Google Public DNS has enabled case randomization globally
Tianhao Chi
chitianhao at google.com
Wed Jul 26 16:46:40 UTC 2023
Dear users and nameserver operators,
We are very excited to announce that case randomization of DNS query names
sent to authoritative nameservers has been enabled globally in Google
Public DNS! This means that almost all UDP queries (over 90% based on
recent measurements) sent from Google Public DNS to authoritative
nameservers are protected with case randomization. This significantly
reduces the risk of cache poisoning attacks.
This is part of our ongoing efforts to enhance security against cache
poisoning attacks, and as previously announced
<https://groups.google.com/g/public-dns-announce/c/MLsrx8dI2n4/m/X0OvJDOYGwAJ>,
we have been in the process of enabling case randomization
<https://developers.google.com/speed/public-dns/docs/security#randomize_case>
of DNS query names sent to authoritative nameservers by default since last
year. We discovered that this mechanism, originally proposed in a March
2008 draft “Use of Bit 0x20 in DNS Labels to Improve Transaction Identity
<https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00>”, is
highly effective and widely supported. (For more information about our
broader efforts, please read our presentations at OARC 38
<https://indico.dns-oarc.net/event/43/contributions/917/> and OARC 40
<https://indico.dns-oarc.net/event/46/contributions/978/>)
To mitigate query resolution failures due to non-compliant responses from a
minority of servers, we have implemented a number of mechanisms:
auto-detection of non-conformance, TCP retry for non-case-preserving
responses, and a small exception list of non-compliant servers.
Nevertheless, we strongly recommend that nameservers preserve the query
name case in their response.
In addition to observing some failures to preserve query name case, we
have also observed some nameservers that respond to mixed-case queries with
NXDOMAIN or timeout. This violates the DNS character case requirements (RFC
1035 section 2.3.3
<https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.3>) and is more
difficult to detect or work around. We strongly recommend that nameservers
fix such issues.
If you believe you have discovered name resolution failures with Google
Public DNS due to case randomization, please file a bug in our issue tracker
<https://developers.google.com/speed/public-dns/groups#issue_tracker>. We
welcome any feedback at
https://developers.google.com/speed/public-dns/groups.
- Tianhao Chi
On behalf of Google Public DNS
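The resolver-side mechanism described in the announcement above, as an added example that is not part of the original post and not Google Public DNS code: the query name's letters get random case (0x20) before the query goes out, and the response's question section is compared byte-for-byte against what was sent. A response whose name matches only case-insensitively is the "non-case-preserving" case the post mentions; a response with a different ID or a different name is dropped. The wire-format packets, transaction IDs and names are constructed here for the example and stand in for real traffic.

```python
from __future__ import annotations
import secrets
import struct


def randomize_case(qname: str) -> str:
    """0x20 randomization: each ASCII letter gets a random case, everything else is kept."""
    return "".join(
        (ch.upper() if secrets.randbits(1) else ch.lower())
        if ch.isascii() and ch.isalpha() else ch
        for ch in qname
    )


def extra_entropy_bits(qname: str) -> int:
    """Bits 0x20 adds on top of the 16-bit ID and the source port: one per ASCII letter."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def encode_qname(qname: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte; case is kept as given."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_qname(data: bytes, offset: int) -> tuple[str, int]:
    """Decode an uncompressed name at offset; returns (dotted name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal query a resolver would send to an authoritative server: header + one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def make_response(txid: int, echoed_qname: str) -> bytes:
    """Constructed sample response (QR=1, no answers) echoing the given question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    return header + encode_qname(echoed_qname) + struct.pack("!HH", 1, 1)


def check_response(query: bytes, response: bytes) -> str:
    """Classify a UDP response against the query we sent.

    "reject": ID, QR bit or name (even ignoring case) does not match; drop it.
    "non-case-preserving": same name ignoring case but not byte-for-byte. A
        legitimate server that folds case and a forged reply that guessed the
        ID but not the case look identical here, so do not accept it from UDP;
        retry the query over TCP (the hypothetical caller's job) where a
        blind spoofer cannot complete the handshake.
    "accept": ID and name match exactly.
    """
    q_txid, r_txid = struct.unpack("!H", query[:2])[0], struct.unpack("!H", response[:2])[0]
    if q_txid != r_txid or not response[2] & 0x80:
        return "reject"
    q_name, _ = decode_qname(query, 12)
    r_name, _ = decode_qname(response, 12)
    if q_name.lower() != r_name.lower():
        return "reject"
    if q_name != r_name:
        return "non-case-preserving"
    return "accept"


if __name__ == "__main__":
    name = randomize_case("www.example.com.")
    q = build_query(secrets.randbits(16), name)
    print(name, "adds", extra_entropy_bits(name), "bits")
    print(check_response(q, make_response(struct.unpack("!H", q[:2])[0], name)))
```

The comparison is case-sensitive on purpose: folding the response name before comparing would throw away exactly the entropy 0x20 is meant to add. The "non-case-preserving" branch is the place to hook auto-detection and the TCP retry mentioned in the post.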