i kept seeing "just use 1.1.1.1" and "switch to quad9 for security" in every networking thread, and nobody ever showed numbers. so i wrote a powershell script that actually benchmarks all of them on my machine and picks one based on weighted scoring.
repo: https://github.com/TiltedLunar123/DNS-Benchmark
the problem
my ISP's default DNS resolves twitter.com in ~38ms. cloudflare claims sub-15ms globally. is that real from comcast in metro detroit at 11pm? i had no idea. every "best DNS" article is the same five recommendations with no measurements behind them.
the existing tools i tried either:
- only test latency (ignores reliability, ignores DNSSEC support)
- need GUI clicks (i wanted something i could run from a script on a fresh windows install)
- pick winners with no visible methodology
so i built one.
what it does
it pulls the active network adapter, runs queries against 17 public resolvers across 10 test domains, scores them, and offers to apply the winner. with a backup so you don't brick your DNS at 2am.
the 17 providers cover the main families: cloudflare (three variants including malware and family filtering), google, quad9 (filtered + unfiltered), opendns, adguard, comodo, cleanbrowsing, mullvad, control d, neustar, level3. enough to actually represent the space, not just three vendors.
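here is an added example (my own sketch, not the repo's install.ps1 or benchmark script) of the "backup before apply" part: it refuses to run without admin up front instead of failing late, snapshots the active adapter's current IPv4 DNS servers to a JSON file, applies a resolver, and can restore from that snapshot. the backup path, the helper names, and the hardcoded 1.1.1.1/1.0.0.1 "winner" are assumptions; the cmdlets (Get-NetAdapter, Get-DnsClientServerAddress, Set-DnsClientServerAddress, Clear-DnsClientCache) are standard Windows ones.

```powershell
# Added example, not the DNS-Benchmark repo's own code.
# Snapshot -> apply -> restore for the active adapter's IPv4 DNS servers,
# with the admin check done first so nothing is half-changed when it fails.
$BackupPath = Join-Path $env:LOCALAPPDATA 'dns-backup.json'   # hypothetical location

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ActiveAdapter {
    # first physical adapter that is Up; the same idea as "pull the active network adapter"
    Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Sort-Object ifIndex | Select-Object -First 1
}

function Backup-DnsConfig {
    param([Parameter(Mandatory)]$Adapter, [string]$Path = $BackupPath)
    $current = Get-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex -AddressFamily IPv4
    $snapshot = [ordered]@{
        Taken          = (Get-Date).ToString('o')
        InterfaceIndex = $Adapter.ifIndex
        InterfaceAlias = $Adapter.Name
        Servers        = @($current.ServerAddresses)   # IPv4 only, like the script for now
    }
    $snapshot | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    return $Path
}

function Set-DnsResolver {
    param([Parameter(Mandatory)]$Adapter, [Parameter(Mandatory)][string[]]$Servers)
    Set-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex -ServerAddresses $Servers
    Clear-DnsClientCache   # so the next query actually hits the new resolver
}

function Restore-DnsConfig {
    param([string]$Path = $BackupPath, [switch]$ResetToDhcp)
    if (-not (Test-Path $Path)) { throw "no backup found at $Path" }
    $snapshot = Get-Content -Path $Path -Raw | ConvertFrom-Json
    if ($ResetToDhcp) {
        # the snapshot cannot tell DHCP-assigned servers from static ones, so the caller
        # decides whether to hand DNS back to DHCP or pin the saved addresses statically
        Set-DnsClientServerAddress -InterfaceIndex $snapshot.InterfaceIndex -ResetServerAddresses
    } else {
        Set-DnsClientServerAddress -InterfaceIndex $snapshot.InterfaceIndex -ServerAddresses $snapshot.Servers
    }
    Clear-DnsClientCache
}

# fail fast: Set-DnsClientServerAddress needs elevation, so check before touching anything
if (-not (Test-IsAdmin)) { throw 'run this from an elevated PowerShell session' }

$adapter = Get-ActiveAdapter
if (-not $adapter) { throw 'no active physical adapter found' }

$backup = Backup-DnsConfig -Adapter $adapter
Write-Host "backed up current DNS for '$($adapter.Name)' to $backup"

# the benchmark winner would go here; 1.1.1.1 / 1.0.0.1 is a hardcoded stand-in
Set-DnsResolver -Adapter $adapter -Servers @('1.1.1.1', '1.0.0.1')

# sanity check before walking away from the machine
Resolve-DnsName -Name example.com -Type A -DnsOnly | Select-Object Name, IPAddress

# Restore-DnsConfig               # roll back to the saved static servers
# Restore-DnsConfig -ResetToDhcp  # or hand DNS back to DHCP
```

the one caveat worth knowing: Get-DnsClientServerAddress returns DHCP-assigned servers too, so a snapshot alone does not record whether the adapter was on DHCP. that is why restore takes a -ResetToDhcp switch rather than guessing.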
the scoring choice that took me too long
i kept flip-flopping on weights. first attempt was pure latency. then i ran it a few times and noticed quad9 would win one run, cloudflare the next, depending on which domain happened to be hot in cache. so consistency had to matter.
settled on:
- speed 40%
- reliability 25% (% of queries that actually resolved without timeout)
- security 25% (DNSSEC support, malware blocking, no logging claims)
- consistency 10% (low jitter across runs)
the security score is partially hardcoded from each provider's published policy, which i'm not thrilled about. i don't have a great way to verify "no logging" claims from a script. open to suggestions there.
the install line
irm https://raw.githubusercontent.com/TiltedLunar123/DNS-Benchmark/master/install.ps1 | iex
yes, irm | iex is the powershell equivalent of curl | bash and yes you should read the script before running it. the install.ps1 is under 100 lines. takes about 30 seconds to skim.
sample output
results come back as letter grades, A+ through F, with the top 3 starred. cloudflare 1.1.1.1 won on my home connection but quad9 came within 2ms and scored higher on security weighting. it was closer than the internet would have you believe.
what's broken
- it assumes you have admin. if you don't, it fails late instead of checking up front. fixing.
- the 10 test domains are hardcoded. should probably read from a config file or accept a -Domains param.
- no ipv6 support yet. on the list.
- jitter analysis uses standard deviation which is fine for normal cases but gets weird when a provider has one big outlier query. probably should use median absolute deviation.
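to make the weighting concrete, here is an added example (mine, not the repo's code) that covers both the scoring section above and the jitter point: it times real queries against three resolvers, computes reliability as the fraction that resolved, uses median absolute deviation instead of standard deviation for jitter, and folds everything into the 40/25/25/10 weighting with a letter grade. the security sub-scores, the test domains, the 100ms / 20ms normalisation ceilings and the grade thresholds are all constructed placeholders; only the weights come from the post.

```powershell
# Added example, not the DNS-Benchmark repo's own code.
# Resolver list and security sub-scores are constructed placeholders
# (the post says security is hardcoded from published policy).
$Resolvers = @(
    @{ Name = 'Cloudflare'; IP = '1.1.1.1'; Security = 0.8 }
    @{ Name = 'Google';     IP = '8.8.8.8'; Security = 0.7 }
    @{ Name = 'Quad9';      IP = '9.9.9.9'; Security = 0.9 }
)
$Domains   = @('example.com', 'wikipedia.org', 'github.com')   # hypothetical test set
$TestCount = 3                                                  # queries per domain per resolver

function Get-Median {
    param([double[]]$Values)
    $s = @($Values | Sort-Object)
    $n = $s.Count
    if ($n -eq 0) { return [double]::NaN }
    $half = [int][math]::Floor($n / 2)
    if ($n % 2 -eq 1) { return $s[$half] }
    return ($s[$half - 1] + $s[$half]) / 2
}

# median absolute deviation: one 800ms outlier barely moves it, unlike StdDev
function Get-MedianAbsDev {
    param([double[]]$Values)
    $m = Get-Median $Values
    $devs = foreach ($v in $Values) { [math]::Abs($v - $m) }
    return Get-Median ([double[]]$devs)
}

# one timed query; $null means timeout/SERVFAIL and counts against reliability
function Measure-Query {
    param([string]$Server, [string]$Domain)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $null = Resolve-DnsName -Name $Domain -Server $Server -Type A -DnsOnly -NoHostsFile -QuickTimeout -ErrorAction Stop
        $sw.Stop()
        return $sw.Elapsed.TotalMilliseconds
    } catch {
        return $null
    }
}

# speed 40%, reliability 25%, security 25%, consistency 10% (weights from the post);
# latency and jitter are mapped onto 0..1 with constructed 100ms / 20ms ceilings
function Get-WeightedScore {
    param([double]$MedianMs, [double]$Reliability, [double]$Security, [double]$JitterMs)
    $speed       = [math]::Max(0.0, 1 - ($MedianMs / 100))
    $consistency = [math]::Max(0.0, 1 - ($JitterMs / 20))
    $raw = 0.40 * $speed + 0.25 * $Reliability + 0.25 * $Security + 0.10 * $consistency
    return [math]::Round(100 * $raw, 1)
}

function Get-LetterGrade {
    param([double]$Score)   # thresholds are an assumption, not the repo's
    switch ($Score) {
        { $_ -ge 90 } { return 'A+' }
        { $_ -ge 80 } { return 'A' }
        { $_ -ge 70 } { return 'B' }
        { $_ -ge 60 } { return 'C' }
        { $_ -ge 50 } { return 'D' }
        default       { return 'F' }
    }
}

$results = foreach ($r in $Resolvers) {
    $samples  = [System.Collections.Generic.List[double]]::new()
    $attempts = 0
    foreach ($d in $Domains) {
        for ($i = 0; $i -lt $TestCount; $i++) {
            $attempts++
            $ms = Measure-Query -Server $r.IP -Domain $d
            if ($null -ne $ms) { $samples.Add($ms) }
        }
    }
    $reliability = if ($attempts -gt 0) { $samples.Count / $attempts } else { 0 }
    $median = if ($samples.Count -gt 0) { Get-Median $samples.ToArray() } else { [double]::PositiveInfinity }
    $jitter = if ($samples.Count -gt 0) { Get-MedianAbsDev $samples.ToArray() } else { [double]::PositiveInfinity }
    $score  = Get-WeightedScore -MedianMs $median -Reliability $reliability -Security $r.Security -JitterMs $jitter
    [pscustomobject]@{
        Provider    = $r.Name
        Server      = $r.IP
        MedianMs    = [math]::Round($median, 1)
        Reliability = $reliability
        JitterMs    = [math]::Round($jitter, 1)
        Score       = $score
        Grade       = Get-LetterGrade $score
    }
}

$results | Sort-Object Score -Descending | Format-Table -AutoSize
```

a resolver that never answers ends up with infinite median and jitter, which the ceilings clamp to a speed and consistency of 0, so it sinks on its own without special-casing. the median-vs-mean choice matters for the same reason: one hot-cache or one stalled query should not flip the winner between runs.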
flags supported: -TestCount, -SkipApply, -Report (markdown out), -Restore (back to your previous DNS if the new one feels wrong).
the thing i actually learned
the "best DNS" depends way more on your geographic distance to the resolver's anycast nodes than on the brand. mullvad scored surprisingly high for me, probably because their detroit-area peering is good. i would never have guessed that without measuring.
if you run it on your network and get a different winner, that's the point.
repo's MIT, PRs welcome, especially anyone who knows the right way to verify logging policies from a script. https://github.com/TiltedLunar123/DNS-Benchmark