Google is adding DNS-over-TLS support to its Public DNS (Domain Name System) service to give DNS traffic between users and their resolvers both security and privacy.
The DNS protocol converts user-friendly domain names into the numeric IP addresses that computers use. Public resolvers such as Google Public DNS aim to make the internet faster for users, safeguard their privacy, and let them reach sites more reliably and securely.
Google Public DNS is the largest public DNS recursive resolver. Google noted that, just as search queries can expose sensitive information, the domains looked up via DNS can also be confidential, and unprotected DNS traffic is vulnerable to spoofing by attackers.
Adding TLS (Transport Layer Security) to DNS means the DNS traffic is encrypted in transit, so no intermediary on the network path can read it. It secures the queries between devices and Google Public DNS with the same security technology that protects HTTPS web connections.
“The DNS environment has changed for the better since we launched Google Public DNS over eight years ago. Back then, as today, part of Google Public DNS’ mission has been to improve the security and accuracy of DNS for users all over the world,” mentioned Google in a blog post.
“But today, there is an increased awareness of the need to protect users’ communication with their DNS resolvers against forged responses and safeguard their privacy from network surveillance.”
Along with DNS-over-TLS support, the search engine giant has implemented the RFC 7766 recommendations to reduce the overhead of using TLS. These include support for TLS 1.3, TCP Fast Open, and pipelining of multiple queries and responses over a single connection.
“All of this is deployed with Google’s serving infrastructure which provides reliable and scalable management for DNS-over-TLS connections,” added Google.
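As an added illustration (example code, not Google's), here is a minimal Python DNS-over-TLS client showing the pieces the article mentions: TLS with certificate and hostname validation on port 853, the RFC 7766 two-byte length framing, and several queries pipelined in a single write with out-of-order responses matched back to their queries by transaction ID. The hostname dns.google and port 853 are Google Public DNS's standard DoT endpoint; the record parsing is deliberately limited to the header.

```python
import secrets, socket, ssl, struct

def build_query(name, qtype=1, txid=None):
    """Encode a DNS query in RFC 1035 wire format: 12-byte header (RD set), one IN question."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    """RFC 7766 framing for DNS over TCP (and therefore TLS): 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def split_frames(stream):
    """Split a byte stream of length-prefixed messages; returns (complete messages, leftover bytes)."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):          # partial message: wait for more bytes
            break
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs, stream[i:]

def parse_header(msg):
    """Return (txid, rcode, answer count) from a DNS message header."""
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    return txid, flags & 0x000F, ancount

def match_responses(queries, responses):
    """Pipelined responses may return in any order (RFC 7766), so pair them by transaction ID."""
    by_id = {parse_header(r)[0]: r for r in responses}
    return [by_id.get(parse_header(q)[0]) for q in queries]

def query_dot(names, host="dns.google", port=853, timeout=5.0):
    """Pipeline all queries over one verified TLS connection; returns {name: response or None}."""
    ctx = ssl.create_default_context()       # validates chain and hostname, as HTTPS does
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    queries = [build_query(n) for n in names]
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"".join(frame(q) for q in queries))  # several queries, one write
            got, buf = [], b""
            while len(got) < len(queries):
                chunk = tls.recv(4096)
                if not chunk:                # server closed early: return what we have
                    break
                msgs, buf = split_frames(buf + chunk)
                got.extend(msgs)
    return dict(zip(names, match_responses(queries, got)))
```

Calling `query_dot(["example.com", "example.net"])` sends both questions before reading any answer; a resolver that lacks pipelining support would still answer, but serially.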
The new service is available now to users of Android 9 (Pie). Advanced Linux users can use the Stubby resolver from dnsprivacy.org to reach it.