[dns-operations] Capturing Traffic

Robert Edmonds edmonds at isc.org
Tue Feb 26 00:17:58 UTC 2013

Noel Butler wrote:
> and putting tin foil hat on now :)  it would log those requests, and who
> knows what google does with that data, it sure as hell doesn't do it for
> the goodness of the planet, there is a commercial reason behind every
> decision and service they provide.

yes, who knows what google is doing with all that data.  they would
never tell us that.



    Google Public DNS stores two sets of logs: temporary and permanent.
    The temporary logs store the full IP address of the machine you're
    using. We have to do this so that we can spot potentially bad things
    like DDoS attacks and so we can fix problems, such as particular
    domains not showing up for specific users.

    We delete these temporary logs within 24 to 48 hours.

    In the permanent logs, we don't keep personally identifiable
    information or IP information. We do keep some location information
    (at the city/metro level) so that we can conduct debugging, analyze
    abuse phenomena. After keeping this data for two weeks, we randomly
    sample a small subset for permanent storage.

    We don't correlate or combine information from our temporary or
    permanent logs with any personal information that you have provided
    Google for other services.

    Finally, if you're interested in knowing what else we log when you
    use Google Public DNS, here is the full list of items that are
    included in our permanent logs:

    * Request domain name, e.g. www.google.com

    * Request type, e.g. A (which stands for IPv4 record), AAAA (IPv6
    record), NS, MX, TXT, etc.

    * Transport protocol on which the request arrived, i.e. TCP or UDP

    * Client's AS (autonomous system or ISP), e.g. AS15169

    * User's geolocation information: i.e. geocode, region ID, city ID,
    and metro code

    * Response code sent, e.g. SUCCESS, SERVFAIL, NXDOMAIN, etc.

    * Whether the request hit our frontend cache

    * Whether the request hit a cache elsewhere in the system (but not in
    the frontend)

    * Absolute arrival time in seconds

    * Total time taken to process the request end-to-end, in seconds

    * Name of the Google machine that processed this request, e.g.

    * Google target IP to which this request was addressed, e.g. one of
    our anycast IP addresses (no relation to the user's IP)

Robert Edmonds
edmonds at isc.org
