Passive Observations of a Large DNS Service: 2.5 Years in the Life of Google

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Academic > peer-review

1 Citation (Scopus)
8 Downloads (Pure)

Abstract

In 2009 Google launched its Public DNS service, with its characteristic IP address 8.8.8.8. Since then, this service has grown to be the largest and most well-known DNS service in existence. The popularity of public DNS services has been disruptive for Content Delivery Networks (CDNs). CDNs rely on IP information to geo-locate clients. This no longer works in the presence of public resolvers, which led to the introduction of the EDNS0 Client Subnet extension. ECS allows resolvers to reveal part of a client's IP address to authoritative name servers and helps CDNs pinpoint client origin. A useful side effect of ECS is that it can be used to study the workings of public DNS resolvers. In this paper, we leverage this side effect of ECS to study Google Public DNS. From a dataset of 3.7 billion DNS queries spanning 2.5 years, we extract ECS information and perform a longitudinal analysis of which clients are served from which Point-of-Presence. Our study focuses on two aspects of GPDNS. First, we show that while GPDNS has PoPs in many countries, traffic is frequently routed out of country, even if that was not necessary. Often this reduces performance, and perhaps more importantly, exposes DNS requests to state-level surveillance. Second, we study how GPDNS is used by clients. We show that end-users switch to GPDNS en masse when their ISP's DNS service is unresponsive, and do not switch back. We also find that many e-mail providers configure GPDNS as the resolver for their servers. This raises serious privacy concerns, as DNS queries from mail servers reveal information about hosts they exchange mail with. Because of GPDNS's use of ECS, this sensitive information is not only revealed to Google, but also to any operator of an authoritative name server that receives ECS-enabled queries from GPDNS during the lookup process.
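To make concrete what the abstract calls "extracting ECS information" from a query, the following added example (not code from the paper or its authors) builds a constructed DNS query carrying an EDNS0 Client Subnet option and parses the client subnet and scope back out of the wire format. RR type 41 (OPT) and option code 8 (ECS) are the values assigned by RFC 6891 and RFC 7871; the query name and ID are constructed sample values.

```python
import ipaddress
import struct

def build_sample_query(client_net: str) -> bytes:
    # Constructed A query for example.com carrying an EDNS0 OPT RR with an ECS option.
    net = ipaddress.ip_network(client_net, strict=False)
    family, src = (1 if net.version == 4 else 2), net.prefixlen
    addr = net.network_address.packed[:(src + 7) // 8]   # RFC 7871: ceil(prefix/8) bytes
    ecs = struct.pack("!HBB", family, src, 0) + addr     # family, source prefix, scope 0
    option = struct.pack("!HH", 8, len(ecs)) + ecs       # option code 8 = ECS
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # id, RD, QD=1, AR=1
    qname = b"".join(bytes([len(x)]) + x for x in b"example.com".split(b".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(option)) + option
    return header + question + opt_rr

def _skip_name(msg: bytes, off: int) -> int:
    # Advance past a domain name; a compression pointer (top two bits set) ends it.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def extract_ecs(msg: bytes):
    # Return (client subnet, scope prefix length) from the ECS option, or None.
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                   # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != 41:                                  # not the OPT pseudo-RR
            continue
        pos = 0
        while pos + 4 <= len(rdata):                     # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code != 8:
                continue
            family, src, scope = struct.unpack("!HBB", body[:4])
            addr = body[4:].ljust(4 if family == 1 else 16, b"\x00")   # re-pad to full length
            net = ipaddress.ip_network(f"{ipaddress.ip_address(addr)}/{src}", strict=False)
            return net, scope
    return None
```

Run over captured queries instead of the constructed one, the returned subnet is exactly the client-origin information the paper's longitudinal analysis is built on, and what any ECS-receiving authoritative operator also sees.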

Original language: English
Title of host publication: 2018 Network Traffic Measurement and Analysis Conference (TMA)
Publisher: IEEE
ISBN (Electronic): 978-3-903176-09-6
ISBN (Print): 978-1-5386-7152-8
DOIs: 10.23919/TMA.2018.8506536
Publication status: Published - 25 Oct 2018

Fingerprint

Servers
Switches
Google
Query
Side effects

Cite this

De Vries, W. B., Van Rijswijk-Deij, R., De Boer, P. T., & Pras, A. (2018). Passive Observations of a Large DNS Service: 2.5 Years in the Life of Google. In 2018 Network Traffic Measurement and Analysis Conference (TMA) [8506536] IEEE. https://doi.org/10.23919/TMA.2018.8506536
De Vries, Wouter B. ; Van Rijswijk-Deij, Roland ; De Boer, Pieter Tjerk ; Pras, Aiko. / Passive Observations of a Large DNS Service : 2.5 Years in the Life of Google. 2018 Network Traffic Measurement and Analysis Conference (TMA). IEEE, 2018.
@inproceedings{98d41a803ddc477e8b62d76db5010bdc,
title = "Passive Observations of a Large DNS Service: 2.5 Years in the Life of Google",
abstract = "In 2009 Google launched its Public DNS service, with its characteristic IP address 8.8.8.8. Since then, this service has grown to be the largest and most well-known DNS service in existence. The popularity of public DNS services has been disruptive for Content Delivery Networks (CDNs). CDNs rely on IP information to geo-locate clients. This no longer works in the presence of public resolvers, which led to the introduction of the EDNS0 Client Subnet extension. ECS allows resolvers to reveal part of a client's IP address to authoritative name servers and helps CDNs pinpoint client origin. A useful side effect of ECS is that it can be used to study the workings of public DNS resolvers. In this paper, we leverage this side effect of ECS to study Google Public DNS. From a dataset of 3.7 billion DNS queries spanning 2.5 years, we extract ECS information and perform a longitudinal analysis of which clients are served from which Point-of-Presence. Our study focuses on two aspects of GPDNS. First, we show that while GPDNS has PoPs in many countries, traffic is frequently routed out of country, even if that was not necessary. Often this reduces performance, and perhaps more importantly, exposes DNS requests to state-level surveillance. Second, we study how GPDNS is used by clients. We show that end-users switch to GPDNS en masse when their ISP's DNS service is unresponsive, and do not switch back. We also find that many e-mail providers configure GPDNS as the resolver for their servers. This raises serious privacy concerns, as DNS queries from mail servers reveal information about hosts they exchange mail with. Because of GPDNS's use of ECS, this sensitive information is not only revealed to Google, but also to any operator of an authoritative name server that receives ECS-enabled queries from GPDNS during the lookup process.",
author = "{De Vries}, {Wouter B.} and {Van Rijswijk-Deij}, Roland and {De Boer}, {Pieter Tjerk} and Aiko Pras",
year = "2018",
month = "10",
day = "25",
doi = "10.23919/TMA.2018.8506536",
language = "English",
isbn = "978-1-5386-7152-8",
booktitle = "2018 Network Traffic Measurement and Analysis Conference (TMA)",
publisher = "IEEE",
address = "United States",
}

De Vries, WB, Van Rijswijk-Deij, R, De Boer, PT & Pras, A 2018, Passive Observations of a Large DNS Service: 2.5 Years in the Life of Google. in 2018 Network Traffic Measurement and Analysis Conference (TMA)., 8506536, IEEE. https://doi.org/10.23919/TMA.2018.8506536

Passive Observations of a Large DNS Service : 2.5 Years in the Life of Google. / De Vries, Wouter B.; Van Rijswijk-Deij, Roland; De Boer, Pieter Tjerk; Pras, Aiko.

2018 Network Traffic Measurement and Analysis Conference (TMA). IEEE, 2018. 8506536.


TY - GEN

T1 - Passive Observations of a Large DNS Service

T2 - 2.5 Years in the Life of Google

AU - De Vries, Wouter B.

AU - Van Rijswijk-Deij, Roland

AU - De Boer, Pieter Tjerk

AU - Pras, Aiko

PY - 2018/10/25

Y1 - 2018/10/25

N2 - In 2009 Google launched its Public DNS service, with its characteristic IP address 8.8.8.8. Since then, this service has grown to be the largest and most well-known DNS service in existence. The popularity of public DNS services has been disruptive for Content Delivery Networks (CDNs). CDNs rely on IP information to geo-locate clients. This no longer works in the presence of public resolvers, which led to the introduction of the EDNS0 Client Subnet extension. ECS allows resolvers to reveal part of a client's IP address to authoritative name servers and helps CDNs pinpoint client origin. A useful side effect of ECS is that it can be used to study the workings of public DNS resolvers. In this paper, we leverage this side effect of ECS to study Google Public DNS. From a dataset of 3.7 billion DNS queries spanning 2.5 years, we extract ECS information and perform a longitudinal analysis of which clients are served from which Point-of-Presence. Our study focuses on two aspects of GPDNS. First, we show that while GPDNS has PoPs in many countries, traffic is frequently routed out of country, even if that was not necessary. Often this reduces performance, and perhaps more importantly, exposes DNS requests to state-level surveillance. Second, we study how GPDNS is used by clients. We show that end-users switch to GPDNS en masse when their ISP's DNS service is unresponsive, and do not switch back. We also find that many e-mail providers configure GPDNS as the resolver for their servers. This raises serious privacy concerns, as DNS queries from mail servers reveal information about hosts they exchange mail with. Because of GPDNS's use of ECS, this sensitive information is not only revealed to Google, but also to any operator of an authoritative name server that receives ECS-enabled queries from GPDNS during the lookup process.

AB - In 2009 Google launched its Public DNS service, with its characteristic IP address 8.8.8.8. Since then, this service has grown to be the largest and most well-known DNS service in existence. The popularity of public DNS services has been disruptive for Content Delivery Networks (CDNs). CDNs rely on IP information to geo-locate clients. This no longer works in the presence of public resolvers, which led to the introduction of the EDNS0 Client Subnet extension. ECS allows resolvers to reveal part of a client's IP address to authoritative name servers and helps CDNs pinpoint client origin. A useful side effect of ECS is that it can be used to study the workings of public DNS resolvers. In this paper, we leverage this side effect of ECS to study Google Public DNS. From a dataset of 3.7 billion DNS queries spanning 2.5 years, we extract ECS information and perform a longitudinal analysis of which clients are served from which Point-of-Presence. Our study focuses on two aspects of GPDNS. First, we show that while GPDNS has PoPs in many countries, traffic is frequently routed out of country, even if that was not necessary. Often this reduces performance, and perhaps more importantly, exposes DNS requests to state-level surveillance. Second, we study how GPDNS is used by clients. We show that end-users switch to GPDNS en masse when their ISP's DNS service is unresponsive, and do not switch back. We also find that many e-mail providers configure GPDNS as the resolver for their servers. This raises serious privacy concerns, as DNS queries from mail servers reveal information about hosts they exchange mail with. Because of GPDNS's use of ECS, this sensitive information is not only revealed to Google, but also to any operator of an authoritative name server that receives ECS-enabled queries from GPDNS during the lookup process.

UR - http://www.scopus.com/inward/record.url?scp=85057269303&partnerID=8YFLogxK

U2 - 10.23919/TMA.2018.8506536

DO - 10.23919/TMA.2018.8506536

M3 - Conference contribution

SN - 978-1-5386-7152-8

BT - 2018 Network Traffic Measurement and Analysis Conference (TMA)

PB - IEEE

ER -

De Vries WB, Van Rijswijk-Deij R, De Boer PT, Pras A. Passive Observations of a Large DNS Service: 2.5 Years in the Life of Google. In 2018 Network Traffic Measurement and Analysis Conference (TMA). IEEE. 2018. 8506536 https://doi.org/10.23919/TMA.2018.8506536