Karlston Posted January 14, 2019

Google revealed last week that it added support for the privacy feature DNS-over-TLS to the company's public DNS service Google Public DNS.

Google launched Google Public DNS in 2009 at a time when many Internet companies started to hop on the DNS bandwagon. Some companies exited the DNS business again, Symantec retired Norton ConnectSafe (DNS) in 2018, while others such as Cloudflare, Verisign, Quad9 DNS or AdGuard DNS launched in recent years.

Google claims that its service is the "world's largest public Domain Name Server (DNS) recursive resolver"; it turns domain names into IP addresses required for communication on the Internet.

DNS-over-TLS and DNS-over-HTTPS are two approaches to making DNS requests more private by using encryption. One of the main differences between the two implementations is the port that is used. DNS-over-TLS uses port 853, DNS-over-HTTPS the standard HTTPS port 443.

Mozilla started to experiment with DNS-over-HTTPS in recent development versions of Firefox already, and it is likely that other browser makers and DNS providers will start to support these privacy features eventually as well.

Google implemented the DNS-over-TLS specification outlined in RFC7766 and suggestions to improve the implementation; Google's implementation uses TLS 1.3 and supports TCP fast open, and pipelining.

Most experts would probably agree that encrypting DNS to improve privacy and security, e.g. from tampering, is beneficial and desirable.

The main issue with Google's implementation at this point in time is that it is not widely available. It is supported on Android 9 devices only at the time officially, and as a stubby resolver for Linux.

Google's implementation guideline highlights for Windows and Mac OS X that the operating systems don't support DNS-over-TLS by default. The only option at this point to add support would be to set up a proxy resolver according to Google.

Windows users may use something like Simple DNSCrypt to encrypt DNS traffic.

Closing Words

Users who use Google DNS already benefit from Google's implementation of DNS-over-TLS provided that it is supported on their devices or set up using proxies. Users who don't trust Google or don't want to send all their DNS traffic to Google won't start using Google Public DNS because encryption does not change that.

Source: Google Public DNS supports DNS-over-TLS: but you probably can't use it right now (gHacks - Martin Brinkmann)
steven36 Posted January 14, 2019

Quote
Users who use Google DNS already benefit from Google's implementation of DNS-over-TLS provided that it is supported on their devices or set up using proxies. Users who don't trust Google or don't want to send all their DNS traffic to Google won't start using Google Public DNS because encryption does not change that.

My VPN says don't use other DNS with it and not to trust DNSCrypt because it belongs to Cisco, so I sure won't be using Google anytime soon. I have seen some VPNs that were free giveaways or trials use Google DNS, which made me wonder about the privacy of the VPN. What kind of VPN doesn't provide their own DNS? 🤣

Quote
DNScrypt is not required when using our VPN service as all your traffic is encrypted including DNS requests. Furthermore, DNScrypt utilises the OpenDNS infrastructure (owned by Cisco) which may log DNS requests thus endangering your privacy and/or privacy.

I think there are a few of them that don't log at OpenNIC where you can use DNSCrypt; you would have to look and see, it's listed which ones don't log and use DNSCrypt with, but most DNS services log unless you pay for one with your VPN or buy just DNS with no logging.
stylemessiah Posted January 14, 2019

DNSCrypt doesn't belong to Cisco, that's incorrect.

I have been using dnscrypt-proxy (command line like a proper techie, not that awful Simple DNSCrypt - suppose it's okay for average folks though) for quite some time now, on both my desktop and my Android devices...added benefit is the adblocking (I have a custom script to compile a blacklist from various sources on the net), which is far better than using hosts blocking...same adblocking on all my devices (currently have a 35Mb blacklist file - try getting any OS to use a hosts file that large without choking).

My DNSCrypt-Proxy resolution is from highest to lowest: local dnscrypt resolver (faster being local), then Cloudflare (pretty quick) and Google last...been able to use Google (DNS-over-HTTPS) for ages.

As for VPN, I still do not get how VPN users do not realise that while the service they are paying for says they don't log, you can bet they are in fact the most logged connections on earth...how do you guys not get that? Anyone using a VPN connection is automatically assumed to be doing something shady...who are you going to log, those people or your average user on public ISP or Google DNS? It's the shooting fish in a barrel argument, you're going to catch more people if almost everyone using that service is doing something shady...those companies, if they don't already log for law enforcement on the sly, will bend over and dump their logs at the first sign of a search warrant....

I have been on the interwebs since the beginning, never used a VPN, never will, you're paying for a false sense of security........the simple fact is if you aren't doing anything shady, you have nothing to worry about....

Not even going to get into how most people don't set up their VPN connection properly anyways, most of them are still leaking their IP and DNS queries all over the internet....

Last time I'm going to mention it on here, people just don't get the message they're making themselves targets....

So bored with people who bang on about VPNs....fool's paradise
steven36 Posted January 14, 2019

2 hours ago, stylemessiah said:
So bored with people who bang on about VPNs....fool's paradise

You live in a different region of the world from me. While just changing DNS may be simple enough to get you around ISP site blocks, where I live you don't need to use 3rd party DNS to visit any sites, we never blocked any sites. Ever since 2012 our ISP sends out warnings; changing DNS won't help you when using torrents, they log your IP and turn you in to your ISP. The only way to get around it is to use a VPN with a kill switch, or you can buy a leecher or seed box and get around it.

2 hours ago, stylemessiah said:
Not even going to get into how most people don't set up their VPN connection properly anyways, most of them are still leaking their IP and DNS queries all over the internet....

Lol, that's their problem not mine if they don't know how to set up a VPN; if their VPN was any good to begin with the DNS would not leak. If they don't know how to stop leaks with a VPN DNS they sure would not know how to use a 3rd party DNS without it leaking, period! I have been using a VPN of some kind ever since the ISP started sending out warnings in 2012 and never got a warning. The proof is in the pudding.

2 hours ago, stylemessiah said:
DNSCrypt doesn't belong to Cisco, that's incorrect

They don't belong to Cisco, but it utilizes many DNS that log; you may as well install some spyware as use DNS that log. I just said there are some at OpenNIC you can use with it that don't log. That's the same as in some countries where they let you use encrypted software as long as they let the government log it. All the law has to do in any Five Eyes country is go to Google, Cisco or Cloudflare and pull up your logs.

I'm beyond bored, I'm sick of people who don't care about their privacy trying to convince us using these things doesn't invade your privacy, when most of 2018 was one thing after the other about how Google and Facebook were breached and their services gave your data to hackers. Lol, you live in a country that bans encryption on some software; if they weren't doing their job and blocking the AU government from spying on you they would never have banned it. You're the one who lives in a fairy tale world and thinks tech companies and the governments don't invade your privacy. I don't live in the EU where my country has privacy laws that protect you, so if I don't look out for myself no one else will, and when it comes to big tech they will keep taking it to court in the EU till they get a judge that sides with them; they simply get around it by making you opt in.

When Windows 10 came out I think Google and Facebook were behind most of the news about how bad it was for privacy to make you forget about them. Because I have been on the internet since 2001, and ever since Google and Facebook changed their privacy policy where they could harvest your data they were in the news. That was short lived; Microsoft got by 2018 without a scratch while Google and Facebook were sued for one thing after the other. Most things that Windows 10 does to invade your privacy they copied from Google and Facebook. Google copied the spyware of the 1990s and early 2000s where to get something for free you had to let them spy on you. Before they had software that spied on you the search engines had toolbars to spy on people in IE; they have never been trustworthy.

Most open source and some paid apps don't have a spying problem like big tech does. Notice I said most open source; there are some vendors like Firefox who sold out to Google. Apple is no better, they preach privacy but take billions a year from Google not to change search engines, while on Linux in some distros Firefox is not allowed to install Google search in their browser. I'm not a hater of any of these services. I use Google search sometimes but never signed in; I use YouTube signed in sometimes and Google Cloud but hardly ever. My Google Account is done with fake info and with a VPN, and I use it behind a VPN; sometimes I need the cloud to download some things, and YouTube has age restricted free movies now where you need to sign in. But I'll be darned if I stay signed in when it's not needed or use their DNS. Google thinks I live in some other country than I do, because if I try to sign in outside of the place I signed up with IPs with my VPN they block me out and ask for a phone number, something they will never get from me. Because from 2012-2018 I never signed into Google, I just started signing back in this month, so I'm not Google dependent. I only use it because they have videos where I want to download or stream and have to use their service to do it. I use Firefox on Linux to sign in. For everything else I use Waterfox where I keep Google cookies blocked.