Google Online Security Blog

Google Public DNS’s approach to fight against cache poisoning attacks

The Domain Name System (DNS) translates domain names into IP addresses, which is what lets devices find each other on the internet. DNS was designed without security measures, so a resolver that sends a query over UDP will accept whichever response arrives first and looks right. In a cache poisoning attack, an off-path attacker races the legitimate authoritative server by flooding the resolver with forged responses; if one is accepted, the bogus record is cached and served to every client of that resolver, redirecting users to attacker-controlled addresses.

Google Public DNS uses several complementary defences against this:

* The mitigations in RFC 5452 ("Measures for Making DNS More Resilient against Forged Answers"): a random UDP source port and a random 16-bit query ID for every outgoing query. A forged response is only accepted if it arrives at the right port with the right ID, so each bit of randomness the attacker cannot observe halves the chance that a spoofed packet matches.
* DNS Cookies (RFC 7873), which Google Public DNS has implemented, but which have found limited support among authoritative servers.
* Query name case randomization (the "0x20" technique, proposed in a 2008 Internet-Draft): the resolver randomizes the case of the letters in the query name, and since authoritative servers copy the question section back verbatim, the response must reproduce exactly that casing. This has proven effective and is now enabled by default, covering over 90% of Google Public DNS's UDP traffic to nameservers.
* DNS-over-TLS to authoritative nameservers (ADoT), which encrypts the resolver-to-authoritative leg and so provides both security and privacy for the queries it carries.

With these countermeasures in place, Google Public DNS provides protection against passive cache poisoning attacks for over 90% of its authoritative queries. Google encourages DNS server operators to support multiple of these security mechanisms, since no single one covers every nameserver, and it participates in the DNS community to improve DNS security standards overall. For more technical details, refer to Google's presentations at DNS-OARC 38 and 40.
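The randomization defences described above, as an added worked example in Python (this is illustrative code written for this page, not Google Public DNS's implementation): it builds a query with a random transaction ID, a random source port and a 0x20-mixed query name, then applies the resolver-side acceptance check that any response, genuine or forged, has to pass. The ephemeral port range, the `example.com` inputs and the `PendingQuery` bookkeeping are assumptions of this example, not something the post specifies.

```python
"""Off-path spoofing defences from RFC 5452 plus 0x20 case randomization,
modelled on the resolver side. Example code, not Google Public DNS's."""
import math
import random
import struct
from dataclasses import dataclass

# Assumed ephemeral source-port range; real resolvers pick their own.
EPHEMERAL_PORTS = range(1024, 65536)


@dataclass(frozen=True)
class PendingQuery:
    txid: int        # random 16-bit transaction ID
    src_port: int    # random UDP source port the query left from
    qname: str       # query name exactly as sent (mixed case)
    question: bytes  # wire-format question section exactly as sent


def randomize_case(name: str, rng: random.Random) -> str:
    """0x20 trick: give each ASCII letter of the QNAME a random case.
    Servers copy the question back verbatim, so the case bits are extra
    entropy an off-path attacker has to guess along with ID and port."""
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower())
        if ch.isascii() and ch.isalpha() else ch
        for ch in name
    )


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels, preserving case."""
    wire = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        wire.append(len(raw))
        wire += raw
    wire.append(0)
    return bytes(wire)


def build_query(name: str, qtype: int = 1, rng=None):
    """Build a query using all three randomizations; returns the record the
    resolver keeps for matching and the bytes it would put on the wire."""
    rng = rng or random.SystemRandom()
    txid = rng.getrandbits(16)
    src_port = rng.choice(EPHEMERAL_PORTS)
    qname = randomize_case(name, rng)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return PendingQuery(txid, src_port, qname, question), header + question


def forge_response(txid: int, name: str, qtype: int = 1) -> bytes:
    """What a spoofer (or a genuine server) sends back: a response whose
    question section uses whatever ID and casing the sender knows."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)  # QR=1, RD, RA
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def accept_response(pending: PendingQuery, dst_port: int, resp: bytes) -> bool:
    """Resolver-side check: right port, right ID, and a byte-exact
    (therefore case-sensitive) copy of the question we sent."""
    if dst_port != pending.src_port or len(resp) < 12:
        return False
    txid, flags, qdcount = struct.unpack("!HHH", resp[:6])
    if txid != pending.txid or not flags & 0x8000 or qdcount != 1:
        return False
    end = 12 + len(pending.question)
    # A spoofer who only knows the lowercase name fails this comparison.
    return resp[12:end] == pending.question


def entropy_bits(name: str) -> dict:
    """Bits an off-path attacker must guess per forged packet, by source."""
    letters = sum(1 for ch in name if ch.isascii() and ch.isalpha())
    return {
        "txid": 16,
        "port": round(math.log2(len(EPHEMERAL_PORTS)), 2),
        "case": letters,
    }


if __name__ == "__main__":
    pending, wire = build_query("example.com")
    print("sent", pending.qname, "from port", pending.src_port, "id", hex(pending.txid))
    print("genuine echo accepted:",
          accept_response(pending, pending.src_port, forge_response(pending.txid, pending.qname)))
    print("lowercase forgery accepted:",
          accept_response(pending, pending.src_port, forge_response(pending.txid, "example.com")))
    print("entropy per packet:", entropy_bits("example.com"))
```

The comparison in `accept_response` is deliberately byte-exact rather than a case-folded name match: the case bits only add entropy if the resolver insists on getting them back unchanged, which in turn only works against nameservers that echo the question verbatim. That dependency is why a resolver has to measure which servers tolerate 0x20 before turning it on by default, and why the post treats DNS Cookies and ADoT as separate, complementary layers rather than substitutes.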
security.googleblog.com