Ask HN: What happens if Google's Public DNS fails? 8.8.8.8 8.8.4.4

4 points by therealmarv ↗ HN
I know that Google has probably the best servers in the world. But seeing how many people and companies (even seen it on telecommunication companies) rely on it is frightening.

8 comments

[ 2.9 ms ] story [ 28.4 ms ] thread
It's just one of the (many) available options. E.g. there's OpenDNS with 208.67.222.222 and 208.67.220.220 - and most importantly, there's the local DNS provided by ISP. That one is supposed to be the primary one, with Google's and OpenDNS's servers being a fallback or an alternative.

I use both G and ODNS - when the local defaults aren't working. I definitely would not recommend these as your primary servers, precisely because they're provided merely as a courtesy to you, without any guarantees whatsoever.

Well, first of all, just like any sane person have backups (your files, your plans etc) - any sane person or business have (or at least should have) a backup configuration in case prefered DNS goes down.

So this is not a problem really.

It's strange how the fact that it has an easily rememberable IP address has driven adoption of 8.8.8.8. I have a couple of other DNS servers memorized from before 8.8.8.8 appeared, I'd likely switch to them.

I guess the predictable would happen. Badly configured systems would stop working. Systems with a working secondary DNS would keep working.

More interesting question is what could you do if 8.8.8.8 was compromised? That could be interesting.

Compromised? Not much to do, but it also wouldn't hurt much. A rogue DNS can mishandle your queries, but in this age of HTTPS and SSH and whatnot, you should see right away that you're not connecting to legitimate endpoints: certificates aren't going to match.
The country Turkey compromised the Google DNS IPs once. It's also a way to block certain websites (no matter if HTTPS or not): http://arstechnica.com/information-technology/2014/03/turkey...
Nope. Just rerouted packets going for 8.8.8.8 somewhere else; that's a MITM, not a compromise (although with an unauthenticated service such as DNS, the difference is academic for the client). Still, the sites are still accessible if you can get the IP address from somewhere else - which can be a different DNS server or even the hosts file.

I do agree that such block is enough to deter most non-technical users.

That article is also old. I'm guessing Turkey has upgraded and maybe bought some tech from the Greate Firewall of China ;)
If the open resolvers fail, people will have to go back to the method the internet has used since it's inception of utilizing the internet root servers.