Introduction to Google Public DNS

Why Google Public DNS?

As web pages become more complex and include more resources from multiple origin domains, clients need to perform multiple DNS lookups to render a single page. The average Internet user performs hundreds of DNS lookups each day, slowing down their browsing experience. As the web continues to grow, greater load is placed on existing DNS infrastructure.

Since Google's search engine already crawls the web on a daily basis and in the process resolves and caches DNS information, we wanted to leverage our technology to experiment with new ways of addressing some of the existing DNS challenges around performance and security. We are offering the service to the public in the hope of achieving the following aims:

  • Provide end users with an alternative to their current DNS service. Google Public DNS takes some new approaches that we believe offer more valid results, increased security, and, in most cases, better performance.
  • Help reduce the load on ISPs' DNS servers. By taking advantage of our global datacenter and caching infrastructure, we can directly serve large numbers of user requests without having to query other DNS resolvers.
  • Help make the web faster and more secure. We are launching this service to test some new ways to approach DNS-related challenges. We hope to share what we learn with developers of DNS resolvers and the broader web community and get their feedback.

Google Public DNS: what it is and isn't

Google Public DNS is a recursive DNS resolver, similar to other publicly available services. We think it provides many benefits, including improved security, fast performance, and more valid results. See below for an overview of the technical enhancements we've implemented.

Google Public DNS is not, however, any of the following:

  • A top-level domain (TLD) name service.
  • A DNS hosting or failover service. Google Public DNS is not a third-party DNS application service provider that hosts authoritative records for other domains. If you are looking for a high-volume, programmable, authoritative name server using Google's infrastructure, try Google's Cloud DNS.
  • An authoritative name service. Google Public DNS servers are not authoritative for any domain. Google maintains another set of name servers that are authoritative for domains it has registered, hosted at ns[1-4].google.com.
  • A malware-blocking service. Google Public DNS rarely performs blocking or filtering, though it may if we believe this is necessary to protect our users from security threats. In such extraordinary cases, it simply fails to answer; it does not create modified results.

Overview of benefits and enhancements

Google Public DNS implements a number of security, performance, and compliance improvements. We provide a brief overview of those enhancements below. If you're a developer or deployer of DNS software, we hope you'll also read the technical information pages on this site for more information on these features. Ultimately, our hope is to share our insights and inspire the community to adopt some of these features in all DNS resolvers. The changes are grouped into 3 categories:

Performance

Many DNS service providers are not sufficiently provisioned to be able to support high-volume input/output and caching, and adequately balance load among their servers. Google Public DNS uses large, Google-scale caches, and load-balances user traffic to ensure shared caching, letting us answer a large fraction of queries from cache.

For more information, see the page on performance benefits.

Security

DNS is vulnerable to various kinds of spoofing attacks that can "poison" a name server's cache and route its users to malicious sites. The prevalence of DNS exploits means that providers have to frequently apply server updates and patches. In addition, open DNS resolvers are vulnerable to being used to launch denial-of-service (DoS) attacks on other systems. To defend against such attacks, Google has implemented several recommended solutions to help guarantee the authenticity of the responses it receives from other name servers, and to ensure our servers are not used for launching DoS attacks. Besides full support of the DNSSEC protocol, these include adding entropy to requests, rate-limiting client traffic, and more.

In addition, Google Public DNS may not resolve certain domains if we believe this is necessary to protect Google’s users from security threats.

For more information, see the page on security benefits.

Correctness

Google Public DNS does its best to return the right answer to every query every time, in accordance with the DNS standards. Sometimes, in the case of a query for a mistyped or non-existent domain name, the right answer means no answer, or an error message stating the domain name could not be resolved. It also may not resolve certain domains if we believe this is necessary to protect our users from security threats. Google Public DNS never redirects users, unlike some open resolvers and ISPs.