Google Public DNS

Posted on Thu 10 November 2016 in Security

I'm sure we all have heard the worst and the best about Google Public DNS, so here's why I like it and why I recommend it to anyone who doesn't know how to do otherwise.

Why use it

  • It doesn't lie about NXDOMAIN (i.e. it doesn't hand you a bogus address for a name that doesn't exist). OpenDNS used to do it, a few common DNS servers still do it; it's bad and they should feel bad about it.

  • It doesn't censor anything. ISP DNS servers are required to censor things because of their close ties to the countries they operate in. Google doesn't care about that and, as far as I know, has never censored a website on request.

  • It validates DNSSEC! Most ISP DNS servers probably won't be doing that for the next 10 years! Even though clients should validate too, that's already a great step forward.

  • It strictly respects the published TTL. When someone publishes a zone that can be cached for up to N seconds, they will keep it for up to N seconds. Bad DNS servers have been known to ignore that, caching for longer than allowed and serving outdated records.
    This is partly responsible for the whole "wait 48h for DNS propagation" bullshit. DNS can otherwise be very fast and efficient.

  • There's a cache flush web service! This is just amazing and I would love all DNS servers to provide something like that.
    https://developers.google.com/speed/public-dns/cache
    If you want to test your DNS zones, TTL and DNSSEC in real world situations, that's a very useful tool.

  • Everyone can use it! ISP DNS servers are usually only accessible from the ISP's network. If you sometimes use a VPN, you need another DNS server. Any good VPN will provide one and it will switch automatically, but if you're using (that piece of shit) NetworkManager for instance, you're out of luck and would be better off with one DNS server you can use all the time. DNS management on GNU/Linux is a mess.
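Two of the points above (honest NXDOMAIN and DNSSEC validation) are easy to check for yourself. The following script is an added example, not code from the original post or from Google: it uses only the Python standard library to hand-build a DNS query carrying an EDNS0 OPT record with the DO bit, sends it over UDP to a resolver (8.8.8.8 by default) and reads the response code and the AD (Authenticated Data) flag from the header. The function names (`build_query`, `parse_header`, `verdict`, `query_resolver`) and the test hostnames in the main block are my own placeholders; replace the signed-zone name with one you know is signed.

```python
"""Check a recursive resolver for honest NXDOMAIN answers and DNSSEC validation.

Added example (not from the original post). Only query_resolver() touches the
network; build_query(), parse_header() and verdict() work offline.
"""
import socket
import struct

# DNS header flag bits and response codes (RFC 1035, RFC 4035).
FLAG_RD = 0x0100      # recursion desired
FLAG_AD = 0x0020      # authenticated data: the resolver validated DNSSEC
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
EDNS_DO = 0x8000      # "DNSSEC OK" bit in the OPT record flags
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    # Wire-format labels: "example.com" becomes 0x07 "example" 0x03 "com" 0x00.
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a recursive query with an EDNS0 OPT record whose DO bit is set."""
    # id, flags, qdcount, ancount, nscount, arcount (1: the OPT record)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, the TTL field split
    # into extended rcode / EDNS version / flags (DO), RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(message):
    """Return (txid, rcode, ad_bit) from the 12-byte header of a DNS message."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return txid, flags & 0x000F, bool(flags & FLAG_AD)


def verdict(rcode, ad_bit, expect_nxdomain):
    """Translate header fields into the property being checked."""
    if expect_nxdomain:
        if rcode == RCODE_NXDOMAIN:
            return "honest NXDOMAIN"
        return "no NXDOMAIN (rcode %d): resolver may be redirecting" % rcode
    if rcode != RCODE_NOERROR:
        return "query failed (rcode %d)" % rcode
    if ad_bit:
        return "AD set: resolver validated DNSSEC"
    return "AD not set: no validation, or the zone is unsigned"


def query_resolver(name, resolver="8.8.8.8", expect_nxdomain=False, timeout=3.0):
    """Send one UDP query and return the verdict string. Needs network access."""
    txid = 0x4242
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid=txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    rtxid, rcode, ad_bit = parse_header(data)
    if rtxid != txid:
        raise ValueError("transaction id mismatch, response ignored")
    return verdict(rcode, ad_bit, expect_nxdomain)


if __name__ == "__main__":
    # Constructed test names: a reserved TLD that must not resolve, and a
    # placeholder for a zone you know is DNSSEC-signed (edit it).
    checks = [
        ("nonexistent-host.example", True),
        ("signed-zone-placeholder.example", False),
    ]
    for host, want_nx in checks:
        try:
            print(host, "->", query_resolver(host, expect_nxdomain=want_nx))
        except (OSError, ValueError) as exc:
            print(host, "->", "error:", exc)
```

Run it once against 8.8.8.8 and once against your ISP's resolver; a resolver that answers the reserved name with anything other than NXDOMAIN is the kind this post complains about, and one that never sets AD on a signed zone is not validating.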

Of course, you may prefer your own local resolver, or your ISP's resolver if it's great, and that's a very good thing for the Internet.
But when talking to the average user or doing tech support, using 8.8.8.8 can solve many stupid problems created by bad DNS servers.

This is exactly why, when some random person needs a DNS resolver, I point them to 8.8.8.8. It does the job as it's meant to and does it very reliably.

Why not to use it

Of course I'm a cybersecurity person and an article here would seem empty without a cyberwar-related part. Let's analyze the potential threat.

What information you give Google by using 8.8.8.8:

  • The hostnames you may have contacted.
    Just to make sure everyone reading this gets it, this is NOT your browsing history. Google merely knows you may have used Amazon and Twitter recently, not in any case what pages you have been on. I'm writing this because I've seen people say and repeat this; stop it, please.
    For more information about that point, see RFC 7626.

What Google can theoretically do while you're using 8.8.8.8 (or any other DNS server):

  • Log the information mentioned above

    • It's not worth much, as it's only very incomplete data (only hostnames), not accurately tied to a person (only to an IPv4 address, which may change and is most likely shared by multiple people behind a NAT).
    • Anonymous and aggregated query data is however very useful for Internet statistics (how many people can use IPv6 in 2016?) and security research (how many requests to a malware-related or phishing domain?)
  • Send anything they want, since you won't ever validate the DNSSEC records yourself (even if you should), and most domains still don't have any signature anyway

    • They have promised not to do it, and people mostly use Google Public DNS because they don't. They have built trust and have no reason to break it, and this kind of attack is obvious.
    • Unless they also do the next item, that would be stopped by SSL/TLS.
  • Impersonate any server (unless public key pinning is in place), because Google is also a Certificate Authority

    • That would be illegal, very easily detected, and would destroy Google for many reasons.
    • But to be fair, people like Verisign have had much more than this ability for decades and no one seems to give a shit.
  • Censor anything

    • But then again, people would stop using it, since that's one of the first reasons to use it in the first place.

Google Public DNS is still better than most ISP DNS servers.
Google Public DNS is way better than telling people who have no idea what DNS is to "just install unbound".