logs with any other data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network."

Warning about consolidation of services would very much be wrong in this situation.

[0] http://code.google.com/intl/en-EN/speed/public-dns/privacy.h...

Well, that's kind of why I threw in the "very generally" part.

It's good to know / have some confirmation (?), though, that Google's handling of DNS query data will not change as part of the ongoing Privacy Policy revision and user accounts data consolidation. (I commented / queried on this point a few weeks ago, in another thread.)

