New level of privacy on offer as Google supports DNS-over-TLS

News by Tom Reeve

Google's introduction of DNS-over-TLS is another step in securing the internet's inherently insecure legacy domain resolution system.


DNS-over-TLS makes browsing more private but still doesn't solve all DNS security issues. (pic: kimax/Getty Images)

Google has announced that it now supports DNS-over-TLS, allowing users of its public DNS service to encrypt DNS queries between the browser and the lookup service.

It was described by security expert Alan Woodward, professor of computer science at the University of Surrey, as an important step in securing the internet’s inherently insecure domain name system which converts alphanumeric web addresses into IP addresses to route messages to the appropriate server.

Google launched its public DNS service eight years ago, enabling users to opt out of their internet service provider's DNS by pointing their browser's DNS lookup at IP address 8.8.8.8.

Google Public DNS serves more than a trillion queries a day for an estimated 10 percent of the world’s internet users, the internet giant says.

Google product manager Marshall Vale and software engineer Puneet Sood said in a blog post that the DNS environment has improved significantly since the launch of Google Public DNS, when security and accuracy were much more of an issue in parts of the world.

Now they say there is more of a focus on the need to protect users’ privacy and security when using the internet, and the DNS-over-TLS protocol specifies how to encrypt and secure traffic between users and the DNS resolvers.

Google is not the first to offer a DNS-over-TLS service. In April Cloudflare launched its 1.1.1.1 service, described as the fastest, privacy-first consumer DNS service.

However, with the introduction of its new offering, Google will be by far the biggest provider, and therefore this is a significant step in securing DNS, a legacy system which relies on implicit trust and can be hijacked and corrupted in myriad ways such as cache poisoning, Woodward told SC Media UK.

Defending against cache poisoning would require the deployment of DNSSEC, but that isn't to downplay the importance of DNS-over-TLS. "Basically what Google has done is very worthwhile but it's a step on a journey," he said.

Google’s announcement coincided with a report from FireEye’s Mandiant Incident Response and Intelligence teams identifying a wave of DNS hijacking affecting dozens of domains across the globe. The attack, which the researchers have linked to Iran, uses a number of techniques including modifying DNS A records and DNS NS records and directing traffic through an attacker-operated DNS redirector.

Woodward said that DNS-over-TLS might not have stopped these attacks because the attacks were directed against the DNS resolvers themselves.

He said, "TLS is good for privacy but also stops some forms of injection which are useful. All in all, DNS is another part of that soft underbelly of the web that it’s nice to see providers beginning to harden."

While TLS adds overhead to resolution, Google says it has addressed this by following the recommendations in RFC 7766 to minimise TLS costs, including support for TLS 1.3, TCP Fast Open, and pipelining of multiple queries with out-of-order responses over a single connection. Combined with Google's server infrastructure, it believes it can provide reliable and scalable encrypted DNS resolution.
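To make the transport details above concrete, here is an added example (not code from the article, Google, or RFC 7766) of a minimal DNS-over-TLS client: it builds DNS queries, applies the 2-byte length framing that TCP and TLS transport require, sends several queries pipelined over one certificate-verified connection to port 853, and matches responses that arrive out of order by transaction id. The resolver hostname `dns.google` used for certificate verification is an assumption not stated in the article; `demo_out_of_order` uses constructed replies so that it runs offline.

```python
import socket
import ssl
import struct

def build_query(txid, name, qtype=1):
    """Minimal DNS query (RD=1, one question) with transaction id `txid`; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    return struct.pack("!H", len(msg)) + msg  # TCP/TLS transport: 2-byte length prefix (RFC 7766)

def parse_frames(stream):
    """Split a byte stream into complete length-prefixed messages; a trailing partial frame is left unread."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs

def match_responses(sent, stream):
    """Pipelined responses may arrive in any order; pair each with its query by transaction id."""
    matched = {}
    for msg in parse_frames(stream):
        txid = struct.unpack("!H", msg[:2])[0]
        if txid in sent and msg[2] & 0x80:  # QR bit set: a response, not an echoed query
            matched[txid] = msg
    return matched

def resolve_pipelined(names, host="8.8.8.8", server_hostname="dns.google"):
    """Send every query on one certificate-verified TLS connection to port 853, then collect replies."""
    ctx = ssl.create_default_context()  # validates the resolver's certificate against system roots
    sent = {i + 1: build_query(i + 1, n) for i, n in enumerate(names)}
    with socket.create_connection((host, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
        tls.sendall(b"".join(frame(q) for q in sent.values()))
        buf = b""
        while len(match_responses(sent, buf)) < len(sent) and (chunk := tls.recv(4096)):
            buf += chunk
    return match_responses(sent, buf)

def demo_out_of_order():
    sent = {1: build_query(1, "example.com"), 2: build_query(2, "example.net")}
    reply = lambda q: q[:2] + bytes([q[2] | 0x80]) + q[3:]  # constructed reply: query with QR bit set
    stream = frame(reply(sent[2])) + frame(reply(sent[1])) + b"\x00\x10"  # constructed: reversed + partial frame
    return match_responses(sent, stream)
```

Calling `resolve_pipelined(["example.com", "example.net"])` performs a live lookup and returns the raw response messages keyed by transaction id; a certificate that does not match the expected hostname makes the TLS handshake fail rather than silently accepting an impostor resolver.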

Vale and Sood provide links to a configuration guide, and Google will also monitor its Issue Tracker and discussion groups to help resolve problems.
