Why using Google DNS / OpenDNS is a bad idea

A post at TUAW today recommends you change your DNS provider to a service like Google DNS for faster performance. If you are located outside the US — like I am and like most APC readers are — this is a bad idea. I only discovered why after experiencing slow download speeds for several months.

Like other tech enthusiasts, I jumped at the opportunity to switch my computer’s domain name server settings away from my ISP’s defaults to — I assumed — the much larger and faster Google DNS servers at 8.8.8.8 and 8.8.4.4 when they were first announced.

If you’re not familiar with what exactly DNS servers do: they translate the web address you type into your browser into the actual IP address of the internet server you’re connecting to at the other end. For example, a DNS server will convert “apcmag.com” typed into your browser address bar into “125.7.5.1”, which is the IP address of our server at Macquarie Telecom’s datacentre.

DNS servers can be one cause (among many) of slowness in your web browsing. If your ISP’s DNS server is overloaded and responding slowly, you may experience a delay of seconds each time you go to a web address that your computer hasn’t seen recently (and therefore has to ask a DNS server for the corresponding IP address).

This is one of the problems that third-party public DNS providers like Google DNS and OpenDNS are supposed to fix — faster, more reliable lookups.

However, it was Simon Hackett, CEO of Internode, whom I bumped into at a function, who warned me off using third-party DNS servers located overseas such as Google DNS or OpenDNS. (By the way, if I’ve got any of the technical details wrong in this article it’s much more likely to be my fault than Simon’s…!)

The key reason they’re bad is that they stuff up your computer’s ability to find the closest Akamai server to you. Akamai is the worldwide system which places massive file servers inside ISP data centres worldwide — so that when you download a big file like a Windows or Mac OS X update or a TV show or movie from iTunes it downloads from a server that’s very close to you and therefore pumps down your line as fast as your ADSL2+ can handle. (The primary selling point of Akamai is that it avoids server overload when everyone tries to download something at once but a secondary selling point is that you’re downloading a file from a local server inside your ISP or at least in your country so that the trip between the file server and you is as short/fast as possible.)

If you use a US-based DNS server, your “closest” Akamai cache will instead be chosen as being in the US, and you’ll get crummy download speeds as your file trickles over the international link.
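One way to check this for yourself, as an added example that is not from the article: the script below speaks raw DNS over UDP (no third-party library) so you can ask several resolvers for the same CDN-fronted hostname and compare the A records each hands back. The hostname you test and your ISP’s resolver address are values you supply; the sample reply embedded at the bottom is constructed for offline testing, not captured traffic.

```python
import socket, struct

def build_query(name, txid=0x1234):
    """Encode a recursive A/IN query for name in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):  # return the offset just past a (possibly compressed) name
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if (ln & 0xC0) == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + ln

def parse_a_records(msg):
    """Collect the IPv4 addresses in the answer section; CNAMEs etc. are skipped."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve(name, resolver, timeout=3.0):
    """Send one UDP query to resolver (port 53) and return the A records it answers."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch: discarding reply")
    return parse_a_records(data)

# Constructed sample reply (not captured traffic): question apcmag.com A, then a
# CNAME answer and an A answer, both using compression pointers to the question name.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x06apcmag\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 2) + b"\xc0\x0c"
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([125, 7, 5, 1]))
```

Call resolve() once per resolver for the same hostname (your ISP’s resolver and, say, 8.8.8.8) and compare the address sets: if the public resolver returns addresses far from your ISP’s network, the CDN is steering by the resolver’s location rather than yours. Some public resolvers pass part of the client address along via EDNS Client Subnet, which narrows this gap, so check rather than assume.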

In my case this meant that iTunes downloads were coming down at a couple of hundred kilobytes per second rather than the 1.9MB/s I was accustomed to before I changed my DNS servers to Google DNS and OpenDNS.

Don’t get me wrong — there are some distinct advantages to using reliable servers from companies that specialise in providing DNS, such as much faster refresh of DNS records when new domains are registered or websites change their IP addresses, DNS-level blocking of known phishing sites, and so on.

But when they claim you’ll get faster speed by using them, they’re conveniently forgetting to mention that if you’re not located in the US they could badly slow down your speed when downloading from distributed caches like Akamai.

Admittedly, part of the problem is the design of Akamai — it is to an extent a ‘hack’ of the DNS system (not in the illegal sense, but in the sense that they’re using the DNS system in a way it was not quite designed for initially). I have contacted Akamai’s senior PR people twice and asked if they’re investigating any way of mitigating the problem when people use DNS servers outside their local geography, but I haven’t heard back.

Of course, if Google DNS, OpenDNS or other public DNS providers put servers into Australia the problem would be largely gone. But until they do, my advice is to stick with the DNS provided by your ISP. To their credit, OpenDNS is reasonably up-front about this problem (though it’s not something they advertise on their homepage, so most users wouldn’t be aware of it).

UPDATE: Phil Sweeney from Whirlpool reminded me that using a third-party DNS service can also screw up your ISP’s quota-free downloads. For example, iiNet provides unmetered downloads from Apple’s iTunes Store, which is great if you like to buy TV series and rent/buy movies on iTunes. However, if you change your DNS to OpenDNS or Google DNS you’ll be pulling the content from an Akamai server overseas rather than the one in iiNet’s network that is designated for free downloads. As a result you will be charged for those downloads.

  • John Wood

    I know it’s a bit late (2010 vs 2014), but Google’s 8.8.8.8 is a geo-located IP address – meaning that no matter where you are in the world, it’ll use the server closest to you… Also, to point out your second correction, once you have a connection to an IP address, DNS doesn’t apply – its only job is to point you in the right direction.

  • Brenden Spud

    Your second point is simply not true John. If your network adapter is still pointed at the DNS (say…. Google’s) after resolution, then it (the adapter) will call back on the server whenever it runs into another IP address it doesn’t know about.
    Now… if you knew what sites you were ONLY going to visit, and what their related IP addresses were, presuming they’re static, THEN there would be no need for the DNS server… but that is a lot of tedious boring work you would have to do. Which is why DNS servers exist in the first place!

  • Henry Hertz Hobbit (http://nomoredst.blogspot.com)

    I am sorry. This will be a long but hopefully educational response.

    John Wood, better late than never. Your point is correct. Google does not have just one set of servers at those IPv4 addresses but many. My problems with Google DNS in the past were that they just weren’t as good as I wished they had been. That was with just IPv4. IPv6 brings on a whole new set of complications.

    Until I had IPv6 capable routers my machines graciously had their LAN IPv4 set by the static method (which requires digging because each Linux distro is different). I also use /etc/ethers to have the MAC + IPv4 in the ARP tables, especially for my HP-LJ4P printer which speaks only IPv4. I don’t even want the slightest chance of IPv4 spoofing. I will need to also handle IPv6 fairly soon.

    Now, let’s lower the boom. I was getting good results from OpenDNS distributed service with an IPv4 only router. The millisecond an IPv6 router replaced my IPv4 router (that one died) I got yet another set of IP addresses for dead hosts over what I had for IPv4 from OpenDNS. Why? OpenDNS detects my IPv6 and uses that as a criterion rather than my IPv4 free setting that says give me the correct IPv4 address or report that it has no IPv4 address. More on that in a moment. If I go to those hosts in question in the browser I get a google-like search page from OpenDNS. Is the beast dead or not? If it is dead (not in DNS) say it is dead and move on. But you want it to really show that it is dead in a script, and how is the DNS server to know that you are interactive or using a DNS checking script?

    I have two main activities. One is to review phish at PhishTank for whether they are still a phish or not. Things change rapidly, with somebody 15 minutes ahead of you seeing the phish, but for you they have taken the server down to fix the problem or the phish just doesn’t stick and you end up with barfed PHP script on your web page or corrections have been made, etcetera. I also help at MalwareDomainList and for myself in block lists of malware hosts. The last thing I need is a DNS service or something else between me and whatever saying this host has phish or malware. *I* am the one that is determining whether it still has a phish or malware. One of the last things you want to do is mark a normal domain (that just means most of the time it gives something useful to people) as good to go if it will still infect people’s machines. You also don’t want to tell people something is still bad when the problem has been fixed. Let me just say this is a lot more complicated than you think it is. Even parkers are now randomly redirecting you back out to the Internet about 5% to 15% of the time and the rest of the time putting up a park page. Some of those redirects have been to ad-ware / spy-ware.

    DNS servers can be a controversial topic. Should we use djbdns (Dan J. Bernstein’s DNS), BIND, or roll our own (only for people like Google)? All I know is that I am like the Boulder NIST time-keepers. They cannot get accurate enough time and as I write this are busily replacing Cesium clocks with even better ones. I want the best DNS results I can get. Giving different IP addresses (either IPv4 or IPv6) is not at all helpful to me. I frown on that. Do all of the servers have a malware redirector or do just one or a few of the multiple servers do that? That starts looking like the 3-4 end to end hosts where the first redirection randomly only redirects 5% to 25% of the people coming by towards the malware. Server people should try a static IP that is very much like Google’s and OpenDNS servers for the host itself. The DNS server giving either an IPv4 or IPv6 address when in fact it is an NXDomain is similarly a nuisance. You want the most accurate IPv4 or IPv6 information you can get.

    What brought me here? Searching for just those DNS servers for a second or third pass when the first set of DNS servers failed. You learn to wait at least 2-3 days for the second pass for the purportedly dead hosts being run through DNS again as well. Frequently the DNS server was just temporarily down. Until IPv6 entered the mix, OpenDNS with a setting of do nothing was great. Now it isn’t good for the browser. Until I can verify the “-4” gives good results using OpenDNS it is also suspicious even for scripts. But it is forbidden for phish checking. OTOH, it may be totally appropriate for normal people with normal needs.

  • Jack JillyWithIt

    Jack was here today. You are most welcome.

  • Dhaval Brahmbhatt

    This is such a bullshit article. You need to get your basics right. If you just understand how DNS cache works, you will know that Google’s DNS servers have a bigger cache than your ISP’s servers. It’s not in the financial interest of your ISP to invest in better DNS infrastructure, and I have heard from so many ISPs who themselves recommend using OpenDNS or Google DNS. ISPs never brag about their DNS response time in their ads, and for the right reasons.