How Does the New Google DNS Perform? (and Why?)

Tarinth writes "Google just announced its new Google DNS platform. Many have viewed this as a move to increase ad revenue, or maybe capture more data. This article explores those questions, as well as the actual benchmarking results for Google DNS — showing that it is faster than many, but not nearly as fast as many others." We also recently discussed security implications of the Google Public DNS.
This discussion has been archived. No new comments can be posted.

  • My Testing Results (Score:3, Informative)

    by Anonymous Coward on Monday December 07, 2009 @12:30PM (#30354238)

    Resolve www.yahoo.com

    local.isp 12msec
    4.2.2.2 30msec
    208.67.222.222 55msec
    8.8.8.8 57msec

  • Re:Pointless hype (Score:5, Informative)

    by omnichad ( 1198475 ) on Monday December 07, 2009 @12:30PM (#30354244) Homepage

    They have two IPs - 8.8.4.4. So even if one IP fails to route to any anycast destination at all, they still have a backup.

  • by bramp ( 830799 ) on Monday December 07, 2009 @12:34PM (#30354324) Homepage
    I ran my own set of experiments benchmarking both Google DNS and OpenDNS as well as two UK ISPs. I showed more detailed results, and inferred some information about how these systems are run. http://bramp.net/blog/google-dns-benchmarked [bramp.net]
  • Re:Pointless hype (Score:2, Informative)

    by suso ( 153703 ) * on Monday December 07, 2009 @12:44PM (#30354500) Journal

    I did say I sympathize with him. My wife is from Uzbekistan and I have some friends from other countries and who visit other countries, so I know it's hard. I'm not calling him specifically a fool, but I'm using strong wording because I'm hoping that people will read my warning so that they will understand that Google DNS is not a solution for security and privacy.

  • Re:Pointless hype (Score:5, Informative)

    by Anonymous Coward on Monday December 07, 2009 @12:55PM (#30354662)

    If your ISP is like mine, they break basic DNS functionality. Instead of a correct "could not find" error, they serve up a page of badvertising. If you opt out of that, they serve up a page that says that it could not find, not returning the real error. If you have your iPhone connected to your home wifi, and you attempt to use the google app on your phone, it breaks the search results page...

    ALL of these annoyances are fixed with gDNS.

  • Re:Pointless hype (Score:3, Informative)

    by omnichad ( 1198475 ) on Monday December 07, 2009 @12:58PM (#30354704) Homepage

    I agree, but I switched anyway, just because Level3's aren't explicitly public. They plan to start locking down their DNS. I'd rather set it and forget it now. I can live with 20ms extra delay. It's still faster than my ISP.

  • by Anonymous Coward on Monday December 07, 2009 @01:01PM (#30354772)

    It's also likely to be in Google's cache. However, your location relative to a Google datacenter factors into that time as well. The idea is that through proactive caching of popular domains, the total time for a DNS query against a Google DNS server should be no greater than the latency between your machine and that server. If that latency is greater than what you see between your computer and your ISP's DNS server, using Google won't help your performance. It will however respond as a DNS server should (i.e., not send you to some ISP search page).

    Your ISP doesn't do proactive caching of domains, so there's a chance that although you are closer to your ISP's server than to Google's, Google might still return faster even with round-trip latency than your ISP if the ISP doesn't have the domain in its cache and needs to do a recursive lookup for the query. You're banking on the hope that Google's audience is larger than your ISP's and therefore has a wider range of cached domains in its system.

  • Re:Pointless hype (Score:3, Informative)

    by TheRaven64 ( 641858 ) on Monday December 07, 2009 @01:16PM (#30354970) Journal
    Spoofing DNS is trivial. It's connectionless, and you don't even need to block the reply, you just need to respond faster than the other party and the client will, in most cases, ignore the second reply. Any last-mile provider can do it with very little infrastructure investment (it's a trivial routing rule to redirect any UDP packets on the DNS ports to a government server, it doesn't need deep packet inspection). If a government asks them to then it's much cheaper to comply than to fight it.
  • Re:Pointless hype (Score:5, Informative)

    by mzs ( 595629 ) on Monday December 07, 2009 @01:20PM (#30355020)

    Google is using anycast for their DNS servers. There are not just two machines at 8.8.8.8 and 8.8.4.4 as the sole DNS servers. You get a relatively close-by server. This is a tried and true technique for DNS. In fact there is a technical feature about the google approach that is neat. It is likely that google is using many of the same servers it is for search for the DNS servers as well. They are running the caching DNS at each facility, such that if one server at the facility gets a record, then any other DNS server at that facility uses that response. That is one cool way to limit the delays for someone else making a DNS request. I've not seen that mentioned much before, and that is neat. I wish slashdot comments about stories that are trying to be technical would have technical comments on them near the beginning, instead of rehashing of all this privacy stuff, for a third or fourth story.

    Another approach that was mentioned a lot before is that after the DNS server provides a response, the server checks to see if time is running out regarding the TTL. If it is and has not expired yet, it asks again and pretends that the TTL counter has begun again. This again is trying to limit a DNS delay for some poor schmuck.

    Another technical detail I have not seen mentioned much is that google DNS servers are returning largely authoritative answers only, often in cases where other DNS servers do not. For example, look up a private IPv4 such as 192.168.1.1 with google's servers and some others. Others typically return non-authoritative responses, say to RFC1918.private.net. There is a lot of subtly misconfigured software out there; hopefully this will bring dealing with non-authoritative answers more carefully to the forefront.

    As regards the performance of google DNS, from a few locations for me, it seems very fast. It is (much) faster than AT&T, a bit slower than comcast, a bit slower than work; the comparison with OpenDNS is in the noise. What is more important is that they treat all records correctly, so for example kx509 _kca._udp.REALM style SRV records are handled, unlike the DNS servers from some ISPs which seem to think that DNS is only for A records.

    Another interesting feature is that google DNS is playing tricks with case in DNS queries and replies as yet another stop-gap measure against DNS cache poisoning attacks. That's clever; I believe it was proposed before, but the bind folks presented some issues and left it at that.
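The case trick mzs describes (the "0x20" technique) in an added Python example that is not from the post or from Google's resolver: the resolver randomizes the case of the query name, and accepts a reply only if it echoes that exact pattern back, so a forged reply must guess the case bits as well as the transaction ID. The packet builder, names and the forged reply are all constructed here for illustration.

```python
import random
import struct

def randomize_case(qname):
    """Flip each letter of the name to upper or lower case at random (DNS 0x20).
    Servers match names case-insensitively but copy the question back verbatim,
    so a spoofer that never saw the query has to guess the pattern."""
    return "".join(c.upper() if random.random() < 0.5 else c.lower() for c in qname)

def encode_qname(qname):
    """Wire-format a dotted name as length-prefixed labels, case preserved."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in qname.rstrip(".").split("."))
    return out + b"\x00"

def build_query(txid, qname, qtype=1):
    # Header: ID, flags (RD set), QDCOUNT=1, AN/NS/AR=0; then one question (type, class IN)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack(">HH", qtype, 1)

def parse_question_name(packet):
    """Read the first question name from a DNS message, preserving case."""
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."

def response_is_acceptable(query, response):
    """Accept a reply only if the transaction ID matches AND the question name
    echoes the randomized case byte-for-byte (the 0x20 check)."""
    if query[:2] != response[:2]:
        return False
    return parse_question_name(query) == parse_question_name(response)

def demo():
    """Constructed scenario: an honest reply echoes the question as sent; a forged
    reply guessed the ID but not the case pattern (every letter flipped here)."""
    random.seed(7)
    sent = randomize_case("www.example.com.")   # e.g. "wWw.eXample.COM."
    query = build_query(0x1234, sent)
    honest = query[:2] + b"\x81\x80" + query[4:]             # same question, QR bit set
    forged = build_query(0x1234, sent.swapcase())            # wrong case pattern
    forged = forged[:2] + b"\x81\x80" + forged[4:]
    return response_is_acceptable(query, honest), response_is_acceptable(query, forged)

if __name__ == "__main__":
    print(demo())
```

The check adds roughly one bit of entropy per letter of the name, which is why mzs calls it a stop-gap: it raises the cost of blind poisoning but does nothing against an on-path party that sees the query.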

  • Re:Pointless hype (Score:5, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday December 07, 2009 @01:46PM (#30355352) Homepage Journal

    Could you give me an example of an "Internet-based DNS" that isn't also "cloud-based"?

    DNS servers are just DNS servers. There's a pool of them that handle requests to a given server. If google Public DNS is implemented like other Google services, your queries will be handled by whichever google node is nearby, idle, and knows the address you're requesting. This seems more robust than the way even the existing root servers are implemented. Google has more sites than almost any other non-government entity (there are a few notable exceptions, but none of them have an architecture like google's) and is continually opening more.

  • Re:Pointless hype (Score:3, Informative)

    by thisnamestoolong ( 1584383 ) on Monday December 07, 2009 @02:02PM (#30355548)
    How are we going to organize a boycott? How many nerds do you think really care enough about these issues? Do you really think Comcast is going to see 14 nerds out in front of their building and go OH NOES WE NEED TO CHANGE OUR WAYS? My options are Comcast or dial-up. As I need (not want, need) high speed Internet access to fulfill my work responsibilities, my options are Comcast, or move.
  • Re:Pointless hype (Score:5, Informative)

    by Sleepy ( 4551 ) on Monday December 07, 2009 @02:48PM (#30356100) Homepage

    >Then you are a fool. This is exactly what I mean by trusting your ISP. I sympathize with you and your situation (and I understand that it happens), but all your country has to do is implement some system that will change the UDP packets coming from Google DNS to change the answers, thus accomplishing the same censorship. The more people who use Google DNS, the more likely a country or ISP is to do this.

    A non-sequitur. More people using Google DNS or any other DNS resolver does NOT make it more likely that a country or corporation can impose censorship.

    In your previous statement you even hint that you know this - you suggest that a country could "change the UDP packets coming from Google DNS to change the answers", but why would a country target JUST GOOGLE DNS for censorship?

    If you took 30 seconds to Google the world's best known DNS censorship project (http://www.google.com/search?q=great+firewall+of+china) you would know that China does not target *specific* DNS resolvers (such as you suggest might be done with "Google DNS"). No, China hijacks ALL port 53 traffic, so it should be obvious that the DNS provider is 100% irrelevant.

    In fact, a third party DNS provider is MORE likely to offer DNS resolver service on a non-standard DNS port, thus becoming an ANTI-censorship tool that China cannot defeat (not without blocking or filtering ALL ports, which kills their Internet entirely).

    You should be careful about calling someone else a "fool", when speaking of topics on which you have your facts wrong.

  • by Shawndeisi ( 839070 ) on Monday December 07, 2009 @03:00PM (#30356268)
    If you're using a *nix box somewhere on your devel network, "dig +trace host.domain.tld" is a beautiful thing as you'll avoid the cache (and therefore any potentially broken caching nameserver behavior) as all the nameservers you hit will be authoritative. You can see if it truly has propagated, which you can't do with a simple nslookup due to negative caching if your first lookup wasn't successful. Right now you could have a negative record cached for the TTL in the SOA and would have to wait until it expires before you see the live record, while it was already live for everyone else. You'll also be able to devel your app faster because you won't hit the caching server until it's live. There may be an equivalent flag on nslookup but I haven't found it after a few minutes of poking around.
  • by Anonymous Coward on Monday December 07, 2009 @04:39PM (#30357440)

    I don't know how difficult it is to set up in the Windows world, but in the Linux/Unix world it is fairly simple (in Ubuntu, 1 apt-get and modify your dns server to localhost).
    You will not benefit from the cache of others, but the hit ratio apart from the big ones must be very low anyway. Better roll your own cache with your own browsing habits.
    What's the problem with that?

  • Re:Pointless hype (Score:3, Informative)

    by ckaminski ( 82854 ) <slashdot-nospam.darthcoder@com> on Monday December 07, 2009 @05:31PM (#30357996) Homepage
    That's not Billion, that's 3.1 TRILLION dollars - almost a 3rd of the US GDP.

    For the newbs:

    1000 Thousand
    1000000 Million
    1000000000 Billion
    1000000000000 Trillion
    - - - - - - - -
    315569260,000 Trillions!!
  • by Anonymous Coward on Monday December 07, 2009 @06:00PM (#30358320)

    I just want to point out the obvious reason google is doing this and hoping you will switch DNS to them.
    Facts:
    1. Some ISPs return advertisements when you enter a domain that does not exist.
    2. Google makes money from online advertising.
    3. There is a specific number of dollars advertisers are willing to budget each year.

    Given the above, it seems clear that google is attempting to remove the advertising dollars spent on domain-misses. By doing so, there is more money spent on other channels of online advertising. Google will likely pick up the majority of that money since they offer one of the best suites for online advertising.

    The ability for a user to get more accurate DNS results... is the cookie that google is holding out in order to get you to switch.

    Also note: about once per year my ISP goes down due to DNS not working. I can get to internet sites via their IP number, but name resolution does not work. The next time this occurs, I will be switching to 8.8.8.8 until my local ISP gets their DNS fixed. I may or may not switch back after that.

    Good luck google ;-)

  • by gzipped_tar ( 1151931 ) on Monday December 07, 2009 @11:48PM (#30361390) Journal

    Use dnsmasq on your localhost.

    From man page:

    --all-servers
    By default, when dnsmasq has more than one upstream server
    available, it will send queries to just one server. Setting this
    flag forces dnsmasq to send all queries to all available
    servers. The reply from the server which answers first will be
    returned to the original requestor.
