Donate
‹ Back
Deploy360 19 March 2013

Google Public DNS – DNSSEC Validation

Google logoGoogle provides DNSSEC validation through the use of their “Google Public DNS” servers.  If your local DNS resolvers do not perform DNSSEC validation, you can change your operating system to point to the following DNS servers operated by Google for either (or both) IPv4 and IPv6:

8.8.8.8
8.8.4.4

2001:4860:4860::8888
2001:4860:4860::8844

Once configured, all future DNS queries will be resolved using these DNS servers and DNSSEC validation (if requested) will be performed by Google’s servers.  You will then benefit from the added protection of DNSSEC validation.

Typically this configuration is changed wherever you modify your network settings.  In Windows, this is usually in your “Control Panel” while in Mac OS X this will be in the Network part of your “System Preferences”.  For Linux and other operating systems the exact procedure will vary.

Note that there is one important caveat here – you have to request DNSSEC validation when you send the DNS query to Google’s Public DNS servers, i.e. they will only validate the DNS query if you request it.  To do that you need an application that supports DNSSEC.  For web browsers, there are add-ons and extensions for both Google Chrome and Mozilla Firefox:

If you are an application developer, there are DNS developer libraries that support DNSSEC available in a wide range of programming languages so that you can add DNSSEC support to your application.

You can test DNSSEC validation by attempting to visit one of the deliberately misconfigured sites listed on our DNSSEC Tools page.

Google provides the following information about using their Public DNS service:

The addition of DNSSEC was announced in March 2013 and noted that Google Public DNS is currently “serving more than 130 billion DNS queries on average (peaking at 150 billion) from more than 70 million unique IP addresses each day.”

Note: To get the most value out of DNSSEC, you need to use a DNSSEC-validating resolver, and also sign your domains. If you have domains registered, learn about how your can sign your domains with DNSSEC using domain name registrars.

‹ Back

Related articles

The Two Sides of DNSSEC – Signing and Validation
Domain Name System Security Extensions (DNSSEC)5 August 2014

The Two Sides of DNSSEC – Signing and Validation

There are two sides of DNSSEC, Signing and Validation, that together provide the increased level of security offered by DNSSEC...

Plan - Where We Need To Get DNSSEC Validation Happening
Domain Name System Security Extensions (DNSSEC)2 May 2014

Plan – Where We Need To Get DNSSEC Validation Happening

For DNSSEC to succeed, we need to get DNSSEC validation happening within DNS resolvers at many different levels within the...

State of DNSSEC Deployment 2016
State of DNSSEC Deployment 2016
Domain Name System (DNS)31 December 2016

State of DNSSEC Deployment 2016

This report provides a snapshot of the state of deployment of DNSSEC as of the end of 2016. Please download the...

Join the conversation with Internet Society members around the world