How to use GRC's new DNS Benchmark, noting that malware protection is likely the primary benefit of avoiding your ISP's default DNS

Posted by Paul Braren on Apr 4 2018 (updated on Apr 7 2018) in
  • HowTo
  • Network
  • Review

    What is DNS?

    THE GLUE THAT HOLDS THE INTERNET TOGETHER

    The Domain Name System (or DNS) converts human readable domain names (like: www.google.com) into Internet Protocol (IP) addresses (like: 173.194.39.78).
    Computers can only communicate using numbers, so DNS was developed as a sort of “phone book” that translates the domain you enter in your browser into a computer readable IP.

    New DNS Benchmark 1.3.6668.0 Released

    Earlier this Apr 04 2018 evening, I noticed that the latest DNS Benchmark download has a splash screen showing version 1.3.6668.0. In a way, you could say that this version doesn't even exist quite yet, according to the slightly outdated DNS Benchmark Version History. The last time Steve updated that page was likely back in 2010, when the previous version of DNS Benchmark was released. It still works fine, right through to Windows 10 Build 1709 though. What we learned during Steve's on-air mention yesterday was that all he planned to change in his new release was the built-in list of IPs, that's it, no other known bugs needed fixing. This is why I'm not at all worried that my recent set of screenshots that I took when testing out Cloudflare's new 1.1.1.1 DNS are somehow obsolete.

    What's new in this release?

    Screenshot: Steve Gibson signed the new DNSBench.exe version 1.3.6668.0 on Wednesday, April 4 2018 4:59:57PM.

    I noticed that Cloudflare and Quad9 primary and secondary DNS IP addresses have now been baked right into the tool, so you won't have to add them manually, making things even simpler, see also my step-by-step guide below. As featured in my recent Cloudflare 1.1.1.1 DNS article, the only other somewhat popular public DNS offering left out of this build, which can easily be added manually, is Norton ConnectSafe's 199.85.126.20 and 199.85.127.20.

    How do I know this was released today? By the digital signature in the executable file. As seen in the screenshot, in File Explorer I right-clicked on the DNSBench.exe executable, chose Properties and then the Digital Signatures tab, then highlighted the one entry and clicked on the Details button.

    Pictured: my home lab, as previewed in Feb 2018.

    I do regret removing my own home's Ubiquiti 10.10.1.1 router from my test results screenshots in my recent Cloudflare 1.1.1.1 article, so subsequent tests will include it. Just like Steve's 10.1.0.0 router shown at the top of his screenshot. Also note that such local DNS from a local router will be fastest, as it's a local lookup with essentially no pesky distance-based latency. You know, physics and all, that speed-of-light thing. The speed difference isn't always as apparent though, when using consumer grade routers. They tend to really just forward all DNS requests to your ISP, by default, and don't really do the local DNS lookups with DNS caching that my compact VMware vSphere home lab datacenter greatly appreciates.

    Why is DNS speed important?

    Did you know that loading many popular web sites requires hundreds of requests for various elements? This is especially the case for media-rich home pages, such as cnn.com. Yes, today, it requires 151 requests just to finish loading, and that's with ad blocking turned on. Without ad blocking, it's actually 424 requests! Many of those requests need their own round-trip DNS lookup, since the page pulls in elements from many different off-site domains. All those lookup milliseconds can quickly add up to several seconds total, partly because of the sequential loading that some page elements require.

    To test page load times yourself, open Chrome, visit cnn.com, then if you're on a PC press F12, or if you're on a Mac click on View, Developer, Developer Tools. Next, select the Network tab, and click the 3 dots to choose the Dock side position (mine is on the bottom). Make sure the "Disable cache" checkbox is ticked, so that every element is fetched again rather than served from the browser cache, then refresh the web page and watch this Developer tool's lovely waterfall view, as pictured below. Note that there are helpful summary statistics along the bottom.

    Screenshot: cnn.com with ad blocking, in Chrome's F12 Network view
    Screenshot: cnn.com with no ad blocking, in Chrome's F12 Network view

    Screenshot: DNSPerf's DNS Performance Analytics and Comparison page, Apr 01 2018.

    You can actually temporarily change just your system's DNS to each of the public DNS services listed below, then try loading a rich web page a few times, performing your own informal benchmark of the effect of each service. Once you decide which you like, it's best to put your system's DNS setting back to DHCP-assigned, then change your router's DNS instead.

    Since DNS speeds are determined by your location and your particular ISP's connection to the internet, relying solely on 3rd parties like DNSPerf for DNS speed rankings is insufficient. DNS Benchmark lets you quickly home in on the top performers from your location, the only location that matters to you.

    DNS Benchmark Instructions

    I have developed my own instructions so I can use them for consistency in my own home network tests. They may be helpful for you too, to refer to when running DNS Benchmark on your network.

    Screenshot: GRC's certificate, as shown in the Edge browser.
    1. Download the latest version of the tiny, portable (no install required) DNS Benchmark directly from Steve Gibson's site GRC here.
    2. Be sure all your other systems and devices on your network are idle, even better, disconnected and/or powered off. This step may be more important to follow if repeated runs of DNS Benchmark give you wildly inconsistent results.
    3. Launch DNSBench.exe on your otherwise idle Windows system, then wait for it to finish its automated discovery process, which is indicated by the animated spinning dark red logo at upper-right.
    4. Click on the Nameservers tab.
    5. Right-click and choose Remove Redirecting Servers, which gets rid of the light-brown entries that clutter up your results. A redirecting server is one that answers a lookup for a nonexistent name with an address of its own choosing (typically a search or ad page) instead of the NXDOMAIN error it should return, and I'd rather not point my system at a DNS that redirects elsewhere anyway. This shouldn't eliminate any of the public DNS providers featured in this article.
    6. If you have a DNS provider you'd like to add, such as Norton ConnectSafe's 199.85.126.20 and 199.85.127.20, simply use the Add/Remove button found at top-left, adding each IP one at a time. All the other services featured in this article are already built in to the latest DNS Benchmark version 1.3.6668, but all older versions will need the Quad9 and Cloudflare IPs added manually. Did you skip Step 1 above? See also the list of various public DNS services below.
    7. At top-right, click on Run Benchmark, then wait a while for it to complete, refraining from using your system to do anything else.
    8. You may find that you can't quite see the results for the IPs of interest, just drag the lower edge of the Window to make it taller, as I did for my screenshots above.
    9. Based mostly on your desired features, and partially on your benchmark results, use your "winning" IPs to replace the DNS IPs in your router's DNS settings. As mentioned here back in November of 2017, I'd also like to figure out implementing DNSSEC in my Ubiquiti EdgeRouter Lite someday, and am unsure whether that could impact performance significantly.
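    If you'd like to see what a tool like this does under the hood, here is a small resolver timing script I've added as an example; it is not GRC's DNS Benchmark and not code from this article. It builds raw DNS queries with only the Python standard library, times each resolver over UDP, and repeats the tool's redirect test from step 5: a random label under example.com should come back NXDOMAIN, and a resolver that answers it with an address is rewriting errors. The resolver list is the one from this article, except that Cloudflare's 1.0.0.1 and Google's 8.8.4.4 secondaries and the hostnames being looked up are my own assumptions. Run it from the same idle machine you would run DNS Benchmark on, for a fair comparison.

```python
"""Stdlib-only resolver timing and NXDOMAIN-redirect check (added example, not GRC's tool)."""
import random
import socket
import struct
import time

# Resolvers from this article's list; the 1.0.0.1 and 8.8.4.4 secondaries are assumed here.
RESOLVERS = {
    "Cloudflare": ["1.1.1.1", "1.0.0.1"],
    "Google": ["8.8.8.8", "8.8.4.4"],
    "Quad9": ["9.9.9.9", "149.112.112.112"],
    "OpenDNS": ["208.67.222.222", "208.67.220.220"],
    "Norton ConnectSafe": ["199.85.126.20", "199.85.127.20"],
}
TEST_NAMES = ["www.cnn.com", "www.google.com", "tinkertry.com"]   # assumed; any real names work

def build_query(name, txid):
    """One A/IN question with recursion desired; txid is the 16-bit transaction id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Offset just past the (possibly compressed, RFC 1035 4.1.4) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg, txid):
    """Return {'rcode': int, 'ips': [...]} with the A records from the answer section."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "ips": ips}

def looks_redirected(resp):
    """True when a name that should not exist came back as an address instead of NXDOMAIN (rcode 3)."""
    return resp["rcode"] != 3 and bool(resp["ips"])

def summarize(samples_ms):
    """min/avg over successful samples; None entries are timeouts."""
    ok = [s for s in samples_ms if s is not None]
    return {"min_ms": min(ok) if ok else None, "avg_ms": sum(ok) / len(ok) if ok else None,
            "timeouts": len(samples_ms) - len(ok)}

def timed_query(server, name, timeout=2.0):
    """Send one UDP query; return (elapsed_ms, parsed) or (None, None) on timeout."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
            while data[:2] != struct.pack("!H", txid):   # ignore stray or spoofed replies
                data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None, None
    return (time.perf_counter() - start) * 1000.0, parse_response(data, txid)

def is_redirecting(server):
    """Look up a random label under example.com; an A answer means NXDOMAIN rewriting."""
    bogus = "%08x.example.com" % random.randrange(0x100000000)
    _, resp = timed_query(server, bogus)
    return None if resp is None else looks_redirected(resp)

def benchmark(resolvers=RESOLVERS, names=TEST_NAMES, rounds=5):
    """Per-server stats plus the redirect check (unlike GRC's tool, cached and uncached lookups are mixed)."""
    results = {}
    for provider, servers in resolvers.items():
        for server in servers:
            samples = [timed_query(server, n)[0] for _ in range(rounds) for n in names]
            stats = summarize(samples)
            stats["redirecting"] = is_redirecting(server)
            results[(provider, server)] = stats
    return results

if __name__ == "__main__":
    for key, st in sorted(benchmark().items(), key=lambda kv: kv[1]["avg_ms"] or 9e9):
        print("%-18s %-16s %s" % (key[0], key[1], st))
```

    The transaction id check is the one piece of this you should not drop: a reply on an open UDP port that does not carry the id you sent is either stale or spoofed, and the script ignores it rather than timing it. Queries go out one at a time, so a slow or dead resolver costs at most the two second timeout per lookup, and a resolver that reports as redirecting is the one DNS Benchmark would have colored light brown.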

    Steve Gibson talks all about Cloudflare's 1.1.1.1 DNS at this exact spot in Security Now 657: ProtonMail. He explains that using 1.0.0.1 as your primary isn't a good idea as a long-term strategy, as he was seeing very low speed test results. I didn't see that same behavior at all, with 1.0.0.1 frequently besting most other DNS IPs, including 1.1.1.1. He also explains that for many users, their ISPs might be very fast due in part to physical proximity, but they are unlikely to offer any sort of privacy as far as what they do with your browsing habit data. Steve and I are both using Cox Communications, but he's in CA, and I'm in CT. Interesting. Maybe it's time for some tracert'ing.

    Like my article above, Steve also mentions you'll need to manually add the 1.1.1.1 to your list of DNS servers to be tested, since DNS Benchmark hasn't been updated since 2010. I would add that you should also add Quad9's 9.9.9.9 as well. Well, that was this morning, read onward.

    Free Public DNS Primary and Secondary IP Addresses

    This is a small subset of the many public DNS services out there, focusing on the ones I've had more experience with personally, or that others have commented they've found to be reliable and valuable for their home networks. I encourage you to choose not solely on benchmark speeds, but on security and/or filtering too, based on your family's needs and priorities.

    Cloudflare 1.1.1.1 - speed and privacy

      1.1.1.1
      1.0.0.1

    Google Public DNS - speed

      8.8.8.8
      8.8.4.4

    Quad 9 - privacy, speed, and malware filtering

    • offering DNSSEC

      9.9.9.9
      149.112.112.112 or 2620:fe::fe *
      • * For the secondary DNS, the IPv6 version is preferred, details here

    OpenDNS Internet Security - family friendly packages (part of Cisco)

    • offering DNSCrypt

      208.67.222.222
      208.67.220.220

    Norton ConnectSafe - family friendly

    • not currently offering DNS over HTTPS, DNSSEC, or DNSCrypt

      199.85.126.20
      199.85.127.20

    How to change your router's DNS configuration

    The DNS IP you set up here will be automatically doled out to all DHCP-connected devices on your home's network, or your router tells connected clients to use the router's own IP address as their DNS server, forwarding to your chosen public DNS whenever non-cached, non-local lookups are needed. The advantage of this one change is that it is instantly in effect for all connected devices, and it is relatively easy to do. It only works if you can log in to your home network's router, however.

    While I cannot possibly support folks who try and fail to get into their routers and change their WAN connection's DNS setting, for any number of reasons, Quad9 apparently somehow does! I can also get folks pointed in the right direction with this vendor list of how-to guides that I created here.

    D-Link

    FRITZ!

    Netgear

    Linksys

    TP-Link

    Ubiquiti

    I wrote this step-by-step guide on configuring DNS forwarding on EdgeRouter EdgeOS:

    edge-router-lite-update

    Apr 05 2018 Update

    While the DNS Benchmark Version History hasn't been updated quite yet, the verbiage across the top of his screenshot sure makes it pretty clear what was added to the latest release.

    Screenshot of GRC's DNS Benchmark web page, Apr 05 2018. See the red arrow for Steve's added features in this release. The screenshot itself is not updated though, and still shows the older release along the bottom edge.

    Apr 07 2018 Update

    As an alternative to DNS Benchmark, on Windows, Mac, or Linux, you can drop to a command line/terminal window and issue the ancient tracert command (traceroute on Mac and Linux) to see the path and round-trip times to each DNS service you're interested in. Keep in mind that this measures the network path to the resolver's address, not how quickly the resolver answers an actual query, and that anycast services like 1.1.1.1, 8.8.8.8 and 9.9.9.9 route you to whichever of their sites is nearest, so the hop counts and timings you see are specific to your location.

    In the indented section below, you'll see results from my home in zip code 06019 (Wethersfield, Connecticut, USA), on my Cox Communications wired internet connection.

    You can see the name of each DNS service from tracert too, and I added the number of hops to this summary of my results here:

    • 07 hops - 1dot1dot1dot1.cloudflare-dns.com
    • 08 hops - dns.quad9.net
    • 10 hops - google-public-dns-a.google.com

    Get it, 1dot1dot1dot1, fun naming idea.

    Here's a transcript of the session used for my screenshot below.

        C:\Users\pbraren>tracert 9.9.9.9
    
        Tracing route to dns.quad9.net [9.9.9.9]
        over a maximum of 30 hops:
    
          1     5 ms     3 ms     6 ms  ubnt.lab.local [10.10.1.1]
          2    13 ms    17 ms    19 ms  10.4.144.1
          3    19 ms    11 ms    12 ms  100.120.244.56
          4    16 ms    21 ms    24 ms  100.120.244.218
          5    54 ms    36 ms    20 ms  dllsdsrc01-gex03010999.rd.dl.cox.net [68.1.1.73]
          6    35 ms    41 ms    34 ms  ae-15.sayonara-sam.a01.nycmny01.us.bb.gin.ntt.net [129.250.194.153]
          7    27 ms    23 ms    35 ms  xe-0-0-6-3.a01.nycmny01.us.ce.gin.ntt.net [129.250.198.150]
          8    28 ms    24 ms    26 ms  dns.quad9.net [9.9.9.9]
    
        Trace complete.
    
        C:\Users\pbraren>tracert 8.8.8.8
    
        Tracing route to google-public-dns-a.google.com [8.8.8.8]
        over a maximum of 30 hops:
    
          1     5 ms     4 ms     5 ms  ubnt.lab.local [10.10.1.1]
          2    15 ms    19 ms    11 ms  10.4.144.1
          3    33 ms    14 ms    16 ms  100.120.244.56
          4    34 ms    28 ms    21 ms  100.120.244.218
          5    21 ms    24 ms    27 ms  nyrkbprj01-ae3.0.rd.ny.cox.net [68.1.5.157]
          6    23 ms    33 ms    22 ms  68.105.31.110
          7     *        *        *     Request timed out.
          8    28 ms    32 ms    26 ms  108.170.227.208
          9    24 ms    29 ms    43 ms  209.85.245.191
         10    26 ms    25 ms    28 ms  google-public-dns-a.google.com [8.8.8.8]
    
        Trace complete.
    
        C:\Users\pbraren>tracert 1.1.1.1
    
        Tracing route to 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]
        over a maximum of 30 hops:
    
          1     9 ms     4 ms    12 ms  ubnt.lab.local [10.10.1.1]
          2    23 ms    20 ms    16 ms  10.4.144.1
          3    33 ms    13 ms    14 ms  100.120.244.56
          4    23 ms    27 ms    30 ms  100.120.244.218
          5    23 ms    23 ms    22 ms  nyrkbprj01-ae3.0.rd.ny.cox.net [68.1.5.157]
          6    23 ms    24 ms    22 ms  199.27.132.255
          7    27 ms    23 ms    26 ms  1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]
    
        Trace complete.
    
        C:\Users\pbraren>
    Screenshot: tracert results. Here's a simple command line test you can perform, to determine how many hops there are between your network and each DNS service. You can also see some timings for each hop.
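    Since tracert output is easy to read but tedious to compare by hand across several services, here is a small parser I've added as an example (it is not from the article). It turns a Windows tracert transcript into per-hop timings, treats a row of asterisks as a silent hop rather than failing on it, and reports the hop count and the average round trip to the final hop, which is what the summary list above counts. The embedded sample is the 8.8.8.8 trace from the transcript; traceroute on Mac and Linux prints a different layout that this regular expression does not cover.

```python
"""Parse Windows tracert output into per-hop timings (added example, not from the article)."""
import re

# One hop line: hop number, three probes ("5 ms", "<1 ms" or "*"), then the host or a message.
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")

# Sample input: the 8.8.8.8 trace copied from the transcript above.
SAMPLE_TRACERT = """\
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1     5 ms     4 ms     5 ms  ubnt.lab.local [10.10.1.1]
  2    15 ms    19 ms    11 ms  10.4.144.1
  3    33 ms    14 ms    16 ms  100.120.244.56
  4    34 ms    28 ms    21 ms  100.120.244.218
  5    21 ms    24 ms    27 ms  nyrkbprj01-ae3.0.rd.ny.cox.net [68.1.5.157]
  6    23 ms    33 ms    22 ms  68.105.31.110
  7     *        *        *     Request timed out.
  8    28 ms    32 ms    26 ms  108.170.227.208
  9    24 ms    29 ms    43 ms  209.85.245.191
 10    26 ms    25 ms    28 ms  google-public-dns-a.google.com [8.8.8.8]

Trace complete.
"""

def parse_tracert(text):
    """Return [{'hop': n, 'rtts_ms': [float or None] * 3, 'host': str or None}, ...]."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                                  # headers, blanks, "Trace complete."
        probes = re.findall(r"<?\d+ ms|\*", m.group(2))
        # "*" is a lost probe; "<1 ms" is recorded as its upper bound of 1 ms.
        rtts = [None if p == "*" else float(re.search(r"\d+", p).group()) for p in probes]
        host = m.group(3)
        if host.startswith("Request timed out"):
            host = None
        hops.append({"hop": int(m.group(1)), "rtts_ms": rtts, "host": host})
    return hops

def trace_summary(hops):
    """Hop count, hops that answered nothing, and the average RTT to the final hop (the resolver)."""
    last_ok = [r for r in hops[-1]["rtts_ms"] if r is not None]
    return {
        "hops": len(hops),
        "silent_hops": sum(1 for h in hops if all(r is None for r in h["rtts_ms"])),
        "final_host": hops[-1]["host"],
        "final_avg_ms": sum(last_ok) / len(last_ok) if last_ok else None,
    }

if __name__ == "__main__":
    print(trace_summary(parse_tracert(SAMPLE_TRACERT)))
```

    Paste the output of several tracert runs into this and you get the same hop counts as the summary list above, plus a comparable final-hop average for each service. Silent hops like hop 7 in the Google trace are routers that drop or rate-limit ICMP, which is normal on a transit path and not a sign of a problem with the resolver.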

    Apr 07 2018 Update

    I'm sorry that I overblew the likelihood that choosing a slightly faster DNS could affect your browser speeds. Time and further research have revealed many articles like this one:

    So alternative DNS does not prevent the ISP or the destination site from knowing the IP address – and hence the identity – of the other party.
    ...
    Will Cloudflare Speed up Your Web Browsing?
    No. They may in fact resolve domain names a few milliseconds faster than your ISP’s DNS, but there’s not going to be enough of a difference for you to notice. The reality of web browsing speed is that it’s determined by the sites as long as your Internet package is faster than 15 Mbps.
    ...
    DNS lookups are not a significant part of web page load time, so eliminating them altogether wouldn’t make any difference.
    ...

    This also means that I'm likely to stick with Quad9 for my home's DNS.

    In an unfortunate bit of bad timing, I experienced some intermittent slow DNS lookups lately (browser saying "Resolving" at bottom-left for unusually long), and seemed to only experience this on Quad9. Other than this hiccup, months of using Quad9 for all my home's networked systems has been flawless. I've contacted Quad9, and will report back with the outcome.

    I try to avoid doing this, but I need to try to set things right by changing my article title accordingly.
    From:
    How to use GRC's new DNS Benchmark featuring Google, Quad9, and Cloudflare tests to help improve your browsing speed, privacy, and security
    To:
    How to use GRC's new DNS Benchmark, noting that malware protection is likely the primary benefit of avoiding your ISP's default DNS


    See also at TinkerTry

    cloudflare-1-1-1-1-may-be-a-google-public-dns-alternative-to-try-for-more-speed

    quad9-may-be-a-google-public-dns-alternative-to-try-for-more-privacy

    edge-router-lite-update

    replaced-linksys-with-eero-after-also-testing-luma

    dslreports-speedtest

    See also

    • Cloudflare launches 1.1.1.1 DNS service that will speed up your internet

      Apr 01 2018 by Tom Warren at The Verge

      ...
      The service is using https://1.1.1.1, and it’s not a joke but an actual DNS resolver that anyone can use. Cloudflare claims it will be “the Internet’s fastest, privacy-first consumer DNS service.” While OpenDNS and Google DNS both exist, Cloudflare is focusing heavily on the privacy aspect of its own DNS service with a promise to wipe all logs of DNS queries within 24 hours.
      ...

    • How to Pick the Best Threat-blocking DNS Provider

      Dec 23 2017 by Gabor at Rainbow & Unicorn

      A handful of alternative DNS services offer protection from malware, ransomware and phishing. Providers like OpenDNS and Quad9 can blackhole DNS requests for blocking network traffic associated with botnets, phishing and exploits. These DNS providers promise some level of threat protection, but what do they know? Do they know things? Let’s find out!

    • Free and Public DNS Servers
      Updated list of the best publicly available and completely free DNS servers

      Nov 17 2017 by Tim Fisher at Lifewire.

      Quad9 uses real time information about what websites are malicious and blocks them completely. No content is filtered - only domains that are phishing, contain malware, and exploit kit domains will be blocked. No personal data is stored. An unsecure public DNS is also available from Quad9 at 9.9.9.10 but they do not recommend using that as a secondary domain in your router or computer setup. See more in the Quad9 FAQ.

    • Is Your ISP Hijacking Your DNS Traffic?

      Jul 06 2016 by Babak Farrokhi at RIPE NETWORK COORDINATION CENTRE.

      You might not have noticed, but there are chances that your ISP is playing nasty tricks with your DNS traffic.