Introducing Google Public DNS: A new DNS resolver from Google (googlecode.blogspot.com)
264 points by johns on Dec 3, 2009 | 155 comments



I'll do a blog post about this later today for those interested in my perspective on them entering the DNS space.

:-)

Edit: Here it is: http://blog.opendns.com/2009/12/03/opendns-google-dns/


From the blog post: "Third, Google claims that this service is better because it has no ads or redirection. But you have to remember they are also the largest advertising and redirection company on the Internet. To think that Google’s DNS service is for the benefit of the Internet would be naive. They know there is value in controlling more of your Internet experience and I would expect them to explore that fully. And of course, we always have protected user privacy and have never sold our DNS data. Here’s a link to our privacy policy."

davidu,

You have excellent points but you could have made them without bashing your competitor.

This response makes me think that you are afraid of your competition and using fear to convince people to use OpenDNS.


" ... and using fear to convince people to use OpenDNS."

Is the fear justified? Is it plausible enough that people should take it into account when picking a DNS service?

Google's self-interest is a legitimate factor to consider.


it’s not the same as OpenDNS. When you use Google DNS, you are getting the experience they prescribe. When you use OpenDNS, you get the Dashboard controls to manage your experience the way you want for you, your family or your organization.

Not mentioned was that OpenDNS sends failed requests by default to a search page full of ads... Google appears to not be monetizing this.


Not monetizing this? Where do you think their motivation is coming from (to make the world a better place?)

Google Analytics falls into the same category. You're not paying currency to use the service; you're paying with your metrics. When you think about it in terms of scale, this is way worse. Google is great at taking this data and using it to generate revenue in a number of other ways. Any smart advertiser who uses Google Adwords to buy traffic knows to stay away from Google Analytics. Why would you let the company you're buying traffic from know how that traffic behaves?

The DNS project takes this a step further by giving Google a world of new data. Now you don't have to use Google or be on a site with Google Analytics for Google to know where you're going.

Seems harmless, but I bet they can't wait for this to be adopted by the masses.

With all that being said, 8.8.8.8 is a damn cool IP address and I'm sure my Google-powered Droid already uses it. /rant


I love how everyone comes down on Google for collecting data about net traffic, as though no other company on the internet ever thought of collecting traffic metrics. What is your current DNS provider's policy on DNS data collection? In the case of OpenDNS, sure, they have a privacy policy, but they also proxy Google's results and serve up ads. How's that so much better?

I'm perfectly happy to have my DNS data be collected (which I assume my ISP is already collecting) in exchange for ad-free, fast name resolution. Plus, now I don't ever need to look up a DNS server again, Google's is 8.8.8.8. Sweet.

EDIT: looks like Google's not collecting so much information anyway. http://code.google.com/speed/public-dns/privacy.html


Looking at that privacy policy, and it looks like exactly what they should be doing. There isn't much of a point in keeping personally identifiable information beyond a certain point, at least not something which directly leads back to you.

The only data analysis that would benefit from keeping identifying information would be to create a model for how users go about the internet, and google already has some very good models of that. This is just conjecture, but I would assume that being able to create geographic based models is far more useful than per-user models, which is something they keep.


> Plus, now I don't ever need to look up a DNS server again, Google's is 8.8.8.8. Sweet.

My DNS servers have been 4.2.2.[1-4] for a long time. They aren't that hard to remember.


I tried using those servers, and they didn't work. If I do an nslookup or dig through them, it's fine, but when I use them as the default nameservers in my network configuration, they seem to reject my requests.

Anyone know why?


Try `nslookup -vc [hostname]` after setting your name servers to the Level3 IP.

Just a wild guess. I can't remember off the top of my head if nslookup or dig, when specifying an alternate server, use TCP or UDP. But, if it uses TCP for those, then it's possible that your ISP is blocking UDP DNS traffic that's not destined for their DNS servers. It wouldn't be the first time.


Weird. It works now, unlike the last time I checked. Something must have changed, but I don't know what.


Don't know. I usually set them as the default DNS servers for my router to hand out through DHCP.


> Not monetizing this? Where do you think their motivation is coming from (to make the world a better place?)

One thing I like about Google is that they research and share infrastructure technologies. Why is there any reason to think that they would not be interested in improving DNS if it makes the Internet a better place for applications?

They would likely benefit if more applications are moved to the Internet but that does not make this an "evil" or deceptive tactic. What other company today would improve an Internet protocol or create a new protocol (Wave) and release it openly in an effort to move the Internet forward?

Sure you need to be mindful of how data is used and the services you sign up for but that applies to any service, including OpenDNS.


I'm sure they will try to do something with the data, but Google's problem these days is that it's been so successful and gotten so big that it's incentivized to basically make the Internet bigger, better, faster in order to continue to grow. Chrome (and Firefox with the Chrome whip behind it) is another example of this.


Note that they don't seem to be proxying opendns's domain...


For those who don't know about the referenced shenanigans, OpenDNS proxies google search traffic onto its own servers.

OpenDNS: It's neither 'open' nor DNS!


I knew OpenDNS redirected host-not-found traffic to their results page, but hadn't heard of them "prox[ying] google search traffic onto its own servers". Do you have more details?


Here is what google is serving up:

    [bcl@lister tmp]$ dig www.google.com
    ; <<>> DiG 9.6.1-P2-RedHat-9.6.1-7.P2.fc11 <<>> www.google.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33790
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.google.com.			IN	A

    ;; ANSWER SECTION:
    www.google.com.		603958	IN	CNAME	www.l.google.com.
    www.l.google.com.	300	IN	A	74.125.53.106
    www.l.google.com.	300	IN	A	74.125.53.103
    www.l.google.com.	300	IN	A	74.125.53.147
    www.l.google.com.	300	IN	A	74.125.53.105
    www.l.google.com.	300	IN	A	74.125.53.99
    www.l.google.com.	300	IN	A	74.125.53.104

    ;; Query time: 52 msec
    ;; SERVER: 192.168.101.20#53(192.168.101.20)
    ;; WHEN: Thu Dec  3 16:44:24 2009
    ;; MSG SIZE  rcvd: 148

Here is what OpenDNS serves up:

    [bcl@lister tmp]$ dig www.google.com @208.67.222.222

    ; <<>> DiG 9.6.1-P2-RedHat-9.6.1-7.P2.fc11 <<>> www.google.com @208.67.222.222
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54658
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.google.com.			IN	A

    ;; ANSWER SECTION:
    www.google.com.		30	IN	CNAME	google.navigation.opendns.com.
    google.navigation.opendns.com. 30 IN	A	208.67.216.230
    google.navigation.opendns.com. 30 IN	A	208.67.216.231

    ;; Query time: 26 msec
    ;; SERVER: 208.67.222.222#53(208.67.222.222)
    ;; WHEN: Thu Dec  3 16:47:25 2009
    ;; MSG SIZE  rcvd: 104

All your queries are belong to us.
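The two dig sessions above make the point by eye; an added example (not from the thread or from either DNS operator) automates the same check: parse dig's ANSWER SECTION and flag a resolver that CNAMEs a name into a zone it does not belong to, or that answers NOERROR for a name that should be NXDOMAIN. The transcripts are constructed from the answers quoted above plus two made-up NXDOMAIN cases; the registrable-domain helper is a crude last-two-labels assumption.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed dig transcripts, trimmed to the parts the checker reads. The first two
# follow the answer sections quoted in the thread (Google vs. OpenDNS for www.google.com);
# the last two are constructed to show NXDOMAIN handling for a name that does not exist.
GOOGLE_RESOLVER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33790
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.\t\t\tIN\tA

;; ANSWER SECTION:
www.google.com.\t\t603958\tIN\tCNAME\twww.l.google.com.
www.l.google.com.\t300\tIN\tA\t74.125.53.106

;; Query time: 52 msec
"""
OPENDNS_RESOLVER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54658
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.google.com.\t\t30\tIN\tCNAME\tgoogle.navigation.opendns.com.
google.navigation.opendns.com. 30 IN\tA\t208.67.216.230
google.navigation.opendns.com. 30 IN\tA\t208.67.216.231

;; Query time: 26 msec
"""
HONEST_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nosuchhost-7f3a.example.com.\tIN\tA
"""
REWRITTEN_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
nosuchhost-7f3a.example.com.\t30\tIN\tA\t192.0.2.1

;; Query time: 10 msec
"""

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


def parse_dig(output: str) -> Tuple[str, List[Record]]:
    """Return the response status and the ANSWER SECTION records from dig's text output."""
    status_match = re.search(r"status: ([A-Z]+)", output)
    status = status_match.group(1) if status_match else "UNKNOWN"
    records: List[Record] = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():  # a blank line ends the section
                break
            fields = line.split()  # owner TTL class type rdata...
            if len(fields) >= 5:
                records.append((fields[0].lower(), fields[3].upper(),
                                " ".join(fields[4:]).lower()))
    return status, records


def registrable(name: str) -> str:
    """Crude registrable-domain guess: the last two labels. Assumption: adequate for the
    names here; a real tool would consult the Public Suffix List."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def classify(qname: str, output: str, expect_exists: bool = True) -> str:
    """'clean' when the resolver behaved like a plain resolver, otherwise what it did."""
    status, records = parse_dig(output)
    if not expect_exists:
        # A name we know is bogus must come back NXDOMAIN with an empty answer; anything
        # else is the resolver substituting its own content for the failed lookup.
        return "clean" if status == "NXDOMAIN" and not records else "nxdomain-rewrite"
    for _owner, rtype, rdata in records:
        # A CNAME that leaves the queried name's own zone is the resolver, not the
        # zone owner, deciding where the client goes.
        if rtype == "CNAME" and registrable(rdata) != registrable(qname):
            return "redirected:" + rdata
    return "clean"


def run_dig(resolver: str, name: str) -> str:
    """Fetch a live transcript to feed classify() (network required; unused by the samples)."""
    return subprocess.run(["dig", "@" + resolver, name],
                          capture_output=True, text=True, check=False).stdout
```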


Wow. I had no idea; that goes way beyond what I expected based on OpenDNS's promotion of their free servers. No more OpenDNS for me.



I think I commented on that post when it was first posted in 2007, but here it is again: sure, I don't like what Dell/Google did on the new Dell machines. Meh. But that post is filled with so many absurd inaccuracies that I have to simply disregard it. Most prominently:

At the top of the page, he shows the exact text that appears on the "horrible" search results page. That text explains exactly how to remove that functionality:

"This program can be uninstalled from the Control Panel "Add/Remove Programs" in Windows XP or "Control Panel > Program > Programs and Features" in Windows Vista. Look for the application named "Browser Address Error Redirector". Older versions may be called "GoogleAFE" or "URL Assistant"."

He says this statement is "ambiguous". I have no idea how it is ambiguous, but ok. He then goes on to say the software is "hard to remove", and later that "users can't get rid of it!", both of which are outright lies. Installing and uninstalling software is a normal part of owning a computer, and as you can see above, Google's message tells users exactly what to uninstall. The entire process could be completed in 30 seconds.

But I have to ask myself every time I read this article: why is this guy going to so much effort to spread inaccuracies that demonize Google for trapping search results and presenting ads?

Well, because that is exactly how OpenDNS makes money, and Google threatened their business model. The entire first portion of the post, attacks and all, is present to justify this:

"we’ve stretched a bit beyond DNS itself to work around Google’s mis-directed efforts."

By going on the offensive, he now tries to justify providing a DNS service that OpenDNS doesn't just resolve hostnames anymore...instead, OpenDNS makes moral judgments about the domains you visit, and, as they trumpet so loudly, "we have a fix which does not require more client software". What this means to me is that whatever OpenDNS is doing, I can't uninstall it, because they own it -- it's not on my machine, it's on theirs.

Listen, when I use DNS, there's a contract I expect DNS to fulfill: I give you a name, and you resolve it to an IP or tell me it can't be resolved. It is an outright violation of the contract to resolve a hostname I give you to an address other than that with which it is associated, which is exactly what OpenDNS is doing.


Very helpful to understand their motivation, thanks. Unfortunately their rationale still amounts to: others are doing something sleazy, so we have to do something sleazy, too, to defend ourselves.

I don't own a Dell or run with any toolbars. I would find the "Browser Address Error Redirector" and remove it if I faced that warped experience.

So for me, this unrequested proxying isn't help, it's collateral damage from two competing typosquatters/querysquatters each trying to one-up the other.

A harder, but classier, way for OpenDNS to escalate their battle with Google would have been to offer a different set of DNS server IP addresses for customers who may want OpenDNS to trump Google/Dell.


My comment on your blog is being moderated, but here's what I said:

I think it’s a little naive to think it is a good thing for you. How are you going to compete with Google’s infrastructure and get your response times down to Google DNS’? I would expect many people will switch away as I just have until you can roll out an extremely expensive upgrade.


Their datacenter deployment is actually focused on large scale computing datacenters, not tons of footprint. It's widely deployed, and better in Asia than us, but that's not for long.

Update: I approved your comment.


Really? I could have sworn that Google was all about local content distribution, to the point of creating new fundamental internet infrastructure to reduce latency.

Learn something new every day.


No need David, we're keeping the faith in this shop.

ns[1-4].everydns.net, the first thing I do to a domain name that comes under my control.


Who owns/is EveryDNS? They have a node in San Jose, CA (where I live) and I've never heard of them.


"I'm David Ulevitch. I have a website at http://david.ulevitch.com/ I am the founder and CTO of OpenDNS. I also started and run EveryDNS.Net. You should be using both of them."

via: http://news.ycombinator.com/user?id=davidu


I'm not entirely sure, but I used to go to high school with a kid (a different Dave) that was absolutely brilliant and did some work with them. When I was looking for a DNS provider, he showed me their site and I've referred them to everyone I know since. They really run an excellent service at top-notch quality. Probably time for me to donate again.


Your post seems like anti-Google to me. Aren't people free to choose the service they like? The one with the best service should be the market leader. On what basis will you separate the ownership of internet apps? Saying Google has the whole internet stack, so it's evil, is naive. :)


Your fifth point is the most important one for me. Once they know your DNS data they can make very educated guesses about the rest of your internet traffic. Google knows what is hosted at the servers you are looking up.


> Google knows what is hosted at the servers you are looking up.

And so does every other DNS provider so long as the pages are public and if your ISP is your DNS provider then they can directly sniff your (non-encrypted) traffic too.


Well, your ISP potentially has access to your DNS lookups regardless of whether you're using Google's DNS servers or theirs or someone else's. That is, assuming the ISP owns the fiber that you're connected through. Small ISPs don't.

But now you're adding yet another party in the mix -- Google, who already have a lot of information about your interests and habits. At the very very least, you're inviting an interested third party to have a look at your traffic.

Most of davidu's response was kind of a waste of time, but the one thing that made an impression on me was when he referred to Google as an advertising company. He's right; they're the most technologically advanced advertising company in the world.

So if this conversation was about "an unnamed technologically savvy advertising company", instead of Google, would you still be interested in giving them your DNS traffic?


> So if this conversation was about "an unnamed technologically savvy advertising company", instead of Google, would you still be interested in giving them your DNS traffic?

So... you're saying that reputation counts for nothing? Google sort of evolved into an advertising company because of the position that they held as the most popular search engine.

Most advertising companies are companies that started out trying to be an advertising company. Most of them probably had to be cut-throat to make it out of obscurity.

This isn't to say that anyone should place blind trust in Google, but if -- as you're implying -- reputation counts for nothing, then what's the point in trying to maintain a reputation at all?

See my other reply in this thread too. You completely misinterpreted my post (or just used it as a soapbox to insert your views into the discussion). The post I was replying to said nothing about Google pulling all the information on you together. The poster seemed to be irked that your DNS provider also had access to the content of the pages you were using DNS lookups to view. I was pointing out that this is true of any DNS provider.


That's one of the things I'm saying, yes.

Google does not have a spotless track record in customer privacy issues, nor is there any reason to believe that because they're behaving in a particular way now, they'll behave the same later.

It's as simple as this: while I'm a fan of most of Google's products and services, I also think there's a point at which it's no longer smart to put all of your eggs into one internet company's basket, and I think we've reached that point.


> Google does not have a spotless track record in customer privacy issues, nor is there any reason to believe that because they're behaving in a particular way now, they'll behave the same later.

True, but most of the records are deleted after 48 hours, meaning that they no longer exist for Google to decide to mine years later once they change their policy. Other than that, this only becomes an issue if the entire internet starts pointing their DNS queries at GoogleDNS, which I doubt will happen.


I don't think any existing DNS providers have other sources of data like Google does. It's when it all comes together (search+analytics+adsense+Google Account reporting your trail, indexed website content and your email for profiling you) to make a dataset with potentially unprecedented cleanliness/completeness that it becomes interesting/scary. They can likely draw much stronger conclusions than most.

Not sure if their privacy policy lets them exercise their power fully in this field, though.


I was specifically addressing his post, not every possibility. He was claiming this was bad because Google has access to the content at each of the servers you lookup through their DNS service. My point was that so does everyone else on the internet, including other DNS providers that you might use.

(i.e. If I go to sws.example.com which hosts a Secret Warez Stash, unless it's password-protected everyone has access to it, not just Google.)


Ha! I was wondering in my head what OpenDNS would say about this when I read the article. Had no idea you were the founder of the company. That's pretty cool that you're on here.


I was wondering what you'd think :)


I didn't know who you were, but now I am very curious about what you think.


Did you anticipate Google will launch public DNS resolvers?


please do!


This is what a quick comparison looks like from NYC (in ms):

                    Level 3   Google   OpenDNS
    lifehacker.com  21        22       19 
    facebook.com    20        22       19 
    manu-j.com      21        44       42 
    reddit.com      30        73       20 
    tb4.fr          125       22       157 
    bbc.co.uk       103       22       98

The IPs used are 4.2.2.2, 8.8.8.8, and 208.67.222.222, respectively.

Using the script provided here: http://www.manu-j.com/blog/opendns-alternative-google-dns-ro...


Doing a single query for each domain isn't entirely fair.

    $ dig tb4.fr @208.67.222.222 | grep Query
    ;; Query time: 274 msec 
    $ dig tb4.fr @208.67.222.222 | grep Query 
    ;; Query time: 9 msec 
    $ dig tb4.fr @208.67.222.222 | grep Query 
    ;; Query time: 9 msec 
    $ dig tb4.fr @208.67.222.222 | grep Query 
    ;; Query time: 36 msec

Also, query time only tells you how long the server took to respond, and doesn't include network latency.


Obviously subsequent queries are going to be faster - at that point it's cached. That's the point of aggressive/speculative caching: it's so the first (and in practice this will be your only) query is faster. If you want to accurately average across multiple measurements, you need to space those measurements hours or days apart.


What you really want to do is log performance under real conditions over an extended period of time and then evaluate the results.

Given that the differences in query time between various DNS solutions are significant but minor, you will almost certainly find differences in performance that you hadn't thought about.


I'm updating the post (http://www.manu-j.com/blog/opendns-alternative-google-dns-ro...) as results keep coming in (India, Italy, NYC, Houston). From the looks of it, Google is the best for international users and Level 3 (4.2.2.2) or OpenDNS for Americans.


From London:

                    Level 3  Google  OpenDNS
    lifehacker.com    35       29      26
    facebook.com      31       45      18
    manu-j.com        30       41      38
    reddit.com        42      350      17
    tb4.fr            36       22      25
    bbc.co.uk         45       39      26

OpenDNS has servers here in London, so they put up a fairly good showing. And obviously there's some jitter - the 350ms reddit result is an anomaly - but a few other runs turned up 216ms and 378ms - must be something odd about it.


    Level 3       lifehacker.com       29ms
    Google        lifehacker.com       20ms
    OpenDNS       lifehacker.com       15ms
    
    Level 3       facebook.com         94ms
    Google        facebook.com         20ms
    OpenDNS       facebook.com         18ms
    
    Level 3       manu-j.com           32ms
    Google        manu-j.com           46ms
    OpenDNS       manu-j.com           14ms
    
    Level 3       reddit.com           30ms
    Google        reddit.com           22ms
    OpenDNS       reddit.com           16ms
    
    Level 3       tb4.fr              100ms
    Google        tb4.fr               21ms
    OpenDNS       tb4.fr               14ms
    
    Level 3       bbc.co.uk           132ms
    Google        bbc.co.uk            21ms
    OpenDNS       bbc.co.uk            15ms

Nottinghamshire, UK. OpenDNS a clear winner…


Madrid, Spain.

  Level 3    lifehacker.com   355 msec
  Google     lifehacker.com   37 msec
  OpenDNS    lifehacker.com   30 msec

  Level 3    facebook.com     46 msec
  Google     facebook.com     40 msec
  OpenDNS    facebook.com     32 msec

  Level 3    manu-j.com       196 msec
  Google     manu-j.com       37 msec
  OpenDNS    manu-j.com       32 msec

  Level 3    reddit.com       44 msec
  Google     reddit.com       60 msec
  OpenDNS    reddit.com       29 msec

  Level 3    tb4.fr           89 msec
  Google     tb4.fr           36 msec
  OpenDNS    tb4.fr           31 msec

  Level 3    bbc.co.uk        47 msec
  Google     bbc.co.uk        37 msec
  OpenDNS    bbc.co.uk        30 msec

OpenDNS wins


Fascinating. It's interesting to see that their times aren't always the fastest, but they seem able to keep responses speedy on the sites the other two struggle with (bbc and tb4). Maybe that's the prefetching at work?


It's a bit hard to do the math in bash, but you'd also probably want to determine the mean and standard deviation for a population of checks (at least 10 or so).

You could calculate it across a lot of domains, or calculate it with a lot of checks to one server.
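An added example (not the thread's script and not from any of the posters) that does the statistics the comment above asks for, and that keeps the first, cold query separate from the cached repeats the earlier reply warned about. `measure()` shells out to `dig` and needs network; the sample series below are constructed (the OpenDNS one is the four tb4.fr timings quoted above, the other two are made up) so the ranking runs offline.

```python
import re
import statistics
import subprocess
from typing import Dict, List, Optional

QUERY_TIME = re.compile(r";; Query time: (\d+) msec")


def parse_query_time(dig_output: str) -> Optional[int]:
    """Extract the server-side query time dig reports (milliseconds); None if absent."""
    m = QUERY_TIME.search(dig_output)
    return int(m.group(1)) if m else None


def measure(resolver: str, name: str, runs: int = 10) -> List[int]:
    """Query `name` at `resolver` `runs` times in a row and return the query times in
    order (network required). The first sample is the cold, probably uncached, one."""
    samples: List[int] = []
    for _ in range(runs):
        out = subprocess.run(["dig", "@" + resolver, name, "+tries=1", "+time=2"],
                             capture_output=True, text=True, check=False).stdout
        t = parse_query_time(out)
        if t is not None:
            samples.append(t)
    return samples


def summarize(samples: List[int]) -> Dict[str, float]:
    """Report the cold sample on its own and describe the warm (cached) samples by median,
    mean and standard deviation, so one outlier like the 350ms reddit run above does not
    decide the ranking."""
    if not samples:
        raise ValueError("no samples")
    warm = samples[1:]
    summary: Dict[str, float] = {"n": float(len(samples)), "cold_ms": float(samples[0])}
    if warm:
        summary["warm_median_ms"] = float(statistics.median(warm))
        summary["warm_mean_ms"] = statistics.mean(warm)
        summary["warm_stdev_ms"] = statistics.stdev(warm) if len(warm) > 1 else 0.0
    return summary


def rank(results: Dict[str, List[int]], key: str = "warm_median_ms") -> List[str]:
    """Order resolvers by one summary statistic, smallest first."""
    return sorted(results, key=lambda r: summarize(results[r]).get(key, float("inf")))


# Constructed sample set: the OpenDNS series is the four tb4.fr timings quoted in the
# thread; the Google and Level 3 series are made up so the block runs without network.
SAMPLE_RESULTS: Dict[str, List[int]] = {
    "208.67.222.222": [274, 9, 9, 36],
    "8.8.8.8": [22, 20, 21, 19],
    "4.2.2.2": [125, 30, 31, 29],
}

if __name__ == "__main__":
    for resolver in rank(SAMPLE_RESULTS):
        print(resolver, summarize(SAMPLE_RESULTS[resolver]))
```

Replace `SAMPLE_RESULTS` with `{r: measure(r, "tb4.fr") for r in (...)}` for a live run, spacing repeated runs out over hours if you want cold numbers rather than cache hits.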


"Google Public DNS telephone support * 877-590-4367 in the U.S. * 770-200-1201 outside the U.S."

Telephone support from Google? At first I thought this might be some kind of joke, but I then called and it's just automated help.


Makes sense to have telephone support - I mean, if your DNS is hosed, then web-based support won't do you much good.


Make sure to write down the phone number while your DNS is working...


For what it's worth, I've been using Level3's DNS servers for a while now, due to the fact that they have insanely low latencies:

4.2.2.1... 4.2.2.6 (or thereabouts). Not sure what Google's going to have on those. Are they gonna be even more super-duper-fast? I mean, if you look at the line-up of the best DNS servers out there, they're pretty damn fast already:

http://www.dslreports.com/forum/r19982548-DNS-Fastest-DNS-Se...

Also, for what it's worth, I've never quite understood why you'd use OpenDNS when level3 have open DNS servers that don't redirect you to their own pages when there's a missing record...


>> Not sure what Google's going to have on those

Trendiness, that's what


I believe those are Verizon DNS servers, actually.


  ~% whois 4.2.2.1

  OrgName:    Level 3 Communications, Inc.
  OrgID:      LVLT
  Address:    1025 Eldorado Blvd.
  City:       Broomfield
  StateProv:  CO
  PostalCode: 80021
  Country:    US
  
  NetRange:   4.0.0.0 - 4.255.255.255
  CIDR:       4.0.0.0/8
  NetName:    LVLT-ORG-4-8
  NetHandle:  NET-4-0-0-0-1
  Parent:
  NetType:    Direct Allocation
  NameServer: NS1.LEVEL3.NET
  NameServer: NS2.LEVEL3.NET
  Comment:
  RegDate:    1992-12-01
  Updated:    2009-06-19


Huh, I thought those were originally GTE's, and that they eventually became Verizon's with all the mergers and name changes. I stand corrected.


No, you're spot on.

  2.2.2.4.in-addr.arpa domain name pointer vnsc-bak.sys.gtei.net.

Even though the IP space hasn't been SWIP'd to GTE/Verizon, the server(s) behind that IP are evidently theirs.


Another source of interesting data about internet usage for google. You can find their privacy policy here: http://code.google.com/speed/public-dns/privacy.html

Quote from "What we log": "In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage."

Even without any reference to the user that actually visited those sites, maintaining information about the "cluster" of URLs visited during a browsing session could form a useful source of data not only to optimize ads and searches; the most obvious use could be to build something like a recommendation engine (something that some kind of internet users could like, but I admit that something like this could be useless from the Google point of view).


The information they gather from this could be the best thing ever for Google. They are now literally going to see how people go from site to site to site and direct ads and content to them based on that. Good move business-wise, Google.


Comments like this are pretty common for every new product Google releases, but the fact remains that Google doesn't actually do this.

http://code.google.com/speed/public-dns/privacy.html

In other words, your comment is anti-Google FUD.


From your link: "we randomly sample a small subset for permanent storage." Even if anonymous, that data is really valuable as it allows one to identify traffic patterns. I don't see anything "evil" in collecting anonymized data.


I wonder how hard is it to change their policy? Suppose some day the investors insist on monetizing this asset to its maximum potential. Can they just come up with a new privacy statement?

In order to stop them from doing that their change would have to be a clear criminal violation of something. Nobody would be able to sue them, and even getting them in a clear criminal violation would be tough (in the US anyway; recall the debacle of v. Microsoft).


The Google product manager responded to TechCrunch saying "no blocking, hijacking, or filtering" and responded on privacy with "Collected data includes IP address (up to 48 hours, to detect malicious behavior against the service), ISP information and geographic information (2 weeks each). The data is not correlated with your Google account in any way."

http://www.techcrunch.com/2009/12/03/google-dns-opendns/


Something to remember be it Google Public DNS or things like Open DNS: Most CDN's use DNS to map you to one of their servers.

E.g.: Assuming your physical location is in Asia/Europe, and let's say you use Open DNS, IP anycast will map you to their London DNS servers (Last I checked that's the only location outside of N. America OPEN DNS has servers). Let's say the website you visit is delivered by a CDN, this CDN's servers in London will deliver content to you even though there might be CDN servers in your ISP.


That's assuming DNS based geolocation, though. Some CDNs (including Cachefly, who we use) are anycast driven, so it doesn't matter where your DNS servers are located.


I know, which is why I said Most CDN's.


That's not what your post said when I responded. :)


It did. Original post had Most CDN's.


Wow, maybe I just read it wrong. I didn't see anything about DNS in my original reading.


You can always run your own instance of bind (or dnscache if that's more your style) to get a local nameserver that doesn't have any garbage on it.

The drawback is that you'll often lose a few ms to refreshing your cache, which will cause popular-but-non-CDN content to be slightly slower.



Most of these providers, like Open DNS, have location based caching as well. If you go to OpenDNS' support page you can see the different caches they have and what IP is currently resolving for each region.


Correct, which is why I picked the Asia/Europe example. Open DNS has servers in various cities in the US, but only one outside of the US.


Quick setup: the DNS servers are 8.8.8.8 and 8.8.4.4


8 is a lucky number. 7.7.7.7 is owned by the US DoD. I love the idea of vanity IP addresses.


It's kind of disappointing Google didn't get 1.3.3.7 though.


Sadly the 1 block is unallocated, so they would have to make a special request to the IANA to get that address.

Then again, they are Google, so who knows what they could get if they asked...

I'm also curious who Halliburton merged with in order to get the entire 34 block. Surely they weren't around at the time those were handed out so foolishly.


Makes me wonder how Google got that subnet though. They really weren't around when those A-nets were being handed out.


Looks like Level3 owns the 8.*.*.* block, and Google must be renting 8.8.8.* and 8.8.4.*.

The DNS service is probably hosted by Level 3.


As with the other story just posted that 4.3.2.1 is a Google DNS server, it also seems to be hosting on Level3.

http://news.ycombinator.com/item?id=975227


No, the DNS service is run by Google out of their datacenters, they're just renting 8.8.8.0/24 and 8.8.4.0/24 off Level3 because they're memorable numbers.

(It's interesting because 4.2.2.[1-4] are run by Level3)


My problem with posting online is I'm not a clear communicator. I understand that they are renting memorable IP addresses, and I understand that Google is running the DNS service out of the datacenter. I didn't say anything to the contrary.

What I meant by Level3 hosting it is... Level3 is likely the single ISP in front of this service. I don't think Google can get away with multihoming this, other ISPs are just going to push 8.8.8.8 packets to Level3. I don't know how routing tables work, but I don't think they can reliably advertise ownership of the 8.8.8.* block considering it is wholly contained by another block.


No, that's not correct - you can see here that the route is being advertised through no less than 11 intermediate ISPs (and there will be more, that's just from one perspective on the internet):

http://www.ris.ripe.net/cgi-bin/lg/index.cgi?rrc=RRC001&...

They're advertising 8.8.8.0/24, while Level3's route is 8.0.0.0/8 - the more specific route wins.

Google is effectively a tier 1 ISP now, so buying transit off Level3 for those blocks would be a lot more costly than routing them themselves.


What do you mean that Google is a tier 1 ISP? Do they provide transit to anyone?

Interestingly, if you can advertise a sub-block and override the bigger block's advertisement, what's stopping people from just stealing sub-blocks from ISPs?


> what's stopping people from just stealing sub-blocks from ISPs?

The thief has to either be upstream of your connection, or peered at an extremely high level with others trusting their BGP advertisements. There was a hilarious incident not that long ago where the Pakistanis accidentally blackholed YouTube's IP-block globally (instead of just within the country).


Classless inter-domain routing (CIDR) was created exactly for the purpose of freeing up subnets: http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.


Right, but can you have overlapping blocks? The wikipedia page says nothing about that. It talks about combining smaller blocks to make bigger ones (which is the interesting part). So, if I understand correctly, some routers will see Level3's 8...* advertisement and not Google's 8.8.8.*. They will route 8.8.8.8 to Level3, and that's OK, because Level3 is not going to just drop the packets on the floor. They will forward to Google.

So this is why I said, in my original post, that Level3 is the home of Google's DNS service. If routers are respecting Google's own advertisement, it has to somehow be done with the permission of Level3.


Now imagine what could be done with IPv6 vanity addresses... ;)


I tested this and it is consistently offering better results than OpenDNS and 4.2.2.2. The results are here http://www.manu-j.com/blog/opendns-alternative-google-dns-ro...

The results posted are from India.

How are the results from inside the US?


Where are you located?


If they can blacklist websites from their search engine, they can blacklist them from their DNS entries too. Doesn't this raise some concerns?


from the post:

Google Public DNS complies with the DNS standards and gives the user the exact response his or her computer expects without performing any blocking, filtering, or redirection that may hamper a user's browsing experience.


And, best of all, there's no spammy default site for unresolved names!


I would see it as a feature - most of the time Google's (spell|domain) correcting is very useful if I have miswritten something.


Using this DNS service will degrade your performance to almost any non-Google rich media content, pure and simple.

If you use Google's DNS service, because Google has your client IP, they can serve your content the fastest from the closest POP, however by using this DNS service you are actually creating an issue called "resolver proximity" for every CDN on the planet. This will be especially evident to those of you not in North America who unwittingly point to these servers.

In most global markets your best strategy is to use your local DNS resolver so the people who deliver everything from Netflix, iTunes, Hulu, ustream, (etc, etc, etc) understand that you're not in San Jose or Northern Virginia but really in Tokyo or Malaysia. If your ISP uses a DNS server that's "far" away from you (in terms of network latency) you should complain loudly.


8.8.8.8 and 8.8.4.4?

Even solely for the fact they are so easy to remember, I bet these are going to be the most used DNS resolvers in the world in a few months.


I bet these are going to be the most used DNS resolvers in the world in a few months.

I doubt it. I suspect a good 90% (or even more) of regular users just use the DNS servers provided to them by their ISPs when their connections come up.


I would be astounded if 10% of users had ever heard of DNS, much less knew what it was and how to change which one they were using.


I've commonly used 4.2.2.2, for exactly this reason. It's an easy IP to ping, and to resolve DNS from.


I used to ping this IP but didn't know it was a DNS resolver, interesting.


4.2.2.2 (and 4.2.2.1 and 4.2.2.3) have worked for many years.


It's funny, I was thinking just yesterday about how much Comcast's new Domain Helper "service" makes me want to strangle them (http://blog.comcast.com/2009/08/domain-helper-national-rollo...).


Does anyone know who provides the bulk of the ads on these re-direct/ad DNS servers that ISPs are using these days? My guess is it's probably not Google or why would they offer an alternative? It sounds like a very clever way to attack their online advertising competition to me. Obviously they'd get into some hot water by trying to compete directly with their own advertising based DNS. Instead they attack the entire market of re-direct/ad DNS by offering a clean alternative that happens to hurt their competition. Very clever. It wouldn't surprise me to see some of the Google software (Toolbar, Chrome, Notifier) offer an option to use Google DNS in the future. For the end user it's a good thing -- for Google's competition it's pretty terrible.


Actually, a fair amount of this kind of advertising is Google. Also Yahoo, MS and any number of other providers.

Sure doesn't make DNS hijacking right, though.

Disclaimer: Work for Google.


A DNS I can actually remember.

A quick comparison with OpenDNS (shameless plug): http://chanux.tumblr.com/post/267873772/googledns-vs-opendns


Dangerous Signs? From their FAQ:

>> Is Google Public DNS based on open source software, such as BIND?

>> No. Google Public DNS is Google's own implementation of the DNS standards


This looks to be a pretty neat DNS benchmarking tool: http://code.google.com/p/namebench/

I think I'm behind a restricted proxy or something (on some hotel WiFi), because it's not really working for me, but I'd be interested to hear others' results.

Compare to Level3's 4.2.2.2-3 and OpenDNS's 208.67.222.222 and 208.67.220.220 (they really need a more memorable IP). Any other good ones?


My results run from a SliceHost slice: https://gist.github.com/00a8976d0b76e796996a

    Mean response (in milliseconds):
    --------------------------------
     SBC/AT&T Global- ########### 45.11
     OpenDNS-2        ############# 56.75
     OpenDNS          ################ 66.40
     8.8.4.4          ################# 70.29
     4.2.2.3          ###################### 96.20
     UltraDNS-2       ######################## 104.35
     UltraDNS         ######################## 104.68
     Level 3-2        ######################### 106.95
     SYS-67.207.128.5 ########################### 114.93
     SYS-67.207.128.4 ###################################################### 231.97


Steve Gibson has a decent DNS Benchmark tool for Windows as well: http://www.grc.com/dns/benchmark.htm

(Level 3's DNS servers were slightly faster than Google's for me)

It has a list of several public DNS servers.


Some comments get clouded in politics and suspicion. If this move has a commercial reason then perhaps it's easily explained as competing with OpenDNS.

Complaining that a search engine collects information seems crazy: surely that is a sign of a good company. The important thing is choice/competition. Google is a good competitor, whether you like them or not.



Distributed internet services are generally considered to be better than centralized ones. Google's entry into this, along with its other services, is beginning to give me pause.

I'm glad they've worked on this, but I think I'll stick with DNS as it was intended to be.


The problem is that local ISPs (or national/regional like Comcast) are poisoning the well by resolving non-existent DNS entries to their own advertisement-laden web servers in an attempt to increase their bottom line. At least open DNS servers exist like Level3 (4.2.2.[1-4]) or now Google (8.8.8.8,8.8.4.4)... (and to a lesser extent OpenDNS, which is 'open' but tries to pull some of the same advertisement stuff).

In general, the distributed aspect of DNS was to reduce latency and network traffic. While this might not keep network traffic within your ISP's internal network, it can severely reduce latency even if you're on a large ISP like Comcast/Qwest/TimeWarner. My only guess as to why this appears to be true, is that most ISPs don't really give a crap about their DNS servers just so long as it's still running and hasn't imploded.


You're right on all points. However, given Google's entry into this now, what motivation does any ISP have left for running its own DNS servers?


Keeping traffic on its own network vs. having all DNS queries making a round-trip between their network and Google's DNS (a la Level3)?

It's not like ISPs have ever needed an excuse to try and 'cut costs' by skimping on services. The difference is a greater majority of their customers use DNS than USENET.


DNS doesn't occupy a lot of bandwidth. DNS servers on the other hand can be irksome to deal with if you don't have to.

Small ISPs are merely resellers; if their DSL customers, f'rinstance, use Google's DNS servers instead of the ISP's, the ISP actually has less network traffic coming into their racks. Plus, they no longer have to admin a DNS server.

For larger ISPs, it may still be less trouble to just let their customers use Google's DNS instead.


Point taken.


Good move. I've been using 4.2.2.2 and 4.2.2.1 for a while now since I found out a few years ago that cable/DSL providers' DNS servers are flaky. It's amazing how often I go to somebody's house or cafe and find DNS to be the weak link.


    dhcp-107:~ 66% host -t ptr 8.8.8.8.in-addr.arpa
    8.8.8.8.in-addr.arpa domain name pointer any-in-0808.1e100.net.
    dhcp-107:~ 67% host -t ptr 4.4.8.8.in-addr.arpa
    Host 4.4.8.8.in-addr.arpa not found: 3(NXDOMAIN)



It's pretty obvious what Google gets out of this: they get your browsing history. My guess is that they'll uprate search results if lots of people visit them.


All I wanna know is: Can I tunnel IP traffic through it? http://thomer.com/howtos/nstx.html


From a quick test (from NYC), it seems not at all faster than OpenDNS. Still, a whole lot faster than my ISP's default DNS servers.


In NJ, the ping is higher on Google's servers than it is for OpenDNS (about 20ms vs 13ms) for me.


More interesting than ping is the resolution speed. Try something like dig to get a better measure of real performance:

http://www.madboa.com/geek/dig/


This comment will only be funny for Swedes who know who Ulla-Bella is, and what number he/she always dials...



No way, I like my DNS resolvers to be a little stupid. They know way too much about me.


two reactions:

Wow!

Nervous :(


Wonder how much a vanity IP like that would cost.


My opinion on why they are doing this.... to track where you are going, and make sure that site is indexed.


This was inevitable, and will give OpenDNS some major competition. Google could make tons of money from ads and sponsored results on error pages.


Actually the whole point of this is to not redirect error pages. If you read the blog post, you'll see that they address this (and privacy concerns). DNS redirection is pretty evil and I'm proud of Google for working against it.

(Disclaimer - I'm a Google employee, I didn't work on this and my opinions are my own.)


Is displaying a "that domain doesn't exist" page considered redirection? Otherwise what would you see in your browser?

I wouldn't say OpenDNS is evil. Offering an ad-supported free service is how many things are allowed to continue existing.


Your browser has a built in page for "domain does not exist". Google cannot place ads on it. On the other hand if you set up OpenDNS and then go to "doesnotexit123411452345.com", it will likely redirect you to something like "ads.opendns.com/?search=doesnotexist", which breaks DNS, life and the Universe. OpenDNS provides an option to turn off this type of redirection, but if you have a residential connection with a dynamic IP, all of a sudden that setting might just disappear.

Avoid OpenDNS and ISPs that do this.


One of my corporate clients had their ISP move to OpenDNS for DNS services. It caused an endless stream of headaches for me as all of the various scientists employed there started complaining about the OpenDNS result pages (which also broke some other user habits they had -- they were used to being able to type "wikipedia" into Firefox's address bar and be redirected directly to wikipedia, for example).

I couldn't get the ISP to budge and the client didn't want to change ISPs, so I ended up setting everybody up on some public SBC DNS servers I know about.

With all respect due to davidu, this "functionality" in OpenDNS has caused me to feel a raging hatred for it every time its name is mentioned.


Rogers does the same thing with 404 pages here in Canada.

Another worrying thing I noticed the other day is that they have a "feature" which injects an HTML header into the page you're requesting if you are approaching your bandwidth limit.

We all know that our ISPs are inspecting our packets, but it's a little disconcerting to see the pages you request manipulated in such a wholesale fashion.


The browser's built-in handling of names that don't resolve


OpenDNS is an easy way to keep the kids out of most of the uglier sites on the internet. That's why I use it.


What do you think the Google Toolbar and Chrome do? Ironic coming from the largest advertising and redirection company in the world. :-)

Still, users having choice and forcing businesses to compete to win is good for end users and I support that 100%.


> What do you think the Google Toolbar and Chrome do?

DNS redirection affects ALL programs that are trying to access a network address (obviously unless directly by IP). So when my Jabber/XMPP client tries to contact doesnotexist.example.com, being redirected to an advertisement page doesn't help me very much, does it?

Google Toolbar and Google Chrome defaulting to Google as a 'landing page' of sorts only affects your web experience and only when using those pieces of software. This is a far cry from Comcast's DNS servers resolving ALL DNS traffic that should return 'does not exist' to their advert-filled web servers.


"What do you think the Google Toolbar and Chrome do?"

Not DNS redirection.


There are no error pages when a domain isn't found.

If a DNS server presents an IP so you can show people a web page (like Verisign did intentionally a few years ago [1]) instead of returning 'no such domain' (NXDOMAIN), you break DNS for all apps that expect a host that's not registered to not resolve. Verisign's screwup lasted 20 days.

I doubt Google would do this.

[1]. http://en.wikipedia.org/wiki/Site_Finder
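Added example (not from the thread or from any commenter) for the breakage described in this comment and in the OpenDNS redirection comments above: a small Python check that parses a resolver's reply to a name that cannot exist and reports whether it came back as an honest NXDOMAIN or as a substituted address. The probe name, the two replies and the 203.0.113.10 address are constructed here, not captured from any real resolver.

```python
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3     # RFC 1035 response codes
TYPE_A = 1                               # IPv4 address record

def encode_name(name):
    """Encode a dotted hostname as wire-format DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # two-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def build_response(qname, rcode, answers=()):
    """Constructed helper: a minimal DNS reply to an A query for qname."""
    flags = 0x8180 | rcode               # QR=1, RD=1, RA=1, low 4 bits = RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    records = b""
    for ip in answers:                   # owner name: pointer 0xC00C back to the question
        records += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + records

def classify(msg):
    """'nxdomain' = honest RCODE 3 and no addresses; 'rewritten' = RCODE 0 plus
    A records for a name that cannot exist; 'other' = SERVFAIL, empty, etc."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, addrs = flags & 0x0F, 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    if rcode == RCODE_NXDOMAIN and not addrs:
        return "nxdomain", addrs
    if rcode == RCODE_NOERROR and addrs:
        return "rewritten", addrs
    return "other", addrs

# Constructed probe name and two constructed replies (203.0.113.10 is TEST-NET-3).
PROBE = "doesnotexist123411452345.example."
HONEST = build_response(PROBE, RCODE_NXDOMAIN)
REWRITTEN = build_response(PROBE, RCODE_NOERROR, ["203.0.113.10"])
```

Against a live resolver the same `classify` would run on the bytes returned for a freshly generated random label; a 'rewritten' result is the behaviour this comment describes, and the address list tells you where the resolver is sending every non-web application.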


I wonder what advantages they have over OpenDNS


For one, they correctly return the expected DNS error when you make a request that cannot be resolved.


You can turn that off


As stated by others though, if you're on a dynamic IP connection it's possible (likely, even) that the setting won't stick forever.


I'm tired of all those stupid "you get shafted by default but you can 'opt-out' if you don't like it so what's the problem?!" schemes.


So how does Google benefit from me sending them my DNS requests... They can serve me "domain not found" pages w/ads (works for OpenDNS), unless I'm a server. If enough people/servers use it they can control how traffic is sent to specific domains (this would be evil). I don't necessarily think my request will be a lot faster, adding ms per extra hop. What I don't like about ISPs is their disregard for TTLs. They set their own TTLs so they don't have to make a new request. With a large distributed cache it could mean fewer hops; I'd love to see a diagram of their DNS infrastructure. I've used 4.2.2.1 - 4.2.2.4 (Level3) in the past.


So I thought about it a bit. Google is not interested in redirection $$. They want to own the experience. As far as collecting your browsing behavior, they probably can easily do that with the toolbar. Their operating systems can benefit from having geoDNS IP responses. Anyone know if this was a project worked on using the 20% do-what-you-like Google perk?

If Google decided to do something evil, ISPs can easily redirect port 53 udp/tcp traffic to their own servers.



