Does using OpenDNS or Google DNS affect anything about security or gaming speed?

49

9

I used to use Google DNS and OpenDNS a long time ago and didn't notice any improvements. I recently heard a security expert say that OpenDNS is the best way for malware protection, but I found out that this feature isn't free.

I saw a gamer saying that Google DNS is faster for regular users and OpenDNS is better for gamers because of lower ping, and all of the bloggers recommend using a DNS service.

My brother noticed that both providers had higher ping on Steam than our default DNS provider, and he read that DNS won't affect Dota 2 on Steam in any way.

I did my tests in incognito mode and flushed DNS after each test; I let speedtest pick the closest DNS. My results are:

[speedtest screenshots: three results, one per DNS provider tested]

All results are similar to, if not worse than, the default DNS. If anything, OpenDNS has the lowest ping, but by a small margin; if I were to repeat the tests, that gap would go away.

Do DNS providers really affect speed, security or gaming? Gaming nowadays is mostly on Steam, so does it affect Steam?

Lynob

Posted 2016-10-03T11:05:37.127

Reputation: 3 254

Your tests are not fair, your Google test is going to a different server and so you are getting different results. For fairness you need to run the tests against the same server each time. – Mokubai – 2016-10-03T11:23:40.413

"But found out that this feature isn't free." - it is as far as I can tell from my use of OpenDNS. You can set its "Security" for "Malware/Botnet Protection" and "Phishing Protection" (they may be on by default), and in the "Web Content Filtering" custom settings you can set it to filter "Adware". – Andrew Morton – 2016-10-03T18:04:23.820

The fact that you are asking this question clearly shows that you have no idea what DNS actually is... DNS comes into play only when you first connect into the game/at the start of a game when the game has to "allocate" a server for your game and tell your computer how to connect to it, but once it's connected you are done and DNS does not come into play in any way during gaming. – Bakuriu – 2016-10-04T11:07:11.823

So long as the game holds the socket open, rather than closing after every transaction. I imagine that if they want to prevent lag, they will. But it's a design decision & we can't know which way they decided. Of course, they could just hard code IP addresses and have no DNS at all. – Mawg says reinstate Monica – 2016-10-04T12:41:09.727

What does DNS have to do with speedtest? o.O – Lightness Races with Monica – 2016-10-05T16:44:40.693

Answers

122

DNS has no effect on ping whatsoever. It is nonsense. DNS provides name resolution services and that is it. Nothing more and nothing less.

Your internet connection does not go through the DNS server, nor would routing through it improve your speed as chances are you will be going through several other connections (potentially on the wrong side of the world) before heading back to where you wanted to go. This does not happen normally anyway.

What Google or OpenDNS might provide you is a slightly faster resolution of names to IP address and possibly some level of protection from known malware domain names.

You might get a quicker initial name resolution, especially if your ISP has a small DNS cache and doesn't see requests for that site often, but after the first request both your server and local machine will cache the request meaning that Google or OpenDNS will be slower if there is a large distance between you and their servers. There will be no improvement to ping tests at all except for possibly the initial lookup.


I've said it in a comment above, but your tests are also not fair for the purposes of your testing. Using speedtest is not relevant for testing DNS and the tests you have run are resolving to different servers with different speeds or locations which will unfairly skew your results. If you want to prove that DNS makes no real difference then you need to be selecting the same server each time.

As to why DNS will make no real difference? It is because it is used in the first half-second of your connection to a server (to resolve a name to an address) and maybe if your cache times out then it will use it again. You might save a fragment of a second in getting the IP address of your game or Steam server, but after that the software will always be taking the direct route to the server and the speed will be the same regardless of DNS server used.


Having a fast DNS server can be good if you are browsing websites that are particularly laden with off-site resources such as social media buttons, advertising images and scripts and other resources which all need their locations resolved. This can be particularly annoying to most users as it appears to be the main site being slow when in reality it is the resolution and download of all the "extra" resources that makes the site slow.

Many people may equate this slow resolution of resources with the site's "ping" being bad, when in actuality the site's ping is perfectly fine. If the site loads faster with the DNS changed then it is your DNS server that is bad, not the site's speed or ping (latency). These are two very different things.

I've made a quick drawing of what (roughly) happens.

enter image description here

For existing connections and if the name is in your local cache you will see no benefit to changing your DNS. If the names are not in your cache then changing the DNS can make a brief improvement at the start of the connection.

Mokubai

Posted 2016-10-03T11:05:37.127

Reputation: 64 434

I remember reading an article somewhere. The speed increase of the name resolution was increased... by the equivalent of 10 seconds over the course of a year. – Keltari – 2016-10-03T11:30:29.547

A whole 10 seconds a year... – Mokubai – 2016-10-03T11:39:10.687

Why do people keep recommending the use of Google DNS or OpenDNS then? Especially Google DNS. – Lynob – 2016-10-03T13:37:03.577

@Lynob Because certain ISPs might have particularly flakey hardware and their DNS servers could be painfully slow, in which case replacing it with another might mean that webpage loading feels faster as the initial "where does this name go to" is improved. For websites with a lot of external links to Facebook and other sites it could actually be an improvement in the short term. Long term though, once you have the addresses resolved there is no overall improvement to the speed of the connection. Effectively people are misreading a long time to resolve a name as being the same as its "ping". – Mokubai – 2016-10-03T14:10:20.103

@Lynob I've updated my answer. Does that help make it clearer? – Mokubai – 2016-10-03T14:45:06.560

@Lynob The other consequence of flaky ISP hardware is that Google's DNS is likely to have much higher uptime. That's probably not as relevant with most ISPs these days, but it used to be that ISP DNS would go down occasionally, and having 8.8.8.8 as the secondary would ensure that your internet didn't 'stop working'. – sapi – 2016-10-04T05:04:07.367

Of course, the purpose of Google DNS isn't to be faster. It's to avoid that annoying "this site doesn't exist, here are some ads" page you get when you typo a URL with some DNS providers. – Kevin – 2016-10-04T15:58:56.080

@Kevin Sorry, the purpose of Google DNS is to gather additional info about user browsing habits and even other services he/she accesses. – Arvo – 2016-10-05T07:07:58.603

@Arvo: You may want to review the privacy policy. – Kevin – 2016-10-05T21:49:09.160

27

Well, other people have pointed out the malware, speed and ping points. I'll talk about the fourth and fifth points, where DNS actually very clearly helps: censorship (and bugs in DNS servers) and privacy.

In my case, changing your DNS server allows you to circumvent the DNS blocks (there are currently 113683 blocked websites in Turkey) and connect to some* blocked websites. Most people here use a DNS on their computers to be able to connect to the popular blocked sites.

About an issue that might affect everyone: there might be issues with the DNS servers, mostly slow speeds, non-100% uptime and some sites not having proper DNS records (as a bug). As the first two are mostly mentioned by other answers, I'll talk about the last. This is actually very rare and can be caused by many reasons; however, this happened to me once and I'll talk briefly about that case. A site was inaccessible using Google DNS but was fine with any other DNS servers; we got the owners to contact Google and the site was working on Google DNS again in a few hours. This is simply an example of how your DNS choice can affect you, even when it doesn't have censorship (or you don't care about your privacy).

Also, your DNS queries can be viewed easily if you get MitM'd or, for example, your company or your ISP is tracking you. While other DNS servers' queries will be visible to them too, most people who use OpenVPN and similar VPN services route DNS queries through the VPN to hide the sites they visit. If you were to use the default DNS' IP address (the one of your ISP or country) in the openvpn config, they'd still be able to see which sites you access, even though you are behind a VPN and route your DNS queries through the VPN.

* Some sites, most notably wikileaks.org, are blocked at IP level and some, most notably i.imgur.com, are blocked at DNS level.

Ave

Posted 2016-10-03T11:05:37.127

Reputation: 523

This was originally a comment but I extended it into an answer. – Ave – 2016-10-03T15:58:07.343

Also, using HTTPS might help when using foreign DNS servers. – David Refoua – 2016-10-05T14:25:38.537

7

@Mokubai's response is fairly correct but glosses over some details:

In general, when you want to test performance of a given traffic flow, you want to ensure that you're testing the same thing. Ping is an ICMP-based traffic-type. DNS primarily uses UDP (though there are scenarios - zone transfers and signed queries/responses - where TCP is used).

Further exacerbating the validity problem of using ICMP as your basis for measuring UDP responses is the fact that ICMP responses are frequently given a lower quality of service (QoS) than TCP and UDP are. This is particularly so for large/busy sites - it makes far more sense for site operators to prioritize the traffic-types that they offer services over while de-prioritizing traffic-types that don't directly support that service. This QoSing will adversely impact not only ping but other diagnostic tools like traceroute.

Not directly relevant to DNS, but still worth being aware of if you're doing long-running, network-oriented tasks (you don't just game for a few minutes, here and there, do you?): it's also not uncommon for ISPs to mess with speed-testing systems. ISPs know that most speed-testing tools only operate for a few tens of seconds to a few minutes (and that most transfers happen within the span of a few minutes). As such, they will tend to implement traffic-shaping algorithms that will make shorter tests not representative of your speeds. That is, flows that are only a few seconds to a few minutes in length will get full bandwidth for the span of the test. If you go to a testing method that's longer-running - say 10+ minutes to a few hours - you may find that your throughput drops over time because one of the links has down-prioritized your traffic.

At any rate, if you want to benchmark DNS, you want to use a tool like dig to do so. dig tests the actual protocols you're interested in and tends to run in a non-caching mode.

ferricoxide

Posted 2016-10-03T11:05:37.127

Reputation: 71

There are scenarios where -- didn't you mean to say TCP here, because it's the exception to the rule that DNS uses UDP? – Ben Voigt – 2016-10-04T15:39:51.343
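The "use dig, and compare the same name against each resolver" advice above, as an added example that is not part of the answer or of any project: a small parser for the statistics trailer `dig` prints (`;; Query time`, `;; SERVER`, the `flags:` line and the ANSWER section), plus a summary that takes the median over repeated runs per resolver and refuses to compare runs that asked for different names. The `dig` outputs embedded here are constructed in dig's real layout rather than captured; the 10.0.0.1 "ISP resolver" and the 203.0.113.x answer address are placeholders, and 208.67.222.222 is assumed to be an OpenDNS address.

```python
import re
import statistics
from dataclasses import dataclass, field


@dataclass
class DigResult:
    server: str            # resolver that answered (";; SERVER:" line)
    name: str              # name asked for (QUESTION section, trailing dot stripped)
    status: str            # NOERROR, NXDOMAIN, SERVFAIL, ...
    query_time_ms: int     # dig's own round-trip measurement for this query
    flags: set = field(default_factory=set)
    answers: list = field(default_factory=list)   # (name, ttl, address) A records

    @property
    def dnssec_validated(self) -> bool:
        # 'ad' (authenticated data) is only set by a validating resolver and only
        # for signed zones; its absence does not by itself mean the answer is bad.
        return "ad" in self.flags


_QUERY_TIME = re.compile(r"^;; Query time: (\d+) msec", re.M)
_SERVER = re.compile(r"^;; SERVER: (\S+?)#\d+", re.M)
_STATUS = re.compile(r"status: ([A-Z]+)")
_FLAGS = re.compile(r"^;; flags: ([a-z ]*);", re.M)
_QUESTION = re.compile(r"^;(\S+)\.\s+IN\s+A\s*$", re.M)
_ANSWER = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\S+)", re.M)


def parse_dig(text: str) -> DigResult:
    """Extract the fields needed for a fair comparison from one dig run."""
    def one(rx, what):
        m = rx.search(text)
        if not m:
            raise ValueError(f"dig output lacks {what}")
        return m.group(1)
    return DigResult(
        server=one(_SERVER, "SERVER line"),
        name=one(_QUESTION, "QUESTION section"),
        status=one(_STATUS, "status"),
        query_time_ms=int(one(_QUERY_TIME, "Query time")),
        flags=set(one(_FLAGS, "flags line").split()),
        answers=[(n, int(ttl), ip) for n, ttl, ip in _ANSWER.findall(text)],
    )


def summarize(outputs):
    """Median query time per resolver; refuses to mix different names."""
    results = [parse_dig(t) for t in outputs]
    names = {r.name for r in results}
    if len(names) != 1:
        raise ValueError(f"not comparable, different names queried: {sorted(names)}")
    by_server = {}
    for r in results:
        by_server.setdefault(r.server, []).append(r.query_time_ms)
    return {s: statistics.median(t) for s, t in by_server.items()}


def ranked(outputs):
    """Resolvers ordered fastest-first by median query time."""
    return sorted(summarize(outputs).items(), key=lambda kv: kv[1])


def _dig_sample(server, ms, flags, name="example.com", ip="203.0.113.10"):
    # Constructed dig output in the real layout; not a captured session.
    return (
        f"; <<>> DiG 9.10.3 <<>> @{server} {name}\n"
        f";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
        f";; flags: {flags}; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        f"\n;; QUESTION SECTION:\n;{name}.\t\t\tIN\tA\n"
        f"\n;; ANSWER SECTION:\n{name}.\t\t300\tIN\tA\t{ip}\n"
        f"\n;; Query time: {ms} msec\n"
        f";; SERVER: {server}#53({server})\n"
        f";; WHEN: Mon Oct 03 12:00:00 UTC 2016\n"
        f";; MSG SIZE  rcvd: 56\n"
    )


SAMPLES = [
    _dig_sample("10.0.0.1", 8, "qr rd ra"),         # ISP resolver (placeholder address)
    _dig_sample("10.0.0.1", 11, "qr rd ra"),
    _dig_sample("8.8.8.8", 23, "qr rd ra ad"),      # Google Public DNS, validating
    _dig_sample("8.8.8.8", 19, "qr rd ra ad"),
    _dig_sample("208.67.222.222", 31, "qr rd ra"),  # OpenDNS (address assumed)
    _dig_sample("208.67.222.222", 35, "qr rd ra"),
]

if __name__ == "__main__":
    for server, ms in ranked(SAMPLES):
        print(f"{server:>16}  median {ms:5.1f} ms")
    print("8.8.8.8 answer DNSSEC-validated (ad flag):", parse_dig(SAMPLES[2]).dnssec_validated)
```

To use it on real runs, feed `summarize()` the text of `dig @<resolver> <name>` executed several times per resolver against the same name; a single run is too noisy to rank anything, which is why the median is taken.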

6

When you visit a domain, be it Google or Steam, your device consults DNS once and keeps the result in cache for a long time (TTL = Time to Live), at least one hour but usually more.

A difference of milliseconds in this single query won't change the latency of an online game.

OpenDNS or Google DNS can determine if a site contains malware, or at least if it's suspicious, and then they can send you to a warning site where you can decide by yourself if you want to connect to the supposedly malicious site.

jcbermu

Posted 2016-10-03T11:05:37.127

Reputation: 15 868

Facebook has a TTL of 5 minutes, Google has a TTL of 5 minutes, bbc.co.uk has a TTL of 5 minutes. I think small sites may indicate that the results can be cached for a long time, but the big sites now don't want to risk being offline if a site is unavailable and DNS is one way of helping with that – Matthew Steeples – 2016-10-03T16:59:49.870

@MatthewSteeples one millisecond long request every five minutes still won't produce any noticeable lag in online games. – cascer1 – 2016-10-06T07:07:31.473

@cascer1 I know, I wasn't contesting the online games bit. Unless your game protocol is seriously wrong then you won't be using any DNS once you're connected (as the connections are persistent). I was just pointing out that the first paragraph is entirely wrong. – Matthew Steeples – 2016-10-06T08:38:57.400
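The point made in this answer and in Mokubai's answer above (the resolver is consulted once per TTL window, not once per packet, so its latency cannot show up as game ping) as an added example, not code from either answer: a stub resolver with a TTL cache in front of an upstream resolver whose latency is set by hand, replayed over a 30-minute session that sends a packet every 50 ms on the open socket, and over a page load that pulls resources from several hosts (the case where a slow resolver is actually felt). All names, addresses (203.0.113.x), TTLs and latencies are constructed.

```python
from collections import namedtuple

Record = namedtuple("Record", "address ttl")


class Upstream:
    """Recursive resolver with a fixed answer latency over a constructed zone."""
    def __init__(self, latency_ms, zone):
        self.latency_ms = latency_ms
        self.zone = zone
        self.queries = 0

    def query(self, name):
        self.queries += 1
        return self.zone[name]


class StubResolver:
    """Client-side cache that honours record TTLs, like the OS resolver cache."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}             # name -> (address, expires_at in seconds)
        self.time_spent_ms = 0      # total time blocked waiting on DNS

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]           # cache hit: no network round trip at all
        rec = self.upstream.query(name)
        self.time_spent_ms += self.upstream.latency_ms
        self.cache[name] = (rec.address, now + rec.ttl)
        return rec.address


def make_stub(latency_ms, ttl, names):
    """Stub resolver over a zone with one constructed A record per name."""
    zone = {n: Record(f"203.0.113.{i + 1}", ttl) for i, n in enumerate(names)}
    return StubResolver(Upstream(latency_ms, zone))


def game_session(stub, name, duration_s=1800, tick_ms=50, reconnect_every_s=None):
    """Connect once, then send a packet every tick on the open socket.
    Returns packets sent, upstream queries made and ms spent waiting on DNS."""
    packets = 0
    addr = stub.resolve(name, now=0.0)                  # the only mandatory lookup
    for t_ms in range(0, duration_s * 1000, tick_ms):
        if reconnect_every_s and t_ms and t_ms % (reconnect_every_s * 1000) == 0:
            addr = stub.resolve(name, now=t_ms / 1000)  # a fresh connect asks again
        packets += 1                                    # sent to addr; DNS not involved
    return {"packets": packets, "dns_queries": stub.upstream.queries,
            "dns_ms": stub.time_spent_ms, "address": addr}


def page_load_dns_ms(stub, hosts, now=0.0):
    """Milliseconds a page load spends on DNS: one upstream lookup per distinct
    uncached host on the first visit, none for a reload within the TTL."""
    before = stub.time_spent_ms
    for h in hosts:
        stub.resolve(h, now)
    return stub.time_spent_ms - before


GAME = "play.example.com"                               # constructed name
PAGE_HOSTS = ["www.example.com", "cdn.example.net", "social.example.org",
              "ads.example.net", "metrics.example.org"]  # constructed names

if __name__ == "__main__":
    for latency in (20, 200):                           # fast vs. slow resolver
        r = game_session(make_stub(latency, ttl=3600, names=[GAME]), GAME)
        print(f"{latency:3d} ms resolver: {r['packets']} packets, "
              f"{r['dns_queries']} DNS query, {r['dns_ms']} ms on DNS in 30 min")
        stub = make_stub(latency, ttl=300, names=PAGE_HOSTS)
        first = page_load_dns_ms(stub, PAGE_HOSTS)
        again = page_load_dns_ms(stub, PAGE_HOSTS, now=60.0)
        print(f"{latency:3d} ms resolver: first page load {first} ms on DNS, "
              f"reload a minute later {again} ms")
```

With a 3600 s TTL the 36,000 packets of the session cost exactly one upstream query, so a resolver ten times slower adds 180 ms once, not per packet; with the 300 s TTL mentioned in the comments and a client that reconnects every five minutes it is still only six queries in half an hour. The page-load case is where the resolver's latency is felt: five uncached hosts cost five lookups on the first visit and nothing on a reload inside the TTL.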

6

Once the IP has been resolved, you do not need DNS for connections to the same host (as long as the IP is cached on your system, of course). I believe that speedtest.net only needs DNS when you start the test to resolve the IP of the testing server, after that you ping the server without needing DNS. As such, DNS does not have any influence over the actual connection speed.

I think your speedtest results are within a margin of error of each other, the higher ping on the Google DNS test is probably caused by the fact that you ran the test to another server than your other two tests.

The way OpenDNS protects you against malware is by not resolving known malware domains. It still won't protect you from malware when you can resolve the domain to the IP.

I don't think DNS has any noticeable effect when gaming. The only time you need it is to resolve the IP of a server where you connect using a domain (something like play.example.com), after that most games use the IP to talk to the server directly, circumventing DNS.

cascer1

Posted 2016-10-03T11:05:37.127

Reputation: 1 762

3

I doubt DNS will protect against malware. The only thing OpenDNS can do is stop malware links from resolving, because that is the only thing DNS can do: it resolves a name to an IP address.

The only possible explanation is that one DNS server is closer to you, hence resulting in lower ping. But once it is resolved it will be cached on your system, meaning it's only a one-time resolution. I also noticed you picked different servers each time you checked your ping. All in all, DNS will not affect your speed.

Dylan Rz

Posted 2016-10-03T11:05:37.127

Reputation: 658

So should I stick to opendns or use the default one? – Lynob – 2016-10-03T11:17:23.553

@Lynob That is really up to you. I use google myself. But as I said it doesn't matter whatsoever. – Dylan Rz – 2016-10-03T11:18:05.543

Another thing to consider is the privacy concerns; whoever is resolving your addresses for you can see the sites you are visiting (if you care). – djsmiley2k TMW – 2016-10-03T11:20:10.280

@Bergi Omg I typed it the other way around my bad. – Dylan Rz – 2016-10-05T12:19:46.177

3

There are certainly more secure ways to configure DNS servers than others. Not all DNS servers support DNSSEC properly, for example, or take other proactive steps to be resistant to DNS-related security vulnerabilities, which Google takes extremely seriously.

On the speed side, with all due respect to the other answers, although in theory DNS should have nothing to do with speed, in practice it can have quite a significant, albeit indirect effect. Misconfigured ISP DNS servers are way too common, whether out of incompetence or poor business practices.

If a deprovisioned machine is kept in cache too long, you might be wasting bandwidth trying to connect to a machine that's no longer there. If a service provider spins up new servers to handle peak demand, but your DNS cache isn't caught up, you may not be able to use those new servers that are closer to you or less busy. If your DNS cache is for the west coast and you live on the east coast, your packets might be going cross country for no reason.

At one point, my Netflix and Hulu streaming was so bad during prime time that I considered canceling. Turns out all I needed to do was change my DNS provider.

That being said, the other answers are right for the most part. If your ping is already pretty good, changing DNS is unlikely to make a difference. My issues were that I would do a Wireshark capture and my Netflix packets were suddenly deciding to come from the other side of the continent, or 50% of my packets were being lost, or something like that. Not minor things like my ping being marginally slower.

Karl Bielefeldt

Posted 2016-10-03T11:05:37.127

Reputation: 1 050

This answer deserves better visibility. Switching my DNS from my ISP (CenturyLink Fiber) to Google DNS solved some serious Netflix/Hulu streaming issues for me as well. Picking the right server to communicate with is very important and Google seems to do a much better job. – Nick Farina – 2018-07-26T17:45:19.490