[dns-operations] After Google Mail, Google Docs, Google Wave... Google DNS

Joe Greco jgreco at ns.sol.net
Sun Dec 6 22:34:51 UTC 2009


> > From: Joe Greco <jgreco at ns.sol.net>
> > Date: Thu, 3 Dec 2009 21:35:51 -0600 (CST)
> > 
> > I want to see that happen.  Because unlike most other alternative DNS
> > services, Google can strike back, and strike back hard.
> 
> huh.  opendns redirects www.google.com to a local cache, last i saw, and
> as far as i know google did not send so much as a C&D over it.  and that's
> google's most visible property.  with that reaction as my guide, i predict
> that google would not give a rat's ass to prevent against gDNS hijacking.

We'll have to disagree on that one.  Users of OpenDNS have opted to use
that service, and are a small fraction of users, by anyone's count.  If
I recall the situation correctly, this was allowed under the OpenDNS ToS
and was also something you could opt out of at an account level; while I
do not particularly care for this, it does strike me as something that'd
be hard for Google to successfully object to, given the opt-in nature of 
OpenDNS and the ability to opt out.  Think it is a bad precedent to be 
setting though.

On the other hand, if a major US ISP (let's say an AT&T or a Comcast, 
pick your fav tech) were to do this, you would be talking about a 
significant drop in eyeballs to Google's web site.  Several of the
technologies used for DNS hijacking opt-out rely on cookies in a web
browser; anyone reading this list knows that's a load of crap, and
leaves things broken for many other purposes.  I think if Comcast 
(15%? of the US market, I'm just picking on them because they're big)
were to redirect www.google.com to their own search service, there
would be a response.  It might not be a visible response, but I expect
the Google mafia (hehe) would be able to find some way to make a point
to them.

Unlike OpenDNS, which merely resolves things and has ~zero eyeballs on
its network, Comcast has millions of eyeballs.  Millions of users.  And
Google isn't just a search property.  Because if they were, then Comcast
might be able to successfully "replace" www.google.com.  Google, however,
has so many other properties.  You want to redirect Google?  You prepared
to lose access to Google properties like YouTube?  Gmail?  Maps?  Voice?
Don't bother trying to tell me that Comcast can replace all that, or that
Comcast's users won't notice if they suddenly start having problems with
those properties.

And my point is this:  while the ISP might be successful in "just"
redirecting "www.google.com", this would represent a loss of significant
search revenue to Google.  If Google felt compelled to respond, they
could...  Google has made itself hard to attack in this manner because 
if all those other properties become unresolvable suddenly, and I'm 
definitely suggesting that Google might make them unresolvable from 
the ISP's ill-configured resolvers, then of course the customers pile 
on to the ISP's technical support.

Run through the possible scenarios in your head.  There are a lot of
them.  I see the advent of Google DNS partially as a response to DNS
hijacking by ISPs.  Where an ISP is simply redirecting NXDOMAIN on
its own servers, GoogleDNS represents a way to bypass that, and this
is beneficial to the Internet, at least as long as GoogleDNS allows
people a way to opt out of that.  Where an ISP is actively intercepting
www.google.com on its recursers, GoogleDNS becomes more imperative for
Google; it provides Google with a way to "fix" that situation.  And
where an ISP is actively intercepting GoogleDNS?  That's problematic
too, but I have a suspicion that Google's all instrumented to monitor
average query rates per network, and that GoogleDNS itself is designed
as a canary for certain possible situations, allowing them to more
effectively monitor any "interference" by smaller networks with their
traffic.

I'm not so sure I'd want to extrapolate from a minor edge case with
OpenDNS.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.


