Frequently Asked Questions  |  Public DNS  |  Google for Developers (2024)

General

What is Google Public DNS?

Google Public DNS is a free, global Domain Name System (DNS) resolution service,that you can use as an alternative to your current DNS provider.

Why is Google working on a DNS service?

We believe that a faster and safer DNS infrastructure could significantlyimprove the web browsing experience. Google Public DNS has made manyimprovements in the areas of speed, security, and validity of results.We've shared these improvements in ourdocumentation,to contribute to an ongoing conversation within the web community.

Can I use Google Public DNS to host my domain name?

Google Public DNS is not an authoritative DNS hosting service and cannot beused as one. If you are looking for a high-volume, programmable, authoritativename server using Google's infrastructure, try Google's Cloud DNS.

Does Google Public DNS offer the ability to block or filter out unwanted sites?

Google Public DNS is a DNS resolution and caching server; it does not performblocking or filtering of any kind, except for certain domains in rare cases,where:

• we believe this is necessary to protect Google's users from security threats
• we are legally required to block a specific domain or domains. (Learn moreat the Blocking page).

But we believe that blocking functionality is usually best performed by theclient.If you are interested in enabling such functionality, you should considerinstalling a client-side application or browser add-on for this purpose.

Are there any cross-product dependencies with Google Public DNS?

Google Public DNS is an independent service.

Do I need a Google Account to use Google Public DNS?

Use of Google Public DNS does not require any account.

How is Google Public DNS different from my ISP's DNS service or other open DNS resolvers? How can I tell if it is better?

Open resolvers and your ISP all offer DNS resolution services.We invite you to try Google Public DNS as your primary or secondary DNS resolveralong with any other alternate DNS services.There are many things to consider when identifying a DNS resolver that works foryou, such as speed, reliability, security, and validity of responses.Unlike Google Public DNS, some ISPs and open resolvers block, filter, orredirect DNS responses for commercial purposes. Also see the answer to theDoes Google Public DNS offer the ability to block or filter outunwanted sites? question.

How does Google Public DNS handle non-existent domains?

If you issue a query for a domain name that does not exist, Google Public DNSalways returns an NXDOMAIN record, as per the DNS protocol standards.The browser should show this response as a DNS error.If, instead, you receive any response other than an error message (for example,you are redirected to another page), this could be the result of the following:

• A client-side application such as a browser plug-in is displaying an alternatepage for a non-existent domain.
• Some ISPs may intercept and replace all NXDOMAIN responses with responses thatlead to their own servers.If you are concerned that your ISP is intercepting Google Public DNS requestsor responses, you should contact your ISP.

Will Google Public DNS be used to serve ads in the future?

We are committed to preserving the integrity of the DNS protocol.Google Public DNS will never return the address of an ad server for anon-existent domain.

What is DNS over HTTPS (DoH)?

DNS resolution over an encrypted HTTPS connection.DNS over HTTPS greatly enhances privacy and security between a stub resolverand a recursive resolver, and complements DNSSEC to provide end-to-endauthenticated DNS lookups.

Use and support

I am using another DNS service now. Can I also use Google Public DNS?

You can set Google Public DNS to be your primary or secondary DNS resolver,along with your current DNS resolver.Please remember that operating systems treat DNS resolvers differently:some prefer your primary DNS resolver and only use the secondary if the primaryfails to respond, while others round-robin among each of the resolvers.

If there are differences in security or filtering between configured resolvers,you get the weakest level of security or filtering of all the resolvers.NXDOMAIN filtering or redirection to block pages may work sometimes,but SERVFAIL does not block domains unless all resolvers return SERVFAIL.

Is Google Public DNS suitable for all types of Internet-enabled devices?

Google Public DNS can be used on any standards-compliant network device.If you find any situation where Google Public DNS does not work well,please let us know.

Can I run Google Public DNS on my office computer?

Some offices have private networks that allow you to access domains that youcan't access outside of work.Using Google Public DNS might limit your access to these private domains.Please check your IT department's policy before using Google Public DNS on youroffice computer.

In which countries is Google Public DNS available?

It is available to Internet users around the world, though your experience mayvary greatly based on your specific location.

Does Google Public DNS work with all ISPs?

Google Public DNS should work with most ISPs, assuming you have access to changeyour network DNS settings.

Do I need to use both Google Public DNS IP addresses?

You can use Google as your primary service by just using one of the IPaddresses.However, be sure not to specify the same address as both primary andsecondary servers.

Does it matter in what order I specify the IP addresses?

The order does not matter.Either IP can be your primary or secondary name server.

What is the SLA for the service?

There is no Service Level Agreement (SLA) for the free Google Public DNSservice.

I'm running an ISP. Can I redirect my users to Google Public DNS?

ISPs that want to use Google Public DNS should follow theISP instructions to see if they need to doanything before sending queries to Google Public DNS.

How can I get support from the Google Public DNS team?

We recommend that you join our Google Groupsto get useful updates from the team and ask any questions you have.If you are encountering a problem and would like to report it,please see Reporting issues for procedures.

Technical

How does Google Public DNS know where to send my queries?

Anycast routing directs your queries to the closest Google Public DNS server.For more information on anycast routing, see theWikipedia entry.

Google Public DNS uses Name Server (NS) records published in the DNS root zoneand zones of top-level domains to find the names and addresses of the DNSservers that are authoritative for any domain. Some of those name servers alsouse anycast routing.

Where are your servers currently located?

Google Public DNS servers are available worldwide. There are two answers to thisquestion, one for clients and another for the DNS servers from which GooglePublic DNS gets the answers it returns to clients.

When clients send queries to Google Public DNS, they are routed to the nearestlocation advertising the anycast address used (8.8.8.8, 8.8.4.4, or one ofthe IPv6 addresses in 2001:4860:4860::). The specific locations advertisingthese anycast addresses change due to network conditions and traffic load, andinclude nearly all of the Core data centers and Edge Points of Presence (PoPs)in the Google Edge Network.

Google Public DNS sends queries to authoritative servers from Core data centersand Google Cloud region locations.Google publishes a list of the IP address ranges Google Public DNS may use toquery authoritative DNS servers (not all the ranges in the list are used). Youcan use it for geo-location of DNS queries lacking EDNS Client Subnet (ECS)data, and to configure ACLs to allow higher query rates from Google Public DNS.

In addition to this FAQ, Google also publishes the list as a DNS "TXT" record.Google updates both sources weekly with additions, modifications, and removals.Each IP address range entry includes the IATA code for the nearest airport.Automation for GeoIP data or ACLs should get this data via DNS, not by scrapingthis web page (see below for an example).

Locations of IP address ranges Google Public DNS uses to send queries

34.64.0.0/24 icn34.64.1.0/24 icn34.64.2.0/24 icn34.101.0.0/24 cgk34.101.1.0/24 cgk34.101.2.0/24 cgk34.153.64.0/24 dia34.153.65.0/25 dia34.153.65.128/26 dia34.153.65.192/26 dmm34.153.66.0/24 dmm74.125.16.128/26 bom74.125.16.192/26 yyz74.125.17.128/26 cbf74.125.17.192/26 dfw74.125.18.0/25 iad74.125.18.128/26 syd74.125.18.192/26 lhr74.125.19.0/25 mrn74.125.19.128/25 yyz74.125.40.0/25 mrn74.125.40.128/26 lhr74.125.40.192/26 rno74.125.41.0/24 tpe74.125.42.0/24 atl74.125.43.0/25 tul74.125.43.128/25 lhr74.125.44.0/24 mrn74.125.45.0/24 tul74.125.46.0/24 lpp74.125.47.0/24 bru74.125.72.0/24 cbf74.125.73.0/24 bru74.125.74.0/24 lpp74.125.75.0/24 chs74.125.76.0/24 cbf74.125.77.0/24 chs74.125.78.0/24 chs74.125.79.0/24 lpp74.125.80.0/24 dls74.125.81.0/24 dub74.125.92.0/24 mrn74.125.112.0/24 lpp74.125.113.0/24 cbf74.125.114.128/26 lpp74.125.114.192/26 grq74.125.115.0/24 tul74.125.177.0/24 atl74.125.178.0/24 bom74.125.179.0/25 cbf74.125.179.128/26 hkg74.125.179.192/26 cbf74.125.180.0/24 chs74.125.181.0/25 bru74.125.181.128/26 lax74.125.181.192/26 grq74.125.182.0/24 cbf74.125.183.0/24 cbf74.125.184.0/24 chs74.125.185.0/25 chs74.125.185.128/26 tul74.125.185.192/26 bll74.125.186.0/25 dls74.125.186.128/26 cbf74.125.186.192/26 tpe74.125.187.0/25 dls74.125.187.128/26 fra74.125.187.192/26 las74.125.189.0/24 cbf74.125.190.0/24 sin74.125.191.0/24 tul172.217.32.0/25 lhr172.217.32.128/26 sin172.217.32.192/26 mel172.217.33.0/25 syd172.217.33.128/25 fra172.217.34.0/26 fra172.217.34.64/26 bom172.217.34.128/26 del172.217.34.192/26 bom172.217.35.0/26 gru172.217.35.64/26 lhr172.217.35.128/26 gru172.217.35.192/26 cbf172.217.36.0/24 atl172.217.37.0/25 gru172.217.37.128/26 lpp172.217.37.192/26 cbf172.217.38.0/25 bom172.217.38.128/26 tul172.217.38.192/26 cgk172.217.39.128/26 scl172.217.39.192/26 tul172.217.40.0/25 grq172.217.40.128/25 las172.217.41.0/25 grq172.217.41.128/26 cbf172.217.41.192/26 bru172.217.42.0/25 tpe172.217.42.128/26 cmh172.217.42.192/26 atl172.217.43.0/25 yul172.217.43.128/26 sin172.217.43.192/26 tpe172.217.44.0/25 yul172.217.44.128/26 fra172.217.44.192/26 sin172.217.45.0/25 yul172.217.45.128/25 fra172.217.46.0/24 dls172.217.47.0/25 sin172.217.47.128/25 lhr172.253.0.0/25 lax172.253.0.128/25 mel172.253.1.0/25 lax172.253.1.128/26 waw172.253.1.192/26 fra172.253.2.0/25 lax172.253.2.128/26 fra172.253.2.192/26 mad172.253.3.0/25 nrt172.253.3.128/25 lbg172.253.4.0/25 hkg172.253.4.128/25 lbg172.253.5.0/25 hkg172.253.5.128/25 mad172.253.6.0/25 hkg172.253.6.128/25 nrt172.253.7.0/25 chs172.253.7.128/26 nrt172.253.7.192/26 grq172.253.8.0/25 iad172.253.8.128/26 iad172.253.8.192/26 icn172.253.9.0/25 iad172.253.9.128/26 atl172.253.9.192/26 lax172.253.10.0/25 iad172.253.10.128/25 fra172.253.11.0/25 zrh172.253.11.128/26 cmh172.253.11.192/26 grq172.253.12.0/25 zrh172.253.12.128/25 mil172.253.13.0/25 kix172.253.13.128/26 mil172.253.13.192/26 waw172.253.14.0/25 zrh172.253.14.128/26 cmh172.253.14.192/26 cgk172.253.15.0/25 kix172.253.15.128/26 bom172.253.15.192/26 chs172.253.192.0/24 cbf172.253.193.0/25 kix172.253.193.128/26 slc172.253.193.192/26 fra172.253.194.0/25 hhn172.253.194.128/26 cbf172.253.194.192/26 lhr172.253.195.0/25 hhn172.253.195.128/26 fra172.253.195.192/26 iad172.253.196.0/25 cbf172.253.196.128/26 tul172.253.196.192/26 slc172.253.197.0/25 fra172.253.197.128/26 lbg172.253.197.192/26 bom172.253.198.0/25 hhn172.253.198.128/26 dfw172.253.198.192/26 kix172.253.199.0/25 fra172.253.199.128/26 kix172.253.199.192/26 cbf172.253.200.128/26 slc172.253.200.192/26 cgk172.253.201.0/25 syd172.253.201.128/25 tlv172.253.202.0/24 bll172.253.204.0/25 syd172.253.204.128/26 tlv172.253.204.192/26 bom172.253.205.0/24 lhr172.253.206.0/24 waw172.253.209.0/25 ckv172.253.209.128/25 chs172.253.210.0/24 iad172.253.211.0/25 sin172.253.211.128/26 icn172.253.211.192/26 bom172.253.212.0/25 tul172.253.212.128/26 scl172.253.212.192/26 chs172.253.213.0/25 iad172.253.213.128/26 del172.253.213.192/26 dmm172.253.214.0/25 iad172.253.214.128/26 cbf172.253.214.192/26 fra172.253.215.0/25 bru172.253.215.128/26 bom172.253.215.192/26 sin172.253.216.0/25 chs172.253.216.128/26 sin172.253.216.192/26 trn172.253.217.0/25 tul172.253.217.128/25 trn172.253.218.0/25 uos172.253.218.128/26 syd172.253.218.192/26 cbf172.253.219.0/25 scl172.253.219.128/26 chs172.253.219.192/26 gru172.253.220.0/25 bom172.253.220.128/26 scl172.253.220.192/26 tul172.253.221.0/25 cbf172.253.221.128/26 iad172.253.221.192/26 bom172.253.222.0/25 slc172.253.222.128/26 cmh172.253.222.192/26 bom172.253.223.0/25 slc172.253.223.128/26 cmh172.253.223.192/26 iad172.253.224.0/24 cgk172.253.225.0/24 fra172.253.226.0/24 del172.253.227.0/25 ckv172.253.227.128/26 mad172.253.227.192/26 ber172.253.228.0/25 uos172.253.228.128/26 mil172.253.228.192/26 ber172.253.229.0/25 las172.253.229.128/26 mel172.253.229.192/26 del172.253.230.0/25 gru172.253.230.128/26 bom172.253.230.192/26 mel172.253.231.0/25 las172.253.231.128/26 lax172.253.231.192/26 bru172.253.232.0/25 las172.253.232.128/26 slc172.253.232.192/26 fra172.253.233.0/25 gru172.253.233.128/25 ber172.253.234.0/24 gru172.253.235.0/25 nrt172.253.235.128/25 bom172.253.236.0/25 nrt172.253.236.128/26 nrt172.253.236.192/26 sin172.253.237.0/25 hkg172.253.237.128/25 zrh172.253.238.0/25 nrt172.253.238.128/25 yul172.253.239.0/25 slc172.253.239.128/26 tpe172.253.239.192/26 tlv172.253.240.0/24 tul172.253.241.0/24 dhr172.253.242.0/24 chs172.253.243.0/24 ckv172.253.244.0/25 bom172.253.244.128/26 lax172.253.244.192/26 jnb172.253.245.0/24 las172.253.246.0/24 hhn172.253.247.0/24 syd172.253.248.0/24 bru172.253.249.0/25 atl172.253.249.128/26 del172.253.249.192/26 jnb172.253.250.0/24 cmh172.253.251.0/24 dfw172.253.252.0/24 icn172.253.253.0/24 icn172.253.254.0/24 dls172.253.255.0/24 waw173.194.90.0/24 cbf173.194.91.0/24 scl173.194.93.0/24 tpe173.194.94.0/24 cbf173.194.95.0/24 tul173.194.96.0/25 dub173.194.96.128/25 fra173.194.97.0/24 chs173.194.98.0/24 lpp173.194.99.0/25 tul173.194.99.128/25 dmm173.194.100.0/24 mrn173.194.101.0/24 tul173.194.102.0/24 atl173.194.103.0/24 cbf173.194.168.0/25 nrt173.194.168.128/26 nrt173.194.168.192/26 iad173.194.169.0/24 grq173.194.170.0/24 grq173.194.171.0/25 tpe173.194.171.128/26 del173.194.171.192/26 jnb192.178.36.0/25 cbf192.178.36.128/26 tpe192.178.36.192/26 phx192.178.37.0/26 cbf192.178.37.64/26 phx192.178.37.128/25 bru192.178.38.0/26 phx192.178.38.64/26 mrn192.178.38.128/26 sin192.178.38.192/26 cmh192.178.39.0/26 cmh192.178.39.64/26 bom192.178.39.128/25 tlv192.178.64.0/24 yyz192.178.65.0/26 iad192.178.65.64/26 del192.178.65.128/25 cmh192.178.66.0/25 cbf192.178.66.128/25 del192.178.67.0/26 cmh192.178.67.64/26 scl192.178.67.128/25 rno192.178.92.0/26 arn192.178.92.64/26 iad192.178.92.128/26 yyz192.178.92.192/26 cbf192.178.93.0/26 phx192.178.93.64/26 cmh192.178.93.128/26 arn192.178.93.192/26 cbf192.178.94.0/26 arn192.178.94.64/26 cmh192.178.94.128/26 slc192.178.94.192/26 dfw192.178.95.0/26 gru192.178.95.64/26 qro192.178.95.128/25 qro192.178.112.0/26 cbf192.178.112.64/26 tul192.178.112.128/26 cbf192.178.112.192/26 dls192.178.113.0/26 cbf192.178.113.64/26 tul192.178.113.128/26 aus192.178.113.192/26 cbf192.178.114.0/25 cmh192.178.114.128/25 fwa192.178.115.0/26 cmh192.178.115.64/26 dfw192.178.115.128/26 cmh192.178.115.192/26 iad192.178.116.0/26 grq192.178.116.64/26 cmh192.178.116.128/25 del2404:6800:4000::/48 bom2404:6800:4003::/48 sin2404:6800:4005::/48 hkg2404:6800:4006::/48 syd2404:6800:4008::/48 tpe2404:6800:400a::/48 kix2404:6800:400b::/48 nrt2404:6800:4013::/53 mel2404:6800:4013:800::/53 del2404:f340:10::/48 icn2404:f340:4010::/48 cgk2600:1900:4260::/54 dmm2600:1900:4260:400::/54 dia2607:f8b0:4001::/48 cbf2607:f8b0:4002::/48 atl2607:f8b0:4003::/48 tul2607:f8b0:4004::/52 iad2607:f8b0:4004:1000::/52 lax2607:f8b0:400c::/48 chs2607:f8b0:400d::/48 mrn2607:f8b0:400e::/48 dls2607:f8b0:4020::/48 yul2607:f8b0:4023::/54 ckv2607:f8b0:4023:400::/54 uos2607:f8b0:4023:800::/54 slc2607:f8b0:4023:c00::/54 las2607:f8b0:4023:1000::/54 dfw2607:f8b0:4023:1400::/54 cmh2607:f8b0:4023:1800::/54 yyz2607:f8b0:4023:1c00::/54 rno2607:f8b0:4023:2000::/54 phx2607:f8b0:4023:2400::/54 qro2607:f8b0:4023:2800::/54 aus2607:f8b0:4023:2c00::/54 fwa2607:f8b0:4024::/48 ckv2800:3f0:4001::/48 gru2800:3f0:4003::/48 scl2a00:1450:4001::/48 fra2a00:1450:4008::/48 ber2a00:1450:4009::/48 lhr2a00:1450:400a::/48 zrh2a00:1450:400b::/48 dub2a00:1450:400c::/48 bru2a00:1450:4010::/48 lpp2a00:1450:4013::/48 grq2a00:1450:4025::/54 hhn2a00:1450:4025:400::/54 dhr2a00:1450:4025:800::/54 waw2a00:1450:4025:c00::/54 bll2a00:1450:4025:1000::/54 mad2a00:1450:4025:1400::/54 lbg2a00:1450:4025:1800::/54 mil2a00:1450:4025:1c00::/54 tlv2a00:1450:4025:2000::/52 trn2a00:1450:4025:3000::/52 arn2c0f:fb50:4001::/48 jnb

Getting location data programmatically

The address ranges can be fetched as a JSON file:

curl https://www.gstatic.com/ipranges/publicdns.json

You can use the following Python script to create a list of IP address rangesthat Google Public DNS will use to make queries to authoritative DNS servers.

This data is also available at locations.publicdns.goog. as a TXT record.However the data size means that DNS TXT records is no longer an appropriateformat. We are replacing the TXT record with the JSON formatted file describedabove. If you are using the TXT record, please switch to using the JSON fileinstead since we plan to remove the TXT record at some point in the future.

curl https://www.gstatic.com/ipranges/publicdns.json | jq '.prefixes[] | .ipv4Prefix // .ipv6Prefix '

#!/usr/bin/env python3"""An example to fetch and print the Google Public DNS IP ranges."""import ipaddressimport jsonimport urllib.requestpublicdns_url = 'https://www.gstatic.com/ipranges/publicdns.json'def read_url(url): try: s = urllib.request.urlopen(url).read() return json.loads(s) except urllib.error.HTTPError: print('Invalid HTTP response from %s' % url) return {} except json.decoder.JSONDecodeError: print('Could not parse HTTP response from %s' % url) return {}def main(): publicdns_json = read_url(publicdns_url) print('{} published: {}'.format(publicdns_url, publicdns_json.get('creationTime'))) locations = dict() ipv4, ipv6 = set(), set() for e in publicdns_json['prefixes']: if e.get('ipv4Prefix'): ip = ipaddress.IPv4Network(e.get('ipv4Prefix'), strict=False) ipv4.add(ip) if e.get('ipv6Prefix'): ip = ipaddress.IPv6Network(e.get('ipv6Prefix'), strict=False) ipv6.add(ip) locations[ip] = e.get('scope') print('IP ranges used by Google Public DNS for contacting ' 'authoritative DNS servers:') for i in list(ipv4) + list(ipv6): print(i, locations[i])if __name__ == '__main__': main()

Is Google Public DNS based on open source software, such as BIND?

Google Public DNS is Google's own implementation of the DNS standards.

Are there plans to release Google Public DNS code as open source software?

At this time, there are no plans to open source Google Public DNS.But we have detailed all the steps we have taken to increase speed, security,and standards compliance.

Does Google Public DNS support IPv6?

Google Public DNS has IPv6 addresses for incoming requests from clientswith IPv6 connectivity and responds to all requests for IPv6 addresses,returning AAAA records if they exist.We fully support IPv6-only authoritative name servers.The IPv6 resolver addresses are provided in the instructions forgetting started with Google Public DNS.

Note that you may not see IPv6 results for Google web sites.To optimize the user experience, Google only serves AAAA records to clientswith good IPv6 connectivity.This policy is completely independent of Google Public DNS, and is enforced byGoogle's authoritative name servers.For more information, please see the Google over IPv6 page.

For IPv6-only networks and systems, you can use Google Public DNS64 to getsynthesized AAAA records for domain names with A records but no AAAA records.These synthesized AAAA records direct IPv6-only clients to a NAT64 gatewayusing a well-known IPv6 prefix reserved for NAT64 service.Just configure your systems following the getting started instructions,replacing the resolver addresses with the DNS64 IPv6 configuration.

Does Google Public DNS support the DNSSEC protocol?

Google Public DNS is a validating, security-aware resolver.All responses from DNSSEC signed zones are validated unless clients explicitlyset the CD flag in DNS requests to disable the validation.

How can I find out if I am using DNSSEC?

You can do a simple test by visiting http://www.dnssec-failed.org/.This site has been specifically configured to return a DNS error due to a brokenauthentication chain.If you don't receive an error, you are not using DNSSEC.

How does Google Public DNS handle lookups which fail DNSSEC validation?

If Google Public DNS cannot validate a response (due to misconfiguration,missing or incorrect RRSIG records, etc.), it will return an error response(SERVFAIL) instead.However, if the impact is significant (e.g. a very popular domain is failingvalidation), we may temporarily disable validation on the zone until the problemis fixed.

How can I find out why a given domain fails DNSSEC validation?

Verisign Labs' DNS Analyzer and Sandia National Laboratories'DNSViz are two DNSSEC visualization tools that show the DNSSECauthentication chain for any domain.They show where breakages occur and are useful for looking up the source ofDNSSEC failures.

Google Public DNS is serving old data. Can I force it to refresh its data?

You can use the Flush Cache tool to refresh the Google Public DNS cachefor common record types and most domain names.You do not need to prove ownership of the domain to flush it,but you must solve a reCAPTCHA that restricts automated abuse of the service.

Flushing any record type for a domain that you have registered or sub-delegatedwith NS records not only flushes cached responses for the type,it also flushes delegation information about the name servers for that domain.When you have recently changed name servers(by changing registrars or DNS hosting providers)it is critical to do this before flushing subdomains like www,so they are not refreshed from stale data on your old DNS servers.

If Google Public DNS is returning answers with stale CNAME records,you need to flush the CNAME record type for each CNAME domain,starting from the last CNAME in the chain, and working back to the queried name.After you flush all the CNAMEs, flush queried names with any record types thatare responding with the stale CNAME.

There are some limitations on what can be flushed:

• Domains using EDNS Client Subnet (ECS) for geolocation cannot be flushed– for any domains using ECS, set TTLs for ECS-enabled records short enough(15 minutes or less) that you never need to flush them.

• The only way to flush all subdomains, or all record types for a domain name,is to flush each record type for each domain name you want to flush.If this is not practical, you can always wait for the record TTLs to expire(these are generally limited to six hours even if the actual TTL is longer).

• To flush internationalized domain names such as пример.example,use the punycoded form (xn‑‑e1afmkfd.example for the above example).Domains with characters other than ASCII letters, digits, hyphen, orunderscore cannot be flushed.

Does Google Public DNS secure the so-called "last-hop" by encrypting communication with clients?

Traditional DNS traffic is transported over UDP or TCP without encryption.We also provide DNS over TLS and DNS over HTTPS which encrypts thetraffic between clients and Google Public DNS.You may try it at: https://dns.google.

Why do we need DNS over HTTPS when we already have DNSSEC?

DNS over HTTPS and DNSSEC are complementary.Google Public DNS uses DNSSEC to authenticate responses from name serverswhenever possible.However, in order to securely authenticate a traditional UDP or TCP responsefrom Google Public DNS, a client would need to repeat the DNSSEC validationitself, which very few client resolvers currently do.DNS over HTTPS encrypts the traffic between stub resolvers and Google PublicDNS, and complements DNSSEC to provide end-to-end authenticated DNS lookups.

Are there tools that I can use to test the performance of Google Public DNS against that of other DNS services?

There are many freely available tools that you can use to measure Google PublicDNS's response time.We recommend Namebench.Regardless of the tool you use, you should run the tool against a large numberof domains—more than 5000—to ensure statistically significantresults.Although the tests take longer to run, using a minimum of 5000 domains ensuresthat variability due to network latency (packet loss and retransmits) isminimized, and that Google Public DNS's large name cache is thoroughlyexercised.

To set the number of domains in Namebench, use the Number of tests GUIoption or the -t command line flag;see the Namebench documentation for more information.

When I run ping or traceroute against the Google Public DNS resolvers, the response latency is higher than that of other services. Does this mean Google Public DNS is always slower?

In addition to the ping time, you also need to consider the average time toresolve a name.For example, if your ISP has a ping time of 20 ms, but a mean name resolutiontime of 500 ms, the overall average response time is 520 ms.If Google Public DNS has a ping time of 300 ms, but resolves many names in 1 ms,the overall average response time is 301 ms.To get a better comparison, we recommend that you test the name resolutions of alarge set of domains.

How does Google Public DNS work with CDN geo-location?

Many sites that provide downloadable or streaming multimedia host their contentwith DNS-based third-party content distribution networks (CDNs), such as Akamai.When a DNS resolver queries an authoritative name server for a CDN's IP address,the name server returns the closest (in network distance) address to theresolver, not the user.In some cases, for ISP-based resolvers as well as public resolvers such asGoogle Public DNS, the resolver may not be in close proximity to the users.In such cases, the browsing experience could be slowed down somewhat.Google Public DNS is no different from other DNS providers in this respect.

To help reduce the distance between DNS servers and users, Google Public DNS hasdeployed its servers all over the world.In particular, users in Europe should be directed to CDN content servers inEurope, users in Asia should be directed to CDN servers in Asia, and users inthe eastern, central and western U.S. should be directed to CDN servers in thoserespective regions.We have also publishedthis informationto help CDNs provide good DNS results for multimedia users.

In addition, Google Public DNS uses a technical solution calledEDNS Client Subnet as describedin the RFC. This allows resolvers to passin part of the client's IP address (the first 24/56 bits or less for IPv4/IPv6respectively) as the source IP in the DNS message, so that name servers canreturn optimized results based on the user's location rather than that of theresolver.

Privacy

What information does Google log when I use the Google Public DNS service?

The Google Public DNS privacy page has a complete list of informationthat we collect.Google Public DNS complies with Google's main privacy policy, availableat our Privacy Center.

Your client IP address is only logged temporarily (erased within a day or two),but information about ISPs and city/metro-level locations are kept longerfor the purpose of making our service faster, better, and more secure.

Is any of the information collected stored with my Google account?

No stored data is associated with any Google account.

No, except in thelimited circ*mstances described in Google's privacy policy,such as legal processes and enforceable governmental requests.(See also Google's Transparency Report on user data requests.)

Does Google correlate or combine information from temporary or permanent logs with any personal information that I have provided Google for other services?

As the privacy page states, we do not combine or correlate log data inthis way.