Don't you just...
... 'ate it when that 'appens...
Those who worry about cloud resilience have another incident to point at and frown, after Google's public domain name system (DNS) servers at the attractive IP addresses of 8.8.8.8 and 8.8.4.4 went down for Asian users yesterday. Google offers its public DNS servers out of the goodness of its heart, and also because the …
"Google offers its public DNS servers out of the goodness of its heart,"
No, Google offers the service so they know where you are going on the net when not using Google Chrome as your browser of choice. You can bet the originating IP, destination IP, protocol used and other info is being cached into datastores for future use.
You can bet the NSA / GCHQ / Mossad / (Insert favorite spy agency here) has taps on that info as well.
As long as you 1) have an additional DNS configured and 2) that additional DNS is not 8.8.4.4.
If you want a list of available (to you) DNS servers, one tool that provides this, as an aside, is Steve Gibson's DNS benchmark tool, since it contains a large list of public (and otherwise) DNSs.
In other words, if anyone went off-line because of this, they have only themselves to blame.
Argh. The inventor of SpinRite, drossware widely debunked and re-inventor of a deeply flawed implementation of syncookies, as well as promulgating the benefits of writing Win32 API GUI software in asm fer Christ's sake. Oh, and claiming raw sockets in Windows are evil, as if you can't just write eth frames. Fooey!
Gibson's clearly bright enough so it's a real shame that so much of what he writes is laced with puffery and snake-oil. Those "nanoprobes" are still there too: https://www.grc.com/np/np.htm, still a page of unbelievable claims with the coy mention of the cooperating client left to the end.
Have you got a link for a detailed writeup of SpinRite? I only ever saw uselessly shallow "reviews" of it
Thanks! - actual user testimonials are always more interesting than the sort of "I ran it for half an hour and it didn't crash and I think maybe my drive is happier now" reviews I've seen. So the rescuing being done was the recovery of the contents of bad sectors and mapping them out? Or the more mysterious "refresh the magnetic disk surfaces to allow them to operate more reliably" (which I guess may mean systemically re-writing the disk contents in the hope of countering bit-rot?)
Sector drift was basically a phenomenon where the sector boundaries became fuzzy and out of focus because the head positioning wasn't accurate enough or would slowly change due to wear and tear - here's a link to a scanned article in PC Mag c. 1991 which explains in broad detail:
https://books.google.co.uk/books?id=X_tru4xwJ_sC&pg=PT392&lpg=PT392&dq=hard+disk+sector+drift&source=bl&ots=C1-XvAsueT&sig=-nRyugVaWiAbXN68cGcKuqSXVzc&hl=en&sa=X&ei=ZMaCVZbQFczw-AHttIHoBg&redir_esc=y#v=onepage&q=hard%20disk%20sector%20drift&f=false
On our non-critical classroom network we use a different, cheaper ISP. Their DNS is kind of crap, much worse than Google's. And when their DNS craps out it still responds with bogus "not found" for everything most of the time, so I'm better off with 8.8.8.8 as my first DNS. Google also updates faster than the ISP DNS servers do.
there is EVERYTHING wrong with 8.8.8.8 & 8.8.8.4.
It identifies:
1. The network/ computer requesting a DNS lookup
2. The target.
3. With a little bit of work, it allows cookies & Facebook redirects to identify individual users' traffic & interests, especially if the target is using Google Analytics.
4. If something were to go wrong, every DNS lookup could be directed to a single location, without the safety of a randomizing selection of alternative DNS servers.
Google offers its public DNS servers out of the goodness of its heart, and also because the touted features of extra speed and greater security advance its mission to get more people doing more stuff online more often.
I think you may also be missing another reason Google provides them: it gives them another big juicy titty of free data on which to slurp and gorge themselves.
What does Google really get from that data that is any use?
They just get to know that some IPs that could belong to any number of PCs or different PCs at different times are looking up an A record and an MX record for a certain host for the first time in x amount of hours.
-So this is a very small subsection of the net
-It isn't directly linked to a certain PC let alone a single PC or a single related PC or a certain owner
-The results will be locally cached for x amount of time that may or may not correspond to the TTL of the domain
Google have far better information than this directly from the Analytics plugin, ads and the web searches, the extra information that this would provide would be little more than useless noise. It is more likely to provide a bit of a route in for the N*S*A/G*C*H*Q for IT illiterate terr#orists than anything useful for the Google Marketing Machine.
Internet != www
I would have thought the stats they get from all the f*ckzillions of DNS lookups they handle would actually be pretty valuable. Not all wgets/mail clients/daemons and whatever other internet-aware processes (lots and lots and lots!) that do DNS lookups have JS enabled. GA just gets you data from web browsers.
Yes, I know Internet != www, hence the reason I mentioned MX records - you might know they are used to look up addresses of mail servers rather than web sites, or maybe not - try this link: Explanation of MX Records?
But explain - why would they be so valuable to Google?
How about if you are logged in to gmail or any other Google product or signed into another service using a Google+ account and also using Google DNS? I can imagine they could correlate the data in that instance. However, it is data and that is valuable to Google, even if they have no use for it now, they may find a use later, costs them very little in the scheme of things.
If you are using Google products anyway the DNS lookups are pretty much worthless in the scheme of things, they can collect proper information about you without stepping into legal issues.
"However, it is data and that is valuable to Google"
Data isn't valuable to almost anyone - information is valuable, or further converting information to knowledge is actually valuable. If you can't convert data to information then it just fills space.
Indeed - I think the background work of tying millions of DNS lookups back to IP addresses which are at that time accessing Google services is too wasteful in disk space or computational resources even for 'evil' Google. I have a UK DNS as my first entry on some devices, my ISP DNS on a few, including DHCP usage of my router, but would generally opt for Google over OpenDNS as a second entry, as I don't expect as much potential for 'interference' with what can be found (in a censorship way) or whether the resulting 'answer' is not what others would get.
I think you may also be missing another reason Google provides them: it gives them another big juicy titty of free data on which to slurp and gorge themselves.
Not during a DNS amplification attack[1], it doesn't; the whole point of that is that the addresses are forged...
Vic.
[1] There's quite a bit of that going on at the moment - my server was attacked just the other day. It wouldn't surprise me in the slightest to find out that this is what took Google's DNS server down.
"Those who rely on free, unsupported, services have surely had enough warnings that their optimism may be misplaced."
Pretty much everything people expect from the Internet these days then, from DNS, to gmail/hotmail, via Facebook/twitter and music streaming services. Even ISPs if you're savvy enough (not a good one mind)
Talking to you Microsoft et al.
Why not allow a list of eight or ten or ... ? At first use, and periodically thereafter, have the client run a wee contest to rank the list. Any hiccup outside the norm, immediately send out another request to an alternate DNS. Why do the clients sit there waiting? It's 2014 already. Daft!!
There should be meta-DNS lists to provide an initial sorted list.
Somebody needs to RFC this already. Not me, cause I know nothing about this topic.
I don't know, but he doesn't mean Windows or Windows Server. I've got 8 DNS servers set up for my network, of which 8.8.8.8 is one.
Of course, this is probably the sort of user (who probably thinks he's an admin) that gives windows a bad name. Pro tip, press the "ADVANCED" button on that screen and you can enter as many DNS servers as you could possibly want.
Between the ISP's 2 servers, the backup ISP's 2 servers, 2 google servers and another 2 random DNS servers I have yet to encounter a time when the line is up, but DNS is down.
A C.A. wrote "...thinks he's an admin..."
We muddle through... Our home network is fiber optic 175 Mbps. Three wifi routers filling the 2.4GHz band, two more on 5 GHz. A half-dozen 24-port Gb switches (many spare ports to be honest) wired with Cat 6 STP. Eight desktops. Nine laptops. Half dozen game consoles. Dozen and dozens of gadgets, endless tablets and phones, two Apple TV, two WD TVs, Chromecast, you name it. When I run Fing, I have to scroll. Per network.
So at home, yes I am the one and only admin. Uptime is enviable. Still learning all the boring, tedious, mind numbing, repetitive settings ("admin" slog) and wondering why the coder drones at MS et al still miss some blindingly obvious things. Like improving DNS.
My day job is in another tech field. More interesting by my standards. If I ever need someone to supervise the low level formatting of a multi-TB drive, I'll contact you.
Thanks.
Ignoring the fact that you can add more than 2 DNS servers on a windows box (as already pointed out, click "advanced"), if you're really in need of highly available DNS then having your own DNS to manage this would probably be the way forward. For the majority of home users, 2 is enough.
My recollection was off. It was all the various routers that have two DNS slots. And the growing Internet of Things, who knows where their DNS settings are even located. Thank you for the corrections.
I still think that there is room for improvement. What you wise and experienced network experts so carefully tweak, clearly true in this DNS area, you could be replaced by about 100 lines of code and some online meta-ness. Maybe an Autopopulate button linked to a reliable online reference. And a default list to bootstrap. Maybe DNS majority voting.
It's 2014, it should "just work". Why do we even need to notice when a DNS server crashes. With a couple of RFCs, it'd be invisible. Even for Grandma.
Seems like less than a week since Belkin suggested that users switch to Google DNS to go online.
Vendor firmware tends to suck and Belkin is especially stupid.
Those who rely on free, unsupported, services have surely had enough warnings that their optimism may be misplaced.
In other news, water described as "wet", big flaming ball of hydrogen and helium in the sky "a bit warm" and, bears have been seen defecating in arboreal areas.
And people are still blindly trusting this shit. Mind. Boggled.
8.8.8.8 and 8.8.4.4 aren't foolproof. But they sure are a lot faster and more reliable than both Mediacom's (local cable ISP) and CenturyLink's (local DSL ISP) DNSes (the ISP DNSes are also both non-compliant: they falsely return an ISP-owned IP for non-existent domains instead of NXDOMAIN).
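The NXDOMAIN complaint in the comment above can be checked mechanically. The following is an added example, not part of the comment thread or any of the posters' code: it builds a minimal DNS query for a random label that cannot exist, parses the reply header, and reports whether the resolver answered NXDOMAIN (RCODE 3) or handed back a forged A record. The probe name under example.com, the two sample reply packets and the 192.0.2.1 address are constructed for the illustration; `check_resolver` is the one function that talks to the network.

```python
import secrets
import socket
import struct


def probe_name():
    """Constructed probe: a random label under a documentation domain (RFC 2606),
    so a correct resolver must answer NXDOMAIN."""
    return f"{secrets.token_hex(6)}.example.com."


def build_query(qname, txid):
    """Minimal DNS query: 12-byte header with RD set, one question for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    wire = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + wire + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def classify_response(pkt, txid):
    """Classify a reply to a probe for a name that cannot exist.
    Returns (verdict, forged_address_or_None)."""
    if len(pkt) < 12:
        return ("malformed", None)
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid or not (flags & 0x8000):  # wrong transaction id or not a response
        return ("malformed", None)
    rcode = flags & 0x000F
    if rcode == 3:
        return ("nxdomain", None)
    if rcode == 0 and an > 0:
        # A resolver that "finds" a random name is substituting its own answer.
        off = 12
        for _ in range(qd):
            off = skip_name(pkt, off) + 4  # name + QTYPE + QCLASS
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        addr = None
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = socket.inet_ntoa(pkt[off:off + 4])
        return ("hijacked", addr)
    return (f"rcode-{rcode}", None)


def check_resolver(server_ip, timeout=2.0):
    """Send one live probe over UDP to a resolver and classify its reply
    (network use; not exercised by the offline sample below)."""
    txid = secrets.randbelow(0x10000)
    query = build_query(probe_name(), txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            pkt, _ = s.recvfrom(4096)
        except socket.timeout:
            return ("timeout", None)
    return classify_response(pkt, txid)


def sample_replies():
    """Constructed replies (no network): a compliant NXDOMAIN and a hijacked answer."""
    txid = 0x1234
    question = build_query("zz.example.com.", txid)[12:]
    nx = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.1")
    hijacked = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer
    return txid, nx, hijacked


if __name__ == "__main__":
    txid, nx, hijacked = sample_replies()
    print(classify_response(nx, txid))        # ('nxdomain', None)
    print(classify_response(hijacked, txid))  # ('hijacked', '192.0.2.1')
```

Run `check_resolver("<resolver ip>")` a few times against each resolver you are considering; a steady "hijacked" verdict with the same address is the behaviour the comment describes, and the returned address is the one to look for in your own resolver logs.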
"...I'm actually a little curious as to why someone would have only one entry for DNS resolution."
I'm still wondering why, in the year 2014, somebody hasn't automated exactly what you suggest and more. Having a billion+ people all still fiddling with their DNS settings seems a bit unnecessary in this day and age. It would only take about 100 lines of code and multiple online repositories (perhaps another small section within the DNS themselves) to precisely automate it to be optimized. Self learning, etc. Default On, untick if you want manual control.
IT folks sometimes have a blind spot on such things. They love to fiddle and don't even notice the hours slipping away. I prefer if someone code it up once, so everyone else can get back to watching cat videos.
Same thing with NTP. Why do I need to try this one and try that one and try another one until it finally gets a response. Happens sometimes.
A tiny tweak to the code and let the code go up and down the list of NTP servers until it gets a response. Send out the initial pings to several NTP servers in parallel so that the human isn't kept waiting.
Each NTP server should host a list of other NTP servers it considers reliable. Let them score each other. Ranked and voted. So even the list of NTP servers is automatically maintained.
2014 folks.
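Both the "wee contest to rank the list" suggestion earlier in the thread and the "100 lines of code ... DNS majority voting" post above describe the same client-side logic. This is an added example of that logic, not code from the thread or from any resolver project: it probes a candidate list in parallel, keeps only the servers that answer, ranks them by median latency, fails over down the ranked list instead of waiting on a dead server, and cross-checks the top resolvers' answers so that a lone dissenting answer is flagged. The resolver addresses, latencies and answers are constructed from the RFC 5737 documentation ranges so the block runs offline; `udp_probe` is the only function that touches the network.

```python
import collections
import concurrent.futures
import socket
import time

# Constructed bootstrap list (documentation addresses standing in for real resolvers).
DEFAULT_RESOLVERS = ["192.0.2.10", "192.0.2.11", "198.51.100.10", "203.0.113.10"]

# Tiny fixed DNS query (id 0x002a, RD set, one question: "." NS IN) used only to time a reply.
ROOT_NS_QUERY = b"\x00\x2a\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x00" + b"\x00\x02\x00\x01"


def udp_probe(server, timeout):
    """Live latency probe (network use, not exercised offline): seconds until any
    reply arrives, or None when nothing came back within the timeout."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(ROOT_NS_QUERY, (server, 53))
            s.recvfrom(512)
        except (socket.timeout, OSError):
            return None
    return time.monotonic() - start


def rank_resolvers(servers, probe, timeout=1.0, samples=3):
    """Probe every server `samples` times in parallel, drop servers where most
    probes failed, and return (server, median_latency) pairs, fastest first."""
    def measure(server):
        latencies = sorted(v for v in (probe(server, timeout) for _ in range(samples)) if v is not None)
        if len(latencies) * 2 < samples:  # majority of probes failed: unusable
            return server, None
        return server, latencies[len(latencies) // 2]
    with concurrent.futures.ThreadPoolExecutor(max_workers=max(1, len(servers))) as pool:
        results = list(pool.map(measure, servers))
    ranked = [(s, m) for s, m in results if m is not None]
    ranked.sort(key=lambda r: r[1])
    return ranked


def resolve_with_failover(name, ranked, query, timeout=1.0):
    """Walk the ranked list; a timeout or socket error moves straight to the next
    server rather than leaving the caller waiting. Returns (answer, server_used)."""
    for server, _ in ranked:
        try:
            answer = query(name, server, timeout)
        except (socket.timeout, OSError):
            continue
        if answer is not None:
            return answer, server
    raise RuntimeError("no resolver answered")


def majority_answer(name, ranked, query, k=3, timeout=1.0):
    """Ask the top-k resolvers in parallel and return the answer most of them agree
    on, plus the servers that disagreed (a resolver answering differently from its
    peers is the thing worth investigating)."""
    top = [s for s, _ in ranked[:k]]
    if not top:
        raise RuntimeError("no usable resolvers")

    def ask(server):
        try:
            return server, query(name, server, timeout)
        except (socket.timeout, OSError):
            return server, None
    with concurrent.futures.ThreadPoolExecutor(max_workers=len(top)) as pool:
        replies = list(pool.map(ask, top))
    votes = collections.Counter(a for _, a in replies if a is not None)
    if not votes:
        raise RuntimeError("no resolver answered")
    winner, _count = votes.most_common(1)[0]
    dissenters = [s for s, a in replies if a != winner]
    return winner, dissenters


# Constructed offline stand-ins: probe latency per server (None = dead) and the
# answer each server gives for www.example.com (one of them answers differently).
FAKE_LATENCY = {"192.0.2.10": 0.030, "192.0.2.11": None, "198.51.100.10": 0.012, "203.0.113.10": 0.045}
FAKE_ANSWERS = {"192.0.2.10": "203.0.113.80", "198.51.100.10": "203.0.113.80", "203.0.113.10": "203.0.113.99"}


def fake_probe(server, timeout):
    return FAKE_LATENCY.get(server)


def fake_query(name, server, timeout):
    if server not in FAKE_ANSWERS:
        raise socket.timeout()
    return FAKE_ANSWERS[server]


if __name__ == "__main__":
    ranked = rank_resolvers(DEFAULT_RESOLVERS, fake_probe)
    print(ranked)                                                   # 192.0.2.11 dropped
    print(resolve_with_failover("www.example.com", ranked, fake_query))
    print(majority_answer("www.example.com", ranked, fake_query))   # 203.0.113.10 dissents
```

Swap `fake_probe`/`fake_query` for `udp_probe` and a real query function to use it against live resolvers; re-running `rank_resolvers` periodically is the "periodically thereafter" part of the suggestion, and the dissenter list from `majority_answer` is what a client would log before deciding whether one resolver is merely stale or is answering from a different view of the zone.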
Setting up a recursive search BIND is easy peasy. If you are really concerned, configure iptables (or ipfw) on the box to only allow incoming queries from ISP-controlled networks and/or configure BIND to only serve their networks.
Anyone relying on 8.8.8.8 who isn't a mortal user is being extremely lazy!
Sure, 8.8.8.8 and 8.8.4.4 are nice stopgap solutions when you don't have the address of a proper DNS server; however, you should never rely on them under normal circumstances. After all, Google may have technical problems, choose to terminate the service or just go bankrupt at pretty much any moment.
So doom and gloom and [people are stupid for using it] ??
Actually, I don't, but after reading this I might; my old ISP's DNS servers spent more time on holiday than the UK Parliament, and OpenDNS is getting soooo sloooow. One outage in I-don't-know-how-many-years is actually pretty good.
Google public DNS was used widely in a few recent protests, even graffitied onto walls to tell people how to get round local censorship. So I was just wondering... what with Hong Kong and Taiwan... just maybe they were trying to knock down something outside the Great Firewall of China?
At first I just used a pair of Pentium 2 boxes with OpenBSD installed running the native 'named' and a script that would pull a copy of InterNIC's root.zone daily. Now I have upgraded them to a pair of Atom machines, added a script to remove all those crappy gTLDs that are springing up nowadays, and added a couple of firewall rules to block all DNS traffic except from those two boxes (making me immune from all that DNS change malware).
They are not authoritative.
8.8.8.8 and 8.8.4.4 are resolvers.
Just because - unfortunately - Microsoft chose to (wrongly) call the tab in the network-configuration dialog "DNS-Servers" doesn't make it right.
Please, El Reg (an IT publication, although self-proclaimed), actually read a book some time, or read wikipedia or at least listen to the "Ask Mr DNS" podcast http://www.ask-mrdns.com from Matt Larson and Cricket Liu.
Factually you are correct(ish). However, Unix-based systems (at least) will have in /etc/resolv.conf something like:
domain example.co.uk
nameserver a.b.c.d
nameserver e.f.g.h
So the newbie: Windows using the term "DNS server" in their dialogues is fair enough - they are servers that spit out DNS information. As it turns out, a large proportion of the world refers to non-auth resolvers as "DNS servers" or "nameservers".
I manage many Windows DNS, BIND, PowerDNS, Unbound, et al. and feel I have a pretty good handle on how DNS works. Criticising people for their use of "DNS server" for a "resolver" is pretty low on my list of things to get wound up about. Incidentally, many of those mere "resolvers" may of course be authoritative for some domains. In which case how do you refer to them?
Perhaps you might also get upset at an Apache instance being used as a reverse proxy being called a "web server".
Now if you really understood DNS 'n' IP to a level where you can get uptight in public and not expect to be flamed then you would have pointed out that MS's biggest mistake was to make it appear that DNS settings are per interface and not per host.
... or to put it another way: how would you like me to refer to a system that does DNS thingies as a resolver, authoritative for some zones and non-authoritative for other zones. I think I'll just call the whole lot of them DNS servers and if I'm not sure what they do but they perform this function then I'll still call them DNS servers. Oh and even if I bother to check the finer details, I'll still call them DNS servers.
Cheers
Jon