Google boosts DNS safety

Google Inc. has taken steps to prevent Internet users from being redirected to bogus sites.

In an announcement yesterday, the search engine company said it now fully supports Domain Name System Security Extensions (DNSSEC) validation on its Google Public DNS (domain name system) resolvers.

Public DNS, Google’s own DNS lookup service, which has been running since 2009, translates “human readable” domain names into the Internet Protocol addresses that browsers and other computers use to reach a site.

Google Public DNS serves more than 130 billion DNS queries on average from more than 70 million unique IP addresses each day, according to the company. Only seven per cent of queries from the client side are DNSSEC enabled, and about one per cent of DNS responses from the name server side are signed.

However, Google said, current DNS protection systems have now lagged behind attack strategies and hacker tools. A large number of Internet attacks today target the name resolution process by attempting to provide the IP addresses of malicious Web sites to DNS queries.

“Probably the most common DNS attack is DNS cache poisoning which tries to pollute the cache of DNS resolvers (such as Google Public DNS or those provided by most ISPs) by injecting spoofed responses to up-stream queries,” according to a blog post from Yuhong Gu, team lead for Google Public DNS.

To counter these attacks, he said, resolvers need to be able to verify the authenticity of the response.

“DNSSEC solves the problem by authenticating DNS responses using digital and public key cryptography,” according to Yuhong.

He said that previously Google accepted and forwarded DNSSEC-formatted messages but did not do any validation. With the new security feature, Google is now identifying and rejecting invalid responses from DNSSEC-protected domains.

He said each DNS zone has a set of private/public key pairs and each DNS record has a unique digital signature generated and encrypted using the private key. The public key is further authenticated by a series of keys.

“DNSSEC effectively prevents response tampering because in practice signature keys are almost impossible to forge without access to private keys,” he said. “Also resolvers will reject responses without correct signatures.”
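To make the mechanism described above concrete, here is an added example (not code from the article, Google, or any DNSSEC implementation) that models the essentials: a zone holds a key pair and signs its records, and a validating resolver accepts an answer only if the signature verifies under the zone key it trusts. The record, names and the simplified `Response` structure are constructed for illustration; real DNSSEC uses RRSIG/DNSKEY/DS records and a chain of trust to the root, which this model omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"strings"
)

// Response is a simplified stand-in for an answer RRset plus its RRSIG:
// owner name, record data, and the zone's signature over both.
type Response struct {
	Name, RData string
	Sig         []byte
}
// Zone holds a zone's signing key. ECDSA P-256 with SHA-256 mirrors DNSSEC
// algorithm 13; the KSK/ZSK split and the DS chain to the root are omitted.
type Zone struct{ priv *ecdsa.PrivateKey }
func NewZone() (*Zone, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{priv: k}, nil
}

// PublicKey is what a validating resolver trusts (via DNSKEY/DS in real DNSSEC).
func (z *Zone) PublicKey() *ecdsa.PublicKey { return &z.priv.PublicKey }

// canonical fixes the signed bytes; DNS names are case-insensitive, so the
// owner name is lowercased first, as RFC 4034 canonical form requires.
func canonical(name, rdata string) []byte {
	return []byte(strings.ToLower(name) + "\x00" + rdata)
}

// Sign produces the answer the authoritative server hands out.
func (z *Zone) Sign(name, rdata string) (Response, error) {
	h := sha256.Sum256(canonical(name, rdata))
	sig, err := ecdsa.SignASN1(rand.Reader, z.priv, h[:])
	return Response{Name: name, RData: rdata, Sig: sig}, err
}

// Validate is the resolver-side check: only an answer whose signature verifies
// under the trusted zone key is cached; a spoofed or altered reply fails here.
func Validate(pub *ecdsa.PublicKey, r Response) bool {
	h := sha256.Sum256(canonical(r.Name, r.RData))
	return ecdsa.VerifyASN1(pub, h[:], r.Sig)
}
```

A poisoned reply fails in two ways: reusing a genuine signature over a different address breaks the hash, and signing with a key the resolver does not trust breaks verification.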

The Google Public DNS team lead said DNSSEC is still at an early stage and needs support.

Effective deployment of DNSSEC requires resolvers, especially those of Internet Service Providers and other public resolvers, to start validating DNS responses. Domain owners also need to sign their domains. Google said only one third of top-level domains have been signed and most second-level domains are unsigned.


Jim Love, Chief Content Officer, IT World Canada