Upcoming Change to TLS Connection Handling for Google Public DNS (DoT/DoH)


Ernesto Level

Oct 15, 2025, 4:28:01 PM
to public-dns-discuss

Dear Google Public DNS Users,


We are writing to inform you about an upcoming change in how our servers establish secure connections for DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH).


To enhance security and adhere to standards, we will be enforcing stricter Application-Layer Protocol Negotiation (ALPN) validation during the TLS handshake. This means that for a TLS connection to be successful, the client and the server must successfully negotiate a common application protocol. The list of valid TLS ALPN protocol IDs can be found in https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids


What is changing?

Currently, in some cases where a client and server do not share any supported ALPN protocols, the connection might still proceed with a fallback. After this change, TLS handshakes will be rejected if the client's list of advertised ALPN protocols has no overlap with those supported by Google Public DNS.


What is the impact?

We expect this change to affect a very small number of clients – less than 0.01%, who are specifying invalid protocol IDs, e.g. “ipv6=no”. Specifically, clients that are not advertising standard ALPN protocols for the service they are trying to use (DoT or DoH) may experience connection failures.


What do I need to do?

If you are using DoT or DoH with Google Public DNS, please ensure your client is correctly configured to advertise the appropriate standard ALPN protocols:


  • For DNS-over-HTTPS (DoH), clients should advertise standard HTTP protocols, such as “h2” (HTTP/2) and “http/1.1”.

  • For DNS-over-TLS (DoT), clients should advertise the standard “dot” protocol.


Most standard-compliant DoT and DoH client software and libraries handle this correctly. This change is unlikely to affect you if your software is up to date. If you find that it is not feasible to perform this change, please contact us via https://developers.google.com/speed/public-dns/groups#issue_tracker


This change will be rolled out starting 2025-10-27.


The Google Public DNS Team
