Verify using Google DNS


Jim Popovitch

Dec 8, 2016, 1:48:51 PM
to public-dns-discuss
It's been reported here before (by Alex) yet I can no longer find it.  :-(

How do I verify that my DNS queries are actually hitting Google DNS servers?

-Jim P.

Alex Dupuy

Dec 8, 2016, 2:26:01 PM
to public-dns-discuss
I did answer this at https://groups.google.com/d/msg/public-dns-discuss/o_75vsHCeX4/0e15xMsSBAAJ but you wouldn't find that in search without knowing the answer, which is a TXT query to test.dns.google.com.

In addition to the test.dns.google.com/TXT query (described in detail at the end), there are other (less easily spoofed) mechanisms to check (if you are really paranoid about stealthy hijacking):

https://cmdns.dev.dns-oarc.net/ will tell you about the security of your browser's resolver (and if the Whois column of the results has all GOOGLE/GOOGLE-IPV6 then your queries are going through Google Public DNS)

You can partially replicate the Check My DNS resolver identification by hand (IPv4 only) using a simple DNS A query to whoami.akamai.net:

whoami.akamai.net has address 74.125.177.72

or a TXT query to o-o.myaddr.l.google.com:

$ dig -t TXT +short o-o.myaddr.l.google.com
"74.125.42.137"
"edns0-client-subnet 192.168.16.0/22"

and then verifying Google ownership of the resulting IP address at https://gwhois.org/74.125.177.72 (however that test is not as spoof-proof as Check My DNS) and the TXT query may return cached results for up to a minute, so the EDNS Client Subnet data may be wrong.

If you are using dig:

If you are using Google Public DNS
$ dig -t TXT +noall +answer +comment test.dns.google.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32653
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
test.dns.google.com. 5 IN TXT "Thanks for using Google Public DNS."

If you are not using Google Public DNS
$ dig -t TXT +noall +answer +comment test.dns.google.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50328
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

If you are using nslookup (Windows, mostly):

If you are using Google Public DNS
$ nslookup -q=TXT test.dns.google.com
Server: 127.0.1.1
Address: 127.0.1.1#53
Non-authoritative answer:
test.dns.google.com text = "Thanks for using Google Public DNS."
Authoritative answers can be found from:


If you are not using Google Public DNS
$ nslookup -q=TXT test.dns.google.com 4.2.2.1
Server: 4.2.2.1
Address: 4.2.2.1#53
** server can't find test.dns.google.com: NXDOMAIN
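
The checks from the post above, scripted as an added example that is not part of the original thread: it classifies the test.dns.google.com TXT output (dig or nslookup format) and extracts the resolver egress IP from the o-o.myaddr.l.google.com answer. The function names `classify_test_txt` and `resolver_egress` are hypothetical, and the `DIG_ODD` sample is constructed; the other samples are trimmed from the outputs quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Runs offline on the embedded samples.
# Live use (needs dig and network access):
#   dig -t TXT +noall +answer +comment test.dns.google.com | classify_test_txt
#   dig -t TXT +short o-o.myaddr.l.google.com | resolver_egress

# Classify test.dns.google.com TXT output (dig or nslookup) read on stdin.
# "google" only means the answer looks right; this check is the spoofable one.
classify_test_txt() {
    awk '
        /status: [A-Z]+/ {                       # dig header line
            match($0, /status: [A-Z]+/)
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /server can.t find / {                   # nslookup error line
            n = split($0, part, ": "); status = part[n]
        }
        ($1 == "test.dns.google.com." || $1 == "test.dns.google.com") &&
            index($0, "\"Thanks for using Google Public DNS.\"") { thanks = 1 }
        END {
            if (thanks && (status == "" || status == "NOERROR")) print "google"
            else if (status == "NXDOMAIN") print "not-google"
            else print "inconclusive"            # SERVFAIL, no reply, other TXT
        }'
}

# Print the resolver egress IP and EDNS Client Subnet from the
# o-o.myaddr.l.google.com answer; the IP still needs an ownership lookup.
resolver_egress() {
    awk '{ gsub(/"/, "") }
         $1 == "edns0-client-subnet" { ecs = $2; next }
         NF == 1 { ip = $1 }
         END { print ip, (ecs == "" ? "no-ecs" : ecs) }'
}

DIG_GOOGLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32653
test.dns.google.com. 5 IN TXT "Thanks for using Google Public DNS."'
DIG_OTHER=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50328'
NSLOOKUP_OTHER="** server can't find test.dns.google.com: NXDOMAIN"
# Constructed: NOERROR with a different TXT string, so no verdict is possible.
DIG_ODD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
test.dns.google.com. 5 IN TXT "placeholder"'
MYADDR='"74.125.42.137"
"edns0-client-subnet 192.168.16.0/22"'

for s in "$DIG_GOOGLE" "$DIG_OTHER" "$NSLOOKUP_OTHER" "$DIG_ODD"; do
    printf '%s\n' "$s" | classify_test_txt
done
printf '%s\n' "$MYADDR" | resolver_egress
```

An "inconclusive" verdict covers answers that are neither the expected TXT string nor NXDOMAIN.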

Jim Popovitch

Dec 8, 2016, 4:04:13 PM
to public-dns-discuss
Top Notch Alex, Thanks!!

-Jim P.

 