Google launches DNS service

The Domain Name System is the protocol used to resolve web domain names to the IP addresses of their associated servers. Generally, an ISP will provide its own DNS servers for customers to use, although there are many open DNS servers available online that do not authenticate their users. However, the DNS protocol has recently been the target of several attacks.

Google hopes that its DNS servers will prevent such attacks, including 'DNS poisoning', in which attackers can insert fraudulent DNS records into a DNS server's cache. In this attack, a malicious user will send a DNS server a query for a domain that the server is unlikely to be authoritative for. The server then refers the query to another DNS server, further up the hierarchical chain of DNS servers.

In the meantime, the attacker floods the original DNS server with fake responses appearing to come from the queried machine. The original DNS server believes the fake response and populates its cache with the attacker's incorrect DNS record.
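As an added example (not code from the article or from Google's DNS servers), the following shows the resolver-side check that a flood of fake responses has to get past: a reply is cached only when its source address, destination port, transaction ID and question name all match the outstanding query, and a burst of mismatches marks the query as suspect so nothing is cached for it. The class and function names, the mismatch threshold and the sample data are assumptions constructed for illustration.

```python
from collections import namedtuple

# What the resolver remembers about a query it sent upstream, and what
# it can read off each UDP reply that arrives.
Pending = namedtuple("Pending", "server_ip src_port txid qname")
Reply = namedtuple("Reply", "from_ip dst_port txid qname rdata")

MISMATCH_LIMIT = 3  # assumed threshold, not a figure from the article


class UpstreamQuery:
    """One outstanding query plus a count of replies that failed to match it."""

    def __init__(self, pending):
        self.pending, self.mismatches, self.cached = pending, 0, None

    @property
    def suspect(self):
        return self.mismatches >= MISMATCH_LIMIT

    def offer(self, reply):
        p = self.pending
        if reply.qname.rstrip(".").lower() != p.qname.rstrip(".").lower():
            return "ignored"              # about some other name
        if (reply.from_ip, reply.dst_port, reply.txid) != (p.server_ip, p.src_port, p.txid):
            self.mismatches += 1          # forged or stray reply
            return "suspect" if self.suspect else "dropped"
        if self.suspect or self.cached is not None:
            # During a flood even a matching reply may be a lucky guess:
            # do not cache it; re-resolve over TCP instead.
            return "suspect" if self.suspect else "dropped"
        self.cached = reply.rdata
        return "accepted"


def replay(pending, replies):
    """Feed replies in arrival order; return (verdicts, cached rdata, suspect)."""
    q = UpstreamQuery(pending)
    return [q.offer(r) for r in replies], q.cached, q.suspect


# Constructed sample data (documentation address ranges, made-up IDs).
PENDING = Pending("192.0.2.53", 40000, 0x1A2B, "www.example.com")
GENUINE = Reply("192.0.2.53", 40000, 0x1A2B, "www.example.com.", "192.0.2.10")
FORGED = [Reply("192.0.2.53", 40000, t, "www.example.com", "203.0.113.66")
          for t in (1, 2, 3, 4)]

if __name__ == "__main__":
    print(replay(PENDING, [GENUINE]))
    print(replay(PENDING, FORGED + [GENUINE]))
```

With no flood the genuine reply is cached; with the four forged replies ahead of it, the query is flagged and the cache stays empty.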

Google said that it has implemented several features in its own DNS servers designed to stop these and other attacks. They include protecting against the classic buffer overflow errors, overprovisioning server resources, and limiting the rate at which queries can be made (thus reducing the likelihood of denial of service attacks).

In August last year, Dan Kaminsky of IOActive unveiled a core design flaw in the DNS protocol that would allow attackers to spoof any DNS entity, up to and including top level domains such as .com. This meant that a skilled attacker could effectively take over the web. Kaminsky worked with a large number of key companies to help develop an interim patch to stop such attacks occurring, although the design flaw in DNS still exists.

Google is not the only organization providing free DNS services designed to enhance security. OpenDNS offers a free service that alerts users when they attempt to surf to a known phishing site using its DNS servers.
