Posted by Yunhong Gu, Team Lead, Google Public DNS

We launched Google Public DNS three years ago to help make the Internet faster and more secure. Today, we are taking a major step towards this security goal: we now fully support DNSSEC (Domain Name System Security Extensions) validation on our Google Public DNS resolvers. Previously, we accepted and forwarded DNSSEC-formatted messages but did not perform validation. With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains.

One such attack is DNS cache poisoning, which tries to “pollute” the cache of DNS resolvers (such as Google Public DNS or those provided by most ISPs) by injecting spoofed responses to upstream DNS queries.

More information about Google Public DNS is available at https://developers.google.com/speed/public-dns. In particular, more details about our DNSSEC support can be found in the FAQ and Security pages. Additionally, general specifications of the DNSSEC standard can be found in RFCs 4033, 4034, 4035, and 5155.

Update March 21: We've been listening to your questions and would like to clarify that validation is not yet enabled for non-DNSSEC-aware clients. As a first step, we launched DNSSEC validation as an opt-in feature and will only perform validation if clients explicitly request it. We're going to work to minimize the impact of any DNSSEC misconfigurations that could cause connection breakages before we enable validation by default for all clients that have not explicitly opted out.

Update May 6: We've enabled DNSSEC validation by default. That means all clients are now protected and responses to all queries will be validated unless clients explicitly opt out.
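The opt-in and opt-out signalling described in the updates happens in the DNS wire format: a DNSSEC-aware client asks for validation by setting the DO bit in an EDNS0 OPT record, opts out with the CD (Checking Disabled) header flag, and a validating resolver marks a validated answer with the AD (Authentic Data) flag or returns SERVFAIL when validation fails. The following is an added example, not Google's code; the sample response headers are constructed, not captured from a live resolver.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035) and EDNS0 DO bit (RFC 4035 section 3.2.1)
FLAG_RD = 1 << 8   # Recursion Desired
FLAG_AD = 1 << 5   # Authentic Data: resolver asserts the answer passed validation
FLAG_CD = 1 << 4   # Checking Disabled: client opts out of resolver-side validation
EDNS_DO = 1 << 15  # DNSSEC OK, carried in the OPT record's TTL field
RCODE_SERVFAIL = 2

def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. example.com -> \\x07example\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True, checking_disabled=False):
    """Build a wire-format query (A record by default).
    dnssec_ok=True appends an EDNS0 OPT record with DO set, which is how a
    DNSSEC-aware client requests validation; checking_disabled=True sets CD to opt out."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)  # header: 1 question
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)       # question, class IN
    if dnssec_ok:
        # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode/version/DO, rdlen 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return msg

def classify_response(msg):
    """Interpret the 12-byte header of a response from a validating resolver."""
    _txid, flags, *_ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF == RCODE_SERVFAIL:
        return "servfail"     # validation failure (or other resolver error)
    if flags & FLAG_AD:
        return "validated"    # resolver vouches for the DNSSEC chain
    return "unvalidated"      # answer returned without validation (e.g. unsigned zone)

# Constructed sample response headers: QR|RD|RA = 0x8180, one question each.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180 | FLAG_AD, 1, 1, 0, 0)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8180 | RCODE_SERVFAIL, 1, 0, 0, 0)
SAMPLE_UNSIGNED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```

A client that never sets DO (the "non-DNSSEC-aware" case in the March update) produces the shorter query without an OPT record, which is why such clients initially received no validation.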
4 comments:
Does Google publish any live statistics about the state of its DNS network?
I'm very happy that you're going full steam into DNSSEC and other DNS security best practices deployment, and want to advocate Google DNS to other people, but alas, you aren't actually compliant with the DNSSEC specifications at the moment for the simple reason that if the DO bit is not set in queries you aren't doing any validation. This is simply wrong; you should return SERVFAIL for any validation failure, to any client.
Cheers,
Sabahattin
It is truly a great and helpful piece of information.
I am satisfied that you simply shared this useful information with us.
Please keep us informed like this. Thanks for sharing information.
breaking news
Is there anyone at Google assigned to do the work to get the google.com domain DNSSEC signed? We've got a chicken and egg problem where end users won't take the time to engage with DNSSEC if the sites they frequently access are not signed. If someone is working on it, what is the target deployment date/quarter?