Google fully implements security feature on DNS lookups

Google will validate signatures on DNSSEC-enabled records

Google has fully implemented a security feature that ensures a person looking up a website isn't inadvertently directed to a fake one.

The Internet company has run its own free public Domain Name System (DNS) lookup service, called Public DNS, since 2009. DNS lookups are required to translate a domain name, such as www.idg.com, into an IP address that can be called into a browser.

But DNS systems can be tampered with by hackers. In an attack called "cache poisoning," a DNS server is hacked and modified so that a user looking for www.idg.com is directed to a different website.

ISPs and other network operators have been slowly implementing DNS Security Extensions (DNSSEC), which uses public key cryptography to digitally "sign" the DNS records for websites.

DNSSEC requires a fair amount of work to implement. Domain owners have to ensure their sites are digitally signed. About one-third of top-level domains are signed, but most second-level domains are not, according to Google. ISPs and other network providers must also configure their systems.

Google said it is now checking the digital signatures on DNSSEC-formatted messages, an important step in ensuring correct DNS queries.

"Previously, we accepted and forwarded DNSSEC-formatted messages but did not perform validation," wrote Yunhong Gu, team lead for Google Public DNS. "With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains."

Google's technical pages on DNSSEC state that if it cannot validate a domain, it will return an error response. But if a very popular domain is failing to validate, it may exclude the site from its blacklist until the problem is fixed.

Google's Public DNS answers more than 130 billion queries from more than 70 million IP addresses per day, Gu wrote. Only 7 percent of those queries request DNSSEC information, however.

"Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment," Gu wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Tags Googlesecurity

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?