My Chromecast Ultra would not start until I began answering 8.8.8.8

(mailarchive.ietf.org)

810 points | by baptou12 1869 days ago

55 comments

  • anilakar 1868 days ago
    In case the name of the original poster does not ring a bell: https://en.wikipedia.org/wiki/Paul_Vixie
    • paulddraper 1867 days ago
      Co-designer of DNS and member of the Internet Hall of Fame
  • calibas 1868 days ago
    This should bother people here more than it does. The last thing the Internet needs is even more dependence upon Google. They've made it quite clear through their actions that they're not supporters of a free and open Internet: https://theintercept.com/2018/09/14/google-china-prototype-l...

    If people don't push back against these kinds of things, Google will continue to abuse their power. There shouldn't be an army of apologists here making excuses for them.

    As far as a solution goes, they can simply make 8.8.8.8 a fallback when something goes wrong. It's a disturbing trend to see them forcing things like this upon users.

    • apostacy 1868 days ago
      Thank you! I feel gaslit even talking about this!

      Mention this online, and you will get a torrent of people telling you that you must be doing something wrong, and even if it is true Google probably has a good reason that is just beyond our understanding.

      I just talked about my experience with Chromecast here a few hours ago in another thread. [1] The Google product forums are way worse.

      It is not reasonable that I should have to do packet injection to not let my Chromecast connect to Google's DNS servers, especially if I just want to watch locally streamed videos.

      Google has slowly been carving features off of the Chromecast for the last four years. I only use it for local video content, so why must I update when it has burned me in the past?

      What really kills me is how we wouldn't let Microsoft or Facebook pull this crap.

      [1]: https://news.ycombinator.com/item?id=19171115

    • reaperducer 1868 days ago
      The last thing the Internet needs is even more dependence upon Google

      Watching Big G's actions over the last few years, I've sometimes wondered if it's laying the groundwork to fork the internet.

      People talk about China and Russia's actions balkanizing the internet. But I have a sense that Google could do it, as well, and bring us back to the days when people didn't know the difference between the real internet and America Online.

      • linuxftw 1868 days ago
        We're already there. Younger generation knows little about the web, but they all participate in the walled-garden-net via their app store.
        • darpa_escapee 1868 days ago
          Yep. In many places in the world, the internet is Facebook/WhatsApp/YouTube and whatever portal each of your apps allows you to peer into.
          • ryandrake 1868 days ago
            This is no different than the late 90s, when the Internet was AOL for a huge number of people. In 20 years it'll surely be some other platform, too, as long as the relatively open "Internet" foundation persists.
            • anfilt 1868 days ago
              The concern is those foundations though since google obviously has influence when it comes to it.
            • linuxftw 1866 days ago
              I think there is an important distinction. Back then, it was all on the PC, which had several hard-fought battles to keep that platform open. Today's main-stream computing platforms (other than PC) are not as open. Replacing the operating system can be impossible. Installing applications outside the designated channels can be impossible.

              Smartphone manufacturers can and do have absolute control over the software you run on your device. That was not true in the 90s.

          • paulio 1868 days ago
            If by "....in many places...." you mean the majority, then I agree.
      • rsync 1868 days ago
        "Watching Big G's actions over the last few years, I've sometimes wondered if it's laying the groundwork to fork the internet."

        Wonder no more as that is the end goal.

        Nothing less than becoming the new Ma Bell can be considered success.

        • Wowfunhappy 1868 days ago
          > Wonder no more as that is the end goal.

          We don't know this.

          • ionised 1866 days ago
            Not for sure no, but the signs are all there.
      • m463 1868 days ago
        Trying to use the california department of motor vehicles website logs you into google. This is not analytics. You also cannot make an appointment with google services blocked (you get "server unavailable")
      • JohnFen 1868 days ago
        > I've sometimes wondered if it's laying the groundwork to fork the internet.

        Would that mean that my internet would no longer have Googly stuff on it? I could get behind that.

        • DCoder 1868 days ago
          It could also mean your internet not having some other sites which chose to side with Google.
          • JohnFen 1868 days ago
            True, but I'm fine with that.
      • taneq 1868 days ago
        Is this not what AMP is for?
      • Tsubasachan 1868 days ago
        Just see how many websites use Google analytics.
    • kllrnohj 1868 days ago
      > The last thing the Internet needs is even more dependence upon Google.

      This doesn't change that? It's a google streaming device that in order to function at all requires a connection to google's data centers.

      Why does it matter if that connection happens via 8.8.8.8 or some other IP resolved by a different DNS server? What is the actual, practical difference of that? It's still connecting to Google in order to provide the singular feature of the device. And if you didn't want that, then don't buy the product? It's not exactly surprising that an internet streaming stick requires connecting to the product's cloud services, is it?

      If they hardcoded some other google IP and it wasn't a DNS server at all, would that still bother you to the same degree? Would you still be ranting about a "free and open internet"? If not, then your objections in this case are probably misguided to say the least. Because this is really just an implementation detail of the Cast device connecting to the Cast servers. It doesn't change your privacy. It doesn't change the shape of the internet. It doesn't change anything significant. And if you really, desperately care for some reason you can route 8.8.8.8 wherever you want.

      Otherwise by blocking 8.8.8.8 you're breaking the free & open nature of the internet. You've done the thing you're ranting against and censored the internet.

      • michaelmrose 1868 days ago
        Choosing to block 8.8.8.8 for devices in your own home is neither censorship nor breaking the free and open nature of the internet. It is baffling how you could imagine it is.

        It is in fact strange that a device that facilitates streaming from a variety of servers needs to resolve a particular dns server to function. It's obvious that it should need to resolve SOME dns server to function but not a particular one.

        Clearly it can't update if it can't talk to google but why shouldn't it be able to play local content or stream netflix without talking to a particular google IP?

        • kllrnohj 1867 days ago
          > Clearly it can't update if it can't talk to google but why shouldn't it be able to play local content or stream netflix without talking to a particular google IP?

          All cast apps & authentication are provided by Google's servers. Once it begins streaming from Netflix then Google isn't involved, but they handle initiation of that connection. Same for local content. And they don't exactly need to hijack DNS to figure out that you're watching Netflix after they launch the Netflix app.

          And they know when streaming stops. Hence why it switches back to the slide show screensaver when you leave Netflix stopped for a minute or two.

      • srcmap 1868 days ago
        "Why does it matter if that connection happens via 8.8.8.8 or some other IP resolved by a different DNS server?"

        By controlling the DNS server, the user can easily point doubleclick.net and Google Analytics to 0.0.0.0. That might be why google wants to control that in the Chromecast.

        It is a continuing war between Jedi the Hackers and the Empire. The young Anakin Skywalker - Do no evil Googlers have felt the (share holders) power of the Dark Side. The power felt stronger as the G stock price kept going up.

        BTW, one can also config a raspberry pi / openwrt device to have subdomain ip of 8.8.8.8 and still resolve the doubleclick.net or all other tracking websites to 0.0.0.0.

        May the source be with you.

        • kllrnohj 1867 days ago
          Which you can do by routing 8.8.8.8 anyway.

          But you seem to have forgotten this device exclusively runs Google software on it. Why would they be using doubleclick.net on a device with no user input or interaction? Why wouldn't they just build the analytics into the OS?

      • calibas 1868 days ago
        I never suggested blocking 8.8.8.8, I'd think you're replying to the wrong comment but you directly quoted part of mine. I criticize Google and I get called a hypocrite for things I never said...
      • pishpash 1868 days ago
        You're missing the part where 8.8.8.8 is a Google service for which an open, internet service already exists. If whatever Google's data centers are providing (besides 8.8.8.8) for the device's features also already had open implementations, then yes, the same complaint could be levied.

        By replacing parts of the internet that were open with non-open solutions, the intent and the consequence are clear.

        But I will say that that bridge has been crossed long ago. 8.8.8.8 has been hardcoded in so many places today that it may as well be a fixture of the internet, like the search thing, like many other properties of Google that are maybe not monopolies but are 80% of one. There is no internet that does not depend on Google (except in certain Firewalled countries). It's already too late.

        • rossjudson 1868 days ago
          Why do multiple DNS implementations exist? Why do multiple entities run different implementations? Does every DNS contain the same information, and do they all respond the same way?

          You might find Google's DNS privacy policy to be of interest: https://developers.google.com/speed/public-dns/privacy

          • pishpash 1868 days ago
            Google provides what they believe to be improved/more reliable services that they can make guarantees about. The open internet is inherently less than that. Besides the paradox about companies owning proprietary technology to key infrastructure that isn't then shared like early internet technology was, one thing is for sure: Chromecast could have made the tradeoff to use 8.8.8.8 a user choice. When in doubt, ask, but with Google, the culture has always been we know better.
          • _asummers 1868 days ago
            This is the same as asking why multiple companies make maps. Yes, some may be better, but having multiple means that if someone starts to misbehave (being inaccurate, slow, whatever), a user has alternatives. Regardless of Google not connecting to your personal IP or other PII per your link, DNS is still a business endeavor for them and gives them a considerable advantage to their search rankings. Some people are not okay with that. Note also that it does not suggest they can't use that traffic to show you ads in some capacity.

            To be clear, I use 8.8.8.8, but I understand the aversion. Google is a data vacuum, and being forced to give them more data than they are entitled to is a valid concern.

      • hopler 1867 days ago
        Chromecast is a device that receives a URL from my phone, loads that URL content, and plays the video.

        Why does it need to depend on Google Cloud at all? Sure, Google connectivity can enhance it, but you don't need Cloud to make a device like this useful.

        Same thing with the Title routers, where your local network collapses if the Cloud has a problem.

    • _bxg1 1868 days ago
      Last year I ditched Android and unplugged my Chromecasts. Google's no longer not-being-evil, and I want nothing more to do with them.
      • hopler 1867 days ago
        Do you have an alternate streaming system ?
        • _bxg1 1867 days ago
          Mostly I use my PS4/smart TV. I have no doubt that data is also collected, but somehow it makes me feel slightly better.
        • p2t2p 1867 days ago
          There is Apple's AirPlay, but you need Apple tv to use it.
    • johnchristopher 1868 days ago
      > This should bother people here more than it does. The last thing the Internet needs is even more dependence upon Google. They've made it quite clear through their actions that they're not supporters of a free and open Internet: https://theintercept.com/2018/09/14/google-china-prototype-l....

      Which reminds me of:

      > Secretary of State Hillary Clinton on Thursday called for uncensored Internet access around the world. Among other initiatives, Clinton said the U.S. government will meet next month with network services companies to advance "Internet freedom."... In remarks aimed at the business community, Clinton said companies shouldn't yield to pressure from foreign governments to censor themselves or violate human rights. She urged companies to resist such pressures even if it means losing business in those countries, and argued that a principled stand would be good for business over the long run... Clinton said the State Department will host a meeting in February with network services companies to address the issues around Internet freedom. (from https://www.business-humanrights.org/en/hillary-clinton-says...)

      > Increasingly, U.S. companies are making the issue of internet and information freedom a greater consideration in their business decisions. I hope that their competitors and foreign governments will pay close attention to this trend. The most recent situation involving Google has attracted a great deal of interest. And we look to the Chinese authorities to conduct a thorough review of the cyber intrusions that led Google to make its announcement. And we also look for that investigation and its results to be transparent.

      https://2009-2017.state.gov/secretary/20092013clinton/rm/201...

      Chris Messina, open web advocate at Google at the time, was present (check his website now http://chrismessina.me/b/13865613/leaving-google).

      edit: damn... almost ten years ago.

      • _bxg1 1868 days ago
        But her emails
        • sjwright 1868 days ago
          Don't worry, Russia found them
    • ehsankia 1868 days ago
      I agree with most of your points, but trying to make a connection between "exploration of bringing Google services to China" and "supporting free and open Internet" feels like a huge stretch to me.

      Let's ignore the fact that every other tech company such as Microsoft and Apple are in China, and the fact that Google already does censor content in most other countries. Let's also ignore all the other things Google does for OSS and the web.

      I'm just amazed at all the random places people manage to bring up and force their disagreement about Dragonfly into any discussion around Google.

      • calibas 1868 days ago
        You can't create tools for censorship in China and support a free and open Internet. Those things are completely opposed to each other.

        Pointing out the actions of other companies, the good things Google has done, or the fact that they censor content in most countries doesn't negate that fact. Those are just mediocre argumentative tactics to try and downplay a public relations disaster.

        We're not even dealing with the same Google from 9 years ago. Here's some good reading for everyone about how Google went out of its way to protect Chinese dissidents and refused to comply with the Chinese government. Now they're doing the opposite:

        https://googleblog.blogspot.com/2010/01/new-approach-to-chin...

        • ehsankia 1868 days ago
          > You can't create tools for censorship in China and support a free and open Internet

          What does following local laws of one specific country have to do with the open global internet? You do realize that Chinese internet is already behind a firewall, and is not open, right?

          > Google went out of it's way to protect Chinese dissidents

          And we have absolutely no facts about what they were working on with Dragonfly, except leaks from a source which was very clearly biased against the project. For all we know, they were coming up with new tech that allowed them to provide services to Chinese citizens while still protecting them.

          That to me makes much more sense as to why they were considering re-entering, than the baseless "they were only doing it for the money" reasoning.

          • calibas 1868 days ago
            You're acting like your guesses are just as good as The Intercept's investigation, and all to defend Google!

            Why are you doing PR for them?

            • hopler 1867 days ago
              Whether Google is in China or not, China Internet is not free and open.

              That's simply not Google's choice. The people with guns and tanks in China decide that. Judge Google by what they do the Internet where they have power, with browser tech and HTTP standards and AMP and DNS and YouTube and whatever.

              • calibas 1867 days ago
                They do have power here, all they need to do is not secretly partner with an oppressive regime to assist them with censoring the Internet. That's quite easy to do, hell, I'm doing it right now...

                All you've done is framed the situation in a way that makes it seem like Google isn't responsible for its own actions.

              • ionised 1866 days ago
                > China Internet is not free and open.

                Then Google should have nothing to do with it. Otherwise they are not supportive of 'a free and open internet', but are actively supporting a closed, censored and controlled internet.

                It's pretty simple.

        • johncolanduoni 1868 days ago
          > You can't create tools for censorship in China and support a free and open Internet. Those things are completely opposed to each other.

          I don't see why Google wouldn't actually prefer if China didn't have such draconian restrictions. At the very least it would reduce their regulatory compliance work in China drastically.

    • kw71 1867 days ago
      It's ridiculous that android devices ignore the dns server my dhcp gives, too.
    • diminoten 1868 days ago
      Yes, because doing one bad thing erases all good you've ever done...
    • StreamBright 1868 days ago
      I am not sure we are really dependent on Google. The exodus has already started to abandon surveillance capitalism entirely and it will only accelerate with GDPR and other means by which states are pushing back on these companies.
    • pexaizix 1868 days ago
      It doesn't bother me because it's a Chromecast, an appliance I don't want or need. If I needed something similar, I could get it from other manufacturers.
      • nirvdrum 1868 days ago
        FWIW, Chrome does this as well. Its DNS prefetch feature will ignore your local hosts file and configured DNS servers. It creates annoying problems if you have a VPN where some hosts resolve differently than they do publicly.

        Granted, in this case if you block Google's DNS servers from routing, Chrome will use your system's name resolution configuration.

        • odorousrex 1868 days ago
          TIL! This upsets me more than the Chromecast using Google's DNS.

          I barely use Chrome anymore (just for testing really) but the thought that any domain I wish to go to can be overridden by the browser by default - that's scary.

          I mean what if Google doesn't like your website's content. They can block it on their DNS server and 99.999% of Chrome users would think something was wrong with your site.

          Thank you, I hate it.

          • StreamBright 1868 days ago
            I was thinking about buying a better network device for home and having VLANs and ACLs just to take control of my internet again. It is pretty annoying that Google is not only trying to track me everywhere but actively overriding system-wide settings to be able to get information on what sites I am visiting.
            • fiddlerwoaroof 1868 days ago
              You don’t necessarily need a better networking device if your current router is supported by openwrt/lede
              • StreamBright 1867 days ago
                I was looking into that yesterday. How can I disable forwarding in Dnsmasq for certain domain names? Maybe I should run a local resolver server myself instead of forwarding the DNS requests to 3rd parties and do it that way with ACLs? Let me know if you have detailed documentation about how to use OpenWRT for these.
          • DCoder 1868 days ago
            In theory, couldn't Firefox's certificate store blacklist the TLS certificate your website uses, with the same user-confusing result?
            • admax88q 1868 days ago
              I mean in theory your web browser doesn't have to respect the address bar, it can do whatever the fuck it wants. The point is what Chrome is already doing is not good behaviour.
        • pault 1868 days ago
          Holy synchronicity! I just ran into this this morning when trying to null route a hostname on my co-workers computer and nobody could figure out why chrome could still resolve the IP after we changed the hosts file.
          • nirvdrum 1867 days ago
            It was disheartening how much time I spent tracking this down. I generally use Firefox, but since the web is bifurcated, I need to be able to access some sites with Chrome.
        • sundvor 1868 days ago
          Funny flashbacks to Google hijacking the .dev tld and forcing it to be https in Chrome.

          Actually it was just annoying, not funny.

        • matwood 1868 days ago
          This is extremely annoying. The VPN will switch DNS servers and macOS and Safari work fine, but Chrome will not find internal servers. I assumed it was just a cache, but this makes sense.
          • nirvdrum 1867 days ago
            I was astonished at how this was handled on the issue tracker. It was closed as "works as designed" even though the design was the problem.

            https://bugs.chromium.org/p/chromium/issues/detail?id=432236

            (I'm obviously a bit biased on the matter because it affected me and cost me a silly amount of time to track down.)

            • rkeene2 1867 days ago
              They also removed support for mandatory features of HTTPS [0], as defined in RFC 2818. Not that I'm against the change /per se/, but the correct way to go about it is to change the standard.

              They also claimed Firefox was doing the same thing, which is false and not really sufficient justification for not supporting things that MUST be supported.

              [0] https://bugs.chromium.org/p/chromium/issues/detail?id=700354

        • buildbot 1868 days ago
          Oh, that explains a lot actually. Safari works great with a corporate VPN, Chrome randomly fails to resolve things...
      • pizza 1868 days ago
        I think the idea is that getting Google to fix this by telling them this is unacceptable is a swifter course of action than hoping Google will notice your individual $35 purchase went elsewhere.
        • subcosmos 1868 days ago
          You mean they can't just machine-vision the expression on your face, through your webcam, when you decide against a purchase?
          • brokenmachine 1866 days ago
            Lol! Unfortunately only on Android 8 devices.
      • arbitrage 1868 days ago
        First they came for the appliances I don't want or need, because I don't use appliances I don't want or need.

        This has been discussed to death. Slippery slope, etc., etc.

        • pexaizix 1868 days ago
          I disagree. People who care about not hitting 8.8.8.8 simply do not own a Chromecast.
          • justizin 1868 days ago
            This is patently false, as Paul Vixie, who created DNS, clearly owns one.
          • lostlogin 1868 days ago
            I own one and have bought three. Cloudflare DNS for me (via a Pihole).
            • fonosip 1868 days ago
              You have to masquerade at your router. Or at the vpn. For example https://ba.net/adblock/vpn/roku-chromecast-fix.html
            • snowwindwaves 1868 days ago
              are you internally masquerading 8.8.8.8 to 1.1.1.1?
              • lostlogin 1868 days ago
                I just pointed the Pihole at 1.1.1.1 and added 8.8.8.8 to the block list. The Chromecast works fine with it. Not sure if the Pihole does something clever though? I’m very sure that the Chromecast does but I can see it’s traffic on the Pihole.
          • angusp 1868 days ago
            Not really, before you could firewall it off from the rest of your network - though now you can just masquerade 8.8.8.8 and 8.8.4.4 to your DNS server of choice
            • tiew9Vii 1868 days ago
              I run an OpenBSD router with PF:

              pass in quick on { $lan $wireguard } proto udp to { 8.8.8.8 8.8.4.4 } port 53 rdr-to 192.168.2.1

              Locally I run Unbound for caching, local dns zones and ad/malware domain blocking[2]. I have a DNS forwarder in Unbound configured to a local Stubby[1] instance that does dns over tls to Cloudflare.

              Having done "big data" contract work for the largest telco in my current country of residence, who are some of the worst skilled people I have ever worked with, your local ISP is highly likely abusing your DNS history profiling your household for various questionable things just as much as Google. At least with Cloudflare they have a clear privacy policy[3] and I have faith their technical skill to anonymize data and use it can't be as bad as my ISP's.

              [1] https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+... [2] https://github.com/StevenBlack/hosts [3] https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...

            • pixl97 1868 days ago
              Until Google implements DNS over TLS and does cert checking.
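The rdr/masquerade approach in the replies above only helps once you know which devices on your network are ignoring the DHCP-supplied resolver. The following script is an added example, not code from the thread, from Pi-hole, or from any of the tools mentioned: it reads netfilter LOG-style kernel lines (assumed to come from a log rule with prefix "FWD " on the router's forward chain; the sample lines, the interface names br-iot/br-lan and the addresses are all constructed for the example), reports each client that sends DNS (port 53) or DNS over TLS (port 853) to anything other than your own resolver, and emits the nftables commands to redirect the plain-DNS cases to that resolver. DoT destinations are rejected rather than redirected, because a client validating the upstream certificate would fail anyway; DNS over HTTPS on port 443 is invisible to this check.

```python
"""Spot LAN clients that bypass the local resolver and generate nft fixes.

Input: netfilter LOG-style kernel lines from a log rule (prefix "FWD ")
on the router's forward chain.  SAMPLE_LOG is constructed for this
example; it is not a real capture.
"""
import re
from collections import defaultdict

# Constructed sample. Clients on the IoT VLAN 192.168.2.0/24, the local
# resolver (a Pi-hole, say) at 192.168.1.2, WAN on "wan".
SAMPLE_LOG = """\
Feb 14 10:01:02 gw kernel: FWD IN=br-iot OUT=br-lan SRC=192.168.2.20 DST=192.168.1.2 PROTO=UDP SPT=40001 DPT=53 LEN=48
Feb 14 10:01:03 gw kernel: FWD IN=br-iot OUT=wan SRC=192.168.2.42 DST=8.8.8.8 PROTO=UDP SPT=51234 DPT=53 LEN=52
Feb 14 10:01:03 gw kernel: FWD IN=br-iot OUT=wan SRC=192.168.2.42 DST=8.8.4.4 PROTO=TCP SPT=51235 DPT=53 LEN=60
Feb 14 10:01:04 gw kernel: FWD IN=br-iot OUT=wan SRC=192.168.2.42 DST=203.0.113.10 PROTO=TCP SPT=51240 DPT=443 LEN=60
Feb 14 10:01:05 gw kernel: FWD IN=br-iot OUT=wan SRC=192.168.2.77 DST=1.1.1.1 PROTO=TCP SPT=39000 DPT=853 LEN=60
Feb 14 10:01:06 gw kernel: FWD IN=br-iot OUT=br-lan SRC=192.168.2.20 DST=192.168.1.2 PROTO=UDP SPT=40002 DPT=53 LEN=48
"""

PREFIX = "FWD "                 # assumed log prefix on the forward chain
DNS_PORTS = {53, 853}           # plain DNS and DNS over TLS; DoH (443) is not distinguishable
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields after the log prefix, or None if the line is not ours."""
    _, sep, rest = line.partition(PREFIX)
    if not sep:
        return None
    fields = dict(FIELD.findall(rest))
    if not {"SRC", "DST", "DPT"} <= fields.keys():
        return None
    return fields


def find_bypassing_clients(log_text, allowed_resolvers):
    """Map client IP -> sorted (resolver, port) pairs reached without the local resolver."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or not f["DPT"].isdigit():
            continue
        port = int(f["DPT"])
        if port not in DNS_PORTS or f["DST"] in allowed_resolvers:
            continue
        seen[f["SRC"]].add((f["DST"], port))
    return {client: sorted(pairs) for client, pairs in seen.items()}


def nft_remediation(bypass, local_resolver, lan_if="br-iot"):
    """nftables commands: DNAT hardcoded port-53 resolvers to local_resolver,
    reject DoT (853) destinations, which cannot be transparently redirected
    because the client validates the upstream's certificate."""
    redirect = sorted({dst for pairs in bypass.values() for dst, port in pairs if port == 53})
    reject = sorted({dst for pairs in bypass.values() for dst, port in pairs if port == 853})
    cmds = []
    if redirect:
        targets = ", ".join(redirect)
        cmds += ["nft add table ip nat",
                 "nft add chain ip nat prerouting '{ type nat hook prerouting priority -100; }'"]
        for proto in ("udp", "tcp"):
            cmds.append(f'nft add rule ip nat prerouting iifname "{lan_if}" '
                        f'ip daddr {{ {targets} }} {proto} dport 53 dnat to {local_resolver}')
    if reject:
        targets = ", ".join(reject)
        cmds += ["nft add table ip filter",
                 "nft add chain ip filter forward '{ type filter hook forward priority 0; }'",
                 f'nft add rule ip filter forward iifname "{lan_if}" '
                 f'ip daddr {{ {targets} }} tcp dport 853 reject with tcp reset']
    return cmds


if __name__ == "__main__":
    found = find_bypassing_clients(SAMPLE_LOG, allowed_resolvers={"192.168.1.2"})
    for client, pairs in found.items():
        print(client, "->", ", ".join(f"{dst}:{port}" for dst, port in pairs))
    print("\n".join(nft_remediation(found, local_resolver="192.168.1.2")))
```

On a real router you would feed it `journalctl -k` or `logread` output rather than SAMPLE_LOG; the DNAT rule does nothing for a client that pins the resolver's TLS certificate or uses DNS over HTTPS, which is the limitation the reply above points at.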
  • RickS 1868 days ago
    More concerning to me was the fairly recent removal of non-phone-app setup. It used to be that a chromecast would display a 4 character code on screen, which could be used to activate it from the browser.

    Now, they require that it be managed with the google Home app, and have discontinued the method that allowed chromecast use without installing additional google software on your phone.

    This made for a really disheartening christmas experience, when I first assured my mother that no, we could skip this stuff with your phone, only to find out that no, she would indeed have to make that sacrifice.

    Especially frustrating is that my same devices, validated with the old method, continue to function just fine.

    Does anyone with more knowledge than I have know of a reason for this that isn't data-greedy or consumer-hostile? From my perspective, "Don't be evil" has been dead long enough that the bones are sunbleached.

    • 05 1868 days ago
      The obvious reason is that any local browser config pages cannot be SSL protected because the device can not provide a valid certificate for 192.168.0.33 or chromecast.local

      Phone app can use a custom TLS CA to make sure the stick was produced by Google and is not a rogue neighbor phishing for your WiFi password..

      • djrogers 1868 days ago
        No, that's not how it worked - you got a code on the screen you could use to activate the device with google from any browser - much like many many many TV apps use (visit foo.com/activate and enter code NNNN). You weren't browsing to any local devices...
        • dragonwriter 1868 days ago
          > No, that's not how it worked

          Yes, it is; Chromecast activation has always used the Chromecast itself as the WiFi host; you have to do that to even set it up to use another network.

          > you got a code on the screen you could use to activate the device with google from any browser - much like many many many TV apps use (visit foo.com/activate and enter code NNNN).

          TV apps can do that because the TV device is already configured to connect to a network. And both the app and your browser can connect to the same remote server. Chromecast activation can't work that way, since it occurs as a necessary prerequisite to connecting the Chromecast to a network.

          • RickS 1868 days ago
            (OP of complaint)

            This matches my understanding as well.

            05's answer about security and rogue devices is a good one. It makes a lot of sense. For my (and I expect most people's) threat model, google's prying eyes are a more credible concern than my neighbor's, and I wish they hadn't changed it, but it's nonetheless a defensible reason for making the change.

        • TravisDick 1868 days ago
          I'm a little confused by this. If the chromecast didn't know my wifi password, how could it connect to google to receive any information / configuration? Mostly commenting because I want to know if there's some cool mechanism for getting around that! Thanks!
      • RickS 1868 days ago
        Thank you for this answer. It makes a lot of sense. For my (and I expect most people's) threat model, google's prying eyes are a more credible concern than my neighbor's, and I wish they hadn't changed it, but it's nonetheless a defensible reason for making the change.
        • johncolanduoni 1868 days ago
          > For my (and I expect most people's) threat model, google's prying eyes are a more credible concern than my neighbor's, and I wish they hadn't changed it, but it's nonetheless a defensible reason for making the change.

          Phishing by a random bad actor taking advantage of lack of TLS verification is far more likely than Google putting a sandbox escape in a phone app they distribute to steal information from you. I really hope most people's threat model doesn't match yours in this respect.

      • tinus_hn 1866 days ago
        It is impossible to ‘make sure the stick was produced by Google’. That’s fake security which is even worse than no security.
    • Silhouette 1868 days ago
      As an extra treat, Google Home isn't compatible with some older devices that are still perfectly functional. We use a Gen 3 iPad (max iOS version = 9) to control a few bits and pieces, including being a handy way to cast online streaming services to the big screen. Until one day the Chromecast gets a bit confused, as they do from time to time... and the Chromecast app on the iPad tells us in nauseatingly cutesy fashion that we should get the latest version... and redirects us to a different app on the App Store (Google Home) that isn't even compatible with our device. Literally, one day it all worked fine, the next day the whole setup is completely broken.
      • scarface74 1868 days ago
        In the meantime, my first gen iPad from 2010 running iOS 5 can Airplay to my AppleTV 4K....
    • pishpash 1868 days ago
      Everybody could foresee "don't be evil" would die with the IPO. Not only that, but the spirit of young Google, like 20% time or Google Labs and off-the-wall ideas that could bubble up, all eventually died.
      • jonny_eh 1868 days ago
        Requiring a phone for setup now counts as evil?
        • justinclift 1868 days ago
          Some people (like me) don't do phones. ;)

          But then again, I de-Googled myself ages ago, so mostly not a problem.

  • AdmiralAsshat 1868 days ago
    Knowing who he is, my takeaway should be, "Wow! An Internet Hall of Famer weighing in against a Google product!"

    But my actual takeaway is, "Legends of the CS world write informal, pithy rants to Google just like the rest of us mortals."

    • jchw 1868 days ago
      I find the responses on the mailing list to be interesting. Nobody there seems terribly amused by this thread so far.

      >Are you looking for https://support.google.com/chromecast/contactflow ?

      >And [wasting our time] as well.

      And to be fair, I would've expected a personal blog post rather than an IETF post. This is definitely quaint, though it gets the point across.

    • slim 1868 days ago
      IETF should be concerned since one solution to this problem is to hijack the DNS. Namely 8.8.8.8
      • justizin 1868 days ago
        Right, realistically what Vixie is saying is: This is a major vendor failing to comply with IETF standards and using their market dominance to undermine open standards and protocols.
        • dragonwriter 1868 days ago
          > This is a major vendor failing to comply with IETF standards

          What IETF standard is violated by a device using a known DNS server rather than the one offered by DHCP?

    • nashashmi 1867 days ago
      I agree with you. He would have had more leverage if he had said:

        my ISP blocks 8.8.8.8. 
        I cannot activate chrome cast.
    • jmull 1868 days ago
      Pithy, drunken, one or the other.
    • trumped 1868 days ago
      why didn't you rant about it first, then, AdmiralAsshat? (if you are so good)
  • unethical_ban 1868 days ago
    Jared Mauch's response was pretty rude.

    I don't mind defaults, but I do not like the inability to change.

    I wonder if it was clearly documented as a device requirement that 8.8.8.8 was needed. All prerequisites of function should be in the Quick Start Guide of the tool in question. Furthermore, users aren't always in control of the firewall/ACL on their network. If I go to Jack's Organic Coffee for a meeting and they only allow 1.1.1.1 out for DNS, I can't use my cast device? That's screwy.

    • roblabla 1868 days ago
      It was rude because the DNSOP WG mailing list (to which this email was sent) isn't a Google support forum. https://datatracker.ietf.org/wg/dnsop/about/ outlines what the DNS WG is about. Ranting about how Google's devices are terrible isn't an appropriate use of this communication channel.
      • Aiphie3E 1868 days ago
        I assume he does not want support. He wants to highlight a threat to DNS choice.
        • belorn 1868 days ago
          The threat is actually more at IANA than DNS. I would not be surprised if ISP supplied routers would start MITM quad ip DNS servers in order to retake the data and control. A lot of harm will happen if that became standard practice.

          DNSSEC does not protect against this.

          • lukeschlather 1868 days ago
            Would that break DNSSEC?
            • belorn 1867 days ago
              No. DNSSEC makes sure that the record is correct as given by the authoritative DNS server. It does not specify or control who resolved the name and for whom.
    • eertami 1868 days ago
      Maybe I'm missing the forest for the trees but... what possible reason would you have for taking a Chromecast to a coffee shop?
      • pixl97 1868 days ago
        The problem here is you are falling in the same trap as the Google engineers here.

        Why would ______ want to do _______ with their ______ device?

        You can make a locked down device that only does a very limited subset of functions, but you really should make that known to the user beforehand. "This device requires access to $X servers to function".

        If you have secret requirements that go far beyond user expectations, expect that your users might get pissy about it.

        • hannasanarion 1868 days ago
          The fact that we got six years into the chromecast world before anybody complained is a pretty good indicator that, no, in fact, most people who want to watch youtube on their TVs don't configure their firewalls to block 8.8.8.8.
          • Sendotsh 1868 days ago
            It has actually been a common issue for many years, including for myself, but the rest of us don't have the social clout for it to make it to HN front page.

            These days you have no chance of getting any form of tech support or even issue acknowledgement unless you have a large follower count online.

          • scbrg 1868 days ago
            Perhaps the hordes of previous complainers, unlike Paul Vixie, complained to the black hole that is Google support, so we never heard of it :)
          • acct1771 1867 days ago
            Mmmm...I love manufactured consent in the morning.
        • kllrnohj 1868 days ago
          Google isn't exactly secret about the fact that Chromecast connects to Google's data centers.

          Especially if you're using it to, say, watch YouTube, as Paul Vixie was.

          Chromecast connecting to Google is not a "secret requirements that go far beyond user expectations." Expecting a cloud-connected product to continue to work when you've randomly blacklisted IPs that belong to that company is, however, an unreasonable expectation.

          • markstos 1868 days ago
            We expect that Chromecast connects to Google's servers when you are using Google services. By forcing you to use their DNS service, they can track every non-Google DNS query you make as well, which is all tied to your IP address. It is a form of surveillance of everything that you do on your Chromecast, for which there is no explicit consent.

            https://security.stackexchange.com/questions/62273/can-dns-s...

            It is similar in some ways to Facebook tracking users across the internet through Facebook "Like" and "Connect" buttons across the internet, even when the users aren't on the Facebook site and did not opt in to having their browsing tracked by Facebook outside of Facebook.

            • kllrnohj 1867 days ago
              > By forcing you to use their DNS service, they can track every non-Google DNS query you make as well, which is all tied to your IP address.

              It's a Chromecast. You literally can't make non-Google queries on it at all in the first place.

              So what, exactly, is the privacy concern here? In what specific flow of events does the Chromecast using 8.8.8.8 impact your privacy?

              • markstos 1867 days ago
                Chromecast allows casting any tab, with any URL, not just Google properties.
                • kllrnohj 1865 days ago
                  Which is a video stream. The Chromecast itself isn't doing squat but playing a video.
          • nofunsir 1868 days ago
            "cloud-connected" Hacker News is not the best* place for nebulous cumulonimbus commentary.
        • scarface74 1868 days ago
          If you want a general purpose computer to serve as your set top box, buy a general purpose computer.
      • unethical_ban 1868 days ago
        It was a stretch. I've taken Roku to a local bar to stream live events. The generic "take my device to a network I do not manage" isn't outrageous though.
      • jil 1868 days ago
        Campuses also have this kind of security. I can't use a Chromecast or a Google Home on my college campus because my school's IT team blocks all DNS servers except their own.
        • robotrout 1868 days ago
          I used to travel with a Chromecast so I could cast in my hotel room. I finally gave up, since it never worked in any hotel I stayed in.
          • jil 1868 days ago
            I did the same thing and gave up too, but that's because every hotel TV used composite video.
      • reaperducer 1868 days ago
        People bring all kinds of crazy things to coffee shops. I saw someone set up a full-on painting kit, with a big palette, tubes of paint, and a full-sized easel.

        I believe at one time TPUG members (https://www.tpug.ca) would bring their PETs to Starbucks for meetings. I know I've banged out work on a TRS-80 Model 100 at Coffee Bean.

      • barrkel 1868 days ago
        Not a coffee shop, but certainly a hotel room, to cast some entertainment on the TV rather than rely on a laptop.
        • farisjarrah 1868 days ago
          The hotel thing can be a pain if there is some sort of per device login portal.
          • michel-slm 1868 days ago
            Roku and Amazon Fire TV work fine with captive portals though (Roku elegantly asks you to connect to a custom WiFi AP that just forwards the captive portal to your phone). So this is another case of Google making assumptions that limit their devices' usability.
      • arrty88 1868 days ago
        I’ve thrown parties at many public venues, schools, bars, restaurants and want to put up a slide show. Etc. so many use cases.
      • solarkraft 1868 days ago
        What about a presentation? What if it's not a coffee shop, but a conference?
    • C1sc0cat 1868 days ago
      You must have led a sheltered life if you think this is "pretty rude". It's blunt and to the point, I will give you that, but really...
      • nabakin 1868 days ago
        You don't have to be sheltered to think it's rude. This feels like an attack, please stop.
        • jaredmauch 1868 days ago
          You also maybe should know that I could have texted that to him as well. It's not as if we don't know each other.. I may have even been to his home previously :-)
          • jhayward 1868 days ago
            You should perhaps consider if you are modeling the behavior that you want to see others adopt. They don't know your relationship status, they only know that you find it acceptable to be rude and dismissive in a professional environment.

            Newcomers, outsiders, and others will take that experience to heart.

            • dang 1868 days ago
              Speaking of newcomers, could you please be more polite to newcomers here?

              From the HN guidelines: "Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith."

              https://news.ycombinator.com/newsguidelines.html

              • jhayward 1868 days ago
                Ah, I see my mistake - I confused one participant on the list with another. My apology to Jared. Thank you for the correction, Dan.
            • nofunsir 1868 days ago
              How else would he attain status a la Linus in the mailing list world?
              • dang 1868 days ago
                Please don't pile on.
  • rasz 1868 days ago
    Chrome is just as insistent on using 8.8.8.8. Took me >2 years of constant pestering to make Vivaldi finally patch some of it out.

    https://www.reddit.com/r/vivaldibrowser/comments/a23071/how_...

    • dvdgsng 1868 days ago
      I had no idea. thank you for this! I assume the setting is "use google dns service to help resolve navigation errors"?
      • rasz 1868 days ago
        Yes, except Chrome has very liberal definition of what it considers an error.
        • ballenf 1868 days ago
          Is there any combination of settings in Chrome that will disable this behavior?
        • tinus_hn 1866 days ago
          You’re not letting Google know what you’re browsing! We have resolved this error automatically.
  • alias_neo 1868 days ago
    It's not new, and not limited to Chromecast Ultra; I detected this from several Android devices (phones) pre-Pie and configured my firewall to redirect those requests to my own DNS.

    Regardless of their reason, many of us don't want to use Google DNS, and they are just using their control over these devices to force people to 8.8.8.8/8.8.4.4.

    I haven't checked how Pie behaves yet but it provides an option in the UI to specify private DNS.

    Also, I found some time ago, and am not sure if it's still the case, but some of their first-party apps hard coded Google DNS, so seeing one at the system level was irrelevant.

    • metalliqaz 1868 days ago
      Google's business is built on web services, and we know for a fact that ISPs occasionally try to inject bullshit into their customers' browsing sessions via all kinds of dirty tricks. Their DNS is also designed to be faster than typical DNS. I wouldn't be surprised if Google sees this as a way to ensure the proper function of their devices.
      • alias_neo 1868 days ago
        I'm not arguing with that, but lots of us can and do run our own DNS for various reasons, it should respect that, or provide a power-user way to override the default DNS.

        By all means offer fall-backs to Google DNS if it's not behaving correctly, for the reason you mention.

        I've found it's also quite poorly implemented, particularly on CC Audios. I had an instance last year where my internet connection went down at my ISP; my DNS saw tens of thousands of DNS queries per device from each of my Chromecast Audio devices in the time I was out at work. It was almost 40k DNS queries in ~12 hours, per device.

        Almost everything else on my network behaved normally, but the Google devices just went mental spamming the network with insane numbers of impossible requests. Back-offs are a thing; they should use them.

        • freeopinion 1868 days ago
          DNAT
          • pixl97 1868 days ago
            At least until Google starts DNS over TLS with cert pinning.
          • alias_neo 1868 days ago
            This is what I've done, I mentioned it in another comment, but we shouldn't have to resort to that.
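As an added example (not code from the thread or from any poster), this script does the two things the comments above describe: it reads firewall log lines to find LAN hosts that send DNS to a hard-coded public resolver instead of the local one, flags hosts whose query rate looks like the retry storm alias_neo saw, and prints the nftables DNAT rules that redirect such traffic back to the local resolver. The interface name, resolver address, thresholds and every log line are constructed assumptions for the example; the rule syntax is ordinary nft syntax but treat it as something to review before applying.

```python
"""
Added example (not from the HN thread): spot LAN devices that send DNS to a
hard-coded public resolver instead of the local one, measure their query rate,
and emit nftables DNAT rules that redirect such traffic to the local resolver.
All addresses, names and log lines below are constructed for the example.
"""
import re

# Assumed local setup (hypothetical values).
LAN_IF = "br0"
LOCAL_RESOLVER = "192.168.1.2"

# iptables/nftables LOG-style lines; the leading field is an epoch timestamp.
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\d+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>UDP|TCP) "
    r".*?DPT=(?P<dport>\d+)"
)

# Constructed sample: two hosts use 8.8.8.8/8.8.4.4, one uses the local resolver,
# one does DNS-over-TLS on 853 (not port 53, so it is not redirectable anyway).
SAMPLE_LOG = """\
1000 kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=40001 DPT=53
1001 kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.4.4 LEN=60 PROTO=UDP SPT=40002 DPT=53
1002 kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.51 DST=192.168.1.2 LEN=60 PROTO=UDP SPT=40003 DPT=53
1003 kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.52 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=40004 DPT=853
1004 kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=40005 DPT=53
""".splitlines()
# A Chromecast-style burst (constructed): 200 queries to 8.8.8.8 in about 20 seconds.
SAMPLE_LOG += [
    f"{2000 + i // 10} kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.60 DST=8.8.8.8 "
    f"LEN=60 PROTO=UDP SPT={50000 + i} DPT=53"
    for i in range(200)
]


def parse_line(line):
    """Parse one LOG line into a dict, or None if it is not a firewall record."""
    m = LOG_LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": int(d["ts"]), "src": d["src"], "dst": d["dst"],
            "proto": d["proto"], "dport": int(d["dport"])}


def dns_bypass_report(lines, local_resolver=LOCAL_RESOLVER):
    """Hosts that send port-53 traffic anywhere except the local resolver:
    {src: {"dst": set of resolvers used, "count": n, "first": ts, "last": ts}}."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53 or rec["dst"] == local_resolver:
            continue
        e = report.setdefault(rec["src"], {"dst": set(), "count": 0,
                                           "first": rec["ts"], "last": rec["ts"]})
        e["dst"].add(rec["dst"])
        e["count"] += 1
        e["first"] = min(e["first"], rec["ts"])
        e["last"] = max(e["last"], rec["ts"])
    return report


def queries_per_minute(entry):
    span = max(entry["last"] - entry["first"], 1)  # avoid division by zero
    return entry["count"] * 60.0 / span


def storm_hosts(report, threshold_qpm=60):
    """Hosts querying faster than the threshold: a device with no back-off."""
    return sorted(src for src, e in report.items() if queries_per_minute(e) > threshold_qpm)


def dnat_rules(lan_if=LAN_IF, resolver=LOCAL_RESOLVER):
    """nftables commands (assumed syntax) that redirect all LAN DNS to the local
    resolver, excluding the resolver's own upstream queries to avoid a loop."""
    return [
        "nft add table ip nat",
        "nft add chain ip nat prerouting { type nat hook prerouting priority -100 ; }",
        f'nft add rule ip nat prerouting iif "{lan_if}" ip saddr != {resolver} udp dport 53 dnat to {resolver}',
        f'nft add rule ip nat prerouting iif "{lan_if}" ip saddr != {resolver} tcp dport 53 dnat to {resolver}',
    ]


if __name__ == "__main__":
    rep = dns_bypass_report(SAMPLE_LOG)
    for src, e in sorted(rep.items()):
        print(f"{src}: {e['count']} queries to {sorted(e['dst'])}, {queries_per_minute(e):.0f} q/min")
    print("storming:", storm_hosts(rep))
    print("\n".join(dnat_rules()))
```

Note that DNAT only catches plain port-53 traffic; a device that moves to DNS over TLS or HTTPS with a pinned certificate, as pixl97 points out, is out of reach of this approach.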
      • Rebelgecko 1868 days ago
        I suspect it's to keep people from using Pi-holes or other DNS level adblockers. A non-ultra chromecast will totally ignore the router's preferred DNS unless you blackhole 8.8.8.8 and 8.8.4.4, then it'll fall back to the DNS server you actually want it to use.
        • Laforet 1868 days ago
          Transparent DNS proxy is a thing, plenty of ISPs have been using them for more than a decade. I know mine does because occasionally they hit a snag and setting your DNS to 8.8.8.8 won't help because any request over port 53 is silently intercepted.

          Like somebody said below, this is pretty much a non issue unless google starts to force DNSSEC and certificate pinning.

      • hrez 1868 days ago
        It should obey DHCP or static dns settings like any normal network device. It's so typical of google's attitude of "know better" and imposing arbitrary rules of their own just because they can. This "proper function" actually breaks any function on firewalled network. So paint it as failed.
      • darpa_escapee 1868 days ago
        This is an incredibly generous reading of the situation that, as far as I can tell, has no basis in reality. Google is circumventing how the internet works at pretty basic level by not respecting users' DNS preferences in favor of their own.
        • kllrnohj 1868 days ago
          The internet does not work on top of DNS. DNS works on top of the internet. Nothing about IPv4 was circumvented here, and IPv6 is even built to not need/use DHCP at all.

          There is no mandate or expectation that all DHCP clients always use the advertised DNS settings. If there were, then alternate DNS services like 1.1.1.1 or 8.8.8.8 wouldn't even exist in the first place, as your ISP would be in complete control of your DNS settings unless you splurged for a static IP.

          The cast client decided to use its own DNS settings as many clients do - you can override the DHCP settings on just about any general purpose OS, for example. Even though they are DHCP clients. Do you call Linux allowing you to specify a DNS server as "circumventing how the internet works at a pretty basic level", too?

          • userbinator 1868 days ago
            Do you call Linux allowing you to specify a DNS server as "circumventing how the internet works at a pretty basic level", too?

            There's a vast difference between "users can configure it to what they want" and "it's hardcoded and can't be changed".

            • kllrnohj 1868 days ago
              In both cases the client software ignored the network's settings. It's identical in behavior to the network.

              Either that's circumventing how the internet works or it isn't.

              Sounds like you agree that it's not, in fact, circumventing how the internet works?

              • userbinator 1868 days ago
                The critical difference is whether it is under control of the user.
                • dazilcher 1867 days ago
                  That's a critical difference which has nothing to do with "how the internet works".
        • Rapzid 1868 days ago
          The consumer of the DNS is the Chromecast. Its preference is 8.8.8.8 .
          • pmontra 1868 days ago
            The owner of the Chromecast decides which DNS to use, unless we decide that Google keeps owning it and the sale is not a sale.
          • darpa_escapee 1868 days ago
            A Chromecast isn't an agent with free will and intentions, the user is. When I set my DNS settings to a different DNS server than Google's, my preference is just that: different from Google's.
            • jtms 1868 days ago
              I think your humor detection algorithm needs some enhancement.
          • JohnFen 1868 days ago
            Chromcasts are sentient now? Wow, that should be the headline!
            • Rapzid 1868 days ago
              I'm clearly meaning the choices made by the Chromecast via the product and service owners and creators. The thing is a consumer IoT device with a lot of blackbox going on. It's consuming the DNS service to provide another service to the end user. How that happens is trivia to most people.

              I think it's fine to want that configurable and maybe, maybe even expect or ask for it.. But I believe concocting conspiracy and assigning malicious intent so readily, as many are, displays either an ignorance of how products get built for the mass market or a feigning of such. As others who have worked on IoT devices have pointed out, there are rather valid user experience concerns behind baking these "preferences" into the products.

              • JohnFen 1868 days ago
                Obviously, I knew what you meant. You just expressed it in a humorous (and, I think, not entirely valid) way, granting agency to the device rather than people.

                > As others who have worked on IoT devices have pointed out, there are rather valid user experience concerns behind baking these "preferences" into the products.

                Which is something that I have not denied. What I assert is that there absolutely needs to be a way to change that behavior if users wish. The lack of that ability is, in my opinion, something that is harmful, both technically and socially.

    • jusssi 1868 days ago
      I wonder if 8.8.8.8 still has a per-IP rate limit, and what the consequences for people behind a CGNAT would be.

      Still 2 years ago that rate limit was pretty easy to hit by accident with a Selenium browser farm accessing through single public IP.

  • dastx 1868 days ago
    I posted this a while ago on the /r/pihole subreddit. Since my router is a bit more restricted, I ended up blocking Google's DNS as they've been doing this in other devices and software as well. It seems that they only add one of the DNS servers and fall back onto the DNS server provided by DHCP. My pihole number of queries suddenly jumped up after I blocked those IPs.
  • jasonjayr 1868 days ago
    I agree with the shadiness of this, but just to play devil's advocate here, is this to work around shitty ISPs that play games with DNS? Residential ISPs have not exactly been good faith actors in this game ...
    • megous 1868 days ago
      Yes, but how does it help hardcoding one IP address that ISPs can simply route to their own DNS server?
      • tialaramex 1868 days ago
        Today the ISP could, with a bunch of effort, re-route the traffic, though I haven't seen any evidence that any of them do that. So it helps materially because for today it works.

        Tomorrow these devices will do DPRIV, probably DNS over HTTPS, and so the ISP won't be different from any other man-in-the-middle, unable to meddle with the contents of protected traffic.

        • oarsinsync 1868 days ago
          > Today the ISP could, with a bunch of effort, re-route the traffic

          Injecting a route into your IGP is pretty trivial, any ISP with an engineer with more than six months' experience could manage this.

          > though I haven't seen any evidence that any of them do that

          Unless you've actually looked, and performed pcap analysis of what your dns request/response looks like to try and determine if your ISP is intercepting, you can't be sure.

          That said, several ISPs used to do this quite transparently (pun not intended) in the early 2000s, to return advertising pages whenever a DNS query failed. Some of them would do this on their own DNS servers (that were the default pushed to your CPE, which was then the default for your network), some of them would actually hijack anything going to udp/53. This used to be prevalent for a while.

          Then again, who's making more money monetising your activity? Your ISP or Google? Given that your ISP can already see every IP you visit and how much traffic you exchange with that counterparty, who would you rather protect your DNS requests from? Them or Google?

          • JohnFen 1868 days ago
            > several ISPs used to do this quite transparently (pun not intended) in the early 2000s, to return advertising pages whenever a DNS query failed.

            Yep. This was what spurred me to start running and using my own DNS server in the first place.

            > who would you rather protect your DNS requests from? Them or Google?

            I don't think one of them is better than the other on that count.

          • rincebrain 1868 days ago
            Verizon still does this to this day, in fact.
        • stordoff 1868 days ago
          It's quite common in the UK: https://en.wikipedia.org/wiki/Web_blocking_in_the_United_Kin...

          My ISP does the blocking slightly - the DNS response is fine, but they inject a redirect into the HTTP response.

        • andreareina 1868 days ago
          I've experienced ISPs trying to block sites by intercepting the DNS request and returning their own servers. DNS over HTTP solves that for now, but I'm concerned that they'll just switch to blocking by IP or SNI.
        • cma 1868 days ago
          They could keep routing it and modify its results. Comcast already does this with http, injecting datacap warnings into HTML pages.
    • Tsubasachan 1868 days ago
      I actually trust my ISP more than Google.
      • josteink 1868 days ago
        No need for downvotes. Outside the US, most people do.

        Anything else would be weird.

        • int_19h 1868 days ago
          I'm in the US, and I still trust my ISP more than Google.

          Which is to say, I trust them both to try to screw me, but the ISP has already done so to the extent that they were able. But Google is just warming up, and they're more competent.

  • josteink 1868 days ago
    Expect more of this once “DNS over HTTPS” takes hold.

    Nothing Google makes will ever respect your DHCP-server or local network settings ever again.

    • silon42 1868 days ago
      I guess we'll have to block protocols where DPI doesn't work.
    • JohnFen 1868 days ago
      > Expect more of this once “DNS over HTTPS” takes hold.

      I do. DNS-over-HTTPS is why I've modified my network so I can MITM all HTTPS connections.

      • chaz6 1868 days ago
        (Un)fortunately, TLS 1.3 will prevent MITM from working unless you are able to install a trusted root ca cert on the device, which I doubt is possible on Chromecast devices.
        • userbinator 1868 days ago
          TLS, and SSL before it, have always prevented MITM from working without configuring your own certificates --- that's the whole point of the security it provides, after all. AFAIK TLS 1.3 doesn't change that.
      • josteink 1868 days ago
        Sounds interesting. Do you have a write up about creating such a setup?
        • JohnFen 1868 days ago
          No, I don't, but it's conceptually pretty easy (the devil is always in the details). I'm sure you could find something on the net describing this better.

          What I've done is, first, to block the HTTPS port from going anywhere except to my proxy. If you want to use HTTPS in my network, you have to install my cert. That cert is used to negotiate the HTTPS connection to the proxy. The proxy then has access to the plain-text data stream. If that data stream is a DNS request, then it's diverted to a DNS-over-HTTPS server that I run (which uses my local DNS server to resolve the request). Otherwise, the proxy just transfers the data to and from the destination site using an HTTPS connection from the proxy to the destination.

          • LeoPanthera 1868 days ago
            How do you cope with devices that do not allow the installation of a new CA root?

            I suspect the answer is "I don't use them", but that's going to be a blocker for mostly everyone.

          • dragonwriter 1868 days ago
            > What I've done is, first, to block the HTTPS port from going anywhere except to my proxy. If you want to use HTTPS in my network, you have to install my cert.

            But there are a very large number of potential HTTPS ports (a reasonably well behaved system could, as well as 443, use anything that isn't well-known or registered, or which was registered for the particular use, even if the underlying protocol was HTTPS.)

          • b1r6 1868 days ago
            This is giving me some good ideas for my homelab... Thank you!
          • tucif 1868 days ago
            does this work with apps using certificate pinning?
            • nofunsir 1868 days ago
              This does break all sorts of apps/workflows, and it's a pain having to let each and every tool (pip/curl/firefox/java/etc...) know about the cert you want it to know about.
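The diversion step JohnFen describes, "if that data stream is a DNS request, then it's diverted", needs the proxy to recognise a DNS-over-HTTPS query once it has the plaintext. This added example (not JohnFen's code, nor anything from the thread) shows that classification for the RFC 8484 wire format: a GET carrying the base64url-encoded message in the `dns` parameter, or a POST with `Content-Type: application/dns-message`, and extracts the question name so the proxy can hand it to a local resolver. The sample query bytes are constructed for the example.

```python
"""
Added example (not from the thread): recognise a decrypted HTTP request as a
DNS-over-HTTPS query (RFC 8484) and pull the question out of it, so a MITM
proxy can divert it to a local resolver. The request below is constructed.
"""
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"

# Constructed DNS query: example.com, type A, class IN.
SAMPLE_QUERY = (
    b"\xab\xcd"                            # transaction id
    b"\x01\x00"                            # flags: standard query, recursion desired
    b"\x00\x01\x00\x00\x00\x00\x00\x00"    # qdcount=1, ancount=0, nscount=0, arcount=0
    b"\x07example\x03com\x00"              # question name example.com
    b"\x00\x01\x00\x01"                    # qtype A, qclass IN
)
# The GET form: base64url without padding, as RFC 8484 requires.
SAMPLE_GET_PATH = "/dns-query?dns=" + base64.urlsafe_b64encode(SAMPLE_QUERY).rstrip(b"=").decode("ascii")


def decode_qname(msg, offset):
    """Walk the DNS labels at `offset`; returns (name, offset after the name).
    Compression pointers are followed so the parser also survives responses."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_dns_question(msg):
    """Return (qname, qtype) of the first question in a DNS wire message."""
    _txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = decode_qname(msg, 12)  # questions start after the 12-byte header
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return qname, qtype


def classify_request(method, path, headers, body=b""):
    """Return (qname, qtype) if the request is a DoH query, otherwise None."""
    headers = {k.lower(): v for k, v in headers.items()}
    query_string = path.partition("?")[2]
    if method == "GET" and "dns=" in query_string:
        params = dict(p.split("=", 1) for p in query_string.split("&") if "=" in p)
        raw = params["dns"]
        raw += "=" * (-len(raw) % 4)  # restore the padding base64url strips
        return parse_dns_question(base64.urlsafe_b64decode(raw))
    if method == "POST" and headers.get("content-type") == DOH_CONTENT_TYPE:
        return parse_dns_question(body)
    return None


if __name__ == "__main__":
    print(classify_request("GET", SAMPLE_GET_PATH, {"Accept": DOH_CONTENT_TYPE}))
    print(classify_request("POST", "/dns-query", {"Content-Type": DOH_CONTENT_TYPE}, SAMPLE_QUERY))
    print(classify_request("GET", "/index.html", {}))
```

This only works once the proxy holds the plaintext, which is exactly the point LeoPanthera and tucif raise: a device that will not accept your CA, or an app that pins its certificate, never gets this far.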
  • chewz 1868 days ago
    Set DNS to Google and do

    dig +short TXT whoami.ds.akahelp.net

    Then set to other DNS provider and do the same

    You will see that Google DNS is delivering ECS which helps with directing traffic to nearest CDN.

    I have quite secure DNS setup but still forward some queries to Google DNS (HBO, Spotify, etc.) just to take advantage of using ECS.

    • X-Istence 1868 days ago
      When you run your own DNS server, then you don't need ECS, since it will have the real IP address at the authoritative server.
    • Severian 1868 days ago
      This is great info.
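What the whoami.ds.akahelp.net TXT check reflects is the EDNS Client Subnet option (RFC 7871) that a resolver such as 8.8.8.8 attaches to its upstream queries. This added example (not chewz's or anyone else's code from the thread, and not a Google or Akamai implementation) builds a DNS query carrying an ECS option and parses the option back out of a wire message, so the two comments above can be checked against real bytes. The query name, addresses and prefix lengths are constructed for the example.

```python
"""
Added example (not from the thread): build a DNS query with an EDNS Client
Subnet option (RFC 7871) and parse the option out of a wire message. Every
name and address below is a constructed example value.
"""
import ipaddress
import struct

OPT_RRTYPE = 41        # EDNS(0) pseudo-RR
ECS_OPTION_CODE = 8    # EDNS Client Subnet


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ecs_option(network):
    """ECS option body: family, source prefix, scope prefix 0, truncated address."""
    net = ipaddress.ip_network(network, strict=False)
    family = 1 if net.version == 4 else 2
    source_prefix = net.prefixlen
    addr_bytes = net.network_address.packed[: (source_prefix + 7) // 8]  # only the significant octets
    data = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname, qtype, ecs_network=None, txid=0x1234):
    """Standard recursive query; adds an OPT RR with ECS when a network is given."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if ecs_network else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if ecs_network:
        rdata = build_ecs_option(ecs_network)
        # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode/version/flags 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 4096, 0, len(rdata)) + rdata
    return msg


def skip_name(msg, off):
    """Return the offset just past a wire-format name (pointer or labels)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_ecs(msg):
    """Return (family, source_prefix, scope_prefix, network) from the first ECS
    option in the message's OPT RR, or None if there is none."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_RRTYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):             # iterate EDNS options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, src, scope = struct.unpack("!HBB", body[:4])
            width = 4 if family == 1 else 16
            addr = body[4:] + b"\x00" * (width - len(body[4:]))  # pad truncated address
            ip = ipaddress.ip_address(addr)
            return family, src, scope, str(ipaddress.ip_network(f"{ip}/{src}", strict=False))
    return None


if __name__ == "__main__":
    q = build_query("whoami.ds.akahelp.net", 16, "192.0.2.77/24")   # 16 = TXT
    print(parse_ecs(q))
```

X-Istence's point shows up directly here: a resolver you run yourself sends its own source address upstream, so the CDN already sees the right location and there is no option to forward.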
  • richardwhiuk 1868 days ago
    I've seen this done before, and IME it's reasonable behavior.

    I've seen so many instances of computers configured with DNS servers which are extremely slow, or provide garbage results, that adding a known good DNS server to the list, and then parallel resolving across all of them is a perfectly legitimate thing to do.

    • jon-wood 1868 days ago
      We hardcode known good DNS servers in IoT devices that we ship from work because a significant proportion of issues being reported by customers were caused by ISP resolvers doing things they shouldn't - mostly either redirecting all domains to a splash screen telling people about bandwidth quotas/other things, or not respecting the TTL returned by our resolvers, which could cause data to get directed to the wrong place for extended periods.
      • Bartweiss 1868 days ago
        This is a really interesting point, thank you.

        My initial reaction to the post above was "ship a known-good DNS if you must, but honor the user-chosen service unless it's not answering." This makes sense as a more common reason you'd want to hardcode a DNS, and a reason to honor your setting over whatever is coming back from the customer's DNS.

        I still can't see a good rationale for only using the hardcoded DNS, though. Not only does it strip user control, it opens the door to all kinds of secondary stupidity like breaking every Chromecast in Turkey by insisting on a blocked DNS.

        • cwkoss 1868 days ago
          There's no reason "use only hardcoded DNS" couldn't be user configurable, for all the benefit with none of the costs.

          Well... all of the benefit to the user. Google doesn't get to use your DNS requests to sell ads.

          • kllrnohj 1868 days ago
            > Well... all of the benefit to the user. Google doesn't get to use your DNS requests to sell ads.

            How do you envision this working on the product in question? When are you ever making arbitrary DNS lookups in a Chromecast?

            Seriously take the tinfoil hat off for a minute and think rationally. Google owns the entirety of the software on the device, and all connections to & from it. There's nothing they gain in terms of data harvesting from hard-coding their DNS here. There is no user input in play at all here. What are they going to harvest from a device that only ever does DNS lookups for their own hostnames?

            If this was happening on Chrome, or Android, or something where user input & interaction was actually a thing then sure. But this is a goddamn Chromecast. All it does is watch YouTube and similar. How in any way, shape, or form can those DNS requests in any way help sell ads?

            • jimsmart 1866 days ago
              In this instance, I think it's got less to do with harvesting data from the lookups, and more to do with ensuring advertising gets shown?

              i.e. I suspect Google force their own DNS so that one cannot so easily use e.g. PiHole to filter out DNS lookups for servers that stream e.g. YouTube adverts.

              ?

      • creeble 1868 days ago
        Been there too, sad to say. We haven't gone so far as to hard-code DNS servers yet, but it's shocking how bad some ISPs' DNS support can be.

        There should be a better way to fight it, but I fear Google may win here because I haven't been able to find anything wrong with the way their servers work. I.e., 8.8.8.8 isn't doing anything evil afaict... Yet.

        • JohnFen 1868 days ago
          Doing that can be (barely) acceptable, provided that you also do two other things: make it clear to users that you're doing that, and allow a way for the user to change that behavior if they desire.
        • jon-wood 1866 days ago
          We default to Cloudflare’s 1.1.1.1 resolver because they have a clear policy on what they will and won’t do with the data available to them.
    • joekrill 1868 days ago
      OK but if that "known good" DNS server goes down or isn't available, you still have others you can fall back to. The device shouldn't just become completely useless. But that's what Google is doing here. It's their DNS servers or none, it seems.
      • Arnt 1868 days ago
        I too have written code that asks 8.8.8.8 and 8.8.4.4, because the DNS server I get from DHCP frequently is so brain-damaged. (SRV records, what's that?) I asked both in parallel.

        On one hand it feels wrong to not ask in parallel.

        On the other, $%#@%#$%!$@# the %$#%#$%^$#@%#$! packet filters that block DNS packets to everyone except the local brain-damaged resolver. Or even redirect. If Google will fight that fight I'll happily enjoy the benefits.

        • AnIdiotOnTheNet 1868 days ago
          As someone who has had to block and redirect DNS traffic, there are reasons we do this and if you have a problem with it then you should contact the admins about it. If you're unwilling to do that, maybe you shouldn't be doing what you're trying to do at work.
          • Arnt 1868 days ago
            Do you happen to be the admin at the meeting venue that discarded my SRV and DNSSEC lookups? What were the reasons you did this, if so?
            • AnIdiotOnTheNet 1868 days ago
              Use the guest WiFi, that's what it's there for.
              • Arnt 1867 days ago
                Does that have a sensibly working resolver?

                In my haphazard experience, the networks that block access to UDP port 53 are more than likely to have gelded broken name servers that e.g. serve empty NXERROR results for anything but A/TXT, and receptionists that say, "uh, let me check" and then check that their browser can open the google home page. (Insert invectives here.)

                I've seen it be fixed. Once. One meeting I attended started with a quite broken network, but it was an IETF meeting, and the IETF tools team reconfigured the AP channel layout, the DHCP server and the caching name server at that hotel and after that it was fine.

        • kazinator 1868 days ago
          > If Google will fight that fight I'll happily enjoy the benefits.

          Evidently, they are:

          https://en.wikipedia.org/wiki/DNS_over_HTTPS

          https://developers.google.com/speed/public-dns/docs/dns-over...

          • vetinari 1868 days ago
            And that's how we are going to get mandatory https proxies in networks... The arms race will continue, making the lives of everyone more difficult.
            • kazinator 1868 days ago
              An HTTPS proxy can't rewrite the contents of your stream. If it redirects to the wrong host, the cert doesn't match.
              • vetinari 1868 days ago
                That's fine, it is not about rewriting the stream, but about not allowing connections to certain hosts.
            • glennpratt 1868 days ago
              I will never install that cert, so it stops there for me. IT security theater be damned.
        • JohnFen 1868 days ago
          > On the other, $%#@%#$%!$@# the %$#%#$%^$#@%#$! packet filters that block DNS packets to everyone except the local brain-damaged resolver.

          Curse it all you want, but forcing all DNS lookups to be resolved by a particular server is often an important security measure.

          • glennpratt 1868 days ago
            Lolwut? Seriously, what serious exploit would be stopped by this.
      • matz1 1868 days ago
        To me it's a reasonable trade-off: the probability that the Google DNS server goes down is low, and the number of people who purposely block Google DNS is also low.
        • jackfraser 1868 days ago
          Sure, but don't we reserve the right to run our own split-horizon DNS servers and point fqdn's our devices want to resolve to anything we desire?

          Don't like it? Use TLS and verify certificates.

          • nickspacek 1868 days ago
            I wonder why they aren't just using TLS and pinning certificates? I suppose they probably do, but furthermore want to ensure that they control the resolution of other services (e.g. Netflix) for the device.
          • matz1 1868 days ago
            Sure, if the product doesn't fit your need then either build your own Chromecast or use a different product. I personally do not want to build my own, so I'm perfectly okay with the trade-off.
        • AlphaSite 1868 days ago
          My company blocks google dns.
    • monochromatic 1868 days ago
      Resolving in parallel is one thing. Breaking down when your hardcoded DNS isn’t available, but the customer’s working DNS is... is something else entirely.
    • sesutton 1868 days ago
      Case in point, I was getting NXDOMAIN for mailarchive.ietf.org until I switched to 8.8.8.8 from my work's DNS.
    • zamazingo 1868 days ago
      Unless you want your own dns server used at all times.
      • shawnz 1868 days ago
        But why would you care about that? You're already connecting to Google's service, YouTube, so what does it change to use Google's DNS to resolve it? What is the circumstance where you'd care about not using Google's DNS but then connect to a Google service anyway? If Chromecasts allowed arbitrary web browsing, I would maybe see your point -- but they don't.
        • Bartweiss 1868 days ago
          Perhaps you live in Turkey and Google Public DNS is blocked?

          I agree that on a privacy level, hiding DNS requests from Google when your Google Chromecast is calling Youtube seems like closing the stable door after the horse is gone. But there are reasons other than privacy that relying on Google's DNS might go wrong; it can be blocked (or trigger suspicion) by a government, ISPs have occasionally broken their routing to 8.8.8.8 specifically, and Google DNS itself has even had (very rare) outages.

          None of those issues are enormously common, except perhaps Turkey's censorship, but they're all totally avoidable. Using 8.8.8.8 as a default and failing over to the user's DNS if necessary seems to be strictly better than this approach from a consumer viewpoint.

          • shawnz 1868 days ago
            These are good points, agreed. Thank you
          • sowbug 1868 days ago
            Chromecast isn't sold in Turkey. That fact doesn't invalidate your general point. But pragmatism easily wins when balancing all the real-world craziness of captive portals, ISP DNS hacks, and creative name-resolution optimizations against "but it could be grey-marketed in Turkey." This is especially true for a narrow-purpose consumer-entertainment appliance that already depends on other services provided by its manufacturer.

            https://support.google.com/store/answer/2462844

        • driverdan 1868 days ago
          > But why would you care about that?

          The reason doesn't matter. We should be in control of our own networks. Google shouldn't be deciding for us.

          • fixermark 1868 days ago
            You are in control of your own network.

            Map 8.8.8.8 to the machine of your choosing.

            • pixl97 1868 days ago
              And when the next update uses DNS over TLS with cert pinning?
            • dingaling 1868 days ago
              What if my network is IPv6 only?
              • shawnz 1868 days ago
                The fact that the device requires IPv4 is a much different complaint than anything to do with the use of the DNS protocol. What if YouTube were just IPv4 only? Then you'd be in the same situation no matter what DNS server you are using.
              • kllrnohj 1868 days ago
                Then DHCP isn't even used/required and this is all moot as clients are fully allowed (and even expected) to self-configure, including DNS if they want. Heck, DNS advertisement via IPv6-RA is still only even a proposed standard: https://tools.ietf.org/html/rfc6106 it hasn't been ratified yet, and support isn't widespread.
          • shawnz 1868 days ago
            Would you say that Google is "controlling your network" if they just hard-coded the IP for YouTube? This is effectively the same but with one layer of indirection in between. What's the difference?
          • treis 1868 days ago
            When did Google decide that you should buy a chromecast?
            • Bartweiss 1868 days ago
              Does Google make the DNS requirement clear pre-purchase, or accept returns over this issue?

              This isn't the same as coming into your home and forcing you to use Public DNS, sure, but I think people are justified in being annoyed if they buy something, then find an arbitrary and unannounced dependency in it.

              (I can't find any mention of the DNS requirement by Google, just extensive threads elsewhere about working around the problems it's caused people. It looks like there is a 15-day return window for working devices. That's something, but if I stopped allowing Public DNS on day 16 and my device stopped working, I'd hardly feel like I had fair notice unless it was explicit somewhere in the instructions.)

              • shawnz 1868 days ago
                Where do they announce all the other IPs that need to be reachable in order to access YouTube? Why is the dependency on 8.8.8.8 being reachable somehow more annoying than the rest?
                • smcl 1868 days ago
                  Well there are nearly infinite ways to route traffic to/from YouTube.com, that is how the internet works. However for this product there is a very hard dependency on this one specific IP address, which isn’t documented and is pretty unreasonable
                  • shawnz 1868 days ago
                    > Well there are nearly infinite ways to route traffic to/from YouTube.com, that is how the internet works.

                    I'm talking about the endpoint. YouTube.com resolves to a finite set of IP addresses, and accessing YouTube requires that outgoing traffic is allowed to all of them. All of this is entirely under the control of Google, so how does adding one small additional dependency on 8.8.8.8 affect the end user's control in any way? It's just one more IP address that has to be allowed to be able to use YouTube, and it's equally as documented as the others (i.e. not documented at all).

                    Additionally, 8.8.8.8 uses anycast routing to distribute the requests over many servers. So it's not like having "one fixed IP" is any worse than having one fixed domain, as you seem to be implying. It's not a single point of failure.

                    • pixl97 1868 days ago
                      You do realize that many networks use DNS security products, right?

                      These networks block all DNS traffic to 'random' DNS servers, including 8.8.8.8, to prevent any number of different attacks. The security device can examine the DNS packet and say 'youtube.com = allowed', or 'yourtube.com = not allowed'. It can also do the reverse: "if youtube.com in 'expected_ip_set' then allow". By requiring this device to use outside DNS servers you are punching holes in the network for no particularly valid reason.

                      Unfiltered and uncontrolled DNS is a security risk. I can transmit all your company information out of your network easily with DNS queries.

                           get a $UUENCODED_DATA.sequence_id.attack.com
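The resolver-side checks pixl97 describes (name allowlist, expected answer set, spotting encoded data in query labels), as an added Python example that is not from this thread or from any vendor's product; the policy, the addresses and the log lines are constructed for illustration.

```python
"""Added example, not from the thread or any product: the checks a DNS
security control can apply once every query is forced through it
(name allowlist, expected answer set, encoded-label detection)."""
import math
from collections import Counter

# Constructed policy.  Addresses are documentation ranges (RFC 5737), not the
# real answers for these zones.
ALLOWED_ZONES = ("youtube.com", "googlevideo.com")
EXPECTED_ANSWERS = {"youtube.com": {"203.0.113.10", "203.0.113.11"}}
MAX_LABEL_LEN = 30      # longer than any label a human-chosen hostname needs
MIN_ENTROPY = 3.5       # bits per character; base64-like labels sit above this


def allowed_zone(name):
    """Return the allowlisted zone `name` falls under, or None."""
    for zone in ALLOWED_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def label_entropy(label):
    """Shannon entropy of one label, in bits per character."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunnel(name):
    """Encoded data travels as long or high-entropy labels; flag either."""
    for label in name.split("."):
        if len(label) > MAX_LABEL_LEN:
            return True
        if len(label) >= 16 and label_entropy(label) > MIN_ENTROPY:
            return True
    return False


def evaluate(line):
    """Verdict for one constructed log line: '<client> <qname> <qtype> <answer>'."""
    _client, qname, _qtype, answer = line.split()
    name = qname.rstrip(".").lower()
    if looks_like_tunnel(name):
        return "deny:tunnel-suspect"
    zone = allowed_zone(name)
    if zone is None:
        return "deny:zone"
    expected = EXPECTED_ANSWERS.get(zone)
    if expected is not None and answer not in expected:
        return "deny:unexpected-answer"   # answer outside the known set
    return "allow"


def audit(lines):
    """Apply evaluate() to every line, keeping the line beside its verdict."""
    return [(line, evaluate(line)) for line in lines]


# Constructed sample log: a legitimate lookup, a look-alike name, an answer
# outside the expected set, and a query carrying an encoded payload in its labels.
SAMPLE_LOG = [
    "10.0.0.42 youtube.com A 203.0.113.10",
    "10.0.0.42 yourtube.com A 198.51.100.7",
    "10.0.0.42 youtube.com A 198.51.100.9",
    "10.0.0.42 aGVsbG8gd29ybGQgdGhpcyBpcyBzZWNyZXQ.0001.attack.example A 192.0.2.1",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:24s} {line}")
```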
                      • shawnz 1868 days ago
                        Good points, although in this case allowing outgoing access to YouTube already allows unrestricted exfiltration of data (you could send a PM or post a comment on a video)
                    • smcl 1868 days ago
                      Ah I see - well if your position is that it's not that much of a big deal to add one more IP address and that customers shouldn't mind that much ... then that's pretty subjective. However the reason we are here and talking about this is that one very prominent customer really DOES mind. Judging from the other responses, this person is not alone.

                      The bigger picture here is that Google has a lot of power and any time they do something like hard-coding their own DNS server in a product (which could be construed as saying "we ARE the internet") people get worried and annoyed, whether this was a benign oversight, innocent mistake or a deliberate act.

        • tfehring 1868 days ago
          One reason to care is that https://pi-hole.net is DNS-based.
          • alias_neo 1868 days ago
            This was how I found out actually, see my other comment for more detail, but yes, this is one very good reason we would want control over our DNS.
        • sofaofthedamned 1868 days ago
          Not just Google - when you cast you handoff a URL to the CC to stream from - this could be from Netflix, or anywhere really. 8.8.8.8 as a brute-force backup I can understand, but by default it should be taking the network DHCP settings.
          • fixermark 1868 days ago
            That default, sadly, would basically guarantee the thing doesn't work for all too many users. And as a consumer electronics product (especially in the sub-$50 price-range), the market-smart thing to do is configure the defaults to work in the saddle-point of worst-case and common scenario (i.e. badly-configured local router talking to a standards-hostile ISP's DHCP configurations).
            • josteink 1868 days ago
              > That default, sadly, would basically guarantee the thing doesn't work for all too many users.

              Bold claim. Citation needed.

            • pdkl95 1868 days ago
              The proper thing to do is to use the DNS settings the DHCP server provided and test those settings by providing a server the device can look up and connect to (with TLS). If the server proves its authenticity, the DNS settings work. (Some devices might cache this result, others might do this during startup.)

              If an error occurs or a reasonably short timeout expires, the device can: if it has UI the user will see, it can report the problem to the user and ask if it's ok to try a common fix (which can be explained in detail in an optional "[technical details]" popup). If the user approves, then retry with the hardcoded DNS server (or any other workaround). If the device doesn't have a UI that could realistically ask this type of question, automatically trying the fix when the DNS test fails might be appropriate.

              TL;DR - don't make assumptions about the user's situation, even if you think it is "market-smart". Test for the required behavior and fail-safely by enabling the common workarounds.

              • fixermark 1868 days ago
                > it can report the problem to the user

                How? And what should the user do with that information?

                This device is not architected for users who know what DNS, DHCP, or TLS are, much less who care.

                • pdkl95 1868 days ago
                  > This device is not architected for users who know what DNS, DHCP, or TLS are, much less who care.

                  The only technical data I suggested showing the user was an optional "technical details" popup, for the rare cases when someone (perhaps you) actually was interested in that information.

                  > How?

                  Iff there is a useful UI, the same way they show anything to the user. I suggested automatically failing over to the hardcoded DNS server (or similar workarounds). (If the device is literally a lightbulb and the only "UI" is if the lightbulb is on or off, user interaction doesn't make sense; just failover.)

                  > And what should the user do with that information?

                  At a minimum, they are informed that something about their network required using a workaround. However, you seem to be missing the point: the minimal amount of user interaction I'm suggesting isn't (primarily) about informing the user. It's about asking permission to use their network contrary to how their network asked to be used. You are a guest on their network.

                  (If the DHCP server didn't provide a DNS server, then there is no problem; just use a known server.)

                  More importantly, I'm mostly talking about testing and failing over to the builtin DNS server, instead of simply assuming it's needed in "some" cases and turning it on for everyone. This shouldn't be difficult. The DHCP already happened; do the DNS lookup and check a special URL over TLS. If it fails or times out, change the DNS to Cloudflare's or Google's service and retry.
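pdkl95's proposed order (probe the DHCP-supplied resolver with a lookup plus a verified TLS connection, and fall back to a hard-coded public resolver only when that fails), as an added Python example that is neither Google's code nor pdkl95's own; PROBE_HOST, the fallback list and the probe target are assumptions made for this example.

```python
"""Added example (not Google's code and not pdkl95's): probe the DHCP-supplied
resolver first and fall back to a hard-coded public resolver only when that
probe fails."""
import random
import socket
import ssl
import struct

# Constructed for this example: a host whose TLS certificate the device can
# verify, and the two public resolvers the thread mentions as fallbacks.
PROBE_HOST = "example.com"
FALLBACK_RESOLVERS = ["1.1.1.1", "8.8.8.8"]


def build_a_query(name, txid):
    """Minimal DNS query: one question, type A, class IN, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg, txid):
    """IPv4 addresses from the answer section; [] on id mismatch, RCODE or junk."""
    try:
        rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if rid != txid or not flags & 0x8000 or flags & 0x000F:
            return []                    # wrong id, not a response, or error
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
        addrs = []
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rclass == 1 and rdlen == 4:
                addrs.append(socket.inet_ntoa(msg[off:off + 4]))
            off += rdlen
        return addrs
    except (IndexError, struct.error):
        return []


def resolver_works(server, timeout=2.0):
    """Ask `server` for PROBE_HOST, then prove the answer with a verified TLS
    handshake.  A resolver that drops, rewrites or hijacks the query fails."""
    txid = random.randrange(0x10000)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
            udp.settimeout(timeout)
            udp.sendto(build_a_query(PROBE_HOST, txid), (server, 53))
            reply, _ = udp.recvfrom(512)
        addrs = parse_a_answers(reply, txid)
        if not addrs:
            return False
        ctx = ssl.create_default_context()       # chain + hostname checks
        with socket.create_connection((addrs[0], 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=PROBE_HOST):
                return True
    except (OSError, ssl.SSLError):
        return False


def choose_resolver(dhcp_resolvers, probe=resolver_works, allow_fallback=lambda: True):
    """Try the network's own resolvers first.  Only if they all fail (and the
    user, where there is a UI, agrees) try the hard-coded fallbacks.  No DHCP
    resolver at all means there is nothing to respect, so fall back directly.
    `probe` and `allow_fallback` are injectable so the logic runs offline."""
    for server in dhcp_resolvers:
        if probe(server):
            return server
    if not dhcp_resolvers or allow_fallback():
        for server in FALLBACK_RESOLVERS:
            if probe(server):
                return server
    return None


if __name__ == "__main__":
    print(choose_resolver(["192.0.2.53"]))   # placeholder for the DHCP resolver
```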

                  • fixermark 1868 days ago
                    That seems to add a lot of logic and interaction complexity to work around a problem that is only a problem for people who already have the technical skill to remap 8.8.8.8 to their preferred DNS server anyway.
              • shawnz 1868 days ago
                > don't make assumptions about the user's situation

                Using 8.8.8.8 is exactly the opposite of an assumption. It always works in any config, that's the point.

                EDIT: Besides, obviously, the OP's extremely unusual config, where he is effectively just blocking the service with his firewall. Why isn't he outraged about having to unblock all of YouTube's other IPs? What's special about 8.8.8.8?

                • Sylamore 1868 days ago
                  8.8.8.8 isn't a youtube IP, it's Google's DNS service. Most networks hand out their own DNS and generally expect clients on their network to be using it. While most consumer home networks are very permissive not every network is and not respecting the dns server handed to a client by DHCP is broken behavior.
                  • shawnz 1868 days ago
                    I addressed these points already in other places through this thread: Why would it be any different if they just hardcoded the IP to YouTube? Would that also be "not respecting the DNS server from the DHCP client"? What if they used a proprietary protocol (not DNS) to look up the IP to YouTube?

                    Just because your network provides a DNS server does not mean that it makes sense to use that DNS server for every single IP address lookup in every piece of software. It's there for general internet browsing purposes, not specialized proprietary purposes like this.

                • vetinari 1868 days ago
                  The point is that 8.8.8.8 doesn't always work. The linked article is about highlighting exactly that.
        • syn0byte 1868 days ago
          CDN and routing optimization a la 'ECS'. Also ISPs that inject or screw with DNS queries. It's easier and, more importantly, cheaper to get all the same metrics and data from other sources rather than DNS. (And you already consented to those other data sources.)

          I don't trust they aren't evil, they are. I trust they are also smart.

      • fixermark 1868 days ago
        If you're savvy enough to configure your own DNS server, you're probably savvy enough to modify ip table resolution.
    • becauseiam 1868 days ago
      Good behaviour really is honoring the resolvers provided in a DHCP answer.
  • kop316 1868 days ago
    What I ended up doing to ensure this for any of the devices I have is use pfSense to force all DNS queries to go to my DNS server:

    https://docs.netgate.com/pfsense/en/latest/dns/blocking-dns-...

  • cotillion 1868 days ago
    Just the fact that you can't cast your own local content when the mothership is down makes me want to throw out all cast devices. Ignoring DNS servers seems like a very minor issue.
    • fixermark 1868 days ago
      Have you verified you can't cast your own local content if 8.8.8.8 is down? I thought it did a fallback.
      • mthoms 1868 days ago
        I've not tried it myself, but the title does say the device won't start without it.
  • ChuckMcM 1868 days ago
    Gotta love Paul's approach. Amazing to see things that break when you run a black hole DNS server on your inside network. I have a Samsung TV that won't complete boot until it has verified there aren't any firmware updates at Samsung. I finally resorted to copying the http response traffic and having a bit of code on my RasPi return it when the TV asks (it says "no new firmware for you"). Of course these sorts of tricks will fail when vendors get wise to them and start returning an encrypted time and date nonce in the response.
    • mrweasel 1868 days ago
      The extent to which modern appliances feel a need to be internet connected is getting ridiculous. My TV isn't going to be internet connected, even if it's able to. It simply has no reason to.

      Smart TVs in particular should not be a thing. The TV manufacturers have proven themselves incapable of writing and maintaining software, so at this point they should accept defeat and just produce TVs with enough HDMI connections.

      • ChuckMcM 1868 days ago
        > My TV isn't going to be internet connected, even if it's able to.

        I admire your sentiment but recognize that on the current path that means at some point in the future this choice will mean "I don't have a TV." What is missed here, and alluded to in other comments, is that the costs for things are being subsidized by selling the digital exhaust they generate. Creating more exhaust means more margin, less (or even zero) exhaust means less margin. Since consumer electronics compete on price, a zero exhaust device will cost more and won't sell as well. So the market won't produce them. Further, the ability to convert a consumer device to one that generates zero exhaust will get targeted, and since there is no way to "win" that race, the final act will be a consumer device that refuses to operate if its ability to spew digital breadcrumbs is disrupted. Just like HP "all in one" printers will refuse to scan a document if they are low on ink. They don't need ink to scan, but the purpose of the printer is to create a recurring revenue stream for high margin ink, so all functions are in service to that purpose. Allowing utility that would mitigate the need to buy ink is unacceptable.

        • userbinator 1868 days ago
          This article from a while back (almost 6 years!) turned me off the idea of "smart" TVs completely: https://news.ycombinator.com/item?id=6759426

          Fortunately, you can currently still spend a little extra to "stupify" a smart TV --- figure out what LCD panel it uses, then replace the "smart" part of it with a suitable driver board (search the Internet for "HDMI LVDS" --- these are basically what computer monitors use.) Interfaces are reasonably standard so they're compatible with a wide range of panels. Example: https://www.aliexpress.com/item/10-bit-lvds-controller-for-p...

        • mrweasel 1868 days ago
          Sadly I have to agree with you, that is the way we're heading. Short term, for TVs, I can just buy a large monitor and a sound bar, if I'm willing to pay more.

          Your general concept of "digital exhaust" is good though. It's extremely clear in phones. I can either pay for Apple and limit my exhaust, or I can get an Android phone and pay the difference with my data.

      • slededit 1868 days ago
        A lot of people I know are specifically shopping for smart TVs. They want a Netflix box with a screen.
  • mrcarruthers 1868 days ago
    My Roku does (almost) the same thing. It defaults to 8.8.8.8 to attempt to block dns proxies, but if you block 8.8.8.8 on your router, unlike the Chromecast, it will actually use the DNS server my router provides.
    • nickspacek 1868 days ago
      I believe that this approach also used to work with the Chromecast.
  • cfv 1868 days ago
    My oven should not refuse to work if my gas pipes are not from the same maker. The ability to set up my own products to whatever config I like is not an extraordinary request. Especially when it's the default operating mode with an off brand product. Google should collectively be ashamed.
  • crankylinuxuser 1868 days ago
    For those running Linux machines for networking..

         # nat PREROUTING sees packets arriving from other devices on the LAN;
         # the OUTPUT chain would only catch queries made by this machine itself.
         sudo iptables -t nat -I PREROUTING --dst 8.8.8.8 -p tcp --dport 53 -j REDIRECT --to-ports 53
         sudo iptables -t nat -I PREROUTING --dst 8.8.4.4 -p tcp --dport 53 -j REDIRECT --to-ports 53
         sudo iptables -t nat -I PREROUTING --dst 8.8.8.8 -p udp --dport 53 -j REDIRECT --to-ports 53
         sudo iptables -t nat -I PREROUTING --dst 8.8.4.4 -p udp --dport 53 -j REDIRECT --to-ports 53
    
    What that does is catch requests coming in from the network going to Google's DNS, and redirect them to that local machine's port 53 (be it TCP or UDP).

    It's an ugly hack, but things like PiHoles can reliably do this with little to no extra load, and keep the Google spy engine off your tracks. But then we'll have to discuss using a Chrome..

  • scrollaway 1868 days ago
    I'm always shocked at how easy it is for people to fall into the "Google is evil!!1" trap on such trivial stuff (and funnily enough, much more serious privacy issues related to Google are ignored/downvoted).

    Hardcoded DNS servers are common. Extremely common in a bunch of IOT devices, given how broken some ISPs are. This is a non-story and the only reason it's being upvoted is because Google is doing it, and they also control the DNS server.

    You know what would be an actual story though? If Google used Google DNS to spy on people. If anyone has concrete evidence that they're doing that, that is a big fucking deal. Not some email about a google-complaint-of-the-week.

    Edit: To be clear I'd agree that in a high quality product there needs to be a way to change the DNS servers. Then again, this is a $30 device to hook up TVs, and I've seen $200 routers lacking that ability.

    ----

    Edit 2, elaborating on the above: You make a cheap device that will likely end up in millions of homes and your #1 support issue is "It doesn't work [because my ISP is terrible therefore my network configuration is shit]!". What do you do? Do you tell your consumers to suck it up and talk to their ISP? Or do you… hardcode a DNS server that you at least know will work?

    "Issues" like this one are non-issues and distract from the myriad of very real privacy issues coming out of Google. Yes, this should be configurable at the very least… then again, Google products aren't exactly known for their wonderful configurability.

    • anilakar 1868 days ago
      It's being upvoted because the issue was raised by none other than the father of DNS.
      • creeble 1868 days ago
        Well... Paul Mockapetris may not agree with that. But he's also the kind of guy who wouldn't mind.
      • scrollaway 1868 days ago
        Given the ratio of people who upvote stories based on their title without clicking through, I highly doubt that.
        • dang 1868 days ago
          We don't know what that ratio is, as we don't track it, and I'm skeptical that anyone does.
          • scrollaway 1868 days ago
            shrugs I wasn't referring specifically to HN, nor was I trying to suggest I know the exact ratio. What I know is it's extremely unlikely that this story is being upvoted because of that given that 1. A lot of people upvote on title alone (I'll die on that hill); 2. Not many people know who Paul Vixie is; 3. Those that do might not notice the name in the UI/email (I certainly didn't).
            • mburns 1868 days ago
              That’s something you believe. Die on whatever hill you choose.

              The top comment on HN explains who Paul Vixie is. I believe people tend to read comments before reading the article or voting.

              • scrollaway 1868 days ago
                The current top comment was not written at the time I wrote mine, and was not top comment until less than an hour ago.

                If you want a spot on my hill, I have room to rent.

    • apostacy 1868 days ago
      This isn't a case of an IOT device though. My Chromecast went through a massive amount of trouble to use Google's DNS servers, to serve ads behind my pi-hole.

      It would respect all of my DHCP parameters, but silently ignore DNS settings.

      It was clearly intentional to serve ads. I had to set up a firewall to force it to use my DNS server. And eventually even that stopped working with an update (which themselves are really hard to block).

      I think the Chromecast is the ideal Google device, and a preview of what Google's model is: It slowly removes features through updates that you cannot turn off, and would rather fail completely than not be able to serve you ads.

      • scrollaway 1868 days ago
        I can't really entertain the suggestion that pi-holes are considered by Google as a serious-enough threat that they'd go through this trouble just to fuck with it.

        Seriously, think about the venn diagram of Chromecast users and pi-hole users. It looks a lot like a tennis ball being dropped into the sun.

        • apostacy 1868 days ago
          Um, the pi-hole wasn't specifically targeted. They just wouldn't accept anything other than Google's DNS. Some ISPs will do DNS hijinks too, like transparently intercepting port 53 traffic and re-routing it.
        • disiplus 1868 days ago
          I don't think it's totally unreasonable. The same thing could be said about the people who used adblock back in the day, but I'm sure Google, knowing what they know now, would never let it through. I'm pretty sure they are actively thinking about it now and how to ensure that they can deliver what they want directly to our eyes no matter what. From the position of Google everything else would be stupid; I'm pretty sure they learned the lesson.
          • scrollaway 1868 days ago
            Google would certainly be aware of pi-holes and the potential of the threat, but to put things back in context we're talking about a mass-market device which has to deal with bad network config, bad isps, bad routers, etc. What's more likely?
      • steelframe 1868 days ago
        I really gave Chromecast an honest run for the money. One day at the start of the weekend, it started hanging at 80% when initiating streaming content I had purchased on the Play store. The forums had a ton of other people who were complaining about the same thing. Google had pushed out an update that they apparently hadn't even done the most rudimentary testing on. They didn't roll back, and they didn't fix it until after the weekend. I replaced it with a Roku, and I no longer trust Google to do consumer devices.
      • FactolSarin 1868 days ago
        The Chromecast doesn't serve ads. Individual services you run on it might, but I doubt those are being served through Google's DNS server.
        • alias_neo 1868 days ago
          The Chromecast hard-codes Google DNS so _any_ service you run on it resolves through Google DNS.
      • fixermark 1868 days ago
        How is "hardcoding 8.8.8.8" a "massive amount of trouble?"
      • FakeComments 1868 days ago
        > would rather fail completely than not be able to serve you ads.

        Google is an ad company; if you don’t watch the ads, you’re not a useful product.

        It doesn’t matter you “bought a product”, this behavior is their corporate DNA. It’s the Office to their Microsoft. Time and time again, we see a clear behavior from Google: that everything feeds the ad machine — or else!

        • SmellyGeekBoy 1868 days ago
          As always, don't let facts get in the way of a good rant.
          • FakeComments 1868 days ago
            There is a continual and persistent trend in Google’s behavior, across a broad range of products. While any lone action might be explainable, as a pattern, they’re poor conduct.
      • Legogris 1868 days ago
        Could you solve this by just routing 8.8.8.8 to your own DNS inside your network?
        • apostacy 1868 days ago
          How is that simple? I know a lot of developers that couldn't easily do that.
          • Spivak 1868 days ago
            I wouldn't necessarily expect a developer to know how to manipulate network traffic. The OSI model extends a bit to humans as well. But any network engineer can add a DNAT rule.
        • alias_neo 1868 days ago
          This is how I solved it.

          Someone above says an update prevented this somehow, though.

          • jrockway 1868 days ago
            It seems unlikely to me that the DNS client has the sophistication to know that it's not Google's 8.8.8.8 that it's talking to. That would be a nightmare to maintain; the 8.8.8.8 team changes some implementation detail, and then all Google clients stop working (and are now unable to update because they refuse to resolve DNS names)? I doubt they implemented that because it's crazy.
            • mthoms 1868 days ago
              >It seems unlikely to me that the DNS client has the sophistication to know that it's not Google's 8.8.8.8 that it's talking to

              I don't know much about DNS but based on what I do know I would think this to be trivial(?). All you'd need to do is make a request for a domain that doesn't exist. Something like "is-this-google-dns-im-connecting-with.google" or <salted hash of current timestamp>.com. Google DNS could be coded to respond accordingly.

              So no DNS response, or not the response you were expecting = not Google DNS.

              • cwkoss 1868 days ago
                Clever, kind of reminds me of how map makers insert fake 'trap streets' to prove copyright theft.
            • pixl97 1868 days ago
              >It seems unlikely to me that the DNS client has the sophistication to know that it's not Google's 8.8.8.8 that it's talking to.

              DNS over TLS and DNS over HTTPS will change that. Google has pushed encryption in all their other products, and is pushing these implementations so do not be surprised when their end user devices use it by default.

            • alias_neo 1868 days ago
              I also don't see a way they could do it, but then I only know just enough to be dangerous, as they say.
      • mgoetzke 1868 days ago
        How is it showing you ads? Haven't seen any yet.
        • rmoriz 1868 days ago
          pi-hole also blocks tracking services. And I'm sure chromecast is full of tracking to enhance the value of your account.
          • SmellyGeekBoy 1868 days ago
            Surely you'd know, right? As Pi-Hole logs all of this stuff.
            • rmoriz 1868 days ago
              just install apps or use chrome to browse (on Chromecast Ultra of course)
      • em-bee 1866 days ago
        hmm, won't that all get worse with DNS over HTTPS?

        here i thought DoH was the panacea, solving all our DNS troubles. but this is one case where DoH doesn't help at all. on the contrary. with DoH we will have no control at all where our apps resolve their DNS requests.

      • znpy 1868 days ago
        I was going to post something similar. This is not an accident or a mistake. This was done on purpose.
      • pexaizix 1868 days ago
        >My Chromecast went through massive amount of trouble to use Google's DNS servers

        No it didn't, it just queried 8.8.8.8 instead of whatever DNS server your DHCP configuration told it to use.

        Putting "nameserver 8.8.8.8" in /etc/resolv.conf and marking it read-only would have the same effect. Doesn't look like much trouble does it?

        • adsadadsad 1868 days ago
          Maybe. But it's trivial, for your ADSL/DSL/Fiber shitty $30 router to intercept port 53/(udp|tcp), bind it to its own local dnsmasq or whatever and then send DNS onward to DHCP DNS servers supplied by your ISP. When I say trivial I mean I've seen it happen on several setups, old me - we'll just change the DNS on this box to bust the cache here to 1.1.1.1(CF)/8.8.8.8(EvilG) but still end up at shitty ISP DNS servers (and their poisoned cache regardless). There's a reason for the push for DNS over HTTPS.

          You think you're guaranteed to be querying 8.8.8.8 with "nslookup hostname.tld 8.8.8.8"?

          • josteink 1868 days ago
            > bind it to its own local dnsmasq or whatever and then send DNS onward to DHCP DNS servers supplied by your ISP... There's a reason for the push for DNS over HTTPS.

            This is looking at things totally backwards. You have a local problem, a broken router, and you suggest we fix this by changing how all edge nodes on the internet work.

            In the age of ever increasing, untrustworthy IOT-devices, you don’t solve this problem by taking control away from the network operator. You need to increase his control. Taking DNS out of his hands is literally madness.

            Good luck trying to block their attempts to spy and report on you now!

            DNS over HTTPS is going to cause a shitload more problems than it solves.

            • skybrian 1868 days ago
              In a world of mobile devices and public WiFi spots set up by random businesses, you're saying we should trust the network operator? That's a rather odd argument.
            • forgottenpass 1868 days ago
              >DNS over HTTPS is going to cause a shitload more problems than it solves.

              Oh, absolutely. What I wonder is if people don't notice this, or they do but believe Google is right in pushing fundamental internet design decisions that prioritize Google's incidental access to surveillance data over a high quality and resilient network for everyone.

              • LinuxBender 1868 days ago
                I believe that they have created a double-edged razor blade. DoH can protect people that have malicious ISP's. It also hands over a lot more control to Google. I don't like either of those scenarios.

                By control, what I mean is that once DoH usage to G servers hits critical mass, they can decide who can visit what. Not that they would, but they can. People generally do what people can do.

            • adsadadsad 1868 days ago
              I'm not sure I'm following. Why is HTTPS going to cause a shitload more problems?
              • zrm 1868 days ago
                Because it's encrypted to the app rather than the endpoint's OS or local DNS, so it's more difficult for the system owner to override it or implement a systemic policy.

                The performance characteristics are also rather unfortunate. TCP handshake + TLS handshake with multiple public key operations + TCP protocol overhead adds quite a lot of both latency and computation vs. UDP DNS. DoH is even worse. There would have been ways (e.g. DNSCurve) to get equivalent or better security with less latency and computation if it weren't for horrible middleboxes breaking everything they don't understand.

                And all that complexity is attack surface.

              • josteink 1868 days ago
                Not HTTPS. DNS over HTTPS.

                If we create internet infrastructure (like DNS over HTTPS) which prevents network operators from actually operating their networks, I’m 100% confident we will find it has bad, unintended and irreversible consequences.

                • joshstrange 1868 days ago
                  If by "network operators" you mean ISPs then I don't care. They have proven beyond a shadow of a doubt that they are malicious ones more often than not and I want them to be a dumb pipe NOT someone who is mucking around with my network. I will take being able to PICK who I trust my DNS with over being forced to use my ISP's any day of the week. One of those things I can change, one of them I cannot.
                  • josteink 1868 days ago
                    By network operator I mean me, the person controlling my own local network.

                    Also: ISPs behave nice almost everywhere in the world where there is proper regulation.

                    What you have in the US is not a technical problem. It’s a regulatory one.

                    • disiplus 1868 days ago
                      Yup, hey, I bought this device that I cannot see what it is doing exactly. Great.
                • LinuxBender 1868 days ago
                  Agreed. Many orgs will end up null routing the DoH resolver IP addresses. I warned them about this from the start of DoH development and they ignored me, since most end users won't block anything.
          • pexaizix 1868 days ago
            Yes I know. I've had it happen to me with a Huawei HG556a. You could disable it with admin access... which the ISP would not give you. Fun times.

            A good way of bypassing this would be to simply have Google run their DNS server on a port other than 53. But I don't believe you can set a different port in /etc/resolv.conf

            • adsadadsad 1868 days ago
              Possibly feasible with local netfilter/iptables rules or maybe a userland proxy/rerouter. Set /etc/resolv.conf to localhost:53, have that forward to 8.8.8.8:1053 or whatever, but without encryption it could be detected, I'm guessing, with deep packet filtering (hopefully beyond the throughput constraints of eyeball ISPs).
        • apostacy 1868 days ago
          Is it reasonable to fail if you can't access a specific DNS server? This is unexpected behavior.

          And I don't have access to the /etc/resolv.conf on my Chromecast, that's the problem! Anyway, there's a new thread on this specific phenomenon. I'm glad I'm not the only one: https://news.ycombinator.com/item?id=19170671

          • kurtisc 1868 days ago
            If it's a hot-fix for ISP troubles then I can imagine it being overlooked. Nobody working at Google would ever fail to connect to 8.8.8.8 while developing it.
        • adsadadsad 1868 days ago
          Oh and in the Chromecast (non-Ultra anyway), Chromecast attempts to ignore any DNS servers supplied by your DHCP - hence why the watch-TV VPNs' SmartDNS fails. Good luck rooting your Chromecast and chattr +i its /etc/resolv.conf
          • SmellyGeekBoy 1868 days ago
            How does a device "attempt to ignore" DNS servers supplied by DHCP? Like all devices connected to a network it must either use DHCP to get your DNS server or use a hardcoded value, it's not some kind of conspiracy.
            • adsadadsad 1868 days ago
              "Attempt to ignore" Great question. So it uses hardcoded values of 8.8.8.8/8.8.4.4, unless it can't contact them by testing to resolve connectivity-test.google.com (or something like that), if it can't then it falls back to the DNS servers provided by your DHCP server/router. So to use smartdns with chromecast you have to both set your router to provide the SmartDNS servers and also blackhole 8.8.8.8/8.8.4.4 on your shitty ISP router (iirc static routes) - conspiracy? - i'll leave that to you? (the smartdns route is necessary since chromecast don't have their own VPN facility)
    • judge2020 1868 days ago
      > You know what would be an actual story though? If Google used Google DNS to spy on people.

      this. I highly doubt Google is actually using DNS for tracking or connecting queries to someone's account, especially when they say they don't [1].

      Many people say "use Cloudflare DNS if you're worried about privacy", but Google effectively makes the same claim as Cloudflare that they don't use DNS to track you. The only plus you get from Cloudflare is how they get KPMG to audit and ensure they're not logging IPs forever.

      1: https://developers.google.com/speed/public-dns/privacy

      • manyxcxi 1868 days ago
        CloudFlare makes their money differently than Google though. Google wants to figure out how to most efficiently put other people's ads in front of me, and to sell my attention for the most value. Even if they have absolutely no ulterior motives (evil or otherwise), Google's business is one such that they have every motive to abuse my privacy for their own gain.

        CloudFlare doesn’t make their money off of brokering my attention, they have a decent track record of doing the ‘right’ things (or at least not the ‘wrong’ things), and they’ve made some decently pro-privacy statements in the past.

        It seems that everyone wants to collect data on everything and figure out how to sell it off, so I’m not putting it out of the realm of possibility that CloudFlare could do shady stuff and abuse my privacy as well- but their general line of business doesn’t require it the way Google’s does.

        All things otherwise equal, I'm gonna trust the company whose business isn't selling my profile a bit more for most things. I used to use Google DNS a lot, now I use CloudFlare's. I trust them both more than Comcast, AT&T, and Verizon with respect to technical competency and security at the very least.

        • saalweachter 1868 days ago
          Why do you think CloudFlare has less incentive to sell your data than Google?

          Both CloudFlare and Google are for-profit corporations which want to take actions to maximize their profits. Insomuch as they are profit maximizing, we should expect them to take actions where the expected gain is greater than the expected cost, and to prioritize actions which have the maximum gain over actions which are only barely profitable.

          If the cost -- in terms of extra labor and reputation if the data-selling becomes public -- is estimated to be less than people are willing to pay for the data, why would any profit-seeking corporation choose not to sell your data?

          We can't trust companies not to sell poisoned food, even though that's a huge reputational hit. We can't trust companies manufacturing herbal, vitamin or nutritional supplements to actually put the herb, vitamin or nutritional factor they claim they are in the bottles they sell. We can't trust the makers of USB cables to produce cables that actually meet the USB specifications. Why should we believe that any corporation, regardless of whether or not you pay them for their goods and services, would leave the money to be made selling your data on the table, even if there's a potential reputational hit if the practice becomes public?

          • mises 1868 days ago
            Google's stock-in-trade is personal data. They use it to sell, and they use it to gather more data and to make data about that data. It's kind of scary.

            But Cloudflare's business model is different: they get rich by making the internet faster. Plus, it's great publicity for them. Their customer acquisition focuses largely on winning developers (by letting them use a great, barely cut-down-at-all service for free) so they use it in companies later. This helps with that a lot.

      • eeeeeeeeeeeee 1868 days ago
        You have to trust any place you send your traffic, but I trust Cloudflare more than Google simply because of their business model. People get too caught up in "evil!" but it's simply about business models and how likely a business is to bend towards unethical behavior to stay in business, or continue to grow revenue/profits.

        Cloudflare doesn't need to analyze my data to make money -- they offer a great service that people will throw money at them to use.

      • rmoriz 1868 days ago
        > I highly doubt Google is actually using DNS for tracking or connecting queries to someone's account, especially when they say they don't [1].

        But pi-hole (or other privacy dns appliances/services) also block tracking targets. By enabling/enforcing the "free and unaltered internet experience" Google also ensures access to tracking.

      • JohnFen 1868 days ago
        > I highly doubt Google is actually using DNS for tracking or connecting queries to someone's account, especially when they say they don't

        Why do you doubt it? This behavior would be consistent with Google's behavior generally.

    • dictum 1868 days ago
      This is unduly paternalistic: a story is whatever the HN community decides to pay attention to, even if that leaves out important stories or puts a spotlight on minor trivia.

      > You know what would be an actual story though? If Google used Google DNS to spy on people. If anyone has concrete evidence that they're doing that, that is a big fucking deal.

      I'm an optimist, but I'm also cynical enough to foresee the same complaints — it's not a story! everyone does it — if that came to pass.

      Prevention is important because in real life you can almost never recoup the losses as easily. You can take it to the courts etc. but if your data leaks, it's out there, you can't undo it.

      • scrollaway 1868 days ago
        > This is unduly paternalistic

        You're right, I'm sorry. I edited my post a bit to soften it.

        > I'm an optimist, but I'm also cynical enough to foresee the same complaints

        Well, maybe. I would hope not, specifically because Google has made previous guarantees that they do not use that data for spying.

        It's different when it's your ISP, which already does tons of shady shit and buried somewhere in your TOS that they do this stuff.

        I don't find it any more acceptable, but it would or at least should be a bigger story if Google was doing it with Google DNS.

        • pixl97 1868 days ago
          You do realize your ISP can spy on any DNS records passing its routers with deep packet inspection right? Only DNS(HTTPS/TLS) can fix that.
    • tyingq 1868 days ago
      "I'm always shocked at how easy it is for people to fall into the "Google is evil!!1" trap on such trivial stuff"

      Google's smart though. They know that rolling out unsavory ideas in small pieces keeps it under the radar.

      They didn't, for example, push the organic search results under the fold all at once.

      This could be innocuous, or part of some larger agenda.

      • JorgeGT 1868 days ago
        This is usually called salami slicing: https://en.wikipedia.org/wiki/Salami_slicing See also the boiling frog fable: https://en.wikipedia.org/wiki/Boiling_frog
        • thecatspaw 1868 days ago
          Or privacy zuckering
        • misterhtmlcss 1868 days ago
          That's like my favorite comedy, but few people know their history well enough to laugh at the jokes anymore :(
      • OedipusRex 1868 days ago
        I don't really see the point of changing the DNS settings to watch YouTube, either way Google will know what you're watching. I know the Chromecast can do other casting but I assume those services (Netflix, Hulu, etc) are using more than just DNS queries as well to see what you watch. And if you're casting local media then no DNS goes out at all.
        • tyingq 1868 days ago
          Could be some other motivation, like making it not work in typical corporate environments, where arbitrary external DNS access isn't a given. Perhaps to upsell some other, more expensive device.

          (Maybe not this, just an example to note that motivation can be hard to discern)

      • dictum 1868 days ago
        Irrespective of motivations/agenda, we can look at the current state of the consumer-facing Internet (the trend continues): https://news.ycombinator.com/item?id=16421072
    • lelf 1868 days ago
      > If Google used Google DNS to spy on people

      Are you seriously thinking they don't store/analyse/use that kind of information??? (That's every site you visit, at minimum.)

      • joshuamorton 1868 days ago
        Yes.

        They don't. They guarantee they don't.

        The spooky answer is they don't need it.

        • mthoms 1868 days ago
          They don't retain IP addresses beyond 48 hours but they may retain other information (permanently). For example, the domain requested, your ISP and your approximate location (city or region).

          https://developers.google.com/speed/public-dns/privacy

          So, while it can't be traced back to you, it is absolutely useful information for their business. Why do you think they offer the service? To be nice?

        • llukas 1868 days ago
          This guarantee is one TOS change away from vanishing...
          • joshuamorton 1868 days ago
            Then they'd need to announce that to all of the users of their DNS service.

            You tell me how to do that.

            • mthoms 1868 days ago
              They'd do it the same way every web service since the beginning of the internet has done it.

              "By using service X you are agreeing to be bound by the terms located at .... "

              • joshuamorton 1868 days ago
                Changing privacy policies doesn't work that way. You have to inform users of the changes, or they can claim that they didn't know and aren't bound by it.

                That's why whenever companies change their ToS you get email/notifications/actual mail informing you of the changes.

                You can't do that for DNS.

                • mthoms 1863 days ago
                  > Changing privacy policies doesn't work that way.

                  Legally speaking, yes it does. It's a free service. The only obligation they have is to make their terms freely accessible, and to publicize any major changes.

                  You seem to be implying that Google and other free DNS providers have never changed their privacy policies since there's no good way to notify the users. Google's own website (and the Internet Archive) totally contradict this.

                  https://developers.google.com/speed/public-dns/privacy

                  "Last updated October 29, 2018."

        • JohnFen 1868 days ago
          > They guarantee they don't.

          They claim that they don't. You have no way of knowing if they're lying or not, though, so it boils down to "do you trust Google?"

          You do, and that's fair. I don't, and that's also fair.

    • eeeeeeeeeeeee 1868 days ago
      I would actually find it much more annoying from a troubleshooting perspective if every single IOT device I buy has a different hard-coded DNS server, provided by that manufacturer, instead of the one set by my local DHCP server. Because when the DNS set by your network fails, everything fails almost instantly and it's fairly easy to spot the problem from any device on your network.

      RE: configurability ... I thought one of the main reasons people went with Google over Apple, specifically with Android, was precisely because of their configurability. Every person I talk to that left iOS tells me this.

      • scrollaway 1868 days ago
        Android is the exception IMO. Google's products are notoriously unconfigurable. For example, Chrome got a lot of flak over this especially in its early days.

        Android also seems to be going the way of iOS on many fronts, because as it turns out, this philosophy makes things hard to maintain.

    • jglazko 1868 days ago
      Note that the original email complaint linked to was written by Paul Vixie, one of the major DNS creators/contributors.
    • clubm8 1868 days ago
      >You know what would be an actual story though? If Google used Google DNS to spy on people. If anyone has concrete evidence that they're doing that, that is a big fucking deal.

      In general data that exists can be subpoenaed, and if the logs don't exist a court order can make them begin to exist.

    • reaperducer 1868 days ago
      Hardcoded DNS servers are common

      Common != Right.

    • Rapzid 1868 days ago
      I have a said expensive router, a Nighthawk, that will only advertise itself as the DNS and proxy requests. Unfortunately it's really bad at that and I was getting lots of lookup failures. Now I hardcode most of my devices to 8.8.8.8 .

      I can totally see how they and other IoT vendors would want to do that. What boggles my mind is that so many people believe the feature implemented was "Use 8.8.8.8 and break otherwise so we can trojan our DNS into places" instead of "Hardcode 8.8.8.8 so it works in most cases".

    • kilroy123 1868 days ago
      Personally, I think they kind of _are_. I now no longer point to or use Google's DNS because of this. Call me paranoid.
      • scrollaway 1868 days ago
        For what it's worth I don't think that's paranoid at all. You don't want to deal with Google, so you don't introduce them to your network, that's reasonable.

        What is paranoid IMO is some commenters' (as well as seemingly Paul Vixie's) implication that Google does this trick with the Chromecast to better spy on people, which completely goes against Occam's Razor.

        • cwkoss 1868 days ago
          I mean, spying on people is the foundation of their entire ad market. They have means and motive, the only question is whether they've followed through.
    • peterwwillis 1868 days ago
      > If Google used Google DNS to spy on people

      It's not "spying". Google DNS just "monetizes data sent through Google servers". Like they do with Chrome Data Saver, or Amp, or Calendar, or Contacts, or Voice, or GKeyboard, or Photos, or Maps, or Gmail, or Search, or...

    • CivBase 1868 days ago
      > You know what would be an actual story though? If Google used Google DNS to spy on people.

      What constitutes "spying" to you? Do you honestly believe Google isn't mapping your IP address to your account and monitoring your DNS requests to influence the ads they serve to you?

      • mankyd 1868 days ago
        https://developers.google.com/speed/public-dns/privacy

        > We don't correlate or combine information from our temporary or permanent logs with any personal information that you have provided Google for other services.

        • CivBase 1868 days ago
          Fair enough.
          • pdkl95 1868 days ago
            That page is full of doublespeak. They claim they "don't keep personally identifiable information or IP information" in the permanent logs, but then go on to explain how they log everything else that you would need to track someone. In addition to saving everything about the DNS query itself (domain, record type, etc), they also admit to logging (quoting from the above URL):

            * Client's AS (autonomous system or ISP), e.g. AS15169

            * User's geolocation information: i.e. geocode, region ID, city ID, and metro code

            * Absolute arrival time in seconds

            While Google's AS that they use as an example is huge[1], sometimes the AS is very revealing[2] and only maps to a few addresses[3]. Combined with the geo-data, if you're on a smaller AS, Google has better tracking data than the IP address that is easy to correlate back to unique users[4].

            As for their claim that "We don't correlate or combine information from our temporary or permanent logs with any personal information that you have provided Google for other services."

            There is a lot of carefully chosen language in that claim. You didn't "provide" them with the AS number or geo-data; they looked that stuff up based on your IP address. How are they defining "personal information", and exactly what counts as "provided Google for other services."? These are totally undefined terms and companies have a tendency to evolve their definitions of important-but-not-strictly-defined terminology as the Overton window shifts and bad behavior becomes sufficiently normalized that they can use the "everybody is doing it" excuse.

            But looking at it in terms of what they currently say misses the larger problem: unless they have shown that their ability to amend this policy is restricted by a Ulysses Contract[5][6], they can change their policy at any time. They can also have the policy changed by an external power, against their will (e.g. a court could order them to start logging (w/ a timestamp) who communicated with them[7], even if they didn't want to).

            [1] "IPs Originated (v4): 8,717,056" https://bgp.he.net/AS15169

            [2] Google is admitting to logging which entry on this list each DNS requests originated from (warning, big page, only has US data): https://www.whatismyip.com/asn/US/

            [3] "IPs Originated (v4): 256" https://bgp.he.net/AS54007

            [4] https://news.ycombinator.com/item?id=17170468

            [5] https://en.wikipedia.org/wiki/Ulysses_pact

            [6] https://www.youtube.com/watch?v=zlN6wjeCJYk

            [7] https://en.wikipedia.org/wiki/Pen_register (or a NSL, etc)

    • tomaskafka 1868 days ago
      I always assumed the whole point of 8.8.8.8 is to spy on me. Why would they do it otherwise?
    • JohnFen 1868 days ago
      > Hardcoded DNS servers are common.

      Indeed. And they're terrible. Maybe making a stink about a big player like Google doing this might encourage others to rethink the practice.

      Probably not, of course, but the alternative of just shutting up and taking it isn't any better.

    • baptou12 1868 days ago
      Other IOT manufacturers who hardcode the DNS into devices do not own the DNS servers, do they ?
    • tatoalo 1868 days ago
      I agree with you on the "G is evil" and so on, I've used Google WiFi and used Cloudflare DNS(as a test) with no problem...(the serious discussion would be why people blindly trust Cloudflare over x or y or z, out of scope now :D)
    • vbezhenar 1868 days ago
      "Broken" ISP are likely to intercept DNS requests, so really the only option against them is something like DNS over HTTPS.
      • scrollaway 1868 days ago
        [citation needed] on that "likely" word. I've seen instances of that, but they're extremely rare because intercepting DNS altogether is a fucked up thing to do for an ISP.

        Seen far, far more instances of:

        - ISPs shipping shitty network devices / awful factory settings

        - ISP's own DNS servers being terrible in various ways

        - Uncle Steve "the IT guy of the family" having messed with the network settings and nobody knows why 1 youtube video in 20 doesn't load but we just ignore it.

        • loeg 1868 days ago
          Centurylink hijacks 100% of real NXDOMAINs to their DNS servers and replaces them with a redirect to their internal portal. They "have" a configuration knob to disable the behavior, but it doesn't work or isn't reliably persisted; it never sticks. Big residential ISP.
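
The NXDOMAIN hijacking described in the comment above can be tested for directly, and the same probe is the general form of the "query a name that cannot exist and see what comes back" idea raised further up in the thread. This is an added example, not code from the thread or from any of the vendors mentioned. It assumes `dig` from bind-utils/dnsutils is installed for the live probe, and that a random label under example.com has no wildcard record (an assumption, not something the thread states); the classifier itself is plain POSIX sh and needs no network.

```shell
#!/bin/sh
# Added example, not code from the thread. The live probe needs dig(1)
# (bind-utils / dnsutils); the classifier below is plain POSIX sh.

# Read one dig(1) response from stdin and print a single word:
#   nxdomain  the resolver says the name does not exist, which is the
#             correct answer for a random label under a real zone
#   hijacked  NOERROR plus an A record for a name that cannot exist, i.e.
#             the resolver (or something in the path) forged an answer,
#             the ISP portal-redirect behaviour described above
#   other     SERVFAIL, REFUSED, NODATA, timeout, empty output, ...
classify_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  # Answer-section A records are non-comment lines ending in "IN A <addr>".
  a_records=$(printf '%s\n' "$out" | grep -v '^;' \
    | grep -c -E '[[:space:]]IN[[:space:]]+A[[:space:]]+[0-9.]+$' || true)
  case "$status" in
    NXDOMAIN) echo nxdomain ;;
    NOERROR)  if [ "$a_records" -gt 0 ]; then echo hijacked; else echo other; fi ;;
    *)        echo other ;;
  esac
}

# 16 hex characters from /dev/urandom: a label nobody has registered.
random_label() {
  head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Ask resolver $1 for a random label under a zone with no wildcard record
# (assumption: example.com) and classify the reply. The short timeout keeps a
# blackholed or unreachable resolver from hanging the script.
probe_resolver() {
  resolver=$1
  zone=${2:-example.com}
  dig +time=3 +tries=1 "@$resolver" "$(random_label).$zone" A | classify_dig_output
}

# Usage: sh probe.sh 8.8.8.8   (or your router / ISP resolver address)
if [ -n "${1:-}" ]; then
  printf '%s: %s\n' "$1" "$(probe_resolver "$1")"
fi
```

Run it once against 8.8.8.8 and once against the resolver your router hands out. Google Public DNS returns a genuine NXDOMAIN for names that do not exist, so "hijacked" from the first run means something between you and 8.8.8.8 is intercepting port 53 (the router-level interception discussed earlier in the thread), while "hijacked" only from the second run points at the ISP resolver itself.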
        • igetspam 1868 days ago
          TimeWarner and Comcast have both done it too. TWC did it to let me know of a TOS violation and Comcast uses it as part of their setup. If you don't allow them to hijack DNS and show you things that you have to click through, you may find yourself unable to route traffic at all until you call them. I've dealt with this with every move in CA (about a half dozen times) and my move to TX. Seems pretty likely to me.
        • rmoriz 1868 days ago
          the amount of broken, intercepting and censoring DNS out there does not make Google a community service, though.
    • dragonwriter 1868 days ago
      > this is a $30 device to hook up TVs,

      Nitpick, but more like $70; you may be confusing Chromecast Ultra with the base Chromecast.

      • scrollaway 1868 days ago
        Yes, you're correct. The Chromecast Ultra isn't sold here in Europe so I didn't make the connection.
        • yardstick 1868 days ago
          Chromecast Ultra is sold in the UK, which is Europe (even if we do end up leaving the EU).
          • loeg 1868 days ago
            OP said:

            > The Chromecast Ultra isn't sold here

            • vetinari 1868 days ago
              And the OP was wrong; Chromecast Ultra is being sold here in Europe.
              • loeg 1868 days ago
                What? How do you know where OP lives or what is sold there? "Here" and "here" refer to different places depending on who is speaking.
                • dragonwriter 1868 days ago
                  “here in Europe” is not the same as “here” by itself, because the “in Europe” part specifies exactly what “here” means.
    • sofaofthedamned 1868 days ago
      IIRC Meraki used to ping 8.8.8.8 as a connectivity check...
    • IncRnd 1868 days ago
      The author of that email, Paul Vixie, is not some random person saying, "Google is evil!!!" He is eminently qualified to speak about DNS, since he designed it.
      • scrollaway 1868 days ago
        And did I suggest he wasn't qualified to speak about DNS?
    • OnlyRepliesToBS 1868 days ago
      lol
  • koolba 1868 days ago
    This is pretty crappy and is the type of thing that would prevent you from a bunch of purely local use cases like pointing it at your local media server.

    Is this the Paul Vixie?

  • ctime 1868 days ago
    It's not just this device, it's others like the Google Home.

    Why? Because ISPs and home networks are awful a non-trivial amount of the time. It also gives leverage to Evil ISPs to hold Google ransom for the DNS queries needed to make the thing work properly.

    I don't think the average person knows or cares how fragile the internet actually is (unless, of course, you happen to live in China, which actively manipulates and breaks DNS routinely for glorious reasons)

  • EastSmith 1868 days ago
    We desperately need PrivacyFirst product reviews with 1 to 5 ratings, links to buy, reviews, etc. Someone please build it and put your referral links there - I will click on them all.

    Recently I wanted to buy home speakers and realized that all devices with top reviews need an app to function, and I need to agree to some privacy terms, etc.

    We need to have old school products where I am giving you X bucks and you leave me alone.

  • imagiko 1868 days ago
    I'm a dumdum when it comes to understanding stuff about DNS. Why is this bad, and are there any good resources for understanding how these are used by companies to extract more information about our habits?
    • pbhjpbhj 1868 days ago
      If someone controls your DNS they can monitor and/or control your internet traffic flow.

      Like controlling your phone exchange, one can either watch who you connect to, or connect you to other phones regardless of the phones you try to connect to.

      • kllrnohj 1868 days ago
        Except in this case nobody is controlling your DNS, as Chromecast doesn't let you make arbitrary DNS requests via it.

        So Google/Chromecast only knows what DNS lookups Chromecast makes, which changes nothing with regards to privacy or anything else. It can't watch what you're doing, it can't snoop on your web traffic, etc...

  • deagle50 1868 days ago
    DNAT 8.8.8.8:53 back to your own DNS server.
    • pixl97 1868 days ago
      This will only last until Google pushes its devices to use DNS over TLS/HTTPS.

      https://developers.google.com/speed/public-dns/docs/dns-over...

      >To address these problems, Google Public DNS offers DNSSEC-validating resolution over an encrypted HTTPS connection using a web-friendly API that does not require browser or OS configuration or installing an extension. DNS-over-HTTPS greatly enhances privacy and security between a client and a recursive resolver, and complements DNSSEC to provide end-to-end authenticated DNS lookups.

    • brandeded 1868 days ago
      Came here to say exactly this. Why even make a fuss about it? Bro, do you even NAT?

      The argument is Google can record what you're sending your Chromecast. Well, (sorry for the crudeness) no shit... You're using Google hardware. If you're going to act like the DoD and not use Huawei switches, then don't use Huawei switches.

      If you so choose, you must look at Google as malevolent as the US DoD would see an attacking nation state, and actively do things about it (like not buy their hardware). Otherwise, shut yo trap.

      • mthoms 1868 days ago
        Cool, I'll be sure to tell my mother-in-law that if she's concerned about her privacy, she just needs to use NAT "bro".
        • andoriyu 1868 days ago
          So to be clear, you think google MUST use 8.8.8.8 on its own chromecast device in order to spy on your mother-in-law?

          A more plausible version - google knows most of the people use shitty ISP provided DNS servers, so instead it's using faster DNS that wouldn't inject shit as your ISP will.

          EDIT: never mind. It's for ads.

        • growse 1868 days ago
          Tell her that if she's worried about Google spying on her, it's probably best not to buy a Google-made device with Google-owned software on it transmitting usage data back to Google.
          • mthoms 1868 days ago
            This may be fair for "free" service like search. It gets way more complicated when the consumer is (a) paying for the device, (b) paying for the content they consume and (c) paying for the bandwidth it uses.

            All I have to do now is explain to my mother-in-law that she hasn't paid "enough". I'm sure she'll totally understand.

          • deagle50 1868 days ago
            This is what I've been telling my friends and family after I gave up trying to improve their network setup. At some point you have to take a stand and stop trying to have it both ways.
  • hannob 1868 days ago
    Given that ISPs like to play with traffic and have been using censoring DNS servers again and again I can't blame Google for taking away one piece of potentially failing networking infrastructure and using their own.

    It's not nice, but it's not Google who started this.

    • joshstrange 1868 days ago
      You are missing the point, it's not that they first try 8.8.8.8 and then fall back to ISP/defaults, they are requiring 8.8.8.8 for DNS, which is BS.
      • hannob 1868 days ago
        If they fell back to the ISP's DNS server they'd encourage the ISP to block access to their DNS, which arguably would be even worse.
        • mthoms 1868 days ago
          Honest question: is that even legal?
          • CobrastanJorji 1868 days ago
            In the US? Oh man, it's even worse than that. ISPs can probably legally choose to block whatever, including editorially blocking content they find offensive. Your ISP could legally choose to just start blocking port 443 because they want to make sure you're not looking at anything inappropriate. Comcast will straight up mutate HTML content sometimes to insert their own JavaScript: https://news.ycombinator.com/item?id=15890551
    • ClashTheBunny 1868 days ago
      What happens when all DNS but the ISP's is blocked? I've been in many a corporate and cheapo Internet situation like this.
  • bubblethink 1868 days ago
    This is not necessarily to force ads, although that is a good side benefit. It's more to force geoblocking of content which smartdns operators circumvent. Chromecast is, after all, a consumption device. If you stop consuming things you are fed, what are you?
  • Fnoord 1868 days ago
    I have and use a Chromecast Ultra and redirect all traffic outward to port 53 to an internal DNS server which blocks ads and utilizes DNSSEC. I don't block 8.8.8.8 specifically though, but it cannot be used by normal means as it would get redirected.
  • kissgyorgy 1868 days ago
    My bigger issue with this kind of behavior (beside that I have the exact same issue with it) is that I can't watch anything even from my local network when the internet is down from my ISP. Very frustrating.
  • jdc0589 1868 days ago
    ouch. I've got a free 4k Apple TV on the way I was planning on selling, but I may sub it in for my old Chromecast....

    No way I'm turning pihole off, and I'm not gonna get a legit router setup to reroute 8.8.8.8.....

  • fixermark 1868 days ago
    This guy sure is angry that his consumer electronics device is architected to be maximally convenient to set-up and use for the common user.

    He may want to consider an alternative product. Or use his 1337 hacker skills to modify his already-customized local routing configuration to just do the thing this consumer electronics device is assuming is standard (i.e. accessing services by IP on the Internet) by telling his network to proxy 8.8.8.8 to some other IP he designates.

    • bobthedino 1868 days ago
      Not sure what you meant by "1337 hacker skills" (sounds sarcastic to me) but the guy in question helped create the Domain Name System!
      • fixermark 1868 days ago
        I know, and yes, it was intended to be sarcastic. ;)

        He of all people should understand that the practical implementation of DNS and DHCP has become so broken by bad-acting ISPs that consumer electronics devices end up side-stepping the spec entirely so the thing works for the common consumer user.

  • hendersoon 1868 days ago
    I redirect all outbound DNS queries from my untrusted/IoT and guest VLANs to an internal caching DNS server for this reason. I use Pihole [1] which also blocks ads in mobile apps and such, very convenient.

    Providing a DNS server via DHCP is insufficient as many IoT devices ignore it for tracking purposes. Similar deal with blocking port 53 outbound, they just refuse to work.

    [1]: https://pi-hole.net/
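    The check hendersoon's setup implies but does not spell out is how you find the devices that ignore the DHCP-supplied resolver in the first place. The following is an added example, not code from the thread or from Pi-hole: it runs over a constructed, hypothetical key=value flow log (the kind of line a router's firewall or conntrack logging produces) and flags clients on policed VLANs whose port-53 or port-853 traffic goes anywhere other than the sanctioned local resolver. The VLAN names, the 192.168.x.x addresses and the log format are all assumptions.

```python
"""Added example (not from the thread): spot IoT/guest clients that ignore the
DHCP-supplied resolver and talk to hard-coded public DNS directly.

Input is a constructed, hypothetical flow log in key=value form.  Nothing here
is a real device's or router's output.
"""
import re
from collections import defaultdict

# Hypothetical local setup: the Pi-hole at 192.168.1.2 is the only resolver
# IoT/guest clients are supposed to use, and only those two VLANs are policed.
LOCAL_RESOLVERS = {"192.168.1.2"}
POLICED_VLANS = {"iot", "guest"}
DNS_PORTS = {53: "dns", 853: "dot"}   # plain DNS and DNS-over-TLS

LINE_RE = re.compile(
    r"vlan=(?P<vlan>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"proto=(?P<proto>tcp|udp)\s+dport=(?P<dport>\d+)"
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2019-02-15T20:01:02Z vlan=iot   src=192.168.20.15 dst=192.168.1.2 proto=udp dport=53
2019-02-15T20:01:03Z vlan=iot   src=192.168.20.15 dst=8.8.8.8     proto=udp dport=53
2019-02-15T20:01:03Z vlan=iot   src=192.168.20.15 dst=8.8.4.4     proto=udp dport=53
2019-02-15T20:01:09Z vlan=iot   src=192.168.20.31 dst=1.1.1.1     proto=tcp dport=853
2019-02-15T20:01:11Z vlan=guest src=192.168.30.7  dst=9.9.9.9     proto=udp dport=53
2019-02-15T20:01:12Z vlan=guest src=192.168.30.7  dst=142.250.0.1 proto=tcp dport=443
2019-02-15T20:01:15Z vlan=trust src=192.168.1.50  dst=8.8.8.8     proto=udp dport=53
2019-02-15T20:01:16Z vlan=iot   src=192.168.20.40 dst=192.168.1.2 proto=tcp dport=53
garbage line that does not parse
"""


def find_dns_bypass(log_text, resolvers=LOCAL_RESOLVERS, vlans=POLICED_VLANS):
    """Return {src_ip: sorted [(dst_ip, kind), ...]} for clients on a policed
    VLAN whose DNS/DoT traffic is not aimed at a sanctioned resolver.

    Port-443 traffic is deliberately not counted: DoH is indistinguishable
    from ordinary HTTPS at this layer, which is exactly why it is harder to
    police than DoT.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # unparseable lines are skipped, not trusted
        if m["vlan"] not in vlans:
            continue
        kind = DNS_PORTS.get(int(m["dport"]))
        if kind is None or m["dst"] in resolvers:
            continue
        hits[m["src"]].add((m["dst"], kind))
    return {src: sorted(dsts) for src, dsts in hits.items()}


def redirect_candidates(bypass):
    """Destination IPs worth DNAT'ing back to the local resolver (plain DNS
    only; DoT destinations are better rejected than redirected)."""
    return sorted({dst for dsts in bypass.values() for dst, kind in dsts if kind == "dns"})


if __name__ == "__main__":
    found = find_dns_bypass(SAMPLE_LOG)
    for src, dsts in sorted(found.items()):
        print(f"{src}: {', '.join(f'{d} ({k})' for d, k in dsts)}")
    print("DNAT candidates:", redirect_candidates(found))
```

    Run against the sample, it names the two IoT clients and the guest client that bypass the Pi-hole, ignores the trusted VLAN and the client that behaves, and leaves the HTTPS flow alone. Feed it your own router's log (after adjusting `LINE_RE` to its format) to get the list of hard-coded resolver addresses worth redirecting.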

  • walrus01 1868 days ago
    Something that's always highly amusing is when people who have no idea who Paul Vixie is try to school him about anything DNS related...

    Never fails to make me chuckle.

  • accrual 1867 days ago
    I don't disagree that this is a Bad Thing.

    I like to use a BSD based router and a PF firewall. My solution:

        match in on $i inet proto udp from any to !($i) port {53 123} rdr-to ($i)
    
    "Any UDP packet destined for port 53 (DNS) or 123 (NTP) that is not the gateway ("$i"), redirect them to gateway ("$i")."

    The gateway has daemons listening and caching requests for performance. The client has no idea this is happening.

    It works great for me.
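    For readers on a Linux gateway, here is the nftables counterpart of the PF rule above, as an added example that is not from the thread. It assumes a hypothetical layout: the policed interfaces are `iot0` and `guest0`, a Pi-hole style caching resolver lives on a separate host at 192.168.1.2 on the trusted LAN, and the gateway itself (192.168.1.1) answers NTP. It also adds the DNS-over-TLS refusal discussed further down the thread. Merge it into your existing ruleset rather than loading it on its own; the `policy accept` lines are placeholders for whatever your firewall already does.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: Linux/nftables counterpart of the PF rule.
# Hypothetical layout: IoT and guest VLANs on iot0/guest0, caching resolver on
# a separate trusted-LAN host 192.168.1.2, NTP served by the gateway 192.168.1.1.
define policed  = { "iot0", "guest0" }
define resolver = 192.168.1.2
define gateway  = 192.168.1.1

table ip dns_capture {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Whatever resolver address a device has hard-coded (8.8.8.8, 1.1.1.1, ...),
        # the query lands on the local resolver.  TCP matters too: truncated
        # answers and zone transfers retry over TCP 53.
        iifname $policed udp dport 53 dnat to $resolver
        iifname $policed tcp dport 53 dnat to $resolver
        iifname $policed udp dport 123 dnat to $gateway

        # Two loops to avoid, both sidestepped by this layout but easy to hit:
        #  - if the resolver sat on a policed interface, its own upstream queries
        #    would be rewritten back to itself; exempt it with
        #    "iifname $policed ip saddr $resolver return" ahead of the dnat rules;
        #  - if the resolver shared a segment with the clients, the redirected
        #    flow would hairpin and replies would come from the resolver's real
        #    address, so the client would discard them; a masquerade rule in a
        #    postrouting chain is then needed as well.
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # DNS over TLS has its own port, so it can simply be refused.  An active
        # reject (not a silent drop) lets the client fail fast and fall back to
        # plain DNS, which the rules above then capture.  DoH on TCP 443 cannot
        # be singled out this way.
        iifname $policed tcp dport 853 reject with tcp reset
    }
}
```

    Check the syntax without touching the running ruleset with `nft -c -f dns-capture.nft`, then load it with `nft -f dns-capture.nft`. The confirmation that matters is the one muppetman and homero describe below: the Chromecast's queries show up in the local resolver's log even though the device believes it is talking to 8.8.8.8.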

  • r3vrse 1868 days ago
    Just static route Google DNS back to your gateway. Works fine for me.

    As others have said though, who buys a Google device thinking it's not gonna talk to Google?

  • sasasassy 1867 days ago
    Chromecast didn't even need a Google account a while back. Now (last few years) it forces it on you for no discernible reason. Supposedly now you can use their Google Home app to search for apps to install that work with Chromecast, which is already possible in the Play Store. The easy solution is to use an old version.
  • muppetman 1868 days ago
    I reject (not just drop, reject as in send back an ICMP message) 8.8.8.8 and 8.8.4.4 in my home network, and my Chromecast Ultra works just fine. I know it's talking to the PiHole too because I see it in my logs.

    So I don't believe the OP, even though it's the living legend that is PV.

  • leowinterde 1868 days ago
    Very questionable, as fallback possibly ok but not forced. Is it the same with home mini devices?
    • dastx 1868 days ago
      I've confirmed that this is the case a while ago. Google Home, Google Home Mini. Netflix seems to do this as well with their apps.
  • llacb47 1868 days ago
    This might explain why whenever I use a different DNS, some google subdomains refuse to connect.
  • homero 1868 days ago
    My router enforces quad9 and my Chromecast is fine. How's that different?

    Maybe my router masquerades the dns port and answers vs blocking other dns outright?

  • johnmarcus 1868 days ago
    Why didn’t he just return the device if he doesn’t like the way the Google product used Google services to function?
  • sadris 1868 days ago
    Just DNAT 8.8.8.8 to your DNS server.
  • chemmail 1868 days ago
    So this guy is complaining that he is using a Google product to use another Google product and needs to use Google in between to have that happen. Right.
  • collsni 1868 days ago
    1-to-1 NAT your traffic, that is what I did.
  • reneberlin 1868 days ago
    No more wonders?!
  • reneberlin 1868 days ago
    tldr-shortcut: expectation doesn't "meat" crushed tech-stack. Maybe there is a wet-ware problem 2b solved. (It's friday night,guess - i'm too drunk to be xpected gentle conv.)
  • clanrebornsx 1868 days ago
    Why not use Cloudflare DNS?

    Google DNS is used for data mining... that's how Google crawls sites which are being requested.

    Google doesn't crawl the whole web yet.

    Google also checks what site is doing how much traffic: based on the DNS requests it figures out the traffic a site gets and then ranks it appropriately for the search term, making fake SEO ranking much harder.

  • moonbug 1868 days ago
    grumpy old man yells at cloud.
  • Zecar 1869 days ago
    This is really shady of Google to do, and the fact that they think that it's acceptable just shows how far we've come. "Don't be evil" apparently means "spy on people, censor based on politics, help dirtbags stuck in the 12th century treat women as property, and assist totalitarian regimes to stay in power and censor their populace".

    Google is literally cartoonishly evil at this point. That slogan of theirs is an absolute joke.

    • givinguflac 1868 days ago
      Oh they know, it’s why they got rid of it and it lives on as a sub note in employee guidelines. Because no one reads those.
  • ajross 1868 days ago
    Yeah. I know we'd all want to believe that the response and reaction here would be the same if it was pointed to 1.1.1.1, but... yeah, we know better. Everyone would point out that consumer ISPs serve polluted data and that Cloudflare clearly provides better service, and relying on that instead of the local garbage is quite obviously a benefit to the device user.

    But this is Google, and people here have iPhones, so sharpen those pitchforks and light the torches. It's really getting out of control at this point.

    • toast0 1868 days ago
      It's not unreasonable to attempt to use DHCP provided DNS servers. It's not unreasonable to use fallback DNS servers when the DHCP provided servers don't work. It would be a bit strange, but maybe not altogether unreasonable to run a fully recursive DNS client with root.hints and what not.

      I guess you could argue over reasonableness of favoring the fallback DNS over DHCP. It's not reasonable to ignore DHCP when the fallback DNS doesn't work though. It doesn't matter what fallback DNS you're using.

      • JohnFen 1868 days ago
        > It's not unreasonable to use fallback DNS servers when the DHCP provided servers don't work.

        I don't know about "reasonable" or "unreasonable". I do know that there's no way I'd allow this in my network. My DHCP servers point to my own DNS server for a good reason, and I am completely invested in ensuring that nobody bypasses it to the best of my ability.

        • pault 1868 days ago
          Can you route 8.8.8.8 to your DNS server?
          • JohnFen 1868 days ago
            Yes, you can. Can this device detect that you've done that and refuse to work anyway? That, I don't know.
            • Spivak 1868 days ago
              When I was at university the network in the dorm actually blocked access to Google's DNS servers so I had to route 8.8.8.8 to their DNS servers. Chromecast worked fine after.

              I can't wait until 8.8.8.8 becomes the "address" of the local DNS server as more and more people start to hijack it. We had to hijack it at my old work because some random vendor's devices were hardcoded and we needed them to see our internal names.

            • Natanael_L 1868 days ago
              If they would use DNS over HTTPS, then yes they could
          • arrty88 1868 days ago
            Came here to ask this
            • Spivak 1868 days ago
              I can confirm that it works fine and haven't had a device complain yet.

              I'm actually surprised that more networks don't route the addresses of all the public DNS servers to their resolver.

        • ajross 1868 days ago
          > I am completely invested in ensuring that nobody bypasses it to the best of my ability.

          Then your network is a private walled garden and not "the internet", and I don't know why you expect consumer devices designed to be able to get to the open internet to work unmodified.

          I mean, I'm sure your decisions are made with the best intent, but how is what you're doing any different technically than the DNS hijacking the Comcast et. al. have been caught doing?

          • JohnFen 1868 days ago
            > Then your network is a private walled garden and not "the internet"

            This is true of all LANs.

            > how is what you're doing any different technically than the DNS hijacking the Comcast et. al. have been caught doing?

            It's not technically any different. However, there's a very huge non-technical difference: it's my network, and I have every right to configure it however I wish. When others engage in hijacking, they are interfering with traffic they have no right to be interfering with.

          • jstanley 1868 days ago
            > how is what you're doing any different technically than the DNS hijacking the Comcast et. al. have been caught doing?

            Because he's doing it on his network with his devices that he paid for.

            He's not meddling with the traffic of paying customers.

      • Topgamer7 1868 days ago
        I think the difference is that the Chromecast would not function without 8.8.8.8. Thus requiring you to use Google's services to use a Google product. That is not cool.
        • kllrnohj 1868 days ago
          Cast itself requires you to use Google's services to use the product. It bounces off Google's servers for app & stream setup, along with authentication.

          So does it really matter if it uses 8.8.8.8 to resolve the connection to google vs. some other DNS server? It's still going to connect to google's data center to do the singular function of the device.

          And as the product itself is billed as an internet streaming appliance the cloud connection doesn't seem odd or surprising, either. It fits the functionality of the product.

          • ignoramous 1868 days ago
            > So does it really matter if it uses 8.8.8.8 to resolve the connection to google vs. some other DNS server?

            It might since there are DNS providers (OpenDNS, AdGuard) that help create blacklists or use one out of the box (family filters, privacy oriented filters, etc).

            Also, not sure if true, but Google might be required to comply with local laws and 'block' websites through NXDomains.

            • TomMarius 1868 days ago
              How would you use the device if you blacklisted its cloud?
              • wtallis 1868 days ago
                It's more about the fact that this device is unnecessarily requiring you to open a hole in that layer of security, potentially leaving other devices exposed if the exception for the Chromecast Ultra is not properly configured.
                • kllrnohj 1868 days ago
                  The device requires you to open holes to its cloud. Why does which IP it demands is open matter here? If you want to blackhole IPs yeah it's going to be painful at times. But you signed up for that by trying to blackhole IPs, no?
        • sowbug 1868 days ago
          Isn't using a company's product exactly when you'd expect a dependency on that company's service?
          • bashinator 1868 days ago
            This is an artificial dependency. There is no good reason why this device should require a specific nameserver. Here are some reasons I can think of that this would be required:

            * Getting device metrics for Google's internal use

            * DNS lookups that are only available from querying google directly - in other words, recursion is disabled for some records needed by the device

            The first case should be entirely optional, the second case is deliberate subversion of internet standards.

            • sowbug 1868 days ago
              I spent some time researching consumer hardware that consistently sacrificed usability for architectural purity. I'll update this reply as soon as I find an example.
              • bashinator 1867 days ago
                I'm trying to figure out how this use of DNS would improve usability for the device owner, and how implementing the DNS client in a standard way could be considered "architectural purity".
                • sowbug 1867 days ago
                  You're repeating yourself.
          • __jal 1868 days ago
            Personally, I expect devices that claim to function with TCP/IP, DNS, https, etc. actually function with them, and not with a tiny subset of their proprietary implementations.

            If Google wants to sell captive toys well, that's nothing I'd ever buy, but they're free to. But it needs to be clear that it is a proprietary widget, dependent on Google's services and incapable of operating in environments where those dependencies are unacceptable.

            • scarface74 1868 days ago
              Were you really under any illusion that all set top boxes/dongles weren’t proprietary widgets?
          • CapacitorSet 1868 days ago
            It's not a dependency that I expect of browsing devices. I expect to be able to use eg. a TV, a radio or an ebook reader entirely without relying on the vendor, save for technical support maybe.
            • sowbug 1868 days ago
              Chromecast isn't a browsing device.
          • SilverSurfer972 1868 days ago
            You don't have every single car brand with their own fuel at the gas station right?
            • sowbug 1868 days ago
              If a car brand did, I would find it surprising that a buyer of that brand would complain about it.
              • mrighele 1868 days ago
                He would complain if he was forced to buy _only_ that brand's gasoline.

                That's in fact the approach of many printer manufacturers regarding toner/ink cartridges, and usually users complain about that.

                • sowbug 1868 days ago
                  I wrote "buyer," not "user" or "complainer." I have no problem with self-appointed Good Samaritans who leave anti-Lexmark Amazon reviews. But a buyer of a car requiring the manufacturer's gas would understand what he or she was getting into.
          • scarface74 1868 days ago
            Just a random aside. You couldn’t download third party apps on the 3rd generation AppleTV, but without jailbreaking, the community made a Plex app, merely by running a Python script and redirecting DNS to your computer that intercepted calls to the Apple Trailers app.

            https://github.com/iBaa/PlexConnect I’m sure some inventive person could figure out a creative use for a ChromeCast.

            But overall, I agree with you.

            • sowbug 1868 days ago
              You're being consistent with Richard Stallman's model of freedom for general-purpose PCs vs. appliances:

              As for microwave ovens and other appliances, if updating software is not a normal part of use of the device, then it is not a computer. In that case, I think the user need not take cognizance of whether the device contains a processor and software, or is built some other way. However, if it has an "update firmware" button, that means installing different software is a normal part of use, so it is a computer.

              Many of the objections in comments to this post are expressed in terms of standards compliance or interoperability. I think it makes more sense to analyze whether it's a general-purpose PC or not.

              https://stallman.org/stallman-computing.html

          • SilverSurfer972 1868 days ago
            DNS is a protocol not a service
            • DaniloDias 1868 days ago
              Respectfully, DNS spelled out is "Domain Name Service".

              There is both a protocol and a service associated with DNS.

            • sowbug 1868 days ago
              I think you meant to reply to the parent comment.
        • toast0 1868 days ago
          That's why I said "It's not reasonable to ignore DHCP when the fallback DNS doesn't work though"
          • jethro_tell 1868 days ago
            It should probably be the other way around from a product perspective. The box is super simple, it's basically a black box, and having some ISP serving you an ad instead of your video link would make it seem like it 'doesn't work' for most customers. A device like that is more likely to be returned than to go through support. However, if you're competent enough to care about which DNS server you use, or you're doing something like blocking DNS traffic that doesn't originate from your DNS recurser, you have the capability to change the DNS settings yourself without incurring a bunch of support burden or returning the device out of frustration.

            There should be an option in the box settings that lets you choose Google, DHCP, or manual DNS servers. Probably in that order.

  • gsich 1869 days ago
    Shitty device then. Or is there a legitimate usecase for such behaviour?
    • isostatic 1868 days ago
      Google DNS came about because of a very real problem of shitty ISPs giving shitty DNS servers that gave fake results (especially in NXDomain cases)

      I can see why you would want to use a known-good dns provider in your product, however at the very least there should be an ability to turn off such behaviour.

      • vetinari 1868 days ago
        It is not shitty ISPs giving fake results.

        It is me. My resolver does that and it is for a reason. Disrespecting what the local network tells you to use just leads to arms race.

        • creeble 1868 days ago
          This is easy to say until you've found yourself supporting tens of thousands of devices across the world and are the guy who gets the support calls when people complain about (what turns out to be) broken DNS servers at hundreds of ISPs.

          People who buy little internet devices usually don't respond well to "it's your ISP" when their day-to-day web browsing experience is just fine to them.

          If your resolver does that, you're going to be the 0.01% that complains, rather than the 2-5% that is crushing customer support.

          Not saying that makes it "right", just saying it fixes it.

          • vetinari 1868 days ago
            I know, that it looks just like a quick fix, and it gets things done.

            However, that quick fix does damage. Why don't you use it just as a fallback? Why use it when everything works right?

            • creeble 1868 days ago
              Because it often doesn't work right, and there's no way to tell.

              One of the most common complaints we get is that things "are slow to start" or that "I click and it's slow to respond". After long and expensive remote diagnosis, this turns out to be slow DNS, and 8.8.8.8 fixes it. Falling back to it wouldn't change the user experience.

        • fixermark 1868 days ago
          That's the issue though---there was already an arms race (between users and ISPs), and it was making it hard to create reliable consumer electronics devices because DNS logic is complicated and the complexity adds cost (and more importantly, pushes configuration burden from the device onto the user).

          It sucks that customization was damaged in the arms race, but that's the nature of measure-countermeasure in web technologies across the board. Every web technology is a three-edged sword: the spec, the intention behind the spec, and the real-world implementation of the spec.

          DNS / DHCP implementation drifted from intention years ago.

          • vetinari 1868 days ago
            Behavior like this will make it even worse for developers; that's what arms races do.
        • yardstick 1868 days ago
          To be fair once DNS over TLS/HTTP become mainstream, local DNS servers won’t work without valid certificates, which I’m guessing will be a pain even with letsencrypt and co.
          • vetinari 1868 days ago
            If you have a machine joined into a domain (Active Directory, FreeIPA, others), it already has a custom CA certificate installed into its store. So this domain CA will just sign the certificate for the local DNS server, like it does for other local TLS services. If you don't, just make up a local CA and install the cert on your machines or devices.

            No need to drag letsencrypt and co into the game, that's only for publicly facing machines.

            • yardstick 1868 days ago
              What about PiHoles as well as consumer devices like Chromecast? Once CC uses DNS over TLS etc it’s game over for local consumer DNS servers. No way to configure a custom CA within CC.

              (I’m a fan of local DNS for many reasons and so I think DoT is two steps forward for privacy and 3 steps backward for everything else)

              • vetinari 1868 days ago
                DNS over TLS is easy to block (it is separate port), that's why browsers are pushing for DNS over HTTPS, so you cannot make them fall back on local DNS so easily.

                With DoH it will be more difficult, but still possible - you will have to run your own proxy. I imagine that the folks who came up with pihole will package something similar that includes a proxy.

                On such networks, devices that won't allow enrolling custom certificates won't get onto the Internet. It is then up to the user what he or she prefers, privacy and control or that specific product.

                I actually like DoT and DoH as protocols, from the privacy point of view. However, I don't like their implementations and the lockdown they are used for, where they try to establish the tunnel out of the local networks, taking control away from their owners.

            • pixl97 1868 days ago
              Right, because your Chromecast will let you install your CA cert on it....
              • vetinari 1868 days ago
                As it is, it won't, and it doesn't need to.

                In the future, if it would need one to resolve domain names, I guess it won't get onto Internet without it, then. It was just around 30 euro anyway.

        • thecatspaw 1868 days ago
          Google doesn't care about a PiHole or similar, it's such a tiny tiny part of their customers it's not worth fighting it at this point
          • vetinari 1868 days ago
            Still, Google is tightening the screws: moving the DNS resolver into the browser, instead of using the system one; moving DNS over to https+ESNI to hide among other traffic; forcing their own DNS servers instead of user configured ones. All that together means that they do not trust the ISPs, nor the user, and that they want to have an unobstructed communication channel out of their software to the mothership, privacy and control by the users be damned.

            So the pihole community is tiny, but that may be the reason why Google thinks that they are worth the sacrifice: after all, there are just a few of them.

            • heavenlyblue 1868 days ago
              Nah. I use 8.8.8.8 at home simply because it was a long time since providers in the UK didn’t try to intercept the failed DNS queries.

              On top of that, Virgin Media resolver managed to go offline particularly regularly.

              So here we are: what user sees is that a particular device doesn’t work, while others do. So they obviously blame the ones adhering to standards.
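    The "fake results in NXDomain cases" isostatic mentions and the intercepted failed queries heavenlyblue describes are easy to test for, and the test is worth having before deciding whether to trust a DHCP-supplied resolver at all. The following is an added example, not code from the thread: it builds a probe query for a name that cannot exist, then parses raw DNS wire-format replies and classifies them. Both sample replies are constructed in-process so it runs offline; the probe name and the 198.51.100.53 portal address are hypothetical. On a live network you would send `PROBE` to the resolver over UDP 53 and hand the bytes you get back to `classify_probe`.

```python
"""Added example (not from the thread): detect a resolver that answers for
names that do not exist, i.e. NXDOMAIN hijacking.  An honest resolver returns
RCODE 3 (NXDOMAIN) and no answers; a hijacking one returns NOERROR plus an A
record for its search/ad portal.  Everything below is constructed offline.
"""
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qid):
    # Flags 0x0100 = RD set; one question, nothing else.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query, rcode, a_records=()):
    """Construct a reply the way a resolver would: echo id and question, set
    QR/RD/RA plus the rcode, one A RR per address, name compressed to offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | (rcode & 0x0F), 1, len(a_records), 0, 0)
    rrs = b""
    for ip in a_records:
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4)
        rrs += bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rrs


def decode_name(data, offset, depth=0):
    """Decode a possibly-compressed name; returns (name, offset after it)."""
    if depth > 8:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:          # pointer: 14-bit offset into the message
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, pointer, depth + 1)
            return ".".join(labels + [tail.rstrip(".")]) + ".", offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data):
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, qname, addrs = 12, None, []
    for _ in range(qd):
        qname, off = decode_name(data, off)
        off += 4                                   # QTYPE + QCLASS
    for _ in range(an):
        _name, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0x0F, "qname": qname, "addrs": addrs}


def classify_probe(query, response):
    """The probe name was chosen to be nonexistent, so any address in the
    reply means the resolver is inventing answers."""
    r = parse_response(response)
    if r["id"] != struct.unpack("!H", query[:2])[0]:
        return "id-mismatch"                       # not an answer to our question
    if r["rcode"] == RCODE_NXDOMAIN and not r["addrs"]:
        return "honest-nxdomain"
    if r["rcode"] == RCODE_NOERROR and r["addrs"]:
        return "hijacked:" + ",".join(r["addrs"])
    return f"unexpected-rcode-{r['rcode']}"


# Constructed probe and two constructed replies (hypothetical portal address).
PROBE_NAME = "zq7x-surely-not-real.example."
PROBE = build_query(PROBE_NAME, qid=0x1A2B)
HONEST_REPLY = build_response(PROBE, RCODE_NXDOMAIN)
HIJACKED_REPLY = build_response(PROBE, RCODE_NOERROR, ["198.51.100.53"])

if __name__ == "__main__":
    for label, reply in (("honest", HONEST_REPLY), ("hijacked", HIJACKED_REPLY)):
        print(label, "->", classify_probe(PROBE, reply))
```

    Run several probes with fresh random labels, because some hijacking resolvers only rewrite a subset of failures, and compare the result against the same probe sent to a resolver you control. The id check is there for the same reason it exists in the protocol: a reply that does not carry your transaction id tells you nothing about the resolver you asked.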

    • dastx 1868 days ago
      > Or is there a legitimate usecase for such behaviour?

      Yes, to track you better.

      • fixermark 1868 days ago
        • mthoms 1868 days ago
          Interesting then, that they chose to do this instead of giving monetary and technical support to the already established opendns.org

          Kind of like they started Knol to compete directly with Wikipedia.

          • vatueil 1868 days ago
            Despite what the name may suggest, OpenDNS has always been a for-profit company, and they used to serve ads in the same way ISPs have been criticized for. Offering an alternative to OpenDNS was a good choice.
            • mthoms 1868 days ago
              Ah yes, you're right. It definitely seemed like they attempted to portray themselves as some kind of non-profit if memory serves.
        • Rebelgecko 1868 days ago
          There's so much latency already with the chromecast. how much difference does a few tens of milliseconds make?
        • gsich 1868 days ago
          Not on a Chromecast. And not with every DNS. And no time difference is shown in the blogpost.
  • optimuspaul 1868 days ago
    I don't understand, why does he have a google product if he doesn't want to support google?
  • nemonemo 1868 days ago
    From this post, it is unclear whether the DNS given by DHCP should be 8.8.8.8, or the device only needs reachability to 8.8.8.8. I think if the latter is true, it seems acceptable, given the internet can be unpredictable, and Google network reachability would be correlated among services.
    • izuchukwu 1868 days ago
      I could be misunderstanding, but if subsequent requests are to be made with the DNS provided by DHCP, reachability to 8.8.8.8 would only be helpful to disambiguate what kind of network error is causing a failure to make network calls regularly. Otherwise, reachability would be best tested with, for example, a Google domain using the provided DNS.