Google Implements DNSSEC Validation for Public DNS

Google on Tuesday announced that it now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers.

Previously, the search giant accepted and forwarded DNSSEC-formatted messages but didn’t actually perform validation.

“With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains,” Yunhong Gu, Team Lead, Google Public DNS wrote in a blog post.

“DNSSEC is a critical step towards securing the Internet,” Gu continued. “By validating data origin and data integrity, DNSSEC complements other Internet security mechanisms, such as SSL. It is worth noting that although we have used web access in the examples above, DNS infrastructure is widely used in many other Internet applications, including email.”

Google said that its Public DNS currently serves more than 130 billion DNS queries on average each day. However, Google said, only 7% of those queries from the client side are DNSSEC-enabled, with approximately 3% requesting validation and 4% requesting DNSSEC data but no validation. About 1% of DNS responses from the name server side are signed, Google said.
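The three client categories in those statistics are visible on the wire: a query that sets the EDNS0 DO bit asks for DNSSEC records, and one that also sets the header CD (checking disabled) flag asks for the data but tells the resolver not to validate it. The script below is an added example, not code from Google or from this article; it builds such queries, classifies them, and shows the AD flag a validating resolver sets on a verified answer (the mapping of the article's categories to DO/CD is the standard one and is assumed here; the response is constructed, not fetched).

```python
import struct
RD, CD, AD, QR, RA = 0x0100, 0x0010, 0x0020, 0x8000, 0x0080   # DNS header flag bits
OPT_TYPE, DO_BIT = 41, 0x80000000                               # EDNS0 OPT RR; DO sits in its TTL field

def encode_name(name):
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def build_query(name, do=False, cd=False, txid=0x1234):
    """Query for <name> A/IN; do=True appends an OPT pseudo-record with the DO bit set."""
    flags = RD | (CD if cd else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if do:  # root name, type OPT, UDP payload size 4096, TTL field carries DO, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, 0)
    return msg

def skip_name(msg, off):
    while True:  # return offset just past a wire-format name, handling compression pointers
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def classify(msg):
    """Report DO/CD/AD and the client category used in the article's statistics."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    do = False
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if i >= an + ns and rtype == OPT_TYPE and ttl & DO_BIT:  # OPT lives in the additional section
            do = True
        off += 10 + rdlen
    cd_set, ad_set = bool(flags & CD), bool(flags & AD)
    category = ("requests validation" if do and not cd_set else
                "requests DNSSEC data, no validation" if do else "no DNSSEC")
    return {"do": do, "cd": cd_set, "ad": ad_set, "category": category}

def constructed_response(query, addr=b"\xc0\x00\x02\x01", validated=True):
    # Simulated resolver answer: echo question and OPT, set QR/RA (+AD only when validated)
    txid, flags, qd, _, _, ar = struct.unpack("!HHHHHH", query[:12])
    qend = skip_name(query, 12) + 4
    flags |= QR | RA | (AD if validated else 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + addr  # A RR, name = pointer to question
    return struct.pack("!HHHHHH", txid, flags, qd, 1, 0, ar) + query[12:qend] + rr + query[qend:]
```

A stub resolver that wants the resolver's validation result checks the AD flag on the answer; a client that sets CD gets the RRSIG data back and must validate it itself.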

“Effective deployment of DNSSEC requires action from both DNS resolvers and authoritative name servers,” Gu said. “Resolvers, especially those of ISPs and other public resolvers, need to start validating DNS responses. Meanwhile, domain owners have to sign their domains.”

According to Gu, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned.

According to the National Institute of Standards and Technology (NIST), there has been no progress in enabling DNSSEC on 98 percent of all 1,070 industry domains tested as of March 18, 2013.  

In a recent SecurityWeek column, Ram Mohan explained that while DNSSEC does not solve every Internet-based security issue, it does offer a more advanced level of user security for directory look-ups than is currently in use.

“For example, DNSSEC can ensure that a Web browser knows where to find the site you are trying to reach,” Mohan explained. “Browsers can employ this information to help protect users from phishing attacks and from being hijacked. Although browsers don't use DNSSEC in this way today, they easily could (and probably should.) Although you can still be hijacked and your site could still be the victim of phishing attacks, including DNSSEC in an overall security strategy will help to mitigate the risk to users.”

Mohan also suggested that DNSSEC complements other security technologies and provides a platform for yet-to-be-developed innovations.

In early 2012, Comcast moved to DNSSEC-validating DNS servers for its millions of customers, and signed all of the domains used by the company, such as www.comcast.net, making it the first large ISP in North America to have fully implemented DNSSEC.

“Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,” Google’s Gu said.

More information on Google’s DNSSEC support can be found in the FAQ and Security pages.
