DNS Privacy Project

Skip to end of metadata
Go to start of metadata

On April 1st 2016 Google announced a Public DNS-over-HTTPS service:


The API is only a beta and whilst not based on a standard, any public server that offers encrypted DNS to users is a good thing. But note that there is an active I-D in the general area of DNS-over-HTTP:


Our understanding is that this service was made available as a convenient web interface to test DNS queries, and potentially for use in some lightweight applications. It was simply intended to be a complimentary offering to the work of the DPRIVE working group with regard to DNS Privacy.  

We took a look at it at the recent IETF Hackathon and starting coding a prototype implementation in getdns just for fun. Here are some things we note:

  • The query API is quite limited: No Msg ID and only one EDNS0 option supported (ECS). For example, the EDNS chain query draft is now approved and future support for this would be nice. 

  • For DNSSEC the only option is to trust Google to do the validation, this API does not support validating stubs obtaining DNSSEC records.

  • Also interesting to note that when DNSSEC validation fails, the error comment includes a link to the DNSviz tool to try to figure out the failure!
  • They don't use the IP address directly for the queries, instead they use dns.google.com which resolved to and 2a00:1450:4009:803::200e from the Buenos Aires Hackathon. It is likely this is served by the Google web service cloud which ultimately uses as a back end for the resolution.
  • When a query is made via the web interface provided at https://dns.google.com it seems that QUIC over IPv6 is always used
  • We also notice that the server will answer do DNS-over-HTTP on port 80. 
  • No labels