Passive Observations of a Large DNS Service: 2.5 Years in the Life of Google

Wouter B. De Vries, Roland Van Rijswijk-Deij, Pieter Tjerk De Boer, Aiko Pras

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    15 Citations (Scopus)
    242 Downloads (Pure)

    Abstract

    In 2009 Google launched its Public DNS service, with its characteristic IP address 8.8.8.8. Since then, this service has grown to be the largest and most well-known DNS service in existence. The popularity of public DNS services has been disruptive for Content Delivery Networks (CDNs). CDNs rely on IP information to geo-Iocate clients. This no longer works in the presence of public resolvers, which led to the introduction of the EDNSO Client Subnet extension. ECS allows resolvers to reveal part of a client's IP address to authoritative name servers and helps CDNs pinpoint client origin. A useful side effect of ECS is that it can be used to study the workings of public DNS resolvers. In this paper, we leverage this side effect of ECS to study Google Public DNS. From a dataset of 3.7 billion DNS queries spanning 2.5 years, we extract ECS information and perform a longitudinal analysis of which clients are served from which Point-of-Presence. Our study focuses on two aspects of GPDNS. First, we show that while GPDNS has PoPs in many countries, traffic is frequently routed out of country, even if that was not necessary. Often this reduces performance, and perhaps more importantly, exposes DNS requests to state-level surveillance. Second, we study how GPDNS is used by clients. We show that end-users switch to GPDNS en masse when their ISP's DNS service is unresponsive, and do not switch back. We also find that many e-mail providers configure GPDNS as the resolver for their servers. This raises serious privacy concerns, as DNS queries from mail servers reveal information about hosts they exchange mail with. Because of GPDNS's use of ECS, this sensitive information is not only revealed to Google, but also to any operator of an authoritative name server that receives ECS-enabled queries from GPDNS during the lookup process.

    Original languageEnglish
    Title of host publication2018 Network Traffic Measurement and Analysis Conference (TMA)
    PublisherIEEE
    ISBN (Electronic)978-3-903176-09-6
    ISBN (Print)978-1-5386-7152-8
    DOIs
    Publication statusPublished - 25 Oct 2018
    Event2nd Network Traffic Measurement and Analysis Conference, TMA 2018 - Vienna, Austria
    Duration: 26 Jun 201829 Jun 2018
    Conference number: 2
    http://tma.ifip.org/2018/

    Conference

    Conference2nd Network Traffic Measurement and Analysis Conference, TMA 2018
    Abbreviated titleTMA 2018
    Country/TerritoryAustria
    CityVienna
    Period26/06/1829/06/18
    Internet address

    Keywords

    • 2019 OA procedure

    Fingerprint

    Dive into the research topics of 'Passive Observations of a Large DNS Service: 2.5 Years in the Life of Google'. Together they form a unique fingerprint.

    Cite this