Can Google be trusted with DNS?

So, Google has opened up its own, free, public DNS server. The sales pitch is that their DNS server is faster than your ISP’s, and therefore, you will save a ton of speed browsing the Web using their DNS server. Fair enough. But something occurred to me, just as I was about to change my DNS setup here to use it… do I trust Google to have a history of every DNS lookup I make? Umm… not really. I note that the service’s privacy policy says that my IP address will only be logged for 24 hours (makes sense, given the prevalence of dynamic IPs anyways). But it also says that the service is compliant with Google’s primary privacy policy. And we all know what that entails… “anything and everything”. And of course, Google is always free to change the policy without notice or warning.

So, how comfortable would you feel knowing that every single DNS lookup you do is logged by Google, regardless of whether or not your IP is associated with it?


20 thoughts on “Can Google be trusted with DNS?”

  1. I’ve been using openDNS for about five years.
    Does its huge cache really make a difference in responsiveness (vs recursion)?

    You bet it does.

    Is Google Public DNS better than openDNS? I don’t know, but I tend to be an early adopter anyhow, so I’ve switched from openDNS to GPDNS and will give it a go.

  2. @Dietrich Schmitz

    I have no doubt that GPDNS will be super fast… Google has quietly built out a massive, high speed, private network and has a zillion servers all over the place. They also “get” caching really well. My concern here is privacy. To mis-quote Steve Ballmer, “I f***ing hate Google”, as it pertains to privacy. I made an order from a particular Web site at least 6 months ago. Now, their ads follow me all over the place, thanks to Google. Other sites I have merely *visited* and now, thanks to Google, those ads appear all over the place. Do you know how weird it is to be looking at a pro wrestling related site and see ads for Crate & Barrel? It’s really obnoxious. Given that I don’t even have a Google account, I find it unacceptable. Somehow, merely browsing the Web has signed me up to Google’s Big Brother ad delivery system, and I am really upset about it. So yeah, I am not sure how I feel about them knowing every DNS lookup I make.


  3. Everybody gets *concerned* about privacy, BUT you know what, encryption takes care of that (DNSSEC), which won’t happen until everyone is on the same page.

    In fact, consider this, when you put something in the mail, you place it in an envelope, as a matter of common practice and privacy. It works because everyone does it. Privacy is maintained (for the most part).

    But email? The above analogy should apply but doesn’t. Everything is clear text and could be remedied with GnuPG PGP S/MIME but that would require everyone to be on the same page. That won’t happen without a mandate and treaties.

    In fact, if everyone used GnuPG, the email’s MIME format senderid field would become ‘protected’ with signed certificates, ISPs could simply test the headers of email for the appropriate GPG key and if not present shunt non-compliant email to /dev/null or follow the appropriate mandated guideline for return. Spam, as it were, would substantially cease to exist.

    So, in the meantime, life goes on and while some of your concerns are well-taken, there’s more than a healthy share of paranoia floating around about Google’s privacy practices and I believe that Google’s interest in providing a *better* DNS is a legitimate and noble endeavour.

  4. @Dietrich Schmitz

    The primary difference between the examples that you give and my issue with Google is that your examples are of the “what is the chance that some stranger will intercept my traffic?” kind. And frankly, I agree that those fears are WAY overblown. My very real issue with Google is that it’s not the “what’s the chance?” but “I know they are!” And I’m not so much worried that an actual human is going to get a hold of the data and say, “hmm, let’s see how we can mess with this guy!” It’s the fact that I hate Google’s advertisements. I have gone out of my way to not give Google a drop of my data. I do not use any of their services, other than using their search engine a few times a year as a backup search source. I do not visit any of their properties, other than the Google Analytics account for this site (which is registered to George anyways). All the same, their bloody ads get shoved down my throat, simply because I had the audacity to go about my daily business.

    To put it another way, how would you feel if every time you came home, someone was sitting on the sidewalk in front of your house holding a really ugly sign and making a nuisance of himself… not illegal so you can’t call the police, but enough to drive you insane? That’s how I feel about Google. I hate their ads and I hate how they use all sorts of aggregate data to make their ads really annoying. It’s very creepy to be on one site and see ads for an unrelated site, simply because I visited a similar site 6 months ago.

    It’s funny, people go insane about spam and popup ads, and no one questions it. But when I get pissed off about Google’s tracking, people pooh-pooh it, like I’ve got a third arm sprouting out of my back that only I can see.


  5. Have you tried Noscript/Adblock? That would take care of it. Yes? Yes!
    Folks, what we have here is a Scientific Breakthrough!

    ahem.

    Come on J.Ja. Straighten up and fly right. 😉

  6. I don’t often agree with Dietrich, but he’s dead on in #5. If the ads bug you that much, use noscript/adblock. Personally, I try to let most ads through, but any ad with sound or Flash is blocked. Popups are generally blocked, and all of those rollover ads (as well as the ones that pop up links on my.Yahoo) are blocked.

  7. @Dietrich Schmitz

    I’ve never installed such an app, and I’ve never had the desire to. I don’t mind ads in general, just the ones from Google, and only because of their tracking behavior. As a general principle, I actually like the ads, for the following reasons:

    * As a content producer, I understand that it is hard to make a living. Why deprive someone who works hard the chance to get a dime that they’ve earned?

    * Properly placed ads (TechRepublic is a good example of a site that does this well) often interest me. I will see an ad that I click once every now and then, and often end up learning something new or getting something I needed due to the ads.

    * I feel that an ad-supported site has an implicit contract with its readers: “by visiting this site, you agree to view the ads, in order to help us pay our bills”.

    Like I said, it’s not the ads that rub me the wrong way, it’s the tracking behavior that the ads display that annoys me. If you don’t feel that fine, I can totally understand. But don’t try to convince me otherwise, and I won’t try to convince you that lima beans are tasty. It’s a matter of opinion, and merely that. :)


  8. Justin, using noscript also makes you immune to many web attacks, since it allows you to block all JavaScript, except those that you whitelist.

    I personally don’t run it to block ads.

    The plugin doesn’t affect the site layout, I just never realized it was ad free and I wanted to make sure I wasn’t blocking ads that support the site.

    FYI, I agree completely about ads that are correctly targeted. With that said, you’d think that increased tracking by Google would make the ads more applicable to your interests. Nevertheless, I generally block Google scripts and I block all of their cookies.

  9. It is very obvious that Google is abstracting the power of DNS lookup away from ISPs’ DNS servers primarily to prevent the ISPs from squeezing the pipe.

    Look, this is one of the first steps toward network neutrality. The future is so obvious, the ISPs are definitely dumb pipes with no value-add besides the raw bits throughput. While all the values will be shifted to digital abstraction of raw bits on the two ends of the pipes. There is nothing the pipe owner could do except to accept the reality and just be a bulk throughput dealer.

    Interesting that you guys are totally against network neutrality, yet talking about Google’s DNS service. As to the question whether Google DNS should be trusted, I guess people should have the same distrust for Google as they do for their ISPs, so it is the same.

  10. TS, I agree with the last paragraph, but I fail to understand your logic behind the first 2.
    Just because you’ve changed the DNS doesn’t mean the ISP can’t figure out whether they want to raise/lower the priority of a given packet.

  11. notgonnatellya :

    TS, I agree with the last paragraph, but I fail to understand your logic behind the first 2.
    Just because you’ve changed the DNS doesn’t mean the ISP can’t figure out whether they want to raise/lower the priority of a given packet.

    I get what he’s saying, and it makes sense. By taking away more and more services from the ISP, they are simply relegated to providing the basic IP services. And yeah, it’s a trend that’s been going on for a while; who actually uses the email that their ISP provides, or puts a personal Web site up on the hosting their ISP provides? Not many people. Other than AOL users, very few folks are using *any* of the “value add” services from their ISP, and by taking away even the most basic stuff like DNS, Google makes it much easier to have ISP portability and flexibility. Heck, I would *not* be surprised if they roll out an IP aliasing (or dynamic DNS) system in the future, so that you can get a static IP with Google and have your traffic end up at your servers regardless of what your IP actually is. That would be the final nail in the “tied to an ISP” coffin. At the same time, it would make folks pretty dependent upon Google.

    The big difference between my ISP tracking my DNS queries and Google doing it, is that my ISP has no way of monetizing that data or using it to annoy me. Google does. :)

    I believe that if you look closely at Google’s Net Neutrality stance, none of it runs counter to Google’s potential profit margins. At the same time, as owner of one of the largest private networks out there, it is a rather cynical stance to take unless there is an ulterior motive (which I believe there is, incidentally). Google has their fingers in an awful lot of pies in a way that, while they are not actively harming consumers, they bend and twist the overall direction of things in a way that suits them very, very well.

    Take a look at the HTML 5 spec. The editor, Ian Hickson, is a Google employee. They hired him so that he could have the time to work on HTML 5. In addition, they make available lots of Google resources (he seems to be able to make some awful free form queries into their search system, for example… and he spends a lot of time talking to Google engineers) to him to assist him in his research of HTML 5. Deliberately insidious? Of course not. They certainly are not telling him what to include or not to include in the HTML 5 spec, and if they did, I believe he has the integrity to treat it the same as a request from Apple, Mozilla, Microsoft, etc. But that being said, when the bar for inclusion in the spec is set as high as it is (actually implemented features get a LOT of weight, things that people think would be good with no implementation are almost worthless), when Google wants something in the spec, they implement it in Chrome (which is, for all intents and purposes, a non-entity in the real-world Web browser market) then say, “hey look, we’ve got it implemented!” As a result, lots of stuff that Google had originally put into Gears (which incidentally, they just ceased development on, in favor of HTML 5) ended up in HTML 5. This is how we have an HTML spec that includes an asynchronous processing model, offline storage, and direct DB connectivity (shudder).

    Again, it’s not like someone at Google is directly dictating what the spec should say, but by having direct access to Ian, they get an awful lot of influence, far outsized to their role in the Web. Devious? Not really. Sneaky? Kind of. But anyone who thinks that Google doesn’t play hardball and manipulate “community services” like the W3C is sadly mistaken. Which is why I look at their stance on Net Neutrality and ask, “what’s the catch?”

    Personally, the reason why I think Net Neutrality is dumb is because there is no way to word the legislation in a way that allows QoS or paying for upscale service. Right now, all of the Net Neutrality bills are akin to forcing car makers to sell the same car to all customers, or a burger place to sell the same size burger to everyone, or a food store to charge the same per-pound price on 1 oz. of meat as they do for 10 lbs. It’s ridiculous. As a concept, I like the idea of ISPs not being able to deliberately degrade access to a 3rd party in order to extort a “toll”, but at the same time, I have no clue how to rationally word such a bill.


  12. Look Justin:

    We had a fair share of differences in the past. I agree with most of your comments here today so far, except the last paragraph.

    “Personally, the reason why I think Net Neutrality is dumb is because there is no way to word the legislation in a way that allows QoS or paying for upscale service. Right now, all of the Net Neutrality bills are akin to forcing car makers to sell the same car to all customers, or a burger place to sell the same size burger to everyone, or a food store to charge the same per-pound price on 1 oz. of meat as they do for 10 lbs. It’s ridiculous.”

    That’s precisely the point of Net Neutrality. QoS shouldn’t be the differentiation of upscale service, because one packet prioritized inherently means that another is deprioritized at the same time. What it comes down to is determinism and fairness. We discussed this last time, and even today, I told you that ideally, ISPs are dumb pipes and they should consider themselves to be “bulk throughput dealers” rather than “opportunistic latency arbitrageurs”.

    You said that Net Neutrality bills are akin to forcing car makers to sell the same car. You are right. Bits are the same. From the perspective of a pipe owner, you can still control costs of how you make those bits. Once it is made, they are all the same.

    I never said that ISPs should charge the same price on 1 oz of meat vs 10 lbs. You are talking about volume economics. The differentiation is volume, not quality (QoS). In today’s world, price differentiation by volume is naturally occurring. You pay less if you buy a 1Gbit pipe than if you bought by the mbps. What you are thinking about is QoS, or differentiation by manual determinism alteration. The best example to think about is: both customers paid for a dinner at a restaurant, the restaurant can’t say “pay me $5 more per plate, I would serve you 5 minutes faster” at the expense of the previous consumer who refused to pay for the time value. The restaurant can differentiate consumers by seating different consumers at different VIP tables, it doesn’t mean that the VIP customer can walk over to the non-VIP table and start eating the non-VIP person’s dinner. That’s a very sarcastic example, but it is the most accurate reflection.

    I really don’t want to get into politics of Net Neutrality. To summarize this however, the fact that you are raising a question “Can Google be trusted with DNS” inherently is rhetorical. There is a classic strategy that the Republicans use all the time, called “fear mongering”:

    What it does is that it undermines the fear of the targeted group of people to sway a public opinion for a profit motive. Most people don’t want to talk about it, but the best examples of fear mongering tactics of recent times include 9/11, heck, the bible itself is a fear mongering piece of work targeted at people’s fear of death.

    The pipe owners realize that unless they seed some fear into people’s perspective of Google DNS’s privacy issues, they would lose the grip on DNS in the long term. Technically, there is no privacy on the Internet. Google has no obligation to protect your DNS privacy any more than your ISPs will. In the end, to the end users, you can’t tell a difference, and even if you can, you can’t do anything about it. That’s the honest truth. While it is unfortunate that you have to reveal your DNS queries and your search queries to Google, what are you going to do different by not using Google? Ask the same query to Bing? See?

    Anyways, I got to go. Think about it.

  13. Joseph A Nagy Jr :

    @Justin James

    There is already a dynamic DNS service out there.

    And since the last time I used them, they’ve added a few services. (:

    Yup, I use them myself. There are also public DNS servers out there too, like OpenDNS. Google is starting to muscle in on some of these services (DNS serving currently, and I suspect dynamic DNS services soon). They act like it’s a public service, but given the number and quality of existing systems, the “public service” explanation doesn’t make much sense to me.


  14. By the way, Google has an option to turn off personalized ads. I got thoroughly sick of Bird Bath ads following me every fucking where I went, because I had bought a bird bath for my son 2 months back. I followed it, and it worked, no more Bird Baths.

    Frankly, though, someone in Google needs their head examined on this one. The ads should not be the same as the research/purchasing one is doing – they should be pushing alternatives or related items (like bird feeders or something). Also, their much touted feedback calculations aren’t working very well, as I ignored every ad, and they persisted like nothing else (till I turned them off).

  15. I haven’t seen a web ad in years. Adblock and NoName Script, never had any problems. I also have some Greasemonkey scripts working along as well. The web is much better now. Ads?? Thing of the past 😀

    But anyway, I wouldn’t touch this Google DNS malarkey at all… not with a barge pole. I have a gmail account but I rarely use it, actually it’s my “crap” box if I want to use it for something I don’t want to give any real e-mail address away to.
