Dear users and nameserver operators,
We are very excited to announce that case randomization of DNS query names to nameservers has been enabled globally for Google Public DNS! This means that almost all UDP queries (over 90% based on recent measurements) sent from Google Public DNS to authoritative nameservers are protected with case randomization. This significantly reduces the risk of cache poisoning attacks.
This is part of our ongoing efforts to enhance security against cache poisoning attacks, and as previously announced, we have been in the process of enabling case randomization of DNS query names sent to authoritative nameservers by default since last year. We discovered that this mechanism, originally proposed in a March 2008 draft, “Use of Bit 0x20 in DNS Labels to Improve Transaction Identity”, is highly effective and widely supported. (For more information about our broader efforts, please read our presentations at OARC 38 and OARC 40.)
To mitigate query resolution failures due to non-compliant responses from servers, we have implemented a number of mechanisms: auto-detection of non-conformance, TCP retry for responses that do not preserve the query case, and a small exception list of non-compliant servers. Nevertheless, we still strongly recommend that nameservers preserve the query case in the response.
We have also observed cases where nameservers for a set of domains respond incorrectly with NXDOMAIN, or time out, on queries with mixed case. We strongly recommend that nameservers fix this, as required in RFC 1035 section 2.3.3.
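The following is an added example, not code from the announcement or from Google Public DNS, showing the two halves of the mechanism described above: how a resolver randomizes the 0x20 bit of each letter in the query name, and the case-sensitive comparison it applies to the question section of the reply. Two simulated servers (both constructed for this example) illustrate the compliant behaviour required by RFC 1035 section 2.3.3 and the non-conformant behaviour of a server that lowercases the name before copying it into the response. The domain name, transaction IDs and helper names are assumptions; the wire format is the standard DNS header and question layout.

```python
import random
import struct
from typing import Optional, Tuple

# Constructed example name; not one of the domains the announcement refers to.
EXAMPLE_NAME = "www.example.com"
QTYPE_A = 1
QCLASS_IN = 1


def randomize_case(name: str, rng: Optional[random.Random] = None) -> str:
    """Flip the 0x20 bit of each ASCII letter in a query name at random.

    DNS names are case-insensitive, so a server must resolve 'ExAmPlE.CoM'
    exactly as 'example.com', but RFC 1035 section 2.3.3 requires it to copy
    the question back into the response with the case preserved. Each letter
    is therefore one more bit an off-path forger would have to guess.
    """
    rng = rng or random.SystemRandom()
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower())
        if ch.isascii() and ch.isalpha() else ch
        for ch in name
    )


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels (no compression)."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def decode_qname(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in the question")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """Standard 12-byte header (RD set, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(msg: bytes) -> Tuple[int, int, str, int, int]:
    """Return (txid, flags, qname, qtype, qclass) from a single-question message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_qname(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, flags, qname, qtype, qclass


def response_matches_query(query: bytes, response: bytes) -> bool:
    """The resolver's acceptance test for a UDP reply.

    The transaction ID must match and the question must be an exact,
    case-sensitive copy of what was sent. A reply whose name was lowercased
    by the server, or forged without knowing the random case pattern, fails
    here and is discarded (the announcement describes a TCP retry for the
    former case).
    """
    q_id, _, q_name, q_type, q_class = parse_question(query)
    r_id, r_flags, r_name, r_type, r_class = parse_question(response)
    if not r_flags & 0x8000:  # QR bit must be set on a response
        return False
    return (q_id, q_name, q_type, q_class) == (r_id, r_name, r_type, r_class)


def compliant_server(query: bytes) -> bytes:
    """Simulated conformant server: echoes the question section byte-for-byte."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + query[12:]


def lowercasing_server(query: bytes) -> bytes:
    """Simulated non-conformant server: normalises the name before copying it."""
    txid, _, qname, qtype, qclass = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    return header + encode_qname(qname.lower()) + struct.pack("!HH", qtype, qclass)


if __name__ == "__main__":
    qname = randomize_case(EXAMPLE_NAME)
    query = build_query(0x1234, qname)
    print("sent:", qname)
    print("compliant server accepted:", response_matches_query(query, compliant_server(query)))
    print("lowercasing server accepted:", response_matches_query(query, lowercasing_server(query)))
```

Running the block with a randomized name shows the compliant reply accepted and the lowercasing reply rejected (unless the random draw happened to leave every letter lowercase, which is exactly why the check adds entropy only in proportion to the number of letters in the name). Operators can apply the same comparison to replies from their own servers: send a mixed-case question and confirm the question section comes back unchanged, with neither NXDOMAIN nor a timeout.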
If you believe you have discovered name resolution failures with Google Public DNS due to case randomization, please file a bug in our issue tracker. We welcome any feedback at https://developers.google.com/speed/public-dns/groups.
- Tianhao Chi
On behalf of Google Public DNS