Google Public DNS is a free alternative Domain Name System (DNS) service offered to Internet users around the world. The service and its servers are owned and maintained by Google. It functions as a recursive name server providing domain name resolution for any host on the Internet. The service was announced on 3 December 2009, in an effort described as "making the web faster and more secure". As of 2014, Google Public DNS is the largest public DNS service in the world, handling 400 billion requests per day.
Service
Google Public DNS operates recursive name servers for public use at the following IP addresses: 8.8.8.8 and 8.8.4.4 for IPv4 service, and 2001:4860:4860::8888 and 2001:4860:4860::8844 for IPv6 access. The addresses are mapped to the nearest operational server by anycast routing.
The service does not use a conventional DNS name server, such as BIND, instead relying on a custom-built implementation, with limited IPv6 support, conforming to the DNS standards set forth by the IETF. It has fully supported the DNSSEC protocol since 19 March 2013. Previously Google Public DNS accepted and forwarded DNSSEC-formatted messages but did not perform validation.
Some DNS providers practice DNS hijacking while processing queries, redirecting web browsers to an advertisement site operated by the provider when a nonexistent domain name is entered. This is considered intentional breaking of the DNS specification. The Google service correctly replies with a non-existent domain (NXDOMAIN) response.
The Google service also addresses DNS security. A common attack vector is to interfere with a DNS service to achieve redirection of web pages from legitimate to malicious servers. Google documents efforts to be resistant to DNS cache poisoning, including "Kaminsky Flaw" attacks as well as denial-of-service attacks.
Google claims various efficiency and speed benefits, such as using anycast routing to send user requests to the closest data center, over-provisioning servers to handle denial-of-service attacks and load balancing servers using two cache levels with a small per-host cache containing the most popular names and another pool of servers partitioned by the name to be looked up. This second level cache reduces the fragmentation and cache miss rate that can result from increasing the number of servers.
Privacy
Google stated that for the purposes of performance and security, the querying IP address will be deleted after 24–48 hours, but ISP and location information are stored permanently on their servers.
According to Google's general privacy policy, "We [Google] may combine personal information from one service with information, including personal information, from other Google services". However, Google Public DNS's policy specifically states that "We don't correlate or combine information from our temporary or permanent logs with any personal information that you have provided Google for other services."
History
In December 2009, Google Public DNS was launched with its announcement on the Official Google Blog by product manager Prem Ramaswami, with an additional post on the Google Code blog.
DNSSEC
At the launch of Google Public DNS, it did not directly support DNSSEC. Although RRSIG records could be queried, the AD (Authenticated Data) flag was not set in the launch version, meaning the server was unable to validate signatures for all of the data. This was upgraded on 28 January 2013, when Google's DNS servers silently started providing DNSSEC validation information, but only if the client explicitly set the DNSSEC OK (DO) flag on its query. This service requiring a client-side flag was replaced on 6 May 2013 with full DNSSEC validation by default, meaning all queries will be validated unless clients explicitly opt out.
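The flags described above can be seen at the wire level. The following is an added example, not code from Google or from the original article: it builds a query with the DO bit set in an EDNS0 OPT record, optionally sets the CD (Checking Disabled) header bit that a client uses to opt out of validation, and classifies a response by its AD bit and response code. The function names, the transaction ID and the header-only sample responses are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 3225).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000
TYPE_A, TYPE_OPT, CLASS_IN, SERVFAIL = 1, 41, 1, 2

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, txid, want_dnssec=False, opt_out=False):
    """Build an A query; want_dnssec appends an OPT record with DO set,
    opt_out sets CD so a validating resolver skips validation."""
    flags = RD | (CD if opt_out else 0)
    msg = struct.pack("!6H", txid, flags, 1, 0, 0, 1 if want_dnssec else 0)
    msg += encode_name(name) + struct.pack("!2H", TYPE_A, CLASS_IN)
    if want_dnssec:
        # OPT RR: root name, type 41, class = UDP size, TTL carries DO, no RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return msg

def classify(query, response):
    """Classify a response by the DNSSEC signals in its header."""
    qid = struct.unpack("!H", query[:2])[0]
    rid, flags = struct.unpack("!2H", response[:4])
    if not flags & QR or rid != qid:
        return "mismatch"        # not a response to this query
    if flags & 0x000F == SERVFAIL:
        return "servfail"        # what a validating resolver returns for bogus data
    return "validated" if flags & AD else "unvalidated"

def sample_response(txid, flags):
    """Constructed header-only response (12 bytes), not captured traffic."""
    return struct.pack("!6H", txid, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com", 0x1234, want_dnssec=True)
    for label, flags in [("AD set", QR | RD | RA | AD),
                         ("AD clear", QR | RD | RA),
                         ("SERVFAIL", QR | RD | RA | SERVFAIL)]:
        print(label, "->", classify(q, sample_response(0x1234, flags)))
```

The AD bit is an unsigned header field, so a stub client can rely on it only as far as it trusts the path to the resolver.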
Since June 2014, Google Public DNS automatically detects nameservers that support edns-client-subnet (ECS) options as defined in the IETF draft (by probing nameservers at a low rate with ECS queries and caching the ECS capability), and will send queries with ECS options to such nameservers automatically.
Censorship in Turkey
In March 2014, use of Google Public DNS was blocked in Turkey after it was used to circumvent the blocking of Twitter, which took effect on 20 March 2014 under court order. The block was the result of earlier remarks by Prime Minister Tayyip Erdogan, who vowed to "wipe out Twitter" following damaging allegations of corruption in his inner circle. The method became popular after it was determined that a simple domain name block was used to enforce the ban, which could easily be bypassed by using an alternate DNS system. Activists distributed information on how to use the service, and spray-painted the IP addresses used by the service as graffiti on buildings. Following the discovery of this method, the government moved to directly block Twitter's IP address, and Google Public DNS was blocked entirely.
Tools
- DNSd is a DNSSEC resolver through Google DNS-over-HTTPS implemented in C.
See also
- DynDNS
- DNS.com
- Norton ConnectSafe - a collection of DNS servers, some of which block sites tagged as security risks, pornography, and material described as being "non-family friendly"
- Open Root Server Network
- Public recursive name servers
- OpenDNS
- OpenNIC