Google Public DNS for ISPs

Anyone, including Internet Service Providers (ISPs) and large organizations, is free to use Google Public DNS, but we apply rate limits to each client to protect our service. High query volumes from a single IPv4 address (or IPv6 /64 network prefix) may be throttled if they exceed these limits.

Before you start using Google Public DNS

If you plan for clients to send queries to Google Public DNS directly, and are not using carrier-grade NAT (CG-NAT) to map clients to IPv4 addresses, you can skip these steps and follow the instructions in the "Using Google Public DNS directly" section.

  1. Find your peak DNS queries per second (QPS) rate.

    You can measure this with NetFlow or sFlow data from your network devices, or with the statistics or query logs of your resolvers. If you cannot do any of these, just estimate the DNS query rate.

    The peak rates should not count instantaneous bursts, but average traffic over one or two seconds at the busiest time of day. Google Public DNS allows short traffic bursts that briefly exceed the limit.

  2. Find the number of routable IP addresses that send DNS queries.

    If you use shared resolvers to aggregate (and perhaps cache) DNS queries, just count how many external IP addresses the resolvers use.

    If devices will send DNS queries directly to Google Public DNS, count the number of external IP addresses the devices would use, accounting for any NAT or carrier-grade NAT address mapping.

  3. Compare your per-IP address rate(s) to the default rate limits.

    Ideally you should have specific rates for each IP address, but it is okay to simply divide the overall QPS rate by the number of IP addresses.

    • Your per-IP address QPS rate is less than 1000 QPS

      You can configure Google Public DNS however you like; you do not need to request a rate limit increase.

    • Your per-IP address QPS rate exceeds 1000 QPS

      If devices on your networks can query Google Public DNS directly, and doing so reduces the per-IP address QPS rate below the limit, you can choose to use that approach without a rate limit increase.

      Otherwise, you need to request a rate limit increase.

  4. Configure use of Google Public DNS

    Use one of the methods in the following section.

Configure Google Public DNS

Using Google Public DNS directly

ISPs can configure network provisioning infrastructure such as DHCP to return the Google Public DNS addresses (8.8.8.8, 8.8.4.4, and the IPv6 addresses) so that clients on their networks use Google Public DNS directly. This is the simplest and most reliable approach. Because each client sends its DNS queries straight to Google Public DNS, each client is rate limited individually, and non-abusive clients are very unlikely to be affected by throttling.

Using Google Public DNS from local resolvers

It is also possible for ISPs to use local resolvers for client queries, and to have the local resolvers forward the queries to Google Public DNS. This may be necessary for regulatory reasons or operational ISP requirements.

Home routers or other network devices

Most local resolvers run on ISP-managed routers, firewalls, or DSL/cable modems. Where these serve a single customer and have their own IP address, they work just like clients using Google Public DNS directly.

Shared caching resolvers

To reduce latency for DNS queries, especially for ISPs located far from Google resolver locations, ISPs can use caching DNS resolvers that serve many clients. This reduces the volume of DNS queries sent to Google Public DNS, but concentrating them on a few IP addresses makes those addresses more likely to be throttled. ISPs with shared resolvers forwarding queries to Google Public DNS should monitor DNS query rates and request a rate limit increase if rates exceed their limit, or if more than 1% of queries do not get a response.
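The following is an added example, not Google's code or tooling: it applies the planning steps above (peak QPS averaged over one or two seconds, divided across the external IP addresses that send queries, compared to the default 1000 QPS limit) together with the shared-resolver check that more than 1% unanswered queries also warrants a rate limit increase. The per-second query counts and IP counts are constructed sample values; a real deployment would take them from NetFlow/sFlow data or resolver statistics.

```python
"""Capacity check before forwarding ISP DNS traffic to Google Public DNS.
Added example with constructed inputs; not Google's own code."""
from dataclasses import dataclass

DEFAULT_LIMIT_QPS = 1000        # default limit per IPv4 address / IPv6 /64 (from the page)
MAX_UNANSWERED_FRACTION = 0.01  # page: request an increase if more than 1% get no response


def peak_qps(per_second_counts, window=2):
    """Peak sustained rate: the highest average over a sliding window of one or
    two seconds. Per-second samples already smooth out sub-second bursts, which
    the page says should not count towards the peak."""
    if window not in (1, 2):
        raise ValueError("average over one or two seconds, as the page recommends")
    if len(per_second_counts) < window:
        raise ValueError("not enough samples for the chosen window")
    return max(sum(per_second_counts[i:i + window]) / window
               for i in range(len(per_second_counts) - window + 1))


@dataclass
class Assessment:
    per_ip_qps: float            # peak QPS divided across the external IPs
    unanswered_fraction: float   # share of queries with no response (0 if unknown)
    needs_increase: bool
    reason: str


def assess(per_second_counts, external_ips, unanswered=0, total=0, window=2):
    """Steps 1-3 of the page: peak QPS / number of external IPs against the
    default limit, plus the unanswered-query signal for shared resolvers."""
    if external_ips < 1:
        raise ValueError("at least one external IP address must send queries")
    per_ip = peak_qps(per_second_counts, window) / external_ips
    frac = unanswered / total if total else 0.0
    if per_ip > DEFAULT_LIMIT_QPS:
        return Assessment(per_ip, frac, True,
                          f"per-IP peak {per_ip:.0f} QPS exceeds {DEFAULT_LIMIT_QPS} QPS")
    if frac > MAX_UNANSWERED_FRACTION:
        return Assessment(per_ip, frac, True,
                          f"{frac:.1%} of queries unanswered (more than 1%)")
    return Assessment(per_ip, frac, False, "within default limits; no request needed")


if __name__ == "__main__":
    # Constructed sample: aggregate resolver statistics for the six busiest
    # seconds of the day, with queries leaving from two external IP addresses.
    busiest = [1900, 2100, 2050, 1980, 2200, 2020]
    print(assess(busiest, external_ips=2))   # per-IP peak 1055 QPS: request an increase
    print(assess(busiest, external_ips=3))   # per-IP peak ~703 QPS: no request needed
```

Spreading the same traffic over a third external address (or letting devices query directly, as the page suggests) is what brings the per-IP rate under the limit in the second call.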

Other actions ISPs can take

Request a rate limit increase

ISPs using shared caching resolvers or IPv4 addresses with CG-NAT may need higher rate limits to ensure consistent service. Before requesting an increase, ISPs with caching resolvers should check their query logs and those using CG-NAT should check their network traffic logs to confirm more than 1000 QPS sustained for IP addresses in the request.

You can file a rate limit increase request through the Google Public DNS Issue Tracker.

Google Public DNS can be configured to respond with REFUSED errors when clients with increased rate limits are throttled. If you need this signal, mention it in your rate limit increase request.

Use alternative resolvers together with Google Public DNS

ISPs can also configure Google Public DNS as one of several resolver services for their clients or shared caching resolvers. This can increase DNS reliability and eliminate single points of failure. The FAQ highlights issues to consider when configuring multiple DNS resolvers.

Use Google Public DNS as an emergency fallback

ISPs can configure Google Public DNS as an emergency fallback, but if the sustained query volume per client IP address exceeds the default rate limit (1000 QPS), queries are likely to be throttled as soon as traffic switches over to Google Public DNS.

To properly provision the Google Public DNS service to handle surges in demand, we rely on accurate baseline traffic levels. We cannot provide rate limit increases for clients whose traffic volume does not even approach the default rate limits.

ISPs with high query volume that want to use Google Public DNS only as an emergency fallback should instead configure the Google Public DNS resolvers together with several alternative resolver addresses as fallbacks. If the fallbacks are activated, this spreads your DNS traffic across multiple providers, reducing the risk of hitting rate limits.

Peer with Google

Medium to large ISPs using Google Public DNS for their DNS resolution should set up network peering with Google. Doing this establishes a relationship with the Google NOC that can be used for escalation if there are connectivity or reachability issues from the ISP network to Google's networks, including the Google Public DNS IP addresses.