Which ISPs are so bad that you want to use external services, which are further in distance than your ISP, for speed? When I test with my ISP, they beat all of these services (both IPv4 and IPv6). They're simply closer to me in terms of hops.
My router is another story though. The Fritzbox (>200eur router) adds 6ms of latency, and that's what is advertised over DHCP. (Might still be fine, since cached queries are faster than the ping time to the ISP.) Note that my tests were all with uncached queries (random subdomains of a domain), so it always had to go out and ask an external server (though it could cache the NS record for the domain).
It would be more interesting to see how they are doing for some websites in the long tail: try the 900th, 9000th, and 90000th most popular sites instead of the top. And try some locations which are not actual datacenters?
Mentally you need to add a big asterisk to tests of CDNs, and by extension "dns done like a cdn" from VPS provider networks (content networks). That's not where users come from (eyeball networks), and therefore not where they focus their efforts in peering and route-optimizing.
I think we'll start seeing the standard configuration of 1.1.1.1,8.8.8.8 everywhere.
Google/Cloudflare tackled the UX of free DNS spectacularly with these gold IP addresses. It's the primary reason I use them instead of OpenDNS, which was an earlier player in this space.
9.9.9.9 does not seem to be geographically-aware. Here are the resolutions for the same domain name (CNAME referring to the hopefully closest edge server), from France.
% dig [domain] @8.8.8.8 +short
[id].kxcdn.com.
p-frpa00.kxcdn.com. # France
% dig [domain] @9.9.9.9 +short
[id].kxcdn.com.
s-us-ca00.kvcdn.com. # America
p-ussj00.kxcdn.com.
% dig [domain] @1.1.1.1 +short
[id].kxcdn.com.
p-frpa00.kxcdn.com. # France
% dig [domain] @ns0.fdn.fr +short # My ISP resolver
[id].kxcdn.com.
p-frpa00.kxcdn.com. # France
Just run your own DNS resolver if you value your privacy. With prefetching and caching there will be little difference in performance.
You can run a benchmark of your own using namebench. I recommend you uncheck the options for the included nameservers or it will take a very long time to run and enter only the DNS servers you want to test manually. It can use your Firefox browsing history as a source for domains to resolve.
Ignore the "incorrect" and "hijacked" warnings, I think the program has hardcoded, outdated IP ranges for popular services which causes those.
If you want to see the performance from even more locations here is a more detailed benchmark https://www.cdnperf.com/tools/cdn-latency-benchmark/0d8b484e...
Or you can even use a CLI https://perfops.net/cli to run custom tests from any location
Unfortunately no tests for IPv6 connections. Disappointing considering that all DNS traffic I generate will be over IPv6.
Besides response time, the next level of comparison is how well geo-DNS-based services (global load balancing, etc.) support these resolvers. AFAIK 8.8.8.8 gives decent results in most places, though I've seen suboptimal US-centric results from Quad9 in Asia. Support for RFC 7871 (Client Subnet in DNS Queries) comes into play here too.
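The geo-awareness differences in the dig output above come down to whether a resolver supports RFC 7871 (EDNS Client Subnet) and how wide a prefix it forwards. The following is an added example for this thread, not code from the original post or from any resolver operator: it builds a query carrying an ECS option and parses the option back out of a DNS message, using only the standard library and sending nothing. The client prefix 203.0.113.0/24 (a documentation range) and the name www.example.com are constructed inputs. To check a real resolver you would send the bytes from build_query() over UDP and run parse_ecs() on the reply; a resolver that honours ECS echoes the option with SCOPE PREFIX-LENGTH set to the number of address bits it actually used, while a resolver that ignores it returns no option at all.

```python
"""Build a DNS query carrying an EDNS Client Subnet option (RFC 7871) and
read the option back out of any DNS message.

Added example for this thread; it is not code from the original post or
from any resolver operator. Only the standard library is used and nothing
is sent: the client prefix 203.0.113.0/24 (a documentation range) and the
name www.example.com are constructed inputs."""
import socket
import struct

OPTION_CLIENT_SUBNET = 8   # EDNS option code assigned by RFC 7871
RR_TYPE_OPT = 41


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ecs_option(address, source_prefix):
    """Option data layout: FAMILY(2) SOURCE-PREFIX(1) SCOPE-PREFIX(1) ADDRESS.
    The address is truncated to the source prefix and the spare bits zeroed,
    as RFC 7871 requires; scope is 0 in a query."""
    if ":" in address:
        family, raw = 2, socket.inet_pton(socket.AF_INET6, address)
    else:
        family, raw = 1, socket.inet_pton(socket.AF_INET, address)
    nbytes = (source_prefix + 7) // 8
    addr = bytearray(raw[:nbytes])
    spare = nbytes * 8 - source_prefix
    if spare:
        addr[-1] &= (0xFF << spare) & 0xFF
    data = struct.pack("!HBB", family, source_prefix, 0) + bytes(addr)
    return struct.pack("!HH", OPTION_CLIENT_SUBNET, len(data)) + data


def build_query(qname, qtype=1, txn_id=0x1234, ecs=None, udp_size=1232):
    """Standard query with RD set and a single OPT record in the additional section."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = ecs or b""
    # OPT RR: root name, TYPE 41, CLASS = requester's UDP payload size,
    # TTL = extended RCODE / version / flags (all zero), then the options.
    opt = b"\x00" + struct.pack("!HHIH", RR_TYPE_OPT, udp_size, 0, len(rdata)) + rdata
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def parse_ecs(msg):
    """Return the ECS option of a DNS message as a dict, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != RR_TYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code != OPTION_CLIENT_SUBNET or len(body) < 4:
                continue
            family, source, scope = struct.unpack("!HBB", body[:4])
            af, width = (socket.AF_INET, 4) if family == 1 else (socket.AF_INET6, 16)
            addr = socket.inet_ntop(af, body[4:].ljust(width, b"\x00"))
            return {"family": family, "source": source, "scope": scope, "address": addr}
    return None


if __name__ == "__main__":
    query = build_query("www.example.com", ecs=build_ecs_option("203.0.113.77", 24))
    print(parse_ecs(query))   # the option exactly as a resolver would see it
```

Two points worth noticing in the option encoding: the address is cut to the source prefix (a /24 sends three bytes, never the full host address, which is the privacy trade-off the RFC makes explicit), and a reply whose scope is 0 means the resolver did not use the client location at all, which is what you would expect to see from a resolver that returns a US-centric CNAME to a client in France or Asia.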
The OpenNIC project has a database of community/private DNS servers with certain standards.
Is there a tutorial on setting up your own? I've got a huge hosts file and would like it to affect all the devices at my home but setting up a DNS server always seemed high-level black magic to me.
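For the "huge hosts file on every device" case, the usual approach is to run a caching resolver on the LAN and feed it the blocklist as local zone data, then hand that resolver out to all devices via DHCP (option 6). The following is an added example for this thread, not code from the original post, from Unbound, or from any blocklist project: it converts a hosts-style list into Unbound directives. It assumes Unbound as the resolver and uses two of Unbound's directives, `local-zone: "<name>." always_nxdomain` (answer NXDOMAIN for the name and everything under it) and `local-data: "<name>. A <ip>"` (answer with a fixed address). The hosts text inside the block is a constructed sample in the usual blocklist layout.

```python
"""Turn a hosts-file blocklist into Unbound local-zone / local-data lines.

Added example for this thread; not code from the original post, from
Unbound, or from any blocklist project. Assumes Unbound as the resolver.
The hosts text below is a constructed sample."""
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.example.net  tracker.example.org   # two names, one line
0.0.0.0     ads.example.net                        # duplicate entry
not-an-ip   garbage.example
192.0.2.10  intranet.example.com
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "broadcasthost"}
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text):
    """Yield unique (ip, hostname) pairs; comments, blanks, bad IPs and
    the loopback entries every hosts file carries are skipped."""
    seen = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ip = str(ipaddress.ip_address(ip))   # also normalises IPv6 spelling
        except ValueError:
            continue          # refuse to turn a malformed line into config
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or (ip, name) in seen:
                continue
            seen.add((ip, name))
            yield ip, name


def to_unbound(text, nxdomain=True):
    """Return the directives, one per line, sorted by name so diffs between
    blocklist versions stay readable. With nxdomain=True a sinkhole entry
    becomes a negative answer, which clients cache and never try to connect to."""
    out = {}
    for ip, name in sorted(parse_hosts(text), key=lambda p: (p[1], p[0])):
        if ip in SINKHOLES and nxdomain:
            line = 'local-zone: "%s." always_nxdomain' % name
        else:
            rtype = "AAAA" if ":" in ip else "A"
            line = 'local-data: "%s. %s %s"' % (name, rtype, ip)
        out[line] = None      # dict keeps insertion order and drops repeats
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_unbound(SAMPLE_HOSTS), end="")
```

Write the output to a file and pull it into the `server:` section of unbound.conf with `include:`. Returning NXDOMAIN rather than 0.0.0.0 is deliberate: clients cache the negative answer and never attempt a connection, and a `local-zone` covers subdomains that the hosts file would have to list one by one. The one caveat is that `always_nxdomain` on a name also hides anything legitimately under it, so check entries that are parent domains rather than single hostnames.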
Moscow, Russia
test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 Average
adguard 6 ms 8 ms 4 ms 8 ms 11 ms 5 ms 7 ms 4 ms 4 ms 22 ms 7.90
google2nd 4 ms 4 ms 5 ms 22 ms 30 ms 18 ms 3 ms 27 ms 3 ms 3 ms 11.90
yandex 5 ms 9 ms 5 ms 9 ms 87 ms 50 ms 9 ms 9 ms 5 ms 60 ms 24.80
google 3 ms 18 ms 3 ms 20 ms 29 ms 165 ms 3 ms 18 ms 3 ms 19 ms 28.10
cloudflare2nd 45 ms 44 ms 46 ms 44 ms 46 ms 44 ms 44 ms 45 ms 65 ms 48 ms 47.10
quad9 47 ms 48 ms 47 ms 48 ms 46 ms 57 ms 46 ms 44 ms 46 ms 45 ms 47.40
opendns 45 ms 47 ms 46 ms 59 ms 47 ms 45 ms 47 ms 49 ms 51 ms 44 ms 48.00
norton 52 ms 49 ms 53 ms 52 ms 58 ms 56 ms 51 ms 48 ms 54 ms 52 ms 52.50
cleanbrowsing 96 ms 48 ms 60 ms 46 ms 49 ms 46 ms 45 ms 49 ms 44 ms 46 ms 52.90
neustar 54 ms 56 ms 52 ms 59 ms 50 ms 57 ms 55 ms 57 ms 59 ms 54 ms 55.30
comodo 80 ms 88 ms 73 ms 113 ms 79 ms 75 ms 75 ms 74 ms 74 ms 90 ms 82.10
cloudflare 1000 ms 1000 ms 1000 ms 1000 ms 1000 ms 1000 ms 1000 ms 1000 ms 1000 ms 1000 ms 1000.00
From Waimanalo, Hawaii cloudflare times out:
test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 Average
192.168.50.1 154 ms 157 ms 154 ms 154 ms 154 ms 154 ms 156 ms 158 ms 155 ms 184 ms 158.00
cloudflare 1000 ms 1000 ms 1000 ms 1000 ms 1000 ms 1000 ms 1000 ms 1000 ms 1000 ms 1000 ms 1000.00
google 106 ms 82 ms 80 ms 158 ms 113 ms 148 ms 82 ms 107 ms 106 ms 81 ms 106.30
quad9 91 ms 99 ms 111 ms 106 ms 90 ms 97 ms 89 ms 91 ms 89 ms 88 ms 95.10
opendns 105 ms 81 ms 96 ms 120 ms 82 ms 110 ms 81 ms 115 ms 105 ms 83 ms 97.80
norton 82 ms 80 ms 82 ms 94 ms 84 ms 91 ms 82 ms 80 ms 82 ms 83 ms 84.00
cleanbrowsing 135 ms 158 ms 245 ms 136 ms 132 ms 132 ms 133 ms 138 ms 133 ms 145 ms 148.70
yandex 287 ms 389 ms 256 ms 256 ms 258 ms 256 ms 258 ms 257 ms 258 ms 255 ms 273.00
adguard 290 ms 270 ms 319 ms 295 ms 433 ms 340 ms 261 ms 351 ms 290 ms 264 ms 311.30
neustar 86 ms 82 ms 83 ms 84 ms 80 ms 90 ms 80 ms 81 ms 84 ms 83 ms 83.30
comodo 149 ms 148 ms 152 ms 152 ms 153 ms 148 ms 150 ms 147 ms 148 ms 151 ms 149.80
Quad9 has several IPs and different services, see (https://www.heise.de/imgs/18/2/3/1/7/9/4/7/quad9-feature-mat...). For some reason this is hidden on the quad9 website.
This tests the performance / distance between vps data centers and the dns server's data centers. imho it's better to have a test web page that consumers visit and establishes a tcp connection to those dns services and estimate the rtt of a single packet from the time it took to establish the connection, or test via the https interface for services that support it.
Anecdotally, I know a guy who runs a local Cloud provider in the greater-Beijing area (part of Hebei province). He told me Cloudflare has struck a deal with the government to have integration with them, presumably with a higher standard than normal tech providers.
That might explain why CloudFlare has good performance across the globe, which is in large part related to China.
https://pulse.turbobytes.com/results/5ac1f967ecbe4078c200ee4...
Cloudflare consistently times out from these networks.
Netherlands - AS13127
Philippines - AS135132
Thailand - AS17552 (One of the largest consumer internet providers)
US - AS7018 (AT&T)
What about services which use anycast/geolocation to decide where to serve you data from? They will get bad location data as they will get the location of the resolver. This can have a direct impact on services.
An example of my own is from about 10 years ago when Netflix started streaming. We got a Roku and signed up but the service was terrible due to the stream stopping to buffer every few minutes. After researching and trying several things I eventually came across the fact that the stream was coming from servers over a thousand miles away with pretty bad latency between. Long story short, I eventually figured out it was due to my using the level3 resolvers for DNS. As soon as I changed to our ISP's DNS servers it worked great and the data was streaming from very close.
What is the benefit to Google/CloudFlare of providing free DNS resolution? Why do they offer it?
Why is google DNS listed as "private"? They permanently log all of your DNS queries.
What I don't understand is how these services are offered at apparently no cost.
Sure, I expect Google is slurping all of my connections to help build an ad profile on me. But what about the other companies? They've got to keep the lights on somehow.
GRC's DNS Benchmark[0]
For anyone who wants to test their DNS servers. It is a Windows binary, but works fine on Wine.
Things to look for in comparing recursive DNS servers performance:
The 95%ile DNS response time for cached/uncached names. The 95%ile DNS response when one/some of the authoritative nameservers is "lame" or not responding. (better yet, 99%ile, but that requires even more queries...)
The average packet loss to the nameserver. (As many resolvers use the default of a 5s timeout, better resolvers use a 1s timeout, the best stub resolvers would use a dynamic timeout, but afaik, none do...).
Do they implement DNSSEC validation? What is their story for domains that break DNSSEC (eg: https://www.internetsociety.org/resources/deploy360/2014/cas...)?
Do they implement RFC7129 (authenticated denial of existence)? This can be used to prevent your service being used to attack an authoritative nameserver, prevents leaks of useless domains (eg machines looking up untitled.pdf as a domain), and allows you to return NXDOMAIN with much lower latency, making DNS search paths faster. RFC8020 (NXDOMAIN: There is really nothing underneath) would be another example where you can prevent leaking names, and return faster responses from a smaller cache (although I admit I've never seen anyone implement RFC8020 yet).
Will they accept (signed) responses into their cache in the additional section? Again, this can significantly reduce the time for uncached responses.
[hint: These are good reasons you should sign your domain, it can make things faster and reduce load on your authoritative nameserver!]
What is their story for domains that need a cache flush?
Do they (correctly) implement IPv6 from the recursive to the authoritative nameservers? Do they (correctly) implement IPv6 from the stub to the recursive nameserver?
How big is their cache? How long do things stay in their cache? There's no point being close to a nameserver with an empty cache. Querying www.google.com isn't really going to tell you much about their cache depth, nor is the Alexa 1M. You need a very very wide variety of names.
Do they provide good GeoIP responses? There's no point in getting an answer for the middle of the US in <1ms if you happen to be 300ms away in Asia somewhere. The DNS response was fast, but the webserver it sent you to is going to give you abysmal performance. This is often done with EDNS0-Client-Subnet, but it can also be fudged by making the outbound IPs for the iterative requests being diverse enough for different localities.
Do they "lie" about names? In what circumstances do they lie? Do they NXDOMAIN malicious domains? adult websites? ad domains? random websites? Do they redirect ad websites to their own ad farm? How do their lies handle DNSSEC?
Do they perform QNAME minimisation to help protect your queries from servers that don't need them?
What other features do they implement to make sure their cache is never poisoned?
What is their abuse plan? If I send them a vast number of queries what happens? Do they send back TrunCated responses and force me over TCP? Will they respond with SERVFAIL? Or will they drop the queries? Or will they pass them all through to the authoritative nameservers? Do I need to do anything (other than stop sending abusive amounts of load) to be unblocked? What if the reason I'm sending a large number of queries is because I'm a carrier grade NAT IP pool and I have one broken/bad user?
What is their reliability story? Is it expected that they will go down for 10 minutes every now and again?
What do they do about general Internet Hygiene? Do they have protections against being used for reflection attacks?
Do they do preemptive lookups to keep their cache warm or is someone always guaranteed to have to wait for the full resolution? How do they make sure they don't accidentally DoS authoritative nameservers with preemptive resolutions?
Things not to look for:
ICMP/mtr times are essentially meaningless, except as providing general information about routing decisions.
The mean response time, as it tends to be washed out by cached response times, and what you don't care about is if it takes 15ms or 17ms on average, as you can't perceive the difference. What you _do_ care about is if one nameserver has 1/5000 queries which take >1s as that will become a frequent noticeable problem when you're surfing.
Just looking at a few common names that are likely to be in the cache. Yes, those are important, but as with anything at scale, it's the long tail that's actually interesting and will dominate your perception of performance. You can set up your own domain, and search for random strings and force the full end-to-end query flow. (Beware about wildcard domains for this, if your domain is signed, in theory the nameserver could synthesize responses without going back to your nameserver).
Where are your vantage points for measurements? Many people appear to measure from places like AWS zones, and then report spectacular performance for DNS servers also hosted in the same AWS zones, despite most of their users not being hosted there.
Hmm, I'm sure there's more, but that's off the top of my head.
(Disclaimer: Once upon a time, I was one of the engineers oncall for Google Public DNS, so I have Opinions)
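The point about means being washed out, and timeouts being the thing that actually hurts, can be checked against the tables posted in this thread. The following is an added example, not the dnsperftest script itself or anything from the original posts: it parses rows in the same layout the script prints ("name N ms ... N ms average") and re-ranks resolvers by timeouts, then 95th percentile, then median, showing the mean only for comparison. The rows embedded in the block are copied from the NYC droplet results above; the one assumption is that a 1000 ms sample is a query that hit the script's timeout and should be counted as a failure rather than averaged in as latency.

```python
"""Re-rank a dnsperftest-style results table by tail latency instead of mean.

Added example for this thread, not part of the original benchmark script.
The rows in SAMPLE_TABLE are copied from the NYC results posted in the
thread. Assumption: a sample equal to TIMEOUT_MS is a query that hit the
script's timeout, so it is counted as a failure, not a latency."""
import math
import re
import statistics

TIMEOUT_MS = 1000
ROW = re.compile(r"^(\S+)((?:\s+\d+ ms)+)\s+[\d.]+\s*$")

SAMPLE_TABLE = """\
test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 Average
quad9 1 ms 2 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1.10
norton 6 ms 7 ms 7 ms 7 ms 8 ms 7 ms 6 ms 7 ms 7 ms 7 ms 6.90
opendns 20 ms 1 ms 1 ms 30 ms 2 ms 8 ms 1 ms 16 ms 15 ms 3 ms 9.70
google 17 ms 1 ms 1 ms 17 ms 1 ms 41 ms 1 ms 17 ms 18 ms 15 ms 12.90
cloudflare2nd 1 ms 2 ms 1 ms 1 ms 1000 ms 2 ms 2 ms 1 ms 2 ms 2 ms 101.40
"""


def parse_table(text):
    """Map resolver name -> list of per-query times in ms; the header and
    any line that is not a results row are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m.group(1)] = [int(t) for t in re.findall(r"(\d+) ms", m.group(2))]
    return rows


def percentile(samples, p):
    """Nearest-rank percentile (p in 0..100) of a non-empty sample list."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(samples):
    """Tail statistics over the answered queries, with timeouts counted separately."""
    ok = [t for t in samples if t < TIMEOUT_MS]
    return {
        "mean": round(statistics.fmean(samples), 2),   # what the script reports
        "median": statistics.median(ok) if ok else None,
        "p95": percentile(ok, 95) if ok else None,
        "max": max(ok) if ok else None,
        "timeouts": len(samples) - len(ok),
    }


def _sort_key(item):
    s = item[1]
    p95 = s["p95"] if s["p95"] is not None else math.inf
    median = s["median"] if s["median"] is not None else math.inf
    return (s["timeouts"], p95, median)


def rank(text):
    """Resolvers ordered by timeouts first, then p95, then median."""
    stats = {name: summarize(s) for name, s in parse_table(text).items()}
    return sorted(stats.items(), key=_sort_key)


if __name__ == "__main__":
    print("%-14s %8s %8s %6s %6s %8s" % ("resolver", "timeouts", "p95", "median", "max", "mean"))
    for name, s in rank(SAMPLE_TABLE):
        print("%-14s %8d %8s %6s %6s %8.2f" % (name, s["timeouts"], s["p95"], s["median"], s["max"], s["mean"]))
```

On the sample rows the mean says cloudflare2nd is a hundred times slower than quad9; the tail view says it answered nine queries as fast as quad9 did and dropped one, which is a different problem (a 10% failure rate in this run) and should be tracked as such rather than folded into an average. With ten samples per resolver the p95 is just the slowest answered query, so for a result that means anything you need many more queries against many more names than any of the tables here contain.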
Hi, could someone explain to me what this DNS stuff is about like I'm 5? How is it related to private browsing?
Hmmm. Off the bat, CloudFlare ICMP for me is worse than Google:
http://www.jaruzel.com/files/ICMP-CloudFlareDNS-vs-Google-te...
I'll stick with Google I think. UK/London btw.
Safari barfs on visiting https://1.1.1.1 as linked in the article. Certificate invalid (though it looks fine). Rather unfortunate regarding perception; it's an interesting service!
I let it (the story) sit a day after 4/1 just to make sure it wasn't really an April Fools' joke. But today I made it my primary DNS server and it's performing very well. Glad there's another player in the private DNS space.
I wonder how well 4.2.2.x compares...
Then again, a few ms of difference is unlikely to make any noticeable effect in real-world use cases where clients already have local DNS caching and the bulk of the time is data transfer, not DNS lookups.
No tests for Africa?
I've been using Quad9, if anything just because I feel Google already knows too much about me anyway. So far no complaints about it.
Why is Montreal reporting abnormally high response times across the board?
For example:
# Cloudflare Toronto 3.42ms vs. Montreal 17ms;
# Google Toronto 9.42ms vs. Montreal 16.71ms.
How do other services compare? Like https://blog.uncensoreddns.org/dns-servers/ https://dns.watch/ https://ipredator.se/page/services#service_dns
I wasn't aware of Quad9, it seems like a pretty great option for those that are easy targets of scams/phishing.
I switched all my devices to CloudFlare 'cause it's 2x faster than Google DNS in my location - Europe.
Will the website name in the certificate shared by the server during the handshake defeat the purpose of DNS over HTTPS?
Out of curiosity, are there any negatives for everyone to funnel their DNS traffic through a single provider? Might be paranoia, and it may in this case just be putting all of your traffic through company_a vs all of your traffic through company_b scenario, but I've been curious since this was announced.
Why is Montreal abnormally high for all services?
google is faster for me in the bay area from comcast network. Using both ping and dig for testing
It is blocked in Turkey.
Cloudflare it is then!
Thanks, great response times from my NYC droplet.
test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 Average
quad9 1 ms 2 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1.10
cloudflare 2 ms 1 ms 1 ms 2 ms 1 ms 1 ms 1 ms 2 ms 1 ms 1 ms 1.30
comodo 1 ms 2 ms 2 ms 3 ms 2 ms 1 ms 2 ms 1 ms 1 ms 2 ms 1.70
adguard 2 ms 2 ms 3 ms 2 ms 2 ms 2 ms 2 ms 2 ms 2 ms 2 ms 2.10
cleanbrowsing 2 ms 4 ms 2 ms 2 ms 2 ms 2 ms 14 ms 16 ms 2 ms 2 ms 4.80
norton 6 ms 7 ms 7 ms 7 ms 8 ms 7 ms 6 ms 7 ms 7 ms 7 ms 6.90
namecheap 7 ms 7 ms 7 ms 7 ms 7 ms 7 ms 7 ms 7 ms 7 ms 7 ms 7.00
neustar 8 ms 7 ms 7 ms 8 ms 9 ms 6 ms 7 ms 7 ms 7 ms 7 ms 7.30
namecheap2nd 8 ms 8 ms 7 ms 9 ms 9 ms 8 ms 10 ms 8 ms 8 ms 8 ms 8.30
opendns 20 ms 1 ms 1 ms 30 ms 2 ms 8 ms 1 ms 16 ms 15 ms 3 ms 9.70
google2nd 16 ms 1 ms 1 ms 17 ms 1 ms 24 ms 1 ms 16 ms 17 ms 14 ms 10.80
google 17 ms 1 ms 1 ms 17 ms 1 ms 41 ms 1 ms 17 ms 18 ms 15 ms 12.90
cloudflare2nd 1 ms 2 ms 1 ms 1 ms 1000 ms 2 ms 2 ms 1 ms 2 ms 2 ms 101.40
yandex 101 ms 102 ms 104 ms 101 ms 115 ms 103 ms 107 ms 100 ms 105 ms 136 ms 107.40
Not so much from my home ISP:
test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 Average
namecheap2nd 45 ms 45 ms 44 ms 45 ms 48 ms 45 ms 45 ms 46 ms 48 ms 45 ms 45.60
cloudflare2nd 45 ms 49 ms 48 ms 47 ms 45 ms 44 ms 45 ms 45 ms 46 ms 46 ms 46.00
namecheap 46 ms 48 ms 48 ms 44 ms 45 ms 45 ms 46 ms 45 ms 45 ms 48 ms 46.00
cleanbrowsing 46 ms 46 ms 44 ms 56 ms 45 ms 44 ms 48 ms 46 ms 44 ms 46 ms 46.50
google2nd 49 ms 47 ms 47 ms 45 ms 51 ms 47 ms 46 ms 44 ms 43 ms 46 ms 46.50
comodo 46 ms 47 ms 48 ms 49 ms 46 ms 47 ms 44 ms 45 ms 47 ms 50 ms 46.90
adguard 49 ms 48 ms 45 ms 46 ms 46 ms 48 ms 49 ms 48 ms 48 ms 48 ms 47.50
google 46 ms 49 ms 47 ms 47 ms 45 ms 47 ms 47 ms 49 ms 44 ms 67 ms 48.80
opendns 47 ms 46 ms 47 ms 64 ms 48 ms 49 ms 46 ms 64 ms 64 ms 48 ms 52.30
cloudflare 44 ms 48 ms 45 ms 50 ms 48 ms 110 ms 45 ms 48 ms 45 ms 47 ms 53.00
quad9 46 ms 49 ms 45 ms 47 ms 49 ms 153 ms 46 ms 45 ms 48 ms 46 ms 57.40
neustar 66 ms 66 ms 66 ms 67 ms 66 ms 66 ms 66 ms 67 ms 66 ms 67 ms 66.30
norton 91 ms 67 ms 67 ms 67 ms 66 ms 66 ms 67 ms 66 ms 67 ms 67 ms 69.10
yandex 176 ms 279 ms 176 ms 174 ms 188 ms 178 ms 179 ms 176 ms 174 ms 179 ms 187.90
Does anyone actually believe that google isn't hoovering up personal data with its DNS service?
I feel like people forgot about how CloudFlare, Google, et al. can now effectively censor content they don't agree with:
https://fightthefuture.org/article/the-new-era-of-corporate-...
..and even though CloudFlare back pedaled on that particular decision somewhat, it still happened.
If you really want something fast and secure, run your own caching DNS that uses root DNS servers.
Is DNS configuration ever considered as a factor in "DNS performance"? IME as an end user, it makes a significant difference.
For example if it takes seven queries to resolve a name "A" versus two queries to look up a name "B", then in almost all cases, irrespective of the distance to a cache, looking up A is going to be noticeably slower than looking up B. Indirection is only one example. Even worse are configurations that knowingly trigger retries and wait for client timeouts in order to present a client with a particular nameserver.
Indirection and other "DNS tricks" come at a cost. IME, these are not compensated for via the proximity of a cache.
There's a lot more to consider than just performance when deciding whom to share your browsing habits with. Why would you choose Cloudflare or Google?
This isn't an endorsement of Quad9 or OpenDNS; I just don't know enough about them. However, the fact that Cloudflare and Google are privacy-and-security nightmares is well documented.
OpenNIC offers DNSCrypt.
but why would you compare something like cloudflare which is a DDOS prevention service to DNS service?
Google and Privacy=Yes ... sure.
I presume that Google uses this as part of it's surveillance operation.
dig +noall +stats @1.0.0.1 news.ycombinator.com
dig +noall +stats @1.1.1.1 news.ycombinator.com
dig +noall +stats @208.67.220.220 news.ycombinator.com
dig +noall +stats @208.67.222.222 news.ycombinator.com
dig +noall +stats @8.8.4.4 news.ycombinator.com
dig +noall +stats @8.8.8.8 news.ycombinator.com
Fixed? =P
I removed some of the records from the article after reading some of the comments here. Cloudflare, Google, and OpenDNS only.
Kind of cool, I switched it up and ran it against 10 sites I frequent... was pretty impressed to see how well OpenDNS was doing.
Pushed a shell script to compare all of them from your location:
https://github.com/cleanbrowsing/dnsperftest