Google launches public DNS resolvers

Fri, 12/04/2009 - 01:48 by Olivier Bonaventure

During the 1990s, most DNS resolvers were open, i.e. any host could send a query to a DNS resolver and obtain an answer, and most of them handled recursive queries as well. Then, during the 2000s, open DNS resolvers suffered from more and more security problems. Best current practice now suggests that DNS resolvers installed inside company networks should only be accessible to the users of that company, and that requests from remote users should be blocked.
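An added example (not part of the original post) of how an administrator can check that practice on a resolver they operate: it builds a recursive query, then reads the RA flag, response code and answer count of the reply to decide whether recursion was served. The function names and the sample replies are constructed for illustration; run from outside the company network, `probe` assumes the queried name exists and is not hosted on the server being tested.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # response, recursion desired, recursion available

def build_query(name, txid=0x1234):
    """Encode an A/IN query for `name` with RD=1, i.e. a recursive query."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify(query, reply):
    """Classify a reply to `query` as 'open', 'closed' or 'invalid'."""
    if len(reply) < 12:
        return "invalid"
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", reply[:8])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "invalid"
    rcode = flags & 0x000F
    # Open: the server advertises recursion (RA) and really resolved the name.
    if flags & RA and rcode == 0 and ancount > 0:
        return "open"
    return "closed"        # REFUSED, SERVFAIL, referral only, or RA clear

def probe(server, name, timeout=3.0):
    """Send the query over UDP from this vantage point and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            reply, _ = s.recvfrom(512)
        except OSError:    # timeout or network error: nothing was served
            return "no-reply"
    return classify(query, reply)

# Constructed sample replies (not captured traffic) for offline checking.
Q = build_query("example.com")
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + Q[12:] + ANSWER
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0) + Q[12:]
```

A resolver that follows the practice above should yield `closed` or `no-reply` when probed from a remote network, and `open` only from inside.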

In a recent announcement, Google decided to go against this best current practice by providing open DNS resolvers that allow anyone to obtain DNS answers. The open Google resolvers are reachable via two anycast addresses:

  • 8.8.8.8
  • 8.8.4.4

Compared to classical DNS resolvers, Google announces the following features and caveats:

  • Google's resolvers use new resolver code rather than an existing DNS resolver implementation. Unfortunately, their code is (not yet?) open source
  • Google's resolvers cache frequently used DNS names and refresh records before they expire
  • Google's resolvers take care of avoiding the recent security problems that have affected the DNS
  • Google's resolvers do not yet support IPv6 completely (they can provide AAAA records but cannot send queries by using IPv6) despite the push for IPv6 inside Google
  • Google's resolvers do not yet implement DNSSEC
  • Google's resolvers log information about the requests received, their origin, ...

An interesting point to watch about Google's DNS resolvers is whether they become the default for Google products such as Chrome or Android and, if so, how Content Distribution Networks such as Akamai will be able to continue to use DNS to redirect requests to local caches. If all Internet users rely on Google's resolvers, CDNs will have to adapt...