Your router probably has a feature like mine. I get the same results because I have enabled a feature that causes the firewall to rewrite DNS to redirect it to the chosen DNS server. This basically completely breaks DNS Benchmark because as far as it's concerned the Internet is now broken when sending a message to party A causes it to be received by party B. Check your firewall/router configuration for anything related to DNS and try making temporary changes and seeing what effect they have on the benchmark. If you would like more confirmation of what's going on, try only testing DoH. Since it doesn't use UDP, and is secured inside of an HTTPS session, your router can't mess with it. On my router testing only DoH works fine.
I agree with PHolder. Old insecure UDP based DNS is easily messed with by a router. Not all routers, but certainly pfSense and maybe also the Synology. If the router does re-direct an old DNS request, the device that originated the request can't tell. Normally, at least.
Hi. I have finally tried out dnsb on Windows today; I have been using it on Ubuntu mainly.
I hit a similar issue, the test stopping just a couple of minutes in.
Now I use the NextDNS windows app which forces all connections through it. As soon as I disable it, the test runs through.
So is this a bug or a feature of the nextdns tool? It might be spotting the unusually high frequency of seemingly random queries and putting a stop to it. Or, it could just be badly written and it is collapsing under the unusual use.
I have no issues with nextdns in normal day to day use and the nextdns linux tool does not show this behaviour, making me suspect it might be a bug with the windows program.
Ok a quick update. I took a screenshot of my nextdns logs before it crapped out and saw lots of these DNS Rebind attempts showing in the blocked list whilst the benchmark was running.
For whatever reason, after this burst of rebind activity, my network connection fails and I need to quit the next dns service to restore connection.
@Steve - I wouldn't normally tag you, I don't think it's a bug on your end, I have dns rebind protection turned on with NextDNS, however - is there a reason why the benchmark may be causing so many rebind attempts?
for example: 172.rebindtest.com
(edit - added screenshots)
(edit 2) turned off DNS rebind protection and the benchmark completed fine and my connectivity stayed up.
NextDNS does not transfer DNS queries according to "standards".
So when the DNSBench program queries DNS servers according to
standards, NextDNS interferes and sullies the dialog.
On the one hand, DNSBench ought to report that queries have not
been responded to, and move on, not stop and say nothing.
On the other hand, you've identified the mismatch - NextDNS is not
standard.
NextDNS handling DNS queries in non-standard ways may be
intentional and beneficial for whatever purposes a user has.
Comcast Business Router 2 by Technicolor with Security Edge
DNS server management also filters DNS queries, as do some
other routers, some ISPs, and some software like NextDNS.
DNSBench will not produce useful results if the DNS queries are
being filtered or manipulated between DNSBench and any DNS
server.
I think that no matter how @Steve Gibson might try to get
DNSBench to anticipate interference, there is probably no way to
anticipate filtering, especially because filtering is proprietary and
secret for a reason - they want to prevent malicious actors from
reverse engineering the filters and bypassing or gaming them.
So, coming to a grinding halt may be the way DNSBench responds
to your current version of NextDNS.
That may be a good thing.
It's a brute-force way of telling you that NextDNS is working as
promised.
Another version of NextDNS or DNSBench may be more elegant
in their incompatibilities, but essentially equivalent in DNSBench
saying "there are no standard DNS servers available" and
NextDNS is saying nothing, just blocking what its programmers
consider outside an end user's "normal" use of DNS servers.
Thanks for adding NextDNS to the list of filters that interfere with
DNS server testing.
If NextDNS allows you to select your preferred DNS servers, then
turn it off, run DNSBench, select and install your preferred DNS
servers, and then re-enable NextDNS.
You can select your own preferred DNS servers while using NextDNS, but it depends on your setup method.
You can either use NextDNS's provided Anycast IP addresses for general setup or configure custom DNS-over-HTTPS (DoH) endpoints to force specific, closer servers.
Standard Setup (IPv4/Router): You can use the specific IPv4 addresses provided in your NextDNS panel (e.g., 45.90.28.x) in your router or device settings.
Encrypted Setup (DoH/DoT): You can specify your preferred endpoint, such as in your browser or OS settings, to ensure your traffic is encrypted.
Directing Traffic: When using the NextDNS app or CLI (Command Line Interface), it generally handles the selection of the fastest node, but you can override this by forcing specific servers, though this is not recommended as it reduces the benefits of Anycast. [1, 2, 4, 5, 6]
For the best results, verify your setup on the NextDNS test page.
Gemini AI has suggested that the benchmark deliberately tests rebindtest.com to check the security of DNS servers and perhaps the flood of tests is overwhelming the nextdns virtual network adapter.
rebindtest.com is a domain maintained by Steve Gibson of GRC for
the DNS Benchmark tool.
When running the benchmark, queries to this domain test if your
DNS resolver improperly resolves local IP addresses (like or ), which
indicates vulnerability to DNS rebinding attacks. [1, 2]
Purpose: It verifies if your DNS provider blocks malicious DNS
rebinding, which attempts to trick browsers into attacking internal
network devices.
False Positives in Logs: If you see queries in your security logs
( for example, NextDNS or Pi-hole ), it is likely just the DNS
Benchmark tool analyzing your network, not an actual infection.
What it Checks: The test ensures that your DNS resolver does
not return private IP addresses for external domain names, a
technique used by attackers to bypass firewalls.
Result Interpretation: If the benchmark shows queries are blocked
or result in unexpected IPs, your system is likely protected against
this type of threat. [2, 3, 4]
The test is a standard part of the comprehensive DNS
benchmarking process to ensure security, not just speed. [5]
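
The check that rebind protection applies, as described in the post above (a resolver should not return private addresses for external names), sketched as an added example. It is not code from DNS Benchmark or NextDNS; the local-zone list, the query names and the answers are constructed assumptions.

```python
import ipaddress

# Assumption: zones that legitimately resolve to internal addresses on
# this network (split-horizon names). Everything else is "external".
LOCAL_ZONES = ("home.arpa", "lan")

def _unmap(addr):
    """Return the embedded IPv4 address of an IPv4-mapped IPv6 address."""
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr

def is_internal(text):
    """True if this address should never be returned for a public name."""
    addr = _unmap(ipaddress.ip_address(text))
    return (addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)

def in_local_zone(qname):
    """True if qname is one of LOCAL_ZONES or a name beneath one."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in LOCAL_ZONES)

def check_response(qname, answers):
    """Return ('allow', []) or ('block', [offending addresses])."""
    if in_local_zone(qname):
        return ("allow", [])
    bad = [a for a in answers if is_internal(a)]
    return ("block", bad) if bad else ("allow", [])

# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("www.example.com", ["93.184.216.34"]),         # public answer
    ("rebind-sample.example", ["192.168.1.1"]),     # RFC 1918 answer
    ("mixed.example", ["1.1.1.1", "10.0.0.5"]),     # one bad record is enough
    ("mapped.example", ["::ffff:127.0.0.1"]),       # loopback hidden in IPv6
    ("nas.home.arpa", ["192.168.1.20"]),            # allowed local zone
]

def run_samples():
    """Map each sample query name to its verdict."""
    return {q: check_response(q, a)[0] for q, a in SAMPLES}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:5}  {name}")
```

A filter of this kind logs a block for every test query that returns an internal address, which matches the burst of rebind entries reported earlier in the thread.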