<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Nov 20, 2017 at 4:32 PM, Noel Butler <span dir="ltr"><<a href="mailto:noel.butler@ausics.net" target="_blank">noel.butler@ausics.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="font-size:10pt"><div><div class="h5">
<p>On 21/11/2017 03:16, Damian Menscher wrote:</p>
<blockquote type="cite" style="padding:0 0.4em;border-left:#1010ff 2px solid;margin:0">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Mon, Nov 20, 2017 at 4:28 AM, Noel Butler <span><<a href="mailto:noel.butler@ausics.net" rel="noreferrer" target="_blank">noel.butler@ausics.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="font-size:10pt">
<p>On 20/11/2017 22:08, Damian Menscher wrote:</p>
<blockquote style="padding:0 0.4em;border-left:#1010ff 2px solid;margin:0">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Mon, Nov 20, 2017 at 3:47 AM, Florian Weimer <span><<a href="mailto:fweimer@redhat.com" rel="noreferrer" target="_blank">fweimer@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid #cccccc;padding-left:1ex"><span class="m_8537163623715683079m_-5368978718576394047gmail-"><span class="m_8537163623715683079m_-5368978718576394047gmail-">On 11/18/2017 09:11 AM, Damian Menscher wrote:<br></span></span>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid #cccccc;padding-left:1ex">Your argument that you don't trust the ISPs between you and<br> Google/OpenDNS/Quad9, and therefore run your own local recursive resolver,<br> confuses me. After all, your local recursive needs to query third-party<br> authoritative servers anyway.<br><br> To convince yourself, answer these two questions:<br> - How many ISPs are between you and 8.8.8.8? I'm on Comcast, and they<br> have direct peering with Google, so the number is zero.</blockquote>
8.8.8.8 is increasingly seen as an anycast service address for DNS unrelated to Google, similar to how you download the SSH keys for root login from 169.254.169.254 or instance-data. I expect that many ISPs route 8.8.8.8 to their own servers.</blockquote>
<div> </div>
<div>Unlike 169.254/16 which is defined by RFC to be link-local, <a href="http://8.8.8.0/24" rel="noreferrer" target="_blank">8.8.8.0/24</a> has been allocated to Google.</div>
<div> </div>
<div>If you identify instances of BGP hijacking please report either privately to the victim (Google in your example) or publicly to the nanog mailing list, so corrective action can be taken.</div>
</div>
</div>
</div>
</blockquote>
<div> </div>
<div>ISP's I've been with in times gone by have often "hijacked" open DNS resolvers, to ensure their users get best experience by using their own DNS servers. not a thing likes of google etc, can do about it. for instance, with the new laws in Australia, you'll find plenty localising googles and opendns's resolvers ip's to enforce and satisfy court directions from copyright orders</div>
<div>also allows them to use RPZ's to stop their users from going to phishing sites and so on, most users wouldnt know the difference, nor care.</div>
</div>
</blockquote>
<div> </div>
<div>Actually the users *do* care, which is why they explicitly changed their settings from the ISP default to 8.8.8.8.</div></div></div></div></blockquote></div></div>
<div> </div>
<div>Maybe I'm old school, but I dont see a need for any open public resolvers, those that run them, dont do it out the kindness of their heart, there is always a commercial reason.</div></div></blockquote><div><br></div><div>You're right, there is a commercial reason Google operates an open public resolver: "our business depends on functional internet, so let's provide users an alternative to slow, broken, or actively malicious ISP servers."</div><div><br></div><div>I suppose you'll have us believe the ISPs are hijacking 8.8.8.8 to their own systems out of the goodness of their hearts, and not for some commercial reason (which is likely exactly what the users are trying to avoid)? Sorry, but I don't buy the claim that hijacking another company's address space to violate the express intent of your users is something you're doing just to be nice.</div><div><br></div><div>Damian</div></div></div></div>