[dns-operations] new public DNS service: 9.9.9.9

Florian Weimer fweimer at redhat.com
Mon Nov 20 12:15:58 UTC 2017


On 11/20/2017 01:08 PM, Damian Menscher wrote:
> On Mon, Nov 20, 2017 at 3:47 AM, Florian Weimer <fweimer at redhat.com> wrote:
> 
>> On 11/18/2017 09:11 AM, Damian Menscher wrote:
>>
>>> Your argument that you don't trust the ISPs between you and
>>> Google/OpenDNS/Quad9, and therefore run your own local recursive resolver,
>>> confuses me.  After all, your local recursive needs to query third-party
>>> authoritative servers anyway.
>>>
>>> To convince yourself, answer these two questions:
>>>     - How many ISPs are between you and 8.8.8.8?  I'm on Comcast, and they
>>> have direct peering with Google, so the number is zero.
>>>
>>
>> 8.8.8.8 is increasingly seen as an anycast service address for DNS
>> unrelated to Google, similar to how you download the SSH keys for root
>> login from 169.254.169.254 or instance-data.  I expect that many ISPs route
>> 8.8.8.8 to their own servers.
> 
> Unlike 169.254/16 which is defined by RFC to be link-local, 8.8.8.0/24 has
> been allocated to Google.

Well, yes, there is this difference, but the reuse of 
169.254.169.254/instance-data is technically invalid for the same reason.

> If you identify instances of BGP hijacking please report either privately
> to the victim (Google in your example) or publicly to the nanog mailing
> list, so corrective action can be taken.

Does this refer to BGP hijacking specifically, or any kind of routing 
manipulation which causes 8.8.8.8 (and not DNS traffic in general) to be 
handled locally within the ISP network?

Thanks,
Florian



More information about the dns-operations mailing list