Network Computing is part of the Informa Tech Division of Informa PLC


What Goes Around Comes Around: Google's Recursive DNS: Page 2 of 2

Some have suggested that encrypting DNS would be beneficial. There is even an experimental draft, but there is no benefit in encrypting DNS. If an attacker can snoop on your DNS requests, it follows that they can probably snoop on your Internet traffic as well; they therefore already know where you're going by the only address that matters: the IP address of the host you are trying to reach. There are two cases that I want to address, however:

  • The IP address that you are contacting may belong to a host that serves many web sites from one virtual hosting platform. Any of the low-cost hosting providers like BlueHost or GoDaddy house many web sites per IP address. The only way to know which site you are talking to is to examine the Host: header in the HTTP request. Like I already said, if an attacker can snoop on your DNS queries, they can probably snoop on your web traffic as well.
  • The other case is SSL web sites. SSL negotiation occurs before the HTTP request is made, so the Host: header has not been sent yet. An SSL host has to have a dedicated IP address, so snooping the IP address of the destination SSL host is sufficient to see where you're going.

Encrypting DNS is not useful. In fact, it would make lookups slower. Imagine the load a recursive DNS server would be under just encrypting and decrypting queries.

The question is, why would you want to use Google's DNS? The biggest benefit is going to be for consumers whose ISP hijacks DNS requests for names that don't exist and returns the address of an advertising page instead. These "helpful" pages from companies like Verizon, Comcast, OpenDNS and others are supposedly meant to help you find what you were really looking for, but their real purpose is to send you to a page of paid links that generate revenue for the provider. It's not helpful for you. It is helpful for the provider.

In reality, using DNS in this manner breaks applications. Paul Vixie penned a decent overview in ACM Queue, "What DNS Is Not." Vixie takes issue with a number of ways DNS is used beyond its original intention, such as location identification and load balancing, but those uses don't really break anything. Hijacking does. There are many applications other than web browsers (browsing is the most visible, natch) that use DNS for name resolution, and we should expect there to be more in the future. For those applications to work properly, they need to be told when a hostname doesn't exist. As Vixie points out, since DNS redirection is a revenue generator, good luck getting providers to stop.
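A resolver that redirects nonexistent names gives itself away on the wire: a query for a random, unregistered label should come back with RCODE 3 (NXDOMAIN), and a NOERROR reply carrying A records instead is the synthesized answer the article describes. The following check is an added example, not code from the article or from Google; it builds the probe query, parses the reply header and answer section (RFC 1035 wire format, including the usual name-compression pointer), and classifies constructed sample replies rather than talking to any live resolver.

```python
import random
import socket
import string
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN

def random_probe_name(zone="example.com"):
    """A random label under `zone`: nobody registered it, so only NXDOMAIN is honest."""
    return "".join(random.choices(string.ascii_lowercase, k=16)) + "." + zone

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def classify_response(resp):
    """Classify a reply to a probe for a nonexistent name: 'nxdomain' (honest RCODE 3),
    'synthesized' (NOERROR plus A records, i.e. NXDOMAIN redirection) or 'other'."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record: 4-byte IPv4 address
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain", addrs
    return ("synthesized" if rcode == 0 and addrs else "other"), addrs

# Constructed sample replies (not captured from any real resolver) to a probe for
# "qzxvprlkqwenmbca.example.com". Flags 0x818x = QR|RD|RA plus the RCODE nibble.
_Q = build_query("qzxvprlkqwenmbca.example.com")[12:]        # question section only
HONEST_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _Q        # RCODE 3
HIJACKED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q      # RCODE 0
                  + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4)            # A/IN, TTL 60
                  + socket.inet_aton("192.0.2.80"))                           # TEST-NET addr
```

Against a live resolver you would send `build_query(random_probe_name())` over UDP port 53 and hand the reply to `classify_response`; a resolver that honours NXDOMAIN returns the honest verdict, one that redirects returns the advertising page's address.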

If you can't opt out of your provider's DNS redirection (as a Verizon FiOS customer, I know their instructions on opting out of DNS Assistance are incorrect), then using Google Recursive DNS may be your only option. For most consumers who don't opt out, the only real impact will be a search screen for mistyped addresses.