« Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC | Main | 132,000+ sites Compromised Via SQL Injection »

Potential risks of using Google's free DNS service?

Google has announced that they are offering a free DNS service to anyone wanting to use it. Unfortunately the motivations/privacy concerns aren't being discussed in as much detail as I'd like, and people aren't asking the important question of why google is offering such a free service.

Several points to consider

  • Google can profile a given IP for which countries they visit, or which types of sites they prefer.
  • Google can identify sites you visit that lack google analytics/google ads, allowing google to know everything you connect to.
  • Google states they don't share the data with analytics or google ads, it doesn't seem to say it won't share this data with others.
  • Google may see queries to internal hostnames on your local corporate intranet/lan when you attempt to visit an internal site.
  • Google will be able to see the software products an IP uses, if those products perform web based updates. 
  • Google will be able to tell if you're infected with malware, if that malware contacts hostnames for payload updates. This allows google to know if you're backdoored/infected which hypothetically means this information could be used to gather a list of hacked hosts. It also gives them the potential to control the payloads used by bots not using payload verification/signing. Am I saying google will do something with this information? Unlikely.

While it is true your ISP is in a similar position (although chances are they couldn't retain or analyze the traffic like google can due to lack of resources), your ISPs motivation of offering you DNS is to make the web work, while google's has some sort of yet to be determined financial benefit (they are a publicly traded company looking out for shareholders after all) which is likely related to your personal habits.

I believe google is doing the right thing regarding speeding up the web, however I have concerns that one day many people will regret handing over so much information to google. Hopefully once the original founders leave google entirely the do no evil message remains intact. The motivation for this post is that you should be aware how much information you give away to one particular company, while the service is 'free' you're paying a yet to be determined price.

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.


All Comments are Moderated and will be delayed!



Once DNS comes with encryption, this will be more interesting. For the time being, DNS queries are hardly secure no matter who performs them.

Stephan


I would also be concerned about how much information they share with the government. I would not trust them with any private usage information. They are too close to the Obama Administration.


Stephan, Encrypted DNS queries is not going to happen. It's too much overhead for zero security value. If I can snoop in your queries, then I can snoop on the rest of your traffic, therefore, I already know where you are going. Secondly, if I can I running a DNS resolver, even if the queries are encrypted, I can still see what you are asking for because, and this is the important part, the resolver has to decrypt the query before it is processed.


If they can detect malware why don't ISP detect infected PCs on their networks?

Google will be able to tell if you're infected with malware, if that malware contacts hostnames for payload updates. This allows google to know if you're backdoored/infected which hypothetically means this information could be used to gather a list of hacked hosts. It also gives them the potential to control the payloads used by bots not using payload verification/signing.


All of these points apply to any DNS service, including the one your ISP uses. And last time I checked Google has nothing to do with Obama.


While it is true any ISP can have insight into what you visit, ISP's don't have the resources to retain this information/analyze it, google does. Many people use google for both search and email. Even those that don't still have google ads/analytics rendered putting google into a unique position to see the web habits of user's (more than anyone else, minus the feds perhaps).


Who cares? I have nothing to hide. Let them track my every stop on the web. I'm boring to watch. :)


I completely agree that much of the media attention hasn't discussed privacy concerns as much as I would like. That being said, I don't think I agree with all of your statements. For example, this statement:

"your ISPs motivation of offering you DNS is to make the web work, while google's has some sort of yet to be determined financial benefit (they are a publicly traded company looking out for shareholders after all) which is likely related to your personal habits."

Seems to include quite a bit of your personal opinion.

Again, I do want to see more conversation on this topic, and I appreciate your write-up. I just think there is a better argument to make.


Nice post, thanks.


@Mitchell
I wasn't trying to make an argument for or against google dns, merely start a discussion with points of view that folks may not be considering.

Your ISP does offer DNS in order to make the web work, I think we agree with this. Google offering a service that is considered standard with every ISP on the planet likely means they plan on monetizing it in some way. Companies are in it to make money and google is no exception. Given that google makes money based on your interests (via ads) it isnt a stretch to say that by providing dns, it is yet another avenue to profit from your interests.

Again I'm reiterating that I don't think google is going to 'be evil', merely that people should factor in how much info they give to one particular organization.


I really don't think google is trying to police your evil deeds.

DNS is data and data is what google lives on. By running DNS google will, as they say, be a switchboard on the internet.

Why? It's simple! It's much more efficient than a spider for finding new content for Live Search. And in the wake they hurt more small companies.


Matter is almost everybody that is not into IT doesn't understand anything about many thing, especially DNS stuff.

To control and restraign, public institutions have to be concerned. If they don't understand, they won't. And Google is growing so fast, that laws are always late.


Unfortunately, Google is more likely to protect you than your ISP simply because they are heavily scrutinized by quite a few government entities. Small ISPs' privacy policies are often unclear and it is not even certain that they actually follow the ones they have.
Besides, if you are concerned about "big brother", just take a look at Yahoo's policies regarding data retention. They retain some data (like what IP registered which username at what time and with all kinds of personal data for 10 years..)


In my viewpoint, the Internet is becoming a highway to only deliver unwanted commercial content, gather user data, "steal" programs from our hard drives and move them in clouds to enforce always only paid access, and anything else is soon getting banned for illegality. Perhaps distributing and downloading warez is the most legitimate and harmless behavioral type related to making the network valuable and prosperous to the society.

Services, such as OpenDNS usually spoof search engine IP addresses to record your search queries and they might eventually record all DNS lookups. Contrary to those, OpenNIC is free DNS run by volunteers. When everybody can run his own DNS server, everybody can also gather & misuse obtained user data.


I have the following concern. When I use Google DNS does it mean that I hide certain information from my ISP? Is he able to collect any data. In this sense Google might be more reliable than the local ISP.


@dimitre
Not really since all your traffic passes your ISP's network anyway.


Don't trust either Google or your ISP for DNS. Run your own DNS resolver.
Google can add your DNS queries to it's arsenal of tracking mechanisms.
ISPs really don't care about their DNS servers and are likely targets for hackers to redirect you to sites to steal your information such as bank login.


That's a good thought. I think they getting too much info with cookies, and now they want DNS history. Isn't it too much?


I was thinking of using google free DNS for my new website but I think I might look into alternatives after reading this. They already collate enough tracking information using cookies!

Post a comment







Remember personal info?