Measuring All the DNS Things

By Angelique Medina


Today, ThousandEyes is launching our first ever Global DNS Performance Report, covering the state of domain name system (DNS) infrastructure around the globe, for both IPv4 and IPv6. This report will be the first edition of what will become an annual release. We’ve been looking at the performance of DNS infrastructures since 2015, measuring the resolution time of public recursive resolvers and root servers, and analyzing DNS behavior in China. Our previous rankings (covering public resolvers) were published on this blog only a few months ago.

So why publish a report? Several reasons. For one thing, DNS is still a bit of a “dark art” that many IT practitioners and leaders pay little attention to, not understanding that its performance and security can significantly impact digital experience. There’s also limited coverage of DNS performance overall, particularly when it comes to IPv6.

So instead of doing measurements of various DNS infrastructure at different times throughout the year, we decided to aggregate our coverage (and expand our research scope). This also gave us the opportunity to update our testing methodology, which I’ll dive into further below. The end result is a comprehensive report on DNS infrastructures, as seen through a global lens.

So, what did we test? Fifteen public DNS resolvers, ten managed DNS services, thirteen root servers—plus, we did deep DNS traces on top enterprises and SaaS providers to understand the state of DNS resiliency.

TL;DR version

For those who just want a summary of our top performers, this is for you (but you’re going to want to read on and download the full report anyway).

Below are the top three performers based on averaged global measurements for the three DNS infrastructures we tested:

  • Top three public DNS resolvers: Cloudflare, Google and OpenDNS
  • Top three managed DNS providers: Cloudflare, Dyn, and NS1
  • Top three root servers: E, F, and D

What did we measure, how did we measure, and why? Keep on reading.

Our Methodology

Using vantage points located in over 170 cities (58 for IPv6) around the globe, we queried each of the tested DNS infrastructures at regular intervals over a period of thirty days, which yielded over 15 million data points. We looked at the average resolution time to each of the infrastructures and calculated averages for global, regional, and country-specific performance. In some cases, we also looked at network latency as a portion of resolution time.

In our previous performance tests, we used unmanaged vantage points that did not support IPv6. For our latest performance evaluation, we’ve switched to using ThousandEyes vantage points for our tests. This allows us to measure IPv6 performance and also dig deeper into network connectivity to understand its influence on overall resolution time.

State of DNS Resilience

One component of our DNS report that we’ve not covered before is an analysis of DNS resilience among large enterprises and SaaS providers—basically, how many of them rely on a single source for their authoritative DNS. This is somewhat orthogonal to our performance measurements, but we felt that it was critical to surface and spotlight. We wanted to understand what lessons were learned from the Dyn DDoS attack that took place almost exactly two years ago, in which major brands such as Instagram, Airbnb, and others were taken offline.

What we found was surprising, especially given how devastating the Dyn attack was on many businesses. A large percentage of the companies we looked at are relying on just one source to serve their authoritative DNS records, leaving them vulnerable to effectively getting taken offline if that single source becomes unavailable.

In many cases, it’s simply a lack of awareness of best practice. Companies often think that they’re resilient because they have more than one nameserver, when in fact they are not. True DNS resilience means that your authoritative DNS records are served from diverse networks, facilities and routed prefixes. It’s certainly possible to do this on your own. But it’s typically easier (and less costly) to outsource your authoritative DNS to one or more third-party services, which can often offer better performance and scalability across a broader geographic scope.
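The check below is an added example, not code or data from the ThousandEyes report: it shows why a count of nameservers says little about resilience by counting distinct operators, routed prefixes and origin networks instead. The hostnames, documentation-range addresses and private-use AS numbers are constructed, the prefix and origin AS for each nameserver are assumed to have been looked up beforehand, and facility diversity is not modelled.

```python
import ipaddress

# Constructed sample delegations: (nameserver, address, routed prefix, origin AS).
ZONE_SINGLE = [  # three nameservers, one operator, one prefix, one network
    ("ns1.dns-a.example", "192.0.2.10", "192.0.2.0/24", 64500),
    ("ns2.dns-a.example", "192.0.2.20", "192.0.2.0/24", 64500),
    ("ns3.dns-a.example", "192.0.2.30", "192.0.2.0/24", 64500),
]
ZONE_DIVERSE = [  # three nameservers spread over two operators and networks
    ("ns1.dns-a.example", "192.0.2.10", "192.0.2.0/24", 64500),
    ("ns2.dns-a.example", "198.51.100.10", "198.51.100.0/24", 64500),
    ("ns1.dns-b.example", "203.0.113.10", "203.0.113.0/24", 64501),
]

def provider_of(hostname):
    # Assumption: the last two labels identify the operator; real
    # hostnames need a public-suffix list to split correctly.
    return ".".join(hostname.rstrip(".").lower().split(".")[-2:])

def assess(nameservers):
    """Count distinct operators, routed prefixes and origin ASes."""
    dims = {"provider": set(), "prefix": set(), "asn": set()}
    for host, ip, prefix, asn in nameservers:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is not inside {prefix}")
        dims["provider"].add(provider_of(host))
        dims["prefix"].add(net)
        dims["asn"].add(asn)
    counts = {name: len(values) for name, values in dims.items()}
    # Any dimension with a single value is a shared point of failure.
    spof = sorted(name for name, n in counts.items() if n < 2)
    return {
        "nameservers": len(nameservers),
        "counts": counts,
        "single_points_of_failure": spof,
        "resilient": not spof,
    }

if __name__ == "__main__":
    for label, zone in (("single", ZONE_SINGLE), ("diverse", ZONE_DIVERSE)):
        print(label, assess(zone))
```
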

Managed DNS Services

For those enterprises and SaaS providers who are evaluating managed DNS services—which you may want to do if you’re looking to get redundancy for your DNS—we looked at performance trends across various regions for a variety of DNS services, including those offered by DNS-focused vendors, public cloud providers and other infrastructure-as-a-service companies.

We found that the best performers overall were Cloudflare, Dyn and NS1. Notably, we found that (with the exception of Cloudflare) DNS specialists perform best across the broadest set of regions, while some cloud and other infrastructure providers not exclusively focused on DNS don’t perform as well—particularly outside of North America and Europe.

Public Recursive Resolvers

We also looked at fifteen public DNS resolvers, some of which are well known while others are obscure or regional. Of the fifteen we tested, the top three for both IPv4 and IPv6 were Cloudflare, Google and OpenDNS, although the fairly new resolvers Quad9 and CleanBrowsing also did very well.

Figure 1: Mean resolution time in milliseconds for all geos (IPv4), excluding China.

Public resolver performance is not only useful for consumers—enterprises and SaaS providers should also be aware of how public DNS resolvers perform regionally so they can understand how that performance impacts the user experience of their application or service. Enterprises may also want to use a public DNS resolver for branch offices that are light on IT assets and where a regional ISP’s default DNS may not perform well.

Other Findings

Also covered in the report is a key piece of Internet infrastructure—the global roots—which comprise thirteen anycast DNS services that underlie the connectivity and scale of the domain name system. We also look at service availability across all the DNS infrastructure we cover, at how the DNS is impacted by censorship programs in China, and at anomalous behavior related to network, routing or application issues.

What’s Next?

The 2018 Global DNS Performance Report is just the beginning of our expanded DNS coverage. We’ll continue to expand scope and explore ways to enhance our methodology for subsequent annual reports. In the meantime, download the report and get ready for more DNS-related blog posts over the coming months. If you want a refresher on how the DNS impacts digital experience and also want some highlights from the report, check out our Digital Experience Begins with DNS eBook.
