[TriLUG] OpenDNS hijacking google.com addresses?
Aaron Joyner
aaron at joyner.ws
Mon Dec 7 17:00:32 EST 2009
A few things for the tinfoil hat wearers amongst us. I'll start off
by disclaiming my biases. Google signs my paychecks, and I
interviewed the author of namebench (Thomas Stromberg) when he came to
Google, and have worked with him in the same group ever since. He
asked me to code review namebench, but I didn't make the time before
release (others have, I was on paternity leave). Of course, I write
here representing only myself, not Google in any way. With that out
of the way...
You can easily test this for yourself. Try running the following
command from your favorite linux box:
$ dig +noall +answer www.google.com @208.67.222.222
www.google.com. 30 IN CNAME google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN A 208.67.217.231
google.navigation.opendns.com. 30 IN A 208.67.217.230
That's the OpenDNS nameserver returning what most people would call
either an "alternate" or "hijacked" result for google.com, depending
on how inflammatory you'd like to be. It's certainly not the result
returned by the server they return as the authoritative DNS for the
same query, which a recursive DNS resolver would be expected (or if
you want to be inflammatory, required by the RFCs) to return:
$ dig +noall +answer NS google.com @208.67.222.222
google.com. 170328 IN NS ns1.google.com.
google.com. 170328 IN NS ns2.google.com.
google.com. 170328 IN NS ns3.google.com.
google.com. 170328 IN NS ns4.google.com.
$ dig +noall +answer NS www.google.com @ns1.google.com
www.google.com. 604800 IN CNAME www.l.google.com.
OpenDNS has an explanation for this on their blog, involving
complaints about a deal between Google and Dell, and that what they're
doing is essentially "verifying" that you're not being hijacked by
someone else:
http://blog.opendns.com/2007/05/22/google-turns-the-page/
At the least, this redirects all www.google.com searches through
OpenDNS's servers, allowing them to log and/or to potentially modify
queries and/or results in-flight. As stated on the previous page,
they say they don't do that. I'll leave that speculation to the
tin-foil hat crew.
So, in short, yes, namebench is accurately assessing that OpenDNS
returns a different result for google.com, at least from the examples
I have seen. OpenDNS says they do this in the interest of improving
the experience for the user. My advice is that each user must make an
informed decision about the risks and tradeoffs of the service
provided by OpenDNS.
Aaron S. Joyner
On Mon, Dec 7, 2009 at 1:57 PM, Paul McLanahan <pmclanahan at gmail.com> wrote:
> On Mon, Dec 7, 2009 at 1:40 PM, Alan Porter <porter at trilug.org> wrote:
>> Tinfoil hats ready...
>>
>> I run dnsmasq on my machines, and I normally point it to
>> use OpenDNS as its upstream source. When I ask it for
>> www.google.com, it does *not* resolve to an opendns address.
>
> Great! Thanks for checking into that Alan. Not sure what crack that
> namebench app was smoking. But that opendns subdomain does exist and
> appear to be a proxy to google. The namebench app is a 20% project of
> a googler, maybe they're unhappy w/ OpenDNS for some other reason? It
> did recommend OpenDNS for me though... who knows??!?!?!!
>
> Thanks,
>
> Paul
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG FAQ : http://www.trilug.org/wiki/Frequently_Asked_Questions
>
More information about the TriLUG
mailing list