Why and How to Use Google's Public DNS


Is Google Public DNS Safe?
But when they did have the guide it was made clear that it would be done if you enabled it. We have the "opendns special". You won't know unless you do multiple checks over time and really see who's the most consistently fast and reliable. Transport protocol on which the request arrived, i. In my case this meant that iTunes downloads were coming down at a couple of hundred kilobytes per second rather than the 1. We designed the product to be fast, so let's get to the point quickly on privacy as well.

Why using Google DNS / OpenDNS is a bad idea

Should we be afraid of Google Public DNS?

I got a comment from famed security researcher, H D Moore on that point. So the claims this could be a more secure DNS server for most systems are true, it will protect against DNS cache poisoning attacks at least.

In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports. He has also graphed source ports, transaction IDs and a comparison of source ports to those transaction IDs. Thanks Navin. Keep in mind that if you do not use a local resolver, the CDN-based contents like Akamai and many others will be delivered from a server that is not the best for your IP.
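The source-port and transaction-ID graphs mentioned above amount to a randomness check on a resolver's outbound queries. The following is an added example, not code from the thread or from any of the people quoted in it: it parses a constructed sample of observed (source port, transaction ID) pairs, estimates how much entropy each field shows, and flags a resolver whose values are too clustered or sequential to resist cache-poisoning guesses.

```python
import math
from collections import Counter

# Constructed sample observations (source port, hex transaction ID), one per line,
# in the form a capture tool might print them. Not real Google Public DNS traffic.
SAMPLE_GOOD = """\
40211 0x1a2f
57823 0x9c01
33190 0x44d8
60412 0xe77b
49377 0x0b93
52088 0x7de4
38705 0xa0c6
44961 0x5f12
"""
# A resolver that pins its source port and counts its transaction IDs upward: predictable.
SAMPLE_BAD = """\
53 0x0001
53 0x0002
53 0x0003
53 0x0004
53 0x0005
53 0x0006
53 0x0007
53 0x0008
"""

def parse_observations(text):
    """Turn 'port hexid' lines into (int port, int txid) pairs."""
    return [(int(p), int(t, 16)) for p, t in (ln.split() for ln in text.splitlines())]

def shannon_bits(values):
    """Empirical Shannon entropy of the observed values, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess(text):
    """Summarise port/txid unpredictability; 'predictable' is the verdict a defender wants."""
    obs = parse_observations(text)
    ports, txids = [p for p, _ in obs], [t for _, t in obs]
    n = len(obs)
    report = {
        "port_bits": shannon_bits(ports),
        "txid_bits": shannon_bits(txids),
        "port_span": max(ports) - min(ports),       # how wide the port range actually is
        "sequential_txid": all(b - a == 1 for a, b in zip(txids, txids[1:])),
    }
    # With n samples the most entropy observable is log2(n); flag anything well below it.
    limit = 0.9 * math.log2(n)
    report["predictable"] = (report["port_bits"] < limit or report["txid_bits"] < limit
                             or report["sequential_txid"])
    return report
```

A real assessment needs far more than eight samples; the thresholds here are for illustrating the method, not a calibrated test.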

My measured query latency to Google for a nearby site lookup is. For a random name, insecure. And yes, I do notice an additional 1. I always test new products from Google and am also currently using Google's public DNS; it's giving much better results than OpenDNS, but the features of OpenDNS like filtering etc.

That's what I tend to do, as the root servers are simply too slow to respond here in Australia most of the time. I guess this is because you have 3 zillion ISPs while we have just a handful. All of them have decent DNSes, both in speed and stability, and switching to Google would not change much.

An obvious advantage is that you need to remember 8. What does make a difference is the improved reliability of look-ups. As for the flaw…well it is only in testing stage. Try namebench to see which of the public DNS server systems are fastest for you. For me Google DNS ended almost at the bottom of the list having similar services.

I am based out of Bangalore. With namebench Google primary 8. Why give Google such power to control all your traffic? You might say that you already do that with your ISP and you are right!

Security is of little concern to them. It cannot be any other way, and their actions over the last few years show that it is an aggressive, control-seeking, big-money corporation that all of the world already needs to use. If you do not use Google search it is really your loss, so you can't just stop it.

Do you really want Google to control every bit of communication coming out of your computer? The 3rd had some other IP, so I just replaced it with 8. Will everything work fine with that? It'll be fine with 8. It shouldn't even matter unless it can't connect to the first two. Of course, now you only have one real alternate, so it might be a good idea to put Charter's DNS server in the third slot. I'm probably just being overly worried, but I trust Google and Charter, not really a smaller one like that.

Their network is many times larger than Google's and they have been around longer. Oh, I actually didn't know that. No, I doubt it either; I just thought if you wanted an alternative so you didn't have to use Charter at all, that was an option. Basically have the servers send a routine ping to a certain IP address, and if the response isn't there the network must be down.

I looked it up once; apparently they've only been down for a grand total of 2 minutes since or something absurd. The other side to the coin is. If something is happening that is large enough to take down 4. So with Charter you are more likely than not still using those, just by middleman. When people are saying Level3 is huge they mean it. If Level3 were to be knocked out entirely by something, North America would be without internet, as almost all of your traffic is going through Level3 somewhere.

Probably not unless the service is choppy from your connection for some reason. Your best option would be to use that DNSbenchmark tool posted elsewhere in the thread and put the highest scoring servers in your router though. How do I change my router settings? I can change settings on all of my devices, but I don't know how to access my router settings since it is a Charter wireless router. Ooh, I didn't think you might have an ISP router.

You can try using the instructions on this page to connect to the router, then look for a "basic setup", "advanced options - other" or something similar for DNS server info. If there isn't anything, or you don't want to mess with that, you can just add the DNS servers to your devices.

How I think about it is, I know Google and I know their motives. Your ISP already provides you with and gets paid for internet access. Because of that, I have no reason to think their privacy policy, stability, or security on their DNS server is as good as Google's. If it's a Linux router I bet it is , putting nothing — or 0. Netgear routers most likely use Linux at their core, or something like VxWorks. So the Charter regular internet can work, but the wireless can be messed up with a DNS shutdown?

I did the DNS thing on my laptop and on my wife's iPhone, but I can't figure out how to do it on my Android or on our Nook. Their server comes back and I don't have to worry about it? I almost bought another router tonight thinking it was that. Android needs to be rooted to change the DNS. I also have Charter; took me five minutes to fix my wife's laptop today when I remembered I never changed the DNS settings on it when we got her a new one.

The latest version of Android 4. When you connect to your wifi, check the advanced settings options and it'll be there. If you're already connected to the network, just press and hold the network's name, click modify and go from there. If I recall, previous versions of Android also had this. Google offers something for free?

You know what, your traffic. A for-profit company who's also likely selling your data. Nothing is for free. At least with your ISP you've got a bit of a leg to stand on, being a paying customer. If they aren't then there is a problem. Google's DNS may not be the fastest.

Your ISP's might be, once they get their problem fixed. You won't know unless you do multiple checks over time and really see who's the most consistently fast and reliable. As much as you're right on 1 (a very good reason to never use Google DNS), 2 and 3 aren't right.

Most public DNS services that aren't provided on a 'best effort' basis will be the same. OpenDNS only has servers in major cities. I still wouldn't trust them. What they did is inexcusable. To be fair, they did make it quite clear when they did that that if you were using their service they would do that. Not sure if they had the guide since day 1.

But when they did have the guide it was made clear that it would be done if you enabled it. They were a resolver that provided a specific service that some administrators found useful. Apparently you did not, but don't pretend that it's without merit. Considering it was explicitly opt-in, that would be pretty hard to do accidentally; I'm not clear what the issue is.

OpenDNS is a scam at its very heart. It's a good way for small businesses to keep employees from going where they should, at least non-tech-savvy ones. There are legitimate, normal ways to make money, and then there are scams and slimeball ways to make money. OpenDNS started their service by intentionally associating themselves with the word "open", as in open source software.

I haven't dealt with them in years, but back when I did consulting work most of my clients had no idea that OpenDNS was a for-profit, private corporation. They also used to return their own advertising pages as results instead of proper NXDOMAIN results for failed queries.

This is fucking with the basic standards that define how the internet should work and predictably it caused all kinds of problems. A common example that I ran into time after time was that clients running a mail server would "lose" emails.

Turns out they weren't lost, but were being sent to the OpenDNS servers without the users intending this or being aware it was even happening. This was a natural consequence of the way OpenDNS breaks DNS. A private corporation intercepting your emails and at best throwing them away without notice, and you don't even know they are a company and you are a client.

This happened all the time during the few years I did consulting. Making money is fine. Breaking standards defined in the internet RFCs is bad. Doing it for profit and disguising that fact from your clients is bad. OpenDNS can suck my dirty balls. Yeah, and that was an option that you could opt out of if you used their service. I used it for my guest WiFi and disabled it. They were also pretty clear about that being a thing. That's sort of the entire point. OpenDNS is used by companies to block employees from accessing certain stuff at the DNS level rather than the better and more sophisticated ways.

The only way to do that at the DNS level is by changing the results. It's a quick and dirty way of preventing non-techie employees from "making a personal phonecall" if they can't "access the phonebook" so to speak. If you don't want to break internet RFCs then don't become a client of a service based entirely around breaking an RFC. They never disguised it. That information practically oozed out from between the lines. The only way you could be using OpenDNS without knowing that was a thing is if you never visited the OpenDNS site in the first place, in which case you're an idiot that deserves to have your shit fucked with for not researching what you're doing.

I only saw the damage their service did to a number of clients; I was never a user myself. It was happening so often back in Client after client had no idea OpenDNS was a private corporation. They had no idea why their DNS was breaking in strange ways. Something doesn't add up.

Edit - also, how did they justify running an SMTP service that silently accepted mail to any address in combination with a DNS hijack that caused email to be mistakenly delivered to it? Had they simply not run SMTP on their advertising system, the messages would have failed locally and the sender been notified; or if they ran a normal SMTP server it would have rejected non-local mail and again the sender been notified. But instead they intentionally hid this flaw in their scheme by running a catch-all and intercepted, and then threw away, their victims' messages silently.

It's all coming back to me now. The calls always went like this, in case it's not clear: We determine A broke their DNS again, no big deal, everything will sit in queue for a bit but will get delivered whenever A gets their shit together. New messages go right out. They never get to A, of course. All messages for the past X hours are just gone. Do you have a source on the SMTP thing? I'm pretty sure intercepting mail like that is illegal; since it's illegal within a company, I'm sure it's illegal for a company to do it to another company's mail as well.

SMTP mail services generally aren't going to advertise what email addresses they consider valid and which they don't. This is a spam control technique and everyone in their right mind should be using it. Here's a better question. I'm not even clear what scenario you're painting: Sorry if this sounds harsh, but there are legitimate reasons to set things up similar to how you described, and rolling in there with no documentation and ripping things out is the wrong way to begin.

That's not to say I didn't do stuff like that as a freshman IT tech, but I deserved to be smacked upside the head for it and so do you. Perhaps you are not aware that the SMTP spec says mail servers should try an A record lookup in the case that MX records aren't available?

Now consider what happens when a DNS service returns their own advertising server for all invalid A records. Also, accepting messages for non local domains and then silently discarding them is absolutely not a normal spam fighting technique. Quit assuming everyone is an idiot and instead, try to learn from them. It would serve you well.

I wasn't aware of that. In practice, however, if someone doesn't have MX records, they're doing it wrong. Reading up on IETF message threads, there appear to be a number of engineers who share my opinion: if you want mail to work, use MX records rather than relying on a 30-year-old artifact that was designed to solve the chicken-and-egg problem that existed back then. If someone else's MTA behavior is breaking your system, you need to evaluate why you are using their MTA rather than complaining that you don't like their behavior.

If you want to focus on RFCs, there is absolutely no standard that I am aware of that makes it "wrong" behavior to accept mail from domains other than yours, nor that it is wrong to choose to store or discard that mail as they choose.

At the end of the day, arguing technical RFC compliance on a point generally considered archaic on a service that explicitly violates RFC is a bit silly. If you don't like that, don't use their service. It's not that people are intending to use A records in place of MX records. That's dumb, and I agree that people should use MX records. The problem is that sending mail servers will do A record lookups whenever an MX isn't available.

This means that any time an MX record fails for any reason, mail to that domain ends up going to OpenDNS's mail server. This also means any user that mistypes the domain part of an email address probably ends up sending that message to OpenDNS's mail server.

In every case I was called into, the root problem was that somebody broke their MX records somehow. However, the outcome was that due to OpenDNS's abuse all the mail disappeared without any notice to the user, when normally it would have just been queued for a while or at the very least the user would have been notified that the message wasn't delivered.

There are some limited cases in which a mail server might legitimately drop messages, and these are also addressed in the same RFC: However, it is extremely dangerous and violates a long tradition and community expectations that mail is either delivered or returned. If silent message-dropping is misused, it could easily undermine confidence in the reliability of the Internet's mail systems. So silent dropping of messages should be considered only in those cases where there is very high confidence that the messages are seriously fraudulent or otherwise inappropriate.
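The mechanism argued over in the last several comments (a sender falling back to an A record when no MX answer is usable, combined with a resolver that synthesises A records for nonexistent names) can be reproduced offline. The following is an added example written for this page, not code from any commenter or from OpenDNS: it models a standards-compliant resolver beside a hijacking one over a small constructed zone, applies the RFC 5321 target-selection rule, and includes the probe a defender can use to tell whether their resolver rewrites NXDOMAIN. All names and addresses are constructed documentation values.

```python
import random
import string

# Constructed zone data shared by both resolvers: (name, type) -> answers.
# A missing key means the name/type does not exist. "broken.example" has an MX whose
# target host was never given an A record, the failure mode described in the thread.
ZONE = {
    ("example.com", "MX"): [(10, "mail.example.com")],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("broken.example", "MX"): [(10, "mail.broken.exmaple")],
}
HIJACK_IP = "203.0.113.1"  # stands in for an advertising/catch-all host (constructed)

def honest_resolver(name, rtype):
    """Standards-compliant: a name that does not exist gets no answer (NXDOMAIN)."""
    return ZONE.get((name, rtype), [])

def hijacking_resolver(name, rtype):
    """Models NXDOMAIN rewriting: any A query for a wholly unknown name gets HIJACK_IP."""
    answers = ZONE.get((name, rtype), [])
    name_exists = any(key[0] == name for key in ZONE)
    if not answers and rtype == "A" and not name_exists:
        return [HIJACK_IP]
    return answers

def smtp_targets(domain, resolve):
    """RFC 5321 section 5.1 target selection: deliver to the MX hosts in preference order;
    with no MX at all, treat the domain's own A record as an implicit MX.
    Returns the IPs a sender would connect to, or [] when delivery cannot proceed."""
    mx = resolve(domain, "MX")
    if mx:
        return [ip for _, host in sorted(mx) for ip in resolve(host, "A")]
    return resolve(domain, "A")

def nxdomain_hijack_detected(resolve):
    """Defender's probe: a random label under the reserved .invalid TLD must never resolve.
    An A answer for it means the resolver is synthesising records for nonexistent names."""
    probe = "".join(random.choices(string.ascii_lowercase, k=16)) + ".invalid"
    return bool(resolve(probe, "A"))

if __name__ == "__main__":
    for domain in ("example.com", "exmaple.com", "broken.example"):
        print(domain, "honest:", smtp_targets(domain, honest_resolver),
              "hijacking:", smtp_targets(domain, hijacking_resolver))
    print("hijack probe:", nxdomain_hijack_detected(hijacking_resolver))
```

With the honest resolver the mistyped domain and the broken MX both yield no target, so a real MTA queues or bounces the message; with the hijacking resolver both deliver to HIJACK_IP.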

I can't believe you would suggest a honey pot is a valid excuse here. That's not a honey pot. Dunno what tarpitting has to do with anything. This has nothing to do with a "no such address" situation. This is the entirely wrong domain. It is normal to conceal valid addresses within your domain, of course. It is not normal to accept mail for domains you don't handle, forget about the address part.

You've tried to stretch things in some way to excuse their behavior, but most of your points are either invalid or just irrelevant.

Google's Public DNS is fast