
DNS

This test measures the time taken to resolve a DNS query against a target DNS server, over UDP, DNS-over-HTTPS or DNS-over-TLS. The test can be configured with the following:

  • The hostname to resolve
  • The query type ('A', 'AAAA', 'NS', 'CNAME', 'MX', 'TXT', 'PTR')
  • An optional query class (typically 'IN')
  • An optional IP transport to use (IPv4, IPv6 or automatic)
  • An optional DNS server to use (can be specified manually, otherwise the DNS server supplied by DHCP will be used)
  • An optional DNS-over-HTTPS endpoint to make the query against
  • An optional DNS-over-TLS endpoint to make the query against
  • An optional timeout in seconds (defaults to 3 seconds)
  • An optional number of retransmissions when timeouts occur (defaults to 3)

The test will place a recursive DNS query (with the RD bit set) to the DNS server specified. The typical deployment configuration for this test involves querying one or more common hostnames, such as google.com and facebook.com, which increases the likelihood of the DNS server already having these items in its cache.

Whilst the test can be forced to target specific DNS servers, the most common deployment model is to let the DNS client determine its recursive resolver automatically from DHCP. This can lead to issues when users have configured custom DNS servers, overriding the ISP-provided defaults, but this is typically only seen on a very small fraction of users. Moreover, the DNS server that was used for the query is captured in the results, so such cases can be filtered out afterwards if desired.

The DNS test supports carrying out measurements using the DNS-over-HTTPS standard (commonly abbreviated to "DoH"). This has been validated against the public DoH resolvers from Google and Cloudflare. When carrying out a measurement over DoH, the DNS resolution time recorded is taken from the point that the HTTP/2 request is sent to the DoH resolver to the point the reply is received (i.e. the DoH connection is established first; this is not recorded as part of the DNS resolution time, but it is recorded separately).

DNS over TLS (DoT) is another supported lookup mechanism. It wraps DNS queries and answers in the Transport Layer Security (TLS) protocol. It is also supported by Google and Cloudflare. As with DoH, server connection establishment and lookup time are measured separately.

A timeout of 3 seconds is applied to the DNS queries. Any tests that do not receive a response within this time, or receive a failed response (such as NXDOMAIN or SERVFAIL response codes) will be marked as failed. When no response is received, retransmissions may occur for a configurable number of attempts, defaulting to 3 attempts. Additionally, if DoH is in use and the client cannot connect to the DoH resolver for any reason, then the test will also be marked as a failure.
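The UDP query and the failure rules described above, as an added example that is not SamKnows code. The function names are hypothetical, and it assumes one initial send plus up to the configured number of retransmissions, timing taken from the most recent send, and a reply with a mismatched transaction ID counted as a failure.

```python
import secrets, socket, struct, time

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
# Constructed sample: header-only reply, ID 0x1234, QR+RD+RA set, RCODE 3.
SAMPLE_NXDOMAIN = bytes.fromhex("123481830001000000000000")

def build_query(hostname, qtype="A", qclass=1, txid=None):
    """Encode a single-question query with the RD (recursion desired) bit set."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = hostname.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", QTYPES[qtype], qclass)

def classify(response, txid):
    """Return (ok, reason); any non-zero RCODE (NXDOMAIN, SERVFAIL, ...) is a failure."""
    if len(response) < 12:
        return False, "short response"
    rid, flags, _qd, an = struct.unpack("!HHHH", response[:8])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit says "query"
        return False, "not a reply to this query"
    rcode = flags & 0x000F
    if rcode:
        return False, RCODES.get(rcode, f"RCODE{rcode}")
    return True, f"NOERROR, {an} answer record(s)"

def timed_lookup(server, hostname, qtype="A", timeout=3.0, retransmissions=3):
    """Query over UDP, retransmitting on timeout; return (ok, reason, elapsed_ms)."""
    txid, packet = build_query(hostname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # connected socket: replies from other hosts are dropped
        for _ in range(1 + retransmissions):
            start = time.perf_counter()
            try:
                s.send(packet)
                data = s.recv(4096)
            except socket.timeout:
                continue  # no response within the timeout: retransmit
            except OSError as exc:
                return False, f"socket error: {exc}", None
            ok, reason = classify(data, txid)
            return ok, reason, (time.perf_counter() - start) * 1000
    return False, "timeout", None

if __name__ == "__main__":
    print(classify(SAMPLE_NXDOMAIN, 0x1234))
```
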

The DNS resolution test records the following values:

  • A success/failure status, and a failure reason if applicable.
  • The DNS resolution time (if successful). Note that this excludes DoH/DoT setup time, if the query is made over DoH/DoT.
  • The resolved record (e.g. an IPv4 address if the query was for an A record).
  • The DoH server hostname resolution time, TCP connection time and SSL handshake time.

Example

When Facebook went down for 6 hours in 2021, it created a ripple effect: hundreds of millions, if not billions, of people trying to reach the offline sites caused a massive spike in DNS queries. The impact of that increased load can be seen clearly in the chart, where SamKnows data shows major sites such as Google, the BBC and YouTube were taking much longer to resolve DNS queries than normal. Read more about it in our Spotlight article - Just How Fragile is the Internet?

Chart showing a huge spike in global DNS resolution time caused by a Facebook outage