Testing 36200 DNS servers
IntroductionDNS is an important part of the Internet and the speed and security are paramount for a good browsing experience. I thought it would be a good idea to scan the internet for DNS servers and test every single one of them. However, the latency of a particular DNS server depends highly on the distance and connection technology between you and the DNS server, and since I'm geographically located in Denmark, the results speed-wise only pertain to people located in/around Denmark.
Testing methodologyI scanned the IPv4 Internet using NMap on port 53/UDP and stopped the scan after a few hours. The results were DNS 36200 servers, some of which are owned by ISPs, companies and a whole lot of private people. Since the IP scan was randomized, it should represent a good sample.
Almost all DNS servers have some sort of caching mechanism that makes sure requested DNS names are kept for as long as the Time-To-Live (TTL) as defined by the domain owner. To ensure we don't just test a bunch of cached entries, we need to test uncached domains as well.
Reliability is also important, so we need to register when a query is dropped. The drop might be from a router between us and the DNS server, or it might be the DNS server itself, so we can't exactly measure the reliability of a particular server, but a high rate of dropped packets will disqualify never the less.
Security is also an important factor, and there are 2 main things to look for:
There are a bunch of "known good" DNS servers out there that has a good reputation for being stable and fast. I added them to the list, just to make sure we test them as well.
- Google: 220.127.116.11
- OpenDNS: 18.104.22.168
- Level3: 22.214.171.124
- UltraDNS: 126.96.36.199
Note that I did not add secondary clusters for each of the nameservers.
Performing the test
GRC has a DNS benchmark tool that accomplishes the cached, non-cached and reliability tests, but it only supports 200 nameservers at the same time. I split the list into chunks and used the command line to automate checking 200 servers at the time.
After it finished running, I sorted the lists by average response time and ended up with the 200 fastest DNS servers. I then ran the test again on those servers and ended up with the 10 fastest DNS servers.
Each of those 10 servers then went through a DNSSEC validation test:
- dig sigok.verteiltesysteme.net @<DNS IP HERE> (should return NOERROR)
- dig sigfail.verteiltesysteme.net @<DNS IP HERE> (should return SERVFAIL)
The 10 servers were then subjected to the DNS spoofability test over at GRCs DNS page to determine the source port and transaction ID entropy.
The table below is ordered from fastest to slowest based on the average response time.
|188.8.131.52||ipweb.dk||No||N/A (rate limit)|
|184.108.40.206||Welcom Hosting Aps||Yes||Moderate|
If we take a look at just the popular DNS servers - as above, order by latency relative to my geographical location.
ConclusionIt seems TDC's DNS server is the fastest but unfortunately it has bad anti-spoofing capabilities. It seems there is no clear winner regarding speed and security. UltraDNS has the best security but was also the slowest (70% slower than TDC) of the servers in relation to my geographical location. I'm sure that people located closer to the servers will have lower latency, and then UltraDNS becomes the clear winner.
In the end, there is little to no difference between the top 10 DNS servers and even the 4 popular servers. Run a test yourself to see just how big the difference is between your current DNS server and the popular ones, maybe there is better latency and a little more secuirty to get.