Dec 5, 2009

Google Public DNS -Security & Privacy Analysis

Author: S.C. Leung
Google announced provision of free Google Public DNS service [1]. It is now in experimental stage targeting individual user only. Google Public DNS service is part of Google's cloud computing initiative to make Internet services available anywhere at any time.

It has a far reaching impact to the Internet after Google goes into the search engine business. Here is my preliminary analysis from information security & privacy perspective.

Performance and Availability
With the vast and distributed points of presence, clients are able to obtain more speedy and more resilient DNS services via geo-location awareness load balancing (technically using anycast), cache and prefetch name resolution. [2]

Comments: Just as the GMail service, Google has a wonderful resilience in infrastructure that corporations cannot generally afford. However, Google has no commitment on service level and you are always advised to have a secondary DNS pointing to your own ISP or internal DNS server.

Google Public DNS has designs against spoof attacks leading to DNS cache poisoning. [3]
  • filter out malformed queries and responses.
  • use more randomness of source ports and responding DNS servers
  • randomly vary the case of letters in domain names queried by "0x20 technique" [4] to reduce chance of spoofed response.
  • remove duplicate name queries are removed to mitigate birthday attacks (spoofed flooding response to increase chance of hit)
Google Public DNS has designs against Denial-of-service (DoS) and amplification attacks [3]
  • rate limiting of outgoing queries to name servers
  • rate limiting of outgoing responses to clients
Comments: These security measures are very carefully designed to combat the most current DNS attacks. Note that, however, there is a limitation in Public DNS. It can only accept and forward DNSSEC requests but CANNOT validate DNSSEC responses. When DNSSEC is popularizing we need to keep an eye on this.

Everyone knows that a log of you DNS queries is merely the same as a log of your web access habit without the content involved. Another Google service Safe Browsing was challenged by a researcher RSnake of potentially infringe clients' privacy by collecting client machines' browsing history[5]. Will that happen to Public DNS? What does Google log?

The Privacy Policy [6] specifies that they stores two sets of logs: temporary and permanent. Temporary logs (kept within 24-48 hours) store the user's full IP address so that Google can spot potentially bad things like attacks and fix problems like particular domains not showing up for specific users. The permanent log has no personally identifiable information or IP information but user's geolocation and ISP (AS number). Google will not correlate user's use of other services, like Search and advertisement.

Comments: The Google privacy policy has looked into the privacy concerns properly. However, as in cloud computing, how can they provide the transparency to assure the privacy policy is followed closely. Secondly, we also need to take into account the overriding conditions that may apply if Google is asked to cooperate with law enforcement agencies or authorities. Google not only keep track of everything you search, but every address you are visiting. Depending on which country you live in, government agencies have various powers to compel online service providers, such as Google and your ISP, to give them whatever information they might have about your identity and activities. For US, the post-9/11 Patriot Act made it easier for law enforcement agencies to get this information. Other governments will learn to get have access to such widespread surveillance powers for reasons they see fit. [7]

Other Comments

1. We need to be aware that DNS server is a key infrastructure for the directory of information on the Internet. Controlling DNS can directly control information access. Moreover, if a client cannot access an information repository, he has no knowledge if that information repository is unavailable or the name resolution is denied by the DNS server. So a key for freedom of information access is to guarantee that Google does not implement any kind of filtering without user authorization. Google has acknowledged this [1] but should have more transparency on this.

2. As with Google's Safe Browsing service, Public DNS can be used to filter against malware and phishing. It could be a future revenue stream, like Google's competitor OpenDNS. Besides, similar technology can be applied to pornography and gambling filtering for parental care. Once filtering is added, we have to look at how these services could impact freedom of information access and privacy.

3. Fast flux DNS technology is widely used by botnets to provide dynamic DNS resolution of malicious web sites to evade investigation. With Public DNS, Google can play an active role in malware and botnet detection through analysis of the DNS server responses. The information would be very useful for the security community.

4. Last by not least, I like to point out the importance of diversity as commented by the CEO of OpenDNS[8]. From Chrome OS at the bottom, to Chrome browser, and to Google Search at the top, Google is running the end-to-end infrastructure. Google is the largest advertising company in the world. Do we want Google to keep control over so much of our Internet experience? How can we preserve a heterogeneous Internet with lots of parties collaborating to make this thing work.

Back to Top


[1] Google Gets Into The DNS Business. Here’s What That Means"

[2] Google Public DNS: Performance Benefits

[3] Google Public DNS: Security Benefits

[4] Use of Bit 0x20 in DNS Labels to Improve Transaction Identity

[5] Google Safe Browsing Feature Could Compromise Privacy

[6] Google Public DNS: Privacy Policy

[7] You Have Zero Privacy Anyway -- Get Over It

[8] Some thoughts on Google DNS, by David Ulevitch, Founder of OpenDNS

No comments: