Google Public DNS now supports RFC 8484 DoH on 8.8.8.8

[Alexander Dupuy]

Dear Google Public DNS users,

In the Google Security Blog today, we are announcing GA support for for the RFC 8484 standard DNS over HTTPS (DoH) protocol web API. In addition to full support for the final RFC standard version, we now support the DoH API from 8.8.8.8 and our other anycast IP addresses.

Technical details of the updated service are in our DoH documentation, and DoH application developers and users of those applications will need to migrate to the new DoH endpoints in the next few months.

If you have a problem using the updated Google DoH service, you can create an issue on our tracker or ask on our discussion group. As always, please provide as much information as possible to help us investigate the problem!

Alexander Dupuy

[Alex Dupuy]

A reminder for anyone using DNS over HTTP (DoH) with the dns.google.com/experimental URL.

In just over a week, starting on July 23, support for early IETF internet draft versions of DoH at https://dns.google.com/experimental will be discontinued, and DoH queries to the service will receive HTTP 301 redirects to https://dns.google/dns-query (preserving any ?dns=... GET parameter).

Anyone using a DoH client that uses dns.google.com/experimental should reconfigure it to use the new URL, and in some cases may need to update the software of the DoH client. Clients that may be configured to use this deprecated URL include:

• DNSCrypt-Proxy (https://dnscrypt.info)
• Cloudflared and other DoH proxies using the Golang CoreDNS library (https://coredns.io)

Older versions of the CoreDNS DoH client support are not compatible with the RFC 8484 DoH API (they use an obsolete MIME type). Developers using CoreDNS-based DoH clients should be sure to update to a more recent version of CoreDNS using the application/dns-message MIME type. This is necessary to work with the DoH service at dns.google/dns-query.

Developers should consider adding support for following HTTP redirects so that these sorts of changes are transparent to users. Anyone can test HTTP redirect support in a DoH client by configuring the DoH URL with an https://8.8.8.8/ base. DoH queries to https://8.8.8.8/experimental are already redirected in exactly the same way that queries to https://dns.google.com/experimental will be redirected starting July 23.

See https://developers.google.com/speed/public-dns/docs/doh/migration#timeline for more details on the migration of dns.google.com/experimental and other DoH services using dns.google.com.