Google Public DNS
Google Public DNS is a Domain Name System (DNS) service offered to Internet users worldwide by Google. It functions as a recursive name server. Google Public DNS was announced on 3 December 2009,[1] in an effort described as "making the web faster and more secure".[2][3] As of 2018, it is the largest public DNS service in the world, handling over a trillion queries per day.[4] Google Public DNS is not related to Google Cloud DNS, which is a DNS hosting service.
Service
The Google Public DNS service operates recursive name servers for public use at the following four IP addresses.[5] The addresses are mapped to the nearest operational server by anycast routing.[6]
DoH addresses | https://dns.google/dns-query | https://dns.google/resolve? (optional)
IPv4 addresses | 8.8.8.8 | 8.8.4.4
IPv6 addresses | 2001:4860:4860::8888 | 2001:4860:4860::8844
The service does not use conventional DNS name server software such as BIND, relying instead on a custom-designed implementation that conforms to the DNS standards set forth by the IETF. It has fully supported the DNSSEC protocol since 19 March 2013. Previously, Google Public DNS accepted and forwarded DNSSEC-formatted messages but did not perform validation.[7][8]
Some DNS providers practice DNS hijacking while processing queries, redirecting web browsers to an advertisement site operated by the provider when a nonexistent domain name is queried. The Google service correctly replies with a non-existent domain (NXDOMAIN) response.[9]
The Google service also addresses DNS security. A common attack interferes with a DNS service to redirect users from legitimate web servers to malicious ones. Google documents its efforts to resist DNS cache poisoning, including "Kaminsky Flaw" attacks, as well as denial-of-service attacks.[10]
DNS64
The Google Public DNS64 service operates recursive name servers for public use at the following two IP addresses for use with NAT64.[11] These servers are compatible with DNS over HTTPS.
DoH addresses | https://dns64.dns.google/dns-query{?dns} | https://dns64.dns.google/resolve?name=ipv4only.arpa&type=AAAA (optional)
IPv6 addresses | 2001:4860:4860::6464 | 2001:4860:4860::64
Privacy
Google stated that, for performance and security purposes, the querying IP address is deleted after 24–48 hours, but Internet service provider (ISP) and location information are stored permanently on its servers.[12][13][14]
History
In December 2009, Google Public DNS was launched with its announcement[15] on the Official Google Blog by product manager Prem Ramaswami, with an additional post on the Google Code blog.[16]
In January 2019, Google DNS adopted the DNS over TLS protocol.[17]
DNSSEC
At launch, Google Public DNS did not directly support DNSSEC. Although RRSIG records could be queried, the launch version never set the AD (Authenticated Data) flag, meaning the server was not validating signatures for the data it returned. This changed on 28 January 2013, when Google's DNS servers silently started providing DNSSEC validation information,[18] but only if the client explicitly set the DNSSEC OK (DO) flag on its query.[19] The requirement for a client-side flag was dropped on 6 May 2013 in favour of full DNSSEC validation by default, meaning all queries are validated unless clients explicitly opt out.[8]
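Added example (not from the page, and not Google's code): a small Python check of the validation behaviour described here and of the NXDOMAIN behaviour described under Service, built on the resolve? endpoint listed above. The endpoint path is from the page; the name, type and cd query parameters and the Status/AD response fields are assumed from Google's public JSON API documentation, and the sample responses are constructed.

```python
import json
import urllib.parse
import urllib.request

# Assumed: the "resolve" JSON endpoint listed on the page, with the query
# parameters name, type and cd (Checking Disabled) taken from Google's docs.
DOH_JSON = "https://dns.google/resolve"
# RCODE values from RFC 1035; the JSON body reports the RCODE as "Status".
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def build_url(name, rrtype="A", check_disabled=False):
    """Build the resolve URL; cd=1 asks the resolver to skip DNSSEC validation."""
    params = {"name": name, "type": rrtype}
    if check_disabled:
        params["cd"] = "1"
    return DOH_JSON + "?" + urllib.parse.urlencode(params)


def classify(body):
    """Interpret one JSON answer: AD=true means the resolver validated the
    DNSSEC chain, Status 3 is NXDOMAIN (no hijack to an ad page), Status 2
    (SERVFAIL) on a query that succeeds with cd=1 means validation failed."""
    status = body.get("Status")
    if status == RCODE_NXDOMAIN:
        return "nxdomain"
    if status == RCODE_SERVFAIL:
        return "servfail"
    if status == RCODE_NOERROR:
        return "secure" if body.get("AD") else "insecure"
    return "rcode-%s" % status


def resolve_live(name, rrtype="A", check_disabled=False):
    """Fetch a live answer from dns.google (needs network; not run offline)."""
    url = build_url(name, rrtype, check_disabled)
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


# Constructed sample bodies in the shape the JSON API returns (not real captures).
SAMPLE_SIGNED = {"Status": 0, "AD": True, "Answer": [{"name": "signed.example.", "type": 1, "data": "192.0.2.1"}]}
SAMPLE_UNSIGNED = {"Status": 0, "AD": False, "Answer": [{"name": "plain.example.", "type": 1, "data": "192.0.2.2"}]}
SAMPLE_NXDOMAIN = {"Status": 3, "AD": False}
SAMPLE_BOGUS = {"Status": 2, "AD": False}

if __name__ == "__main__":
    for label, body in [("signed", SAMPLE_SIGNED), ("unsigned", SAMPLE_UNSIGNED),
                        ("missing", SAMPLE_NXDOMAIN), ("bad-signature", SAMPLE_BOGUS)]:
        print(label, "->", classify(body))
```

A resolver that passes this check returns "secure" for a correctly signed zone, "nxdomain" for a missing name, and "servfail" for a zone whose signatures do not validate while the same query succeeds with cd=1.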
Client subnet
Since June 2014, Google Public DNS automatically detects name servers that support the EDNS Client Subnet (ECS) option as defined in the IETF draft (by probing name servers at a low rate with ECS queries and caching whether they support ECS), and sends queries with ECS options to such name servers automatically.[20]
Censorship in Turkey
In March 2014, use of Google Public DNS was blocked in Turkey after it was used to circumvent the blocking of Twitter, which took effect on 20 March 2014 under court order. The block was the result of earlier remarks by Prime Minister Tayyip Erdogan who vowed to "wipe out Twitter" following damaging allegations of corruption in his inner circle. The method became popular after it was determined that a simple domain name block was used to enforce the ban, which would easily be bypassed by using an alternate DNS system. Activists distributed information on how to use the service, and spray-painted the IP addresses used by the service as graffiti on buildings. Following the discovery of this method, Google Public DNS was blocked entirely.[21][22][23]
References
- "Geez, Google Wants to Take Over DNS, Too". Wired. 3 December 2009.
- "Introducing Google Public DNS". Official Google Blog.
- "Pondering Google's Move Into the D.N.S. Business". New York Times. 4 December 2009.
- "Google Public DNS and Location-Sensitive DNS Responses". Google. 27 February 2017.
- Bonilla, Mario (9 June 2011). "Announcement on public-dns-announce". groups.google.com. Retrieved 10 October 2012.
- "Google DNS FAQ: Countries". Google.
- "Frequently Asked Questions". Retrieved 3 July 2017.
- "Google Public DNS Now Supports DNSSEC Validation". Google Code Blog. 1 June 2013.
- Raphael, JR (3 December 2009). "Google Public DNS and Your Privacy". PCWorld. Retrieved 11 January 2021.
- "Google Public DNS Security Threats and Mitigations". Retrieved 22 June 2012.
- "Google Public DNS64". Google. 3 June 2016. Retrieved 26 May 2020.
- "Google Public DNS: Your Privacy". Google. 1 April 2016. Retrieved 5 September 2016.
- "Google Privacy Policy". Google. 31 March 2014. Retrieved 1 July 2014.
- "Google Public DNS and your privacy". PC World. 4 December 2009.
- "Introducing Google Public DNS". Official Google Blog. 3 December 2009.
- "Introducing Google Public DNS". Google Code Blog. 3 December 2009.
- Beiersmann, Stefan (10 January 2019). "Google spendiert seinen öffentlichen DNS-Servern TLS-Verschlüsselung". ZDNet.de (in German). Retrieved 11 January 2021.
- "Google's Public DNS does DNSSEC validation". NANOG mailing list archives. 29 January 2013.
- Huston, Geoff (17 July 2013). "DNS, DNSSEC and Google's Public DNS Service". CircleID.
- "Google Public DNS now auto-detects nameservers that support edns-client-subnet". public-dns-announce mailing list.
- "Turkish citizens use Google to fight Twitter ban". The Verge. Retrieved 24 March 2014.
- "Twitter website 'blocked' in Turkey". BBC News. 20 March 2014. Retrieved 23 March 2014.
- "'We'll eradicate Twitter': Turkey blocks Twitter access". PCWorld. 21 March 2014. Retrieved 22 March 2014.