Something ate Google's 8.8.8.8 at about eight in Asia's evening

Those who worry about cloud resilience have another incident to point at and frown, after Google's public domain name system (DNS) servers at the attractive IP addresses of 8.8.8.8 and 8.8.4.4 went down for Asian users yesterday. Google offers its public DNS servers out of the goodness of its heart, and also because the …

  1. Graham Marsden
    Coat

    Don't you just...

    ... 'ate it when that 'appens...

    1. Anonymous Coward
      Anonymous Coward

      "Google offers its public DNS servers out of the goodness of its heart,"

      No, Google offers the service so they know where you are going on the net when not using Google Chrome as your browser of choice. You can bet the originating IP, destination IP, protocol used and other info is being cached into datastores for future use.

      You can bet the NSA / GCHQ / Mossad / (Insert favorite spy agency here) has taps on that info as well.

  2. Anonymous Coward
    Anonymous Coward

    There's nothing wrong with using 8.8.8.8 for DNS...

    As long as you 1) have an additional DNS configured and 2) that additional DNS is not 8.8.4.4.

    If you want a list of available (to you) DNS servers, one tool that provides this, as an aside, is Steve Gibson's DNS benchmark tool, since it contains a large list of public (and otherwise) DNSs.

    In other words, if anyone went off-line because of this, they have only themselves to blame.

    1. Anonymous Coward
      Anonymous Coward

      Re: There's nothing wrong with using 8.8.8.8 for DNS...

      Argh. The inventor of SpinRite, drossware widely debunked and re-inventor of a deeply flawed implementation of syncookies, as well as promulgating the benefits of writing Win32 API GUI software in asm fer Christ's sake. Oh, and claiming raw sockets in Windows are evil, as if you can't just write eth frames. Fooey!

      1. Anonymous Coward
        Anonymous Coward

        Re: There's nothing wrong with using 8.8.8.8 for DNS...

        Gibson's clearly bright enough so it's a real shame that so much of what he writes is laced with puffery and snake-oil. Those "nanoprobes" are still there too: https://www.grc.com/np/np.htm, still a page of unbelievable claims with the coy mention of the cooperating client left to the end.

        Have you got a link for a detailed writeup of SpinRite? I only ever saw uselessly shallow "reviews" of it

      2. hopkinse

        Re: There's nothing wrong with using 8.8.8.8 for DNS...

        Spinrite was actually quite useful in the early to mid 90s when the hard disks did suffer from sector drift - I rescued many ST225s, crappy Kyocera KC20s and the like, using it.

        1. Anonymous Coward
          Anonymous Coward

          Re: There's nothing wrong with using 8.8.8.8 for DNS...

          Thanks! - actual user testimonials are always more interesting than the sort of "I ran it for half an hour and it didn't crash and I think maybe my drive is happier now" reviews I've seen. So the rescuing being done was the recovery of the contents of bad sectors and mapping them out? Or the more mysterious "refresh the magnetic disk surfaces to allow them to operate more reliably" (which I guess may mean systemically re-writing the disk contents in the hope of countering bit-rot?)

          1. hopkinse

            Re: There's nothing wrong with using 8.8.8.8 for DNS...

            Sector drift was basically a phenomenon where the sector boundaries became fuzzy and out of focus because the head positioning wasn't accurate enough or would slowly change due to wear and tear - here's a link to a scanned article in PC Mag c. 1991 which explains in broad detail

            https://books.google.co.uk/books?id=X_tru4xwJ_sC&pg=PT392&lpg=PT392&dq=hard+disk+sector+drift&source=bl&ots=C1-XvAsueT&sig=-nRyugVaWiAbXN68cGcKuqSXVzc&hl=en&sa=X&ei=ZMaCVZbQFczw-AHttIHoBg&redir_esc=y#v=onepage&q=hard%20disk%20sector%20drift&f=false

    2. Tom 35

      Re: There's nothing wrong with using 8.8.8.8 for DNS...

      On our non-critical classroom network we use a different cheaper ISP. Their DNS is kind of crap, much worse than Google. And when their DNS craps out it still responds with bogus not found for everything most of the time so I'm better off with 8.8.8.8 as my first DNS. Google also updates faster than the ISP DNS servers do.

    3. Anonymous Coward
      Anonymous Coward

      Re: There's nothing wrong with using 8.8.8.8 for DNS...

      OpenDNS is usually my second DNS. Just to recap, so you can pick one:

      208.67.222.222

      208.67.220.220

      1. channel extended
        Unhappy

        Re: There's nothing wrong with using 8.8.8.8 for DNS...

        OpenDNS is known to block some sites that IT believes are not family friendly. Going by the site name only. Also they track https traffic using a self-signed certificate.

    4. razorfishsl

      Re: There's nothing wrong with using 8.8.8.8 for DNS...

      there is EVERYTHING wrong with 8.8.8.8 & 8.8.8.4.

      It identifies:

      1. The network/ computer requesting a DNS lookup

      2. The target.

      3. with a little bit of work, it allows cookies & Facebook redirects to identify individual users' traffic & interests, especially if the target is using Google Analytics.

      4. If something were to go wrong, every DNS lookup could be directed to a single location, without the safety of a randomizing selection of alternative DNS servers.

  3. Anonymous Coward
    Anonymous Coward

    Rose tinting?

    Google offers its public DNS servers out of the goodness of its heart, and also because the touted features of extra speed and greater security advance its mission to get more people doing more stuff online more often.

    I think you may also be missing another reason Google provides them: it gives them another big juicy titty of free data on which to slurp and gorge themselves.

    1. Anonymous Coward
      Anonymous Coward

      Re: Rose tinting?

      What does Google really get from that data that is any use?

      They just get to know that some IPs that could belong to any number of PCs or different PCs at different times are looking up an A record and an MX record for a certain host for the first time in x amount of hours.

      -So this is a very small subsection of the net

      -It isn't directly linked to a certain PC let alone a single PC or a single related PC or a certain owner

      -The results will be locally cached for x amount of time that may or may not correspond to the TTL of the domain

      Google have far better information than this directly from the Analytics plugin, ads and the web searches, the extra information that this would provide would be little more than useless noise. It is more likely to provide a bit of a route in for the N*S*A/G*C*H*Q for IT illiterate terr#orists than anything useful for the Google Marketing Machine.

      1. batfastad

        Re: Rose tinting?

        Internet != www

        I would have thought the stats they get from all the f*ckzillions of DNS lookups they handle would actually be pretty valuable. Not all wgets/mail clients/daemons and whatever other internet-aware processes (lots and lots and lots!) that do DNS lookups have JS enabled. GA just gets you data from web browsers.

        1. Anonymous Coward
          Anonymous Coward

          Re: Rose tinting?

          Yes, I know Internet != www hence the reason I mentioned MX records - you might know they are used to lookup addresses of mail servers rather than web sites, or maybe not - try this link Explanation of MX Records?

          But explain - why would they be so valuable to Google?

          1. Salts

            Re: Rose tinting?

            How about if you are logged in to gmail or any other Google product or signed into another service using a Google+ account and also using Google DNS? I can imagine they could correlate the data in that instance. However, it is data and that is valuable to Google, even if they have no use for it now, they may find a use later, costs them very little in the scheme of things.

            1. Anonymous Coward
              Anonymous Coward

              Re: Rose tinting?

              If you are using Google products anyway the DNS lookups are pretty much worthless in the scheme of things, they can collect proper information about you without stepping into legal issues.

              "However, it is data and that is valuable to Google"

              Data isn't valuable to almost anyone - information is valuable, or further converting information to knowledge is actually valuable. If you can't convert data to information then it just fills space.

              1. M Mouse
                Thumb Up

                Re: Rose tinting?

                Indeed - I think the background work of tying millions of DNS lookups back to IP addresses which are at that time accessing Google services is too wasteful in disk space or computational resources even for 'evil' Google. I have a UK DNS as my first entry on some devices, my ISP DNS on a few, including DHCP usage of my router, but would generally opt for Google over OpenDNS as a second entry, as I don't expect as much potential for 'interference' with what can be found (in a censorship way) or whether the resulting 'answer' is not what others would get.

                1. razorfishsl

                  Re: Rose tinting?

                  They would not use it like that………

                  More along the lines of… let's take every DNS request from Texas and run an analysis on the number of Gay cowboy sites that are hit.

    2. Vic

      Re: Rose tinting?

      I think you may also be missing another reason Google provides them: it gives them another big juicy titty of free data on which to slurp and gorge themselves.

      Not during a DNS amplification attack[1], it doesn't; the whole point of that is that the addresses are forged...

      Vic.

      [1] There's quite a bit of that going on at the moment - my server was attacked just the other day. It wouldn't surprise me in the slightest to find out that this is what took Google's DNS server down.

  4. Annihilator

    Free! (ish)

    "Those who rely on free, unsupported, services have surely had enough warnings that their optimism may be misplaced."

    Pretty much everything people expect from the Internet these days then, from DNS, to gmail/hotmail, via Facebook/twitter and music streaming services. Even ISPs if you're savvy enough (not a good one mind)

  5. JeffyPoooh
    Pint

    Why are we limited to just two?

    Talking to you Microsoft et al.

    Why not allow a list of eight or ten or ... ? At first use, and periodically thereafter, have the client run a wee contest to rank the list. Any hiccup outside the norm, immediately send out another request to an alternate DNS. Why do the clients sit there waiting? It's 2014 already. Daft!!

    There should be meta-DNS lists to provide an initial sorted list.

    Somebody needs to RFC this already. Not me, cause I know nothing about this topic.

    1. GregC

      Re: meta-DNS lists

      <Devil's advocate>But who maintains and secures the meta-DNS lists to make sure they aren't compromised? I know, let's have a meta-meta-DNS list just to be sure. But who maintains...</Devil's advocate>

      Just sayin'

    2. LaeMing

      Re: Why are we limited to just two?

      Can't speak for MS, but my *nix box allows an arbitrarily long list. 8.8.8.8 is my fallback if both my ISP's DNSes trip over.

    3. Sandtitz Silver badge
      WTF?

      Re: Why are we limited to just two? @JeffyPoooh

      "Talking to you Microsoft et al."

      Which Microsoft products are limited to just two DNS servers?

      1. Peter2 Silver badge

        Re: Why are we limited to just two? @JeffyPoooh

        I don't know, but he doesn't mean Windows or Windows Server. I've got 8 DNS servers set up for my network, of which 8.8.8.8 is one.

        Of course, this is probably the sort of user (who probably thinks he's an admin) that gives windows a bad name. Pro tip, press the "ADVANCED" button on that screen and you can enter as many DNS servers as you could possibly want.

        Between the ISP's 2 servers, the backup ISP's 2 servers, 2 google servers and another 2 random DNS servers I have yet to encounter a time when the line is up, but DNS is down.

        1. JeffyPoooh
          Pint

          Re: Why are we limited to just two?

          A C.A. wrote "...thinks he's an admin..."

          We muddle through... Our home network is fiber optic 175 Mbps. Three wifi routers filling the 2.4GHz band, two more on 5 GHz. A half-dozen 24-port Gb switches (many spare ports to be honest) wired with Cat 6 STP. Eight desktops. Nine laptops. Half dozen game consoles. Dozen and dozens of gadgets, endless tablets and phones, two Apple TV, two WD TVs, Chromecast, you name it. When I run Fing, I have to scroll. Per network.

          So at home, yes I am the one and only admin. Uptime is enviable. Still learning all the boring, tedious, mind numbing, repetitive settings ("admin" slog) and wondering why the coder drones at MS et al still miss some blindingly obvious things. Like improving DNS.

          My day job is in another tech field. More interesting by my standards. If I ever need someone to supervise the low level formatting of a multi-TB drive, I'll contact you.

          Thanks.

    4. Annihilator
      Thumb Down

      Re: Why are we limited to just two?

      Ignoring the fact that you can add more than 2 DNS servers on a windows box (as already pointed out, click "advanced"), if you're really in need of highly available DNS then having your own DNS to manage this would probably be the way forward. For the majority of home users, 2 is enough.

    5. JeffyPoooh
      Pint

      Re: Why are we limited to just two?

      My recollection was off. It was all the various routers that have two DNS slots. And the growing Internet of Things, who knows where their DNS settings are even located. Thank you for the corrections.

      I still think that there is room for improvement. What you wise and experienced network experts so carefully tweak, clearly true in this DNS area, you could be replaced by about 100 lines of code and some online meta-ness. Maybe an Autopopulate button linked to a reliable online reference. And a default list to bootstrap. Maybe DNS majority voting.

      It's 2014, it should "just work". Why do we even need to notice when a DNS server crashes. With a couple of RFCs, it'd be invisible. Even for Grandma.

  6. Decade
    Trollface

    I'm never buying Belkin network equipment ever

    Seems like less than a week since Belkin suggested that users switch to Google DNS to go online.

    Vendor firmware tends to suck and Belkin is especially stupid.

    1. Long John Brass

      Re: I'm never buying Belkin network equipment ever

      Hehe ... Initially read that as "Voodoo firmware tends to suck and Belkin is especially stupid."

  7. GregC

    And still they believe....

    Those who rely on free, unsupported, services have surely had enough warnings that their optimism may be misplaced.

    In other news, water described as "wet", big flaming ball of hydrogen and helium in the sky "a bit warm" and, bears have been seen defecating in arboreal areas.

    And people are still blindly trusting this shit. Mind. Boggled.

  8. Anonymous Coward
    Anonymous Coward

    Gr8 m8. I rel8, str8 appreci8, and congratul8. I r8 this an 8/8! Plz no h8! I'm str8 ir8. Cre8 more, can't w8!

  9. Henry Wertz 1 Gold badge

    Yeah...

    8.8.8.8 and 8.8.4.4 aren't foolproof. But they sure are a lot faster and more reliable than both Mediacom's (local cable ISP) and Centurylink's (local DSL ISP) DNSes (the ISP DNS's are also both non-compliant, they falsely return an ISP-owned IP for non-existent domains instead of NXDOMAIN.)

    1. Ole Juul

      Re: Yeah...

      I measure 8.8.8.8 as an average 15ms slower than my own ISP. Still, it's in my list.

      I'm actually a little curious as to why someone would have only one entry for DNS resolution. It's not a lot of typing for a small (and free) increment in reliability.

      1. JeffyPoooh
        Pint

        Re: Yeah...

        "...I'm actually a little curious as to why someone would have only one entry for DNS resolution."

        I'm still wondering why, in the year 2014, somebody hasn't automated exactly what you suggest and more. Having a billion+ people all still fiddling with their DNS settings seems a bit unnecessary in this day and age. It would only take about 100 lines of code and multiple online repositories (perhaps another small section within the DNS themselves) to precisely automate it to be optimized. Self learning, etc. Default On, untick if you want manual control.

        IT folks sometimes have a blind spot on such things. They love to fiddle and don't even notice the hours slipping away. I'd prefer it if someone coded it up once, so everyone else can get back to watching cat videos.

        1. JeffyPoooh

          Re: Yeah...

          Same thing with NTP. Why do I need to try this one and try that one and try another one until it finally gets a response. Happens sometimes.

          A tiny tweak to the code and let the code go up and down the list of NTP servers until it gets a response. Send out the initial pings to several NTP servers in parallel so that the human isn't kept waiting.

          Each NTP server should host a list of other NTP servers it considers reliable. Let them score each other. Ranked and voted. So even the list of NTP servers is automatically maintained.

          2014 folks.

    2. Neil Barnes Silver badge

      Re: Yeah...

      My ISP, too - mistype a url and watch your request get punted to the ISP's search engine... bah.

      Don't want alternate searches and did-you-means, want chance to correct type. Bah again.
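A defender's check for the two complaints in this part of the thread, as an added example that is not code from the thread or from any resolver operator: it probes each resolver with a name that exists and a random name that does not, flags resolvers that answer the non-existent name with an address instead of NXDOMAIN, and ranks the rest by latency (the automatic ordering JeffyPoooh asks for earlier). It uses only the Python standard library and raw RFC 1035 UDP queries; the resolver list is built from addresses quoted in the thread and `example.com.` is assumed as the known-good name.

```python
import os
import socket
import struct
import time

# Resolver addresses quoted in the thread; the list itself is constructed for this demo.
RESOLVERS = ["8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"]

def build_query(name, qtype=1, txid=None):
    """Encode a minimal recursive DNS query for `name` in RFC 1035 wire format."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_header(resp):
    """Return (txid, rcode, ancount) from a DNS response header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return txid, flags & 0x000F, ancount

def classify(resp, expect_nxdomain):
    """Classify one probe reply. A compliant resolver answers a name that does not
    exist with RCODE 3 (NXDOMAIN) and no answer records; an answer record there means
    it substitutes its own address, the 'bogus not found' the thread complains about."""
    if resp is None:
        return "fail"
    _txid, rcode, ancount = parse_header(resp)
    if expect_nxdomain:
        if rcode == 3 and ancount == 0:
            return "ok"
        return "hijack" if rcode == 0 and ancount > 0 else "unexpected"
    return "ok" if rcode == 0 and ancount > 0 else "fail"

def probe(server, name, timeout=2.0):
    """Send one A query over UDP; return (reply bytes or None, seconds elapsed)."""
    query = build_query(name)
    start = time.monotonic()
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, 53))
            resp, _addr = sock.recvfrom(4096)
    except OSError:  # socket.timeout is a subclass of OSError
        return None, time.monotonic() - start
    elapsed = time.monotonic() - start
    # Discard a reply whose transaction ID does not match the query we sent.
    return (resp if resp[:2] == query[:2] else None), elapsed

def rank(results):
    """Order (server, known, nx, latency) tuples: resolvers that pass both checks
    first, fastest first; hijacking or failing ones sink to the bottom of the list."""
    return sorted(results, key=lambda r: (r[1] != "ok" or r[2] != "ok", r[3]))

def check_resolvers(servers, known_name="example.com.", timeout=2.0):
    """Live check: probe each server with a real name and a random non-existent one."""
    missing = "nx-" + os.urandom(6).hex() + ".com."  # constructed; should not exist
    results = []
    for server in servers:
        known_resp, latency = probe(server, known_name, timeout)
        nx_resp, _ = probe(server, missing, timeout)
        results.append((server, classify(known_resp, False), classify(nx_resp, True), latency))
    return rank(results)

if __name__ == "__main__":
    for server, known, nx, latency in check_resolvers(RESOLVERS):
        print(f"{server:16} known={known:5} nxdomain={nx:10} {latency * 1000:.0f} ms")
```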

  10. Daniel B.
    Boffin

    Oh please...

    Setting up a recursive search BIND is easy peasy. If you are really concerned, configure iptables (or ipfw) on the box to only allow incoming queries from ISP-controlled networks and/or configure BIND to only serve their networks.

    Anyone relying on 8.8.8.8 who isn't a mortal user is being extremely lazy!

    1. Anonymous Coward
      Anonymous Coward

      Oh DNS...

      Such a BIND

  11. Christian Berger

    Never trust in centralized services

    Sure 8.8.8.8 and 8.8.4.4 are nice stopgap solutions when you don't have the address of a proper DNS server, however you should never rely on them under normal circumstances. After all Google may have technical problems, choose to terminate the service or just go bankrupt at pretty much any moment.

    1. pompurin

      Re: Never trust in centralized services

      Come on, this is ridiculous. Google, the big internet giant just terminating their DNS servers or going bust? Paranoia.

      1. John G Imrie

        Re: Never trust in centralized services

        Google has terminated other services at a whim.

    2. garden-snail
      Stop

      Re: Never trust in centralized services

      All your arguments also apply to "proper DNS servers". You shouldn't be saying, "don't rely on Google DNS" - you should be saying, "don't rely on any single DNS provider".

  12. Anonymous Coward
    Meh

    Bah Humbug

    So doom and gloom and [people are stupid for using it] ??

    Actually, I don't, but after reading this I might; my old ISP's DNS servers spent more time on holiday than the UK Parliament, and OpenDNS is getting soooo sloooow. One outage in I-dont-know-how-many-years is actually pretty good.

    1. Peter2 Silver badge

      Re: Bah Humbug

      Especially if that's one outage somewhere in the world that didn't affect us in I-dont-know-how-many-years.

    2. Jacques Kruger
      Happy

      Re: Bah Humbug

      For me the best combination for DNS used for browsing is openDNS, then Google, then ISP, all cached using dnsmasq on my gateway box. Works, and works very quickly. Sure, OpenDNS may be a bit slow every now and then, but a local cache more than makes up for this IMHO.

    3. JeffyPoooh
      Pint

      Re: Bah Humbug

      "OpenDNS is getting soooo sloooow."

      An automated system should self learn and automatically push slow DNS servers down the list. This would eventually balance the load.

      2014. Geesh.

  13. pompurin

    Personally I use a mix of 8.8.8.8 and 208.67.220.220. If both Google and OpenDNS go down then the internet is borked.

  14. Sir Runcible Spoon
    Joke

    Attack scores a perfect 10!

    When he's at my gate, with a big fat 8.8.8.8

    You wanna see the smile on my face

    And even at my door, with a poor poor 8.8.4.4

    There ain't no man can replace

  15. NogginTheNog

    4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6

    I've been using a selection of the above as forwarders for my local DNS servers for years. If they ever fail the box will still do lookups the long way using the Root hints servers.

    1. Ol' Grumpy

      Re: 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6

      I've been using these but there seems to have been stability problems over the last month or so. I changed to the OpenNIC project and haven't had a problem since. (www.opennicproject.org if anyone is interested)

  16. Zippy's Sausage Factory
    Black Helicopters

    Chinese govt?

    Google public DNS was used widely in a few recent protests, even graffitied onto walls to tell people how to get round local censorship. So I was just wondering... what with Hong Kong and Taiwan... just maybe they were trying to knock down something outside the Great Firewall of China?

  17. ilmari

    Mandatory xkcd

    http://xkcd.com/1361/

  18. Crazy Operations Guy

    And this is why I set up my own DNS boxes

    At first I just used a pair of Pentium 2 boxes with OpenBSD installed running the native 'named' and a script that would pull a copy of InterNIC's root.zone daily. Now I have upgraded them to a pair of Atom machines, added a script to remove all those crappy gTLDs that are springing up nowadays, and added a couple of firewall rules to block all DNS traffic except from those two boxes (Making me immune from all that DNS change malware).

  19. Rainer

    These are not DNS-Servers

    They are not authoritative.

    8.8.8.8 and 8.8.4.4 are resolvers.

    Only because - unfortunately - Microsoft chose to (wrongly) call the tab in the network-configuration dialog "DNS-Servers" doesn't make it right.

    Please, El Reg (an IT publication, although self-proclaimed), actually read a book some time, or read Wikipedia or at least listen to the "Ask Mr DNS" podcast http://www.ask-mrdns.com from Matt Larson and Cricket Liu.

    1. Anonymous Coward
      Anonymous Coward

      Re: These are not DNS-Servers

      Factually you are correct(ish). However, Unix-based systems (at least) will have in /etc/resolv.conf something like:

      domain example.co.uk

      nameserver a.b.c.d

      nameserver e.f.g.h

      So the newbie: Windows using the term "DNS server" in their dialogues is fair enough - they are servers that spit out DNS information. As it turns out, a large proportion of the world refers to non auth resolvers as "DNS servers" or "nameservers".

      I manage many Windows DNS, BIND, PowerDNS, Unbound, et al. and feel I have a pretty good handle on how DNS works. Criticising people for their use of "DNS server" for a "resolver" is pretty low on my list of things to get wound up about. Incidentally, many of those mere "resolvers" may of course be authoritative for some domains. In which case how do you refer to them?

      Perhaps you might also get upset at an Apache instance being used as a reverse proxy being called a "web server".

      Now if you really understood DNS 'n' IP to a level where you can get uptight in public and not expect to be flamed then you would have pointed out that MS's biggest mistake was to make it appear that DNS settings are per interface and not per host.

      ... or to put it another way: how would you like me to refer to a system that does DNS thingies as a resolver, authoritative for some zones and non-authoritative for other zones. I think I'll just call the whole lot of them DNS servers and if I'm not sure what they do but they perform this function then I'll still call them DNS servers. Oh and even if I bother to check the finer details, I'll still call them DNS servers.

      Cheers

      Jon
