What is Google Public DNS?
Google Public DNS is a free, global Domain Name System (DNS) resolution service that you can use as an alternative to your current DNS provider.
Why is Google working on a DNS service?
We believe that a faster and safer DNS infrastructure could significantly improve the web browsing experience. Google Public DNS has made many improvements in the areas of speed, security, and validity of results. We've shared these improvements in our documentation, to contribute to an ongoing conversation within the web community.
Can I use Google Public DNS to host my domain name or website?
No. Google Public DNS is not an authoritative DNS hosting service. If you are looking for a high-volume, programmable, authoritative name server using Google's infrastructure, try Google's Cloud DNS.
Does Google Public DNS offer the ability to block or filter out unwanted sites?
No. Google Public DNS is purely a DNS resolution and caching server; it does not perform any blocking or filtering of any kind, except that it may not resolve certain domains in extraordinary cases if we believe this is necessary to protect Google’s users from security threats. But we believe that blocking functionality is usually best performed by the client. If you are interested in enabling such functionality, you should consider installing a client-side application or browser add-on for this purpose.
Are Googlers using Google Public DNS?
Yes. Googlers have been using Google Public DNS since a couple of months before the launch. Also, we have been using it to power our Wi-Fi networks for visitors as well as our free public Wi-Fi network in Mountain View, California.
Are there any cross-product dependencies with Google Public DNS?
Google Public DNS is an independent service.
Do I need a Google Account to use Google Public DNS?
How is Google Public DNS different from my ISP's DNS service or other open DNS resolvers? How can I tell if it is better?
Open resolvers and your ISP all offer DNS resolution services. We invite you to try Google Public DNS as your primary or secondary DNS resolver along with any other alternate DNS services. There are many things to consider when identifying a DNS resolver that works for you, such as speed, reliability, security, and validity of responses. Unlike Google Public DNS, some ISPs and open resolvers block, filter, or redirect DNS responses for commercial purposes.
How does Google Public DNS handle non-existent domains?
If you issue a query for a domain name that does not exist, Google Public DNS always returns an NXDOMAIN record, as per the DNS protocol standards. The browser should show this response as a DNS error. If, instead, you receive any response other than an error message (for example, you are redirected to another page), this could be the result of the following:
- A client-side application such as a browser plug-in is displaying an alternate page for a non-existent domain.
- Some ISPs may intercept and replace all NXDOMAIN responses with responses that lead to their own servers. If you are concerned that your ISP is intercepting Google Public DNS requests or responses, you should contact your ISP.
Will Google Public DNS be used to serve ads in the future?
No. We are committed to preserving the integrity of the DNS protocol. Google Public DNS will never return the address of an ad server for a non-existent domain.
What is DNS-over-HTTPS?
DNS resolution over an encrypted HTTPS connection. DNS-over-HTTPS greatly enhances privacy and security between a stub resolver and a recursive resolver, and complements DNSSEC to provide end-to-end authenticated DNS lookups.
Use and support
I am using another DNS service now. Can I also use Google Public DNS?
Yes. You can set Google Public DNS to be your primary or secondary DNS resolver, along with your current DNS resolver. Please remember that operating systems treat DNS resolvers differently: some will only use your primary DNS resolver and use the secondary in case the primary one fails, while others will round-robin among each of the resolvers.
Is Google Public DNS suitable for all types of Internet-enabled devices?
Yes. Google Public DNS can be used on any standards-compliant network device. If you find any situation where Google Public DNS does not work well, please let us know.
Can I run Google Public DNS on my office computer?
Some offices have private networks that allow you to access domains that you can't access outside of work. Using Google Public DNS might limit your access to these private domains. Please check your IT department's policy before using Google Public DNS on your office computer.
In which countries is Google Public DNS available?
It is available to Internet users around the world, though your experience may vary greatly based on your specific location.
Does Google Public DNS work with all ISPs?
Google Public DNS should work with most ISPs, assuming you have access to change your network DNS settings.
Do I need to use both Google Public DNS IP addresses?
No. You can use Google as your primary service by just using one of the IP addresses. However, be sure not to specify one address as both primary and secondary servers.
Does it matter in what order I specify the IP addresses?
No, the order does not matter. Either IP can be your primary or secondary name server.
What is the SLA for the service?
We are not providing an SLA for this service at this time.
I'm running an ISP. Can I redirect all my users to Google Public DNS?
Yes. But at this time, Google Public DNS is a service without an SLA. If you do want to use Google Public DNS, please create a ticket on the Issue Tracker to discuss with us first.
How can I get support from the Google Public DNS team?
We recommend that you join our Google Groups to get useful updates from the team and ask any questions you have. If you are encountering a problem and would like to report it, please see Reporting issues for procedures.
Where are your servers currently located?
Google Public DNS servers are available worldwide. Here are the subnets from which Google Public DNS sends requests to authoritative name servers, and their associated IATA airport codes:
This list is subject to additions, modifications, and even reductions as we continue to deploy and support our service.
How does Google Public DNS know which data center to send me to?
Google Public DNS uses anycast routing to direct all packets to the closest DNS server. For more information on anycast routing, see the Wikipedia entry.
Is Google Public DNS based on open source software, such as BIND?
No. Google Public DNS is Google's own implementation of the DNS standards.
Does Google Public DNS comply with the DNS standards set forth by the IETF?
Are there plans to release Google Public DNS code as open source software?
At this time, there are no plans to open source Google Public DNS. But we have detailed all the steps we have taken to increase speed, security, and standards compliance.
Does Google Public DNS support IPv6?
Yes. Google Public DNS has IPv6 addresses for incoming requests from clients with IPv6 connectivity and responds to all requests for IPv6 addresses, returning AAAA records if they exist. We fully support IPv6-only authoritative name servers. The IPv6 resolver addresses are provided in the instructions for getting started with Google Public DNS.
Note that you may not see IPv6 results for Google web sites. To optimize the user experience, Google only serves AAAA records to clients with good IPv6 connectivity. This policy is completely independent of Google Public DNS, and is enforced by Google's authoritative name servers. For more information, please see the Google over IPv6 page.
For IPv6-only networks and systems, you can use Google Public DNS64 to get synthesized AAAA records for domain names with A records but no AAAA records. These synthesized AAAA records direct IPv6-only clients to a NAT64 gateway using a well-known IPv6 prefix reserved for NAT64 service. Just configure your systems following the getting started instructions, replacing the resolver addresses with the DNS64 IPv6 configuration.
Does Google Public DNS support the DNSSEC protocol?
Yes. Google Public DNS is a validating, security-aware resolver. All responses from DNSSEC signed zones are validated unless clients explicitly set the CD flag in DNS requests to disable the validation.
How can I find out if I am using DNSSEC?
You can do a simple test by visiting http://www.dnssec-failed.org/. This site has been specifically configured to return a DNS error due to a broken authentication chain. If you don't receive an error, you are not using DNSSEC.
How does Google Public DNS handle lookups which fail DNSSEC validation?
If Google Public DNS cannot validate a response (due to misconfiguration, missing or incorrect RRSIG records, etc.), it will return an error response (SERVFAIL) instead. However, if the impact is significant (e.g. a very popular domain is failing validation), we may temporarily disable validation on the zone until the problem is fixed.
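The CD flag and the SERVFAIL behaviour described above give a simple way to tell a DNSSEC validation failure from an ordinary resolution failure: send the same question twice, once normally and once with CD set, and compare the response headers. The Python below is an added example, not Google's code; the function names and the header-only sample responses are constructed for illustration, and the network send is left out so that it runs offline.

```python
import struct

QR, AD, CD, RD = 0x8000, 0x0020, 0x0010, 0x0100   # DNS header flag bits
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype=1, cd=False, qid=0x1234):
    """Wire-format query with the EDNS DO bit set; cd=True also sets CD."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT pseudo-RR: root owner, TYPE 41, CLASS = UDP size, TTL carries DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(msg):
    """Extract the fields of a response header that matter for DNSSEC."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ad": bool(flags & AD), "cd": bool(flags & CD), "answers": an}

def diagnose(normal, with_cd):
    """Compare the reply to a normal query with the reply to a CD=1 query."""
    a, b = parse_header(normal), parse_header(with_cd)
    if a["rcode"] == "SERVFAIL":
        # Data is reachable once validation is switched off: DNSSEC is the cause.
        if b["rcode"] == "NOERROR" and b["answers"]:
            return "dnssec-validation-failure"
        return "resolution-failure"
    if a["rcode"] == "NXDOMAIN":
        return "name-does-not-exist"
    if a["rcode"] == "NOERROR" and a["ad"]:
        return "validated"
    return "not-validated"

def _resp(flags, answers=0):  # constructed header-only sample responses
    return struct.pack("!HHHHHH", 0x1234, QR | RD | 0x0080 | flags, 1, answers, 0, 0)

SAMPLES = {
    "broken": (_resp(2), _resp(CD, 1)),        # SERVFAIL, but CD=1 returns data
    "signed": (_resp(AD, 1), _resp(CD, 1)),    # NOERROR with AD set
    "missing": (_resp(3), _resp(CD | 3)),      # NXDOMAIN either way
}
```

A reply with AD set is only as trustworthy as the path to the resolver, which is the gap the DNS-over-HTTPS answer further down addresses.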
How can I find out why a given domain fails DNSSEC validation?
Verisign Labs' DNS Analyzer and Sandia National Laboratories' DNSViz are two DNSSEC visualization tools that show the DNSSEC authentication chain for any domain. They show where breakages occur and are useful for looking up the source of DNSSEC failures.
Google Public DNS is caching an outdated record. Is there a way I can get Google Public DNS to refresh its cache?
Yes! You can use the Flush Cache tool to refresh Google Public DNS's cache for a particular domain.
Does Google Public DNS secure the so-called "last-hop" by encrypting communication with clients?
Yes! Traditional DNS traffic is transported over UDP or TCP without encryption. We also provide DNS-over-HTTPS which encrypts the traffic between clients and Google Public DNS. You may try it at: https://dns.google.com.
Why do we need DNS-over-HTTPS when we already have DNSSEC?
DNS-over-HTTPS and DNSSEC are complementary. Google Public DNS uses DNSSEC to authenticate responses from name servers whenever possible. However, in order to securely authenticate a traditional UDP or TCP response from Google Public DNS, a client would need to repeat the DNSSEC validation itself, which very few client resolvers currently do. DNS-over-HTTPS encrypts the traffic between stub resolvers and Google Public DNS, and complements DNSSEC to provide end-to-end authenticated DNS lookups.
I looked online and it seems that there are a lot of issues with open resolvers such as DDoS attacks, large-scale spoofing etc. Why did you make Google Public DNS an open resolver?
There are many articles online about some of the threats that open resolvers face. We made a conscious decision to be open and we have taken what we believe to be adequate precautions. See the security benefits page for information on the precautions we have taken to help protect our users from spoofing and cache poisoning, and to mitigate DNS-based DDoS attacks.
Are there tools that I can use to test the performance of Google Public DNS against that of other DNS services?
There are many freely available tools that you can use to measure Google Public DNS's response time. We recommend Namebench. Regardless of the tool you use, you should run the tool against a large number of domains—more than 5000—to ensure statistically significant results. Although the tests take longer to run, using a minimum of 5000 domains ensures that variability due to network latency (packet loss and retransmits) is minimized, and that Google Public DNS's large name cache is thoroughly exercised.
To set the number of domains in Namebench, use the Number of tests GUI option or the -t command line flag; see the Namebench documentation for more information.
When I run traceroute against the Google Public DNS resolvers, the response latency is higher than that of other services. Does this mean Google Public DNS is always slower?
No. In addition to the ping time, you also need to consider the average time to resolve a name. For example, if your ISP has a ping time of 20 ms, but a mean name resolution time of 500 ms, the overall average response time is 520 ms. If Google Public DNS has a ping time of 300 ms, but resolves many names in 1 ms, the overall average response time is 301 ms. To get a better comparison, we recommend that you test the name resolutions of a large set of domains.
I've read claims that Google Public DNS can slow down certain multimedia applications or websites. Are these true?
Many sites that provide downloadable or streaming multimedia host their content with DNS-based third-party content distribution networks (CDNs), such as Akamai. When a DNS resolver queries an authoritative name server for a CDN's IP address, the name server returns the closest (in network distance) address to the resolver, not the user. In some cases, for ISP-based resolvers as well as public resolvers such as Google Public DNS, the resolver may not be in close proximity to the users. In such cases, the browsing experience could be slowed down somewhat. Google Public DNS is no different from other DNS providers in this respect.
To help reduce the distance between DNS servers and users, Google Public DNS has deployed its servers all over the world. In particular, users in Europe should be directed to CDN content servers in Europe, users in Asia should be directed to CDN servers in Asia, and users in the eastern, central and western U.S. should be directed to CDN servers in those respective regions. We have also published this information to help CDNs provide good DNS results for multimedia users.
In addition, Google Public DNS engineers have proposed a technical solution called EDNS Client Subnet. This proposal allows resolvers to pass in part of the client's IP address (the first 24/64 bits or less for IPv4/IPv6 respectively) as the source IP in the DNS message, so that name servers can return optimized results based on the user's location rather than that of the resolver. To date, we have deployed an implementation of the proposal for many large CDNs (including Akamai) and Google properties. The majority of geo-sensitive domain names are already covered.
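To see exactly how much of a client's address reaches the authoritative name server, the following added example (not Google's implementation) encodes and decodes the EDNS Client Subnet option in the layout later standardized as RFC 7871, with the 24/64-bit limits from the answer above as the maximum. The function names are hypothetical and the client addresses used with it should be documentation-range samples, not real users.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8            # EDNS Client Subnet option code (RFC 7871)
MAX_BITS = {4: 24, 6: 64}      # upper limits stated in the answer above

def ecs_option(client_ip, prefix_len=None):
    """Encode the ECS option a resolver would attach for this client."""
    ip = ipaddress.ip_address(client_ip)
    limit = MAX_BITS[ip.version]
    bits = limit if prefix_len is None else prefix_len
    if not 0 <= bits <= limit:
        raise ValueError(f"prefix /{bits} exceeds /{limit} for IPv{ip.version}")
    # strict=False masks the host bits, so they are zeroed before encoding
    net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    addr = net.network_address.packed[: (bits + 7) // 8]
    family = 1 if ip.version == 4 else 2
    body = struct.pack("!HBB", family, bits, 0) + addr   # scope is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def decode_ecs(option):
    """Return the subnet an authoritative server learns from the option."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, bits, _scope = struct.unpack("!HBB", option[4:8])
    cls, size = {1: (ipaddress.IPv4Network, 4),
                 2: (ipaddress.IPv6Network, 16)}[family]
    packed = option[8:].ljust(size, b"\x00")   # re-pad the truncated address
    return str(cls((packed, bits)))
```

For the constructed client 203.0.113.77, `decode_ecs(ecs_option("203.0.113.77"))` yields `203.0.113.0/24`: the last octet never leaves the resolver.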
What information does Google log when I use the Google Public DNS service?
Your client IP address is only logged temporarily (erased within a day or two), but information about ISPs and city/metro-level locations are kept longer for the purpose of making our service faster, better, and more secure.
Is any of the information collected stored with my Google account?
Does Google share the information it collects from the Google Public DNS service with anyone outside Google?
Does Google correlate or combine information from temporary or permanent logs with any personal information that I have provided Google for other services?