freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41025

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

#142557 17-Mar-2014 10:43

Yet another reason not to use Google DNS, as seen on NZNOG discussion list:

 

 

 



https://twitter.com/bgpmon/status/445266642616868864/photo/1 

Not good having your DNS hijacked... 







gundar
488 posts

Ultimate Geek
+1 received by user: 80

Trusted

  #1007132 17-Mar-2014 10:54

Surely Google is safer than most, though?

Based on my "they have more to lose" rationale...



ubergeeknz
3344 posts

Uber Geek
+1 received by user: 1041

Trusted
Vocus

  #1007150 17-Mar-2014 10:59

Ouch.  The point being, your ISP's DNS servers can't so easily be BGP hijacked (since it's in their own network anyway)

gundar
#1007162 17-Mar-2014 11:08

So reading into that, the hijack only affects some ISP's address spaces?



ubergeeknz
#1007170 17-Mar-2014 11:23

gundar: So reading into that, the hijack only affects some ISP's address spaces?


On BGP Hijacking

gundar
#1007176 17-Mar-2014 11:29

ubergeeknz:
gundar: So reading into that, the hijack only affects some ISP's address spaces?


On BGP Hijacking


Yes, I read that one too, and I have some years of experience in related fields. The OP implied Google is to blame, I am of the opinion the ISP or carrier in case is to blame and only those ISPs' or the interconnected ISPs' clients are going to have a bad experience.

Is this correct or is the fault that of Google?



freitasm

#1007182 17-Mar-2014 11:36

I didn't imply it was Google's fault and it was not my intention. What I said is that there's no reason to use Google DNS - or any other external DNS. Even more in New Zealand where ISP's DNS will point to local resources which are faster to access.




ubergeeknz
#1007184 17-Mar-2014 11:37

Not the fault of Google.  It's the fault of insecure (and potentially misconfigured) protocols.

gundar
#1007188 17-Mar-2014 11:44

freitasm: I didn't imply it was Google's fault and it was not my intention. What I said is that there's no reason to use Google DNS - or any other external DNS. Even more in New Zealand where ISP's DNS will point to local resources which are faster to access.


That would only be the case if my local DNS services have a known good cache of everything I want to access, surely?

Even a cached record could be corrupted if it was read at the time of subversion?

I'm not picking here, just curious as I use OpenDNS and Google DNS in places because they are usually highly available and quick. I do have a lot of infrastructure experience, but have not stumbled across BGP hijacking before, so my questions are valid: How does it help if I use, for example, Slingshot DNS, which is patchy at times, rather than Google or OpenDNS?

ubergeeknz
#1007190 17-Mar-2014 11:48

gundar: Even a cached record could be corrupted if it was read at the time of subversion?


Only if the hijacked DNS servers were authoritative for a given domain.

freitasm

#1007191 17-Mar-2014 11:48

I am not talking about DNS caching but content caching. Using your ISP DNS will point to local servers such as Google servers inside the network, in country Akamai servers, etc. Using Google DNS and OpenDNS for example you get none of these benefits.





Coil
6614 posts

Uber Geek
+1 received by user: 2153
Inactive user


  #1007193 17-Mar-2014 11:54

ubergeeknz:
gundar: Even a cached record could be corrupted if it was read at the time of subversion?


Only if the hijacked DNS servers were authoritative for a given domain.


I wonder when hijacked was it a troll who just pointed all queries to some really bad NSFW website?

 
 
 
 

ubergeeknz
#1007195 17-Mar-2014 11:57

TimA:
ubergeeknz:
gundar: Even a cached record could be corrupted if it was read at the time of subversion?


Only if the hijacked DNS servers were authoritative for a given domain.


I wonder when hijacked was it a troll who just pointed all queries to some really bad NSFW website?


That'd be cool!  It's also very unlikely.  Far more likely the intent was MITM on banking websites, etc.

Coil
#1007196 17-Mar-2014 11:58

ubergeeknz:
TimA:
ubergeeknz:
gundar: Even a cached record could be corrupted if it was read at the time of subversion?


Only if the hijacked DNS servers were authoritative for a given domain.


I wonder when hijacked was it a troll who just pointed all queries to some really bad NSFW website?


That'd be cool!  It's also very unlikely.  Far more likely the intent was MITM on banking websites, etc.


Oo I see, Man in ye ol middle attacks.

DonGould
3892 posts

Uber Geek
+1 received by user: 164


  #1007253 17-Mar-2014 13:20

The issues around this are huge aren't they?

Will DNSSEC break changing the DNS system for traffic engineering?

Should we be using BGP and multi-homing to control where and how traffic should be directed?

What about privacy? Whose DNS server do you really want to put your query data into and who is keeping a log and track of that information? Who should be? Who shouldn't be? Who are you happy with doing that? Who do you want to trust? Who should you trust? Is the whole system so captured now that you would be best just to not use it at all?

Personally I'm pushing 8.8.8.8 more often because it doesn't tend to break. I've had instances where my router's DNS relay client seems to not work properly.

I've been messing with OpenDNS because some people want a 'clean feed'... but I can see that causes problems because 'some people' object to any kind of content 'control'.

Should I just run my own recursive DNS server? But then how do I get the 'DNS routing' information from my ISP?

Do I want DNS information of my users held in my own systems? Even in the course of legitimate business do I want to even have that data in my system that I might view? Do I want that responsibility? Does pushing the requests to Google and OpenDNS then just push it out of my domain? Then who do I upset by doing that?

Is this about NOT putting all our eggs in one basket? One has to wonder why these attacks are happening anyway. Is it a bunch of white knight hackers just trying to give us all the hint that putting all our eggs in the Google basket is just not good form? Is there really malice here or a bunch of very level headed reasonable people asking the questions I've asked and just not wanting to be given all the ownership either?

TL;DR - Grab a rod, go fishing.

D









Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz


freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41025

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1007269 17-Mar-2014 13:31
Send private message

DonGould: Personally I'm pushing 8.8.8.8 more often because it doesn't tend to break. I've had instances where my router's DNS relay client seems to not work properly.


People must be using really crappy ISPs to complain so much about "DNS breaking". Seriously, can't remember the last time (if ever) I had a "DNS is broken" problem.





