Recommended DNS servers – which ones are the fastest and best protect the user?

12 October 2023


DNS (Domain Name System) is a service responsible for assigning IP addresses and other information to Internet domains. Each website has its own “identifier”, i.e. the IP address mentioned above. In the case of hosting, many websites share a single address. Owning a domain and pointing it at the IP address of a WWW server is not required to run a publicly available service, but reaching a website by its IP address does not look professional. The IP addresses associated with a given domain can be found by looking the domain up, e.g. in the Whois database, with the “ping” command in Windows (which displays only an IP address), or with the “host” command in Linux.

ATTENTION!

We have updated the DNS server test with new providers and threats. The current test date is September 10, 2023.

Changes since the last test

This year, the following servers have not been checked: DNS.Watch (although the servers themselves respond, their website returns error code 502 which could mean a possible abandonment of the project) and OpenNIC (two Polish servers have been unavailable for a long time).

However, we have managed to test the new dns0.eu server, which we mentioned in the article from February 10, 2023.

There were no major changes in the testing process, except for the list of domains used in the performance test. Details are described below.

DNS server IP addresses are handled by IANA and ICANN. In Poland, Naukowa i Akademicka Sieć Komputerowa (NASK) is responsible for the domain registry and the .pl domain. DNS uses the UDP protocol when executing queries and runs at the application layer of the OSI model, on default port 53. Usually, two IP addresses of different DNS providers are configured, which is a safeguard in case one of them fails.

The “backbone of the Internet” is formed by the so-called root servers. Their list is available on the https://root-servers.org/ website.

Getting basic information on a domain using the “host” command.

There are different DNS records that can be set for a domain. The most basic of them are:

  • A – IPv4 address that the domain points to
  • AAAA – IPv6 address that the domain points to
  • CNAME – a canonical name, often used to indicate different domain prefixes instead of IP addresses (for example, avlab.pl can be the CNAME record for www.avlab.pl)
  • MX – address of server that hosts email
  • TXT – various additional information (e.g. Google Workspace verification code), also used to validate domain “ownership” when purchasing SSL certificates, and to configure SPF record

Routers provided by an ISP are often configured to use DNS servers in a carrier’s network. It is usually a good idea to change this setting to DNS servers owned by global carriers as they are generally more efficient and secure than those offered by Internet service providers. Some of them (listed below) also include additional functionalities in the form of blocking malicious domains, or those with adult content.

 

Comparison of DNS servers

Table with comparison of DNS servers: carrier name, IP addresses, carrier’s country, category filtering, support for DoH (DNS over HTTPS).

| Name of DNS service | IP addresses | Carrier’s country (jurisdiction) | Category filtering, e.g. adult content and ads | Protection against malware and phishing | Support for DNS over HTTPS (DoH) |
|---|---|---|---|---|---|
| Cloudflare | 1.1.1.1 and 1.1.1.2, 1.0.0.2 (malware blocking), 1.1.1.3 and 1.0.0.3 (malware and adult content blocking) | United States | NO | YES | YES |
| Google Public DNS | 8.8.8.8 and 8.8.8.4 | United States | NO | NO | YES |
| Quad9 | 9.9.9.9 | United States | NO | YES | YES |
| Comodo Secure DNS | 8.26.56.26 and 8.20.247.40 | United States | NO | YES | NO |
| CleanBrowsing | 185.228.168.168 and 185.228.169.168 | United States | YES | YES | YES |
| Alternate DNS | 76.76.19.19 and 76.223.122.150 | United States | YES | YES | YES |
| AdGuard DNS | 176.103.130.130 and 176.103.130.131 | United States | YES | YES | YES |
| NextDNS | 45.90.28.141 and 45.90.30.141 | United States | YES | YES | YES |
| dns0.eu | 193.110.81.0 and 185.253.5.0, 193.110.81.9 and 185.253.5.9 (malware blocking), 193.110.81.1 and 185.253.5.1 (adult content blocking) | France | NO | NO | YES |

Comment on the table:

Almost all of the DNS providers fall under US jurisdiction. Only four carriers provide both category filtering and protection against malicious websites in general. It is good to see that the vast majority of servers support DNS over HTTPS (DoH), i.e. encryption of requests.

 

Configuration of DNS addresses

DNS addresses can be changed on a single device or on all of them at once (in the router settings). The distinction is very important. If we modify the addresses on, e.g., a laptop, only this single device will communicate with the world via the chosen set of servers. Other devices in the network will resolve domains to IP addresses through the DNS servers set up in the router. Please note that DNS servers set in the system have “priority” over those in the router configuration.

IPv4 configuration in Windows.

Changing DNS addresses in the router configuration is, paradoxically, easier. However, it is better not to modify other settings if you do not know what they are for. In a browser, we open the router’s IP address, most often 192.168.0.1 or 192.168.1.1, or another one depending on the network structure and the manufacturer of the router.

Usually, DNS settings are found together with the Dynamic Host Configuration Protocol (DHCP) settings. DHCP is responsible for automatically assigning network information to devices, including the IP address, subnet mask, default gateway address, and DNS.

 

How to find out the router address?

There are several methods, and these depend mainly on the system:

  • Windows: Run the command prompt (from the Start Menu, search for “cmd”, or use the shortcut Win+R and type “cmd”). Then type “ipconfig” and look for Default Gateway. The address shown is the router address. This is by far the fastest way because in a home network the configuration is usually assigned by DHCP, and only a few users set it statically (which makes sense for servers and printers on the network). If you have MikroTik equipment, I recommend using WinBox, which displays this company’s devices in our network in the Neighbours tab.
  • Linux: In the terminal just enter “ip r”; the line with the address we are looking for starts with the phrase “default via …”.
  • Android: The router address is visible in the settings of the specific Wi-Fi network. However, I do not recommend changing the configuration from mobile browsers due to the limited convenience (not every panel is adapted to smaller screens). It is better to download a dedicated application from the official store and use it because it allows quick access to the most important settings.

In the DNS server and Alternate DNS fields, we insert addresses of the selected provider.

Speed test of DNS servers

To test the speed of DNS servers, I used the dnsperf tool, fed with domains from the top 1000 list by Cloudflare Radar. It automatically queries the specified DNS servers one by one with the addresses from this list. In addition, I limited the number of queries per second to 10 because of the configuration of some servers, which reject all queries above this limit.

In previous editions of this test, we used the Alexa list. However, it is not currently up-to-date (some of its domains have already expired), so it could not be used this year.

The dnsperf tool requires a list in the format <domain> <dns_record>. The list by Cloudflare Radar contains only domain names, but using the following “sed” command it is easy to append “A” to 1000 lines in this file:

sed -i 's/$/ A/' domain.txt

The table shows the average response time for the domains stored in the file. Results are given in milliseconds, so the Average Latency reported by dnsperf in seconds had to be multiplied by 1000.
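The two manual steps above (building the query file and converting the result) can be scripted. This is an added example, not the script used for the test; the file name radar-top1000.txt, the optional “domain” header line and the sample values in the comments are assumptions.

```shell
#!/bin/sh
# Added example: helpers around a dnsperf run like the one described above.

# Bare domain names on stdin -> dnsperf "<domain> <dns_record>" lines.
# Strips Windows line endings, skips blank lines and an optional
# "domain" header line (assumption about the downloaded list).
to_dnsperf_input() {
    tr -d '\r' |
        awk 'NF && !(NR == 1 && tolower($1) == "domain") { print $1, "A" }'
}

# dnsperf summary on stdin -> "Average Latency (s)" converted to milliseconds.
# Returns non-zero when the summary line is missing (e.g. the run failed).
avg_latency_ms() {
    awk -F: '
        /Average Latency \(s\)/ {
            split($2, f, " ")            # f[1] is the average, in seconds
            printf "%.1f\n", f[1] * 1000
            found = 1
        }
        END { exit !found }'
}

# Usage against one resolver (needs network access and dnsperf installed):
#   to_dnsperf_input < radar-top1000.txt > domain.txt
#   dnsperf -s 1.1.1.1 -d domain.txt -Q 10 | avg_latency_ms
```
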

The smaller the value, the faster the server response (milliseconds).

| Service name of DNS server | Test at 8 a.m. | Test at 2 p.m. | Test at 8 p.m. | Test the next day at 8 a.m. | Average score |
|---|---|---|---|---|---|
| Cloudflare | 30 | 25.7 | 31.4 | 27.8 | 28.72 |
| Google Public DNS | 34.6 | 37.2 | 43.2 | 35 | 37.5 |
| Quad9 | 78.9 | 77.7 | 80.1 | 81.9 | 79.65 |
| Comodo Secure DNS | 61.8 | 73.2 | 75.0 | 56.2 | 66.55 |
| CleanBrowsing | 69.2 | 52.1 | 49.9 | 50.1 | 55.32 |
| Alternate DNS | 219.3 | 436.2 | 261.1 | 414.8 | 332.85 |
| AdGuard DNS | 151.3 | 165.2 | 168.3 | 381.4 | 216.55 |
| NextDNS | 81.6 | 77.1 | 75.3 | 78.9 | 78.22 |
| dns0.eu | 68.3 | 74.5 | 65.3 | 65.9 | 68.5 |

Comment on the table:

The DNS server operated by Cloudflare achieved the shortest response time in every run. The Google server provides quite similar performance. The worst in this ranking are the Alternate DNS and AdGuard DNS servers, whose results clearly differ from the rest of the tested solutions. The other servers maintain a comparable level of response time.

 

Protection test against phishing (100 addresses per day)

In the test against phishing and malware, I used PhishTank and URLhaus lists respectively. The “wget” command was used to read the prepared lists. I needed a simple TXT file for this where the full URLs were saved in consecutive lines.

The PhishTank list was remarkably easy to prepare for these requirements. It contains only domains (no IP addresses) in the second “column”, which can be redirected to a file using the “awk” command; the first line, containing the URL column header, is then deleted using the “sed” command.

The URLhaus list, on the other hand, required some additional steps. Besides containing IP addresses, it may also contain duplicate domains. To remove IP addresses I used the Replace option in Notepad++ with the search mode set to Regular Expressions. This left blank rows, which I removed with the “sed” command (this can also be done in Notepad++). I removed any duplicates with a combination of the “sort” and “uniq” commands, and finally redirected the result to the correct output file using the “head -100 domain.txt” command.

From the number 100 I subtracted the number of downloaded files with the “wget” command and thus obtained the number of blocked queries.
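The list preparation described above can be done in one pass without Notepad++. The following is an added example, not the scripts used for this test; it goes slightly further than the text by reducing each URL to its hostname and by reading the response code with dig instead of counting wget downloads. The function names and the CSV layout (URL in the second column, no commas inside it) are assumptions.

```shell
#!/bin/sh
# Added example (not the article's scripts): build a test list from feed URLs
# and count NXDOMAIN answers given by a filtering resolver.

# PhishTank-style CSV on stdin: print the second column, skipping the header.
# Assumes the URL field itself contains no comma.
csv_urls() {
    tr -d '\r' | awk -F, 'NR > 1 && $2 != "" { print $2 }'
}

# URLs on stdin -> at most $1 (default 100) unique hostnames. IPv4-literal
# hosts are skipped: they never cause a DNS lookup, so no resolver can block them.
unique_hosts() {
    awk -v limit="${1:-100}" '
        {
            host = tolower($0)
            gsub(/"/, "", host)                      # CSV quoting
            sub("^[a-z][a-z0-9+.-]*://", "", host)   # scheme
            sub("[/?#].*$", "", host)                # path, query, fragment
            sub("^.*@", "", host)                    # userinfo
            sub(":[0-9]+$", "", host)                # port
        }
        host == "" || host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        !seen[host]++ { print host; if (++n >= limit) exit }
    '
}

# Response code from `dig +noall +comments` output on stdin (NOERROR, NXDOMAIN...).
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Hostnames on stdin -> number answered with NXDOMAIN by resolver $1.
# Needs network access and dig; timeouts yield an empty status and are not counted.
count_nxdomain() {
    blocked=0
    while IFS= read -r host; do
        status=$(dig "@$1" "$host" A +noall +comments +time=3 +tries=1 </dev/null | dig_status)
        if [ "$status" = "NXDOMAIN" ]; then blocked=$((blocked + 1)); fi
    done
    echo "$blocked"
}
```

Reading the response code separates a resolver that answers NXDOMAIN from a site that is simply offline, which a failed download alone cannot tell apart.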

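| Blocked addresses (NXDOMAIN [*]) | Cloudflare | Quad9 | Comodo Secure DNS | CleanBrowsing | Alternate DNS | AdGuard DNS | NextDNS | dns0.eu |
|---|---|---|---|---|---|---|---|---|
| Day 1 | 75 | 45 | 29 | 55 | 28 | 40 | 30 | 89 |
| Day 2 | 66 | 74 | 28 | 96 | 29 | 66 | 28 | 78 |
| Day 3 | 47 | 61 | 32 | 93 | 12 | 18 | 12 | 61 |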

[*] The so-called NXDOMAIN error means that in the DNS database of a specific operator, the domain is not associated with an IP address, i.e. the end user does not see a response from a given party.

 

Malware protection test (100 addresses per day)

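| Blocked addresses (NXDOMAIN [*]) | Cloudflare | Quad9 | Comodo Secure DNS | CleanBrowsing | Alternate DNS | AdGuard DNS | NextDNS | dns0.eu |
|---|---|---|---|---|---|---|---|---|
| Day 1 | 87 | 92 | 25 | 90 | 17 | 16 | 25 | 100 |
| Day 2 | 86 | 92 | 31 | 86 | 20 | 19 | 32 | 100 |
| Day 3 | 87 | 89 | 50 | 86 | 16 | 18 | 28 | 100 |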

[*] The so-called NXDOMAIN error means that in the DNS database of a specific operator, the domain is not associated with an IP address, i.e. the end user does not see a response from a given party.

 

DNS server is an important aspect of our security

All devices send and receive some data. A user visits a website in a browser, an installed application queries its servers for updates, etc. A DNS server can protect against various malicious activities. However, please note that malware is not only found on the Internet: we might just as well infect the system by running malicious macros or an unknown application. Plugging in an unknown flash drive is also a threat.

DNS does not protect against popular attacks found on the network (MITM, communication sniffing, ARP spoofing). Nor can we count on it to protect the webcam or the HOSTS file. By the way, not many people mention it, but this simple file has a huge impact on security. Malware that replaces the HOSTS file can have devastating consequences:

[attacker_IP_address] mbank.pl

From now on, instead of on mBank’s website, after entering https://mbank.pl we will be on the website controlled by the attacker! If it is well prepared, we have no chance of noticing the attack (although you can compare the so-called certificate fingerprint, but nobody compares it every time). In the address bar you can see mbank.pl, and in practice we are connected to the criminal’s server.
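Because such an entry bypasses whichever DNS server is configured, the HOSTS file is worth auditing in its own right. The following check is an added example, not part of the original article; the function name is hypothetical, and the file is read from standard input (/etc/hosts on Linux, %SystemRoot%\System32\drivers\etc\hosts on Windows).

```shell
#!/bin/sh
# Added example: list hosts-file entries that point a real domain name at a
# non-loopback address. With arguments, only those domains and their
# subdomains are reported; without arguments, every such entry is printed.
hosts_overrides() {
    tr -d '\r' | awk -v watch="$*" '
        BEGIN { n = split(tolower(watch), w, " ") }
        function watched(name,   i, len, wl) {
            if (n == 0) return 1
            len = length(name)
            for (i = 1; i <= n; i++) {
                wl = length(w[i])
                if (name == w[i]) return 1
                if (len > wl && substr(name, len - wl) == ("." w[i])) return 1
            }
            return 0
        }
        { sub(/#.*/, "") }                # drop comments
        NF < 2 { next }                   # blank or address-only lines
        # loopback and null-route entries (localhost, ad blocking) are expected
        $1 ~ /^127\./ || $1 == "::1" || $1 == "0.0.0.0" || $1 == "::" { next }
        {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name ~ /\./ && watched(name)) print $1, name
            }
        }
    '
}

# Usage: hosts_overrides mbank.pl < /etc/hosts
```
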
