I recently came across this really mad idea by Google engineers:

https://developers.google.com/speed/public-dns/docs/security#nonce_prefixes

They try to protect against DNS spoofing by adding entropy in queries to root/TLD name servers. That's a braindead idea, because they can query all those servers using DNSSEC, which invalidates the reasoning itself.

But the more important point is that this solution is based on a misguided understanding of DNS itself. Let's take "www.uit.int" as an example.

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37704
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1

;; QUESTION SECTION:
;www.uit.int. IN A

;; ANSWER SECTION:
www.uit.int. CNAME www.itu.int.
www.uit.int. RRSIG CNAME 7 3 86400 2019...

;; AUTHORITY SECTION:
itu.int. NS ns.itu.ch.
itu.int. NS ns2.itu.ch.
itu.int. NS ns3.itu.ch.
[DNSSEC stuff]

So we do get a resolution and a delegation.

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48110
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; QUESTION SECTION:
;nonce-for-dummies.www.uit.int. IN A

;; AUTHORITY SECTION:
int. SOA sns.dns.icann.org. ...
[lot of DNSSEC NSEC3 non-existence proofs]

But the modified request does not reveal even a hint that the original query might be successful.

If necessary, I'm happy to discuss the basics of DNS directly with the engineer, if somebody makes a contact. This discussion will include "non-empty non-terminals" and the difference between DS and DNSKEY, both issues where Google Public DNS fails.
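The behaviour the two dig outputs above illustrate can be reproduced with a toy authoritative lookup. The following is an added example, not part of the post and not Google's code: the zone is a hand-built approximation of the relevant part of int. (a CNAME at www.uit.int. held by the TLD server itself, and a delegation of itu.int.), the lookup follows the RFC 1034 section 4.3.2 algorithm in simplified form, and the nonce label format is an assumption rather than Google's exact scheme. It goes one step beyond the post by also querying a name under the itu.int. delegation, where a nonce-prefixed query still produces the same referral; for the name the TLD zone owns directly, the nonce turns the answer into NXDOMAIN exactly as the post shows.

```python
"""Toy model of a TLD server answering plain and nonce-prefixed queries.

Constructed example: the zone below approximates the int. zone as seen in the
post's dig output. It is not real zone data and not Google Public DNS code.
"""
import secrets

ZONE_APEX = "int."

# Constructed zone contents: only what the demonstration needs.
ZONE = {
    "int.": {"SOA": ["sns.dns.icann.org."]},           # MNAME only; rest elided in the post
    "www.uit.int.": {"CNAME": ["www.itu.int."]},        # owned by the TLD zone itself
    "itu.int.": {"NS": ["ns.itu.ch.", "ns2.itu.ch.", "ns3.itu.ch."]},  # zone cut
}


def normalize(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def ancestors_from_apex(qname: str) -> list:
    """All names from the zone apex down to qname, apex first."""
    parts = qname.rstrip(".").split(".")
    names = [".".join(parts[i:]) + "." for i in range(len(parts))]
    names.reverse()
    return names


def lookup(qname: str, qtype: str = "A") -> dict:
    """Simplified RFC 1034 4.3.2 lookup: referral, answer, NODATA or NXDOMAIN."""
    qname = normalize(qname)
    if qname != ZONE_APEX and not qname.endswith("." + ZONE_APEX):
        return {"status": "REFUSED", "answer": [], "authority": []}
    soa = [(ZONE_APEX, "SOA", ZONE[ZONE_APEX]["SOA"][0])]
    for name in ancestors_from_apex(qname):
        node = ZONE.get(name)
        if node is None:
            continue
        if name != ZONE_APEX and "NS" in node:
            # Zone cut at or above qname: hand out the delegation, whatever lies below it.
            return {"status": "NOERROR", "answer": [],
                    "authority": [(name, "NS", ns) for ns in node["NS"]]}
        if name == qname:
            if "CNAME" in node and qtype != "CNAME":
                target = node["CNAME"][0]
                reply = {"status": "NOERROR",
                         "answer": [(name, "CNAME", target)], "authority": []}
                if target.endswith("." + ZONE_APEX):
                    # Chase the CNAME inside our own zone, as the int. server does in
                    # the post; per RFC 6604 the RCODE reflects the last name looked up.
                    chased = lookup(target, qtype)
                    reply["status"] = chased["status"]
                    reply["answer"] += chased["answer"]
                    reply["authority"] += chased["authority"]
                return reply
            rrs = node.get(qtype, [])
            return {"status": "NOERROR",
                    "answer": [(name, qtype, r) for r in rrs],
                    "authority": [] if rrs else soa}
    if any(n.endswith("." + qname) for n in ZONE):
        # Empty non-terminal: the name exists only because something lives below it.
        return {"status": "NOERROR", "answer": [], "authority": soa}
    return {"status": "NXDOMAIN", "answer": [], "authority": soa}


def nonce_prefixed(qname: str) -> str:
    """Prepend a random label. The label shape is this example's assumption,
    not Google's exact nonce-prefix format."""
    return secrets.token_hex(6) + "." + normalize(qname)


def compare(qname: str) -> tuple:
    """Status of the plain query next to the status of its nonce-prefixed form."""
    return lookup(qname)["status"], lookup(nonce_prefixed(qname))["status"]


if __name__ == "__main__":
    for q in ("www.uit.int", "www.itu.int"):
        print(q, compare(q))
```

Running it shows the asymmetry the post is pointing at: for a name under the itu.int. zone cut the referral is independent of any extra leading label, but for a name the TLD server answers itself the nonce-prefixed form falls through to the NXDOMAIN branch, so the prefixed response says nothing about how the unprefixed query would have been answered.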