Google Public DNS – Performance and Security

January 5th, 2011 Leave a comment 3 comments
Like the article?
Google Public DNS

DNS is necessary for the Internet to function properly. Unfortunately, poor network performance from DNS servers can slow down the browsing experience. While performance problems are serious, DNS is also vulnerable to even more serious security threats such as cache poisoning. Typically, the DNS servers used for browsing the Internet are either the ones run by your Internet provider or servers that you run which forward requests to the root servers (i.e. a caching-only nameserver). Fortunately for your performance and your security, there is another option. Google runs a public DNS system where you can freely use Google’s DNS servers. You can learn more at the Google Public DNS web pages. While these pages will show you HOW to use the servers, here’s more about WHY you would use it.

First of all, it is important to understand what Google’s public DNS service isn’t. It isn’t a DNS hosting system like DynDNS. These servers are not authoritative for any zones. They are simply forwarding servers. They also do not protect you from malware. While the servers are more secure, which we’ll discuss in a moment, they do not filter any results.

From a performance perspective, using Google’s DNS servers will likely increase your browsing performance. A typical web pages makes several DNS queries to fetch all the associated resources. This can put considerable load on DNS servers and most providers are under provisioned. Google’s DNS service has plenty of capacity to prevent high loads on the DNS servers. Furthermore, by having DNS servers distributed geographically in various data centers, Google can provide servers that are closer to the users. This reduces network latency and improves performance.

Google has also developed a novel approach to improving the performance of their DNS servers. Their servers are grouped in clusters that load-balance and share a name resolution cache. But beyond this, Google has implemented a unique prefetching algorithm that is intended to maximize the number of name queries that get resolved from the nameserver’s cache. This greatly improves performance.

DNS cache poisoning occurs where an attacker requests a non-existent record from a nameserver and then floods it with spoofed replies that point to an attacker’s IP. Google has a number of methods in place to prevent cache poisoning. By over provisioning resources, Google protects their nameservers from distributed denial of service attacks. They also ensure that the servers have adequate resources to validate DNS responses. This validation is performed to ensure that replies are legitimate and protect against simple cache poisoning attacks.

In order to protect against more sophisticated cache poisoning attacks, Google has implemented a number of systems to introduce entropy to their DNS system. This includes using random network ports, random case in requests and randomizing the choice of nameservers. These methods defend against more sophisticated attacks.

If you need to use DNS servers for simple name resolution, you might consider using Google’s public DNS service rather than the DNS servers provided by your Internet service provider. Using Google’s servers can improve the performance of name resolution which will enhance your browsing experience while at the same time providing better protection against DNS related attacks such as cache poisoning.

Help us spread the word!
  • Twitter
  • Facebook
  • LinkedIn
  • Pinterest
  • Delicious
  • DZone
  • Reddit
  • Sphinn
  • StumbleUpon
  • Google Plus
  • RSS
  • Email
  • Print
Don't miss another post! Receive updates via email!

3 comments

  1. maxim says:

    Yeah, sure. Now google wil know what i’m visiting even if I not use google search site. Great.

  2. Tristan says:

    And the biggest reason not to use google DNS is that all CDN’s will fail. Unless you are in California. Because you will start using the CDN nodes that are nowhere near you, increased latency and decreased speed will hamper streaming media, as well as download services like iTunes, or Zune.

  3. Adam says:

    As it has been recently discussed on /. using any other name servers than your own ISP may not be such a good idea.

    This is due to a fact that CDNs depend on a name server location to provide a response with an IP that is closest to you.

    If you are on the east coast and use west coast name server you may be directed to CDN servers on the east coast this shooting yourself in the foot.

    Also, do not you think google has too much information about you as it stands ? I do.

Comment