In an effort to enhance the Web experience and speed things up for users, Google is getting into the DNS business. DNS has privacy and security implications, though, that Google has to take into consideration in providing this service.
Privacy is a concern with virtually everything Google touches. The very nature of many of Google’s core offerings is based on cataloging and indexing every possible detail about everything. To provide the best search results, it has to create the most comprehensive site index. To provide the most detailed maps, it has to painstakingly catalog every street in the world. Sometimes the goal of providing information oversteps the privacy boundary.
The privacy concern with Google Public DNS though is more about the Big Brother status that Google achieves by acting as the DNS resolver to the world. With recent purchases like AdMob and Teracent, Google is aggressively expanding its advertising footprint. The ability to monitor and capture detailed Web data from the DNS traffic could be a goldmine for Google.
David Ulevitch, founder of OpenDNS, challenges Google’s altruism in his blog post: “Google claims that this service is better because it has no ads or redirection. But you have to remember they are also the largest advertising and redirection company on the Internet. To think that Google’s DNS service is for the benefit of the Internet would be naive.”
Privacy issues aside, DNS also comes with some inherent security concerns. The Google Code Blog acknowledged the security implications of DNS in the post announcing Google Public DNS. “DNS is vulnerable to spoofing attacks that can poison the cache of a nameserver and can route all its users to a malicious website.”
There have been a number of issues discovered with DNS and attacks that exploit weaknesses in DNS in recent years. It was designed in a Utopian era before Internet or Web security were issues. DNSSEC has been developed as a next-generation, more secure implementation of DNS, but it is not yet part of the mainstream.
Google is aware of the security flaws with DNS though and has taken steps to protect against them. “Until new protocols like DNSSEC get widely adopted, resolvers need to take additional measures to keep their caches secure. Google Public DNS makes it more difficult for attackers to spoof valid responses by randomizing the case of query names and including additional data in its DNS messages.”
DNS cache poisoning can be a very effective exploit if successful, and Google Public DNS will provide a very tempting target. The steps Google has taken are a good interim action while we wait for the widespread adoption of DNSSEC.
These measures don’t address the Big Brother privacy concerns, but that is a whole different battle that Google will have to fight probably as long as it is in the business of indexing the world and providing targeted advertising.