Dnsdig - A script to test common DNS resolvers

There were some occasions to post this in a few threads.
So now I put it in a place.
Feel free to recommend DNS providers I should add (or remove).
Or anything else I suppose.

Example run

$ dnsdig

 Test common resolvers by calculating average response times of 3 queries.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------                                   
DNS               Primary          Secondary
                                   
AdGuard           94.140.14.14     94.140.15.15
CleanBrowsing     185.228.168.9    185.228.169.9
Cloudflare        1.1.1.1          1.0.0.1
Comodo            8.26.56.26       8.20.247.20
Control-D         76.76.2.2        76.76.10.2
dns0.eu           193.110.81.0     185.253.5.0
DNSFilter         103.247.36.36    103.247.37.37
Dyn/Oracle        216.146.35.35    216.146.36.36
FlashStart        185.236.104.104  185.236.105.105
Gcore             95.85.95.85      2.56.220.2
Google            8.8.8.8          8.8.4.4
Level3/Lumen      209.244.0.3      209.244.0.4
NextDNS           45.90.28.105     45.90.30.105
OpenDNS/Cisco     208.67.222.222   208.67.220.220
Quad9             9.9.9.9          149.112.112.112
SafeDNS           195.46.39.39     195.46.39.40
UltraDNS/Vercara  64.6.64.6        64.6.65.6
                                   
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 Do you wish to flush the DNS cache (y/N)? y

Current DNS 127.0.0.53
Avg time:  3.33333 ms

FlashStart 185.236.104.104
Avg time:  8.66667 ms

Cloudflare 1.1.1.1
Avg time:  17.6667 ms

SafeDNS 195.46.39.39
Avg time:  18.3333 ms

Control-D 76.76.2.2
Avg time:  28.3333 ms

Quad9 9.9.9.9
Avg time:  28.3333 ms

DNSFilter 103.247.36.36
Avg time:  29.3333 ms

NextDNS 45.90.28.105
Avg time:  29.3333 ms

Level3/Lumen 209.244.0.3
Avg time:  30 ms

UltraDNS/Vercara 64.6.64.6
Avg time:  36 ms

AdGuard 94.140.14.14
Avg time:  47 ms

OpenDNS/Cisco 208.67.222.222
Avg time:  50.6667 ms

Google 8.8.8.8
Avg time:  56 ms

Comodo 8.26.56.26
Avg time:  79.3333 ms

CleanBrowsing 185.228.168.9
Avg time:  94.3333 ms

Gcore 95.85.95.85
Avg time:  103.333 ms

dns0.eu 193.110.81.0
Avg time:  212 ms

Dyn/Oracle 216.146.35.35
Avg time:  241.667 ms

:information_source: Note :information_source:

As with many of my scripts .. this can be run remotely, with no need to download, as well:

bash <(curl -s https://gitlab.com/cscs/dnsdig/-/raw/main/dnsdig)

Nice script.

Based on something similar I had on a small PiHole device for some time, I would suggest the following:

  • Make it easy to also test a custom entry (your provider’s DNS)
  • Have an option to sort the results by time, so it’s easy to see which one is the fastest

Maybe make the query number a bit higher, or free choice. 3 is too little to detect hiccups, I think I had 10.

Thanks.

Usage: dnsdig

Options:
  -h, --help     Display this help message

Environment Variables:
  DOMAIN         Set the lookup domain
  SKIP           Skip the regular tests and header
  TESTDNS        Custom DNS server to test

https://gitlab.com/cscs/dnsdig/-/blob/main/dnsdig?ref_type=heads#L14

They should already be sorted by time by default.
(Except the current one which will be displayed at the top.)

Hm. It could certainly be increased. :thinking:

From my region the following are the top 14 fastest DNS servers. It is funny that Google DNS and Oracle DNS did not make the cut. But OpenDNS and FlashStart did.

Not surprised that Cloudflare is there in the top 5. It is one of the fastest DNS out there.

Firefox uses NextDNS, which is at the bottom, for Increased protection, i.e. secure DNS. Maybe it does make sense to shift to Cloudflare DNS for using Secure DNS.

OpenDNS/Cisco 208.67.222.222
Avg time:  14 ms

DNSFilter 103.247.36.36
Avg time:  15 ms

FlashStart 185.236.104.104
Avg time:  17.3333 ms

Cloudflare 1.1.1.1
Avg time:  20 ms

Quad9 9.9.9.9
Avg time:  25 ms

SafeDNS 195.46.39.39
Avg time:  28.6667 ms

Comodo 8.26.56.26
Avg time:  43 ms

CleanBrowsing 185.228.168.9
Avg time:  44 ms

UltraDNS/Vercara 64.6.64.6
Avg time:  44 ms

AdGuard 94.140.14.14
Avg time:  47.3333 ms

Level3/Lumen 209.244.0.3
Avg time:  51.6667 ms

NextDNS 45.90.28.105
Avg time:  86.3333 ms

Sure, mine were - Cloudflare at the top my current as well as the fastest item… it was nice to see a comparison and tickle my narcissistic tendencies :joy:

Current DNS 1.1.1.1
Avg time:  3 ms

Cloudflare 1.1.1.1
Avg time:  2.66667 ms

Quad9 9.9.9.9
Avg time:  3.66667 ms

Google 8.8.8.8
Avg time:  23.6667 ms

FlashStart 185.236.104.104
Avg time:  25.3333 ms

OpenDNS/Cisco 208.67.222.222
Avg time:  26 ms

AdGuard 94.140.14.14
Avg time:  26.3333 ms

Level3/Lumen 209.244.0.3
Avg time:  26.3333 ms

CleanBrowsing 185.228.168.9
Avg time:  26.6667 ms

Control-D 76.76.2.2
Avg time:  26.6667 ms

Comodo 8.26.56.26
Avg time:  27 ms

NextDNS 45.90.28.105
Avg time:  27 ms

DNSFilter 103.247.36.36
Avg time:  27.3333 ms

Gcore 95.85.95.85
Avg time:  98.6667 ms

SafeDNS 195.46.39.39
Avg time:  160 ms

UltraDNS/Vercara 64.6.64.6
Avg time:  201.667 ms

dns0.eu 193.110.81.0
Avg time:  209.333 ms

Dyn/Oracle 216.146.35.35
Avg time:  386 ms

Interestingly Cloudflare is faster than my current DNS in this run :rofl:

Nice script. Glad none of them is faster than my own local unbound instance.


I have one entry with errors which throws a wrench in the sort:

Current DNS 127.0.0.53
Avg time:  0.666667 ms

UltraDNS/Vercara 64.6.64.6
Avg time:  21 ms

Comodo 8.26.56.26
Avg time:  22 ms

Level3/Lumen 209.244.0.3
Avg time:  22 ms

Cloudflare 1.1.1.1
Avg time:  23 ms

CleanBrowsing 185.228.168.9
Avg time:  24 ms

Google 8.8.8.8
Avg time:  40 ms

Quad9 9.9.9.9
Avg time:  51 ms

dns0.eu 193.110.81.0
Query errors
Avg time:  108.333 ms

AdGuard 94.140.14.14
Avg time:  21.6667 ms

Control-D 76.76.2.2
Avg time:  22.3333 ms

SafeDNS 195.46.39.39
Avg time:  25.6667 ms

OpenDNS/Cisco 208.67.222.222
Avg time:  27.6667 ms

Gcore 95.85.95.85
Avg time:  28.3333 ms

DNSFilter 103.247.36.36
Avg time:  29.6667 ms

Dyn/Oracle 216.146.35.35
Avg time:  30.6667 ms

FlashStart 185.236.104.104
Avg time:  41.3333 ms

NextDNS 45.90.28.105
Avg time:  68.3333 ms

Good to see that a local dns is already in there. I ran it from the git repo via curl, so I missed that.
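
The sorting problem reported in the post above, as an added example that is not dnsdig's own code: one way to order output of this shape so that a record carrying an extra line such as "Query errors" is still placed by its average time. The sample values are constructed, and the function names `sample_output` and `sort_records` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not dnsdig's code): sort dnsdig-style records by "Avg time".

# Constructed sample in the output format shown in this thread.
sample_output() {
  cat <<'EOF'
Current DNS 127.0.0.53
Avg time:  0.666667 ms

Quad9 9.9.9.9
Avg time:  51 ms

dns0.eu 193.110.81.0
Query errors
Avg time:  108.333 ms

AdGuard 94.140.14.14
Avg time:  21.6667 ms

Cloudflare 1.1.1.1
Avg time:  23 ms
EOF
}

# sort_records (hypothetical name): reads blank-line-separated records on
# stdin and prints them ordered by their numeric average time.
sort_records() {
  awk -v RS='' -F'\n' '
    {
      key = 999999999                  # no "Avg time" line: sort last
      for (i = 1; i <= NF; i++)        # find the time on any line of the record
        if ($i ~ /^Avg time:/) { split($i, f, /[ \t]+/); key = f[3] + 0 }
      if ($1 ~ /^Current DNS /) key = -1   # keep the current resolver on top
      rec = $0; gsub(/\n/, "\t", rec)      # flatten the record to one line
      printf "%.6f\t%d\t%s\n", key, NR, rec
    }' |
    LC_ALL=C sort -t "$(printf '\t')" -k1,1n -k2,2n |   # by time, then input order
    cut -f3- |
    awk '{ gsub(/\t/, "\n"); print; print "" }'   # restore the record layout
}

sample_output | sort_records
```

Treating each blank-line-separated block as one record, rather than assuming two lines per resolver, is what keeps an entry with an extra status line from splitting the sorted list.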

Local unbound instance? Meaning?

These handful of comments seem to indicate that some provider/outputs somehow are skipped when run remotely?

I cannot seem to replicate this behavior.

It's a local caching dns server/resolver.
systemd-resolved provides the resolver part among other things.
Another one that can provide a dns server and/or resolver, among others, is dnsmasq.

Of course, as with many others - it's a tool/component that does certain things.
The most important parts of which you already have in some form or another or else your internet would be observably nonfunctional.
You can read up on these things and make an informed choice about which to use and how to configure them if you are so inclined.

I generally find that systemd-resolved (no extra dhcp or resolver or server) well configured is preferable for most basic home setups. It can optionally be set up to cache dns queries as well.*

* This is exemplified by some of the quoted outputs above and can be seen as 127.0.0.53 with notably low response times - as low as 0 ms, but sometimes a bit higher due to the multiple queries and/or whether the cache was flushed.

That is a very valid point. Since I ran the script remotely, maybe it is not a reflection from my region rather than from the server. Let me download and run it.
No, the Google and Oracle DNS servers were not skipped. Just that to keep the output brief they were omitted from the post. Maybe I should have posted only the top 5 or 7 or 10. Sorry for causing unnecessary confusion.

I am not comfortable using systemd for dns resolution. As an init program yes. As a journal/logging mechanism yes. But for others I would like to have a hard look at it.
Thanks for the links I will go through them.

Ah, no worries.
I will note that the term ‘remotely’ is used only in the sense that you are running the script as it is hosted/presented from a remote source. The functions are still run from the origin point of your own system.

What are you using now then I wonder?
I would probably expect it to be systemd-resolved .. some other distros were still pushing openresolv even up until recently but I wouldn't expect it here.
Along with the first questions I would also assume probably not unbound or dnsmasq.

For whatever it's worth here is the systemd-resolved wiki too:

I quoted the full set I got, did you scroll in the code box? There are more than the default display in the forum shows.

It means that I like privacy and security. And I hate the spreading of meta-data.
This is why I use my own DNS-resolver, not one of the “evil ones” (almost all DNS-resolvers in the wild sell the metadata or use it for other purposes than providing the service, these often includes the DNS-resolver that the ISP will provide). I have my own DNS-resolver, which itself asks “.” aka the root zone - no funny 3rd party meta-data seller in between. DNS as it used to be.
(O, and I block everything that has another DNS-resolver hardcoded and transfer it to my own, because quite some clients do that nowadays - android and ios come to mind…).

The first request to a domain may sometimes be slower than other “commercial” DNS-resolvers, hence my very positive surprise by the script (and no, I did not use the basic wikipedia.org, that domain is for sure cached…).

Most browsers do it too unless explicitly disabled.

A setting is a completely different kind of beast than hardcoded “fallbacks” to Google's DNS (in Android, for example).
But yeah, I am fully aware of this. I deactivate DoH and DoT on each client config that I can get my hands on.

A very good question. I am not using the following as they are disabled/unloaded/inactive

  1. dnsmasq.service
  2. systemd-resolved
  3. avahi-dnsconfd.service
  4. rdnnsd.service

openresolv is not installed or configured on my system

So what is being used on my EOS system? There is a file /etc/resolv.conf and that is pointing to some public DNS server.

DoH and DoT, by this are you referring to DNS Over HTTP and DNS over TLS by any chance? Or something else?

Feel free to recommend DNS providers I should add (or remove).

Add Mullvad DNS.
AFAIK this is the only audited DNS that I’m aware of. They’ve no logging of DNS requests policy.

EOS default install uses glibc resolver + nss-mds (and NetworkManager)

Will the script ask the user to input any private dns servers they may use that are not known free dns? THAT would be useful for measuring LAN dns against cloud DNS. I know it is only logical that the LAN DNS would be faster however that is NOT always the case.
Mine is probably faster though. What's interesting about that is I use Quad9 DoT forwarding on my firewall and just cache everything. Works as fast as a local DNS 99.9% of the time with the odd hiccup now and again.


TY for your hard work and efforts. I'll use the script for sure!

Current DNS 192.168.175.1
Avg time: 0.666667 ms

AdGuard 94.140.14.14
Avg time: 19.3333 ms

Dyn/Oracle 216.146.35.35
Avg time: 19.3333 ms

Control-D 76.76.2.2
Avg time: 19.6667 ms

DNSFilter 103.247.36.36
Avg time: 19.6667 ms

Cloudflare 1.1.1.1
Avg time: 20.6667 ms

FlashStart 185.236.104.104
Avg time: 20.6667 ms

Comodo 8.26.56.26
Avg time: 22.3333 ms

SafeDNS 195.46.39.39
Avg time: 22.3333 ms

CleanBrowsing 185.228.168.9
Avg time: 23.3333 ms

UltraDNS/Vercara 64.6.64.6
Avg time: 29 ms

Google 8.8.8.8
Avg time: 31.3333 ms

Level3/Lumen 209.244.0.3
Avg time: 31.6667 ms

Quad9 9.9.9.9
Avg time: 36.6667 ms

NextDNS 45.90.28.105
Avg time: 56.3333 ms

OpenDNS/Cisco 208.67.222.222
Avg time: 58.6667 ms

Gcore 95.85.95.85
Avg time: 78.6667 ms

dns0.eu 193.110.81.0
Avg time: 105 ms