[dns-operations] new public DNS service: 9.9.9.9

Tue Nov 21 00:32:12 UTC 2017

On 21/11/2017 03:16, Damian Menscher wrote:

> On Mon, Nov 20, 2017 at 4:28 AM, Noel Butler <noel.butler at ausics.net> wrote:
> 
> On 20/11/2017 22:08, Damian Menscher wrote: 
> 
> On Mon, Nov 20, 2017 at 3:47 AM, Florian Weimer <fweimer at redhat.com> wrote:
> On 11/18/2017 09:11 AM, Damian Menscher wrote:
> Your argument that you don't trust the ISPs between you and
> Google/OpenDNS/Quad9, and therefore run your own local recursive resolver,
> confuses me.  After all, your local recursive needs to query third-party
> authoritative servers anyway.
> 
> To convince yourself, answer these two questions:
> - How many ISPs are between you and 8.8.8.8?  I'm on Comcast, and they
> have direct peering with Google, so the number is zero. 8.8.8.8 is increasingly seen as an anycast service address for DNS unrelated to Google, similar to how you download the SSH keys for root login from 169.254.169.254 or instance-data.  I expect that many ISPs route 8.8.8.8 to their own servers.

Unlike 169.254/16 which is defined by RFC to be link-local, 8.8.8.0/24
[1] has been allocated to Google. 

If you identify instances of BGP hijacking please report either
privately to the victim (Google in your example) or publicly to the
nanog mailing list, so corrective action can be taken. 

ISP's I've been with in times gone by have often "hijacked" open DNS
resolvers, to ensure their users get best experience by using their own
DNS servers. not a thing likes of google etc, can do about it. for
instance, with the new laws in Australia, you'll find plenty localising
googles and opendns's resolvers ip's to enforce and satisfy court
directions from copyright orders 
also allows them to use RPZ's to stop their users from going to phishing
sites and so on, most users wouldnt know the difference, nor care. 

Actually the users *do* care, which is why they explicitly changed their
settings from the ISP default to 8.8.8.8. 

Damian 

Actually, I think you'll find thats more along the lines of 
INSERT_DEVICENAME they've bought that may have them preset because
device manufacturers dont like users customising settings. Even my 12
moth old Samsung phone doesnt let me change the DNS servers on the 4G
side of things, which means I have to tolerate the settings they push.
(I know I can root the device and change it but thats beside the point
since its not a general user setting, unlike wifi)

Of the couple that ever did ask why we localised 8.8.8.8 and the "4" one
as well, I asked them to give me a reason why they'd want to use an
external DNS server, that would ultimately respond slower than one we
provide that was 10-30ms away, and at least at that time, provided no
nasty sites protection, what does that other DNS server do that ours
didn't, the silence was so deafening, until one said "it seemed cool to
use 8.8.8.8"    All I could do was just laugh. 

Maybe I'm old school, but I dont see a need for any open public
resolvers, those that run them, dont do it out the kindness of their
heart, there is always a commercial reason. 

-- 
Kind Regards, 

Noel Butler 

 		This Email, including any attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the authors express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [2] and ODF [3] documents accepted, please do not send proprietary
formatted documents 

Links:
------
[1] http://8.8.8.0/24
[2] http://www.adobe.com/
[3] http://en.wikipedia.org/wiki/OpenDocument
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20171121/4d23c56e/attachment.html>