Set up DNSSEC & DNS security

Domain Name System (DNS) translates human-readable domain names like google.com into the machine-readable IP address of a website, like 172.217.3.206. To prevent threats to your domain like cache poisoning attacks and DNS spoofing, set up DNS Security Extensions (DNSSEC).

Turn on DNSSEC for your domain

Important:

  • Some Top-level Domains (TLDs) accept DNS Public Key (DNSKEY) records instead of Delegation Signer (DS) records.
  • If you originally purchased your domain name from Google Domains, DNSSEC might already be set up for you.

To set up DNSSEC for your domain, you must add specific resource records to your DNS or signing zone and publish them for your domain. If you use the automatic DNSSEC setup of Google Domains, we handle both steps for you. It can take up to 24 hours for the changes to update across the internet before DNSSEC is active.

  1. Sign in to Google Domains.
  2. Select your domain.
  3. At the top left, select Menu and then DNS.
  4. Select either Default name servers or Custom name servers.
  5. Scroll to the “DNSSEC” card or box.
    • For default name servers: Click Turn on. If DNSSEC is already turned on, “DNSSEC enabled” is displayed.
    • For custom name servers: Click Manage DS records and enter the info from your DNS provider.
      1. Enter the values given by your third-party DNS provider for custom name server DNSSEC or DNSKEY.
      2. To add multiple records at the same time, click Create new record.
      3. Click Save.

Tips:

  • If you choose not to wait for your DNSKEY records to be published, under “DNSSEC,” expand the DNSSEC card and click Publish records now.
  • When you turn on DNSSEC, Google Domains automatically signs your DNS zone and publishes your Delegation Signer (DS) records within 2 hours.

Values needed for custom name server DNSSEC

If you use custom name servers, you must work with your third-party DNS provider to sign the DNS zone for your domain. For each DNSKEY, get the following values from your DNS provider:

  • Key tag: Numeric value that refers to an existing DNSKEY record.
  • Algorithm: Encryption algorithm that creates the security key in the DNSKEY record. It’s usually paired with a hash function, as in RSA/SHA1.
  • Digest type: Algorithm that creates the digest of a DNSKEY record. It’s also called a digest algorithm, digest hash, or digest hash function.
  • Digest: Hashed value of the DNSKEY record that uniquely identifies it and doesn't expose the value of the key. Based on the digest type, the length can be one of the following:
    • SHA1: 40 hexadecimal digits
    • SHA256: 64 hexadecimal digits
    • SHA384: 96 hexadecimal digits

Values needed for custom name server DNSKEYs

If you use custom name servers, contact your third-party DNS provider to sign in to the DNS zones for your domain. For each DNSKEY, get the following values from your DNS provider:

  • Flags: Information that lets the DNS and resolvers know how to interpret the DNSKEY record. By default, this value is set to 256 or 257.
  • Protocol: Indicates the version of DNSSEC used. This value is always set to 3.
  • Algorithm: Indicates the type of cryptographic algorithm used for the public or private key pair.
  • Public key: The key that DNS resolvers use to validate that the DNS records haven’t been tampered with.
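
The DS values (key tag, algorithm, digest type, digest) are all derived from the DNSKEY values (flags, protocol, algorithm, public key), so the two sets can be cross-checked before you save them. The Python below is an added example, not code from Google Domains or any DNS provider; it follows the DNSKEY wire format and key tag checksum defined in RFC 4034, and the sample key and the example.com name are constructed placeholders.

```python
import base64
import hashlib

# DS digest type number -> (hashlib name, hex length listed on this page)
DIGEST_TYPES = {1: ("sha1", 40), 2: ("sha256", 64), 4: ("sha384", 96)}

def dnskey_rdata(key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    head = key["flags"].to_bytes(2, "big") + bytes([key["protocol"], key["algorithm"]])
    return head + base64.b64decode(key["public_key"])

def key_tag(rdata):
    """Key tag checksum over the RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [p for p in name.lower().split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def ds_digest(name, rdata, digest_type):
    """DS digest = hash(owner name + DNSKEY RDATA), as uppercase hex."""
    algo = DIGEST_TYPES[digest_type][0]
    return hashlib.new(algo, owner_wire(name) + rdata).hexdigest().upper()

def check_ds(name, ds, dnskey):
    """List mismatches between DS values and a DNSKEY (empty list = consistent)."""
    problems = []
    if dnskey["protocol"] != 3:
        problems.append("protocol must be 3")
    rdata = dnskey_rdata(dnskey)
    if ds["key_tag"] != key_tag(rdata):
        problems.append("key tag does not refer to this DNSKEY")
    if ds["algorithm"] != dnskey["algorithm"]:
        problems.append("algorithm differs from the DNSKEY")
    if ds["digest_type"] not in DIGEST_TYPES:
        return problems + ["unsupported digest type"]
    digest = ds["digest"].replace(" ", "").upper()
    if len(digest) != DIGEST_TYPES[ds["digest_type"]][1]:
        problems.append("digest length does not fit the digest type")
    elif digest != ds_digest(name, rdata, ds["digest_type"]):
        problems.append("digest does not match the DNSKEY")
    return problems

# Constructed sample (not a real key): 64 placeholder bytes as an algorithm 13 key.
SAMPLE_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13,
                 "public_key": base64.b64encode(bytes(range(64))).decode()}
SAMPLE_RDATA = dnskey_rdata(SAMPLE_DNSKEY)
SAMPLE_DS = {"key_tag": key_tag(SAMPLE_RDATA), "algorithm": 13, "digest_type": 2,
             "digest": ds_digest("example.com", SAMPLE_RDATA, 2)}
```

An empty list from check_ds means the DS values entered at the registrar describe the DNSKEY that the DNS provider publishes.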

Deactivate DNSSEC for your domain

  1. Sign in to Google Domains.
  2. Select your domain.
  3. Select Menu and then DNS.
  4. Scroll to the “DNSSEC” card or box.
    • For default name servers: Select Turn off.
    • For custom name servers: Next to each record, click Delete.
  5. Select Save.

Tips:

  • For custom name servers, to remove your DNSSEC-related resource records from your zone, you can work with your DNS provider.
  • When you turn off DNSSEC, Google Domains immediately unpublishes your domain’s DS records. After that change updates across the internet, your domain is no longer DNSSEC protected. This can take up to 48 hours. To complete the DNSSEC deactivation, Google Domains might unsign your DNS zone.

Use Dynamic DNS

Important: Dynamic DNS works with IPv4 and IPv6 addresses, but not at the same time.

Dynamic DNS allows you to direct your domain or a subdomain to a resource that's behind a gateway and has a dynamically assigned IP address. To use Dynamic DNS, you must use the default name servers of Google Domains.

If you set up Dynamic DNS with Google Domains, you can:

  • Create an A or AAAA record for your domain or subdomain that makes the Google name servers expect a dynamic IP.
  • Generate a username and password that your host or server can use to communicate the new IP address to the Google name servers.

After you set up Dynamic DNS, you must set up a client program on your host, server, or gateway that does the following:

  • Detects IP address changes
  • Uses the generated username and password
  • Communicates the new address to the Google name servers

Set up dynamic DNS

  1. On your computer, sign in to Google Domains.
  2. Select your domain.
  3. Click Menu and then DNS.
  4. Select Default name servers Google Domains (Active).
    • If “Custom name servers (Active)” is selected, you already have custom name servers and can't use Google Domains’ Dynamic DNS service.
  5. Click Show advanced settings.
  6. Click Manage dynamic DNS and then Create new record.
  7. To assign a Dynamic IP, enter the name of the subdomain or root domain.
  8. Click Save.

The following are some other options to manage your Dynamic DNS:

  • To view the record values: Next to the record, click the triangle.
  • To view the username and password created for a record: Click View Credentials.
  • To configure your gateway or client software so that it contacts the Google name servers: Use the username and password created for the record.
  • To delete a record:
    1. Go to “Resource records.”
    2. Next to “Dynamic DNS,” click the triangle.
    3. Select Delete.

Set up a client program on your gateway, host, or server

There are several popular dynamic DNS clients in use, like DDclient and INADYN. Most routers can detect IP changes and communicate them to the name servers through their built-in software.

Configure your dynamic DNS client with the following:

  • Provider or DNS or Service: The name of your DNS Provider
  • Username or credential: The generated username in the Dynamic DNS record
  • Password or credential: The generated password in the Dynamic DNS record

After you create the record and configure your client software, test the record. Enter the subdomain and domain into a browser, or appropriate client, and make sure they connect to the correct resource.

Tip: Google Domains uses the dyndns2 protocol.

Examples

DDclient now has support for Google Domains.

DDclient with Google Domains support

ddclient.conf entries:

ssl=yes
protocol=googledomains
login=generated_username
password=generated_password
your_resource.your_domain.tld

General client configuration examples:

DDclient without Google Domains support

Sample ddclient.conf entries:

protocol=dyndns2
use=web
server=domains.google.com
ssl=yes
login=generated_username
password=generated_password
your_resource.your_domain.tld

INADYN

Add the following to your inadyn.conf:

system default@domains.google.com
username generated_username
password generated_password
alias sub.domain.tld

Update your Dynamic DNS record with the API

Dynamic DNS client software automatically updates your dynamic DNS record. You can perform manual updates with the API by making a POST or GET request to the following URL:

domains.google.com/nic/update

The API requires HTTPS. Here’s an example request:

https://username:password@domains.google.com/nic/update?hostname=subdomain.yourdomain.com&myip=1.2.3.4

Set a user agent

Important: You must also set a user agent in your request.

During a test with the URL directly above, domains.google.com/nic/update, web browsers generally add a user agent for you. The final HTTP query sent to our servers should be similar to this:

Example HTTP query:

POST /nic/update?hostname=subdomain.yourdomain.com&myip=1.2.3.4 HTTP/1.1
Host: domains.google.com
Authorization: Basic base64-encoded-auth-string
User-Agent: Chrome/41.0 your_email@yourdomain.com

Request Parameters:

  • username:password (Required): The generated username and password associated with the host that is to be updated.
  • hostname (Required): The hostname to be updated.
  • myip (Optional for IPv4; required if you have an IPv6 address): The IP address to which the host is set. If not supplied, we use the IP of the agent that sent the request. Important: If your agent uses an IPv6 address, myip is required. You can check your agent’s IP address at: https://domains.google.com/checkip.
  • offline (Optional): Sets the current host to offline status. If an update request is performed on an offline host, the host is removed from the offline state. Allowed values are:
    • yes
    • no
After the request is processed, one of the following responses is returned.

Important: Make sure you interpret the response correctly, or you risk blocking your client from our system.

Responses:

  • good {user’s IP address} (Success): The update was successful. You should not attempt another update until your IP address changes.
  • nochg {user’s IP address} (Success): The supplied IP address is already set for this host. You should not attempt another update until your IP address changes.
  • nohost (Error): The hostname doesn't exist, or doesn't have Dynamic DNS enabled.
  • badauth (Error): The username/password combination isn't valid for the specified host.
  • notfqdn (Error): The supplied hostname isn't a valid fully-qualified domain name.
  • badagent (Error): Your Dynamic DNS client makes bad requests. Ensure the user agent is set in the request.
  • abuse (Error): Dynamic DNS access for the hostname has been blocked due to failure to interpret previous responses correctly.
  • 911 (Error): An error happened on our end. Wait 5 minutes and retry.
  • conflict A or conflict AAAA (Error): A custom A or AAAA resource record conflicts with the update. Delete the indicated resource record within the DNS settings page and try the update again.
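
The request format and the response handling described above can be combined in a small client core. The Python below is an added example, not Google's client code: it builds (but does not send) the update request with the credentials in the Authorization header and an explicit User-Agent, then maps each documented response to the next step. The user agent string and the policy of stopping on every error other than 911 are assumptions of this example.

```python
import base64
import ipaddress
from urllib.parse import urlencode
from urllib.request import Request

UPDATE_URL = "https://domains.google.com/nic/update"  # the API requires HTTPS
USER_AGENT = "example-ddns/1.0 admin@example.com"     # placeholder; badagent if missing

def build_update(username, password, hostname, myip=None):
    """Build (not send) an update request with Basic auth and a User-Agent."""
    params = {"hostname": hostname}
    if myip is not None:
        params["myip"] = str(ipaddress.ip_address(myip))  # ValueError if malformed
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    # Credentials go in the header so they stay out of the URL and of URL logs.
    return Request(f"{UPDATE_URL}?{urlencode(params)}", method="POST",
                   headers={"Authorization": f"Basic {token}", "User-Agent": USER_AGENT})

def interpret(body):
    """Map a response body to the action the client should take next."""
    parts = body.strip().split()
    status = parts[0] if parts else ""
    detail = parts[1] if len(parts) > 1 else None
    if status in ("good", "nochg"):
        action, retry_after = "hold", None     # no update until the IP changes
    elif status == "911":
        action, retry_after = "retry", 300     # server-side error: wait 5 minutes
    else:
        action, retry_after = "stop", None     # needs an operator fix (assumed policy)
    return {"status": status, "action": action, "detail": detail, "retry_after": retry_after}

def should_send(current_ip, last_ip, last, elapsed):
    """Decide whether another update may be sent after the last interpreted response."""
    if last is None:
        return True
    if last["action"] == "stop":
        return False  # repeating a rejected request risks the abuse block
    if last["action"] == "retry":
        return elapsed >= last["retry_after"]
    return current_ip != last_ip
```

Unknown or empty responses fall into the stop branch, so a client that cannot interpret a reply does not keep sending requests.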