Is Google Public DNS Safe?

Google recently launched a public DNS service similar to the popular service over at OpenDNS, you can find it on Googlecode here –

The first obvious reaction for the infosec crowd (with all the recent DNS flaws), is to question the security of the Google DNS service.

HD Moore has done some good analysis on the service as outlined below.

Yesterday, Google launched its new Public DNS service. Among the benefits that Google is claiming for the new service is that it helps to secure DNS for users. Is that an accurate claim?

One of the big issues that security researcher Dan Kaminsky disclosed about DNS insecurity in 2008 was that DNS request information isn’t quite as random as it should be. The way DNS works is that each DNS request is supposed to carry with it a random number transaction ID. But it turns out that the random number is only one out of 65,000. DNS is at risk when there isn’t enough randomization and a hacker can ‘guess’ the number.

So is Google’s Public DNS random enough? I got a comment from famed security researcher, H D Moore on that point. Moore knows what he’s talking about when it comes to DNS exploits as his Metasploit tool was among the first to have a weaponized version of the Kaminsky DNS flaw.

It seems like the port allocation of the Google DNS system is adequately random even though it’s drawing from a fairly small port range.

So the claims this could be a more secure DNS server for most systems are true, it will protect against DNS cache poisoning attacks at least.

Moore has now put together a mapping of Google’s source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports.

According to HD, it looks like Google’s focus on security might be on the right track and the DNS could be good at preventing cache poisoning attacks.

His sample size is only 10,000 requests here, which isn’t a huge number but does give a decent sample in my view. He has also graphed source ports, transaction IDS and a comparison of source ports to those transaction IDs.

I’ll switch over from OpenDNS and give the Google system a try, maybe it’ll reduce the lag time a little.

If anyone else is already using it, do share with us your thoughts in the comment section below.

Source: Internet News (Thanks Navin)

Posted in: Networking Hacking Tools

, , , ,

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

15 Responses to Is Google Public DNS Safe?

  1. Luigi Rosa December 16, 2009 at 10:23 am #

    Keep in mind that if you do not use a local resolver, the CDN based contents (like Akamai and may others) will be delivered from a server that is not the best for your IP.

    So, you will have a smller lag for DNS query, but a bigger one for CDN contents.

    I am staying with my local resolver administered by myself.

  2. Phill Thomas December 16, 2009 at 11:24 am #

    I think 99% of users will never notice anything lag difference (if there is indeed any additional), I personally think its useful to have the likes of google offering this kind of service, it could potentially take off the strain or requirements to run internal DNS and give sys admins more time to drink coffee :)

  3. scriptjunkie December 16, 2009 at 8:04 pm #

    Unfortunately, RTT tends to rule DNS query speeds, and local resolvers are a heck of a lot closer. My measured query latency to Google for a nearby site lookup is .19 seconds. To my local DNS, it’s .01 second for the request. For a random name, ( the local resolver took almost .02 seconds and Google took an astonishing 1.20 seconds (mostly in the miss of[my local domain] which is automatically tried first due to the default local domain appending, but whatever, every OS does it). So yeah they have some cool ideas, but I’m not that impressed or switching my default DNS. And yes, I do notice an additional 1.2 second delay every time I hit a new domain while surfing.

    IMNSHO, it is interesting for the implementer of a DNS system, especially the security part ( but it can’t supply a replacement for a local resolver.

  4. googtester December 16, 2009 at 8:58 pm #


    I always test new products from google and also currently using googles public dns, its giving much better results then open dns, but the features of open dns like filtering etc. are not supported by google yet.

    Hope google will impreove it more and implement it as one of its popular services from google.

  5. Darknet December 17, 2009 at 5:38 am #

    Well it matters to users outside of the US, I’m in Malaysia for example and the ISP DNS servers are shite…they are frequently down, slow to respond and sometimes purposely fail to resolve certain sites on order of the government. So I’ve always had the habit of using OpenDNS anyway, this is a valid alternative to me and if Google is using a CDN type setup with a node in SE’ll definitely be faster than OpenDNS.

  6. Morgan Storey December 17, 2009 at 12:11 pm #

    I think its also a decent idea to use these as forwarders on your local DNS, heck you can put open DNS in as well. Thats what I tend to do as the root servers are simply to slow to respond here in Australia most of the time.

  7. Wojtek December 17, 2009 at 1:36 pm #

    A view from France…

    My ISP’s DNS is faster than Google or OpenDNS (by maybe 10%) but I would need to make more tests, especially to break down the difference in terms of RTT and DNS speed per se.

    Looking at the wild discussion in the US, it would seem that DNSes provided by ISPs over there are not that good. I guess this is because you have 3 zillions ISPs while we have just a handful. All of them have decent DNSes (both speed and stability) and switching to Google would not change much.

    An obvious advantage is that you need to remember and (see, I know tham by heart) instead of 984.398.165.26 and 594.365.23.900 (these, for some reason, never worked for me, no matter how hard I tried)

  8. silicon.shaman December 17, 2009 at 2:41 pm #

    Been using google’s DNS for a couple of weeks now, the improved lag time isn’t really enough to be noticeable, [although it is improved]. What does make a difference is the improved reliability of look-ups.

    As for the flaw…well it is only in testing stage. I figure they’ll probably patch that as the uptake on the service improves. But for now it’s not an issue.

  9. Hemanth G December 17, 2009 at 4:31 pm #

    I’m Switching from OPENDNS to Google, its been a few days and i already miss a few of OPENDNS feature’s like filtering, but the time lag has definitely reduced by about 10%.

    Unless Google add more features to its DNS service its unlikely i will continue with it.

  10. Varun December 18, 2009 at 4:52 am #

    Try namebench to see which of the public DNS server systems are fastest for you. For me Google DNS ended almost at the bottom of the list having 11-12 similar services. I am based out of Bangaloe.

  11. Darknet December 18, 2009 at 9:00 pm #

    With namebench Google primary ( actually came out faster on average than my local ISP resolver.

  12. pfff December 18, 2009 at 11:16 pm #

    How about when “LSD” AKA HD Moore was backdooring people? Was he doing “good work” then to? Your old as dirt, don’t you remember when the hapless Perl program was a trojan punk?

  13. CC December 19, 2009 at 2:33 pm #

    Why give Google such power to control all your traffic?
    You might say that you already do that with your ISP and you are right! but your ISP isn’t Google they only provide internet service not all the other stuff Google is involved with.

    Google cares about security to a certain point, beyond this point they shift to $$$ and consider many other things to relate this service with the endless services they offer, Google is not a security firm, they do everything now from mobile phone to operating systems. Security is of little concern to them, It cannot be any other way and their actions over the last few years show that it is an aggressive control seeking big money corporation that all of the world already need to use(if you do not use the Google search it is really your loss so you cant just stop it).

    Do you really want Google to control every bit of communication coming out of your computer? I know I don’t, the email and web search are enough for me. They already scan my mail but apparently it is not enough and their new goal is to control all my traffic, the ads I watch, the porn I watch and EVERYTHING ELSE

    Google crossed to ‘the dark side’, sometime after they bought you-tube, there is no reason to feed them with more power so naturally don’t go for Google DNS.

  14. elpeor December 21, 2009 at 12:10 pm #

    I had stop using openDNS because It was blocking some spanish politics webpages, I just changed my DNS and I could open that web pages. I do not trust openDNS anymore.

  15. Marco February 9, 2010 at 5:13 pm #

    Yesterday I have tested the Google DNS server in my PS3. The download of a 217mb lage video-file reduces to 90 seconds (Internet via cable modem DS 20.000 / US 1.024). Using the original DNS server of my provider the same download terminated after 4 to 5 minutes. During online-playing I didn’t remark any problem. I cannot really say, if there is an improvement as the games are working online in the same speed. It could be that the data-queries and data-responses from the internet and to the internet is more fluent with the Google DNS server.

    I will try for another few days the google servers and if there won’t be any problems, the Google DNS server will be the first server to use. and it is a big difference to spend only 90 secnds for a 217mb donwload as waiting 4 to 5 minutes!!!! :-)