Practicing safe DNS with Google

Google is now supporting Domain Name System Security Extensions in its Internet Public DNS service.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The Internet's a dangerous place for an innocent Web browser to be searching alone for the right Web page, so the Domain Name System Security Extensions (DNSSEC) were created to make that lookup safer. That's the good news. The bad news is that DNSSEC adoption has been lagging. Now, Google has announced that it's supporting DNSSEC in its Google Public DNS service.

DNSSEC is slowly making the Internet safer. (Credit: Community DNS)

The DNS is the master address list for the Internet. Thanks to it, you can simply type in a human-readable URL, such as my own Web site's practical-tech.com, instead of writing out its IPv4 address "" That's all well and good, but DNS doesn't have any built-in way to make sure that the IP address information it's feeding your browser is the real address.

That security hole has led to a kind of attack known as DNS cache poisoning. In a poisoning attack, you can click your way to what appears to be the site you want to go to, but under the surface a forged DNS answer directs your browser to a malware-loaded site.

DNSSEC addresses this, wrote Yunhong Gu, Team Leader for Google Public DNS, "by authenticating DNS responses using digital signatures and public key cryptography. Each DNS zone maintains a set of private/public key pairs, and for each DNS record, a unique digital signature is generated and encrypted using the private key. The corresponding public key is then authenticated via a chain of trust by keys of upper-level zones. DNSSEC effectively prevents response tampering because in practice, signatures are almost impossible to forge without access to private keys. Also, the resolvers will reject responses without correct signatures."

So, you might think if you switched to Google's Public DNS servers, you'd automatically get the benefits of DNSSEC and you'd have one less Internet worry. Alas, you'd be wrong.

You see, as Gu explained, "Effective deployment of DNSSEC requires action from both DNS resolvers and authoritative name servers. Resolvers, especially those of ISPs and other public resolvers, need to start validating DNS responses. Meanwhile, domain owners have to sign their domains. Today, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. We encourage all involved parties to push DNSSEC deployment and to further protect Internet users from DNS-based network intrusions."
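To make concrete what "validating DNS responses" looks like on the wire, here is an added Python example (not from the article, and not Google's code) that builds a DNSSEC-enabled query with the EDNS0 DO bit and reads the AD flag a validating resolver sets in its reply. It uses only the standard library; the three sample replies are constructed headers, not packets captured from Google Public DNS.

```python
import struct

DO_BIT = 0x8000      # EDNS0 flag "DNSSEC OK": client wants RRSIG records back
AD_FLAG = 0x0020     # header flag: resolver authenticated the data
CD_FLAG = 0x0010     # header flag: client asked for checking disabled
RCODE_SERVFAIL = 2   # what a validating resolver returns when validation fails

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """A standard recursive query for `name` (default type A) with an EDNS0
    OPT record that sets the DO bit, i.e. a 'DNSSEC-enabled' query."""
    # flags 0x0100 = RD; one question, one additional record (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, UDP payload size 4096, ext-rcode 0,
    # EDNS version 0, flags with DO set, zero-length RDATA
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO_BIT, 0)
    return header + question + opt

def parse_flags(reply: bytes) -> dict:
    """Pull the DNSSEC-relevant header bits out of a reply."""
    txid, flags = struct.unpack("!HH", reply[:4])
    return {"id": txid, "ad": bool(flags & AD_FLAG),
            "cd": bool(flags & CD_FLAG), "rcode": flags & 0x000F}

def classify(reply: bytes) -> str:
    """Interpret what a validating resolver is telling the client."""
    f = parse_flags(reply)
    if f["rcode"] == RCODE_SERVFAIL and not f["cd"]:
        return "bogus-or-error"     # signature check failed, or an unrelated failure
    if f["ad"]:
        return "validated"          # signed zone, chain of trust checked
    return "unvalidated"            # unsigned zone or a non-validating resolver

# Constructed sample replies (12-byte headers only; the record sections are
# not needed for the flag check).
VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)  # QR RD RA AD
UNSIGNED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)   # QR RD RA
BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)      # SERVFAIL

if __name__ == "__main__":
    q = build_query("practical-tech.com")
    print(len(q), "byte query; DO bit set:", q[-4:-2] == b"\x80\x00")
    for label, r in (("validated", VALIDATED), ("unsigned", UNSIGNED), ("bogus", BOGUS)):
        print(label, "->", classify(r))
```

Sending `build_query(...)` over UDP to a validating resolver and running `classify` on the reply is the client-side half of the picture; the AD flag only means anything if you trust the path to that resolver, which is why the article's point about resolvers and signed zones both being required stands.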

In addition, because DNSSEC is still uncommon, Web browsers tend to do a lousy job of supporting it. Chrome has had built-in DNSSEC support since version 14, but for other Web browsers you have to add in DNSSEC support with extensions. At this time there are DNSSEC extensions for Firefox and Internet Explorer. There's also a Chrome DNSSEC extension, which helps make it clearer when you're visiting a site that's been authenticated by DNSSEC. As far as I've been able to determine there are no such extensions or native support for DNSSEC in Opera or Safari.

So, while Gu states that "DNSSEC is a critical step towards securing the Internet. By validating data origin and data integrity, DNSSEC complements other Internet security mechanisms, such as SSL," even with Google's support it still isn't widely deployed. Indeed, "only 7% of queries from the client side are DNSSEC-enabled (about 3% requesting validation and 4% requesting DNSSEC data but no validation) and about 1% of DNS responses from the name server side are signed. Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment."

Let's hope it does. Anything we can do to make the Internet safer is a win in my book.
