One Resolver to Rule Them All: Ranking the Performance of Public DNS Providers

Posted by on August 1st, 2018
August 14th, 2018

Our evaluation of public DNS services began in May 2015, when DNS expert Mehmet Akcin contributed a guest post comparing the performance of top public DNS providers based on latency measurements to each of their servers. We then reprised his work last year, which revealed similar results in overall rankings (Google’s 8.8.8.8 led in both reports).

But a lot has changed since last year. The big news, announced on April Fools’ Day of this year, was Cloudflare’s launch of its public DNS service 1.1.1.1, which it touts not only for its high performance, but also its security and privacy.

Given the growth of IPv6, we also decided to expand the scope of our measurements to include IPv6 DNS services. We’ll be covering IPv6 performance in an upcoming blog post.

Today, we’re going to unpack our results from measuring the performance of eleven popular public DNS providers, including the recently launched Cloudflare 1.1.1.1. We hope the conclusions presented here will help you make an informed choice of provider based on where you’re located.

Why is DNS Important?

The Domain Name System (DNS) is fundamental to how the Internet works today. It’s effectively the Internet’s phonebook, mapping human-readable domain names to IP addresses. If a site’s DNS record is unavailable, the service is unreachable to users. DNS performance is also critical to overall user experience, since a lookup is one of several steps needed to load a service and nothing else can start until the name has resolved: latency to the DNS server adds directly to the time to page load.

Why Use Public DNS?

By default, DNS resolution is provided by your Internet service provider, but there are several reasons to point your DNS settings at a third-party service instead. ISP resolvers may not deliver reliable performance, and classic DNS over UDP port 53 is unencrypted, so every query is visible to, and spoofable by, anyone on the path between you and the resolver. ISPs may also collect DNS query data from their users; note that the same concern applies to some public DNS services, and that switching resolvers only helps against on-path observation if you also use an encrypted transport such as DNS over TLS or DNS over HTTPS.

Overall, public DNS providers often offer superior speed and security, and if you live in a country where censorship is an issue, a public DNS service may help you get around DNS-based blocking by your government or ISP (it does nothing against blocking that inspects or redirects the traffic itself).

Methodology

We gathered performance data by conducting latency tests to the primary DNS server IP address for each provider. Our tests send a resolution request every hour from more than 1000 vantage points in almost 50 countries and 200 networks (autonomous systems). Each vantage point measures the round-trip latency between it and the recursive resolver instance its network routes to for each public DNS provider; for the anycast providers, that instance is whichever one BGP selects for that vantage point, which is usually, but not always, the geographically closest one.

Measurements were taken for eleven public DNS providers: Cloudflare, Comodo, DNS.WATCH, Dyn, FreeDNS, Google, Level 3, OpenDNS, OpenNIC, SafeDNS and Verisign. We collected data over the course of 30 days—between June 28 and July 28—which resulted in more than 700,000 data points for each of these providers.
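To show what a single vantage point does in this methodology, here is an added example, not ThousandEyes’ agent code: it hand-builds a DNS query in wire format, sends it over UDP/53, times the round trip, checks that the reply is really the answer to our question (matching transaction ID and QR bit, which is also the minimal defence against stray or spoofed replies), and then ranks providers by mean latency with the standard deviation and loss fraction alongside, the same view used later for the variability comparison. The two resolver addresses are the providers’ published primaries; the probe list, query name and timeout are assumptions for the demo, and the statistics functions are exercised on constructed samples.

```python
"""Minimal DNS latency probe: hand-built UDP/53 query, reply check, ranking stats.

Added example for this article; it is not ThousandEyes' agent code. Resolver
addresses are the providers' published primaries; everything else is assumed.
"""
import os
import socket
import statistics
import struct
import time
from typing import Dict, List, Optional, Tuple

# Hypothetical probe list for the demo: provider name -> primary resolver address.
RESOLVERS = {"Cloudflare": "1.1.1.1", "Google": "8.8.8.8"}


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode a recursive query (RD=1, QCLASS=IN) for qname in DNS wire format."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")  # random ID: basic spoof resistance
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_reply(data: bytes, expected_txid: int) -> Dict[str, object]:
    """Decode the header fields we care about; reject stray or spoofed replies."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return {"rcode": flags & 0x000F, "answers": an, "truncated": bool(flags & 0x0200)}


def probe(server: str, qname: str, timeout: float = 2.0) -> Optional[float]:
    """One UDP/53 round trip to server; returns latency in ms, or None on timeout."""
    query = build_query(qname)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
        elapsed_ms = (time.perf_counter() - start) * 1000.0
    parse_reply(data, txid)  # raises if the reply is not ours or not a response
    return elapsed_ms


def summarize(samples: Dict[str, List[Optional[float]]]) -> List[Tuple[str, float, float, float]]:
    """Rank providers by mean latency; also report stdev (consistency) and loss."""
    rows = []
    for name, values in samples.items():
        ok = [v for v in values if v is not None]
        loss = 1.0 - len(ok) / len(values) if values else 1.0
        mean = statistics.fmean(ok) if ok else float("inf")
        stdev = statistics.pstdev(ok) if len(ok) > 1 else 0.0
        rows.append((name, mean, stdev, loss))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    # Five probes per provider from this vantage point; needs network access.
    results = {name: [probe(ip, "thousandeyes.com") for _ in range(5)]
               for name, ip in RESOLVERS.items()}
    for name, mean, stdev, loss in summarize(results):
        print(f"{name:10s} mean={mean:7.2f} ms  stdev={stdev:6.2f} ms  loss={loss:.0%}")
```

A single probe measures the path to whichever anycast instance your network routes to, so numbers from one machine say nothing about another region; the ranking only becomes meaningful when the same probe runs from many vantage points over time, which is what the 700,000 data points per provider above represent.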

Results: Newcomer Cloudflare Bests Them All

Looking at average latency to all of the providers across all geographic regions, Cloudflare leads with an overall mean latency of 18.46 ms, followed by last year’s leader, Google, at 24 ms.

Table with average DNS provider latency across geographic regions
Figure 1: Average provider latency across all geographic regions (2018).

While Google did not take the lead this year, its overall performance improved, as its average latency dropped from 32.94 ms last year. OpenDNS also improved over last year—dropping to 30.42 ms average latency from 44.98 ms. Dyn held steady behind Google and OpenDNS, even though its average latency increased to 58.96 ms from 44.98 ms last year. SafeDNS broke into the top five this year, a huge leap considering it came in last in our 2017 comparison.

If we look at mean latency over time, we see that overall performance is relatively stable, particularly for the top five performers. One obvious exception is DNS.WATCH, where we observed extremely high latency between July 14-18. It’s unclear what led to this prolonged performance degradation, but once resolved, it returned to its previous performance baseline, which slightly outperformed FreeDNS.

Chart with DNS provider latency over time
Figure 2: Provider performance was relatively stable for the duration of the test period, with the exception of DNS.WATCH.

Figure 3 shows average latency over time for all providers except DNS.WATCH. The top three providers had predictable latency through the entire test period, while other providers like Level 3 and Comodo had more erratic performance.

Detailed chart with DNS provider latency over time
Figure 3: Provider performance over time (not showing DNS.WATCH).

In the table below, you can see that the top providers also had lower latency variability, while those ranked near the bottom showed much wider swings. So the top providers not only had better average performance, they were also more consistent.

Table with detailed performance metrics for top DNS providers
Figure 4: Top providers have relatively stable performance, with less variance.

While Cloudflare leads globally, there are variations across regions and countries. The table below shows mean latency broken out by continent for each provider. Cloudflare and Google basically split the map: Google has a slight edge in North America and Latin America, while Cloudflare leads in Europe and Asia.

Table with latency of DNS providers across different regions
Figure 5: Cloudflare and Google share top performance across different regions.

On a country level, Cloudflare and Google both fare well, with a few exceptions on each side. Russia and India in particular see higher latency to Cloudflare, while Google has higher latency in Ukraine and Romania. Mexico and Turkey have high latency to both providers.

World maps with latency of Cloudflare and Google DNS
Figure 6: Cloudflare and Google have consistently high performance from vantage points around the world, with a few exceptions for each.

Comparing Primary and Secondary Server Performance

Across the top-ranked providers, we also looked at the performance of their secondary DNS service address, comparing latency to Google’s 8.8.4.4 (Google B) and Cloudflare’s 1.0.0.1 (Cloudflare B) alongside the primary service address of each provider.

Performance is similar between the primary and secondary service, with less than a 2 ms gap between them, with the exception of Google’s 8.8.4.4 in APAC, which is on average 6.56 ms faster.

Comparison table of latency for primary and secondary DNS servers for Cloudflare and Google
Figure 7: Mean latency by continent for Google and Cloudflare primary and secondary DNS service addresses.

A Closer Look at Cloudflare

Cloudflare is one of the top Content Delivery Network (CDN) providers, so it’s able to leverage its network of over 150 data centers around the globe to answer queries very close to end users. If we look at the hop-by-hop network path between monitoring points in multiple cities and 1.1.1.1, we can see that answers are being served from very close to where the query originates, in most cases from the same city. Cloudflare accomplishes this using anycast: the same 1.1.1.1 prefix is announced via BGP from every data center, so each user’s packets are routed to the topologically nearest instance, which minimizes latency. One consequence for measurement is that the "1.1.1.1" a vantage point reaches is not one machine but whichever instance its network’s routing selects.

In figure 8, we can see that multiple locations are serving up 1.1.1.1. These locations match the locations of the querying agents. The penultimate hop also shows that queries are getting served from the same city or a neighboring city.

Path visualization for Cloudflare DNS
Figure 8: Our path visualization shows Cloudflare’s DNS service resolving queries in the same city or neighboring city as the monitoring points.

Aside from performance, there may be other reasons to consider Cloudflare (or a similar provider), namely privacy and security. Cloudflare states that it purges its DNS logs after 24 hours to maintain the privacy of its users. It also limits the amount of information shared with queried servers by using query name (QNAME) minimization (RFC 7816), which can reduce the risk of data leakage. QNAME minimization truncates a query name to the portion that is relevant to the zone being queried, thereby limiting the amount of information shared with each queried server. For example, with a query for the A record of thousandeyes.com, Cloudflare would only send the .com portion of the query name to a root nameserver and ask for NS records, since the root server can provide only that information.
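To make the mechanism concrete, here is an added example (not Cloudflare’s resolver code) that simulates which query each authoritative server receives with classic iteration versus QNAME minimization. The delegation tree and the name server ns1.thousandeyes.example are constructed for the demo; a real resolver discovers zone cuts from NS referrals as it goes. It also covers a case RFC 7816 has to handle that the article’s example does not show: a name with extra labels inside one zone, where the server answers NODATA and the resolver keeps adding labels at the same server.

```python
"""QNAME minimization (RFC 7816) vs. classic iteration: what each server sees.

Added example for this article; it is not Cloudflare's resolver code. The
delegation map is a constructed toy and the server names are hypothetical.
"""
from typing import Dict, List, Tuple

# Constructed toy delegation tree: zone apex -> authoritative server for that zone.
TOY_ZONE_CUTS = {
    ".": "a.root-servers.net",
    "com.": "a.gtld-servers.net",
    "thousandeyes.com.": "ns1.thousandeyes.example",  # hypothetical name server
}

Query = Tuple[str, str, str]  # (server asked, qname sent, qtype sent)


def _normalize(name: str) -> str:
    return name.rstrip(".").lower() + "."


def _ancestors(qname: str) -> List[str]:
    """Names from the root down to qname: '.', 'com.', 'thousandeyes.com.', ..."""
    labels = [l for l in _normalize(qname).split(".") if l]
    out = ["."]
    for i in range(len(labels) - 1, -1, -1):
        out.append(".".join(labels[i:]) + ".")
    return out


def resolve_classic(qname: str, qtype: str = "A",
                    zone_cuts: Dict[str, str] = TOY_ZONE_CUTS) -> List[Query]:
    """Traditional iteration: the full qname and qtype go to every server on the path."""
    qname = _normalize(qname)
    # Each server on the path sees the complete question before referring us onward.
    return [(zone_cuts[name], qname, qtype) for name in _ancestors(qname) if name in zone_cuts]


def resolve_minimized(qname: str, qtype: str = "A",
                      zone_cuts: Dict[str, str] = TOY_ZONE_CUTS) -> List[Query]:
    """RFC 7816 style: reveal one more label per step, asking for NS, and send the
    full name with the real qtype only to the server closest to it."""
    qname = _normalize(qname)
    chain = _ancestors(qname)
    sent: List[Query] = []
    zone = "."   # closest zone cut we currently know
    idx = 0      # position in chain of the last name we asked about
    while True:
        server = zone_cuts[zone]
        if idx + 1 == len(chain):  # only when qname is the root itself
            sent.append((server, qname, qtype))
            return sent
        nxt = chain[idx + 1]
        if nxt == qname:  # last label: now send the real question
            sent.append((server, qname, qtype))
            if qname in zone_cuts and zone != qname:  # server refers us to the child apex
                sent.append((zone_cuts[qname], qname, qtype))
            return sent
        sent.append((server, nxt, "NS"))
        if nxt in zone_cuts:  # referral: follow the delegation
            zone = nxt
        # otherwise NODATA: nxt lies inside `zone`, keep asking the same server
        idx += 1


def names_seen(sent: List[Query]) -> Dict[str, List[str]]:
    """Per server, which query names it saw (the information disclosed to it)."""
    seen: Dict[str, List[str]] = {}
    for server, name, _ in sent:
        seen.setdefault(server, []).append(name)
    return seen


if __name__ == "__main__":
    for target in ("thousandeyes.com", "a.b.thousandeyes.com"):
        print(f"== {target}")
        print("  classic:  ", names_seen(resolve_classic(target)))
        print("  minimized:", names_seen(resolve_minimized(target)))
```

Running it shows that with minimization the root only ever sees com. and the .com servers only thousandeyes.com.; any host labels reach nothing but the domain’s own authoritative server. The simplification versus a production resolver is that RFC 7816 also has to cope with servers that mishandle NS queries for names inside their zone (some answer REFUSED or NXDOMAIN for a name that exists), which is why real implementations fall back to sending the full name when a minimized query fails.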

Cloudflare also supports encrypted DNS resolution, using DNS over TLS or DNS over HTTPS (DoH). Bear in mind, however, that neither of these encryption methods is straightforward to set up. Unless you’re willing to spin up a local stub resolver or modify your operating system’s resolver configuration (for DNS over TLS), or do some advanced configuration of a browser like Firefox or install its beta 62 version (for DoH), you’re out of luck in taking advantage of the in-transit protection these options offer. Given the complexity of using these encryption mechanisms, their current value may be limited, particularly for the average consumer. Note also what they do and do not protect: both encrypt the hop between your device and the resolver, hiding queries from your ISP and other on-path observers, but the resolver itself still sees every query, and the resolver’s own lookups toward authoritative servers remain plaintext, which is where QNAME minimization does its work.

Figure 9: Homer realizing the need for secure DNS query transport.

Takeaway

In our 2017 comparison, we predicted that Google would remain in the lead due to its sizeable geographic reach—but what a difference a year makes. Cloudflare’s 1.1.1.1, which only launched four months ago, has toppled Google in overall performance. Google’s 8.8.8.8 still offers compelling performance, however, and remains #1 in North America over Cloudflare.

What’s Next?

If you want to dig even deeper into the data (including country-specific metrics), check out a snapshot of our 2018 report, which you can compare to our 2017 report.

We intend to make these public DNS provider assessments a more frequent part of our Internet research offerings, so stay tuned. We’re also going to be reevaluating the providers we include in our next round, so if you have candidates you’d like to propose, please let us know. We’ll be covering IPv6 DNS service performance for a selection of public DNS resolvers, which will be our inaugural report on these offerings. You won’t want to miss it, so be sure to subscribe to our blog to get notified when it’s available.
