User Name
Password
AppleNova Forums » Third-Party Products »

Someone Want to Explain Google/Open DNS?


Register Members List Calendar Search FAQ Posting Guidelines
Someone Want to Explain Google/Open DNS?
Page 1 of 2 [1] 2  Next Thread Tools
jdcfsu
Veteran Member
 
Join Date: Jun 2006
Location: Florida
 
2009-12-03, 15:46

Reading around it seems the benefit for using something like Google DNS or Open DNS seems to be a slightly faster Internet experience, but I'm curious about the privacy/security implications. Is there increased security by using a system like this? The only thing I know about DNS is how to change my various domains' nameservers to point to different web hosts. Thanks for the explanations to come.
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2009-12-03, 16:02

I doubt DNS has anything to do with security. If you want to, think of it as a phonebooks consisting of addresses of various servers.

The difference between ISP's default DNS server and OpenDNS would be same as using a old phonebook printed five years ago against using a current one. Both may still have good addresses for popular & bigger players such as Google, but the older phonebook may have invalid entries that requires even more lookups in other DNS server before you reach the destination.

So there's no change to security here. As for privacy, I would think it's a case of switching out from ISP's DNS server to OpenDNS, so your browsing activity is now on a different server, if they do even keep that kind of information. (and I don't know for a fact that they don't or do)
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
Send a message via AIM to torifile  
2009-12-03, 16:05

OpenDNS provides protection against phishing, so it is a security thing.

I just think that the alternate DNS servers provide for quicker IP lookups. OpenDNS also corrects for common typing mistakes like typing ".rog" for .org or ".ocm" for .com.

Dunno about Google DNS. It's new to me.

If it's not red and showing substantial musculature, you're wearing it wrong.
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2009-12-03, 16:06

Cool, I must have missed that phishing protection thingy.
  quote
Kickaha
Likes his boobies blue.
 
Join Date: May 2004
Location: Hell
 
2009-12-03, 16:17

There *have* been security issues popping up in common DNS implementations recently that allow for injection of new info on the sly.

To take your phonebook example, Banana, it would be like a scam artist sneaking in to your house and editing your *new* phonebook to point to his business.

But I'm not sure what else it gets you, other than a globally accessible, assumed to be correct and secure, server.

Well, that and *MY* ISP (Cablevision) has been playing footloose and fancy free with their damned DNS system recently, doing their "Oh, let us HELP YOU... and show you ads!" crap when I mistype something. Goddammit, if it's a dead site, I want to see a DEAD SITE. Asshats.

My other brain is hung like a horse too.
#IRC isn't old school.
Old school is being able to say 'finger me' with a straight face.
  quote
ezkcdude
Veteran Member
 
Join Date: Jan 2005
 
2009-12-03, 16:50

So is this supposed to be like dyndns? I'm confused.
  quote
MBHockey
skates=grafs
 
Join Date: May 2005
Location: New York
 
2009-12-03, 16:58

No, dyndns is more for updating a certain host computer with varying IP addresses to a single host name, making it easier to find on the internet.

Google Public DNS should just allow your computer to load web pages faster because it promises very fast DNS lookups (host name to IP conversions that are required for loading web pages).
  quote
alcimedes
I shot the sherrif.
 
Join Date: May 2004
Send a message via ICQ to alcimedes  
2009-12-03, 17:13

Of course, google would also be collecting the information (URL's) that people are typing in, and would likely be able to tie that to the existing google cookie on your machine to know even more about what you do online. /tinfoil hat

I assume they would then try to use that information to supply more relevant ads or sell the ad information, as now they would not only know what search terms you've typed in lately but also where you're going on your own time.

Ex. Google would have zero idea normally that I go to AN. I never type "applenova" or anything similar in their search engine. But if I used their DNS servers, they'd know that my machine requested the DNS entry for Applenova.

Google is your frenemy.
Caveat Emptor - Latin for tough titty
I tend to interpret things in the way that's most hilarious to me
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2009-12-03, 17:13

Quote:
Originally Posted by Kickaha View Post
There *have* been security issues popping up in common DNS implementations recently that allow for injection of new info on the sly.
Well! Goes to show how little I actually know!

I didn't even think it was possible, injecting a different address since I thought DNS is basically a read-only operation- you ask a server for an address and thus it's a matter of trusting that server to be honest.
  quote
alcimedes
I shot the sherrif.
 
Join Date: May 2004
Send a message via ICQ to alcimedes  
2009-12-03, 17:15

Quote:
Originally Posted by Banana View Post
Well! Goes to show how little I actually know!

I didn't even think it was possible, injecting a different address since I thought DNS is basically a read-only operation- you ask a server for an address and thus it's a matter of trusting that server to be honest.
Correct. They put their machine between you and the real server and then supply you with bogus data, so that your request never reaches the real DNS server.
  quote
Kickaha
Likes his boobies blue.
 
Join Date: May 2004
Location: Hell
 
2009-12-03, 17:28

Quote:
Originally Posted by alcimedes View Post
Of course, google would also be collecting the information (URL's) that people are typing in, and would likely be able to tie that to the existing google cookie on your machine to know even more about what you do online. /tinfoil hat

I assume they would then try to use that information to supply more relevant ads or sell the ad information, as now they would not only know what search terms you've typed in lately but also where you're going on your own time.

Ex. Google would have zero idea normally that I go to AN. I never type "applenova" or anything similar in their search engine. But if I used their DNS servers, they'd know that my machine requested the DNS entry for Applenova.
Their privacy policy: http://code.google.com/speed/public-dns/privacy.html
  quote
alcimedes
I shot the sherrif.
 
Join Date: May 2004
Send a message via ICQ to alcimedes  
2009-12-03, 17:31

Call me paranoid, but I don't believe it.
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2009-12-03, 17:34

Quote:
Originally Posted by alcimedes View Post
would likely be able to tie that to the existing google cookie on your machine to know even more about what you do online.
I could be missing something, but how would they tie a cookie to DNS requests?
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2009-12-03, 17:47

Quote:
Originally Posted by alcimedes View Post
Correct. They put their machine between you and the real server and then supply you with bogus data, so that your request never reaches the real DNS server.
Hmm. But how? I'm picturing that my ISP server is the first point of contact- it's all what my network knows about- it has to go to the gateway address of the ISP which would then hop to ISP's DNS server (assuming we're using the default here rather than defining OpenDNS). Therefore, they'd have to hijack ISP's gateway and that's pretty far more severe breach than if they were sniffing my packets on a random route to say, Google's server?
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2009-12-03, 17:57

Quote:
Originally Posted by Banana View Post
Hmm. But how? I'm picturing that my ISP server is the first point of contact- it's all what my network knows about- it has to go to the gateway address of the ISP which would then hop to ISP's DNS server (assuming we're using the default here rather than defining OpenDNS). Therefore, they'd have to hijack ISP's gateway and that's pretty far more severe breach than if they were sniffing my packets on a random route to say, Google's server?
Your assumption that the ISP's DNS server is just two hops away is the problem. In my particular case, it's five hops. I'm sure there are people for whom it'll be more.

You're right, though: if all servers on the route to the DNS server can be trusted, then the chances of the DNS server being authentic are high. Unfortunately, that doesn't have to be the case.
  quote
alcimedes
I shot the sherrif.
 
Join Date: May 2004
Send a message via ICQ to alcimedes  
2009-12-03, 17:57

"The temporary logs store the full IP address of the machine you're using."

So you hit google's page any time from that IP that and they have your DNS searches tied to the permanent google cookie living on your machine and whenever that IP address overlapped with the DNS queries.

Google is your frenemy.
Caveat Emptor - Latin for tough titty
I tend to interpret things in the way that's most hilarious to me
  quote
alcimedes
I shot the sherrif.
 
Join Date: May 2004
Send a message via ICQ to alcimedes  
2009-12-03, 17:59

Quote:
Originally Posted by Banana View Post
Hmm. But how? I'm picturing that my ISP server is the first point of contact- it's all what my network knows about- it has to go to the gateway address of the ISP which would then hop to ISP's DNS server (assuming we're using the default here rather than defining OpenDNS). Therefore, they'd have to hijack ISP's gateway and that's pretty far more severe breach than if they were sniffing my packets on a random route to say, Google's server?
In that case someone else just has to be on your local ISP's network and they can spoof the DNS server (if they're smart) and get your machine to request packets from them.

See the various Defcon hacks for real life examples of it happening in a very short amount of time. (IIRC one of the hackers replaced all image requests with goatse)

Google is your frenemy.
Caveat Emptor - Latin for tough titty
I tend to interpret things in the way that's most hilarious to me
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2009-12-03, 18:01

Quote:
Originally Posted by chucker View Post
Your assumption that the ISP's DNS server is just two hops away is the problem. In my particular case, it's five hops. I'm sure there are people for whom it'll be more.
Interesting. To be honest, I'd have expected DNS servers to be 2 or less hops away because DNS is probably most requested service compared to any other web services so naturally one would want fast resolution, and that can be had by reducing the latency (as well as having right hardware in place) and thus the hops needed to reach the DNS server.

Or at least the DNS server would be on the same network with the gateway server so there's no external hopping to be sniffed.

Quote:
Originally Posted by alcimedes View Post
In that case someone else just has to be on your local ISP's network and they can spoof the DNS server (if they're smart) and get your machine to request packets from them.
Okay, that's much more plausible. I can see how that could be done.

Thanks for sharing, alci & chucker.
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2009-12-03, 18:17

Quote:
Originally Posted by Banana View Post
Interesting. To be honest, I'd have expected DNS servers to be 2 or less hops away because DNS is probably most requested service compared to any other web services so naturally one would want fast resolution, and that can be had by reducing the latency (as well as having right hardware in place) and thus the hops needed to reach the DNS server.
But that would require proximity, i.e. for the ISP to set up hundreds of DNS servers.

Quote:
Originally Posted by alcimedes View Post
"The temporary logs store the full IP address of the machine you're using."

So you hit google's page any time from that IP that and they have your DNS searches tied to the permanent google cookie living on your machine and whenever that IP address overlapped with the DNS queries.
Fair enough. Doesn't really work so well, though — plenty of offices out there with dozens of people behind one single public IP address.
  quote
alcimedes
I shot the sherrif.
 
Join Date: May 2004
Send a message via ICQ to alcimedes  
2009-12-03, 18:25

Quote:
Originally Posted by chucker View Post
Fair enough. Doesn't really work so well, though — plenty of offices out there with dozens of people behind one single public IP address.
True, it's not the be all end all etc. for gathering information, but given google's willingness to hand over user information when presented with a warrant (or when asked not so nicely), and the Govt's various programs to monitor piles of online traffic, it does make me nervous.

Google is your frenemy.
Caveat Emptor - Latin for tough titty
I tend to interpret things in the way that's most hilarious to me
  quote
jdcfsu
Veteran Member
 
Join Date: Jun 2006
Location: Florida
 
2009-12-03, 20:10

So, basically the only upside to these systems is a potential speed increase while browsing. There's a potential for increased ad generation and browsing habit sharing, but it's not really known. There's no benefit with respect to security. Did I sum it up correctly?
  quote
Xaqtly
Veteran Member
 
Join Date: May 2004
 
2009-12-03, 20:47

In some cases it's worth it just because your ISP's DNS entries are terrible. This happened to my gf, who is on Time Warner cable. I changed her router's dns entries to the OpenDNS numbers, and voila - it was like unclogging a sink.
  quote
Maciej
M AH - ch ain saw
 
Join Date: May 2004
 
2009-12-03, 21:12

I'm thinking of switching away from Time Warner's DNS, too - what do you guys recommend OpenDNS or Google DNS?
  quote
dmegatool
Custom User Title
 
Join Date: Jul 2006
Location: At home
 
2009-12-03, 22:19

Using it right now. It's fast !!

There's no "openDNS google results" page either so a 404 is 404, wich is great.
  quote
ShadowOfGed
Travels via TARDIS
 
Join Date: Aug 2005
Location: Earthsea
 
2009-12-03, 23:14

I wonder how long it will take an ISP to do something really nasty and try to re-route connections to Google's DNS server addresses back to their own. I wouldn't put it past 'em.

An inbound DNS connection from a customer's system to 8.8.8.8? Well, we'll just route that packet to this machine over here instead.

Apparently I call the cops when I see people litter.
  quote
dmegatool
Custom User Title
 
Join Date: Jul 2006
Location: At home
 
2009-12-03, 23:30

Isn't it illegal ? I mean, you're asking for something you pay for but get something else instead (And I guess without any warning).
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Tidewater Virginia
 
2009-12-04, 01:07

I've used OpenDNS for a few years now and love it. Sure I don't like the ads they throw up there when I miskey a URL, but the security features are great. I have now subscribed to their "Deluxe" service so I don't get the ads anymore. It's was $10 a year I think, something insignificant to say the least.

My main reasons for using OpenDNS aren't the DNS routing as much as traffic control and monitoring. Since my home network is paired with my account on OpenDNS I can set it so you can't get to MySpace at all on my home network. Once the DNS system attempts to pull it the site is blocked.

I have also blocked most ad sites and banners through OpenDNS. Porn, Hate and malicious sites are also blocked by category. Sure this doesn't block all of them, but it sure does limit them.

Well worth the effort to set up if you asked me.

Louis L'Amour, “To make democracy work, we must be a notion of participants, not simply observers. One who does not vote has no right to complain.”
MineCraft? mc.applenova.com | Visit us! | Maybe someday I'll proof read, until then deal with it.
  quote
JohnnyTheA
Senior Member
 
Join Date: Feb 2005
 
2009-12-04, 01:45

I think another reason people get OpenDNS is that there is option you acn select where they block access to adult sites. I don't know how good it works though. For adults its not an issue but if you have kids.... I can see how it would work much better than a netNanny type program IF they update the DNS fast enough so that rated X sites are never resolved... Wondering how they treat torrents....

JTA
  quote
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2009-12-04, 02:58

Quote:
Originally Posted by dmegatool View Post
Isn't it illegal ? I mean, you're asking for something you pay for but get something else instead (And I guess without any warning).
Nope. It's been a very commonplace practice for many years. ISPs and other DNS providers have long labelled DNS redirection as a beneficial service to its customers since technically, yes, it can (and probably many times does) help the user find the site he/she is looking for if it points to something like a search page. Only just very recently has ICANN decided redirection is a bad idea and wants to ban it.

http://www.icann.org/en/topics/new-g...24nov09-en.pdf
Quote:
At its public meeting in Sydney in June 2009, the ICANN Board of Directors resolved that new top-level domains (TLDs) should not use DNS (Domain Name System) redirection and synthesizing of DNS responses. In response to the Board resolution, ICANN included a default prohibition for redirection and synthesizing of DNS responses in the draft Registry Agreement & Specifications1 for new generic TLDs (gTLDs). ICANN also included a similar commitment as part of the request for new IDN2 ccTLDs3 in the proposed Terms and Conditions, and in the three proposed relationship options4 between ICANN and the IDN ccTLD manager.
Quote:
Synthesized responses should not be introduced into top-level domains (TLDs) or zones that serve the public, whose contents are primarily delegations and glue, and where delegations cross organizational boundaries over which the operator may have little control or influence. Although the wildcard mechanism for providing a default answer in response to DNS queries for uninstantiated names is documented in the defining RFCs (Requests for Comment), it was generally intended to be used only in narrow contexts (for example, MX records for e-mail applications), generally within a single enterprise.

The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
  quote
Partial
Stallion
 
Join Date: Feb 2006
Location: Milwaukee
 
2009-12-04, 03:27

I feel like my browsing experience has been slower since trying this. Fudgesicles.
  quote
Posting Rules Navigation
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Page 1 of 2 [1] 2  Next

Post Reply

Forum Jump
Thread Tools
Similar Threads
Thread Thread Starter Forum Replies Last Post
Google secretly reveals new browser project: Google Chrome Brad General Discussion 62 2008-10-28 15:16
please explain 'class' in PHP nassau Programmer's Nook 12 2006-07-13 13:36
Can someone explain iPhoto to me? solinari6 Apple Products 20 2005-04-19 10:06
Can someone explain this in Activity Monitor to me? jimdad Genius Bar 3 2005-01-15 15:31
Can someone explain this? (Strange CPU usage) DMBand0026 General Discussion 6 2004-08-07 18:49


« Previous Thread | Next Thread »

All times are GMT -5. The time now is 03:22.


Powered by vBulletin®
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Copyright ©2004 - 2019, AppleNova