On April 1st 2016 Google announced a Public DNS-over-HTTPS service:
https://developers.google.com/speed/public-dns/docs/dns-over-https#introduction
The API is only a beta and whilst not based on a standard, any public server that offers encrypted DNS to users is a good thing. But note that there is an active I-D in the general area of DNS-over-HTTP:
https://datatracker.ietf.org/doc/draft-song-dns-wireformat-http/
Our understanding is that this service was made available as a convenient web interface to test DNS queries, and potentially for use in some lightweight applications. It was simply intended to be a complementary offering to the work of the DPRIVE working group with regard to DNS Privacy.
We took a look at it at the recent IETF Hackathon and started coding a prototype implementation in getdns just for fun. Here are some things we note:
The query API is quite limited: there is no message ID, and only one EDNS0 option is supported (ECS). For example, the EDNS chain query draft is now approved and future support for this would be nice.
For DNSSEC the only option is to trust Google to do the validation; this API does not support validating stubs obtaining the DNSSEC records they would need to validate for themselves.
It is also interesting to note that when DNSSEC validation fails, the error comment includes a link to the DNSviz tool to help figure out the failure!
They don’t use the 8.8.8.8 IP address directly for the queries, instead they use dns.google.com which resolved to 216.58.208.142 and 2a00:1450:4009:803::200e from the Buenos Aires Hackathon. It is likely this is served by the Google web service cloud which ultimately uses 8.8.8.8 as a back end for the resolution.
When a query is made via the web interface provided at https://dns.google.com it seems that QUIC over IPv6 is always used.
We also notice that the server will answer DNS-over-HTTP (unencrypted) on port 80.
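As an added illustration (example code written for this post, not code from Google or from the getdns prototype), the snippet below builds a query for the JSON API using only the parameters the documentation linked above lists, and interprets the response fields (Status, AD, Comment) the way a stub would have to: trusting Google's AD flag because it cannot validate itself, and pulling the DNSviz link out of a failure comment. The sample response bodies are constructed, not captured from the live service.

```python
import json
from urllib.parse import urlencode

# Endpoint and parameter names (name, type, cd, edns_client_subnet) are those
# documented for Google's JSON API; everything else here is added example code.
API = "https://dns.google.com/resolve"

def build_query_url(name, rrtype="A", check_disabled=False, ecs=None):
    """Build a query URL. Note what the API lacks: there is no message ID,
    and EDNS Client Subnet is the only EDNS0 option you can pass."""
    params = {"name": name, "type": rrtype}
    if check_disabled:
        params["cd"] = "true"  # ask the resolver to skip DNSSEC validation
    if ecs:
        params["edns_client_subnet"] = ecs
    return API + "?" + urlencode(params)

def classify_answer(body):
    """Interpret a JSON response body from a stub's point of view:
    'secure'   Status 0 with AD set: Google says it validated the data
    'insecure' Status 0 with AD clear: unsigned zone, or cd=true was used
    'bogus'    SERVFAIL (Status 2) whose Comment mentions DNSSEC
    'error'    any other non-zero Status (e.g. 3 = NXDOMAIN)
    The stub never sees RRSIGs here, so AD is a statement of trust in Google,
    not something the client can verify itself."""
    resp = json.loads(body)
    status = resp.get("Status")
    if status == 0:
        return "secure" if resp.get("AD") else "insecure"
    if status == 2 and "DNSSEC" in resp.get("Comment", ""):
        return "bogus"
    return "error"

def dnsviz_link(body):
    """Return the DNSviz URL from the Comment field, if the server gave one."""
    for token in json.loads(body).get("Comment", "").split():
        if token.startswith("http") and "dnsviz.net" in token:
            return token
    return None

# Constructed sample bodies in the documented response shape (not captured
# from the live service; the names are RFC 2606 reserved examples).
SECURE_BODY = json.dumps({"Status": 0, "TC": False, "RD": True, "RA": True,
    "AD": True, "CD": False, "Question": [{"name": "example.com.", "type": 1}],
    "Answer": [{"name": "example.com.", "type": 1, "TTL": 3600, "data": "192.0.2.1"}]})
BOGUS_BODY = json.dumps({"Status": 2, "TC": False, "RD": True, "RA": True,
    "AD": False, "CD": False, "Question": [{"name": "bad.example.", "type": 1}],
    "Comment": "DNSSEC validation failure. Please check "
               "http://dnsviz.net/d/bad.example/dnssec/ for errors."})
```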