Google launches Google Public DNS (with warning!)

DutchDaemon

There already is OpenDNS, and now there is Google Public DNS. Google promises not to redirect or intercept any DNS lookup (as opposed to OpenDNS) whether it succeeds or fails. Here is the associated privacy policy.

See post #8 for a serious warning about using this service.
 
Isn't the whole point of distributed DNS to maintain speed and resilience? Kudos to Google for thinking up cache prefetching, but I think the world would be better served by the code rather than their service.
 
Well, Google's datacenters are pretty well distributed globally, so you can assume that their DNS servers have speed and resilience. The 8.8.x.x IP addresses are simply routed to the nearest host by the nearest BGP router. They're < 20 ms from me anyway (probably AMS-IX and/or UK/Ireland).
 
Ok, first major (and to me: fatal) error found: Google Public DNS appears to filter out any replies that start with 127.x.x.x, except 127.0.0.2. Logical as that may sound (it's not a publicly routable network), all spam blacklists (Spamhaus, etc.) use 127.x.x.x return codes on queries that are 'hits' (i.e. spam IP addresses). A lot of them do not only use 127.0.0.2 to report a 'hit', but also 127.0.0.3 and up to report different kinds of hits (like on combined blacklists like zen.spamhaus.org). All of these 'higher numbered hits' fail.

Spamhaus case (uses 127.0.0.x return codes):

Using Google DNS:
Code:
# dig A 193.97.250.77.zen.spamhaus.org +short
(nada)

Not using Google DNS:
Code:
$ dig A 193.97.250.77.zen.spamhaus.org +short
127.0.0.11

SpamCop case (uses 127.0.0.2 return codes):

Using Google DNS:
Code:
# dig A 206.115.50.94.bl.spamcop.net +short
127.0.0.2

So if you're using any form of 'multiple return code' blacklisting (SpamAssassin with DNS blacklists, milters with DNS blacklists, etc.), do not use Google Public DNS or you're likely to get hit with spam.
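As an added illustration (not code from the thread), the check in this post can be scripted: query the same DNSBL name through a trusted resolver and through the resolver under test, and report which 127.x return codes the second one dropped. The reversed-octet name and zone follow the dig commands above; the resolver addresses passed to udp_lookup are the caller's choice, and the test entry 2.0.0.127.<zone> is assumed to be listed per the usual DNSBL convention.

```python
import ipaddress
import socket
import struct
from typing import Callable

Lookup = Callable[[str], list[str]]

def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 77.250.97.193 -> 193.97.250.77.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query packet: header with RD set, one question of type A, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def parse_a_answers(resp: bytes) -> list[str]:
    """Return the A records in the answer section (handles compression pointers when skipping names)."""
    qdcount, ancount = struct.unpack(">HH", resp[4:8])
    def skip_name(p: int) -> int:
        while True:
            length = resp[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
                return p + 2
            p += 1 + length
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4           # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return answers

def udp_lookup(server: str) -> Lookup:
    """Build a lookup function that sends the query to one specific resolver over UDP/53."""
    def lookup(name: str) -> list[str]:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(3)
            sock.sendto(build_a_query(name), (server, 53))
            return parse_a_answers(sock.recv(4096))
    return lookup

def missing_codes(name: str, trusted: Lookup, candidate: Lookup) -> list[str]:
    """127.x return codes the trusted resolver saw but the candidate resolver did not hand back."""
    expected = {a for a in trusted(name) if a.startswith("127.")}
    return sorted(expected - set(candidate(name)))
```

A non-empty result from missing_codes for a listed address means the candidate resolver is unsafe for DNSBL-based filtering, which is exactly the failure this post describes.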
 