Traditional DNS queries and responses are sent over UDP or TCP without encryption. This is vulnerable to eavesdropping and spoofing (including DNS-based Internet filtering). Responses from recursive resolvers to clients are the most vulnerable to undesired or malicious changes, while communications between recursive resolvers and authoritative nameservers often incorporate additional protection.
To address this problem, Google Public DNS offers DNS resolution over an encrypted HTTPS connection. DNS-over-HTTPS greatly enhances privacy and security between a client and a recursive resolver, and complements DNSSEC to provide end-to-end authenticated DNS lookups.
query(
name,
type = "1",
cd = FALSE,
ct = "application/x-javascript",
do = FALSE,
edns_client_subnet = "0.0.0.0/0",
random_padding = NULL
)

dig(
name,
type = "1",
cd = FALSE,
ct = "application/x-javascript",
do = FALSE,
edns_client_subnet = "0.0.0.0/0",
random_padding = NULL
)
`name`: item to look up. Valid characters are numbers, letters, hyphen, and dot. Length must be between 1 and 255. Names with escaped or non-ASCII characters are not supported. Internationalized domain names must use the punycode format (e.g. "xn--qxam"). If an IPv4 string is input, it will be transformed into a proper format for reverse lookups.
`type`: RR type can be represented as a number in [1, 65535] or canonical string (A, aaaa, etc). More information on RR types can be found here. You can use 255 for an ANY query.
`cd`: (Checking Disabled) flag. Use `TRUE` to disable DNSSEC validation; Default: `FALSE`.
`ct`: (Content Type) Desired content type option. Use `application/dns-message` to receive a binary DNS message in the response HTTP body instead of JSON text. Use `application/x-javascript` (the default) to explicitly request JSON text. Other content type values are ignored and default JSON content is returned.
`do`: (DNSSEC OK) flag. Use `TRUE` to include DNSSEC records (RRSIG, NSEC, NSEC3); Default: `FALSE`.
`edns_client_subnet`: The edns0-client-subnet option. Format is an IP address with a subnet mask. Examples: 1.2.3.4/24, 2001:700:300::/48. If you are using DNS-over-HTTPS because of privacy concerns, and do not want any part of your IP address to be sent to authoritative nameservers for geographic location accuracy, use edns_client_subnet=0.0.0.0/0. Google Public DNS normally sends approximate network information (usually replacing the last part of your IPv4 address with zeroes). 0.0.0.0/0 is the default.
`random_padding`: Clients concerned about possible side-channel privacy attacks using the packet sizes of HTTPS GET requests can use this to make all requests exactly the same size by padding requests with random data. To prevent misinterpretation of the URL, restrict the padding characters to the unreserved URL characters: upper- and lower-case letters, digits, hyphen, period, underscore and tilde.
A list with the query result, or NULL if an error occurred.
To perform vectorized queries with only answers (and no metadata), use bulk_query().
<https://developers.google.com/speed/public-dns/docs/doh/json>
# NOT RUN {
if (tinytest::at_home()) {
query("rud.is")
dig("example.com", "255") # ANY query
query("microsoft.com", "MX")
dig("google-public-dns-a.google.com", "TXT")
query("apple.com")
dig("17.142.160.59", "PTR")
}
# }
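The `name` rules, the IPv4 reverse-lookup transformation and the `random_padding` size equalization described in the arguments above, as an added sketch that is not code from this page or from the package. It only builds request URLs and sends nothing; the `ENDPOINT` value, `TARGET_LEN` and all function names are assumptions made for illustration.

```r
# Added example: builds request URLs only; no network traffic is sent.
# ENDPOINT and TARGET_LEN are assumptions, not values from this page.
ENDPOINT   <- "https://dns.google/resolve"
TARGET_LEN <- 128L
# Unreserved URL characters: letters, digits, hyphen, period, underscore, tilde.
UNRESERVED <- c(LETTERS, letters, 0:9, "-", ".", "_", "~")

# Enforce the documented `name` rules: letters, digits, hyphen, dot; 1-255 chars.
valid_name <- function(name) {
  nchar(name) >= 1 && nchar(name) <= 255 && grepl("^[A-Za-z0-9.-]+$", name)
}

# Turn a dotted-quad IPv4 string into its reverse-lookup name; pass others through.
to_reverse <- function(name) {
  if (!grepl("^([0-9]{1,3}\\.){3}[0-9]{1,3}$", name)) return(name)
  octets <- rev(strsplit(name, ".", fixed = TRUE)[[1]])
  paste0(paste(octets, collapse = "."), ".in-addr.arpa")
}

# Build a GET URL and pad it with random unreserved characters to TARGET_LEN,
# so every request line has the same length regardless of the name queried.
padded_url <- function(name, type = "1", subnet = "0.0.0.0/0") {
  stopifnot(valid_name(name))
  url <- paste0(ENDPOINT,
                "?name=", to_reverse(name),
                "&type=", type,
                "&edns_client_subnet=", subnet,
                "&random_padding=")
  n_pad <- TARGET_LEN - nchar(url)
  if (n_pad < 0) stop("URL exceeds TARGET_LEN; raise TARGET_LEN")
  paste0(url, paste(sample(UNRESERVED, n_pad, replace = TRUE), collapse = ""))
}

# Constructed sample inputs: two hostnames and one IPv4 address.
urls <- vapply(c("rud.is", "microsoft.com", "17.142.160.59"),
               padded_url, character(1))
print(unname(urls))
# Every URL must have identical length, whatever the queried name.
stopifnot(all(nchar(urls) == TARGET_LEN))
```

Choose `TARGET_LEN` to cover the longest unpadded URL you expect; the function stops instead of emitting a request whose size would stand out.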