
Google Proposes DNS Extension

CmdrTaco posted more than 4 years ago | from the you-know-my-name dept.


ElusiveJoe writes "Google, along with a group of DNS and content providers, hopes to alter the DNS protocol. Currently, a DNS request can be sent to a recursive DNS server, which would send out requests to other DNS servers from its own IP address, thus acting somewhat similar to a proxy server. The proposed modification would allow authoritative nameservers to expose your IP address (instead of an address of your ISP's DNS server, for example) in order to 'load balance traffic and send users to a nearby server.' Or it would allow any interested party to look at your DNS requests. Or it would send a user from Iran or Libya to a 'domain name doesn't exist' server."


271 comments


Do no evil, eh? (1, Troll)

Rossman (593924) | more than 4 years ago | (#30936986)

Yeah right.

Re:Do no evil, eh? (1, Insightful)

Iphtashu Fitz (263795) | more than 4 years ago | (#30937054)

What's evil about this? All sorts of CDN systems could benefit from this. Hell, it could actually provide even the smallest web provider with a poor-man's version of expensive products like F5's global traffic manager.

Re:Do no evil, eh? (2, Informative)

TooMuchToDo (882796) | more than 4 years ago | (#30937162)

Not really. Load balancers provide features like constant service checks and "sticky" sessions that DNS isn't going to be able to provide (theoretically, service checks could be done, but it's going to be faster and more accurate to have the appliance on-site doing the checks). You don't want your load balancing flapping because some point between you and the DNS servers is suffering from congestion, negating your service checks to perform said load balancing.

Re:Do no evil, eh? (0)

Anonymous Coward | more than 4 years ago | (#30937348)

Well, the summary lists two ways that this could be used for "evil":

1) Or it would allow any interested party to look at your DNS requests.
2) Or it would send a user from Iran or Libya to a "domain name doesn't exist" server.

Violating privacy and enabling censorship have no place in the Western world.

Re:Do no evil, eh? (5, Insightful)

dito (9528) | more than 4 years ago | (#30937798)

Well, the summary lists two ways that this could be used for "evil":

1) Or it would allow any interested party to look at your DNS requests.
2) Or it would send a user from Iran or Libya to a "domain name doesn't exist" server.

Violating privacy and enabling censorship have no place in the Western world.

You are assuming that the summary bears any relation to reality!

The proposal is that your ISP's resolver will pass your approximate IP address when doing a DNS request on your behalf so that you can be sent to a close-by server for your actual TCP connection.

What extra information does someone get here? How does this allow "any interested party to look at your DNS requests"?

On the Iran point, if the website wants to block users from Iran, they can do that when you make the TCP connection - at that time they get your exact IP address and can apply any filtering policy they like.

Re:Do no evil, eh? (2, Informative)

donaggie03 (769758) | more than 4 years ago | (#30937932)

On your point about the Iran point...I think there is still the issue of intermediate servers sending "domain doesn't exist" messages to Libyan requests before the packet even reaches the intended destination.

Re:Do no evil, eh? (5, Informative)

dito (9528) | more than 4 years ago | (#30938176)

On your point about the Iran point...I think there is still the issue of intermediate servers sending "domain doesn't exist" messages to Libyan requests before the packet even reaches the intended destination.

What intermediate servers? The only parties involved here are you, the website and a 3rd-party resolver that you have chosen to use.

If you don't trust your 3rd-party resolver then you're screwed with or without this extension because this resolver can see your full IP address and can lie to you about DNS (e.g. sending you to an ad site instead of saying "no such domain" or whatever).

If you don't trust the website then why are you trying to connect to it? The website will get your full IP address as soon as you connect and can then do whatever it likes with that.

Assuming you are actually planning on connecting to the website and not just doing DNS requests for the sake of it, nobody gets any information that they weren't going to get anyway and nobody has any opportunity to block you that they weren't going to have anyway.

Duh (5, Funny)

TheNinjaroach (878876) | more than 4 years ago | (#30938564)

If you don't trust the website then why are you trying to connect to it?

Free ringtones.

Re:Do no evil, eh? (1)

Island Admin (1562905) | more than 4 years ago | (#30938598)

If users are worried about their DNS requests being logged, as could be the case, they should use an OpenDNS server, or a non-local server. In the case of Iran, etc., simply point your DNS to something offshore.

I agree with the point you are making: if a government wants to censor content or violate your privacy, they can intercept the TCP traffic, leaving offshore VPNs as the only solution for those not wanting to be monitored.

Re:Do no evil, eh? (2, Insightful)

ultranova (717540) | more than 4 years ago | (#30938376)

Violating privacy and enabling censorship have no place in the Western world.

Oh, how I wish that was true!

Re:Do no evil, eh? (1)

megamerican (1073936) | more than 4 years ago | (#30937884)

So basically what you are saying is, let's find any way this can be marginally useful and attribute it to the only reason why Google is doing this and disregard everything else, thus they are not evil.

Re:Do no evil, eh? (0)

Anonymous Coward | more than 4 years ago | (#30937082)

Indeed, this could very well be abused as much as it could be useful.

Re:Do no evil, eh? (1)

extremescholar (714216) | more than 4 years ago | (#30938190)

One man's abuse is another man's useful.

Re:Do no evil, eh? (0, Flamebait)

Gabrill (556503) | more than 4 years ago | (#30937104)

Mod parent up. There is no good reason for this other than to facilitate the monitoring of users.

Re:Do no evil, eh? (2, Interesting)

nine-times (778537) | more than 4 years ago | (#30937538)

Are you sure there's *no* good reason? I can understand saying that you think the downsides outweigh the benefits, but they claim that it would help them to "load balance traffic and send users to a nearby server," and it seems very possible that this functionality could be used that way. Yes, I'm sure you could accomplish this in other ways, too, but maybe Google feels like this will help them do it more efficiently. With all the traffic Google gets, efficiency is a big deal.

Maybe there's another solution though? Like providing multiple DNS results for each query with enough information to let the client-side intelligently pick their own server out of the list?

I don't know. I just know enough to know that DNS isn't so perfect as to be beyond improvement.

Re:Do no evil, eh? (1, Insightful)

poetmatt (793785) | more than 4 years ago | (#30937592)

I think the issue here is that for a marginal amount of good there's a whole lot of bad that can come out of this idea.

Re:Do no evil, eh? (1)

bickle (101226) | more than 4 years ago | (#30937602)

With all the traffic Google gets, efficiency is a big deal.

But it's not such a big deal that it justifies allowing monitoring of traffic and possible censorship.

Re:Do no evil, eh? (0)

Anonymous Coward | more than 4 years ago | (#30937768)

"There is no good reason for this other than to facilitate the monitoring of users."

Did you miss this part:

"DNS can be used to load balance traffic and send users to a nearby server."

There is at least one good reason for this other than to facilitate the monitoring of users. Maybe it's insufficient, maybe it isn't, but ignoring it doesn't help your argument.

Re:Do no evil, eh? (2, Informative)

badpazzword (991691) | more than 4 years ago | (#30938220)

From: http://arstechnica.com/tech-policy/news/2010/01/google-wants-to-see-client-addresses-in-dns-queries.ars

"Google does have a plan to avoid the most egregious privacy concerns. "Recursive Resolvers are strongly encouraged to conceal part of the IP address of the user by truncating IPv4 addresses to 24 bits." Coincidentally, 24 bits maps directly to the minimum address block that can be carried in the Internet's routing system. Carrying any more than that won't help solve the network distance problem using the routing tables. For IPv6, there is no corresponding number that everyone agrees to, but the authors of the draft suggest truncating IPv6 addresses as well. Of course, the owner of the authoritative DNS server still gets to see the client's full IP address when the HTTP request for the actual content is sent."

Re:Do no evil, eh? (1)

hairyfeet (841228) | more than 4 years ago | (#30938276)

And considering how much Google loooooooves datamining, is anyone actually surprised? They already have all your mail, your searches, your docs, etc if you use their services, why not your DNS as well? This is why I have been avoiding Google like the clap and only using Gmail as a spamdump. They just seem to want their fingers in waaaaay too many pies for me to trust that "do no evil" BS.

NO company should be able to amass that much data on you, I don't care who they are or if they have a catchy slogan or not. Considering how easily this could be abused and used for censorship I think one would have to be nuts or a serious Google fanboi to want this. I wonder how much of this data they are already keeping if you use their DNS service [webmonkey.com]?

Everyone used to talk about how scary MSFT was with their "embrace, extend" bullshit, but frankly ever since Darth Gates left the company to the sweaty monkey they have flailed around like a drunken elephant from one idea to another. With the sheer amount of data Google is gathering on everybody I would say they are MUCH scarier now than MSFT ever was. At least you could avoid MSFT by going Linux or Apple. What happens if Google gets the ISPs to jump on board with this? Much scarier than the sweaty monkey IMHO.

Re:Do no evil, eh? (0, Flamebait)

suso (153703) | more than 4 years ago | (#30937206)

My thoughts exactly. Google already does anycast, so why exactly do they need this? Obviously to generate logs of what DNS queries are being made by exactly who.

NO (1)

CHRONOSS2008 (1226498) | more than 4 years ago | (#30937032)

get off my lawn google
i have my own dns thank you
stupid americans

The Extinction of DNS? (0)

Anonymous Coward | more than 4 years ago | (#30937044)

Whacome? Goodgle, Whacome?

Do no evil, my ass. (1, Troll)

mosel-saar-ruwer (732341) | more than 4 years ago | (#30937058)

Google just can't seem to go Big Brother soon enough.

Re:Do no evil, my ass. (2, Interesting)

jwinster (1620555) | more than 4 years ago | (#30937210)

I'm trying to think of a legitimate reason for Google to want this pushed through, other than to track their users. I can understand an IP wanting to use the "load balancing" reasoning, but tracking user activity is the ONLY thing Google stands to gain.

Re:Do no evil, my ass. (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30937578)

Are you being deliberately obtuse? Region-based load balancing also helps content providers reduce latency and get better bandwidth by reducing the number of network hops between you and the web server. This could be very beneficial to sites like Youtube and other high-bandwidth sites.

And the privacy issues strike me as semi-bullshit. You are looking up the DNS for a website YOU WERE PLANNING TO VISIT ANYWAY. When you visit the web site, they have your full IP address anyway. Sure, there are potential man-in-the-middle issues, and maybe some worries in cases where the web server operator (which presumably you want to give your IP address to) and the DNS server operator are different people. But seriously, web browsing is not IP address anonymous in any way, so I see no reason why DNS has to be either. If you want that level of privacy, you should be using Tor.

Anyway, the privacy/efficiency debate is worth having, but you have to first acknowledge that Google's legitimate reason for this extension might actually be the reason they stated.

Re:Do no evil, my ass. (0, Offtopic)

2obvious4u (871996) | more than 4 years ago | (#30937826)

Are you being deliberately obtuse?

No, I was being acute. [wikipedia.org]

Re:Do no evil, my ass. (4, Insightful)

2obvious4u (871996) | more than 4 years ago | (#30937294)

IF governments couldn't get Big Brother information from Corporations, then I wouldn't have a problem with data mining. What is scary about Big Brother is a government using the information to use the force of the state to put people in jail. A corporation uses that information to provide products that consumers want. The government uses that information to control the population through force.

If Google could be trusted to never hand that information over to the government, then I would have no problem with them data mining as much as they want.

Those were really big IF's since we all know the government can easily get the information from Google, therefore we don't want them to have it.

There are lots of value add services that can be done because of data mining that consumers and the population want, they just ignore the consequences of the government also having access to the same data.

Re:Do no evil, my ass. (1)

LordLimecat (1103839) | more than 4 years ago | (#30938510)

So you don't think it would be possible for the government to just get that info from the DNS resolvers?

It strikes me that you could create a Slashdot article stating that Google had a plan to make it possible for websites to log who visits... and everyone would start bashing Google, never mind the fact that that's already the reality.

Re:Do no evil, my ass. (0)

Anonymous Coward | more than 4 years ago | (#30937300)

Dude I was about to write a post with exactly the same title. Google is turning evil.

Re:Do no evil, my ass. (3, Insightful)

mother_reincarnated (1099781) | more than 4 years ago | (#30937936)

Oh because they're not going to get all four octets a fraction of a second later when you CONNECT TO THEIR SERVER?

Critical thinking people... This would actually let people not use their ISP provided LDNS' without getting asstastic performance from every big site out there!

Their motto might be 'do no evil' (1)

Adult film producer (866485) | more than 4 years ago | (#30937066)

but the consequences could be..

True face of google (0, Informative)

Anonymous Coward | more than 4 years ago | (#30937092)

This is horrible. This is so GOOG can monitor ALL of your web activity, all the time.

If you ever use Google, or see adwords anywhere, they already have your ip--all 4 octets.

With this DNS extension, they can see what sites buckets of people are visiting when they're NOT on google sites or where goog ads are being served. It's not resolved down to the user, but it's bucketed, and over time, they can guess what's happening.

This proposal is absolutely about google getting more data about your internet habits, and more data about the market spaces they don't (yet) control.

Think about how this is working... (3, Informative)

schon (31600) | more than 4 years ago | (#30937868)

With this DNS extension, they can see what sites buckets of people are visiting when they're NOT on google sites or where goog ads are being served.

Umm, how is that, exactly? Assume this gets adopted - Google's DNS servers aren't authoritative for anyone other than Google - so they won't see your DNS requests... and even if they were, they'd only see traffic for the sites that Google DNS is authoritative for.

Consider the fact that Google runs a caching DNS already, they don't need this - they'll already have the data for everyone using their resolver service, which would be much more data than this would get them.

In short, I think your tinfoil hat is a little tight. This sounds to me like Google's DNS service has turned out to be using more of their bandwidth than they anticipated, and they're looking to reduce it.

Re:Think about how this is working... (0)

Anonymous Coward | more than 4 years ago | (#30938230)

right. this is really about fixing google's dns service. if i use the resolver from my isp the address is already likely to be close network-wise to where i am

remind me why using a google resolver is a good enough idea for the end user that we need to change dns?

Not as evil as suggested (5, Informative)

Saishuuheiki (1657565) | more than 4 years ago | (#30937140)

If you read the entire post by Google, you'll notice they are suggesting only the first 3 octets of the IP address are transmitted. Now while this could theoretically be used to censor regions of users, it could not be used to expose you (since it isn't the complete IP address)

Re:Not as evil as suggested (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#30937346)

Doesn't that theoretically nail you down to somewhere within 252 ish machines? (Assuming IPv4).

The first 3 octets seem like they could be enough to personally identify you based on your DNS Search records.

Re:Not as evil as suggested (1, Funny)

Anonymous Coward | more than 4 years ago | (#30938046)

Doesn't that theoretically nail you down to somewhere within 252 ish machines? (Assuming IPv4).

The first 3 octets seem like they could be enough to personally identify you based on your DNS Search records.

That's a good point. And if the first three octets aren't enough then the next DNS request, coming from your own IP address, should do the trick.

Re:Not as evil as suggested (2, Interesting)

gstoddart (321705) | more than 4 years ago | (#30937420)

If you read the entire post by Google, you'll notice they are suggesting only the first 3 octets of the IP address are transmitted. Now while this could theoretically be used to censor regions of users, it could not be used to expose you (since it isn't the complete IP address)

No, but given that only an additional 255 (or is it 254?) users besides you can be coming from that range, it's not like over time someone can't correlate this to you.

I'm not convinced this doesn't have privacy implications, or that we're not better off with our requesting DNS being the one who is shown. I don't necessarily want web sites to know where I'm coming from.

Cheers

Re:Not as evil as suggested (4, Insightful)

Talisein (65839) | more than 4 years ago | (#30937760)

Web sites already know where you're coming from. They have your IP address. Every single one of them, unless you're using a proxy. The problem is they can't easily redirect you to the server closest to you once you've already resolved their address. The only party in the whole system who does not know your IP when you're browsing the web is potentially the authoritative DNS server; the usual case is the same people who run the authoritative DNS server also run the web server, so while they don't get your IP when you do the DNS lookup they will when you eventually land on the site.

Re:Not as evil as suggested (0)

Anonymous Coward | more than 4 years ago | (#30938136)

Don't ever switch to IPv6 then.... (says the Anonymous Coward)

Re:Not as evil as suggested (1)

gparent (1242548) | more than 4 years ago | (#30938570)

No, but given that only an additional 255 (or is it 254?) users besides you can be coming from that range, it's not like over time someone can't correlate this to you.

Could be 256.

Re:Not as evil as suggested (1)

LordLimecat (1103839) | more than 4 years ago | (#30938580)

It's 254, assuming that it's not being NATed in any way. And the IP addresses change randomly for most users, at random intervals.

Somehow all these people are super concerned with THIS idea, but have no qualms about everything they do online being logged in weblogs. But then, it's Google (or Microsoft, or Apple), so we have to bash them; they're too successful to be allowed to have good, non-evil ideas!

Re:Not as evil as suggested (1)

Vainglorious Coward (267452) | more than 4 years ago | (#30937458)

only the first 3 octects of the IP address are transmitted...could not be used to expose you

Combining this with the information from the already quite pervasive tracking google does, I can't imagine that identifying your one-of-256-addresses is anything other than trivial.

Re:Not as evil as suggested (1)

LordLimecat (1103839) | more than 4 years ago | (#30938612)

How are they going to correlate a random DNS entry with you, without access to a cookie, or session data?

Re:Not as evil as suggested (2, Interesting)

TheRaven64 (641858) | more than 4 years ago | (#30937528)

The first three octets limit you to a maximum of 256 machines. In practice, most addresses are assigned in /24s, so you end up with two of these used for the router and broadcast addresses. Most broadband ISPs don't recycle addresses often, so you end up with the same IP for weeks, if not months, at a time. Of the other 200 people on your /24, how many are online at the same time as you? Maybe 10-20? Of these, how many have sufficiently similar surfing patterns that, when you combine the DNS results with tracking data from all sites that use Google analytics, they can't be distinguished from you?

If Google can't track your Internet usage from the first three octets of your IP address and DNS results then they haven't got nearly as much expertise in data mining as you'd need to operate a successful search engine.

Re:Not as evil as suggested (1)

Talisein (65839) | more than 4 years ago | (#30938064)

Let's assume that you're not using Google's recursive DNS server (because you're obviously and rightfully afraid of them). Instead, say, you're using OpenDNS.

You want to go to www.google.com, but you need to resolve the domain name. Your request goes to OpenDNS. They get to see your IP. They always have. Then OpenDNS goes to Google's authoritative DNS server to figure out the IP for their webserver. Under the proposal, the authoritative server would get to see some of your IP address, so okay, Google knows where you are, omg. But then you get the DNS query back and your web browser shows the Google homepage. OMG, their webserver just got your IP address again! So Google would know your full IP address anyways.

On the other hand you may want to go to www.cnn.com. Again OpenDNS gets your query and your IP. Under the proposal, the cnn.com nameserver would get to see some of your IP address when answering OpenDNS's query. But then again, cnn.com would get your full IP address later when you actually go to the site. ****And Google Would Know Nothing Of Your Visit To CNN, Even Under This Proposal**** barring CNN using Google Analytics on their webpage, which they very well might, but this proposal has nothing to do with that.

Re:Not as evil as suggested (0)

Anonymous Coward | more than 4 years ago | (#30937594)

If that were true, it should be the CIDR netmask, not some fixed number of bits. But still, it is just an attempt to subvert local control. If an organization is running DNS caching, it is specifically because they do not want their local hosts filling the WAN link with redundant queries, but want to CACHE and REUSE the same binding for all of the local hosts. Such an organization is not interested in redirecting their clients to make individual queries that bypass the caching proxy, or they would not have deployed such a cache in the first place.

This will only lead to more use of transparent DNS proxies, which are a substantial headache for all involved.

Re:Not as evil as suggested (1)

poetmatt (793785) | more than 4 years ago | (#30937700)

even the first 2 octets can be enough to reliably identify with some digging. what do you think 3 is gonna do?

Re:Not as evil as suggested (2, Informative)

Saishuuheiki (1657565) | more than 4 years ago | (#30938124)

Isn't it a moot discussion anyways? Generally speaking they're going to get your IP address anyways when you connect to their server; so why is it important if they get your IP earlier when you're looking up their server?

I guess there could be some way to track what sites you're looking up from different tiers of DNS servers. If you were using google DNS, they'd have your entire DNS anyways, and if you were using another, then they'd only get your IP if you're connecting to google.com

Re:Not as evil as suggested (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30937794)

I'm not worried about the "evil" aspect of it. This just doesn't sound like what DNS should be used for.

Re:Not as evil as suggested (1)

madddddddddd (1710534) | more than 4 years ago | (#30937938)

DING DING DING DING DING DING

right on the head.

anonymous genius.

Bad summary (3, Informative)

Talisein (65839) | more than 4 years ago | (#30937148)

The proposal says they would only use the first three octets. And users could just use a different DNS server if they had restrictive servers that blacklisted Iran or whatever.

Re:Bad summary (1)

Anonymous Coward | more than 4 years ago | (#30938102)

No, they could not use a different server. That's the whole point. The resolving server, i.e. the one the users "use", currently does not reveal any information about the IP address of the requesting computer. With Google's extension, it is supposed to say to the authoritative server: Here's someone from a.b.c.x and he wants to know what the IP address of www.google.com is. Then the authoritative server for google.com can answer one thing if a.b.c.x is in Libya and another thing if a.b.c.x is in Canada.

The justification for this extension is load balancing: Instead of randomly assigning users to different servers with "round-robin DNS", Google wants to send users to geographically closer servers, and they want to do it via DNS. This is stupid. Aside from all the surveillance and manipulation opportunities it creates, it makes caching near impossible. If the result depends on the IP address of the requesting computer, then the resolver can not return a cached result which was stored when another user requested the "same" information. It is similar to the content negotiation feature of HTTP (where the client can for example send the preferred language with the request, meaning that the result does not depend on the URL alone), with one significant difference: there is no "vary client-IP/24" option in HTTP, because that would obviously make caching impossible.

DNS is a distributed database, not a relay system for point-to-point communication.
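As an added example that is not part of this thread, here is a small Python model of the behaviour described in the Ars Technica excerpt quoted above (the resolver truncating the client's IPv4 address to 24 bits) and in this post (the resolver telling the authoritative server "someone from a.b.c.x", and the effect that has on caching). The 56-bit IPv6 prefix, the region table and the client addresses are constructed assumptions, and keying the cache on the forwarded prefix itself is a simplification.

```python
import ipaddress

# Prefix lengths the recursive resolver applies before forwarding a client
# address upstream. 24 bits for IPv4 is the value quoted from the draft;
# 56 bits for IPv6 is an assumption for this example (the draft fixes none).
IPV4_SCOPE_BITS = 24
IPV6_SCOPE_BITS = 56

# Constructed sample table for the authoritative side: which front-end
# address to hand out for a given client prefix (RFC 5737 test ranges).
REGION_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "203.0.113.10",  # region A
    ipaddress.ip_network("192.0.2.0/24"): "203.0.113.20",     # region B
}
DEFAULT_FRONTEND = "203.0.113.1"  # handed out when no region matches


def client_subnet(addr):
    """Truncate a client address to the scope the resolver is willing to
    reveal, e.g. 198.51.100.7 -> 198.51.100.0/24."""
    ip = ipaddress.ip_address(addr)
    bits = IPV4_SCOPE_BITS if ip.version == 4 else IPV6_SCOPE_BITS
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


class Authoritative:
    """Authoritative nameserver that picks an answer from the client scope
    it is given, and records exactly what it learned about the client."""

    def __init__(self):
        self.seen = []  # everything this side ever learns about clients

    def __call__(self, name, scope):
        self.seen.append(None if scope is None else str(scope))
        if scope is None:  # old behaviour: nothing known about the client
            return DEFAULT_FRONTEND
        for prefix, frontend in REGION_TABLE.items():
            if scope.version == prefix.version and scope.subnet_of(prefix):
                return frontend
        return DEFAULT_FRONTEND


class Resolver:
    """Recursive resolver with a cache. With client-subnet enabled the cache
    key includes the truncated client scope, so an answer fetched for one
    /24 is not reused for a client in another /24: the caching cost the
    post above points out."""

    def __init__(self, authoritative, use_client_subnet):
        self.authoritative = authoritative
        self.use_client_subnet = use_client_subnet
        self.cache = {}
        self.upstream_queries = 0

    def resolve(self, name, client_ip):
        scope = client_subnet(client_ip) if self.use_client_subnet else None
        key = (name, scope)
        if key in self.cache:
            return self.cache[key], "cache"
        self.upstream_queries += 1
        answer = self.authoritative(name, scope)
        self.cache[key] = answer
        return answer, "upstream"


def demo():
    """Resolve one name for four constructed clients, with and without the
    extension, and report what each side saw."""
    ecs_auth = Authoritative()
    ecs = Resolver(ecs_auth, use_client_subnet=True)
    legacy = Resolver(Authoritative(), use_client_subnet=False)
    clients = ["198.51.100.7", "198.51.100.200", "192.0.2.33", "2001:db8:1:2::5"]
    ecs_results = [ecs.resolve("www.example", ip) for ip in clients]
    legacy_results = [legacy.resolve("www.example", ip) for ip in clients]
    return {
        "ecs_answers": [answer for answer, _ in ecs_results],
        "ecs_sources": [source for _, source in ecs_results],
        "ecs_upstream_queries": ecs.upstream_queries,
        "legacy_answers": [answer for answer, _ in legacy_results],
        "legacy_upstream_queries": legacy.upstream_queries,
        "authoritative_saw": ecs_auth.seen,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the extension the second client in 198.51.100.0/24 is served from cache, the client in 192.0.2.0/24 forces a fresh upstream query for the same name, and the authoritative side only ever records the truncated prefixes; without it one upstream query serves all four clients.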

Wow, Slashdot editors hate Google (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30937150)

The summary isn't even close to correct. What the hell is going on with Slashdot these days?

Re:Wow, Slashdot editors hate Google (2, Funny)

ionix5891 (1228718) | more than 4 years ago | (#30937580)

it's ok, they hate Micro$oft more (yes, that's a dollar sign in there :D)

Re:Wow, Slashdot editors hate Google (1)

NerveGas (168686) | more than 4 years ago | (#30937906)

Does accuracy matter? They got you to surf and comment, didn't they?

Re:Wow, Slashdot editors hate Google (5, Informative)

Nimey (114278) | more than 4 years ago | (#30937968)

These days?

Obligatory (1)

sconeu (64226) | more than 4 years ago | (#30938036)

You must be new here.

Re:Obligatory (0)

Anonymous Coward | more than 4 years ago | (#30938380)

I've got a three-digit UID, you insensitive clod!

http://slashdot.org/zoo.pl?op=check&uid=666

Do no evil, at first anyway. (1)

gimmebeer (1648629) | more than 4 years ago | (#30937164)

Absolute power corrupts absolutely. There comes a point when attempting to control everything about the Internet is evil by default. Google is approaching critical mass.

I agree with this (0)

Anonymous Coward | more than 4 years ago | (#30937280)

After RTFM, I think it is a good idea. And sharing the first 3 octets of your IP shouldn't hurt your privacy, actually

How's that evil? (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30937324)

What a load of crap. There is no way to exploit that. If someone wants to block certain IP ranges, it is much more efficient to do so at the HTTP (or whatever the protocol in use is) level, rather than in DNS.

Even if this gets introduced, every DNS server will continue supporting the old (without 'IP forwarding') way of doing things, so it's easy enough to pick a DNS server which doesn't forward your IP. Everything will work just as it does now (you won't have the potential speed advantage you might get with the new system though).

Whoever wrote TFS doesn't know the first thing about how networks work. Looking at what just happened in China, do you think that Google of all companies really wants to endanger your privacy?

The reason why Google offers public DNS servers and why they came up with this is because they want to make the internet faster for everyone. And they're doing it in an open, backwards-compatible way.

This is a good idea and should be implemented.

This is important! (5, Insightful)

HaeMaker (221642) | more than 4 years ago | (#30937338)

This is extraordinarily important for efficient operation of the internet. If people want to block you, they can, DNS or no DNS. However, for global load balancing, this is vital. You want to connect to a server near you, not near your DNS server.

This will not stop the proper function of proxies.

Re:This is important! (1, Interesting)

madddddddddd (1710534) | more than 4 years ago | (#30937598)

NO IT ISN'T.

domains can already manage their own worldwide content distribution networks, and route requests after they get to them.

when large volumes of bits are involved, like most responses from cdn servers, then YES, "This is important!"... but for the dns request packets to also be pooled and routed in this fashion is unnecessary and as the submitter points out opens up massive privacy holes currently plugged.

this isn't about single points of failure... it's purely load balancing that can already be done without sacrificing anything. google just has their hands on so much of the system that it makes sense to them, the same sense it would make for a video software developer to put a mpeg codec directly in the OS kernel...

the layers are there for a reason.

Re:This is important! (1)

TheSunborn (68004) | more than 4 years ago | (#30937736)

So imagine we have servers in 2 different datacenters. Then an accident closes one of the datacenters. How would the current DNS system allow us to redirect all traffic to our other datacenter?

Re:This is important! (1)

madddddddddd (1710534) | more than 4 years ago | (#30937864)

are you joking? i'm not teaching classes here.

your question is flawed. you obviously don't understand the system.

Re:This is important! (0)

Anonymous Coward | more than 4 years ago | (#30938338)

It doesn't. That's not what it is designed to do. Even with the extension, users would still get cached responses (as long as their resolver deems them close enough to a user who requested the record earlier on) and find themselves unable to connect until the TTL of the record (usually several hours).

What you describe is a routing problem, not a DNS problem.

Re:This is important! (2, Informative)

Anonymous Coward | more than 4 years ago | (#30937912)

If you're attempting to contact the domain, the DNS server will have your domain anyway. The privacy stuff here is specious.

You're thinking that this is about loadbalancing the DNS requests. That isn't the case, RTFA, etc. This is about what HaeMaker said-- getting the user to the server closest to them, instead of to a completely arbitrary server halfway around the globe!

How are you proposing to do loadbalancing when:
0) If you haven't noticed, large sites DO have a sit-ton of traffic coming to and from them.
1) HTTP doesn't allow for a redirect to another IP address using the same hostname (it relies *entirely* on DNS for that)
2) If you can't use DNS to direct to the appropriate host (via IP), then you have to route the traffic over the "wrong" links *twice*. That is a lot of bandwidth.

Re:This is important! (0, Troll)

madddddddddd (1710534) | more than 4 years ago | (#30938134)

it's not about the DNS server the user is using... it's about the DNS servers used by the DNS server the user is using... and any DNS servers they might use.

that is not specious. that is a problem.

the user never directly entered into any agreements with the service providers in the middle.

Re:This is important! (0)

Anonymous Coward | more than 4 years ago | (#30938620)

You're right-- you didn't enter into an agreement.
Neither did the user enter into any agreements with any of the myriad of ISPs in the middle, nor in many many cases the operator of the server.
Again, how does this make anything worse in regards to censorship? Any of the DNS servers in that chain up to the authoritative server could return a "Nope" response today. If they want to censor access to a site, it is trivial to do so today. If they want to prevent access to a set of IPs, it is trivial to do today.

Loadbalancing and demand-shifting IS an important part of the internet. When you go to the grocery store, do you go to a random grocery store in the world, or do you go to the one that will give you the best service with some tradeoff with driving distance?

You're not responding to anyone's points. You're saying they're all "bogus" without any thoughtful argument.
I hate trolls. Give us that thoughtful argument!

Re:This is important! (1)

madddddddddd (1710534) | more than 4 years ago | (#30938182)

and the answer to all of your other bogus issues: CDN.

good use on the quotes around "wrong"....

you're right... it isn't "really" wrong.

Re:This is important! (1)

gparent (1242548) | more than 4 years ago | (#30938658)

when large volumes of bits are involved, like most responses from cdn servers, then YES, "This is important!"... but for the dns request packets to also be pooled and routed in this fashion is unnecessary and as the submitter points out opens up massive privacy holes currently plugged.

What "privacy" issues? Your DNS already knows your IP - you just sent data to it on the IP layer. If it wants to send you a NXDOMAIN based on your subnet, it already can.

Re:This is important! (0)

Anonymous Coward | more than 4 years ago | (#30937964)

I *so* would love this DNS extension for our F5 BigIP GTMs. We already use DNS response time for load balancing metrics; this would just be awesome.

Re:This is important! (1)

ubrgeek (679399) | more than 4 years ago | (#30938296)

Why can't they just use the IP address of the DNS server and assume (I know, I know. "Assume") the user is somewhat geographically close to the server and feed content from the appropriate source closest to that server? Does something like Comcast use only a couple of DNS servers or do the requests come from regional hubs? (Sorry if my question has an obvious answer; I'm really not overly DNS-savvy.)

Google, you are wrong here. (3, Informative)

Tei (520358) | more than 4 years ago | (#30937364)

The Internet already works without the need to propagate this information. Following the OS concept of "Less power", the less information about you that is propagated, the fewer problems.

"By returning different addresses to requests coming from different places, DNS can be used to load balance traffic and send users to a nearby server. For example, if you look up www.google.com from a computer in New York, it may resolve to an IP address pointing to a server in New York City. If you look up www.google.com from the Netherlands, the result could be an IP address pointing to a server in the Netherlands. Sending you to a nearby server improves speed, latency, and network utilization."

It seems this balancing is already possible without the need to propagate that data. I choose here safety/privacy over a potential speed gain. Also the risk is for everyone, but the gain is just for a few (the people that have lots of servers and need a balancing solution)... hence, it is unfair. That's my view of this.

Re:Google, you are wrong here. (0)

Anonymous Coward | more than 4 years ago | (#30938132)

OK, I'll bite. Prove it. How are you going to reliably route people to the nearest server without doing this with DNS? ..and you're honestly saying that large sites should tell their users to "stuff it" and send people halfway around the world (making for a piss poor experience as your page loads slowly thanks to the thin pipes through the oceans..) just because "it isn't fair" that they're a large site?

Do you propose that we should all crawl everywhere because it is unfair that some people can run faster?

Re:Google, you are wrong here. (0)

Anonymous Coward | more than 4 years ago | (#30938180)

The Internet already works without the need to propagate this information. Following the OS concept of "Less power", the less information about you that is propagated, the fewer problems.

If Google wants to do it properly, they should register into DNS all of their servers, with some geographical naming scheme. If I am in San Jose and my computer is configured as such, then the resolver should first try san-jose.california.us.www.google.com before it tries www.google.com. If the lookup for san-jose.california.us.www.google.com fails, then I know that there is no server for that area, so the resolver can try something more generic.

san-jose.california.us.www.google.com
california.us.www.google.com
us.www.google.com
www.google.com

A simple update to the resolver libraries on the client side would add support for this, and the transition can be made incrementally on both the DNS clients and the DNS servers.
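The fallback scheme this poster describes, written out as an added example (it is not the poster's code, nor code from any resolver library): the client prepends its configured location labels, most specific first, to the hostname and tries each candidate until one exists. The zone table, server addresses and the `resolve_geo`/`geo_candidates` names are assumptions made for the illustration.

```python
"""Client-side geographic name fallback, as described in the comment above.

Added example, not code from the poster or from any DNS project.  The
resolver tries progressively less specific names and stops at the first
one that exists.  The zone data below is constructed; the names are not
real records.
"""

# Constructed zone data: only the names an operator chose to publish.
ZONE = {
    "us.www.google.com": "192.0.2.30",  # country-level server (hypothetical)
    "www.google.com": "192.0.2.1",      # generic fallback (hypothetical)
}


def geo_candidates(hostname, location):
    """Return candidate names from most to least specific.

    location is ordered most-specific first,
    e.g. ["san-jose", "california", "us"].  An empty location yields
    just the plain hostname.
    """
    names = []
    for i in range(len(location)):
        names.append(".".join(location[i:] + [hostname]))
    names.append(hostname)
    return names


def resolve_geo(hostname, location, lookup=ZONE.get):
    """Try each candidate in order; return (name_used, address).

    lookup is any callable returning an address or None (a miss); the
    default consults the constructed ZONE table.  Returns (None, None)
    when even the plain hostname does not exist.
    """
    for name in geo_candidates(hostname, location):
        addr = lookup(name)
        if addr is not None:
            return name, addr
    return None, None
```

With `["san-jose", "california", "us"]` the candidates are exactly the four names in the comment, and the lookup settles on `us.www.google.com` because no city- or state-level record is published. Two practical costs worth noting: every miss is an extra round trip to the authoritative server before the client gets a usable answer, and a client that puts its own location into the query name tells that server at least as much about where it is as the proposal under discussion would.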

Re:Google, you are wrong here. (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30938618)

I agree. If Google wants my computer to use an IP nearer to my physical location they will move to extend DNS to include the geographic data in the replies. That way they send me a list of IPs + geography data for each and I get to choose to honor or ignore it.

A real possibility (0)

Anonymous Coward | more than 4 years ago | (#30937386)

You can also send any user to a "this page has been hacked by XXXX's cyber army" server, thus making psyops and propaganda easier.

What about IPv6 (2, Interesting)

wadey (215252) | more than 4 years ago | (#30937438)

It seems IPv6 will be in use soon; so why tinker with DNS requests on IPv4?

Also, does anybody know how GEO locating an IP will be done on IPv6 (at least down to country level)?

yah but they are already close (1)

digitalsushi (137809) | more than 4 years ago | (#30937452)

this is what anycast routing was invented for. the root servers use it, why not secondaries?

Needed, not evil... (5, Insightful)

nweaver (113078) | more than 4 years ago | (#30937508)

There are already many uses where the IP address of the resolver is used to determine service, basically every CDN etc uses this technique.

This extension is needed if you want OpenDNS and the like to Not Suck when fetching Akamai sourced content, youtube videos, etc.

And it's not like the owner of the DNS authority won't find out who you are anyway, after all, you then CONTACT THEM DIRECTLY WITH YOUR IP ADDRESS!!

Re:Needed, not evil... (1)

madddddddddd (1710534) | more than 4 years ago | (#30937818)

what about the DNS authority that the user's DNS authority uses? or what about the DNS authority that DNS authority uses?

currently the user defining IP is visible to the ISP and the domain owner the user requested. as it should be, as i have never entered into any agreements with anyone else.

Re:Needed, not evil... (1)

drachenstern (160456) | more than 4 years ago | (#30938624)

That's the part that I don't get about what people are moaning about. You're obviously connecting to the host server at the end, it's inherent in the DNS request (unless you're doing a whois or something, but that's not the same is it?).

I think most people are getting jacked up about "could be used for tracking purposes".

Might be handy for global traffic distribution (1)

toejam13 (958243) | more than 4 years ago | (#30937624)

There are several products currently on the market that allow you to perform geographic load distribution via DNS. These products look at your LDNS server's address and either attempt to triangulate using a reverse DNS lookup to the LDNS server, calculating number of hops and/or round-trip times to that LDNS from each of your sites, or they use static IP range tables broken down by region. The assumption is that a client is in somewhat close proximity to their LDNS server.

The problem with these methods is that some very large ISPs may use only a couple of LDNS servers for an entire continent. In the case of third party DNS services, it grows to being a couple of LDNS servers for the entire planet. So there is no geographic unity between client and LDNS server.

This proposal helps a bit, but unless it includes a method where a LDNS server can be told that a DNS query's response is only good for that client's /24 subnet (or any varying mask bitlength), you'll still end up with clients clobbering each other with these geographic load distribution products unless you set the TTL to 1 second. That workaround has the nasty side effect of increasing your DNS load by an exponential factor, which isn't good either.
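An added example covering this comment and the earlier one about cached responses living until their TTL expires: a toy authoritative side that picks an answer from a region table, and a recursive resolver cache that reuses an answer only for clients inside the scope the answer was tagged with (the "/24 or any mask bitlength" idea above). It is not code from any poster or from the proposal itself; the region table, netblocks, addresses and all function and class names are constructed for the illustration.

```python
"""Region-aware authoritative answers plus a scope-aware resolver cache.

Added example, not code from any poster or from the proposal.  The region
table uses documentation netblocks only; nothing here is a real assignment.
"""
import ipaddress

# Constructed region table: client netblock -> server the operator wants
# those clients to reach.
REGION_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "192.0.2.10"),   # "east" site
    (ipaddress.ip_network("198.51.100.0/24"), "192.0.2.20"),  # "west" site
]
DEFAULT_ANSWER = "192.0.2.99"  # site for clients in no listed region
SCOPE_PREFIX = 24              # prefix length an answer is valid for
TTL = 300                      # seconds


def authoritative_lookup(name, client_ip, scoped=True):
    """Pick an answer by the client's netblock; return (answer, scope, ttl).

    scoped=True tags the answer with the /24 it applies to.  scoped=False
    returns scope 0 ("good for everyone"), which is all a product that
    only sees the resolver's address can express.
    """
    ip = ipaddress.ip_address(client_ip)
    answer = DEFAULT_ANSWER
    for net, site in REGION_TABLE:
        if ip in net:
            answer = site
            break
    return answer, (SCOPE_PREFIX if scoped else 0), TTL


class FakeClock:
    """Deterministic clock so TTL expiry can be exercised without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ScopedCache:
    """name -> list of (network, answer, expires_at); reuse only inside scope."""
    def __init__(self, clock):
        self._entries = {}
        self._clock = clock

    def get(self, name, client_ip):
        ip = ipaddress.ip_address(client_ip)
        now = self._clock()
        live = [e for e in self._entries.get(name, []) if e[2] > now]
        self._entries[name] = live  # drop entries whose TTL has run out
        for net, answer, _ in live:
            if ip in net:
                return answer
        return None

    def put(self, name, client_ip, scope, answer, ttl):
        # Scope 0 collapses to 0.0.0.0/0: one answer served to every client.
        net = ipaddress.ip_network(f"{client_ip}/{scope}", strict=False)
        self._entries.setdefault(name, []).append((net, answer, self._clock() + ttl))


class Resolver:
    """Recursive resolver: serve from cache inside scope, else ask upstream."""
    def __init__(self, scoped, clock):
        self.cache = ScopedCache(clock)
        self.scoped = scoped
        self.upstream_queries = 0

    def resolve(self, name, client_ip):
        """Return (answer, served_from_cache)."""
        hit = self.cache.get(name, client_ip)
        if hit is not None:
            return hit, True
        answer, scope, ttl = authoritative_lookup(name, client_ip, self.scoped)
        self.upstream_queries += 1
        self.cache.put(name, client_ip, scope, answer, ttl)
        return answer, False


def scenario(scoped):
    """Two regions behind one resolver; returns what each client was told."""
    clock = FakeClock()
    r = Resolver(scoped, clock)
    name = "www.example.com"
    east, _ = r.resolve(name, "203.0.113.5")
    west, _ = r.resolve(name, "198.51.100.7")          # clobbered if unscoped
    sibling, sibling_cached = r.resolve(name, "203.0.113.9")  # same /24 as east
    clock.advance(TTL + 1)                             # let the entries expire
    east_again, east_again_cached = r.resolve(name, "203.0.113.9")
    return {"east": east, "west": west, "sibling_cached": sibling_cached,
            "east_again": east_again, "east_again_cached": east_again_cached,
            "upstream": r.upstream_queries}
```

`scenario(True)` shows the scoped behaviour: the east and west clients get their own sites, a second east client is served from cache, and after the TTL the resolver goes upstream again. `scenario(False)` shows the clobbering the comment warns about: the west client inherits the east answer from cache, and nothing short of expiry fixes that, which is why operators without scoping reach for a tiny TTL and pay for it in query load.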

Re:Might be handy for global traffic distribution (1)

amorsen (7485) | more than 4 years ago | (#30938638)

That workaround has the nasty side effect of increasing your DNS load by an exponential factor, which isn't good either.

Imagine you're hosting web servers. If you can handle N HTTP queries, you can also handle N DNS requests, unless your DNS servers are completely useless. Even with TTL 0, you'll only get at most the same number of DNS requests as you're getting HTTP queries.

I can't see how this gives google any more data (3, Insightful)

TheSunborn (68004) | more than 4 years ago | (#30937650)

I can't see how this gives any more information to Google or other users.

Example: If I do a lookup on www.slashdot.org then this query should never hit any dns server controlled by Google.

The only way a query would end up on a google controlled dns server would be if the domain I looked up was owned by google, and in that case I don't care, because then I am about to visit the site anyway, which means they will have my entire ip.

Hmmmmm... (0, Troll)

QuietLagoon (813062) | more than 4 years ago | (#30937720)

Just what is google's problem lately?

Missing part of the "do no evil" statement (0)

Anonymous Coward | more than 4 years ago | (#30937776)

"Do no evil, just do the good ones in the ass."

They just don't mention the 2nd part because they assUme everyone knows it by now. How's your ass, need some lube?

it's about CDN geocaching, not a conspiracy (1)

markhahn (122033) | more than 4 years ago | (#30937790)

look, you can already use whatever DNS server you want. if you're worried about your traffic being analyzed by someone else's DNS, just use your own (or a privacy-respecting) DNS elsewhere.

DNS is just the obvious way to ensure that clients use the best path to content.

Re:it's about CDN geocaching, not a conspiracy (1)

cpghost (719344) | more than 4 years ago | (#30938246)

DNS is just the obvious way to ensure that clients use the best path to content.

Isn't the obvious way a combination of anycast + bgp? It works quite well, and is administered by knowledgeable network specialists who also happen to know the exact topology of their backbones. Putting it in DNS instead opens the door to endless misuse by domain owners who believe in geo-specific discrimination. CDNs should work transparently, but allowing end users (a.k.a. domain owners in this particular case) to tinker with that is a really bad idea, IMHO.

If it ain't broke... (1)

TheDarkener (198348) | more than 4 years ago | (#30937820)

...don't fix it.

Ups and Downs (4, Insightful)

LaminatorX (410794) | more than 4 years ago | (#30937878)

I like it. I don't know what the aggregate increase in efficiency across the net would be, but I'm betting if Google is suggesting it, it could be significant. While there are some potential abuses, they're really no different than what can already be done at the router/server level currently.

Marginal Good, Whole lot of Bad (1)

mpapet (761907) | more than 4 years ago | (#30937944)

The use of the word 'marginal' needs to be disambiguated too. It means 'not of central importance.'

Intelligence at the ends, not the middle (1)

ka9dgx (72702) | more than 4 years ago | (#30938248)

The reason the internet is so successful is that it has a core that doesn't try to think too much. Get packet, forward packet, etc..

If load balancing is a concern, the client node should determine where the best place to get content from is at, NOT some hack which makes DNS less reliable, and noisier.

Use digital fountains and give out multiple sources to get streams from, and let the end user's computer figure it out. They are the ones in the best place to determine which is a more reliable stream of packets, not some aggregated delayed measure post facto.

I don't like this idea. Round robin should be good enough.

Privacy and internet (1)

gmuslera (3436) | more than 4 years ago | (#30938464)

While this doesn't identify you for a lot of reasons, there are some good points of using this. Hitting local caches/distribution network nodes/etc will make the internet actually faster (a good percent of total bandwidth comes from places where this applies, and going to somewhat local resources unclogs international links). At least where I live, around 200 ms is the avg ping time to the rest of the world, but 30 or lower to local ones, so accessing most static resources locally should make a difference.

And probably more important, it doesn't forbid you from keeping your privacy: old nameservers, or if you want, your own authoritative nameserver, will not send that information and you could use them.

Censoring the Axis of evil (1)

stimpleton (732392) | more than 4 years ago | (#30938538)

" Or it would send a user from Iran or Libya to a 'domain name doesn't exist' server."

Why limited to these countries? How about Australia? Remember, this is a country that blocked Wikileaks thru its state sanctioned banlist. Politicians there are on board [stuff.co.nz].

Even Linden Labs (makers of Second Life) have set up servers there (only 2-3 countries have their servers outside the US). Critics theorize this has little to do with technical distributed computing reasons but is to be in readiness to self censor their content, as LL seems to have had the opinion from Ozzie officials that Second Life in its current form would be "offensive", i.e. against the law... like Child Porn etc.

Google needs the tools to "keep sweet" with local authorities. These DNS changes would help them avoid being in Linden Labs' situation.

This is bad (1, Insightful)

BhaKi (1316335) | more than 4 years ago | (#30938626)

This is crap. You don't need user's IP address for load balancing. The only motives behind this are propaganda and psyops. For instance, this move will allow US to block traffic to certain sites from certain countries and then claim that access failures are due to censorship imposed by that country's government.