The Domain Name System (DNS) translates human-readable domain names like google.com into the machine-readable IP address of a website, like 172.217.3.206. DNS Security Extensions (DNSSEC) add cryptographic signatures to your zone so that validating resolvers can detect forged or altered answers; set it up to protect your domain against cache poisoning attacks and DNS spoofing. DNSSEC authenticates DNS data, it does not encrypt it.
Turn on DNSSEC for your domain
Important:
- Some Top-level Domains (TLDs) accept DNS Public Key (DNSKEY) records instead of Delegation Signer (DS) records.
- If you originally purchased your domain name from Google Domains, DNSSEC might already be set up for you.
- If your domain has an ALIAS record, you cannot enable DNSSEC. Learn more about ALIAS records.
To set up DNSSEC for your domain, you must add specific resource records to your DNS or signing zone and publish them for your domain. If you use the automatic DNSSEC setup of Google Domains, we handle both steps for you. It can take up to 24 hours for the changes to update across the internet before DNSSEC is active.
- Sign in to Google Domains.
- Select your domain.
- At the top left, select Menu DNS.
- Select either Default name servers or Custom name servers.
- Scroll to the “DNSSEC” card or box.
- For default name servers: Click Turn on. If DNSSEC is already turned on, “DNSSEC enabled” is displayed.
- For custom name servers: Click Manage DS records, then enter the DS values (or, for TLDs that accept them, the DNSKEY values) supplied by your third-party DNS provider.
- To add multiple records at the same time, click Create new record.
- Click Save.
Tips:
- If you choose not to wait for your DNSKEY records to be published, under “DNSSEC,” expand the DNSSEC card and click Publish records now.
- When you turn on DNSSEC, Google Domains automatically signs your DNS zone and publishes your Delegation Signer (DS) records within 2 hours.
If you use custom name servers, you must work with your third-party DNS provider to sign the DNS zone for your domain. For each DS record, get the following values from your DNS provider:
- Key tag: 16-bit number computed from the DNSKEY record that identifies which key the DS refers to. It is not guaranteed to be unique; resolvers use it as a hint and also match on the algorithm.
- Algorithm: Signature algorithm (not an encryption algorithm) of the key pair in the DNSKEY record, given as its registry number, for example 8 (RSA/SHA-256) or 13 (ECDSA P-256/SHA-256). RSA/SHA-1 (5) still appears in older setups but is deprecated for signing new zones.
- Digest type: Hash function that produces the digest of the DNSKEY record (1 = SHA-1, 2 = SHA-256, 4 = SHA-384). It's also called a digest algorithm, digest hash, or digest hash function; SHA-256 is the usual choice today.
- Digest: Hash of the owner name plus the DNSKEY record's data. It identifies the key without including the key itself and must match the DNSKEY exactly, or the delegation will not validate. Based on the digest type, the length is one of the following:
- SHA1: 40 hexadecimal digits
- SHA256: 64 hexadecimal digits
- SHA384: 96 hexadecimal digits
If you use custom name servers and your TLD accepts DNSKEY records instead of DS records, ask your third-party DNS provider to sign the DNS zone for your domain, then get the following values for each DNSKEY:
- Flags: Bits that tell resolvers how to interpret the DNSKEY record. The value is 256 for a zone-signing key (ZSK) or 257 for a key-signing key (KSK, with the Secure Entry Point bit set). The key published at the parent is normally the KSK.
- Protocol: Always 3. The field once indicated which protocol the key was for; DNSSEC is the only value still in use.
- Algorithm: Registry number of the signature algorithm of the public/private key pair, using the same numbering as DS records.
- Public key: Base64-encoded public key that DNS resolvers use to verify the zone's signatures and confirm that the DNS records haven't been tampered with.
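To check that the DS values a provider gives you (key tag, algorithm, digest type, digest) really correspond to the DNSKEY they were derived from (flags, protocol, algorithm, public key), the following added example computes the DS fields from the DNSKEY fields as RFC 4034 specifies. It is not Google Domains' or any provider's code; the owner name example.com and the four-byte "public key" used in the sample are constructed placeholders, not a real key.

```python
"""DS-from-DNSKEY check (RFC 4034 section 5 and appendix B).

Added example, not code from Google Domains or any DNS provider. It takes the
DNSKEY fields listed on this page (flags, protocol, algorithm, public key) and
derives the DS fields (key tag, algorithm, digest type, digest), so values a
provider hands you can be checked before they are published at the parent.
"""
import base64
import hashlib
import struct

# DS digest types (IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of the owner name: lower-cased, length-prefixed labels, root label."""
    wire = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, raw key bytes.
    public_key is the base64 text as it appears in the DNSKEY record."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B: sum the RDATA as big-endian 16-bit words, fold the carry, keep 16 bits."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   public_key: str, digest_type: int = 2) -> dict:
    """Return the DS fields for a DNSKEY. The digest covers owner name (wire form) + RDATA,
    which is why the same key yields a different DS in a different zone."""
    if digest_type not in DIGEST_ALGS:
        raise ValueError(f"unsupported digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def check_ds(owner: str, dnskey: dict, ds: dict) -> list:
    """Names of DS fields that do not match the DNSKEY; [] means the DS is consistent.
    Digest comparison is case-insensitive because providers print hex in either case."""
    expected = ds_from_dnskey(owner, dnskey["flags"], dnskey["protocol"], dnskey["algorithm"],
                              dnskey["public_key"], ds["digest_type"])
    return [field for field in ("key_tag", "algorithm", "digest_type", "digest")
            if str(expected[field]).upper() != str(ds[field]).upper()]


if __name__ == "__main__":
    # Constructed KSK (flags 257 = SEP bit set, algorithm 13 = ECDSA P-256/SHA-256).
    # The four-byte "public key" is a placeholder, not a real ECDSA key.
    ksk = {"flags": 257, "protocol": 3, "algorithm": 13, "public_key": "AAECAw=="}
    ds = ds_from_dnskey("example.com", **ksk)
    print(ds)                                   # key_tag 1554, digest is 64 hex digits
    print(check_ds("example.com", ksk, ds))     # [] : consistent
```

Feed it the KSK (flags 257) that your provider publishes, which you can read with `dig DNSKEY yourdomain.com`; a non-empty result from `check_ds` means the DS you are about to publish at the parent will not validate.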
Deactivate DNSSEC for your domain
- Sign in to Google Domains.
- Select your domain.
- Select Menu DNS.
- Scroll to the “DNSSEC” card or box.
- For default name servers: Select Turn off.
- For custom name servers: Next to each record, click Delete.
- Select Save.
Tips:
- For custom name servers, work with your DNS provider to remove the DNSSEC-related resource records from your zone. Do this only after the DS records have been unpublished and that change has propagated: while a DS for your zone still exists at the parent, an unsigned zone fails validation and validating resolvers return SERVFAIL for your domain.
- When you turn off DNSSEC, Google Domains immediately unpublishes your domain's DS records. After that change updates across the internet, which can take up to 48 hours, your domain is no longer DNSSEC protected. To complete the DNSSEC deactivation, Google Domains might also unsign your DNS zone.
Use Dynamic DNS
Important: Dynamic DNS works with IPv4 and IPv6 addresses, but not at the same time.
Dynamic DNS allows you to direct your domain or a subdomain to a resource that's behind a gateway and has a dynamically assigned IP address. To use Dynamic DNS, you must use the default name servers of Google Domains.
If you set up Dynamic DNS with Google Domains, you can:
- Create an A or AAAA record for your domain or subdomain that makes the Google name servers expect a dynamic IP.
- Generate a username and password that your host or server can use to communicate the new IP address to the Google name servers.
After you set up Dynamic DNS, you must set up a client program on your host, server, or gateway that does the following:
- Detects IP address changes
- Uses the generated username and password
- Communicates the new address to the Google name servers
Set up dynamic DNS
- On your computer, sign in to Google Domains.
- Select your domain.
- Click Menu DNS.
- Select Default name servers (Google Domains, Active).
- If “Custom name servers (Active)” is selected, you already have custom name servers and can't use Google Domains' Dynamic DNS service.
- Click Show advanced settings.
- Click Manage dynamic DNS, then Create new record.
- Enter the name of the subdomain or root domain that should receive the dynamic IP.
- Click Save.
The following are some other options to manage your Dynamic DNS:
- To view the record values: Next to the record, click the triangle.
- To view the username and password created for a record: Click View Credentials.
- To configure your gateway or client software so that it contacts the Google name servers: Use the username and password created for the record.
- To delete a record:
- Go to “Resource records.”
- Next to “Dynamic DNS,” click the triangle.
- Select Delete.
Set up a client program on your gateway, host, or server
There are several popular dynamic DNS clients in use, like DDclient and INADYN. Most routers can detect IP changes and communicate them with the name servers through their built-in software.
Configure your dynamic DNS client with the following:
- Provider or DNS or Service: The name of your DNS Provider
- Username or credential: The generated username in the Dynamic DNS record
- Password or credential: The generated password in the Dynamic DNS record
After you create the record and configure your client software, test the record. Enter the subdomain and domain into a browser, or appropriate client, and make sure they connect to the correct resource.
Tip: Google Domains uses the dyndns2 protocol.
Examples
DDclient now has support for Google Domains.
DDclient with Google Domains support: ddclient.conf entries
General client configuration examples:
DDclient without Google Domains support: sample ddclient.conf entries
INADYN: add the following to your inadyn.conf
Update your Dynamic DNS record with the API
Endpoint: domains.google.com/nic/update
Example URL (the credentials are shown in the URL only for brevity; a real client should send them in the Authorization header, as in the HTTP example that follows, because URLs end up in shell history, proxy logs and access logs):
https://username:[email protected]/nic/update?hostname=subdomain.yourdomain.com&myip=1.2.3.4
Set a user agent
Important: You must also set a user agent in your request.
When you test with the URL above in a web browser, the browser generally adds a user agent for you. The final HTTP query sent to our servers should be similar to this:
Example HTTP query:
POST /nic/update?hostname=subdomain.yourdomain.com&myip=1.2.3.4 HTTP/1.1
Host: domains.google.com
Authorization: Basic base64-encoded-auth-string
User-Agent: Chrome/41.0 [email protected]
Request parameters:
- username:password (required): The generated username and password associated with the host that is to be updated, sent as HTTP Basic authentication.
- hostname (required): The hostname to be updated.
- myip (optional): The IP address to which the host is set. If not supplied, we use the IP of the agent that sent the request. Important: If your agent uses an IPv6 address,
- offline (optional): Sets the current host to offline status. If an update request is performed on an offline host, the host is removed from the offline state. Allowed values are:
After the request is processed, one of the following responses is returned.
Important: Make sure you interpret the response correctly, or you risk blocking your client from our system.
Responses (status: description):
- good {user's IP address} (success): The update was successful. You should not attempt another update until your IP address changes.
- nochg {user's IP address} (success): The supplied IP address is already set for this host. You should not attempt another update until your IP address changes.
- nohost (error): The hostname doesn't exist, or doesn't have Dynamic DNS enabled.
- badauth (error): The username/password combination isn't valid for the specified host.
- notfqdn (error): The supplied hostname isn't a valid fully-qualified domain name.
- badagent (error): Your Dynamic DNS client makes bad requests. Ensure the user agent is set in the request.
- abuse (error): Dynamic DNS access for the hostname has been blocked due to failure to interpret previous responses correctly.
- 911 (error): An error happened on our end. Wait 5 minutes and retry.
- conflict A (error): A custom A or AAAA resource record conflicts with the update. Delete the indicated resource record within the DNS settings page and try the update again.
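The request format and response rules above, as an added example client written in Python rather than a ddclient or INADYN configuration. It is not Google's code; the User-Agent string, hostname and credentials are placeholders, and the server is replaced by constructed response bodies so it runs offline. It puts the credentials in the Authorization header, validates the hostname and myip locally, and keeps the state the response table demands: no re-send while the address is unchanged, a five-minute back-off after 911, and a hard stop after badauth, nohost, notfqdn, badagent, abuse or conflict so that a misconfiguration cannot escalate into the abuse lock-out.

```python
"""dyndns2-style updater for the /nic/update endpoint documented on this page.

Added example, not Google's code and not ddclient or INADYN. The URL, parameters
and response strings are the ones listed on this page; the User-Agent string,
hostname and credentials are placeholders. Transport is injected so the
behaviour can be exercised offline with constructed responses.
"""
import base64
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

UPDATE_URL = "https://domains.google.com/nic/update"
# Placeholder; the server answers "badagent" to requests without a User-Agent.
USER_AGENT = "example-ddns/1.0 [email protected]"

# What the client must do after each documented response. "done": stop until the
# address changes. "fix": an operator must correct something; never retry blindly,
# because repeated misinterpretation ends in "abuse". "retry": server-side error.
RESPONSE_POLICY = {
    "good": "done", "nochg": "done",
    "nohost": "fix", "badauth": "fix", "notfqdn": "fix",
    "badagent": "fix", "abuse": "fix", "conflict": "fix",
    "911": "retry",
}
RETRY_DELAY_SECONDS = 300  # the page says to wait 5 minutes after a 911


def build_request(username: str, password: str, hostname: str, myip: Optional[str] = None) -> dict:
    """Build the POST request. Credentials go in the Authorization header rather than
    the URL so they do not end up in shell history or proxy and access logs."""
    if "." not in hostname.strip("."):
        raise ValueError("hostname must be fully qualified")   # saves a 'notfqdn' round trip
    params = {"hostname": hostname}
    if myip is not None:
        params["myip"] = str(ipaddress.ip_address(myip))        # rejects malformed input locally
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {
        "method": "POST",
        "url": f"{UPDATE_URL}?{urlencode(params)}",
        "headers": {"Authorization": f"Basic {token}", "User-Agent": USER_AGENT},
    }


@dataclass
class UpdateResult:
    code: str            # first word of the body, e.g. "good", "nochg", "badauth"
    ip: Optional[str]    # address echoed back on good/nochg
    policy: str          # "done", "fix" or "retry"


def parse_response(body: str) -> UpdateResult:
    """Map a response body to the action the page prescribes. Unknown bodies are
    treated as 'fix', never as success, so a surprise cannot turn into a retry storm."""
    parts = body.strip().split()
    if not parts:
        return UpdateResult("", None, "fix")
    code = parts[0]
    ip = parts[1] if code in ("good", "nochg") and len(parts) > 1 else None
    return UpdateResult(code, ip, RESPONSE_POLICY.get(code, "fix"))


@dataclass
class DdnsUpdater:
    """Keeps the state needed to obey the response rules: send only when the address
    changed, back off after 911, and stop entirely after a configuration error."""
    username: str
    password: str
    hostname: str
    send: Callable[[dict], str]           # request dict -> response body
    now: Callable[[], float] = time.time
    last_ip: Optional[str] = None
    retry_after: float = 0.0
    blocked_reason: Optional[str] = None

    def update(self, current_ip: str) -> Optional[UpdateResult]:
        """Send at most one update for current_ip; None means nothing was sent."""
        if self.blocked_reason or current_ip == self.last_ip or self.now() < self.retry_after:
            return None
        request = build_request(self.username, self.password, self.hostname, current_ip)
        result = parse_response(self.send(request))
        if result.policy == "done":
            self.last_ip = result.ip or current_ip
        elif result.policy == "retry":
            self.retry_after = self.now() + RETRY_DELAY_SECONDS
        else:
            self.blocked_reason = result.code
        return result


def http_send(request: dict) -> str:
    """Real transport over urllib; not used by the offline sample below."""
    req = Request(request["url"], method=request["method"], headers=request["headers"])
    with urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed responses standing in for the server, so this runs without network.
    bodies = iter(["good 203.0.113.7", "911"])
    updater = DdnsUpdater("user", "secret", "host.example.com", send=lambda req: next(bodies))
    print(updater.update("203.0.113.7"))   # code "good"
    print(updater.update("203.0.113.7"))   # None: address unchanged, nothing sent
```

To use it for real, pass `http_send` as the transport and call `update()` from whatever detects your address change (a cron job or a router hook); everything else is the offline state machine, and `blocked_reason` is what an operator should alert on.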