Practicing safe DNS with Google

Summary: Google is now supporting Domain Name System Security Extensions in its Internet Public DNS service.


The Internet's a dangerous place for an innocent Web browser to be searching alone for the right Web page, so the Domain Name System Security Extensions (DNSSEC) was created to make searching safer. That's the good news. The bad news is that DNSSEC adoption has been lagging. Now, Google has announced that it's supporting DNSSEC in its Google Public DNS service.

DNSSEC is slowly making the Internet safer. (Credit: Community DNS)

The DNS is the master address list for the Internet. Thanks to it, you can simply type in a human-readable domain name, such as my own Web site's, instead of writing out its IPv4 address. That's all well and good, but DNS has no built-in way to prove that the IP address it hands your browser is the real one.

That missing check is what makes the attack known as DNS cache poisoning possible: an attacker gets a forged answer accepted into a resolver's cache, so you can click your way to what appears to be the site you want to go to, but under the surface your browser is sent by a bad DNS answer to a malware-loaded site.

DNSSEC addresses this, wrote Yunhong Gu, Team Leader for Google Public DNS, "by authenticating DNS responses using digital signatures and public key cryptography. Each DNS zone maintains a set of private/public key pairs, and for each DNS record, a unique digital signature is generated and encrypted using the private key. The corresponding public key is then authenticated via a chain of trust by keys of upper-level zones. DNSSEC effectively prevents response tampering because in practice, signatures are almost impossible to forge without access to private keys. Also, the resolvers will reject responses without correct signatures."
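The "chain of trust" in Gu's description is built from DS records: the parent zone publishes a hash of the child's key-signing DNSKEY, and that DS record is in turn covered by the parent's own signature, all the way up to the root key a validating resolver is configured to trust. The following is an added example written for this page, not code from the article or from Google Public DNS. It computes the RFC 4034 key tag and DS digest for a DNSKEY and checks a key received from the child zone against the DS the parent published, which is the step that catches a substituted key. The key bytes and the example.com owner name are constructed placeholders; verifying the RRSIG over the records themselves is not shown.

```python
import hashlib
import hmac
import struct

# Digest types a DS record may use (RFC 4034 SHA-1, RFC 4509 SHA-256, RFC 6605 SHA-384).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical owner name: lowercase labels, each length-prefixed, ending in the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (257 = zone key with the SEP bit, i.e. a KSK), protocol (always 3),
    algorithm number, then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag over the whole DNSKEY RDATA (RFC 4034 Appendix B). It is a 16-bit checksum
    used to pick the right key out of several, not a security check by itself."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = H(canonical owner name in wire form || DNSKEY RDATA)."""
    return DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner, rdata, digest_type=2):
    """The DS RDATA the parent zone publishes for a child key:
    (key tag, algorithm, digest type, digest)."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type)


def ds_matches_key(ds, owner, rdata):
    """The chain-of-trust link: does the DNSKEY received from the child hash to the DS the
    parent signed? Key tag and algorithm must agree and the digest must match exactly."""
    tag, alg, digest_type, digest = ds
    if digest_type not in DS_DIGESTS or tag != key_tag(rdata) or alg != rdata[3]:
        return False
    return hmac.compare_digest(digest, ds_digest(owner, rdata, digest_type))


# Constructed data, not real keys: the child's genuine KSK and a key an attacker would like
# to substitute for it. Algorithm 8 = RSA/SHA-256; the "public key" bytes are placeholders.
CHILD_KSK = dnskey_rdata(257, 8, bytes(range(1, 65)))
ATTACKER_KSK = dnskey_rdata(257, 8, bytes(range(65, 129)))
# What the parent (here, the com zone) would publish, signed with its own key.
PARENT_DS = make_ds("example.com.", CHILD_KSK)


if __name__ == "__main__":
    print("genuine key matches DS:", ds_matches_key(PARENT_DS, "example.com.", CHILD_KSK))
    print("substituted key matches DS:", ds_matches_key(PARENT_DS, "example.com.", ATTACKER_KSK))
    print("key tag of a tiny test key:", key_tag(dnskey_rdata(257, 8, b"\x01\x02")))
```

The owner name is lowercased before hashing because DS digests are computed over the canonical form; a resolver that compared case-sensitively would reject valid keys for zones served with mixed-case names. The attacker's key fails at the digest comparison even though it carries the same flags and algorithm, which is exactly why forging a zone's answers requires the zone's private key rather than just publishing a new DNSKEY.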

So, you might think if you switched to Google's Public DNS servers, you'd automatically get the benefits of DNSSEC and you'd have one less Internet worry. Alas, you'd be wrong.

You see, as Gu explained, "Effective deployment of DNSSEC requires action from both DNS resolvers and authoritative name servers. Resolvers, especially those of ISPs and other public resolvers, need to start validating DNS responses. Meanwhile, domain owners have to sign their domains. Today, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. We encourage all involved parties to push DNSSEC deployment and to further protect Internet users from DNS-based network intrusions."

In addition, because DNSSEC is still uncommon, Web browsers tend to do a lousy job of supporting it. Chrome has had built-in DNSSEC support since version 14, but for other Web browsers you have to add in DNSSEC support with extensions. At this time there are DNSSEC extensions for Firefox and Internet Explorer. There's also a Chrome DNSSEC extension, which helps make it clearer when you're visiting a site that's been authenticated by DNSSEC. As far as I've been able to determine there are no such extensions or native support for DNSSEC in Opera or Safari.

So, while Gu states that, "DNSSEC is a critical step towards securing the Internet. By validating data origin and data integrity, DNSSEC complements other Internet security mechanisms, such as SSL," even with Google's backing it's still not widely deployed. Indeed, by Google's own numbers, "only 7% of queries from the client side are DNSSEC-enabled (about 3% requesting validation and 4% requesting DNSSEC data but no validation) and about 1% of DNS responses from the name server side are signed. Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment."
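Those percentages correspond to two bits a client sets on the wire: the EDNS0 DO ("DNSSEC OK") bit asks the resolver to return RRSIG and DNSKEY records, and the CD ("checking disabled") header bit tells it not to validate, so "requesting validation" is DO set with CD clear and "DNSSEC data but no validation" is DO set with CD set. A resolver that did validate sets the AD ("authenticated data") bit in its reply. The following is an added example written for this page, not code from the article or from Google. It builds such queries with the Python standard library, classifies them the way the quoted statistics do, and inspects a constructed response for the AD flag and the presence of signatures. All message bytes are constructed locally: example.com, the address 192.0.2.1 and the signature bytes are placeholders, not captured traffic.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 1 << 15, 1 << 8, 1 << 7, 1 << 5, 1 << 4
EDNS_DO = 1 << 15  # "DNSSEC OK": high bit of the OPT pseudo-record's TTL field (RFC 3225)


def name_to_wire(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, dnssec_data=True, validate=True, udp_size=4096):
    """A/IN query. DO (in the OPT record) asks for RRSIGs/DNSKEYs to be returned; CD (in the
    header) tells the resolver *not* to validate, so validate=True means CD stays clear."""
    flags = FLAG_RD | (0 if validate else FLAG_CD)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_data else 0)
    msg += name_to_wire(name) + struct.pack("!HH", TYPE_A, 1)
    if dnssec_data:  # OPT RR: root name, type 41, class = UDP payload size, TTL carries DO
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return msg


def _read_name(msg, off):
    """Read a possibly compressed name; return (text name, offset just past it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        if not jumped:
            end = off + 1 + length
        if length == 0:
            return ".".join(labels) + ".", end
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def _parse(msg):
    """Header fields plus every RR after the question section, for any DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE, QCLASS
    rrs = []
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "flags": flags, "rcode": flags & 0xF}, rrs


def query_category(query):
    """Classify a query the way the statistics quoted above do."""
    hdr, rrs = _parse(query)
    do = any(t == TYPE_OPT and ttl & EDNS_DO for _, t, _, ttl, _ in rrs)
    if not do:
        return "no DNSSEC"
    return "DNSSEC data, no validation" if hdr["flags"] & FLAG_CD else "validation requested"


def parse_response(msg):
    hdr, rrs = _parse(msg)
    return {
        "rcode": hdr["rcode"],
        "ad": bool(hdr["flags"] & FLAG_AD),  # the resolver claims it validated the answer
        "cd": bool(hdr["flags"] & FLAG_CD),
        "signed": any(t == TYPE_RRSIG for _, t, _, _, _ in rrs),  # signatures came back
    }


def resolver_validated(resp):
    """AD is all a non-validating stub gets. It is a cleartext flag, so it only means
    something if the path to the resolver is trusted; otherwise validate locally."""
    return resp["rcode"] == 0 and resp["ad"] and not resp["cd"]


def sample_response(ad=True, include_rrsig=True):
    """Constructed reply (not captured traffic): example.com A 192.0.2.1 plus an RRSIG whose
    signature bytes are placeholders; answer owner names are pointers to the question name."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    answers = [struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])]
    if include_rrsig:  # type covered, alg 8, labels, orig TTL, expiry, inception, key tag
        rrsig = struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 0, 0, 12345)
        rrsig += name_to_wire("example.com") + b"\x00" * 16
        answers.append(struct.pack("!HHHIH", 0xC00C, TYPE_RRSIG, 1, 300, len(rrsig)) + rrsig)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 1)
    msg += name_to_wire("example.com") + struct.pack("!HH", TYPE_A, 1) + b"".join(answers)
    return msg + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)


if __name__ == "__main__":
    for q in (build_query(1, "example.com"), build_query(2, "example.com", validate=False),
              build_query(3, "example.com", dnssec_data=False)):
        print(query_category(q))
    print(parse_response(sample_response()))
```

The `resolver_validated` check is the practical caveat behind the article's point that switching to a validating resolver does not by itself protect you: the AD bit travels in the clear over the same UDP path a cache-poisoning attacker is already forging, so a browser or stub that merely trusts AD from a public resolver has moved the problem rather than solved it. Either the last hop to the resolver is authenticated, or the client validates the signatures itself.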

Let's hope it does. Anything we can do to make the Internet safer is a win in my book.

  • NO thanks!

    So long as an ad company who sells search calls (especially Google, who is already behind most of the poisoned search result incidents, and cares not if the highest bidder for keywords is a malware website) is behind DNS redirects, the word "safety" can't be attached to it.

    The only safe DNS is your own, and I'd rather a local web browser throw up a 404 error page than redirect me to some ad distribution company's idea of what site I SHOULD be going to.
    • wrong

      Don't be an idiot. The article is clearly more about the technology than the fact that Google now supports it, in spite of the headline. Nonetheless, it should have been perfectly obvious even to the hysterically paranoid, like yourself, from the article that DNSSEC is what *prevents* Google from supplying poisoned DNS resolutions.

      They are implementing a new standard that would stop them from doing that. Not that this would bother them, as of course they don't do that in the first place. Supplying poisoned results would achieve them nothing, certainly nothing to do with the 'highest bidder'. Redirection to one's advertisers has zero to do with DNS. Ignorance isn't an excuse for loud mindless chattering.

      And no, your local DNS certainly isn't safer than Google's unless you have also implemented this new system. And if you have, then they are identically safe, by definition.
    • Not why Google supports it

      Google supports it because it is a common victim of DNS redirects. I've seen an ISP redirect Google's search query to their own search supported by Yahoo. Nothing like going to Google, typing in the search and hey, search results from another search engine because the ISP has some special deal with the other search engine. Thus, I use OpenDNS instead of my ISP's DNS.

      Then there's the malware which do their own redirection to get more malware installed or other reasons.
  • Global ID Requirements for the internet?

    FU buddy. I can go my entire day, in real life, traveling, making retail purchases, interacting (within harm's range) with real people and never have to flash my ID. As a matter of fact, I don't want every single person I interact with for my entire life to have that much information about me; it's called "Privacy".

    Yet the moment I go onto the internet, suddenly everyone wants to know my real name, age, sex, location, where I go, what I look at, what times I do these things and how often. They want to know what I think about and why and how to "CONTROL" it.

    And that is what this is really about: control. What's worse, it's not just the government that's trying so hard to manipulate us into letting them control what we think, it's big corporations, like Google, doing it.
  • only half the story

    Google have been experimenting with DNSSEC support in their resolvers for some time and it has never operated correctly. Perhaps because Google are using their own home-brew resolver, not something tested and true.

    Further, Google's servers do not by default validate DNSSEC data. You have to request validation, which most of the client OSes won't do, ever. So all this is just a marketing gimmick.
  • Lol

    Google makes the web safer and all the stupid conspiracy theorists use it as proof that Google is evil.
    Give us a call when you grow up, k?