Google launches Google Public DNS (with warning!)

Isn't the whole point of distributed DNS to maintain speed and resilience? Kudos to Google for thinking up cache prefetching, but I think the world would be better served by the code rather than their service.
 
Well, Google's datacenters are pretty well distributed globally, so you can assume that their DNS servers have speed and resilience. The 8.8.x.x IP addresses are simply routed to the nearest host by the nearest BGP router. They're < 20 ms from me anyway (probably AMS-IX and/or UK/Ireland).
 
Ok, first major (and to me: fatal) error found: Google Public DNS appears to filter out any replies that start with 127.x.x.x, except 127.0.0.2. Logical as that may sound (it's not a publicly routable network), all spam blacklists (Spamhaus, etc.) use 127.x.x.x return codes on queries that are 'hits' (i.e. spam IP addresses). A lot of them not only use 127.0.0.2 to report a 'hit', but also 127.0.0.3 and up to report different kinds of hits (as on combined blacklists like zen.spamhaus.org). All of these 'higher numbered hits' fail.

Spamhaus case (uses 127.0.0.x return codes):

Using Google DNS:
Code:
# dig A 193.97.250.77.zen.spamhaus.org +short
(nada)

Not using Google DNS:
Code:
$ dig A 193.97.250.77.zen.spamhaus.org +short
127.0.0.11

SpamCop case (uses 127.0.0.2 return codes):

Using Google DNS:
Code:
# dig A 206.115.50.94.bl.spamcop.net +short
127.0.0.2

So if you're using any form of 'multiple return code' blacklisting (SpamAssassin with DNS blacklists, milters with DNS blacklists, etc.), do not use Google Public DNS or you're likely to get hit with spam.
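To make the failure mode above concrete, here is a small DNSBL client as an added example (it is not code from the post or from Spamhaus/Google). It builds the reversed-octet query name, decodes the 127.0.0.x answers a combined list returns, and models a resolver that behaves the way the post reports Google Public DNS behaving (every 127.x.x.x answer except 127.0.0.2 is dropped) so the two results can be compared side by side. Assumptions not in the post: the zen.spamhaus.org return-code table is Spamhaus's published mapping as I know it, the function and variable names are mine, and `lookup_a_records` does a real query through whatever resolver the host is configured with, so it is only useful online.

```python
import ipaddress
import socket
from typing import Dict, Iterable, List

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

# Return codes for zen.spamhaus.org. Assumption: this is Spamhaus's published
# mapping; the post itself only shows 127.0.0.11 for the zen lookup.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone.

    77.250.97.193 + zen.spamhaus.org -> 193.97.250.77.zen.spamhaus.org
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_answers(answers: Iterable[str],
                      codes: Dict[str, str] = ZEN_CODES) -> List[str]:
    """Map each 127.0.0.x A record to the listing it stands for.

    Non-loopback answers are ignored: a DNSBL never legitimately returns a
    routable address, and some wildcarded or expired zones do exactly that.
    """
    hits: List[str] = []
    for a in answers:
        addr = ipaddress.IPv4Address(a)
        if addr in LOOPBACK:
            hits.append(codes.get(str(addr), "unknown code %s" % addr))
    return hits


def filter_like_reported(answers: Iterable[str]) -> List[str]:
    """Model of the behaviour reported in the post (hypothetical model, not
    Google's code): 127.0.0.2 is passed through, every other 127.x.x.x answer
    is silently removed."""
    return [a for a in answers
            if a == "127.0.0.2" or ipaddress.IPv4Address(a) not in LOOPBACK]


def compare_resolvers(upstream_answers: List[str]) -> Dict[str, List[str]]:
    """Return what a direct resolver and the modelled filtering resolver
    would each let a mail filter see for the same authoritative answer."""
    return {
        "direct": interpret_answers(upstream_answers),
        "filtered": interpret_answers(filter_like_reported(upstream_answers)),
    }


def lookup_a_records(name: str) -> List[str]:
    """Real lookup through the system resolver (only works online)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET,
                                   socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed sample: the authoritative answer the post saw for the zen
    # lookup (127.0.0.11), plus a multi-record listing to show the loss.
    for sample in (["127.0.0.11"], ["127.0.0.2"], ["127.0.0.4", "127.0.0.11"]):
        print(sample, "->", compare_resolvers(sample))
    print(dnsbl_query_name("77.250.97.193", "zen.spamhaus.org"))
```

The "filtered" column is empty for exactly the answers the post says go missing: a PBL-only listing (127.0.0.11) disappears entirely, and a host listed on both XBL and PBL is reduced to nothing, while a plain 127.0.0.2 listing survives, which matches the SpamCop lookup still working.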
 