Why using Google DNS / OpenDNS is a bad idea

A post at TUAW today recommends you change your DNS provider to a service like Google DNS for faster performance. If you are located outside the US — like I am and like most APC readers are — this is a bad idea. I only discovered why after experiencing slow download speeds for several months.

Like other tech enthusiasts I jumped on the opportunity to switch my computer’s domain name server settings away from my ISP’s defaults to — I assumed — the much larger and faster Google DNS servers at 8.8.8.8 and 8.8.4.4 when they were first announced.

If you’re not familiar with what DNS servers do: they translate the web address you type into your browser into the IP address of the internet server you’re actually connecting to at the other end. For example, a DNS server will convert “apcmag.com”, typed into your browser’s address bar, into “125.7.5.1”, which is the IP address of our server at Macquarie Telecom’s datacentre.

DNS servers can be one cause (among many) of slow web browsing. If your ISP’s DNS server is overloaded and responding slowly, you may experience a delay of several seconds each time you go to a web address your computer hasn’t seen recently (and therefore has to ask a DNS server for the corresponding IP address).

This is one of the problems that third-party public DNS providers like Google DNS and OpenDNS are supposed to fix — faster, more reliable lookups.

However, it was Simon Hackett, CEO of Internode, whom I bumped into at a function, who warned me off using third-party DNS servers located overseas such as Google DNS or OpenDNS. (By the way, if I’ve got any of the technical details wrong in this article, it’s much more likely to be my fault than Simon’s…!)

The key reason they’re bad is that they stuff up your computer’s ability to find the closest Akamai server to you. Akamai is a worldwide content delivery network which places massive file servers inside ISP data centres around the world, so that when you download a big file like a Windows or Mac OS X update, or a TV show or movie from iTunes, it downloads from a server that’s very close to you and therefore pumps down your line as fast as your ADSL2+ can handle. (The primary selling point of Akamai is that it avoids server overload when everyone tries to download something at once, but a secondary selling point is that you’re downloading a file from a local server inside your ISP, or at least in your country, so that the trip between the file server and you is as short and fast as possible.)

If you use a US-based DNS server, Akamai’s name servers see the lookup arriving from a resolver in the US rather than from you, so your “closest” Akamai cache will be chosen as one in the US, and you’ll get crummy download speeds as your file trickles over the international link.

In my case this meant that iTunes downloads were coming down at a couple of hundred kilobytes per second rather than the 1.9MB/s I was accustomed to before I changed my DNS servers to Google DNS and OpenDNS.

Don’t get me wrong — there are some distinct advantages to using reliable servers from companies that specialise in providing DNS: much faster refresh of their DNS records when new domains are registered or websites change their IP addresses, DNS-level blocking of known phishing sites, and so on.

But when they claim you’ll get faster speeds by using them, they’re conveniently forgetting to mention that if you’re not located in the US, they could badly slow down your downloads from distributed caches like Akamai.

Admittedly, part of the problem is the design of Akamai — it is, to an extent, a ‘hack’ of the DNS system (not in the illegal sense, but in the sense that it uses DNS in a way it was not originally designed for). I have contacted Akamai’s senior PR people twice and asked whether they’re investigating any way of mitigating the problem when people use DNS servers outside their local geography, but I haven’t heard back.

Of course, if Google DNS, OpenDNS or other public DNS providers put servers into Australia, the problem would be largely gone. But until they do, my advice is to stick with the DNS provided by your ISP. To their credit, OpenDNS is reasonably up-front about this problem (though it’s not something they advertise on their homepage, so most users wouldn’t be aware of it).

UPDATE: Phil Sweeney from Whirlpool reminded me that using a third-party DNS service can also screw up your ISP’s quota-free downloads. For example, iiNet provides unmetered downloads from Apple’s iTunes Store, which is great if you like to buy TV series and rent or buy movies on iTunes. However, if you change your DNS to OpenDNS or Google DNS, you’ll be pulling the content from an Akamai server overseas rather than the one in iiNet’s network that is designated for free downloads. As a result, you will be charged for those downloads.
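To make the mechanism concrete, here is an added Python model (not code from APC, Akamai or any DNS provider) of how a CDN’s authoritative name server picks an edge: without EDNS Client Subnet (RFC 7871) it can only geolocate the resolver that asked, so an overseas resolver gets an overseas edge; with ECS the resolver forwards the client’s network and the answer is local again. All prefixes, regions and edge addresses are constructed TEST-NET values, and the region table is a stand-in for a real geolocation database.

```python
import ipaddress
from typing import Optional

# Constructed prefix-to-region table standing in for a CDN's geolocation
# database. TEST-NET ranges only; these are not real ISP or resolver allocations.
REGION_OF_PREFIX = {
    "203.0.113.0/24": "AU",   # an Australian ISP's customers and its resolver
    "198.51.100.0/24": "US",  # where an overseas public resolver appears to sit
}
# Constructed edge-server addresses per region (not real CDN nodes).
EDGE_OF_REGION = {"AU": "192.0.2.10", "US": "192.0.2.20"}
DEFAULT_REGION = "US"  # used when neither signal matches the table


def region_for(ip: str) -> str:
    """Longest-prefix match of an address against the constructed table."""
    addr = ipaddress.ip_address(ip)
    best_len, best_region = -1, "UNKNOWN"
    for prefix, region in REGION_OF_PREFIX.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_region = net.prefixlen, region
    return best_region


def authoritative_answer(resolver_ip: str, ecs_subnet: Optional[str] = None) -> str:
    """CDN authoritative server choosing an edge for one query.
    Without EDNS Client Subnet the only location signal is the recursive
    resolver's source address; with ECS (RFC 7871) the resolver attaches a
    truncated client prefix and the edge is chosen for that instead."""
    if ecs_subnet:
        client_net = ipaddress.ip_network(ecs_subnet, strict=False)
        region = region_for(str(client_net.network_address))
    else:
        region = region_for(resolver_ip)
    if region == "UNKNOWN":
        region = DEFAULT_REGION
    return EDGE_OF_REGION[region]


def scenarios() -> dict:
    """The lookups discussed in the article, for one Australian client."""
    return {
        # ISP resolver sits in the same prefix as the customer: local edge.
        "isp_resolver": authoritative_answer("203.0.113.2"),
        # Overseas public resolver, no ECS: the CDN only sees a US address.
        "overseas_resolver": authoritative_answer("198.51.100.8"),
        # Same overseas resolver, but forwarding the client's /24 via ECS.
        "overseas_resolver_ecs": authoritative_answer("198.51.100.8", "203.0.113.0/24"),
    }
```

The middle scenario is the article’s slow-iTunes case; the third shows why the problem only goes away once both the resolver sends ECS and the CDN’s authoritative servers honour it.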

  • John Wood

    I know it’s a bit late (2010 vs 2014), but Google’s 8.8.8.8 is a geo-located IP address – meaning that no matter where you are in the world, it’ll use the server closest to you… Also, to point out your second correction, once you have a connection to an IP address, DNS doesn’t apply – its only job is to point you in the right direction.

    • Bharat Kumar

      But Google uses its own IPs, even for their DNS servers.
      The location of the IPs (DNS) determines where your request gets resolved, per the note from venkin below. So unless Google shares the geo-location of their DNS IPs, you don’t get pointed in the right direction!

      • John Wood

        There is no need to share the physical location of the servers, as the 8.8.8.8 IP address always points to the closest server to you – that’s what a geo-located IP address is. For example, in the UK I get the UK DNS server; when I go to the US, I get a server in the US – all using that one IP address.

        • Bharat Kumar

          I started investigating when I was taken to servers in Japan and Korea for India-based services. That’s when I was told a request (to auth DNSs) from 8.8.8.8 is seen as ‘mapped’ from outside India.

  • Brenden Spud

    Your second point is simply not true, John. If your network adapter is still pointed at the DNS (say… Google’s) after resolution, then it (the adapter) will call back on the server whenever it runs into another IP address it doesn’t know about.
    Now… if you knew what sites you were ONLY going to visit, and what their related IP addresses were, presuming they’re static, THEN there would be no need for the DNS server… but that is a lot of tedious, boring work you would have to do. Which is why DNS servers exist in the first place!

    • John Wood

      Not sure you understood what I was trying to say.

      Once you query a DNS server for an IP address, according to the RFC (and common sense!), your software (IE, Chrome, Win 7, Linux etc. – not your adaptor!) doesn’t ask for the IP address again for a certain amount of time (why check the phonebook again when you’ve only just hung up?)

      It’s only the time taken for the initial request that is important.

  • http://nomoredst.blogspot.com Henry Hertz Hobbit

    I am sorry. This will be a long but hopefully educational response.

    John Wood, better late than never. Your point is correct. Google does not have just one set of servers at those IPv4 addresses but many. My problems with Google DNS in the past was that they just weren’t as good as I wished they had been. That was with just IPv4. IPv6 brings on a whole new set of complications.

    Until I had IPv6-capable routers my machines graciously had their LAN IPv4 set by the static method (which requires digging because each Linux distro is different). I also use /etc/ethers to have the MAC + IPv4 in the ARP tables, especially for my HP-LJ4P printer which speaks only IPv4. I don’t even want the slightest chance of IPv4 spoofing. I will need to also handle IPv6 fairly soon.

    Now, let’s lower the boom. I was getting good results from OpenDNS distributed service with an IPv4-only router. The millisecond an IPv6 router replaced my IPv4 router (that one died) I got yet another set of IP addresses for dead hosts over what I had for IPv4 from OpenDNS. Why? OpenDNS detects my IPv6 and uses that as a criterion rather than my IPv4 free setting that says give me the correct IPv4 address or report that it has no IPv4 address. More on that in a moment. If I go to those hosts in question in the browser I get a google-like search page from OpenDNS. Is the beast dead or not? If it is dead (not in DNS) say it is dead and move on. But you want it to really show that it is dead in a script, and how is the DNS server to know that you are interactive or using a DNS checking script?

    I have two main activities. One is reviewing phish at PhishTank for whether they are still a phish or not. Things change rapidly, with somebody 15 minutes ahead of you seeing the phish, but for you they have taken the server down to fix the problem or the phish just doesn’t stick and you end up with barfed PHP script on your web page or corrections have been made, etcetera. I also help at MalwareDomainList and for myself in block lists of malware hosts. The last thing I need is a DNS service or something else between me and whatever saying this host has phish or malware. *I* am the one that is determining whether it still has a phish or malware. One of the last things you want to do is mark a normal domain (that just means most of the time it gives something useful to people) as good to go if it will still infect people’s machines. You also don’t want to tell people something is still bad when the problem has been fixed. Let me just say this is a lot more complicated than you think it is. Even parkers are now randomly redirecting you back out to the Internet about 5% to 15% of the time and the rest of the time putting up a park page. Some of those redirects have been to ad-ware / spy-ware.

    DNS servers can be a controversial topic. Should we use djbdns (Dan J Bernstein’s DNS) BIND, or roll our own (only for people like Google)? All I know is that I am like the Boulder NIST time-keepers. They cannot get accurate enough time and as I write this are busily replacing Cesium clocks with even better ones. I want the best DNS results I can get. Giving different IP addresses (either IPv4 or IPv6) is not at all helpful to me. I frown on that. Do all of the servers have a malware redirector or do just one or a few of the multiple servers do that? That starts looking like the 3-4 end to end hosts where the first redirection randomly only redirects 5% to 25% of the people coming by towards the malware. Server people should try a static IP that is very much like Google’s and OpenDNS servers for the host itself. The DNS server giving either an IPv4 or IPv6 address when in fact it is an NXDomain is similarly a nuisance. You want the most accurate IPv4 or IPv6 information you can get.

    What brought me here? Searching for just those DNS servers for second or third pass when the first set of DNS servers failed. You learn to wait at least 2-3 days for the second pass for the purportedly dead hosts being run through DNS again as well. Frequently the DNS server was just temporarily down. Until IPv6 entered the mix, OpenDNS with a setting of do nothing was great. Now it isn’t good for the browser. Until I can verify the “-4″ gives good results using OpenDNS it is also suspicious even for scripts. But it is forbidden for phish checking. OTOH, it may be totally appropriate for normal people with normal needs.

  • Jack JillyWithIt

    Jack was here today. You are most welcome.

  • Dhaval Brahmbhatt

    This is such a bullshit article. You need to get your basics right. If you just understand how DNS cache works, you will know that Google’s DNS servers have a bigger cache than your ISP’s servers. It’s not in the financial interest of your ISP to invest in better DNS infrastructure and I have heard from so many ISPs who themselves recommend using OpenDNS or Google DNS. ISPs never brag about their DNS response time in their ads, and for the right reasons.

    • Bharat Kumar

      In fact, Dhaval, you are quite dumb; you haven’t understood the subtleties, or don’t wish to. The article highlights a major issue. You seem to be the kind who believes in outsourcing everything, even if for short-term profit, not realizing the risks.
      That seems to be the approach with most telcos and ISPs in India, who now wonder how to get back to profits!

  • venkin

    If your ISP asks you to set the DNS to anything other than its own, I would advise you to shift to a better one. You could manage in the interim, but subject to a few things :)

    Firstly, Google or OpenDNS are only DNS caches; they are mostly not authoritative DNS servers. Even if Google’s anycast DNS connects to the nearest 8.8.8.8 instance, the problem of connecting to a sub-optimal server location doesn’t go away, because

    an authoritative DNS server is the one which converts a host address of a URL to an IP address.
    The problem of sites getting resolved “far” or sub-optimal from the ISP will get mitigated, somewhat, if authoritative DNSs take the consumer’s IP address. That IP address, the consumer’s, is more relevant than the requesting DNS cache’s IP to resolve to an Internet location “closer” to the consumer. Google’s DNS cache passes that, the consumer’s IP, up in the request to the authoritative servers.
    However, not all sites’ authoritative DNSs are upgraded to be userIP-aware-before-resolution
    ?? :)

    But the ISPs, rather than consumers, must worry about DNS.

    An ISP, if it is serious about ensuring a quality of service and staying in business, must have a back-to-back service level agreement for adequate DNS infrastructure – the importance of which is gaining by the day with security issues. Countries waking up to governance of Internet governance would want the ISPs to be in control of DNS resolution.

    Some ISPs may not honor requests to competing ISPs’ DNS IPs. So, even if there is a Google DNS cache “close” to you, but on your ISP’s neighbor and competitor’s network, that may not work!

    An ISP which provides just an Internet connection and doesn’t have content on its network, will face a challenge surviving in business, with no control on costs of bandwidth. Therefore, if your ISP asks you to set the DNS to anything other than its own, I would advise you to shift to a better one.

    • Bharat Kumar

      Very insightful! Frankly, it needs some simplification.
      But as venkin says, it’s the ISPs who have to worry. If I use an iPad or an Android phone, or am a user on the loose connecting to wifi hotspots where available, I can’t keep switching DNSs!
      Nor can I settle for being taken to a location outside my country if I use Google’s or OpenDNS… not that I have much of a choice if in India… most sites except a few notable ones like flipkart, rediff are outside India. We don’t know of broadband speeds here :)

      • John Wood

        If your country has a big enough internet presence, you will undoubtedly have a Google DNS server in your country (India does), so using Google’s DNS should be fine. I think India may even have some CDN network endpoints too, so you should also be OK with OpenDNS or the other bigger DNS caches too…

  • John Wood

    Thanks for that link, it was very informative and confirmed a few things I suspected about Google.

  • Bharat Kumar

    I buy that, using a global cache is a good thing to do.
    But then again what the cache returns may not be most suitable to your location.
    The auth DNSes, I know, use the requesting DNS to return an IP optimal for the location and in some cases [geo]load-balance the requests to different content servers.

    In other words, the content delivery networks (CDNs) use the requesting DNS’s location to return a webserver IP. If the DNS isn’t in the ‘network’ of the ISP, the auth server would return an IP address closer to the requesting DNS IP, not the client IP.

    This is getting resolved with EDNS (RFC 6891), but that would take some time to get adopted by auth DNSs.

  • Bharat Kumar

    Yes, I am worried about telcos and ISPs in India, where I live.