by unseen 5237 days ago
Neat feature. In my opinion, they should go even further and make use of the information and inform the user, too:

"Your ISP (network administrator, ..) is intercepting and manipulating DNS requests. Do you want to use Google DNS instead?"

Comes in real handy when we need to have a "DnsManipulationDetector" in the future that checks if your DNS is actively censoring...


If your ISP is manipulating DNS like that, it's also possible that they're blocking UDP/53 to any host other than their own DNS servers as well.

Though it's certainly worth a shot, and I suppose Chrome could probably do a test query to 8.8.8.8 before recommending the switch.

Some people would probably view that with antitrust concerns, even though I agree that would be a good idea.
The environments where this is a problem - frequent one-word hosts - are intranets where you want to use the intranet DNS.
> "Your ISP (network administrator, ..) is intercepting and manipulating DNS requests. Do you want to use Google DNS instead?"

I would prefer

"Your ISP (network administrator, ..) is intercepting and manipulating DNS requests. Do you want to install a local caching DNS server and use it instead?"

Unbound [1] is a local DNS server that I have installed on all my machines. Small, fast, security-oriented, IPv6, BSD, made by NLnet Labs.

[1] http://unbound.net/

So you'd install a local caching DNS server that only Chrome would use... and this is better than Chrome doing its own DNS lookups how?
The grandparent said "use Google DNS" not "chrome doing its own DNS lookup".

If you use Google's DNS (or anybody's DNS) you are basically telling them which sites you are visiting. If you have a local DNS resolver you will not leak all that information to a single third party.

I don't understand. Your local DNS resolver still needs an upstream; either that is your existing broken DNS server, or it's Google's DNS server; in either case we're back where we were. Sure, your local DNS resolver could do some caching, but so could Chrome; and a local resolver doesn't combine your lookups with those of your neighbours, so you don't get any privacy advantage that way either.
> I don't understand. Your local DNS resolver still needs an upstream

No, not a single upstream.

When my browser asks my server on 127.0.0.1 to look up news.ycombinator.com it will first contact the root DNS server, then the `com` DNS server, then the `ycombinator.com` DNS server. Who knows about the fact that I was looking for `news.ycombinator.com`? Only the `ycombinator.com` DNS server. Who knows about the fact that I was looking for `ycombinator.com`? Only the `com` DNS server. Now I go to slashdot.org. Who will know about that? Only the `org` DNS server. If you use the Google DNS, Google will know that you requested both `news.ycombinator.com` and `slashdot.org`. Do you want them or any single company to have all this information?

Obviously you need an upstream, an authoritative server somewhere. But why do you need to concentrate all these requests on a single DNS server? ISPs are actively tracking users and, probably, selling their DNS histories to advertisers. Nominum (makers of a widespread DNS server) is quite explicit about it: «Data gathering and measurement are a vital part of network operations and DNS data represents a rich vein to be mined that has been underutilized in the past». [1]

[1] http://www.nominum.com/technology/analytics
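An added illustration, not from the thread, of the split the comment above describes: a toy Python simulation of a local resolver walking root, TLD and authoritative servers with QNAME minimisation (RFC 7816), beside forwarding every query to one upstream resolver, recording which server learns which name. The server names, zone data and addresses are constructed for the example, not real records.

```python
# Added example (constructed data): who learns what under iterative resolution
# with QNAME minimisation, versus forwarding everything to one upstream.
from collections import defaultdict

# Constructed toy hierarchy. A value that names another server is a delegation;
# anything else is a terminal answer (a documentation-range address).
ZONES = {
    "root":          {"com.": "tld-com", "org.": "tld-org"},
    "tld-com":       {"ycombinator.com.": "auth-yc"},
    "tld-org":       {"slashdot.org.": "auth-slashdot"},
    "auth-yc":       {"news.ycombinator.com.": "203.0.113.10"},
    "auth-slashdot": {"slashdot.org.": "203.0.113.20"},
}

def resolve_minimised(qname, seen):
    """Local recursive resolver: start at the root and send each server only the
    shortest name it needs (QNAME minimisation). `seen[server]` collects the
    names that server was asked about."""
    labels = qname.rstrip(".").split(".")
    server, depth = "root", 1
    for _ in range(16):                       # hop guard against bad delegations
        partial = ".".join(labels[-depth:]) + "."
        seen[server].append(partial)
        answer = ZONES[server].get(partial)
        if answer in ZONES:                   # referral: move down one level
            server = answer
            depth = min(depth + 1, len(labels))
        elif depth == len(labels):            # full name answered (or unknown)
            if answer is None:
                raise LookupError(qname)
            return answer
        else:                                 # this server serves deeper names too
            depth += 1
    raise LookupError(f"delegation loop for {qname}")

def resolve_via_forwarder(qname, seen):
    """Stub resolver behaviour: hand the full name to a single upstream, which
    then does the walk itself. Only the upstream's view is recorded here."""
    seen["upstream-resolver"].append(qname)
    return resolve_minimised(qname, defaultdict(list))

def observed(names, resolver):
    """Resolve `names` and return (addresses, {server: names it was asked})."""
    seen = defaultdict(list)
    addrs = [resolver(n, seen) for n in names]
    return addrs, dict(seen)

if __name__ == "__main__":
    for resolver in (resolve_minimised, resolve_via_forwarder):
        _, seen = observed(["news.ycombinator.com.", "slashdot.org."], resolver)
        print(resolver.__name__, seen)
```

Without QNAME minimisation a resolver sends the full query name to every server on the path, so the per-level split shown here depends on that feature being enabled in the local resolver.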

So you'd contact the root server directly? If that's really desirable behavior (and I suspect it isn't), why not just make Chrome query the root servers and walk the hierarchy, not using a DNS server at all?