Security Blog
The latest news and insights from Google on security and safety on the Internet
Google Public DNS over HTTPS (DoH) supports RFC 8484 standard
26 de junio de 2019
Posted by Marshall Vale, Product Manager and Alexander Dupuy, Software Engineer
Ever since we launched Google Public DNS in 2009, our priority has been the security of DNS resolution. In 2016, we launched a unique and innovative experimental service -- DNS over HTTPS, now known as DoH. Today we are announcing general availability for our standard DoH service. Now our users can resolve DNS using DoH at the dns.google domain with the same anycast addresses (like 8.8.8.8) as regular DNS service, with lower latency from our
edge PoPs
throughout the world.
General availability of DoH includes full RFC 8484 support at a new URL path, and continued support for the JSON API launched in 2016. The new endpoints are:
https://dns.google/dns-query (RFC 8484 –
GET and POST
)
https://dns.google/resolve (
JSON API
– GET)
We are deprecating internet-draft DoH support on the /experimental URL path and DoH service from dns.google.com, and will turn down support for them in a few months.
With Google Public DNS, we’re committed to providing fast, private, and secure DNS resolution through both DoH and DNS over TLS (
DoT
). We plan to support the JSON API until there is a comparable standard for webapp-friendly DoH.
What the new DoH service means for developers
To use our DoH service, developers should configure their applications to use the new DoH endpoints and properly handle HTTP 4xx error and 3xx redirection status codes.
Applications should use
dns.google instead of dns.google.com
. Applications can query dns.google at well-known
Google Public DNS addresses
, without needing an extra DNS lookup.
Developers using the older /experimental internet-draft DoH API need to
switch to the new /dns-query URL path
and confirm full RFC 8484 compliance. The older API accepts queries using features from early drafts of the DoH standard that are rejected by the new API.
Developers using the
JSON API
can use two new GET parameters that can be used for DNS/DoH proxies or DNSSEC-aware applications.
Redirection of /experimental and dns.google.com
The /experimental API will be turned down in 30 days and HTTP requests for it will get an HTTP redirect to an equivalent https://dns.google/dns-query URI. Developers should make sure DoH applications handle HTTP redirects by retrying at the URI specified in the Location header.
Turning down the dns.google.com domain will take place in three stages.
The first stage (in 45 days) will update the dns.google.com domain name to return 8.8.8.8 and other Google Public DNS anycast addresses, but continue to return DNS responses to queries sent to former addresses of dns.google.com. This will provide a transparent transition for most clients.
The second stage (in 90 days) will return HTTP redirects to dns.google for queries sent to former addresses of dns.google.com.
The final stage (in 12 months) will send HTTP redirects to dns.google for any queries sent to the anycast addresses using the dns.google.com domain.
We will post timelines for redirections on the
public‑dns‑announce
forum and on the
DoH migration page
. You can find further technical details in our
DoH documentation
, and if you have a question or problem with our DoH service, you can
create an issue on our tracker
or ask on our
discussion group
. As always, please provide as much information as possible to help us investigate the problem!
No hay comentarios :
Publicar un comentario
Etiquetas
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2023
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2022
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2021
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2020
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2019
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2018
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2017
dic
nov
oct
sept
jul
jun
may
abr
mar
feb
ene
2016
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2015
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2014
dic
nov
oct
sept
ago
jul
jun
abr
mar
feb
ene
2013
dic
nov
oct
ago
jun
may
abr
mar
feb
ene
2012
dic
sept
ago
jun
may
abr
mar
feb
ene
2011
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
2010
nov
oct
sept
ago
jul
may
abr
mar
2009
nov
oct
ago
jul
jun
mar
2008
dic
nov
oct
ago
jul
may
feb
2007
nov
oct
sept
jul
jun
may
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
No hay comentarios :
Publicar un comentario