- Status
Is Adguard DNS fast? I'm interested. I'm using Yandex DNS and I wonder how switching to Adguard DNS would impact performance.I am using Adguard DNS (Beta) so far so good. Adguard DNS offers not only security but also does blocking of Ads and Trackers as a bonus feature. Since the service is in Beta stage at the moment some may face issues.
Adguard DNS SERVERS:
Default
Use these servers to block ads, trackers and phishing websites.
176.103.130.130
176.103.130.131
Family Protection
"Default" + blocking adult websites.
176.103.130.132
176.103.130.134
A useful program! mines Google DNS which its fastest for me...I use DnsJumper. I use whichever is the fastest
I use this: GRC's | DNS Nameserver Performance Benchmark
It will find DNS servers closest to me and then run a benchmark to compare their speeds. I pick the two fastest on the list and test them with the spoofability test:
GRC | DNS Nameserver Spoofability Test
Once they do well and they are fast, I add them to the config file of my local resolver Deadwood DNS. I found that there are servers that are actually faster than running my own recursion so why not use those instead and have my local resolver cache the results? That way I get the best of both worlds. The cache is instant and if it's not in cache, let another computer somewhere else look it up for me at a much faster speed than my computer. The best thing is that I am finally being pointed at the correct CDNs.
It will find DNS servers closest to me and then run a benchmark to compare their speeds. I pick the two fastest on the list and test them with the spoofability test:
GRC | DNS Nameserver Spoofability Test
Once they do well and they are fast, I add them to the config file of my local resolver Deadwood DNS. I found that there are servers that are actually faster than running my own recursion so why not use those instead and have my local resolver cache the results? That way I get the best of both worlds. The cache is instant and if it's not in cache, let another computer somewhere else look it up for me at a much faster speed than my computer. The best thing is that I am finally being pointed at the correct CDNs.
I use Norton DNS although they are not the fastest
it gives you the best malware and phishing protection and more importantly, coinmining protection, which is not seen in other DNS services, like Quad9
I don't like my ISP DNS because they are indeed very fast with local websites but slower than google DNS for foreign websites, and they have higher chance of DNS disconnection/maintainance
I used to use 8.8.8.8 and 208.67.222.222 together. When google DNS server fails, openDNS will takeover so I never get disconnected
it gives you the best malware and phishing protection and more importantly, coinmining protection, which is not seen in other DNS services, like Quad9
I don't like my ISP DNS because they are indeed very fast with local websites but slower than google DNS for foreign websites, and they have higher chance of DNS disconnection/maintainance
I used to use 8.8.8.8 and 208.67.222.222 together. When google DNS server fails, openDNS will takeover so I never get disconnected
Note, that Adguard does not have its own DNS servers, it routes through whichever are the closest, like Yandex, Google, OpenDNS, etc. So the speed is comparable.
EDIT: I have recently started to use UltraDNS Family (Level 3 servers) in Windows and I also use OpenDNS Family via browser's dnscrypt.
Last edited:
Since I haven't tried Yandex DNS unable to give a comparison. To give you a rough idea about its performance I felt Adguard DNS almost as fast as NortonDNS but lags behind GoogleDNS slightly. Performance of a DNS service varies from location though. Its recommended to try out each DNS services and settle on the best one you like.
the DNS speed varies from day to night also
some DNSes can perform really well in the morning but in the afternoon of the same day, they may fall to the mid table. It happens to me everytime
some DNSes can perform really well in the morning but in the afternoon of the same day, they may fall to the mid table. It happens to me everytime
This is true, After trying out various privacy & no logging DNS server's, trying to get the speed to match close to a well known, logging DNS server's speed. The sweet spot for me since I run various security set-up's depending on what I am doing, I force all my client's to request look-ups from the router so it can build a local cache of my most visited site's(such as this one). My router request its look-ups from tenta OpenNIC name resolver's.
Initially after changing from DNS.WATCH to Tenta OpenNIC I noticed a huge increase in latency loading page's I normally visit as my router was trying to resolve the names with its new name revolver's. After maybe 4-6hr's of browsing and junk, my page loading speed as least for the website's I normally visit is roughly about what it was before changing the DNS to Tenta.
I work in networking & security and as you said it is scarily creepy what some fundamental internet component's can be used for if abused. blocking miner's, script's, approving page element's, blocking ad's, etc also helped in speeding up the page load times since the encryption and security method's I use also cut my performance by a decent amount.
It depends on where your DNS is cached and how much is cached. Many routers don't offer any significant DNS caching - I've seen some with 12 or less entries but most seem to be higher, I've seen them range from 100-2000 entries but rarely do they cap off DNSMasq maximum. I am a firm advocate of disabling Windows DNS Caching so having a snappy forwarder is important.
DNSMasq has a hard coded maximum of 10,000 DNS cache entries, which Pi-Hole uses and defaults it to the maximum cache. So after 24 hours of use it will speed resolution even on one of the slower, privacy forwarders. So provided your caching of forwards is sufficient, a slower DNS resolution won't be a bit impact after it develops it's cache.
DNSMasq has a hard coded maximum of 10,000 DNS cache entries, which Pi-Hole uses and defaults it to the maximum cache. So after 24 hours of use it will speed resolution even on one of the slower, privacy forwarders. So provided your caching of forwards is sufficient, a slower DNS resolution won't be a bit impact after it develops it's cache.
Many ISP's now do this. Also remember the CIA front NebuAD which a lot of ISPs implemented to spy on their customers. Then there are their hosted mirrors of GoogleDNS, Paxfire Redirects, NX redirects on bad domains. Some ISP's still have old Paxfire DNS MiTM gear from 2012-2014 range still in operation. Paxfire was basically another Intelligence front in Reston VA that made MiTM appliances to capture data/intel on ISP customers.
Many ISP's use L7 DPI inspection and redirect DNS unless you encrypt it. Run a trace and you might find your GoogleDNS resolving to just a couple hops off your gateway. That's a L7 DPI grab of your DNS resolver. Then you have clever firms directing non-DNS traffic over DNS to bypass your inspection, content filters and IPS. Malformed DNS is usually how it is found.
Evasion is becoming much harder as DNS is very ripe for spying and essentially gives up everything you do.
VPN's tend to work pretty well.
Encryption of DNS can sometimes work.
Another common method is to use IPTABLES and redirect your DNS over Port 54 rather than the normal Port 53 of DNS, thus bypassing any monitoring/MiTM activity of your ISP (or others). (but this can get ugly, really fast, unless you know what you are doing)
Bottom line for me.. I do DNS traffic inspection at the L7 level to look for anomalies and use Pi-Hole for local resolution and caching.. Anything else is troublesome and at times, problematic. Unfortunately DNS security is an incredibly neglected thing these days. Most firewall/UTM don't even inspect DNS traffic.
Obviously. VPN is the best possible option. I do have a couple of them. But I only use them as a last resort.
I don't know what other "magic" my ISP have. Any VPN will cause massive slowdown of my internet speed.
DNSCrypt-proxy works wonder for me so far. And I think I'll settle with it until it stopped working.
@Slyguy
Two I like to use;
Fortinet Secure DNS (malware/phishing/malvertising/botnet blocking)
208.91.112.53
208.91.112.52
You can add Fortinet DNS to your list of secure, malware blocking dns. Anyone can use it, you don't need a Fortigate appliance to use it.
Hey do you know if Fortinet supports DNSSEC, and also if they log DNS queries? Do they use Anycast like Google? Thanks for the info.
Fortinet Secure DNS (malware/phishing/malvertising/botnet blocking)
208.91.112.53
208.91.112.52
You can add Fortinet DNS to your list of secure, malware blocking dns. Anyone can use it, you don't need a Fortigate appliance to use it.
Hey do you know if Fortinet supports DNSSEC, and also if they log DNS queries? Do they use Anycast like Google? Thanks for the info.
DNS Google
I’m using 9.9.9.9 Cisco dns server it never fails to me
- Status
