Google Public DNS

From Wikipedia, the free encyclopedia - View original article

 
Jump to: navigation, search

Google Public DNS is a freely provided DNS (Domain Name System) service announced on 3 December 2009,[1] as part of Google's self-proclaimed effort to make the web faster.[2][3] According to Google, as of 2013, Google Public DNS is the largest public DNS service in the world, handling more than 130 billion requests on an average day.[4]

Google Public DNS provides the following recursive nameserver addresses for public use,[5] mapped to the nearest operational server location by anycast routing:[6]

IPv4 addresses
IPv6 addresses[7]

Services[edit]

The service does not use third party DNS management software such as BIND, instead relying on a custom-built implementation, with limited IPv6 support, conforming to the DNS standards set forth by the IETF. It fully supports the DNSSEC protocol since 19 March 2013 (previously Google Public DNS accepted and forwarded DNSSEC-formatted messages but did not perform validation).[8] [9] Many popular DNS providers practice DNS hijacking while processing queries, causing web browsers to redirect to an advertisement site run by the provider when a nonexistent domain name is entered, explicitly breaking the DNS specification.[10] In contrast, Google's service correctly replies with an NXDOMAIN (non-existing domain)[11] code in this situation, and this feature alone is cited by many new users to justify switching.[12]

Google also specifically addresses the security of Domain Name Serving, whereby third parties interfere with a DNS service to try to redirect users from legitimate to malicious websites. They document their efforts to be resistant to DNS cache poisoning including “Kaminsky Flaw” attacks as well as Denial-of-service attacks.[13]

Google claims various efficiency and speed benefits,[14] such as using anycast routing to send users to the closest worldwide data center, overprovisioning servers to handle even malicious traffic, and load-balancing servers using two cache levels, with a small per-machine cache containing the most popular names and another pool of machines partitioned by the name to be looked up. This second level cache reduces the fragmentation and cache miss rate that can result from just increasing the number of servers.

Privacy[edit]

It is stated that for the purposes of performance and security, only the user's IP address (deleted after 24 hours), ISP, and location information (kept permanently) are stored on the servers.[15][16][17]

According to Google's privacy policy, “We [Google] may combine personal information from one service with information, including personal information, from other Google services.” While there is no mention of the DNS service in the main policy—the privacy page of the DNS service states that information is not “correlated or combined” with “personally identifiable information”—the question remains whether a generic but persistent tracking identity is considered “personally identifiable information.”

History[edit]

In December 2009, Google Public DNS was launched with its announcement[18] on the Official Google Blog by product manager Prem Ramaswami, with an additional post on the Google Code blog.[19]

DNSSEC[edit]

Since 6 May 2013, Google Public DNS has enabled the DNSSEC validation by default; meaning all queries will be validated unless clients explicitly opt out.[20]

At the launch of Google Public DNS, it did not directly support DNSSEC. Although RRSIG records of course could be queried, the AD flag (Authenticated Data, meaning the server was able to validate signatures for all of the data) was never set in the launch version. This was upgraded on 28 January 2013, when Google's DNS servers silently started providing DNSSEC validation information,[21] but only if the client explicitly set client the DNSSEC OK (DO) flag on its query.[22] This service requiring a client-side flag was replaced on 6 May 2013 with full DNSSEC validation by default.

See also[edit]

References[edit]

  1. ^ Geez, Google Wants to Take Over DNS, Too Wired, 3 December 2009
  2. ^ Introducing Google Public DNS, Official Google Blog
  3. ^ Pondering Google's Move Into the D.N.S. Business New York Times, 4 December 2009
  4. ^ Gu, Yunhong. "Google Public DNS Now Supports DNSSEC Validation". Google Online Security Blog. Retrieved 20 March 2013. 
  5. ^ Google DNS Speed
  6. ^ Google DNS FAQ Countries
  7. ^ Mario Bonilla   View profile    More options (2011-06-09). "Announcement on public-dns-announce". Groups.google.com. Retrieved 2012-10-10. 
  8. ^ "Frequently Asked Questions". Retrieved 4 December 2009. 
  9. ^ Google Online Security Blog: Google Public DNS Now Supports DNSSEC Validation
  10. ^ "Public DNS Server with no hijacking!". Retrieved 22Jun2012. 
  11. ^ What Is NXDOMAIN? Email PDF Print Mar/13/12 (2012-03-13). "What Is Nxdomain?". Dnsknowledge.com. Retrieved 2013-05-24. 
  12. ^ "Google Launches Public DNS". Retrieved 22 June 2012. 
  13. ^ "Google Public DNS Security Threats and Mitigations". Retrieved 22 June 2012. 
  14. ^ "Google Public DNS Performance Benefits". Retrieved 22 June 2012. 
  15. ^ "Public DNS Privacy FAQ". Code.google.com. 2012-10-05. Retrieved 2012-10-10. 
  16. ^ "Google Privacy Policy". Google.com. 2012-07-27. Retrieved 2012-10-10. 
  17. ^ "Google Public DNS and your privacy". PC World. 4 December 2009. 
  18. ^ Introducing Google Public DNS Official Google Blog, 3 December 2009
  19. ^ "Introducing Google Public DNS". Google Code Blog. 3 December 2009. 
  20. ^ "Google Public DNS Now Supports DNSSEC Validation". Google Code Blog. 1 June 2013. 
  21. ^ "Google's Public DNS does DNSSEC validation". nanog mailing list archives. 29 January 2013. 
  22. ^ Huston, Geoff (17 July 2013). "DNS, DNSSEC and Google's Public DNS Service". CircleID. 

External links[edit]