Google has launched yet another new service. They now provide a DNS server for the public. DNS is how a computer translates an address that is easy for a human to understand (like www.google.com) into an address that is easy for it to use (188.8.131.52). It can be considered the phonebook for the Internet: it takes "John Smith" and turns it into a number that can be dialed on the phone (342-555-5243).
DNS has been the subject of several vulnerabilities and attacks recently. One of the big ones was the Kaminsky DNS bug in 2008. This bug is a problem in the Domain Name System itself. Like many of the old protocols, DNS dates back to the days when security was not a huge concern, and because of that there have been many security and trust problems over the years. DNS servers send extra records, called glue records, along with their answers to help the DNS client resolve its request. Originally those glue records could contain information for any location on the Internet, and the client would accept them. That gaping hole has been fixed for a long time: servers now check that the glue records belong to the same domain as the answer. That leads into the Kaminsky bug.
The Kaminsky bug affects most name servers through a lack of randomization. Because DNS uses UDP in order to serve large numbers of users efficiently, there is no connection state to track other than what is carried in the DNS messages themselves. DNS requests have a 16-bit query ID attached to them. Old servers just incremented the value for each request. When that became too easy to spoof, several years ago, the value became randomly generated. But 65536 possible values isn't that hard to spoof these days. The problem the Kaminsky bug exposes is that the requests a DNS server makes to answer a query come from a small set of source ports, and often a non-random selection from that set. Servers now randomize the source port over as much of the port space as is not in use. This increases the attack time from about ten seconds to ten hours on a 1 gigabit link, plenty of time for the attack to be noticed.
An attack on DNS is a serious issue. Quoting George Kurtz at McAfee:
If you control the DNS servers, you control the Internet.
Someone who used this bug could gain control of any service on the Internet, even email. SSL won't help: certificate authorities give out certificates based on email verification or web server verification, and both of those depend on DNS. Google is going to have to pay close attention to logs to watch for attacks. They are the first non-ISP DNS service to be marketed to, and known about by, the more mainstream user. A report done on the Google DNS server shows they appear to have sufficient randomness.
What we log
Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users.
We delete these temporary logs within 24 to 48 hours.
In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.
Note this line from the excerpt above.
We don't correlate or combine your information from these logs with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network.
For the privacy freaks out there, these are better terms than those you get from using your ISP's network and DNS. Are you running all communications through Tor? If not, the worst specific information Google keeps for non-abuse purposes is city/metro-level location.
Google touts the speed of their DNS server compared to that of most DNS servers. They keep a large cache for DNS requests to allow as many cache hits as possible. For sites not visited as often, Google has a prefetching service that refreshes entries which are requested often enough to be worth it but would otherwise expire before they are requested again. This also uses DNS data from the web crawler behind Google's search; anything recently crawled by Google will have a cached DNS response available. I have a decent ISP and thus have no need for Google's DNS service. I did a basic speed comparison, and our ISP's DNS beats Google by virtue of being closer. Even more so with a local cache hit: my router responds 8x faster than Google (to be expected). Google does beat my ISP on cache misses, but not by much. However, at school, Google's DNS responds way faster than the on-campus DNS. Note: these numbers are not scientific, and should not be taken to mean anything more than: it's not worth it to me to change my DNS at home.
Google also follows the DNS standard with regard to NXDOMAIN responses. Many public DNS servers, and some ISP servers, respond incorrectly in those cases with the IP of a server of their own that tries to be "helpful". Unfortunately that breaks anything that isn't a web browser.
Test Google's DNS against your current one. If it is faster, use it. If you are on a laptop, consider using it because you can guarantee its functionality and security.
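If you want to do that test yourself, here is a small script I'm adding as an example (my own code, not from the original post and not a Google tool) that covers the three things discussed above: it times a cache miss against a cache hit, it checks whether a resolver answers honestly with NXDOMAIN for a name that cannot exist, and on the client side it applies the same two checks the Kaminsky discussion is about, a fresh random 16-bit transaction ID per query and a socket that only accepts replies from the resolver it asked. It speaks raw DNS over UDP using only the standard library. Assumptions: 8.8.8.8 as Google Public DNS's well-known address (not taken from the post), example.com as the parent for the throwaway NXDOMAIN probe name, and www.google.com as the name to time.

```python
"""Probe recursive resolvers: latency (cache miss vs. hit) and NXDOMAIN honesty.

Added example, not part of the original post or of Google's tooling. Speaks raw
DNS over UDP with only the standard library.
"""
import secrets
import socket
import struct
import sys
import time

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Encode a standard recursive query (RD=1) for `name`, class IN, type A by default."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(packet: bytes, expected_txid: int) -> dict:
    """Decode the 12-byte header; reject replies whose ID does not match ours."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        # A mismatched ID is exactly what a spoofed or stale reply looks like; drop it.
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return {
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": ancount,
        "truncated": bool(flags & 0x0200),  # TC bit: retry over TCP if set
    }


def classify_nxdomain_probe(header: dict) -> str:
    """A name that cannot exist must come back NXDOMAIN with zero answers."""
    if header["rcode"] == 3 and header["answers"] == 0:
        return "honest"
    if header["rcode"] == 0 and header["answers"] > 0:
        return "hijacked"  # resolver substituted its own "helpful" address
    return "inconclusive"


def random_probe_name(domain: str = "example.com") -> str:
    """A label nobody has registered, so the only correct answer is NXDOMAIN."""
    return f"nx-{secrets.token_hex(8)}.{domain}"


def query(resolver: str, name: str, timeout: float = 2.0):
    """Send one query over UDP; return (parsed header, round-trip milliseconds)."""
    txid = secrets.randbelow(1 << 16)  # fresh random 16-bit ID per query
    packet = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # connect() on a UDP socket makes the kernel discard datagrams from any
        # other source address; the OS also picks a random ephemeral source port.
        sock.connect((resolver, 53))
        start = time.perf_counter()
        sock.send(packet)
        data = sock.recv(4096)
        elapsed_ms = (time.perf_counter() - start) * 1000.0
    return parse_response(data, txid), elapsed_ms


def cache_miss_vs_hit(resolver: str, name: str):
    """The first query is (probably) a cache miss; the immediate repeat is a hit."""
    _, miss_ms = query(resolver, name)
    _, hit_ms = query(resolver, name)
    return miss_ms, hit_ms


def audit(resolver: str, name: str = "www.google.com") -> dict:
    """Latency plus NXDOMAIN behaviour for one resolver."""
    miss_ms, hit_ms = cache_miss_vs_hit(resolver, name)
    header, _ = query(resolver, random_probe_name())
    return {"miss_ms": miss_ms, "hit_ms": hit_ms, "nxdomain": classify_nxdomain_probe(header)}


if __name__ == "__main__":
    # 8.8.8.8 is Google Public DNS's well-known address; pass other resolvers on the command line.
    for resolver in sys.argv[1:] or ["8.8.8.8"]:
        try:
            r = audit(resolver)
            print(f"{resolver}: miss {r['miss_ms']:.1f} ms, hit {r['hit_ms']:.1f} ms, NXDOMAIN {r['nxdomain']}")
        except (OSError, ValueError) as exc:
            print(f"{resolver}: error: {exc}")
```

Run it as `python probe.py 8.8.8.8 <your ISP's resolver>` and compare the miss and hit columns; a popular name may already be cached at a big resolver, so the "miss" number is a best effort. A "hijacked" verdict on the NXDOMAIN line is the behaviour that breaks non-browser software. Note that the client-side ID and source-address checks only protect the one hop between you and the resolver; the randomization that matters for the Kaminsky bug is the one the recursive resolver does toward authoritative servers, which you cannot observe from here.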
Google's DNS Configuration Instructions