by Martin Brinkmann on January 14, 2019 in Google – 13 comments
Google revealed last week that it added support for the privacy feature DNS-over-TLS to the company’s public DNS service Google Public DNS.
Google launched Google Public DNS in 2009 at a time when many Internet companies started to hop on the DNS bandwagon. Some companies exited the DNS business again, Symantec retired Norton ConnectSafe (DNS) in 2018, while others such as Cloudflare, Verisign, Quad9 DNS or AdGuard DNS launched in recent years.
Google claims that its service is the “world’s largest public Domain Name Server (DNS) recursive resolver”; it turns domain names into IP addresses required for communication on the Internet.
DNS-over-TLS and DNS-over-HTTPS are two approaches to making DNS requests more private by using encryption. One of the main differences between the two implementations is the port that is used. DNS-over-TLS uses port 853, DNS-over-HTTPS the standard HTTPS port 443.
Mozilla started to experiment with DNS-over-HTTPS in recent development versions of Firefox already, and it is likely that other browser makers and DNS provider will start to support these privacy features eventually as well.
Google implemented the DNS-over-TLS specification outlined in RFC7766.and suggestions to improve the implementation; Google’s implementation uses TLS 1.3 and supports TCP fast open, and pipelining.
Most experts would probably agree that encrypting DNS to improve privacy and security, e.g. from tampering, is beneficial and desirable.
The main issue with Google’s implementation at this point in time is that it is not widely available. It is supported on Android 9 devices only at the time officially, and as a stubby resolver for Linux.
Google’s implementation guideline highlights for Windows and Mac OS X that the operating systems don’t support DNS-over-TLS by default. The only option at this point to add support would be to set up a proxy resolver according to Google.
Windows users may use something like Simple DNSCrypt to encrypt DNS traffic
Closing Words
Users who use Google DNS already benefit from google’s implementation of DNS-over-TLS provided that it is supported on their devices or set up using proxies. Users who don’t trust Google or don’t want to send all their DNS traffic to Google won’t start using Google Public DNS because encryption does not change that.
Now You: Which DNS provider do you use, and why?