Why Google Public DNS?
As web pages become more complex and include more resources from multiple origin domains, clients need to perform multiple DNS lookups to render a single page. The average Internet user performs hundreds of DNS lookups each day, slowing down their browsing experience. As the web continues to grow, greater load is placed on existing DNS infrastructure.
Since Google's search engine already crawls the web on a daily basis and in the process resolves and caches DNS information, we wanted to leverage our technology to experiment with new ways of addressing some of the existing DNS challenges around performance and security. We are offering the service to the public in the hope of achieving the following aims:
- Provide end users with an alternative to their current DNS service. Google Public DNS takes some new approaches that we believe offer more valid results, increased security, and, in most cases, better performance.
- Help reduce the load on ISPs' DNS servers. By taking advantage of our global datacenter and caching infrastructure, we can directly serve large numbers of user requests without having to query other DNS resolvers.
- Help make the web faster and more secure. We are launching this service to test some new ways to approach DNS-related challenges. We hope to share what we learn with developers of DNS resolvers and the broader web community and get their feedback.
Google Public DNS: what it is and isn't
Google Public DNS is a recursive DNS resolver, similar to other publicly available services. We think it provides many benefits, including improved security, fast performance, and more valid results. See below for an overview of the technical enhancements we've implemented.
Google Public DNS is not, however, any of the following:
- A top-level domain (TLD) name service.
- A DNS hosting or failover service. Google Public DNS is not a third-party DNS application service provider that hosts authoritative records for other domains. If you are looking for a high-volume, programmable, authoritative name server using Google's infrastructure, try Google's Cloud DNS.
- An authoritative name service. Google Public DNS servers are not authoritative for any domain. Google maintains another set of name servers that are authoritative for domains it has registered, hosted at ns[1-4].google.com.
- A malware-blocking service. Google Public DNS rarely performs blocking or filtering, though it may if we believe this is necessary to protect our users from security threats, or as required by law. In such extraordinary cases, it fails to answer; it does not create modified results.
Overview of benefits and enhancements
Google Public DNS implements a number of security, performance, and compliance improvements. We provide a brief overview of those enhancements below. If you're a developer or deployer of DNS software, we hope you'll also read the technical information pages on this site for more information on these features. Ultimately, our hope is to share our insights and inspire the community to adopt some of these features in all DNS resolvers. The changes are grouped into 3 categories:
Performance
Many DNS service providers are not sufficiently provisioned to be able to support high-volume input/output and caching, and adequately balance load among their servers. Google Public DNS uses large, Google-scale caches, and load-balances user traffic to ensure shared caching, letting us answer a large fraction of queries from cache.
For more information, see the page on performance benefits.
Security
DNS is vulnerable to various kinds of spoofing attacks that can "poison" a name server's cache and route its users to malicious sites. The prevalence of DNS exploits means that providers have to frequently apply server updates and patches. In addition, open DNS resolvers are vulnerable to being used to launch denial-of-service (DoS) attacks on other systems. To defend against such attacks, Google has implemented several recommended solutions to help guarantee the authenticity of the responses it receives from other name servers, and to ensure our servers are not used for launching DoS attacks. Besides full support of the DNSSEC protocol, these include adding entropy to requests, rate-limiting client traffic, and more.
In addition, Google Public DNS may not resolve certain domains if we believe this is necessary to protect Google’s users from security threats.
For more information, see the page on security benefits.
Correctness
Google Public DNS does its best to return the right answer to every query every time, in accordance with the DNS standards. Sometimes, in the case of a query for a mistyped or non-existent domain name, the right answer means no answer, or an error message stating the domain name could not be resolved. It also may not resolve certain domains if we believe this is necessary to protect our users from security threats. Google Public DNS never redirects users, unlike some open resolvers and ISPs.
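The behaviour described above (an error for a non-existent name rather than a redirect) can be checked from the client side. The following Python is an added example, not Google's code: it classifies a resolver's reply to a query for a name that cannot exist. The function names, the probe name under `.invalid`, and the two sample responses are constructed for illustration.

```python
import struct

NOERROR, NXDOMAIN = 0, 3
PROBE_NAME = "resolver-honesty-probe.invalid"  # assumption: .invalid never resolves (RFC 6761)

def build_query(name, qid):
    """Encode a recursive A/IN query for `name` in DNS wire format (RFC 1035)."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(query, response):
    """Classify a resolver's reply to a query for a name that cannot exist."""
    question = query[12:]
    if len(response) < 12 + len(question):
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    qid = struct.unpack("!H", query[:2])[0]
    # Accept only a response (QR=1) that echoes our ID and question byte for byte.
    if rid != qid or not flags & 0x8000 or response[12:12 + len(question)] != question:
        return "mismatch"
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "nxdomain"    # honest negative answer
    if rcode == NOERROR and ancount > 0:
        return "rewritten"   # resolver supplied records for a missing name
    return "nodata" if rcode == NOERROR else "error"

def sample_response(query, flags, answer=b""):
    """Constructed reply for offline use: echoed question plus an optional answer RR."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", qid, flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer

QUERY = build_query(PROBE_NAME, qid=0x1A2B)
# Constructed samples: NXDOMAIN, and NOERROR carrying an A record for 192.0.2.1 (TEST-NET-1).
HONEST = sample_response(QUERY, 0x8183)
FAKE_A = struct.pack("!HHHIH4B", 0xC00C, 1, 1, 60, 4, 192, 0, 2, 1)
REWRITTEN = sample_response(QUERY, 0x8180, FAKE_A)

if __name__ == "__main__":
    for label, resp in (("honest", HONEST), ("rewriting", REWRITTEN)):
        print(label, "->", classify(QUERY, resp))
```

A "rewritten" result for a `.invalid` probe means the resolver substitutes its own records for names that do not exist; "nxdomain" is the standards-conformant reply.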