<div dir="ltr"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Dear users and nameserver operators,</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">We are very excited to announce that case randomization of DNS query names sent to authoritative nameservers has been enabled globally in Google Public DNS!</span><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> This means that almost all UDP queries (over 90% based on recent measurements) sent from Google Public DNS to authoritative nameservers are protected with case randomization. 
This significantly reduces the risk of cache poisoning attacks.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">This is part of our ongoing efforts to enhance security against cache poisoning attacks, and as previously </span><a href="https://groups.google.com/g/public-dns-announce/c/MLsrx8dI2n4/m/X0OvJDOYGwAJ" style="text-decoration:none"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">announced</span></a><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, we have been in the process of enabling </span><a href="https://developers.google.com/speed/public-dns/docs/security#randomize_case" style="text-decoration:none"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">case randomization</span></a><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> of DNS query names sent to authoritative nameservers by default since last year. 
We discovered that this mechanism, originally proposed in a March 2008 draft “</span><a href="https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00" style="text-decoration:none"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Use of Bit 0x20 in DNS Labels to Improve Transaction Identity</span></a><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">”, is highly effective and widely supported. (For more information about our broader efforts, please read our presentations at </span><a href="https://indico.dns-oarc.net/event/43/contributions/917/" style="text-decoration:none"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">OARC 38</span></a><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> and </span><a href="https://indico.dns-oarc.net/event/46/contributions/978/" style="text-decoration:none"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">OARC 40</span></a><span 
style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">.)</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">To mitigate query resolution failures due to non-compliant responses from a minority of servers, we have implemented a number of mechanisms: auto-detection of non-conformance, TCP retry for non-case-preserving responses, and a small exception list of non-compliant servers. Nevertheless, we strongly recommend that nameservers preserve the query name case in their response.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">In addition to observing some failures to preserve query name case, we have also observed some nameservers that respond to mixed-case queries with NXDOMAIN or a timeout. 
This violates the DNS character case requirements (</span><a href="https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.3" style="text-decoration:none"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">RFC 1035 section 2.3.3</span></a><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">) and is more difficult to detect or work around. We strongly recommend that nameservers fix such issues.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">If you believe you have discovered name resolution failures with Google Public DNS due to case randomization, please file a bug in our </span><a href="https://developers.google.com/speed/public-dns/groups#issue_tracker" style="text-decoration:none"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">issue tracker</span></a><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">. 
We welcome any feedback at </span><a href="https://developers.google.com/speed/public-dns/groups" style="text-decoration:none"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">https://developers.google.com/speed/public-dns/groups</span></a><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">- Tianhao Chi</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Roboto,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">On behalf of Google Public DNS</span></p></div>
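As an added illustration (not part of the announcement and not Google Public DNS code), the following Python models the resolver-side 0x20 check the announcement describes: it randomizes the case of a query name, builds a minimal wire-format query, and classifies a constructed response as case-preserving, case-not-preserved (the case that triggers the TCP retry) or NXDOMAIN, which on its own cannot be told apart from a genuine NXDOMAIN. All function names and the sample names are assumptions of this example.

```python
import random
import struct

def encode_name(name: str) -> bytes:
    # Wire-encode a domain name as length-prefixed labels (no compression).
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def randomize_case(name: str, rng=None) -> str:
    # DNS 0x20: flip bit 0x20 of each letter with unpredictable bits; digits, hyphens, dots untouched.
    rng = rng or random.SystemRandom()
    return "".join((c.upper() if rng.getrandbits(1) else c.lower()) if c.isalpha() else c
                   for c in name)

def build_query(qname: str, txid: int) -> bytes:
    # Minimal A/IN query: 12-byte header (RD set, QDCOUNT=1) + question section.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def parse_question(msg: bytes):
    # Return (txid, rcode, qname exactly as spelled in the message).
    txid, flags = struct.unpack("!HH", msg[:4])
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return txid, flags & 0x000F, ".".join(labels)

def classify_response(query: bytes, response: bytes) -> str:
    # Resolver-side verdicts mirroring the checks the announcement describes.
    qid, _, sent = parse_question(query)
    rid, rcode, got = parse_question(response)
    if rid != qid or got.lower() != sent.lower():
        return "reject"              # not an answer to our question: drop it
    if got != sent:
        return "case_not_preserved"  # case mismatch: retry the query over TCP
    if rcode == 3:
        return "nxdomain"            # real NXDOMAIN or a server rejecting mixed case: not distinguishable here
    return "ok"

def fake_response(query: bytes, echoed_qname: str, rcode: int) -> bytes:
    # Constructed sample response: same txid, QR/RD/RA set, question echoed as given.
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0)
    return header + encode_name(echoed_qname) + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    q = build_query(randomize_case("example.com"), 0x1234)  # constructed sample name
    print(classify_response(q, fake_response(q, parse_question(q)[2].lower(), 0)))
```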