If it’s fast DNS response you’re after, Google and its big-brand rivals might not always offer the snappiest performance, according to figures compiled by the German Webxtrakt Project.

The project monitors the response times from a range of free Domain Name System (DNS) services on a daily basis, plotting them on a graph that uncovers a surprising degree of variation.


According to the stats, the current best performer by some distance is US-based Hurricane Electric with an average response time of 21ms, with DNS provider Dyn, filtering provider SafeDNS and Cisco’s OpenDNS among a group a bit further back in the 30ms to 40-something range.

VeriSign came in further down at just under 50ms with Google’s public DNS unexpectedly weak at 63ms.

Are these numbers meaningful?

The methodology used by Webxtrakt has possible limitations. The first is that it is carried out from Germany, so the results might not match the experience of users in other parts of the world. On balance, we’d say this is a minor issue; some of the weaker performers are global firms such as Google while the best is based in California, which means that location seems to be secondary.

It is also based on querying only certain country code top-level domains (ccTLDs): .de, .nl, .ru, .eu, .fr, .it, .pl, .ca, .ch, .es, .be, .se, .at, .cz, .pt and .no. In other words, there are no .com domains, nor even .uk.

Again this is probably not that important. Because of the way DNS works it’s unlikely that any of these providers would serve better or worse response times for .de than for .uk.

As for the time period, the graph refreshes on a daily basis but Techworld monitoring over a period of weeks backed up its rough ranking (tracking over longer time periods is coming soon). Google was consistently further down the performance table.

However, according to Christian Lund, who runs the project, measuring DNS turned out to highlight something subtler that users should pay attention to.

“What was interesting for us as well was the consistency of the various DNSes, some are extremely stable while others fluctuate during the day.”

That will be noticed by a web user. At one point in the day, DNS response times might be fine while at another a delay could be noticeable. Most users would have no way of tying such fluctuations to DNS, however, and would probably blame the applications or contention on the internet service itself.

The good news is that these public DNS services are, unbeknownst to most people, now legion. Nobody can complain that they don’t have a choice when it comes to DNS.

Privacy and security – DNS over https

A word of warning. When it comes to DNS, the fact that a service is free or even fast isn’t the only consideration to take into account. Privacy also matters.

Some of the services on the list give free DNS resolution in return for a degree of monitoring, anonymous data they can make money from in the strange economy of an Internet few really understand. This is one reason why there are so many services in the market all of a sudden. The only way to gauge the extent of data gathering is to study a service's terms and conditions very closely.

Earlier this year, we delved into these issues in a separate feature on sister title Computerworld.


The ease of monitoring is down to the fact that DNS queries travel over UDP/TCP and are not encrypted. If they were, vanilla DNS wouldn’t work. What about https? It’s easy to assume that because https connections are secured with SSL or TLS, the domains visited are secret. This isn’t the case, again because it would break the DNS system, which has to be able to see a domain in order to start resolving it.

Partial solutions to this have been suggested, including Google’s own DNS over https project that secures DNS queries as an extension to the DNSSEC system. This is more about anti-spoofing and would not shield domains from surveillance.

Note: DNS settings can be set from the client device (i.e. a Windows, Mac or Linux PC) or set for all users through the network router.