Darknet – Hacking Tools, Hacker News & Cyber Security

Is Google Public DNS Safe?

December 16, 2009


Google recently launched a public DNS service similar to the popular one at OpenDNS. You can find it on Google Code here – http://code.google.com/speed/public-dns/.

The first obvious reaction for the infosec crowd (with all the recent DNS flaws) is to question the security of the Google DNS service.

HD Moore has done some good analysis on the service as outlined below.

Yesterday, Google launched its new Public DNS service. Among the benefits that Google is claiming for the new service is that it helps to secure DNS for users. Is that an accurate claim?

One of the big issues that security researcher Dan Kaminsky disclosed about DNS insecurity in 2008 was that DNS request information isn’t quite as random as it should be. The way DNS works is that each DNS request is supposed to carry with it a random number transaction ID. But it turns out that the random number is only one out of 65,000. DNS is at risk when there isn’t enough randomization and a hacker can ‘guess’ the number.

So is Google’s Public DNS random enough? I got a comment from famed security researcher, H D Moore on that point. Moore knows what he’s talking about when it comes to DNS exploits as his Metasploit tool was among the first to have a weaponized version of the Kaminsky DNS flaw.

It seems like the port allocation of the Google DNS system is adequately random even though it’s drawing from a fairly small port range.

So the claim that this could be a more secure DNS server for most systems holds up; it will at least protect against DNS cache poisoning attacks.

Moore has now put together a mapping of Google’s source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports.

According to HD, it looks like Google’s focus on security might be on the right track and the DNS could be good at preventing cache poisoning attacks.

His sample size is only 10,000 requests here, which isn’t a huge number but does give a decent sample in my view. He has also graphed source ports, transaction IDs and a comparison of source ports to those transaction IDs.

I’ll switch over from OpenDNS and give the Google system a try; maybe it’ll reduce the lag time a little.

If anyone else is already using it, do share with us your thoughts in the comment section below.

Source: Internet News (Thanks Navin)
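
An added example, not from the original post or from HD Moore's analysis, of the kind of check discussed above: given the (source port, transaction ID) pairs a resolver presents to an authoritative server, it reports how wide the port range is, whether either field is predictable, and how many bits an off-path spoofer would have to guess. The 2048-port window, the port numbers and all samples are constructed assumptions, not measurements of Google Public DNS.

```python
import math
import random
from collections import Counter

def entropy_bits(values):
    """Shannon entropy of the observed values; capped at log2(len(values))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def sequential_fraction(values, max_step=4):
    """Share of consecutive samples that advance by 1..max_step (mod 2**16)."""
    steps = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    return sum(1 for s in steps if 1 <= s <= max_step) / len(steps)

def assess(samples):
    """samples: list of (source_port, transaction_id) seen at an authoritative server."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    span = max(ports) - min(ports) + 1
    port_predictable = span == 1 or sequential_fraction(ports) > 0.5
    txid_predictable = sequential_fraction(txids) > 0.5
    # Bits an off-path spoofer must guess per forged reply: a predictable
    # field contributes nothing, a random one log2 of its range.
    bits = (0.0 if txid_predictable else 16.0) + (0.0 if port_predictable else math.log2(span))
    return {"port_span": span, "port_entropy": entropy_bits(ports),
            "port_predictable": port_predictable,
            "txid_predictable": txid_predictable, "effective_bits": bits}

def constructed_samples(n=10_000, seed=1):
    """Constructed data, not measurements. The 2048-port window is an assumption."""
    rng = random.Random(seed)
    txid = lambda: rng.randrange(65536)
    small_random = [(32768 + rng.randrange(2048), txid()) for _ in range(n)]
    fixed_port = [(53, txid()) for _ in range(n)]           # one source port for every query
    counter_port = [(1024 + i, txid()) for i in range(n)]   # port incremented per query
    return {"small_random": small_random, "fixed_port": fixed_port,
            "counter_port": counter_port}

if __name__ == "__main__":
    for name, samples in constructed_samples().items():
        print(name, assess(samples))
```

With 10,000 samples the empirical entropy cannot exceed about 13.3 bits, so it is a useful check on a small port window but says little about the full 16-bit transaction ID space.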


Filed Under: Networking Hacking Tools Tagged With: dan-kaminsky, dns, dns exploit, dns security, hd-moore



Comments

  1. Luigi Rosa says

    December 16, 2009 at 10:23 am

    Keep in mind that if you do not use a local resolver, the CDN based contents (like Akamai and many others) will be delivered from a server that is not the best for your IP.

    So, you will have a smaller lag for DNS query, but a bigger one for CDN contents.

    I am staying with my local resolver administered by myself.

  2. Phill Thomas says

    December 16, 2009 at 11:24 am

    I think 99% of users will never notice any lag difference (if there is indeed any additional), I personally think it's useful to have the likes of google offering this kind of service, it could potentially take off the strain or requirements to run internal DNS and give sys admins more time to drink coffee :)

  3. scriptjunkie says

    December 16, 2009 at 8:04 pm

    Unfortunately, RTT tends to rule DNS query speeds, and local resolvers are a heck of a lot closer. My measured query latency to Google for a nearby site lookup is .19 seconds. To my local DNS, it’s .01 second for the request. For a random name, (insecure.org) the local resolver took almost .02 seconds and Google took an astonishing 1.20 seconds (mostly in the miss of insecure.org.[my local domain] which is automatically tried first due to the default local domain appending, but whatever, every OS does it). So yeah they have some cool ideas, but I’m not that impressed or switching my default DNS. And yes, I do notice an additional 1.2 second delay every time I hit a new domain while surfing.

    IMNSHO, it is interesting for the implementer of a DNS system, especially the security part (http://code.google.com/speed/public-dns/docs/security.html) but it can’t supply a replacement for a local resolver.

  4. googtester says

    December 16, 2009 at 8:58 pm

    Hi,

    I always test new products from google and am also currently using google's public dns, it's giving much better results than open dns, but the features of open dns like filtering etc. are not supported by google yet.

    Hope google will improve it more and implement it as one of its popular services from google.

  5. Darknet says

    December 17, 2009 at 5:38 am

    Well it matters to users outside of the US, I’m in Malaysia for example and the ISP DNS servers are shite…they are frequently down, slow to respond and sometimes purposely fail to resolve certain sites on order of the government. So I’ve always had the habit of using OpenDNS anyway, this is a valid alternative to me and if Google is using a CDN type setup with a node in SE Asia..it’ll definitely be faster than OpenDNS.

  6. Morgan Storey says

    December 17, 2009 at 12:11 pm

    I think it's also a decent idea to use these as forwarders on your local DNS, heck you can put open DNS in as well. That's what I tend to do as the root servers are simply too slow to respond here in Australia most of the time.

  7. Wojtek says

    December 17, 2009 at 1:36 pm

    A view from France…

    My ISP’s DNS is faster than Google or OpenDNS (by maybe 10%) but I would need to make more tests, especially to break down the difference in terms of RTT and DNS speed per se.

    Looking at the wild discussion in the US, it would seem that DNSes provided by ISPs over there are not that good. I guess this is because you have 3 zillions ISPs while we have just a handful. All of them have decent DNSes (both speed and stability) and switching to Google would not change much.

    An obvious advantage is that you need to remember 8.8.8.8 and 8.8.4.4 (see, I know them by heart) instead of 984.398.165.26 and 594.365.23.900 (these, for some reason, never worked for me, no matter how hard I tried)

  8. silicon.shaman says

    December 17, 2009 at 2:41 pm

    Been using google’s DNS for a couple of weeks now, the improved lag time isn’t really enough to be noticeable, [although it is improved]. What does make a difference is the improved reliability of look-ups.

    As for the flaw…well it is only in testing stage. I figure they’ll probably patch that as the uptake on the service improves. But for now it’s not an issue.

  9. Hemanth G says

    December 17, 2009 at 4:31 pm

    I’m Switching from OPENDNS to Google, it's been a few days and I already miss a few of OPENDNS features like filtering, but the time lag has definitely reduced by about 10%.

    Unless Google adds more features to its DNS service it's unlikely I will continue with it.

  10. Varun says

    December 18, 2009 at 4:52 am

    Try namebench to see which of the public DNS server systems are fastest for you. For me Google DNS ended almost at the bottom of the list having 11-12 similar services. I am based out of Bangalore.

  11. Darknet says

    December 18, 2009 at 9:00 pm

    With namebench Google primary (8.8.8.8) actually came out faster on average than my local ISP resolver.

  12. pfff says

    December 18, 2009 at 11:16 pm

    How about when “LSD” AKA HD Moore was backdooring people? Was he doing “good work” then too? You're old as dirt, don’t you remember when the hapless Perl program was a trojan punk?

  13. CC says

    December 19, 2009 at 2:33 pm

    Why give Google such power to control all your traffic?
    You might say that you already do that with your ISP and you are right! but your ISP isn’t Google they only provide internet service not all the other stuff Google is involved with.

    Google cares about security to a certain point, beyond this point they shift to $$$ and consider many other things to relate this service with the endless services they offer, Google is not a security firm, they do everything now from mobile phone to operating systems. Security is of little concern to them, It cannot be any other way and their actions over the last few years show that it is an aggressive control seeking big money corporation that all of the world already need to use (if you do not use the Google search it is really your loss so you can't just stop it).

    Do you really want Google to control every bit of communication coming out of your computer? I know I don’t, the email and web search are enough for me. They already scan my mail but apparently it is not enough and their new goal is to control all my traffic, the ads I watch, the porn I watch and EVERYTHING ELSE

    Google crossed to ‘the dark side’, sometime after they bought you-tube, there is no reason to feed them with more power so naturally don’t go for Google DNS.

  14. elpeor says

    December 21, 2009 at 12:10 pm

    I had stopped using openDNS because it was blocking some Spanish politics webpages. I just changed my DNS and I could open those web pages. I do not trust openDNS anymore.

  15. Marco says

    February 9, 2010 at 5:13 pm

    Yesterday I have tested the Google DNS server in my PS3. The download of a 217mb large video-file reduces to 90 seconds (Internet via cable modem DS 20.000 / US 1.024). Using the original DNS server of my provider the same download terminated after 4 to 5 minutes. During online-playing I didn’t remark any problem. I cannot really say, if there is an improvement as the games are working online in the same speed. It could be that the data-queries and data-responses from the internet and to the internet is more fluent with the Google DNS server.

    I will try for another few days the google servers and if there won’t be any problems, the Google DNS server will be the first server to use. and it is a big difference to spend only 90 seconds for a 217mb download as waiting 4 to 5 minutes!!!! :-)

Copyright © 1999–2025 Darknet All Rights Reserved · Privacy Policy