• by anilakar on 2/15/2019, 1:51:36 PM

    In case the name of the original poster does not ring a bell: https://en.wikipedia.org/wiki/Paul_Vixie

  • by calibas on 2/15/2019, 4:45:50 PM

    This should bother people here more than it does. The last thing the Internet needs is even more dependence upon Google. They've made it quite clear through their actions that they're not supporters of a free and open Internet: https://theintercept.com/2018/09/14/google-china-prototype-l...

    If people don't push back against these kinds of things, Google will continue to abuse their power. There shouldn't be an army of apologists here making excuses for them.

    As far as a solution goes, they can simply make 8.8.8.8 a fallback when something goes wrong. It's a disturbing trend to see them forcing things like this upon users.

  • by RickS on 2/15/2019, 5:32:52 PM

    More concerning to me was the fairly recent removal of non-phone-app setup. It used to be that a chromecast would display a 4 character code on screen, which could be used to activate it from the browser.

    Now, they require that it be managed with the Google Home app, and have discontinued the method that allowed Chromecast use without installing additional Google software on your phone.

    This made for a really disheartening Christmas experience, when I first assured my mother that no, we could skip this stuff with your phone, only to find out that no, she would indeed have to make that sacrifice.

    Especially frustrating is that my same devices, validated with the old method, continue to function just fine.

    Does anyone with more knowledge than I have know of a reason for this that isn't data-greedy or consumer-hostile? From my perspective, "Don't be evil" has been dead long enough that the bones are sunbleached.

  • by AdmiralAsshat on 2/15/2019, 3:57:43 PM

    Knowing who he is, my takeaway should be, "Wow! An Internet Hall of Famer weighing in against a Google product!"

    But my actual takeaway is, "Legends of the CS world write informal, pithy rants to Google just like the rest of us mortals."

  • by unethical_ban on 2/15/2019, 4:16:01 PM

    Jared Mauch's response was pretty rude.

    I don't mind defaults, but I do not like the inability to change.

    I wonder if it was clearly documented as a device requirement that 8.8.8.8 was needed. All prerequisites of function should be in the Quick Start Guide of the tool in question. Furthermore, users aren't always in control of the firewall/ACL on their network. If I go to Jack's Organic Coffee for a meeting and they only allow 1.1.1.1 out for DNS, I can't use my cast device? That's screwy.

  • by rasz on 2/15/2019, 7:59:35 PM

    Chrome is just as insistent on using 8.8.8.8. Took me >2 years of constant pestering to make Vivaldi finally patch some of it out.

    https://www.reddit.com/r/vivaldibrowser/comments/a23071/how_...

  • by alias_neo on 2/15/2019, 4:08:49 PM

    It's not new, and not limited to Chromecast Ultra; I detected this from several Android devices (phones) pre-Pie and configured my firewall to redirect those requests to my own DNS.

    Regardless of their reason, many of us don't want to use Google DNS, and they're just using their control over these devices to force people to 8.8.8.8/8.8.4.4.

    I haven't checked how Pie behaves yet but it provides an option in the UI to specify private DNS.

    Also, I found some time ago, and am not sure if it's still the case, that some of their first-party apps hard-coded Google DNS, so setting one at the system level was irrelevant.

  • by dastx on 2/15/2019, 1:49:12 PM

    I posted this a while ago on the /r/pihole subreddit. Since my router is a bit more restricted, I ended up blocking Google's DNS, as they've been doing this in other devices and software as well. It seems that they only add one of the DNS servers and fall back onto the DNS server provided by DHCP. My Pi-hole's number of queries suddenly jumped up after I blocked those IPs.

  • by jasonjayr on 2/15/2019, 1:52:05 PM

    I agree with the shadiness of this, but just to play devil's advocate here, is this to work around shitty ISPs that play games with DNS? Residential ISPs have not exactly been good faith actors in this game ...

  • by josteink on 2/15/2019, 1:49:26 PM

    Expect more of this once “DNS over HTTPS” takes hold.

    Nothing Google makes will ever respect your DHCP-server or local network settings ever again.

  • by chewz on 2/15/2019, 2:31:51 PM

    Set DNS to Google and do

        dig +short TXT whoami.ds.akahelp.net

    Then set to other DNS provider and do the same

    You will see that Google DNS is delivering ECS which helps with directing traffic to nearest CDN.

    I have quite secure DNS setup but still forward some queries to Google DNS (HBO, Spotify, etc.) just to take advantage of using ECS.
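The ECS mentioned above is the EDNS Client Subnet option (RFC 7871): a resolver such as Google DNS attaches a truncated form of the client's network to the upstream query so a CDN's authoritative server can pick a nearby edge. This added example (not from the thread) encodes and decodes that option on the wire and builds a complete UDP query for the `whoami` TXT record carrying it; the `203.0.113.0/24` subnet and the transaction id are constructed values.

```python
import struct
import ipaddress

ECS_OPTION_CODE = 8   # RFC 7871 EDNS0 option code for Client Subnet
TYPE_OPT = 41
TYPE_TXT = 16


def build_ecs_option(subnet):
    """Encode one EDNS Client Subnet option for an IPv4 or IPv6 network.

    Only the prefix bits travel: the address is truncated to ceil(prefix/8)
    bytes, so a /24 reveals three octets and never the full client address.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2          # IANA address family
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    # OPTION-DATA: FAMILY(2) | SOURCE PREFIX-LEN(1) | SCOPE PREFIX-LEN(1) | ADDRESS
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_ecs_option(option):
    """Decode an ECS option; in a response SCOPE says how much of the subnet the answer used."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    data = option[4:4 + length]
    family, source, scope = struct.unpack("!HBB", data[:4])
    full_len = 4 if family == 1 else 16
    padded = data[4:] + b"\x00" * (full_len - (length - 4))   # restore truncated bytes
    return {"family": family, "source_prefix": source, "scope_prefix": scope,
            "subnet": f"{ipaddress.ip_address(padded)}/{source}"}


def build_query(qname, qtype, ecs_subnet, txid=0x1234):
    """Full DNS query: header, one question, and an OPT RR carrying the ECS option."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    labels = [l.encode() for l in qname.strip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00" + struct.pack("!HH", qtype, 1)
    rdata = build_ecs_option(ecs_subnet)
    # OPT RR: root name, TYPE=OPT, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return header + question + opt


if __name__ == "__main__":
    q = build_query("whoami.ds.akahelp.net", TYPE_TXT, "203.0.113.0/24")
    print(len(q), "byte query;", parse_ecs_option(q[-11:]))
```

Sending `q` over UDP to a resolver is left out so the block runs offline; the TXT answer from the `whoami` service shows whether the resolver forwarded the option.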

  • by richardwhiuk on 2/15/2019, 1:52:40 PM

    I've seen this done before, and IME it's reasonable behavior.

    I've seen so many instances of computers configured with DNS servers which are extremely slow, or provide garbage results, that adding a known good DNS server to the list, and then parallel resolving across all of them is a perfectly legitimate thing to do.

  • by kop316 on 2/15/2019, 2:40:04 PM

    What I ended up doing to ensure this for any of the devices I have is use pfSense to force all DNS queries to go to my DNS server:

    https://docs.netgate.com/pfsense/en/latest/dns/blocking-dns-...

  • by cotillion on 2/15/2019, 1:58:53 PM

    Just the fact that you can't cast your own local content when the mothership is down makes me want to throw out all cast devices. Ignoring DNS servers seems like a very minor issue.

  • by ChuckMcM on 2/15/2019, 7:34:07 PM

    Gotta love Paul's approach. Amazing to see things that break when you run a black hole DNS server on your inside network. I have a Samsung TV that won't complete boot until it has verified there aren't any firmware updates at Samsung. I finally resorted to copying the HTTP response traffic and having a bit of code on my RasPi return it when the TV asks (it says "no new firmware for you"). Of course these sorts of tricks will fail when vendors get wise to them and start returning an encrypted time and date nonce in the response.

  • by mrcarruthers on 2/15/2019, 4:56:08 PM

    My Roku does (almost) the same thing. It defaults to 8.8.8.8 to attempt to block DNS proxies, but if you block 8.8.8.8 on your router, unlike the Chromecast, it will actually use the DNS server my router provides.

  • by cfv on 2/15/2019, 9:56:19 PM

    My oven should not refuse to work if my gas pipes are not from the same maker. The ability to set up my own products to whatever config I like is not an extraordinary request. Especially when it's the default operating mode with an off brand product. Google should collectively be ashamed.

  • by crankylinuxuser on 2/15/2019, 2:00:36 PM

    For those running Linux machines for networking..

         sudo iptables -t nat -I OUTPUT --dst 8.8.8.8 -p tcp --dport 53 -j REDIRECT --to-ports 53
         sudo iptables -t nat -I OUTPUT --dst 8.8.4.4 -p tcp --dport 53 -j REDIRECT --to-ports 53
         sudo iptables -t nat -I OUTPUT --dst 8.8.8.8 -p udp --dport 53 -j REDIRECT --to-ports 53
         sudo iptables -t nat -I OUTPUT --dst 8.8.4.4 -p udp --dport 53 -j REDIRECT --to-ports 53

    What that does is catch requests coming in from the network going to Google's DNS, and redirect them to that local machine's port 53 (be it TCP or UDP).

    It's an ugly hack, but things like Pi-holes can reliably do this with little to no extra load, and keep the Google spy engine off your tracks. But then we'll have to discuss using a Chrome..

  • by scrollaway on 2/15/2019, 1:53:25 PM

    I'm always shocked at how easy it is for people to fall into the "Google is evil!!1" trap on such trivial stuff (and funnily enough, much more serious privacy issues related to Google are ignored/downvoted).

    Hardcoded DNS servers are common. Extremely common in a bunch of IoT devices, given how broken some ISPs are. This is a non-story and the only reason it's being upvoted is because Google is doing it, and they also control the DNS server.

    You know what would be an actual story though? If Google used Google DNS to spy on people. If anyone has concrete evidence that they're doing that, that is a big fucking deal. Not some email about a google-complaint-of-the-week.

    Edit: To be clear I'd agree that in a high quality product there needs to be a way to change the DNS servers. Then again, this is a $30 device to hook up TVs, and I've seen $200 routers lacking that ability.

    ----

    Edit 2, elaborating on the above: You make a cheap device that will likely end up in millions of homes and your #1 support issue is "It doesn't work [because my ISP is terrible therefore my network configuration is shit]!". What do you do? Do you tell your consumers to suck it up and talk to their ISP? Or do you… hardcode a DNS server that you at least know will work?

    "Issues" like this one are non-issues and distract from the myriad of very real privacy issues coming out of Google. Yes, this should be configurable at the very least… then again, Google products aren't exactly known for their wonderful configurability.

  • by koolba on 2/15/2019, 1:54:08 PM

    This is pretty crappy and is the type of thing that would prevent you from a bunch of purely local use cases like pointing it at your local media server.

    Is this the Paul Vixie?

  • by ctime on 2/15/2019, 2:53:01 PM

    It's not just this device, it's others like the Google Home.

    Why? Because ISPs and home networks are awful a non-trivial amount of the time. It also gives leverage to evil ISPs to hold Google ransom for the DNS queries needed to make the thing work properly.

    I don't think the average person knows or cares how fragile the internet actually is (unless, of course, you happen to live in China, which actively manipulates and breaks DNS routinely for glorious reasons)

  • by EastSmith on 2/15/2019, 4:27:41 PM

    We desperately need PrivacyFirst product reviews with 1 to 5 ratings, links to buy, reviews, etc. Someone please build it and put your referral links there - I will click on them all.

    Recently I wanted to buy home speakers and realized that all devices with top reviews need an app to function, and I need to agree to some privacy terms, etc.

    We need to have old school products where I am giving you X bucks and you leave me alone.

  • by imagiko on 2/15/2019, 7:45:36 PM

    I'm a dumdum when it comes to understanding stuff about DNS. Why is this bad, and are there any good resources for understanding how these are used by companies to extract more information about our habits?

  • by deagle50 on 2/15/2019, 3:43:53 PM

    DNAT 8.8.8.8:53 back to your own DNS server.

  • by hannob on 2/15/2019, 3:51:19 PM

    Given that ISPs like to play with traffic and have been using censoring DNS servers again and again I can't blame Google for taking away one piece of potentially failing networking infrastructure and using their own.

    It's not nice, but it's not Google who started this.

  • by bubblethink on 2/15/2019, 3:24:19 PM

    This is not necessarily to force ads, although that is a good side benefit. It's more to force geoblocking of content which smart DNS operators circumvent. Chromecast is, after all, a consumption device. If you stop consuming things you are fed, what are you?

  • by Fnoord on 2/15/2019, 4:24:16 PM

    I have and use a Chromecast Ultra and redirect all traffic outward to port 53 to an internal DNS server which blocks ads and utilizes DNSSEC. I don't block 8.8.8.8 specifically though, but it cannot be used by normal means as it would get redirected.

  • by kissgyorgy on 2/15/2019, 5:20:05 PM

    My bigger issue with this kind of behavior (besides that I have the exact same issue with it) is that I can't watch anything even from my local network when the internet is down from my ISP. Very frustrating.

  • by jdc0589 on 2/15/2019, 2:48:29 PM

    Ouch. I've got a free 4K Apple TV on the way I was planning on selling, but I may sub it in for my old Chromecast....

    No way I'm turning Pi-hole off, and I'm not gonna get a legit router setup to reroute 8.8.8.8.....

  • by fixermark on 2/15/2019, 2:23:08 PM

    This guy sure is angry that his consumer electronics device is architected to be maximally convenient to set up and use for the common user.

    He may want to consider an alternative product. Or use his 1337 hacker skills to modify his already-customized local routing configuration to just do the thing this consumer electronics device is assuming is standard (i.e. accessing services by IP on the Internet) by telling his network to proxy 8.8.8.8 to some other IP he designates.

  • by hendersoon on 2/15/2019, 7:28:50 PM

    I redirect all outbound DNS queries from my untrusted/IoT and guest VLANs to an internal caching DNS server for this reason. I use Pihole [1] which also blocks ads in mobile apps and such, very convenient.

    Providing a DNS server via DHCP is insufficient as many IoT devices ignore it for tracking purposes. Similar deal with blocking port 53 outbound, they just refuse to work.

    [1]: https://pi-hole.net/
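The point above, that a DHCP-supplied resolver is not enough because some devices go straight to 8.8.8.8 anyway, can be verified from the gateway's own logs before deciding to redirect or block. This added example (not from the thread) parses iptables LOG lines for forwarded port 53 traffic and reports each internal host that talks to a resolver outside the allowed set; the VLAN, addresses and log lines are constructed, and it assumes a rule such as `iptables -I FORWARD -p udp --dport 53 -j LOG --log-prefix "DNS-OUT: "` (plus the TCP twin) produced them.

```python
import re
from collections import defaultdict

# Fields in the order the kernel's LOG target emits them: SRC, DST, ..., PROTO, ..., DPT.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>UDP|TCP) .*?DPT=(?P<dpt>\d+)")

# Constructed sample: an IoT VLAN (br-iot) behind gateway 192.168.50.1, which is the only permitted resolver.
SAMPLE_LOG = """\
Feb 15 13:49:12 gw kernel: DNS-OUT: IN=br-iot OUT=eth0 SRC=192.168.50.23 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51234 DPT=53 LEN=44
Feb 15 13:49:12 gw kernel: DNS-OUT: IN=br-iot OUT=eth0 SRC=192.168.50.23 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51235 DPT=53 LEN=44
Feb 15 13:49:13 gw kernel: DNS-OUT: IN=br-iot OUT=eth0 SRC=192.168.50.23 DST=8.8.4.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4211 DF PROTO=TCP SPT=40112 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 15 13:49:14 gw kernel: DNS-OUT: IN=br-iot OUT=eth0 SRC=192.168.50.40 DST=1.1.1.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=33001 DPT=53 LEN=44
Feb 15 13:49:15 gw kernel: DNS-OUT: IN=br-iot OUT=eth0 SRC=192.168.50.40 DST=203.0.113.9 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 15 13:49:16 gw kernel: DNS-OUT: IN=br-iot OUT=eth0 SRC=192.168.50.55 DST=192.168.50.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=50001 DPT=53 LEN=44
"""


def find_dns_bypass(lines, allowed_resolvers, dns_port=53):
    """Return {src_ip: {dst_ip: count}} for hosts sending DNS to resolvers outside allowed_resolvers.

    Non-DNS lines (other DPT) and lines whose PROTO is neither UDP nor TCP are ignored.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.search(line)
        if not m or int(m["dpt"]) != dns_port or m["dst"] in allowed_resolvers:
            continue
        hits[m["src"]][m["dst"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


def report(hits):
    """One line per offending host, busiest external resolver first."""
    out = []
    for src in sorted(hits):
        dsts = ", ".join(f"{d} ({n})" for d, n in sorted(hits[src].items(), key=lambda kv: -kv[1]))
        out.append(f"{src} bypasses DHCP DNS -> {dsts}")
    return out


if __name__ == "__main__":
    for line in report(find_dns_bypass(SAMPLE_LOG.splitlines(), {"192.168.50.1"})):
        print(line)
```

Hosts listed here are the ones a REDIRECT/DNAT rule like the others in this thread would silently rewrite; running the check after adding such a rule should show the list empty, since the rewritten packets no longer reach the external resolvers.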

  • by walrus01 on 2/15/2019, 6:10:10 PM

    Something that's always highly amusing is when people who have no idea who Paul Vixie is try to school him about anything DNS related...

    Never fails to make me chuckle.

  • by accrual on 2/17/2019, 3:48:14 AM

    I don't disagree that this is a Bad Thing.

    I like to use a BSD based router and a PF firewall. My solution:

        match in on $i inet proto udp from any to !($i) port {53 123} rdr-to ($i)
    
    "Any UDP packet destined for port 53 (DNS) or 123 (NTP) that is not the gateway ("$i"), redirect them to gateway ("$i")."

    The gateway has daemons listening and caching requests for performance. The client has no idea this is happening.

    It works great for me.

  • by r3vrse on 2/16/2019, 2:13:22 AM

    Just static route Google DNS back to your gateway. Works fine for me.

    As others have said though, who buys a Google device thinking it's not gonna talk to Google?

  • by sasasassy on 2/16/2019, 9:41:02 PM

    Chromecast didn't even need a Google account a while back. Now (last few years) it forces it on you for no discernible reason. Supposedly now you can use their Google Home app to search for apps to install that work with Chromecast, which is already possible in the Play Store. The easy solution is to use an old version.

  • by muppetman on 2/16/2019, 6:31:31 AM

    I reject (not just drop, reject as in send back an ICMP message) 8.8.8.8 and 8.8.4.4 in my home network, and my Chromecast Ultra works just fine. I know it's talking to the PiHole too because I see it in my logs.

    So I don't believe the OP, even though it's the living legend that is PV.

  • by leowinterde on 2/15/2019, 1:48:34 PM

    Very questionable, as fallback possibly ok but not forced. Is it the same with home mini devices?

  • by llacb47 on 2/15/2019, 9:38:19 PM

    This might explain why whenever I use a different DNS, some google subdomains refuse to connect.

  • by homero on 2/16/2019, 2:16:33 AM

    My router enforces Quad9 and my Chromecast is fine. How's that different?

    Maybe my router masquerades the DNS port and answers vs blocking other DNS outright?

  • by johnmarcus on 2/16/2019, 12:30:48 AM

    Why didn’t he just return the device if he doesn’t like the way the Google product used Google services to function?

  • by sadris on 2/15/2019, 6:37:36 PM

    Just DNAT 8.8.8.8 to your DNS server.

  • by chemmail on 2/15/2019, 11:09:55 PM

    So this guy is complaining that he is using a Google product to use another Google product and needs to use Google in between to have that happen. Right.

  • by collsni on 2/15/2019, 8:01:17 PM

    1-to-1 NAT your traffic, that is what I did.

  • by reneberlin on 2/15/2019, 9:20:55 PM

    No more wonders?!

  • by reneberlin on 2/15/2019, 9:25:45 PM

    tldr-shortcut: expectation doesn't "meat" crushed tech-stack. Maybe there is a wet-ware problem 2b solved. (It's friday night,guess - i'm too drunk to be xpected gentle conv.)

  • by Zecar on 2/15/2019, 1:40:03 PM

    This is really shady of Google to do, and the fact that they think that it's acceptable just shows how far we've come. "Don't be evil" apparently means "spy on people, censor based on politics, help dirtbags stuck in the 12th century treat women as property, and assist totalitarian regimes to stay in power and censor their populace".

    Google is literally cartoonishly evil at this point. That slogan of theirs is an absolute joke.

  • by gsich on 2/15/2019, 1:40:05 PM

    Shitty device then. Or is there a legitimate use case for such behaviour?

  • by optimuspaul on 2/15/2019, 5:38:27 PM

    I don't understand, why does he have a Google product if he doesn't want to support Google?

  • by nemonemo on 2/15/2019, 4:18:31 PM

    From this post, it is unclear whether the DNS given by DHCP should be 8.8.8.8, or the device only needs reachability to 8.8.8.8. I think if the latter is true, it seems acceptable, given the internet can be unpredictable, and Google network reachability would be correlated among services.