Google Makes DNS Over HTTPS Generally Available
Google this week announced the general availability of its standard DNS over HTTPS (DoH) service, which includes full RFC 8484 support.
The DoH protocol is meant for sending DNS queries and getting DNS responses over HTTP using TLS security for integrity and confidentiality, as detailed in RFC 8484.
Google has launched its DoH service in 2016, as an experiment, but is now confident to roll it out generally with full RFC 8484 support at a new URL path, as well as with support for the JSON API. The service builds on Google Public DNS, which was launched in 2009.
“Now our users can resolve DNS using DoH at the dns.google domain with the same anycast addresses (like 184.108.40.206) as regular DNS service, with lower latency from our edge PoPs throughout the world,” Google reveals.
“We are deprecating internet-draft DoH support on the /experimental URL path and DoH service from dns.google.com, and will turn down support for them in a few months,” the Internet company reveals.
Google Public DNS, the search giant explains, is meant to provide fast, private, and secure DNS resolution through both DoH and DNS over TLS (DoT). Thus, the JSON API will be supported until there is a comparable standard for webapp-friendly DoH.
Developers looking to leverage Google’s DoH service should configure their applications to use the new DoH endpoints, as well as to properly handle HTTP 4xx error and 3xx redirection status codes.
Developers should set apps to use dns.google instead of dns.google.com and should switch to the new /dns-query URL path and confirm full RFC 8484 compliance. Those using the JSON API can employ two new GET parameters for DNS/DoH proxies or DNSSEC-aware applications.
In 30 days, Google will turn down the /experimental API and HTTP requests for it will get an HTTP redirect to an equivalent https://dns.google/dns-query URI. Thus, developers should ensure DoH applications handle HTTP redirects by retrying at the URI specified in the Location header.
The dns.google.com will be taken down in three stages, Google also explains.
Within 45 days, the dns.google.com domain name will be updated to return 220.127.116.11 and other Google Public DNS anycast addresses, but will continue to return DNS responses to queries sent to former addresses of dns.google.com.
In 90 days, the company will return HTTP redirects to dns.google for queries sent to former addresses of dns.google.com. Finally, in 12 months, HTTP redirects will be sent to dns.google for all queries sent to the anycast addresses using the dns.google.com domain.
The Internet giant says it will post timelines for redirections on the public‑dns‑announce forum and on the DoH migration page. The company also published DoH documentation containing required technical details.