DNS Privacy Project

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

On April 1st 2016 Google announced a Public DNS-over-HTTPS service:


The API is only a beta and whilst not based on a standard, any public server that offers encrypted DNS to users is a good thing. But note that there is an active I-D in the general area of DNS-over-HTTP:


Our understanding is that this service was made available as a convenient web interface to test DNS queries, and potentially for use in some lightweight applications. It was simply intended to be a complimentary offering to the work of the DPRIVE working group with regard to DNS Privacy.  

We took a look at it at the recent IETF Hackathon and starting coding a prototype implementation in getdns just for fun. Here are some things we note:

  • The query API is quite limited: No Msg ID and only one EDNS0 option supported (ECS). For example, the EDNS chain query draft is now approved and future support for this would be nice. 

  • For DNSSEC the only option is to trust Google to do the validation, this API does not support validating stubs obtaining DNSSEC records.

  • Also interesting to note that when DNSSEC validation fails, the error comment includes a link to the DNSviz tool to try to figure out the failure!
  • They don't use for the queries, instead they use dns.google.com on and 2a00:1450:4009:803::200e
  • When a query is made via the web interface provided at https://dns.google.com it seems that QUIC over IPv6 is always used
  • We also notice that the server will answer do DNS-over-HTTP on port 80. 
  • No labels