Apples and Oranges


steveshank (New member), Sep 30, 2024
It seems to me that a differentiation should be made between resolvers that scan lists for malware sites, those that do extensive scanning with custom lists, and those that do no scanning. My observations are that 1.1.1.1 is faster than 1.1.1.2 but that is because of checking a badware list. Furthermore, if a resolver like adguard or controlD or nextDNS is used, it SHOULD be slower than resolvers that don't check. Speed is not always the best measure.
 
"... a differentiation should be made between resolvers that scan lists for malware sites, those that do extensive scanning with custom lists, and those that do no scanning. My observations are that 1.1.1.1 is faster than 1.1.1.2 but that is because of checking a badware list. Furthermore, if a resolver like adguard or controlD or nextDNS is used, it SHOULD be slower than resolvers that don't check. Speed is not always the best measure ..."

The challenge may be how to independently test whether a DNS Nameserver resolver is filtering, what it is filtering, and how successfully and how competitively it does so compared to others.

Like testing anti-malware services: one may kill ALL cookies and claim thousands of successes, while another may intelligently scrutinize those cookies, realize they are legitimate for our intended relationships with sites and vendors, and then get a lesser 'rating' for how much malware was found.

Suggestions on how to test and compare filtering DNS Nameserver resolvers?

- - - - -

Q: Google, how can we test the effectiveness of filtering DNS Nameserver resolvers?

A: Test DNS filter effectiveness by querying known malicious/blocked domains (e.g., using dig or nslookup), verifying expected blocks (NXDOMAIN, 0.0.0.0, or specific IPs), and using automated tools or scripts to compare results against a baseline, ensuring legitimate traffic still resolves. [1, 2, 3, 4]

Testing methods

  • Manual Querying (CLI): Use nslookup or dig (Linux/macOS) to query a specific, known-bad domain against your filtered resolver and an unfiltered public one (like ).
    • Example:
      $ dig @your_filtered_dns_IP malicious-domain.com
      (Should return nothing, NXDOMAIN, or an error/filtered IP.)
  • Automated Scripting: Create a script (Bash/Python) to automate queries for lists of malicious and benign domains, logging if the filtering resolver blocks the bad ones and allows the good ones.
  • Dedicated Tools: Use specialized tools or services designed for DNS benchmarking/testing (e.g., GRC's Domain Name Speed Benchmark, Pingdom DNS tests), which can highlight performance and configuration issues.
  • Browser-Based Verification: For content-filtering DNS (like CleanBrowsing), visit a non-existent or blocked domain in a browser or use a DNS leak test site to verify the correct DNS service is being used.
  • Packet Capture (Wireshark): Analyze DNS traffic to see if queries for blocked domains are answered correctly (e.g., no response, or an unexpected IP). [1, 2, 3, 4, 5]
Expected outcomes
  • Effective: The filtered resolver returns no record (NXDOMAIN), a specific sinkhole IP (e.g., 0.0.0.0, 127.0.0.1), or the IP of a block page for malicious domains, while still resolving safe domains.
  • Ineffective: The filtered resolver returns the actual IP address of the malicious domain, just like an unfiltered resolver. [3, 4, 6, 7]
AI responses may include mistakes.
[1] https://cleanbrowsing.org/help/docs/verify-cleanbrowsing-dns-configuration/
[2] https://serverfault.com/questions/185918/is-there-an-easy-way-to-periodically-test-dns
[3] https://serverfault.com/questions/91063/how-do-i-benchmark-performance-of-external-dns-lookups
[4] https://techblog.nexxwave.eu/public-dns-malware-filters-tested-in-september-2024/
[5] https://www.senki.org/network-operations-scaling/dns-latency-and-performance-test-tools/
[6] https://www.titanhq.com/blog/4-myths-about-dns-filtering-and-some-truth/
[7] https://www.mdpi.com/2079-9292/11/8/1276
 
It seems to me that a differentiation should be made between resolvers that scan lists for malware sites, those that do extensive scanning with custom lists, and those that do no scanning. My observations are that 1.1.1.1 is faster than 1.1.1.2 but that is because of checking a badware list. Furthermore, if a resolver like adguard or controlD or nextDNS is used, it SHOULD be slower than resolvers that don't check. Speed is not always the best measure.
My observations are that measured performances of servers at big providers such as Cloudflare are about the same across their offerings; the non-filtered option, i.e. 1.1.1.1, is not always observed to be above its filtered counterparts 1.1.1.2/3. Their performance is close enough to each other that, taking into account real-world use and constantly changing regional network traffic conditions (congestion/jitter), the difference is not noticeable.

PS: my measured Cloudflare servers (or any other anycast-IP-based servers) might not be the same as the ones you are measuring. Tools like DNSB exist to help you make your own measurements.

(Screenshot attached: Screenshot 2025-12-10 020558.png)
 
It seems to me that a differentiation should be made between resolvers that scan lists for malware sites, those that do extensive scanning with custom lists, and those that do no scanning. My observations are that 1.1.1.1 is faster than 1.1.1.2 but that is because of checking a badware list. Furthermore, if a resolver like adguard or controlD or nextDNS is used, it SHOULD be slower than resolvers that don't check. Speed is not always the best measure.
Hi Steve,

I agree COMPLETELY and earlier in the development I HAD a feature that attempted to detect when a resolver was further helping its user by filtering "bad" IPs.

The trouble was, I was unable to design a reliable means of doing that. The idea would be to compare a resolver's reply to an attempted malicious domain lookup and compare that with a known unfiltered reply. The problem was, in today's internet, obtaining the list of unfiltered IP addresses is effectively impossible. Many DNS resolvers rotate their IP returns among a large list for load balancing. Others use the geography of your query to select for the geography of the IP returned, and so on.

The result would have been "false positive" beliefs of filtering where none was present. The other problem was that this would cause every DNSB user's client to APPEAR to be requesting the IPs of a large selection of known unsavory resolvers. For example, would all DNSB users feel comfortable having the benchmark continually asking for the IP of pornhub? And what about when they run it from their employer's network?

So it became clear that, much as this would be a super-cool feature, it was (a) impossible to do reliably and (b) kind of "icky" since the only way to verify a filtered reply would be to ask for a filtered domain name.
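The pasted answer earlier in the thread describes the test (query a known-bad name against a resolver and look for NXDOMAIN, a sinkhole address, or a block-page IP), and Steve's reply above explains why comparing the returned IP against an "unfiltered" baseline produces false positives. The script below is an added example written for this page; it is not code from the thread, from GRC, or from the DNS Benchmark. It builds a DNS A query with only the Python standard library, parses the reply, and issues a verdict from explicit block signals in the reply itself, never from IP inequality between two resolvers. The sinkhole address set, the sample replies for example.test, and the file name are assumptions made for the example; the resolver IP and domain names come from the command line.

```python
"""Probe whether a DNS resolver filters a name (added example, not DNSB code).

The verdict uses only explicit signals in the reply (NXDOMAIN, REFUSED, an
empty NOERROR answer, or a sinkhole address).  It deliberately does not
compare the returned IP with another resolver's answer, since unfiltered
resolvers rotate and geo-select addresses and such a comparison would
report filtering where there is none.
"""
import random
import socket
import struct
import sys

# Assumption: sinkhole addresses commonly returned by filtering resolvers.
# Add a provider's documented block-page IP here if you know it.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int) -> bytes:
    """Standard query header (RD=1) plus one A/IN question (RFC 1035 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(msg: bytes):
    """Return (rcode, [IPv4 strings from A records in the answer section])."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, ips


def classify(rcode: int, ips: list) -> str:
    """Map a reply to a verdict; only explicit signals count as a block."""
    if rcode == 3:
        return "BLOCKED(NXDOMAIN)"
    if rcode == 5:
        return "BLOCKED(REFUSED)"
    if rcode != 0:
        return "ERROR(%s)" % RCODE_NAMES.get(rcode, str(rcode))
    if not ips:
        return "BLOCKED(empty-answer)"
    if all(ip in SINKHOLE_IPS for ip in ips):
        return "BLOCKED(sinkhole)"
    return "RESOLVED"


def probe(resolver_ip: str, name: str, timeout: float = 2.0) -> str:
    """Send one A query to resolver_ip over UDP/53 and classify the reply."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "ERROR(timeout)"
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid:
        return "ERROR(bad-reply)"
    return classify(*parse_response(data))


# Constructed sample replies for example.test (not captured from any resolver)
# so the parser and classifier can be exercised without network access.
_HDR_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)        # QR RD RA, rcode 0, 1 answer
_QUESTION = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)   # example.test A IN
_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)               # name pointer to offset 12
SAMPLE_SINKHOLE_REPLY = _HDR_OK + _QUESTION + _RR + socket.inet_aton("0.0.0.0")
SAMPLE_RESOLVED_REPLY = _HDR_OK + _QUESTION + _RR + socket.inet_aton("203.0.113.10")
SAMPLE_NXDOMAIN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    # usage: python dnsfilter_probe.py <resolver_ip> <domain> [<domain> ...]
    if len(sys.argv) < 3:
        sys.exit("usage: dnsfilter_probe.py <resolver_ip> <domain> [...]")
    resolver, names = sys.argv[1], sys.argv[2:]
    for n in names:
        print("%-16s %-40s %s" % (resolver, n, probe(resolver, n)))
```

Run it once against the filtering resolver and once against an unfiltered one with the same list of names; a RESOLVED verdict for a name you know to be malicious is the "ineffective" outcome described in the pasted answer, and a BLOCKED verdict for a benign name is the over-blocking case. ERROR verdicts mean no conclusion, not a block. The probe is UDP only, speaks plain DNS on port 53 (so it cannot test a DoH/DoT-only endpoint), ignores truncation and EDNS, and looks at A records only; it also carries the "icky" property Steve points out, since your client really does ask the resolver for every name on the list.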
 
There is nothing stopping the user compiling a list of the DNS providers that do extra filtering on DNS and just benchmark those is there?
Create a custom list of all the servers that offer malware and adult site blocking and benchmark those, that way you can see who is the fastest for you of those that offer that service.
 
@GreenWine: "... There is nothing stopping the user compiling a list of the DNS providers that do extra filtering on DNS and just benchmark those is there? Create a custom list of all the servers that offer malware and adult site blocking and benchmark those, that way you can see who is the fastest for you of those that offer that service ..."

- - - - -


Great point:

Q: Google, are there lists of public and private DNS Nameserver resolvers that provide blocking and filtering services?

A: Yes, many lists exist for public and private DNS resolvers with blocking/filtering (malware, ads, adult content, custom lists), including options like Quad9, NextDNS, CleanBrowsing, AdGuard, Control D, OpenDNS, Pi-hole (private), and enterprise solutions like Cisco Umbrella/Cloudflare Gateway. [1, 2, 3, 4, 5]

Public DNS resolvers with filtering

  • Quad9: Blocks malicious domains (malware, phishing, botnets).
  • CleanBrowsing: Offers multiple tiers: malicious, adult, or family-friendly (blocks adult, some social media).
  • NextDNS/Control D/AdGuard: Highly customizable, blocking ads, trackers, security threats, parental controls (adult sites, specific apps).
  • OpenDNS (Cisco): Free filtering (malware, phishing), custom allow/block lists, parental controls (basic).
  • Cloudflare (Gateway): Enterprise-level secure DNS filtering/malware protection. [1, 2, 3, 5, 6, 7, 8, 9]
Private / Self-hosted / Enterprise solutions
  • Pi-hole: A popular self-hosted, network-wide ad and tracker blocker (runs on Raspberry Pi/VM).
  • Enterprise/Managed: Cisco Umbrella, WebTitan, AppRiver Secure Surf, Cloudflare Gateway (advanced features, reporting, Zero Trust). [3, 7, 10, 11]
Where to find lists
  • avoidthehack.com, geeksforgeeks.org, and reddit.com often compile current lists. [1, 2, 8]
[1] https://avoidthehack.com/best-dns-privacy
[2]
[3] https://community.spiceworks.com/t/looking-for-dns-filtering-service-recommendations/728766
[4] https://www.recordedfuture.com/threat-intelligence-101/cyber-threat-landscape/dns-servers
[5] https://bitlaunch.io/blog/the-best-dns-servers-for-privacy/
[6] https://www.thousandeyes.com/blog/choosing-public-dns-resolver
[7] https://ettebiz.com/dns-filtering-solutions/
[8] https://www.geeksforgeeks.org/blogs/best-free-and-public-dns-servers/
[9] https://quad9.net/
[10]
[11] https://simeononsecurity.com/articles/dns-comparison-adguard-quad9-cloudflare-pi-hole/
 
My observations are that measured performances of servers at big providers such as cloudflare, are about the same across their offerings
Yes! One of the coolest things I've seen is that when running the very high sample count benchmarks, all of the various resolvers for each of the providers wind up grouped together in DNSB's resolver performance ranking. It's really cool to see. So that tells us that we're really talking to the same-located resolvers.
 
There is nothing stopping the user compiling a list of the DNS providers that do extra filtering on DNS and just benchmark those is there?
Create a custom list of all the servers that offer malware and adult site blocking and benchmark those, that way you can see who is the fastest for you of those that offer that service.
You're 100% correct. My point was that I was attempting to auto-detect filtering and I was forced to conclude that it could not be reliably done.