Google Public DNS is a

Domain Name System The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information ...

(DNS) service offered to

Internet The Internet (or internet) is the Global network, global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a internetworking, network of networks ...

users worldwide by

Google Google LLC (, ) is an American multinational corporation and technology company focusing on online advertising, search engine technology, cloud computing, computer software, quantum computing, e-commerce, consumer electronics, and artificial ...

. It functions as a recursive name server. Google Public DNS was announced on December 3, 2009, in an effort described as "making the web faster and more secure." As of 2018, it is the largest public DNS service in the world, handling over a trillion queries per day. Google Public DNS is not related to Google Cloud DNS, which is a

DNS hosting service A DNS hosting service is a service that runs Domain Name System (DNS) servers. Most, but not all, domain name registrars include DNS hosting service with registration. Free DNS hosting services also exist. Many third-party DNS hosting services ...

Service

The Google Public DNS service operates recursive name servers for public use at the four IP addresses listed below. These addresses are mapped to the nearest operational server by

anycast Anycast is a network addressing and routing methodology in which a single IP address is shared by devices (generally servers) in multiple locations. Routers direct packets addressed to this destination to the location nearest the sender, using ...

routing Routing is the process of selecting a path for traffic in a Network theory, network or between or across multiple networks. Broadly, routing is performed in many types of networks, including circuit-switched networks, such as the public switched ...

. The service does not use conventional DNS

name server A name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identi ...

software, such as

BIND BIND () is a suite of software for interacting with the Domain Name System (DNS). Its most prominent component, named (pronounced ''name-dee'': , short for ''name Daemon (computing), daemon''), performs both of the main DNS server roles, acting ...

, instead relying on a custom-designed implementation, conforming to the DNS standards set forth by the

IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet standard, Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster ...

. It fully supports the

DNSSEC The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System ( DNS) in Internet Protocol ( IP) networks. The protoco ...

protocol since 19 March 2013. Previously, Google Public DNS accepted and forwarded DNSSEC-formatted messages but did not perform validation. Some DNS providers practice

DNS hijacking DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server unde ...

while processing queries, redirecting web browsers to an advertisement site operated by the provider when a nonexistent domain name is queried. The Google service correctly replies with a non-existent domain (NXDOMAIN) response. The Google service also addresses DNS security. A common attack vector is to interfere with a DNS service to achieve redirection of web pages from legitimate to malicious servers. Google documents efforts to be resistant to

DNS cache poisoning DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e ...

, including "Kaminsky Flaw" attacks as well as

denial-of-service In computing, a denial-of-service attack (DoS attack) is a cyberattack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host con ...

attacks.

DNS64

The Google Public DNS64 service operates recursive name servers for public use at the two IP addresses listed below for use with NAT64.

Privacy

Google stated that for the purposes of performance and security, the querying

IP address An Internet Protocol address (IP address) is a numerical label such as that is assigned to a device connected to a computer network that uses the Internet Protocol for communication. IP addresses serve two main functions: network interface i ...

will be deleted after 24–48 hours, but

Internet service provider An Internet service provider (ISP) is an organization that provides a myriad of services related to accessing, using, managing, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, no ...

(ISP) and

location In geography, location or place is used to denote a region (point, line, or area) on Earth's surface. The term ''location'' generally implies a higher degree of certainty than ''place'', the latter often indicating an entity with an ambiguous bou ...

information are stored permanently on their servers.

History

In December 2009, Google Public DNS was launched with its announcement on the Official Google Blog by product manager Prem Ramaswami, with an additional post on the

Google Code Google Developers (previously Google Code) , application programming interfaces (APIs), and technical resources. The site contains documentation on using Google developer tools and APIs—including discussion groups and blogs for developers usin ...

blog. In January 2019, Google Public DNS adopted the

DNS over TLS DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by prevent ...

protocol.

DNSSEC

At the launch of Google Public DNS, it did not directly support

. Although RRSIG records could be queried, the AD (Authenticated Data) flag was not set in the launch version, meaning the server was unable to validate signatures for all of the data. This was upgraded on 28 January 2013, when Google's DNS servers silently started providing DNSSEC validation information, but only if the client explicitly set the DNSSEC OK (DO) flag on its query. This service requiring a client-side flag was replaced on 6 May 2013 with full DNSSEC validation by default, meaning all queries will be validated unless clients explicitly opt-out.

Client subnet

Since June 2014, Google Public DNS automatically detects nameservers that support

EDNS Client Subnet EDNS Client Subnet (ECS) is an option in the Extension Mechanisms for DNS that allows a recursive DNS resolver to specify the subnetwork for the host or client on whose behalf it is making a DNS query. This is generally intended to help speed up ...

(ECS) options as defined in the IETF draft (by probing name servers at a low rate with ECS queries and caching the ECS capability), and will send queries with ECS options to such

s automatically.

Censorship in Turkey

In March 2014, use of Google Public DNS was blocked in

Turkey Turkey, officially the Republic of Türkiye, is a country mainly located in Anatolia in West Asia, with a relatively small part called East Thrace in Southeast Europe. It borders the Black Sea to the north; Georgia (country), Georgia, Armen ...

after it was used to circumvent the blocking of

Twitter Twitter, officially known as X since 2023, is an American microblogging and social networking service. It is one of the world's largest social media platforms and one of the most-visited websites. Users can share short text messages, image ...

, which took effect on 20 March 2014 under court order. The block was the result of earlier remarks by Prime Minister

Tayyip Erdogan Tayyip () is a Turkish given name for males. Tayyip may refer to: * Recep Tayyip Erdoğan (born 1954), Turkish politician, and Prime Minister of the Republic of Turkey from 2003 to 2014, and current President of Turkey since 2014 *Tayyip Talha Sa ...

who vowed to "wipe out Twitter" following damaging allegations of corruption in his inner circle. The method became popular after it was determined that a simple domain name block was used to enforce the ban, which would easily be bypassed by using an alternate DNS resolver. Activists distributed information on how to use the service, and spray-painted the IP addresses used by the service as

graffiti Graffiti (singular ''graffiti'', or ''graffito'' only in graffiti archeology) is writing or drawings made on a wall or other surface, usually without permission and within public view. Graffiti ranges from simple written "monikers" to elabor ...

on buildings. Following the discovery of this method, Google Public DNS was blocked entirely.

References

External links

Official developers blog

Google Public DNS
{{DEFAULTSORT:Google Public Dns Public DNS Alternative Internet DNS services Internet properties established in 2009