Our evaluation of public DNS services began in May 2015, when DNS expert Mehmet Akcin contributed a guest post comparing the performance of top public DNS providers based on latency measurements to each of their servers. We then reprised his work last year, which revealed similar results in overall rankings (Google’s 184.108.40.206 led in both reports).
But a lot has changed since last year. The big news, announced on April Fools’ Day of this year, was Cloudflare’s launch of its public DNS service 220.127.116.11, which it touts not only for its high performance, but also its security and privacy.
Given the growth of IPv6, we also decided to expand the scope of our measurements to include IPv6 DNS services. We’ll be covering IPv6 performance in an upcoming blog post.
Today, we’re going to unpack our results from measuring the performance of eleven popular public DNS providers, including recently launched Cloudflare. We hope the presented conclusions will help you make an informed decision of provider based on where you’re located.
Why is DNS Important?
The Domain Name System (DNS) is fundamental to how the Internet works today. It’s effectively the Internet’s phonebook, mapping human-readable domain names to IP addresses. If a site’s DNS record is unavailable, the service is unreachable to users. DNS performance is also critical to overall user experience, as it’s one of multiple steps that’s needed to successfully load a service. Latency to the DNS server adds to overall time to page load.
Why Use Public DNS?
By default, DNS services will be provided by your Internet service provider, but there are many reasons why you would want to change your DNS settings to point to a different, third-party service. ISPs may not have reliable DNS performance, and many lack sufficient encryption mechanisms, leaving DNS query traffic vulnerable to compromise. They may also collect DNS query data from their users, although this may also be a concern with some public DNS services.
Overall, public DNS providers often offer superior speed and security, and if you live in a country where censorship is an issue, a public DNS service may also help you avoid government or ISP restrictions.
We gathered performance data by conducting latency tests to the primary DNS server IP address for each provider. Our tests send a resolution request every hour from more than 1000 vantage points in almost 50 countries and 200 networks (autonomous systems). Each vantage point measures the latency between it and the nearest recursive resolver for each public DNS provider.
Measurements were taken for eleven public DNS providers: Cloudflare, Comodo, DNS.WATCH, Dyn, FreeDNS, Google, Level 3, OpenDNS, OpenNIC, SafeDNS and Verisign. We collected data over the course of 30 days—between June 28 and July 28—which resulted in more than 700,000 data points for each of these providers.
Results: Newcomer Cloudflare Bests Them All
Looking at average latency to all of the providers across all geographic regions, Cloudflare leads with an overall mean latency of 18.46 ms, followed by last years lead, Google, at 24 ms.
While Google did not take the lead this year, its overall performance improved, as its average latency dropped from 32.94 ms last year. OpenDNS also improved over last year—dropping to 30.42 ms average latency from 44.98 ms. Dyn held steady behind Google and OpenDNS, even though its average latency increased to 58.96 ms from 44.98 ms last year. SafeDNS broke into the top five this year, a huge leap considering it came in last in our 2017 comparison.
If we look at mean latency over time, we see that overall performance is relatively stable, particularly for the top five performers. One obvious exception is DNS.WATCH, where we observed extremely high latency between July 14-18. It’s unclear what led to this prolonged performance degradation, but once resolved, it returned to its previous performance baseline, which slightly outperformed FreeDNS.
Figure 3 shows average latency over time for all providers except DNS.WATCH. The top three providers had predictable latency through the entire test period, while other providers like Level 3 and Comodo had more erratic performance.
In the table below, you can see that the top providers had lower average latency variability, while those providers ranked near the bottom of the rankings had a higher performance variability. So top providers not only had better average performance, they were also more consistently high performing.
While Cloudflare leads globally, there are variations across regions and countries. The below table shows mean latency broken out by continent for each provider. Cloudflare and Google basically split the map: Google has a slight edge in performance for North America and Latin America, but Cloudflare leads in Europe and Asia.
On a country level, Cloudflare and Google fare well, with a few exceptions on each side. Russia and India in particular have increased latency connecting to Cloudflare, while Google has increased latency in Ukraine and Romania. Mexico and Turkey have high latency connecting to both providers.
Comparing Primary and Secondary Server Performance
Across the top ranked providers, we also looked at the performance of their secondary DNS service address. Comparing latency to Google’s 18.104.22.168 (Google B) and Cloudflare’s 22.214.171.124 (Cloudflare B) alongside the primary service address of these providers.
Performance is similar between the primary and secondary service, with less than a 2 ms gap between them, with the exception of Google’s 126.96.36.199 in APAC, which is on average 6.56 ms faster.
A Closer Look at Cloudflare
Cloudflare is one of the top Content Delivery Network (CDN) providers, so it’s able to leverage its massive network of over 150 data centers around the globe to resolve queries very close to end users. If we look at the hop-by-hop network path between monitoring points in multiple cities and 188.8.131.52, we can see that records are being served up very close to where the query is originating—in most cases in the same city. Cloudflare accomplishes this using anycast, which directs users to the optimal data center in order to minimize latency.
In figure 8, we can see that multiple locations are serving up 184.108.40.206. These locations match the locations of the querying agents. The penultimate hop also shows that queries are getting served from the same city or a neighboring city.
Aside from performance, there may be other reasons to consider Cloudflare (or a similar provider), namely privacy and security. Cloudflare states that it purges its DNS logs after 24 hours to maintain the privacy of its users. It also limits the amount of information shared with queried servers by using query name (QNAME) minimization (RFC 7816), which can reduce the risk of data leakage. QNAME minimization truncates a query name to the portion that is relevant to the zone being queried, thereby limiting the amount of information shared with each queried server. For example, with a query for the A record of thousandeyes.com, Cloudflare would only send the .com portion of the query name to a root nameserver and ask for NS records, since the root server can provide only that information.
Cloudflare also supports encryption for DNS resolution, using DNS over TLS or DNS over HTTPS (DoH). Bear in mind, however, that neither of these encryption methods are straightforward to setup. Unless you’re willing to spin up a local server or modify your operating system’s resolver libraries (for DNS over TLS), or do some advanced configuration of a browser like Firefox or install its beta 62 version (for DoH), you’re out of luck in taking advantage of the in-transit protection these options can offer. Given the complexities of using these encryption mechanisms, their current value may be limited, particularly for the average consumer.
In our 2017 comparison, we predicted that Google would remain in the lead due to its sizeable geographic reach—but what a difference a year makes. Cloudflare’s 220.127.116.11, which only launched four months ago, has toppled Google in overall performance. Google’s 18.104.22.168 still offers compelling performance, however, and remains #1 in North America over Cloudflare.
We intend to make these public DNS provider assessments a more frequent part of our Internet research offerings, so stay tuned. We’re also going to be reevaluating the providers we include in our next round, so if you have candidates you’d like to propose, please let us know. We’ll be covering IPv6 DNS service performance for a selection of public DNS resolvers, which will be our inaugural report on these offerings. You won’t want to miss it, so be sure to subscribe to our blog to get notified when it’s available.