Compare quad9 vs cloudflare in DNS Resolver
-
-
Wow, nobody knows this?
-
You are running in forwarding mode so you see far less info there than you would as a caching resolver.
Your RTT to Cloudflare is very bad!
Steve
-
@stephenw10
Thx
I wonder what control I have to improve RTT?
And how exactly can this be seen by an end user?
-
Well, in your case that is extreme, 7 seconds! I doubt it's ever using 1.1.1.1 when quad9 returns results in 94ms.
That does seem like such a bad result it might just have been an anomaly. Does it still show that?
Same RTT to 1.0.0.1 if you add that? Similar values if you just ping those IPs?
Steve
-
If I use forwarder yes
https://snag.gy/XinCvL.jpg
Except for seeing high RTT values, I don't see any problems.
-
Mmm, weird. Try tracerouting to 1.1.1.1. Compare it with 1.0.0.1. I expect those to be similar.
Steve
-
You understand that what you're doing there with all those different forwarders is a horrible setup, right? If you're going to forward, then you need to forward to NS that return the same results.
You have filtering NS and non-filtering NS listed. So while one might block www.baddomain.tld, the other one won't. So you have no idea what your client is going to get or which one will be asked.
If you want to use a filtering DNS like quad 9, then do so, but don't also list google dns as one of the NS you forward to, since they do not filter.
-
@stephenw10 said in Compare quad9 vs cloudflare in DNS Resolver:
1.1.1.1.
Hmm I actually thought that 1.1.1.1, 8.8.8.8 and 8.8.8.8 all do filtering. Enabled 1.1.1.1 only for now.
https://snag.gy/bhOJ2s.jpg
It seems that sometimes it's fast and sometimes it's not.
Here are the traceroutes:
traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 40 byte packets
1 lo0.bras1.snfcca14.sonic.net (50.0.79.96) 1.017 ms 0.917 ms 0.353 ms
2 0.ae10.cr2.colaca01.sonic.net (142.254.59.149) 17.276 ms 21.567 ms 21.981 ms
3 0.ae0.cr3.colaca01.sonic.net (198.27.244.130) 508.156 ms 444.347 ms 429.213 ms
4 * 0.ae0.cr2.lsatca11.sonic.net (50.0.79.174) 4708.927 ms *
5 50.ae4.gw.pao1.sonic.net (50.0.2.5) 1.906 ms 1.960 ms 1.702 ms
6 206.41.106.62 (206.41.106.62) 13.022 ms 6.051 ms 10.537 ms
7 one.one.one.one (1.1.1.1) 4.370 ms 4.123 ms 4.224 ms
traceroute 1.0.0.1
traceroute to 1.0.0.1 (1.0.0.1), 64 hops max, 40 byte packets
1 lo0.bras1.snfcca14.sonic.net (50.0.79.96) 1.213 ms 0.994 ms 0.423 ms
2 0.ae10.cr2.colaca01.sonic.net (142.254.59.149) 12.407 ms 21.631 ms 21.147 ms
3 0.ae0.cr3.colaca01.sonic.net (198.27.244.130) 55.187 ms 116.384 ms 21.967 ms
4 0.ae0.cr2.lsatca11.sonic.net (50.0.79.174) 4625.031 ms * *
5 50.ae4.gw.pao1.sonic.net (50.0.2.5) 1.797 ms 1.972 ms 1.983 ms
6 206.41.106.62 (206.41.106.62) 9.973 ms 5.269 ms 5.514 ms
7 one.one.one.one (1.0.0.1) 4.162 ms 4.074 ms 4.393 ms
-
https://developers.google.com/speed/public-dns/faq#filter
No. Google Public DNS is purely a DNS resolution and caching server; it does not perform any blocking or filtering of any kind, except that it may not resolve certain domains in extraordinary cases if we believe this is necessary to protect Google’s users from security threats.
Cloudflare is not supposed to be doing any filtering either, but quad 9 does.
-
Copy thx !
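-
The forwarder mismatch raised in the thread (a filtering NS listed beside non-filtering ones), as an added example that is not part of any post: it parses each forwarder's raw DNS response and reports when they disagree about the same name. The sample responses are constructed, and treating NXDOMAIN as the filtering resolver's block signal is an assumption.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A-record query for `name`."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def ask(server, name, timeout=3.0):
    """Query one forwarder over UDP/53 (needs network; the demo below does not call it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def resolves(response):
    """True if the response is NOERROR with at least one answer record."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return (flags & 0x000F) == 0 and ancount > 0

def split_verdicts(responses):
    """Map forwarder -> resolves?; return the map only when forwarders disagree."""
    verdicts = {fwd: resolves(raw) for fwd, raw in responses.items()}
    return verdicts if len(set(verdicts.values())) > 1 else {}

def constructed_response(query, rcode, addr=None):
    """Build a sample response for the demo (constructed, not captured traffic)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    answer = b""
    if addr:  # name pointer to offset 12, type A, class IN, TTL 60, 4-byte address
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + query[12:] + answer

Q = build_query("www.baddomain.tld")
SAMPLE = {  # constructed: one forwarder answers NXDOMAIN (rcode 3), two return an address
    "quad9": constructed_response(Q, 3),
    "1.1.1.1": constructed_response(Q, 0, "192.0.2.10"),
    "8.8.8.8": constructed_response(Q, 0, "192.0.2.10"),
}

if __name__ == "__main__":
    for fwd, ok in split_verdicts(SAMPLE).items():
        print(f"{fwd:8} {'resolves' if ok else 'NXDOMAIN / no answer'}")
```

To check a live setup, replace `SAMPLE` with `{fwd: ask(fwd, name) for fwd in forwarders}`; an empty result means every listed forwarder gave the same verdict for that name.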