Google Public DNS

Last updated

Google Public DNS is a Domain Name System (DNS) service offered to Internet users worldwide by Google. It functions as a recursive name server. Google Public DNS was announced on December 3, 2009, [1] in an effort described as "making the web faster and more secure." [2] [3] As of 2018, it is the largest public DNS service in the world, handling over a trillion queries per day. [4] Google Public DNS is not related to Google Cloud DNS, which is a DNS hosting service.

Contents

Service

The Google Public DNS service operates recursive name servers for public use at the four IP addresses listed below. [5] These addresses are mapped to the nearest operational server by anycast routing. [6]

Filters domains No
Passes ECS Yes
Validates DNSSEC Yes
Via DoH https://dns.google/dns-query
Via DoT dns.google
Via IPv4 8.8.8.8
8.8.4.4
Via IPv6 2001:4860:4860::8888
2001:4860:4860::8844

The service does not use conventional DNS name server software, such as BIND, instead relying on a custom-designed implementation, conforming to the DNS standards set forth by the IETF. It fully supports the DNSSEC protocol since 19 March 2013. Previously, Google Public DNS accepted and forwarded DNSSEC-formatted messages but did not perform validation. [7] [8]

Some DNS providers practice DNS hijacking while processing queries, redirecting web browsers to an advertisement site operated by the provider when a nonexistent domain name is queried. The Google service correctly replies with a non-existent domain (NXDOMAIN) response. [9]

The Google service also addresses DNS security. A common attack vector is to interfere with a DNS service to achieve redirection of web pages from legitimate to malicious servers. Google documents efforts to be resistant to DNS cache poisoning, including “Kaminsky Flaw” attacks as well as denial-of-service attacks. [10]

DNS64

The Google Public DNS64 service operates recursive name servers for public use at the two IP addresses listed below for use with NAT64. [11]

Filters domains No
Passes ECS Yes
Validates DNSSEC Yes
Via DoH https://dns64.dns.google/dns-query{?dns}
Via DoT dns64.dns.google
Via IPv6 2001:4860:4860::6464
2001:4860:4860::64

Privacy

Google stated that for the purposes of performance and security, the querying IP address will be deleted after 24–48 hours, but Internet service provider (ISP) and location information are stored permanently on their servers. [12] [13] [14]

History

In December 2009, Google Public DNS was launched with its announcement [15] on the Official Google Blog by product manager Prem Ramaswami, with an additional post on the Google Code blog. [16]

In January 2019, Google Public DNS adopted the DNS over TLS protocol. [17]

DNSSEC

At the launch of Google Public DNS, it did not directly support DNSSEC. Although RRSIG records could be queried, the AD (Authenticated Data) flag was not set in the launch version, meaning the server was unable to validate signatures for all of the data. This was upgraded on 28 January 2013, when Google's DNS servers silently started providing DNSSEC validation information, [18] but only if the client explicitly set the DNSSEC OK (DO) flag on its query. [19] This service requiring a client-side flag was replaced on 6 May 2013 with full DNSSEC validation by default, meaning all queries will be validated unless clients explicitly opt-out. [8]

Client subnet

Since June 2014, Google Public DNS automatically detects nameservers that support EDNS Client Subnet (ECS) options as defined in the IETF draft (by probing name servers at a low rate with ECS queries and caching the ECS capability), and will send queries with ECS options to such name servers automatically. [20]

Censorship in Turkey

In March 2014, use of Google Public DNS was blocked in Turkey after it was used to circumvent the blocking of Twitter, which took effect on 20 March 2014 under court order. The block was the result of earlier remarks by Prime Minister Tayyip Erdogan who vowed to "wipe out Twitter" following damaging allegations of corruption in his inner circle. The method became popular after it was determined that a simple domain name block was used to enforce the ban, which would easily be bypassed by using an alternate DNS resolver. Activists distributed information on how to use the service, and spray-painted the IP addresses used by the service as graffiti on buildings. Following the discovery of this method, Google Public DNS was blocked entirely. [21] [22] [23]

See also

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

In computer networks, a reverse DNS lookup or reverse DNS resolution (rDNS) is the querying technique of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the usual "forward" DNS lookup of an IP address from a domain name. The process of reverse resolving of an IP address uses PTR records. rDNS involves searching domain name registry and registrar tables. The reverse DNS database of the Internet is rooted in the .arpa top-level domain.

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to any computer that the attacker chooses.

Multicast DNS (mDNS) is a computer networking protocol that resolves hostnames to IP addresses within small networks that do not include a local name server. It is a zero-configuration service, using essentially the same programming interfaces, packet formats and operating semantics as unicast Domain Name System (DNS). It was designed to work as either a stand-alone protocol or compatible with standard DNS servers. It uses IP multicast User Datagram Protocol (UDP) packets and is implemented by the Apple Bonjour and open-source Avahi software packages, included in most Linux distributions. Although the Windows 10 implementation was limited to discovering networked printers, subsequent releases resolved hostnames as well. mDNS can work in conjunction with DNS Service Discovery (DNS-SD), a companion zero-configuration networking technique specified separately in RFC 6763.

This article presents a comparison of the features, platform support, and packaging of many independent implementations of Domain Name System (DNS) name server software.

Extension Mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol which had size restrictions that the Internet engineering community deemed too limited for increasing functionality of the protocol. The first set of extensions was published in 1999 by the Internet Engineering Task Force as RFC 2671, also known as EDNS0 which was updated by RFC 6891 in 2013 changing abbreviation slightly to EDNS(0).

<span class="mw-page-title-main">OpenDNS</span> Domain name system provided by Cisco using closed-source software

OpenDNS is an American company providing Domain Name System (DNS) resolution services—with features such as phishing protection, optional content filtering, and DNS lookup in its DNS servers—and a cloud computing security product suite, Umbrella, designed to protect enterprise customers from malware, botnets, phishing, and targeted online attacks. The OpenDNS Global Network processes an estimated 100 billion DNS queries daily from 85 million users through 25 data centers worldwide.

An IPv6 transition mechanism is a technology that facilitates the transitioning of the Internet from the Internet Protocol version 4 (IPv4) infrastructure in use since 1983 to the successor addressing and routing system of Internet Protocol Version 6 (IPv6). As IPv4 and IPv6 networks are not directly interoperable, transition technologies are designed to permit hosts on either network type to communicate with any other host.

DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

Unbound is a validating, recursive, and caching DNS resolver product from NLnet Labs. It is distributed free of charge in open-source form under the BSD license.

DNSCurve is a proposed secure protocol for the Domain Name System (DNS), designed by Daniel J. Bernstein. It encrypts and authenticates DNS packets between resolvers and authoritative servers.

DNSCrypt is a network protocol that authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. DNSCrypt wraps unmodified DNS traffic between a client and a DNS resolver in a cryptographic construction, preventing eavesdropping and forgery by a man-in-the-middle.

A public recursive name server is a name server service that networked computers may use to query the Domain Name System (DNS), the decentralized Internet naming system, in place of name servers operated by the local Internet service provider (ISP) to which the devices are connected. Reasons for using these services include:

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States. In May 2020, Chrome switched to DNS over HTTPS by default.

EDNS Client Subnet (ECS) is an option in the Extension Mechanisms for DNS that allows a recursive DNS resolver to specify the subnetwork for the host or client on whose behalf it is making a DNS query. This is generally intended to help speed up the delivery of data from content delivery networks (CDNs), by allowing better use of DNS-based load balancing to select a service address near the client when the client computer is not necessarily near the recursive resolver.

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.

<span class="mw-page-title-main">Quad9</span> Global public recursive DNS resolver based in Switzerland

Quad9 is a global public recursive DNS resolver that aims to protect users from malware and phishing. Quad9 is operated by the Quad9 Foundation, a Swiss public-benefit, not-for-profit foundation with the purpose of improving the privacy and cybersecurity of Internet users, headquartered in Zürich. Quad9 is entirely subject to Swiss privacy law, and the Swiss government extends that protection of the law to Quad9's users throughout the world, regardless of citizenship or country of residence.

1.1.1.1 is a free Domain Name System (DNS) service by the American company Cloudflare in partnership with APNIC. The service functions as a recursive name server, providing domain name resolution for any host on the Internet. The service was announced on April 1, 2018. On November 11, 2018, Cloudflare announced a mobile application of their 1.1.1.1 service for Android and iOS. On September 25, 2019, Cloudflare released WARP, an upgraded version of their original 1.1.1.1 mobile application.

References

  1. Singel, Ryan (December 3, 2009). "Geez, Google Wants to Take Over DNS, Too". Wired. ISSN   1059-1028 . Retrieved November 3, 2023.
  2. "Introducing Google Public DNS". Official Google Blog. December 3, 2009. Retrieved November 3, 2023.
  3. Stone, Brad (December 3, 2009). "Pondering Google's Move Into the D.N.S. Business". Bits Blog. Retrieved November 3, 2023.
  4. "Google Public DNS turns 8.8.8.8 years old". Google Online Security Blog. Retrieved November 3, 2023.
  5. Mario Bonilla (June 9, 2011). "Announcement on public-dns-announce" . Retrieved October 10, 2012.
  6. "Frequently Asked Questions | Public DNS". Google for Developers. Retrieved November 3, 2023.
  7. "Frequently Asked Questions" . Retrieved July 3, 2017.
  8. 1 2 "Google Public DNS Now Supports DNSSEC Validation". Google Code Blog. June 1, 2013.
  9. Raphael, JR (December 3, 2009). "Google Public DNS and Your Privacy". PCWorld. Retrieved January 11, 2021.
  10. "Google Public DNS Security Threats and Mitigations" . Retrieved June 22, 2012.
  11. "Google Public DNS64". Google. June 3, 2016. Retrieved May 26, 2020.
  12. "Google Public DNS: Your Privacy". Google Inc. April 1, 2016. Retrieved September 5, 2016.
  13. "Google Privacy Policy". March 31, 2014. Retrieved July 1, 2014.
  14. "Google Public DNS and your privacy". PC World. December 4, 2009.
  15. "Introducing Google Public DNS". Official Google Blog. December 3, 2009. Retrieved November 3, 2023.
  16. "Introducing Google Public DNS". Google Code Blog. December 3, 2009.
  17. Beiersmann, Stefan (January 10, 2019). "Google spendiert seinen öffentlichen DNS-Servern TLS-Verschlüsselung". ZDNet.de (in German). Retrieved January 11, 2021.
  18. "Google's Public DNS does DNSSEC validation". nanog mailing list archives. January 29, 2013.
  19. Huston, Geoff (July 17, 2013). "DNS, DNSSEC and Google's Public DNS Service". CircleID.
  20. Wan, Shen (June 9, 2014). "Google Public DNS now auto-detects nameservers that support edns-client-subnet". Google Groups . Retrieved November 3, 2023.
  21. "Turkish citizens use Google to fight Twitter ban". The Verge. March 21, 2014. Retrieved March 24, 2014.
  22. "Twitter website 'blocked' in Turkey". BBC News. March 21, 2014. Retrieved November 3, 2023.
  23. "'We'll eradicate Twitter': Turkey blocks Twitter access". PCWorld. Retrieved November 3, 2023.