From the blog post:
"Third, Google claims that this service is better because it has no ads or redirection. But you have to remember they are also the largest advertising and redirection company on the Internet. To think that Google’s DNS service is for the benefit of the Internet would be naive. They know there is value in controlling more of your Internet experience and I would expect them to explore that fully. And of course, we always have protected user privacy and have never sold our DNS data. Here’s a link to our privacy policy."
davidu,
You have excellent points but you could have made them without bashing your competitor.
This response makes me think that you are afraid of your competition and using fear to convince people to use OpenDNS.
it’s not the same as OpenDNS. When you use Google DNS, you are getting the experience they prescribe. When you use OpenDNS, you get the Dashboard controls to manage your experience the way you want for you, your family or your organization.
Not mentioned was OpenDNS sends failed requests be default to a search page full of ads... Google appears to not be monetizing this.
Not monetizing this? Where do you think their motivation is coming from (to make the world a better place?)
Google Analytics falls into the same category. You're not paying currency to use the service; you're paying with your metrics. When you think about it in terms of scale, this is way worse. Google is great at taking this data and using it to generate revenue in a number of other ways. Any smart advertiser who uses Google Adwords to buy traffic knows to stay away from Google Analytics. Why would you let the company you're buying traffic from know how that traffic behaves?
The DNS project takes this a step further by giving Google a world of new data. Now you don't have to use Google or be on a site with Google Analytics for Google to know where you're going.
Seems harmless, but I bet they can't wait for this to be adopted by the masses.
With all that being said, 8.8.8.8 is a damn cool IP address and I'm sure my Google-powered Droid already uses it. /rant
I love how everyone comes down on Google for collecting data about net traffic, as though no other company on the internet ever thought of collecting traffic metrics. What is your current DNS provider's policy on DNS data collection? In the case of OpenDNS, sure, they have a privacy policy, but they also proxy Google's results and serve up ads. How's that so much better?
I'm perfectly happy to have my DNS data be collected (which I assume my ISP is already collecting) in exchange for ad-free, fast name resolution. Plus, now I don't ever need to look up a DNS server again, Google's is 8.8.8.8. Sweet.
Looking at that privacy policy, and it looks like exactly what they should be doing. There isn't much of a point in keeping personally identifiable information beyond a certain point, at least not something which directly leads back to you.
The only data analysis that would benefit from keeping identifying information would be to create a model for how users go about the internet, and google already has some very good models of that. This is just conjecture, but I would assume that being able to create geographic based models is far more useful than per-user models, which is something they keep.
I tried using those servers, and they didn't work. If I do an nslookup or dig through them, it's fine, but when I use them as the default nameservers in my network configuration, they seem to reject my requests.
Try `nslookup -vc [hostname]` after setting your name servers to the Level3 IP.
Just a wild guess. I can't remember off the top of my head if nslookup or dig, when specifying an alternate server, use TCP or UDP. But, if it uses TCP for those, then it's possible that your ISP is blocking UDP DNS traffic that's not destined for their DNS servers. It wouldn't be the first time.
> Not monetizing this? Where do you think their motivation is coming from (to make the world a better place?)
One thing I like about Google is that they research and share infrastructure technologies. Why is there any reason to think that they would not be interested in improving DNS if it makes the Internet a better place for applications?
They would likely benefit if more applications are moved to the Internet but that does not make this an "evil" or deceptive tactic. What other company today would improve an Internet protocol or create a new protocol (Wave) and release it openly in an effort to move the Internet forward?
Sure you need to be mindful of how data is used and the services you sign up for but that applies to any service, including OpenDNS.
I'm sure they will try to do something with the data, but Google's problem these days is that it's been so successful and gotten so big that it's incentivized to basically make the Internet bigger, better, faster in order to continue to grow. Chrome (and Firefox with the Chrome whip behind it) is another example of this.
I knew OpenDNS redirected host-not-found traffic to their results page, but hadn't heard of them "prox[ying] google search traffic onto its own servers". Do you have more details?
I think I commented on that post when it was first posted in 2007, but here it is again: sure, I don't like what Dell/Google did on the new Dell machines. Meh. But that post is filled with so many absurd inaccuracies that I have to simply disregard it. Most prominently:
At the top of the page, he shows the exact text that appears on the "horrible" search results page. That text explains exactly how to remove that functionality:
"This program can be uninstalled from the Control Panel "Add/Remove Programs" in Windows XP or "Control Panel > Program > Programs and Features" in Windows Vista. Look for the application named "Browser Address Error Redirector". Older versions may be called "GoogleAFE" or "URL Assistant"."
He says this statement is "ambiguous". I have no idea how it is ambiguous, but ok. He then goes on to say the software is "hard to remove", and later that "users can't get rid of it!", both of which are outright lies. Installing and uninstalling software is a normal part of owning a computer, and as you can see above, Google's message tells users exactly what to uninstall. The entire process could be completed in 30 seconds.
But I have to ask myself every time I read this article: why is this guy going to so much effort to spread inaccuracies that demonize Google for trapping search results and presenting ads?
Well, because that is exactly how OpenDNS makes money, and Google threatened their business model. The entire first portion of the post, attacks and all, is present to justify this:
"we’ve stretched a bit beyond DNS itself to work around Google’s mis-directed efforts."
By going on the offensive, he now tries to justify providing a DNS service that OpeDNS doesn't just resolve hostnames anymore...instead, OpenDNS makes moral judgments about the domains you visit, and, as they trumpet so loudly, "we have a fix which does not require more client software". What this means to me is that whatever OpenDNS is doing, I can't uninstall it, because they own it -- it's not on my machine, it's on theirs.
Listen, when I use DNS, there's a contract I expect DNS to fulfill: I give you a name, and you resolve it to an IP or tell me it can't be resolved. It is an outright violation of the contract to resolve a hostname I give you to an address other than that with which it is associated, which is exactly what OpenDNS is doing.
Very helpful to understand their motivation, thanks. Unfortunately their rationale still amounts to: others are doing something sleazy, so we have to do something sleazy, too, to defend ourselves.
I don't own a Dell or run with any toolbars. I would find the "Browser Address Error Redirector" and remove it if I faced that warped experience.
So for me, this unrequested proxying isn't help, it's collateral damage from two competing typosquatters/querysquatters each trying to one-up the other.
A harder, but classier, way for OpenDNS to escalate their
battle with Google would have been to offer a different set of DNS server IP addresses for customers who may want OpenDNS to trump Google/Dell.
My comment on your blog is being moderated, but here's what I said:
I think it’s a little naive to think it is a good thing for you. How are you going to compete with Google’s infrastructure and get your response times down to Google DNS’? I would expect many people will switch away as I just have until you can roll out an extremely expensive upgrade.
Their datacenter deployment is actually focused on large scale computing datacenters, not tons of footprint. It's widely deployed, and better in Asia than us, but that's not for long.
Really? I could have sworn that Google was all about local content distribution, to the point of creating new fundamental internet infrastructure to reduce latency.
"I'm David Ulevitch. I have a website at http://david.ulevitch.com/
I am the founder and CTO of OpenDNS. I also started and run EveryDNS.Net. You should be using both of them."
I'm not entirely sure, but I used to go to high school with a kid (a different Dave) that was absolutely brilliant and did some work with them. When I was looking for a dns provider, he showed me their site and I've referred them to everyone I know since. They really run an excellent service at top-notch quality. Probably time for me to donate again..
Your post seems like anti-Google to me. Aren't people free to choose the service they like? The one with the best service should be the market leader. On what basis will you separate the ownership of internet apps? Saying Google has the whole internet stack, so its evil is naive. :)
Your fifth point is the most important one for me. Once they know your DNS data they can make make very educated guesses about the rest of your internet traffic. Google knows what is hosted at the servers you are looking up.
> Google knows what is hosted at the servers you are looking up.
And so does every other DNS provider so long as the pages are public and if your ISP is your DNS provider then they can directly sniff your (non-encrypted) traffic too.
Well, your ISP potentially has access to your DNS lookups regardless of whether you're using Google's DNS servers or theirs or someone else's. That is, assuming the ISP owns the fiber that you're connected through. Small ISPs don't.
But now you're adding yet another party in the mix -- Google, who already have a lot of information about your interests and habits. At the very very least, you're inviting an interested third party to have a look at your traffic.
Most of davidu's response was kind of a waste of time, but the one thing that made an impression on me was when he referred to Google as an advertising company. He's right; they're the most technologically advanced advertising company in the world.
So if this conversation was about "an unnamed technologically savvy advertising company", instead of Google, would you still be interested in giving them your DNS traffic?
> So if this conversation was about "an unnamed technologically savvy advertising company", instead of Google, would you still be interested in giving them your DNS traffic?
So... you're saying that reputation counts for nothing? Google sort of evolved into an advertising company because of the position that they held as the most popular search engine.
Most advertising companies are companies that started out trying to be an advertising company. Most of them probably had to be cut-throat to make it out of obscurity.
This isn't to say that anyone should place blind trust in Google, but if -- as you're implying -- reputation counts for nothing, then what's the point in trying to maintain a reputation at all?
See my other reply in this thread too. You completely misinterpreted my post (or just used it as a soapbox to insert your views into the discussion). The post I was replying too said nothing about Google pulling all the information on you together. The poster seemed to be irked that your DNS provider also had access to the content of the pages you were using DNS lookups to view. I was pointing out that this is true of any DNS provider.
Google does not have a spotless track record in customer privacy issues, nor is there any reason to believe that because they're behaving in a particular way now, they'll behave the same later.
It's as simple as this: while I'm a fan of most of Google's products and services, I also think there's a point at which it's no longer smart to put all of your eggs into one internet company's basket, and I think we've reached that point.
> Google does not have a spotless track record in customer privacy issues, nor is there any reason to believe that because they're behaving in a particular way now, they'll behave the same later.
True, but most of the records are deleted after 48 hours, meaning that they no longer exist for Google to decide to mine years later once they change their policy. Other than that, this only becomes an issue if the entire internet starts pointing their DNS queries at GoogleDNS, which I doubt will happen.
I don't think any existing DNS providers have other sources of data like Google does. It's when it all comes together (search+analytics+adsense+Google Account reporting your trail, indexed website content and your email for profiling you) to make a dataset with potentially unprecedented cleanliness/completeness that it becomes interesting/scary. They can likely draw much stronger conclusions than most.
Not sure if their privacy policy lets them exercise their power fully in this field, though.
I was specifically addressing his post, not every possibility. He was claiming this was bad because Google has access to the content at each of the servers you lookup through their DNS service. My point was that so does everyone else on the internet, including other DNS providers that you might use.
(i.e. If I go to sws.example.com which hosts a Secret Warez Stash, unless it's password-protected everyone has access to it, not just Google.)
Ha! I was wondering in my head what OpenDNS would say about this when I read the article. Had no idea you were the founder of the company. That's pretty cool that you're on here.
Obviously subsequent queries are going to be faster - at that point it's cached. That's the point of aggressive/speculative caching: it's so the first (and in practice this will be your only) query is faster. If you want to accurately average across multiple measurements, you need to space those measurements hours or days apart.
What you really want to do is log performance under real conditions over an extended period of time and then evaluate the results.
Given that the differences in query time between various DNS solutions are significant but minor, you will almost certainly find differences in performance that you hadn't thought about.
I'm updating the post (http://www.manu-j.com/blog/opendns-alternative-google-dns-ro...) as results keep coming in (India, Italy, NYC, Houston). From the looks of it, google is the best for international users and Level 3 (4.2.2.2) or openDNS for americans.
OpenDNS has servers here in London, so they put up a fairly good showing. And obviously there's some jitter - the 350ms reddit result is an anomaly - but a few other runs turned up 216ms and 378ms - must be something odd about it.
Fascinating. It's interesting to see that their times aren't always the fastest, but they seem able to keep responses speedy on the sites the other two struggle with (bbc and tb4). Maybe that's the prefetching at work?
It's a bit hard to do the math in bash, but you'd also probably want to determine the mean and standard deviation for a population of checks (at least 10 or so).
You could calculate it across a lot of domains, or calculate it with a lot of checks to one server.
For what it's worth, I've been using Level3's DNS servers for a while now, due to the fact that they have insanely low latencies:
4.2.2.1... 4.2.2.6 (or thereabouts). Not sure what Google's going to have on those. Are they gonna be even more super-duper-fast? I mean, if you look at the line-up of the best DNS servers out there, they're pretty damn fast already:
Also, for what it's worth, I've never quite understood why you'd use OpenDNS when level3 have open DNS servers that don't redirect you to their own pages when there's a missing record...
Quote from "What we log":
"In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage."
Even if without any reference to the user that actually visited those sites, mantaining information about the "cluster" of urls visited during a browsing session could form a useful source of data not only to optimize ads and searches, the most obvious use could be build something like a recommendation engine (something that some kind of internet users could like, but i admit that something like this could be useless from the google point of view).
The information they gather from this could be the best thing ever for Google. They are now literally going to see how people go from site to site to site and direct ads and content to them based on that. Good move buisness wise Google.
From your link : "we randomly sample a small subset for permanent storage."
Even if anonymous that data is really valuable as it allows to identify traffic patterns. I don't see anything "evil" in collecting anonymized data.
I wonder how hard is it to change their policy? Suppose some day the investors insist on monetizing this asset to its maximum potential. Can they just come up with a new privacy statement?
In order to stop them from doing that their change would have to be a clear criminal violation of something. Nobody would be able to sue them, and even getting them in a clear criminal violation would be tough (in the US anyway; recall the debacle of v. Microsoft).
The Google product manager responded to TechCrunch saying "no blocking, hijacking, or filtering" and responded on privacy with "Collected data includes IP address (up to 48 hours, to detect malicious behavior against the service), ISP information and geographic information (2 weeks each). The data is not correlated with your Google account in any way."
Something to remember be it Google Public DNS or things like Open DNS: Most CDN's use DNS to map you to one of their servers.
E.g.: Assuming your physical location is in Asia/Europe, and let's say you use Open DNS, IP anycast will map you to their London DNS servers (Last I checked that's the only location outside of N. America OPEN DNS has servers). Let's say the website you visit is delivered by a CDN, this CDN's servers in London will deliver content to you even though there might be CDN servers in your ISP.
That's assuming DNS based geolocation, though. Some CDNs (including Cachefly, who we use) are anycast driven, so it doesn't matter where your DNS servers are located.
Most of these providers, like Open DNS, have location based caching as well. If you go to OpenDNS' support page you can see the different caches they have and what IP is currently resolving for each region.
Sadly the 1 block is unallocated, so they would have to make a special request to the IANA to get that address.
Then again, they are Google, so who knows what they could get if they asked...
I'm also curious who Halliburton merged with in order to get the entire 34 block. Surely they weren't around at the time those were handed out so foolishly.
No, the DNS service is run by Google out of their datacenters, they're just renting 8.8.8.0/24 and 8.8.4.0/24 off Level3 because they're memorable numbers.
(It's interesting because 4.2.2.[1-4] are run by Level3)
My problem with posting online is I'm not a clear communicator. I understand that they are renting memorable IP addresses, and I understand that Google is running the DNS service out of the datacenter. I didn't say anything to the contrary.
What I meant by Level3 hosting it is... Level3 is likely the single ISP in front of this service. I don't think Google can get away with multihoming this, other ISPs are just going to push 8.8.8.8 packets to Level3. I don't know how routing tables work, but I don't think they can reliably advertise ownership of the 8.8.8.* block considering it is wholly contained by another block.
No, that's not correct - you can see here that the route is being advertised through no less than 11 intermediate ISPs (and there will be more, that's just from one perspective on the internet):
What do you mean that Google is a tier 1 ISP? Do they provide transit to anyone?
Interestingly, if you can advertise a sub-block and override the bigger block's advertisement, what's stopping people from just stealing sub-blocks from ISPs?
> what's stopping people from just stealing sub-blocks from ISPs?
The thief has to either be upstream of your connection, or peered at an extremely high level with others trusting their BGP advertisements. There was a hilarious incident not that long ago where the Pakistanis accidentally blackholed YouTube's IP-block globally (instead of just within the country).
Right, but can you have overlapping blocks? The wikipedia page says nothing about that. It talks about combining smaller blocks to make bigger ones (which is the interesting part). So, if I understand correctly, some routers will see Level3's 8...* advertisement and not Google's 8.8.8.*. They will route 8.8.8.8 to Level3, and that's OK, because Level3 is not going to just drop the packets on the floor. They will forward to Google.
So this is why I said, in my original post, that Level3 is the home of Google's DNS service. If routers are respecting Google's own advertisement, it has to somehow be done with the permission of Level3.
Google Public DNS complies with the DNS standards and gives the user the exact response his or her computer expects without performing any blocking, filtering, or redirection that may hamper a user's browsing experience.
Using this DNS service will degrade your performance to almost any non-Google rich media content, pure and simple.
If you use Google's DNS service, because Google has your client IP, they can serve your content the fastest from the closest POP, however by using this DNS service you are actually creating an issue called "resolver proximity" for every CDN on the planet. This will be especially evident to those of you not in North America who unwittingly point to these servers.
In most global markets your best strategy is to use your local DNS resolver so the people who deliver everything from Netflix, iTunes, Hulu, ustream, (etc, etc, etc) understand that you're not in San Jose or Northern Virginia but really in Tokyo or Malaysia. If your ISP uses a DNS server that's "far" away from you (in terms of network latency) you should complain loudly.
I bet this are going to be the most used DNS resolvers in the world in a few months.
I doubt it. I suspect a good 90% (or even more) of regular users just use the DNS servers provided to them by their ISPs when their connections come up.
Does anyone know who provides the bulk of the ads on these re-direct/ad DNS servers that ISPs are using these days? My guess is it's probably not Google or why would they offer an alternative? It sounds like a very clever way to attack their online advertising competition to me. Obviously they'd get into some hot water by trying to compete directly with their own advertising based DNS. Instead they attack the entire market of re-direct/ad DNS by offering a clean alternative that happens to hurt their competition. Very clever. It wouldn't surprise me to see some of the Google software (Toolbar, Chrome, Notifier) offer an option to use Google DNS in the future. For the end user it's a good thing -- for Google's competition it's pretty terrible.
I think I'm behind a restricted proxy or something (on some hotel WiFi), because it's not really working for me, but I'd be interested to hear others' results.
Compare to Level3's 4.2.2.2-3 and OpenDNS's 208.67.222.222 and 208.67.220.220 (they really need a more memorable IP). Any other good ones?
Some comments get clouded in politics and suspicion. If this move has a commercial reason then perhaps it's easily explained as to compete with OpenDNS.
Complaining that a search engine collects information seems crazy: surely that is a sign of a good company. The important thing is choice/competition. Google is a good competitor, whether you like them or not.
Distributed internet services is generally considered to be better than centralized ones. Google's entry into this, along with its other services, is beginning to give me pause.
I'm glad they've worked on this, but I think I'll stick with DNS as it was intended to be.
The problem is that local ISPs (or national/regional like Comcast) are poisoning the well by resolving non-existent DNS entries to their own advertisement-laden web servers in an attempt to increase their bottom line. At least open DNS servers exist like Level3 (4.2.2.[1-4]) or now Google (8.8.8.8,8.8.4.4)... (and to a lesser extent OpenDNS, which is 'open' but tries to pull some of the same advertisement stuff).
In general, the distributed aspect of DNS was to reduce latency and network traffic. While this might not keep network traffic within your ISP's internal network, it can severely reduce latency even if you're on a large ISP like Comcast/Qwest/TimeWarner. My only guess as to why this appears to be true, is that most ISPs don't really give a crap about their DNS servers just so long as it's still running and hasn't imploded.
Keeping traffic on it's own network vs having all DNS queries making a round-trip between their network and Google's DNS (ala Level3)?
It's not like ISPs have ever needed an excuse to try and 'cut costs' by skimping on services. The difference is a greater majority of their customers use DNS than USENET.
DNS doesn't occupy a lot of bandwidth. DNS servers on the other hand can be irksome to deal with if you don't have to.
Small ISPs are merely resellers; if their DSL customers f'rinstance use Google's DNS servers instead of the ISPs, the ISP actually has less network traffic coming into their racks. Plus, they no longer have to admin a DNS server.
For larger ISPs, it may still be less trouble to just let their customers use Google's DNS instead.
Good move. I've been using 4.2.2.2 and 4.2.2.1 for a while now since I found out a few years ago that cable/DSL provider's DNS servers are flaky. It's amazing how often I go to somebody's house or cafe and find DNS to be the weak link.
It's pretty obvious what Google gets out of this: they get your browsing history. My guess if that they'll uprate search results if lots of people visit them.
Actually the whole point of this is to not redirect error pages. If you read the blog post, you'll see that they address this (and privacy concerns). DNS redirection is pretty evil and I'm proud of Google for working against it.
(Disclaimer - I'm a Google employee, I didn't work on this and my opinions are my own.)
Your browser has a built in page for "domain does not exist". Google cannot place ads on it. On the other hand if you set up OpenDNS and then go to "doesnotexit123411452345.com", it will likely redirect you to something like "ads.opendns.com/?search=doesnotexist", which breaks DNS, life and the Universe. OpenDNS provides an option to turn off this type of redirection, but if you have a residential connection with a dynamic IP, all of a sudden that setting might just disappear.
One of my corporate clients had their ISP move to OpenDNS for DNS services. It caused an endless stream of headaches for me as all of the various scientists employed there started complaining about the OpenDNS result pages (which also broke some other user habits they had -- they were used to being able to type "wikipedia" into Firefox's address bar and be redirected directly to wikipedia, for example).
I couldn't get the ISP to budge and the client didn't want to change ISPs, so I ended up setting everybody up on some public SBC DNS servers I know about.
With all respect due to davidu, this "functionality" in OpenDNS has caused me to feel a raging hatred for it every time its name is mentioned.
Rogers does the same thing with 404 pages here in Canada.
Another worrying thing I noticed the other day is that they have a "feature" which injects an HTML header into the page you're requesting if you are approaching your bandwidth limit.
We all know that our ISPs are inspecting our packets, but it's a little disconcerting to see the pages you request manipulated in such a wholesale fashion.
> What do you think the Google Toolbar and Chrome do?
DNS redirection affects ALL programs that are trying to access a network address (obviously unless directly by IP). So when my Jabber/XMPP client tries to contact doesnotexist.example.com, being redirected to an advertisement page doesn't help me very much, does it?
Google Toolbar and Google Chrome defaulting to Google as a 'landing page' of sorts only affects your web experience and only when using those pieces of software. This is a far cry from Comcast's DNS servers resolving ALL DNS traffic that should return 'does not exist' to their advert-filled web servers.
There are no error pages when a domain isn't found.
If a DNS server presents an IP so you can show people a web page ( like Verisign did intentionally a few years ago [1]) instead of returning 'no such domain' (NXDOMAIN), you break DNS for all apps that expect a host that's not registered to not resolve. Verisign's screwup lasted 20 days.
So how does google benefit from me sending them my dns requests . . . , They can serve me "domain not found pages" w/ads (works for OpenDNS), unless I'm a server. If enough people/servers use it they can control how traffic is sent to specific domains (this would be evil). I don't necessary think my request will be a lot faster adding ms, per extra hop. What I don't like about ISPs is there disregard for TTLs. They set their own TTLs so they don't have to make a new request. With a large distributed cache it could mean less hops, I'd love to see a diagram of their dns infrastructure. I've used 4.2.2.1 - 4.2.2.4 (level3) in the past.
So I thought about a bit. Google is not interested in redirection $$. They want to own the experience. As far as collecting your browsing behavior, they probably can easily do that with the toolbar. There operating systems can benefit from having geoDNS ip responses. Anyone know if this was a project worked on using the 20% do what you like google perk?
If google decided to do something evil. ISP can easily redirect port 53 udp/tcp traffic to their own servers.
:-)
Edit: Here it is: http://blog.opendns.com/2009/12/03/opendns-google-dns/