Date post: 05-Apr-2018
Category: Documents
Upload: boris-shaulov
7/31/2019 GRC freeware how to for DNS BENCHMARKING
DNS Benchmark
Features & Operation Walkthrough
Familiarizing yourself with GRC's DNS Benchmark.

You can't optimize it until you can measure it

Our DNS Benchmark utility has been designed, as we design everything, so that the average user can just jump in without reading the manual and pretty much figure it all out for themselves. That is, after all, the whole point and wonderful benefit of a graphical user interface (GUI). So if you are willing to just read the text presented on the benchmark's various tabbed pages (for example, please be sure to read the Introduction tab's text just once, and be sure to read the Conclusions tab after the Benchmark is finished), you can probably safely ignore the rest of these web pages.

On the other hand . . . if you have some time to invest, and your goal is to seriously adopt this powerful tool as a component of your permanent bag of tricks, there are sufficient subtleties and extras hidden inside this quite comprehensive application that taking some time to make sure you haven't missed anything important might be time well spent.

And, besides . . . you're already here!

Two Notes About Terminology:

DNS resolving nameservers (the things this utility tests, characterizes, and benchmarks) are commonly referred to as DNS servers, DNS nameservers, or DNS resolvers, sometimes without the DNS prefix. These pages will continue this flexible practice, choosing whichever name seems to flow best in the context. So, when we refer to a DNS server, a nameserver, or a resolver, we always mean the same thing: an Internet DNS resolving nameserver that responds to and answers DNS queries at a given IP address.

System and Public Nameservers:
Throughout these pages, and throughout the DNS Benchmark, we use the term System nameserver to mean any DNS server that is currently configured for use by the local system upon which the Benchmark is being run. We use the term Public to refer to all other nameservers that are not currently configured for use by the local system.

We also sometimes refer to the system's configured nameservers as local or locally configured nameservers because they are configured for use by the local machine, even though this usage can be imprecise since such a local nameserver would usually be located remotely.

The Four Primary Tabs
Page 1 of 16 GRC's | DNS Benchmark - Features & Operation Walkthrough
8/11/2012 http://www.grc.com/dns/operation.htm
The entire contents of the Introduction tab should be read top to bottom just once. For example, it admonishes the benchmark's user (that's you) not to run DNS benchmarking operations while your network is busy doing anything else . . . such as downloading a large file. While it can be instructive to do this to see how things perform under stress, you at least need to be aware that your results will be significantly different than when the Benchmark is used on an idle network. As an example, the benchmark's measurement of apparent reliability will almost certainly be quite erroneous (and worrisome) on a network that is busy enough to be dropping some percentage of Internet packets. That won't be the remote DNS server's fault. But the benchmark has no way of knowing why packets were dropped, only that some were. Knowing why is up to you. For other similarly important points, you should read the Introduction tab's contents at least once.

The Nameserver tab is where most of the action and excitement happens. The largest portion of this page will be devoted to describing the many features of this tab, and of its four sub-tabs, in quite some detail.

While the benchmark is running, and after it has finished, the Response Time sub-tab on the Nameserver tab provides a real-time bar chart depicting each tested DNS server's performance and reliability characteristics. All of that data is derived from a statistical database that is being continually updated, analyzed, and displayed in summary form on this Tabular Data tab. The Response Time chart gives you a pretty picture, but the Tabular Data tab provides you with the raw data from which the Response Time chart is created (and additional information as well). All timing values are in seconds, so the three decimal digits of precision provide resolution of milliseconds (thousandths of a second).

During the course of the benchmarking, a surprising amount of information is collected and assembled by this program. This includes details about the environment's current network configuration, how the currently configured DNS servers are performing, and how they compare with publicly available alternatives. These various detailed and interacting facts are distilled into a single coherent series of conclusions which are summarized and presented in a clear action oriented style on the Conclusions tab. As much fun as the Response Time tab is to watch while the benchmark is running, it's the Conclusions tab that most users wind up finding most useful once the Benchmark is finished.

POWER USER TIP: You can quickly start and stop the benchmark by clicking on the red GRC G logo at any time. Rather than needing to select the Nameservers tab in order to reveal the Run Benchmark button, you can simply click the red G logo at any time to perform the same function.

Inside the Nameserver Tab

(Note that the specific data shown above will differ for each user.)

The main Nameservers tab contains the four sub-tabs shown above (Name, Owner, Status and Response Time). The IP address and status indicators in the first two columns are always present, whereas the four sub-tabs determine the contents of the chart's third display column.

The Nameserver IP List (shown to the left) occupies the first of the chart's three columns. This column lists every DNS resolving nameserver currently configured for benchmarking. The list's contents can be altered by the command line during application start-up, by using System Menu options, or with the Add/Remove dialog that is presented by clicking on the Add/Remove UI button located directly above the list. Right-clicking the mouse within the list will also provide a menu of options for managing the current list of nameservers to be benchmarked.

Unless altered by a command-line option, at start-up the list will initially be filled with the application's internal list of possibly-useful publicly available alternative DNS nameservers, as well as with all of the nameservers currently configured for use by the system. Any changes made to the system's configured nameservers will be immediately reflected in the list.

The Add/Remove Nameservers Dialog

The Add/Remove button (above the nameserver IP list) displays the Edit DNS Server IPs dialog box shown to the left. It contains the following features and functions. Although their operation should probably be clear, some important terms and definitions, explained here, will appear throughout:

Enter the IP to Add or Remove
Once a valid nameserver IP address has been entered into the text field, the existing list of nameservers will be checked. If the IP already exists in the list, the Remove button will be enabled so that the existing resolver can be removed from the list. If the entered IP does not yet exist in the list, the Add button will be enabled so that this resolver IP can be added to the list.

Add System's Nameservers
This button immediately adds the nameservers that are currently configured for use by this system to the list of nameservers being benchmarked. Note that this is automatically done at the start-up of the Benchmark unless it is inhibited by a command-line parameter. Therefore, this button can be used at any time to restore the system nameservers, which may have been removed by any means, to the benchmarking list.

Add Default Nameservers
The Benchmark contains a default built-in internal list of generally useful publicly available DNS resolving nameservers. This list is updated from time to time in new Benchmark versions, as needed, to keep the Benchmark's built-in list current, relevant and most useful. The list is designed so that any of them might be worth considering as alternatives or additions for your system or network gateway. This button immediately adds all of these nameservers to the Benchmark's list. Note that as with the System resolvers, all of these built-in nameservers are added to the Benchmark's list, by default, at start-up.

Add .INI file Nameservers
Personal lists of additional nameservers can be created for addition or removal to and from the Benchmark's server list. This button prompts for the selection of a file containing a list of nameservers to be added to the Benchmark's current list. See the system menu and command-line pages for information about the file's simple IP list format.

Remove System's Nameservers
As you can certainly guess, this button performs the reverse function of the Add System's Nameservers button: It removes any of the system's currently configured nameservers from the Benchmark's IP server list.

Remove Default Nameservers
While this button does remove any of the built-in default nameserver IPs from the benchmarking list, it does not remove any that are also currently in use by the system. So if, for example, the system was configured to use the OpenDNS nameservers that also occur in the Benchmark's built-in list, this will not remove those from the list.

Remove .INI file Nameservers
Given an IP list occurring in a file provided by the user, this removes any nameservers occurring in the list that are not also system nameservers.

Remove All Nameservers
This quickly removes all DNS nameservers from the benchmark's list. This is useful if you wish to only benchmark a few specific nameservers or prior to loading another .INI file.

Save Nameservers to .INI File
The list of nameservers currently appearing in the Benchmark's list is written to a file whose name is provided by the user. This will be a simple list of IP addresses followed by the nameserver's reverse DNS (rDNS) domain name, if any, one per line. For documentation purposes, comments of any kind may later be added after each line's IP address. (Only the initial IP address is significant on each line.)

Remove X Dead Nameservers
It may be that some of the nameservers in the application's built-in list will be dead in one way or another, colored red, and not benchmarked. This button, when enabled, will show how many dead nameservers are present (16 in the screen sample above) and will remove them from the active nameserver list when clicked.

Remove Redirecting Nameservers
Redirecting nameservers are those that do not return errors when asked to look up an invalid domain name. Instead, they redirect a web browser to another, often commercial marketing, page. Since many experienced users object to such behavior, the Benchmark identifies and colors these ORANGE (see below) and also offers to delete them all from the benchmark with a single click of this button.

Rebuild Custom List
The custom Fastest 50 nameserver list can be built or rebuilt at any time by clicking this button.

The Sort Fastest First option determines whether the nameserver IP list is presented in numerical or best-performance-first order. The option remains unchecked and disabled until the first performance-measuring benchmark has been started, after which it is enabled and checked by default so that the fastest nameservers are always sorted to the top of the list. You may then uncheck and check this box to switch back and forth between IP and fastest-first sorting at any time.

The second column of colored dots, donuts, circles and arcs provides a quick and comprehensive visual indication of the status of each respective DNS nameserver. Although the various configurations will likely be a bit overwhelming at first, once you get the hang of them you'll find that they provide a convenient summary of each resolver's important characteristics.

Regardless of its color, a filled-in dot indicates that the server is currently being used by the system and a hollow (donut) indicates that the server is not currently being used by the system.

In the two-line sample above, the first line has a filled-in dot meaning that the nameserver at this IP is currently configured for use. The text is also bold and the entire line has a black outline. The second line, with the hollow (donut), is not bold and has no outline because it is not currently being used by this system.

As for the colors of the INNER dots and donuts . . .

As you might expect, GREEN is good, whereas RED and ORANGE are not good in different ways:

A green server is online, working, responding to DNS queries, and not misbehaving in any of the several ways the Benchmark detects and determines. Note that the benchmark is unable to detect and determine whether a server is using anti-spoofing countermeasures since those, if present, are visible on the other side of a DNS server, in its subsequent queries out onto the Internet (not in its replies to a querying client). However, GRC has that covered as well with our DNS Spoofability system which is able to make that determination for you.

A server is given a red colored dot or donut when it simply refuses to reply to queries. In other words, the server is dead from the standpoint of being a useful resolver of DNS queries (which is what you really care about here). It might be that, depending upon your location or Internet Service Provider (ISP), some of the generally available public nameservers may be inaccessible to your computer, thus rendering them effectively dead, even though they might be accessible to other users elsewhere on the Internet.

You will definitely want to be certain that if anything is red, it is a hollow donut of red! A filled-in red dot would mean that one of the nameservers your system is currently configured to use is not replying to DNS queries . . . and NOTHING will slow down a system's Internet access more than waiting for a non-responsive nameserver to answer DNS queries.

Note that you can get the red out by right clicking the mouse anywhere in the server listing and selecting Remove X dead nameservers from the pop-up menu (where 'X' will be replaced by the number of currently dead resolvers).

Orange colored servers may be somewhat less desirable to use depending upon your feelings about the handling of typos and nonexistent domain names: The Benchmark colors a nameserver orange when it does not return an error in response to a query for a non-existent domain name. DNS nameservers are supposed to simply return a Not Found error to indicate that the requested domain name does not exist. But ISPs and third-party DNS service providers are adopting a new revenue-enhancing trick: Instead of returning an error, they redirect the user's browser to their own marketing-related search page. This gives them a way of being helpful and of generating some additional marketing and advertising revenue from your typos or bad links by causing you to confront a page you didn't ask for and probably don't want.

Many people (especially Internet purists) find this sort of thing quite annoying, so the Benchmark tests for it so that you will be informed. The good news is that people have been annoyed enough to induce most ISPs and providers who do this to offer the option of turning off this redirection. If your ISP, or a DNS provider you are using, is doing this, you might wish to explore how to turn off the DNS redirection. Once that is done, you can quickly use this Benchmark to verify that your system's DNS nameservers are all in the green and are neither red nor orange.

And as for the OUTER circles and arcs . . .

The outer circle of the resolver status icon shows what, if any, DNS rebinding attack protection the corresponding nameserver provides to its querying clients. DNS rebinding attacks utilize DNS to fool a browser's scripting security into believing that local resources, such as the user's own computer or router, are located in the same web domain as the script's source. When this occurs, the browser's Same Origin Policy protection is bypassed, giving scripts unrestricted access to the local resource. This allows scripts to do bad things such as change LAN router settings or access any resources and computers on the LAN. (That's not good.)

Security conscious DNS nameservers are able to help block these attacks simply by never returning IP addresses that fall within the ranges of IP addresses commonly used with private LAN networks behind a router or the Localhost IP of 127.0.0.1 which computers use to refer to themselves.

GRC's DNS Benchmark tests each nameserver to determine whether it blocks (filters) the return of these reserved private IP addresses in both IPv4 and IPv6 formats. At the time of this feature's release, only the OpenDNS nameservers can be configured to do this, and then only for IPv4; IPv6 versions of these queries are still able to sneak through. Since there is never any reason to return a private IP address from a public DNS request, all nameservers should block the return of private IP addresses. Hopefully, more will in the future.

As shown in the nearby diagram, the outer circle is divided into four quadrants with each quadrant associated with an IP address in non-routable private networks:

An EMPTY arc (see the 127.0.0.1 IP in the sample diagram) indicates that no filtering is provided by the nameserver for the associated network IP.

A BLUE arc (see the 192 and 10 network IPs in the sample diagram) indicates that filtering is provided for either the IPv4 or IPv6 style address, but not both, by the nameserver for the associated network IP.

A GREEN arc (see the 172 network IP in the sample diagram) indicates that filtering is provided for both the IPv4 and IPv6 style address by the nameserver for the associated network IP.

The best possible protection is therefore represented by a full, unbroken, green outer ring signifying that all four network IP ranges are being blocked in both IPv4 and IPv6 formats. While no nameservers are providing this protection at the time of this new feature's release, it is our hope that, with time, many nameservers will be updated to do so. No new programming is required to provide this feature. It is simply a matter of updating the nameserver's configuration file.

Temporary thin black arcs, as shown in the sample to the left, are presented while the detection of each nameserver's rebinding protection is underway. If rebinding protection is proven not to be present, the temporary arc will be removed. If either partial or full (both IPv4 and IPv6) protection is confirmed, the temporary black arc will be permanently replaced by either a thick green or blue arc for each network range.
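
The quadrant colouring described above can be reproduced offline. The following Python is an added example, not GRC's code: it assumes the "IPv6 style" private address is the IPv4-mapped form (::ffff:a.b.c.d), and make_resolver, PROBES and SAMPLE_BLOCKED are hypothetical stand-ins for a nameserver under test and its probe answers. filter_answers shows the resolver-side policy of never returning addresses in the four ranges.

```python
import ipaddress

# The four loopback/private networks that the icon's quadrants stand for.
QUADRANTS = {
    "127": ipaddress.ip_network("127.0.0.0/8"),
    "10": ipaddress.ip_network("10.0.0.0/8"),
    "172": ipaddress.ip_network("172.16.0.0/12"),
    "192": ipaddress.ip_network("192.168.0.0/16"),
}

# Constructed probe answers: what an unfiltered resolver would return for test
# names that point into each network, as A and AAAA records.
PROBES = {
    "127": {"A": "127.0.0.1", "AAAA": "::ffff:127.0.0.1"},
    "10": {"A": "10.0.0.1", "AAAA": "::ffff:10.0.0.1"},
    "172": {"A": "172.16.0.1", "AAAA": "::ffff:172.16.0.1"},
    "192": {"A": "192.168.0.1", "AAAA": "::ffff:192.168.0.1"},
}


def quadrant_of(address):
    """Return the quadrant an answer address falls in, or None if it lies
    outside all four networks.

    Assumption: an "IPv6 style" address is the IPv4-mapped form of the same
    IPv4 address, so it is unwrapped before the range check.
    """
    addr = ipaddress.ip_address(address)
    if addr.version == 6:
        addr = addr.ipv4_mapped  # None unless the address is ::ffff:a.b.c.d
        if addr is None:
            return None
    for name, network in QUADRANTS.items():
        if addr in network:
            return name
    return None


def filter_answers(addresses):
    """Resolver-side policy: split answer addresses into (kept, dropped)."""
    kept, dropped = [], []
    for address in addresses:
        (dropped if quadrant_of(address) else kept).append(address)
    return kept, dropped


def make_resolver(blocked):
    """Hypothetical nameserver under test: it applies filter_answers only to
    the (quadrant, record type) pairs listed in `blocked`."""
    def resolve(quadrant, family):
        answers = [PROBES[quadrant][family]]
        if (quadrant, family) in blocked:
            answers, _ = filter_answers(answers)
        return answers
    return resolve


def arc_colors(resolve):
    """Probe all four networks in both formats and colour each quadrant."""
    colors = {}
    for quadrant in PROBES:
        filtered = 0
        for family in ("A", "AAAA"):
            answers = resolve(quadrant, family)
            # The format counts as filtered only if no private address leaked.
            if not any(quadrant_of(a) == quadrant for a in answers):
                filtered += 1
        colors[quadrant] = ("EMPTY", "BLUE", "GREEN")[filtered]
    return colors


# Constructed policy that reproduces the sample diagram: nothing filtered for
# 127, IPv4 only for 10 and 192, both formats for 172.
SAMPLE_BLOCKED = {("10", "A"), ("192", "A"), ("172", "A"), ("172", "AAAA")}

if __name__ == "__main__":
    for quadrant, color in arc_colors(make_resolver(SAMPLE_BLOCKED)).items():
        print(quadrant, color)
```
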

NOTE: If you would like to learn more about the consequences and prevention of DNS Rebinding attacks, this was the topic of our Security Now! podcast #260. During that episode, Leo and I explained the problem and discussed all of the details of this at some length. The whole story is available for download in two .mp3 audio sizes and three styles of textual transcripts.

[Diagram: sample status icon with outer-circle quadrants labeled 127.0.0.1, 192.168.0.1, 10.0.0.1 and 172.16.0.1]

The First Three Nameserver Sub-Tabs
(The Response Time tab is so brimming with features, goodies, details, tips & tricks, that it requires an entire section all to itself. So we'll look at that one last.)

If you think about it, you'll realize that a DNS Name is an odd thing for a DNS server, itself, to have. Why? Because until you have a DNS server to perform DNS lookups you wouldn't have any way of using the name to look up the DNS server's IP address (and, come to think of it, if you could look up the DNS server's address, then you wouldn't need to, since you'd apparently already have DNS services). So, of course, that's why we configure DNS nameservers by their IP addresses, because until we have the IP address(es) of DNS servers we have no way of looking up any DNS names.

However, it is convenient for network engineers to give names to the servers they manage. And it often turns out that the names given by engineers reveal additional interesting information about the server: what country they're in, the domain name of their owner, their geographic location, their hierarchy in a ranking (primary, secondary, etc.) and all sorts of other possibly-interesting tidbits. So, naturally, the Name page of the DNS Benchmark brings this information to you, when it exists, to give you whatever information may be conveyed. More often than not, it's useful to know, and it might help with any decision you might make about whether or not to use a particular DNS resolver for your own DNS lookups.

A freely available Internet database, provided by senderbase.org, can be used to look up the owners of IP addresses and Internet address ranges. Although the information is not guaranteed to be complete, nor even completely accurate, it generally is, and it's free. Like the reverse DNS name for servers, shown on the Name tab, we provided it to offer an at-a-glance reference to the DNS servers used by the Benchmark.

When the DNS Benchmark is started using its built-in list of nameservers, or whenever a nameserver IP is added to the benchmarking list, the Benchmark issues a series of DNS queries to verify the server's availability and operational condition. As a result of this probing, the Status tab's display will list each server's status, as follows:

Determining nameserver characteristics...
All nameservers start off with this status. The Benchmark sends each server a series of specially formed queries to determine and characterize various aspects of each server's operation that would or could be important to anyone considering using the server for their own DNS resolution. Once that process has been completed the status will change to one of the alternatives below:

DNS services are available and working
When all is well with a DNS server, this is the status that will be shown, and most of the resolvers in the Benchmark's list will have this status. In order to obtain this status, none of the many other behaviors (shown below) can have been detected . . .

Resolves queries and authenticates security
Test DNSSEC Authentication is an option located on the application's System Menu. It is disabled by default (not checked) because some DNS servers completely collapse and fail when a DNSSEC-enabled query is presented to them. That's not good, of course, and it might be good to know. Even more important for a benchmark is the fact that asking a nameserver to perform DNSSEC authentication can require additional time, thus affecting the Benchmark's performance-measuring results. Since DNS Security (DNSSEC) is still more the exception than the rule on the Internet, we decided to leave it disabled by default, but also to definitely make it available.

When this option is enabled, the Benchmark will generate DNSSEC-formatted queries. Some servers will slow down, others will collapse and fail to reply. Both results are interesting and important. After you change the option you will be prompted and advised to Re-Verify Internet Connectivity to cause the Benchmark to re-characterize all nameservers under the new DNSSEC setting.

Nameserver never replies to bad domains
During our testing of nameserver behavior when deliberately confronted with an erroneous, undefined domain name (see the three Bad Domain name... statuses below), we discovered that some resolvers never replied at all to erroneous names. This really isn't what you want, since a typo entered into a web browser will appear to hang while waiting for a reply from such a misbehaving nameserver. So this status advises you that this could happen if you were to depend upon such a resolver.

Bad domain names are intercepted by provider
This is one of the three status notifications (with the next two below) that would cause the "Orange" coloration of the server status that was described above. This is a notification that erroneous domain name queries do not return an error; they redirect the user's browser to an intercept page of some sort. This is typically used for marketing and revenue generation by those providing the DNS services. It is only a problem if the idea bothers you, and most providers offer some means of disabling this bad domain name interception.

Bad COM domains are intercepted by provider
Providing a further refinement on the status directly above, some DNS servers will redirect erroneous queries to any domain name, and some only to selected types of names. This status indicates that erroneous non-dot COM domain names are not redirected, but erroneous dot COM domain names are.

Bad WEB domains are intercepted by provider
As one further refinement on erroneous domain name interception, the Benchmark checks whether erroneous world wide web domain names (beginning with www.) are intercepted, whereas erroneous domains not beginning with www. are not. If only www. names are intercepted, this final status (of the three) will be returned.

DNS queries are not being answered here
If, after many tries, the IP in question never replies in any way to any test DNS queries, its status will finally switch to this. The chart line will also be colored RED, since this server is certainly unsuitable for use as a DNS server from your location. Note that some ISP's DNS servers are configured for access ONLY from within their own network, by their own customers. So it's entirely possible, for example, for someone to give you the IP address of their blazingly fast DNS server, but for it to be inaccessible to you. (And it's also possible for it to be fast for them mostly because it's near to them on the Internet. That means that even if you could access their particular DNS nameserver, it might not be fast for you anyway.) And, finally, this is also what you would receive if the IP were entered incorrectly and the Benchmark was sending queries to a dead IP address, or one where no IP-resolving DNS server was present.

DNS queries are being actively rejected
It is possible for a DNS server to actively refuse to answer a DNS query. One of the many error codes that can be returned is Query Refused. This error is typically returned when a DNS server exists at the IP being queried, but is configured to only permit use of its services from a certain subset of the Internet's IPs, such as those belonging to an ISP's customers.

DNS lookup is not offered by this server
Another variation of a DNS server which is not available or useful for performing DNS lookups is one that does not offer recursion. Recursion is the term used to mean that the server will, after receiving a query from a client, venture out onto the Internet on behalf of that client to look up and find the entire answer. But not all DNS resolvers will do this. Some nameservers will only tell you about the domains they are configured to know about. They won't go out and do any lookup work on a client's behalf. Therefore, if the Benchmark detects such a server, it will flag it with this status, mark it red, and not bother benchmarking it, since it's of no use to you.

Nameserver returned invalid replies
During our extensive development testing of this Benchmark, we discovered nameservers that are simply broken in one way or another. Some return the Server Error error condition to report that they know they're broken. Others apparently attempt to reply but their replies are invalid in significant ways. So, for whatever the reason, if the replies aren't valid, the Benchmark makes sure you know with this status.
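
The status lines above follow from a few fields in the DNS reply header. The following Python is an added example, not GRC's code: the decision order, the three bad-name probe keys ("plain", "com", "www") and the single shared query ID are assumptions, and the reply packets are constructed headers rather than captured traffic.

```python
import struct

NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5  # RCODE values (RFC 1035)


def parse_header(packet):
    """Decode the fixed 12-byte DNS header of a reply."""
    if len(packet) < 12:
        raise ValueError("reply is shorter than a DNS header")
    ident, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", packet[:12])
    return {
        "id": ident,
        "qr": flags >> 15,        # 1 marks a response
        "ra": (flags >> 7) & 1,   # 1 means recursion is available
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def make_reply(ident, rcode, ra=1, ancount=0):
    """Build a constructed reply header (QR=1, RD=1) to use as sample input."""
    flags = 0x8000 | 0x0100 | (ra << 7) | rcode
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


def is_intercepted(reply, query_id):
    """A nonexistent name is intercepted when the reply claims success and
    carries answers instead of reporting that the name was not found."""
    if reply is None:
        return False
    try:
        header = parse_header(reply)
    except ValueError:
        return False
    return (header["id"] == query_id and header["rcode"] == NOERROR
            and header["ancount"] > 0)


def classify(query_id, good, bad):
    """Map probe replies to one of the status lines listed above.

    good: reply bytes for a name that exists, or None on timeout.
    bad:  replies for three nonexistent names, keyed "plain" (not .com and
          no www. prefix), "com" and "www"; None marks a timeout.
    """
    if good is None:
        return "DNS queries are not being answered here"
    try:
        header = parse_header(good)
    except ValueError:
        return "Nameserver returned invalid replies"
    # A reply that is not a response, answers a different query, or reports
    # Server Error is treated as invalid.
    if (not header["qr"] or header["id"] != query_id
            or header["rcode"] == SERVFAIL):
        return "Nameserver returned invalid replies"
    if header["rcode"] == REFUSED:
        return "DNS queries are being actively rejected"
    if not header["ra"]:
        return "DNS lookup is not offered by this server"
    if all(reply is None for reply in bad.values()):
        return "Nameserver never replies to bad domains"
    if is_intercepted(bad["plain"], query_id):
        return "Bad domain names are intercepted by provider"
    if is_intercepted(bad["com"], query_id):
        return "Bad COM domains are intercepted by provider"
    if is_intercepted(bad["www"], query_id):
        return "Bad WEB domains are intercepted by provider"
    return "DNS services are available and working"


# Constructed sample replies; QID is an arbitrary query ID.
QID = 0x1A2B
NX = make_reply(QID, NXDOMAIN)
OK = make_reply(QID, NOERROR, ancount=1)
ALL_NX = {"plain": NX, "com": NX, "www": NX}
SAMPLES = {
    "healthy": (OK, ALL_NX),
    "redirects .com typos": (OK, {"plain": NX, "com": OK, "www": NX}),
    "closed to outsiders": (make_reply(QID, REFUSED), ALL_NX),
    "no recursion": (make_reply(QID, NOERROR, ra=0), ALL_NX),
    "hangs on typos": (OK, {"plain": None, "com": None, "www": None}),
}


def classify_samples():
    """Classify every constructed sample and return {sample name: status}."""
    return {name: classify(QID, good, bad)
            for name, (good, bad) in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in classify_samples().items():
        print(f"{name}: {status}")
```
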
The Response Time Sub-Tab:
The Response Time sub-tab contains the benchmark's dynamic performance bar chart which graphically summarizes each DNS server's performance. The primary features of the chart are detailed in the following annotated diagram:
Bargraph Scaling: As noted in the annotated bargraph schematic above, the bargraph's scale is dynamically set during the benchmark's operation. This will have the effect of causing all bar lengths to rescale proportionally as the measured performance of the slowest nameserver is scaled to keep its longest bar within the bargraph's extent. As the bargraph's bars are resized, the underlying scale will follow the changes so that you can always relate the bar sizes to their time-delay value.

Although automatic scaling is normally what you'll want, there are times when you may wish to override the bargraph's automatic accommodation of the slowest nameserver (having the longest bar). For example, if you wished to compare bargraphs generated from different runs of the Benchmark, having them scaled identically would make a side-by-side comparison much easier. An option available on the application's System Menu, and also by right-clicking on the bargraph and selecting from the pop-up menu, will produce the small dialog box shown above-left. With it you can force any bargraph resolution you wish for the bargraph currently being displayed.

Power-User Tip: Some users prefer always locking the bargraph's scaling to a fixed value, like 300 milliseconds full scale. If you hold down either of the keyboard's SHIFT keys while you click the Set Fixed Scale button, the scale you set will be saved into the system's registry and automatically remembered and used by the Benchmark every time it is run in the future. You may remove that sticky setting by holding down either SHIFT key when clicking on Set Auto Scaling.

What is DNS Caching and Why Does it Matter?

The process of resolving a DNS query differs greatly depending upon whether or not the DNS nameserver being queried already knows the answer. One of the most important aspects of the Domain Name System (DNS) is the concept of local caching of slowly expiring information. By maintaining a cache (a local
up (and the cache thus needs to be refreshed), the client's local resolver must venture out onto
the Internet to query other DNS nameservers for one or more pieces of information required to
assemble the client's answer. Not surprisingly, this can take significantly more time than simply
retrieving the non-expired answer from the resolver's own local cache storage.

It's quite possible for your ISP to provide a local DNS resolver that is able to reply almost
instantly to queries for data it has recently cached. But that same resolver could have a very slow
or overloaded & congested connection to the Internet. That would cause it to be painfully slow
whenever it needs to assemble an answer to a query it doesn't already have in its local cache. If
your Internet wanderings tend to take you off the beaten path, to domains less travelled, you could
find yourself waiting a lot longer for a poorly-connected DNS resolver to obtain those IP addresses
for you (since other users of the same DNS resolver would not have already asked for the IPs of the
same domain names).

This DNS Benchmark separately measures and displays the time required by each DNS resolver to reach
out onto the Internet and obtain an answer that's not already in its cache.

The GREEN BAR shows the performance of each DNS resolver when it is forced to ask other Internet
nameservers governing popular domains such as Google, Yahoo, YouTube, Live, Facebook, MSN, MySpace,
etc. for their site's IP addresses.

Sorting by Green: This uncached measure of performance is important enough that you might wish to
view the entire DNS server list sorted by fastest uncached performance first, rather than fastest
cached performance. Options in the Benchmark's System Menu allow the sort order to be changed at will.

PURPLE BAR = Dot Com Domain Name Lookup:
In order for a DNS resolver to query the nameservers for the most popular domains such as Google,
Yahoo, and others, the resolver must first know the IP addresses of those nameservers. That
information is looked up by asking the Dot Com nameservers for the IP addresses of the domain
nameservers. As you might imagine, speedy and efficient access to the Dot Com nameservers is
critically important too, since everything else depends upon it.

The PURPLE BAR shows the performance of each DNS resolver's queries when they are forced to go
directly to the Dot Com nameservers for the resolution of a lookup request for a dot COM domain name.

Simplify the bargraph by showing only cached results:
Interesting as the (green and purple bar) uncached results are, as mentioned above, we believe that
the cached results are the most important. To reflect that, and to allow for a simplification of the
bargraph presentation, the Show Uncached option may be unchecked to remove the two uncached (green
and purple) bars and to rescale the chart as appropriate.

Left and Right Clicking on the Bargraph

Discoverable Power-User Features

The overriding goal for the design of this and all of GRC's software is, first and foremost, for
the software to be truly easy to use. In the case of this Benchmark, you can just start it up and
click on the red GRC G logo, and you're running and watching the results. But there's also much
more . . .

We want the software to be useful to a wide range of users, casual and committed alike. So we have
incorporated a carefully selected set of power-user features that are entirely optional. It is not
necessary to know about them, understand them or ever use them. But they will serve to give the
product much more depth and range of application.

To accomplish this secondary goal we have made many powerful features discoverable by the
inquisitive user. Just poke around, try things, and you'll find hidden goodies (all of which we
will reveal on these pages.) Click on the System Menu at the application's far upper left, or
right-click on the bargraph, and you'll see what we mean. There's a huge amount of additional power
and capability that you don't need to worry about, but which can turn the Benchmark into a true
power-user's tool.

LEFT-Click and Drag to inspect the bargraph's exact timing values:

Although the bargraph provides an instantaneous visual display comparison, it doesn't show the
underlying values. The Tabular Data tab does show these exact values, but that requires switching
away from the graphical display. Left-clicking and dragging the mouse around the bargraph display
will pop-up and display a tracking inspector (see the sample at the left) which will show the exact
performance values of the bars for the server underneath the inspector.

Note that the pop-up inspector also serves to remind you what the three color bars represent. Also
note that the pop-up inspector will operate upon any of the four sub-tabs of the Nameservers tab.

RIGHT-Click and release to display a menu of power-user features:

Remove this nameserver
This provides a quick and direct way of removing a single nameserver. Just right-click on the
nameserver you wish to remove and select Remove this nameserver. You could open the Add/Remove
dialog and manually enter the IP address to remove, but this is much faster.

Remove X dead nameservers
It may be that some of the nameservers in the application's built-in list will be dead in one way
or another, colored red, and therefore not benchmarked. This menu item, when enabled, will show how
many dead nameservers are present (16 in the screen sample here) and will remove them when selected.

Remove slower nameservers
This provides a fast means for dropping any nameservers which are slower than the nameserver
clicked upon. This could be useful for re-testing with fewer nameservers, which will be faster.
Slower is determined by the current sort choice, cached or uncached, which is also shown and
selectable near the bottom of this menu.

Copy nameserver's IP
This quickly copies the IP of the nameserver clicked on to the system's clipboard in textual
format. It could then be pasted into a note or other application.

Set Graph Scale: XXX msec/auto
This menu item shows both the current full-scale timing value (220 milliseconds (msec) in the
sample above) and the current scaling mode, auto or fixed (manual). If this item is selected the
Set Bargraph Scale dialog box mentioned above will be presented.

Export last results to CSV file
Once a benchmark test has been run, a spreadsheet of fully detailed results (containing more detail
than any other benchmark view) can be exported in CSV (Comma Separated Value) format. The DNS
Benchmark's CSV exportation is fully language localized. It will export using the proper field and
numeric separators for the system's locale. This fixed-format file can be imported into
spreadsheets or processed by automated tools.

Copy All as Image to Clipboard
A graphic bitmap image of the current sub-tab (Name, Owner, Status or Response Time), of the entire
benchmark server list, will be copied to the system's clipboard for subsequent pasting into any
other graphic-capable application, document, or whatever. Note that this has the same function as
the Copy button at the bottom-left of the Benchmark's window.

Save All as Image to File
This saves the same graphic image as the Copy option above, to a graphic file in either
(uncompressed) Windows BMP or universal (compressed) PNG format. The PNG format file will be much
smaller.

Sort by Cached Performance
Shows the current sorting choice and, when selected, sorts by cached performance first, uncached
performance second, and dotcom performance third.

Sort by Uncached Performance
Shows the current sorting choice and, when selected, sorts by uncached performance first, cached
performance second, and dotcom performance third.

Test DNSSEC Authentication
DNSSEC is the DNS SECurity standard for securely (cryptographically) authenticating DNS data within
the domain name system to prevent alteration and forgery. Since producing DNSSEC replies takes
additional computation time (for the cryptography), benchmarking this aspect of a DNS server's
performance can be crucial. However, at the time of this Benchmark's release, a surprising number
of publicly available resolvers catastrophically fail when presented with valid DNSSEC-enabled
queries. Therefore, the Benchmark's use of DNSSEC is disabled by default. This option enables the
Benchmark's use of DNSSEC.

After changing this setting you will be prompted and advised to re-characterize the nameservers
under the new DNSSEC setting by re-verifying Internet connectivity.
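
The following is an added example, not GRC's code and not taken from the Benchmark, showing what makes a query "DNSSEC-enabled" on the wire and how the outcomes mentioned above can be told apart. It assumes the standard signalling (an EDNS0 OPT record with the DO bit set), since this page does not describe the Benchmark's own query format; the function names and sample replies are constructed for illustration.

```python
import struct

DO_BIT = 0x8000  # "DNSSEC OK" flag carried in the OPT record's TTL field
RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid, dnssec=False):
    """Build an A/IN query; dnssec=True appends an EDNS0 OPT record with DO set."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if dnssec else 0)  # RD=1
    packet = header + encode_name(name) + struct.pack("!HH", 1, 1)
    if dnssec:
        # OPT pseudo-record: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE / version / flags, RDLENGTH 0
        packet += b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT, 0)
    return packet

def classify_reply(reply, qid):
    """Summarise a resolver's handling of a query; reply=None means it timed out."""
    if reply is None:
        return "no reply"
    if len(reply) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != qid or not flags & 0x8000:   # wrong ID or QR bit clear
        return "unrelated packet"
    rcode = flags & 0x000F
    if rcode:
        return RCODES.get(rcode, "RCODE %d" % rcode)
    if flags & 0x0200:                     # TC: answer did not fit in UDP
        return "truncated"
    return "answered, AD set" if flags & 0x0020 else "answered, AD clear"

def sample_reply(qid, flags):
    """Constructed 12-byte reply header, standing in for a captured packet."""
    return struct.pack("!6H", qid, flags, 1, 0, 0, 0)

# Constructed outcomes a DNSSEC characterisation pass has to tell apart
SAMPLES = {
    "silent drop": None,
    "rejects EDNS": sample_reply(0x1234, 0x8181),    # QR|RD|RA, RCODE 1
    "validating": sample_reply(0x1234, 0x81A0),      # QR|RD|RA|AD
    "non-validating": sample_reply(0x1234, 0x8180),  # QR|RD|RA
}

if __name__ == "__main__":
    print(build_query("example.com", 0x1234, dnssec=True).hex())
    for label, reply in SAMPLES.items():
        print(label, "->", classify_reply(reply, 0x1234))
```

A resolver that returns "no reply" or FORMERR only when `dnssec=True` is the kind that should be re-characterized with DNSSEC disabled before its timings are compared with others.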

What next?

Most likely, this is the only page you really need to read. Once you have read through the content
above, you'll have a very good idea of what the Benchmark does, how it works, and how to use it.

If you're a casual user, just remember to check out the all-important Conclusions tab/page once the
benchmark has completed. It will go a long way towards interpreting your results and help to keep
you from missing anything important.

Additional System Menu Options:

You should also briefly familiarize yourself with the application's System Menu. Just click on the
application's icon in the upper-left corner of the window the next time it's running. You'll find
that most of its features duplicate those you already know because they are also available either
on the Add/Remove nameservers dialog, or on the Nameserver's tab right-click menu. But you should be
aware of their existence.

Using the Command-Line:

Power-users who wish to alter the application's default start-up behavior or who are interested in
automating the entire DNS Benchmarking process, should also see the Command-Line Operation
Reference page.

The additional pages, whose links are below, provide further detail and background that may be
useful depending upon your needs:
1 DNS Benchmark Introduction
2 Features & Operation Walkthrough
3 System Menu Options & Commands
4 Command-Line Operation Reference
5 Building a Custom Nameserver List
6 DNS Benchmark Resource Files
7 Configuring your DNS Nameservers
8 Benchmark Questions & Answers
9 DNS Benchmark Version History
10 Running GRC Apps under WINE
11 DNS Spoofability Test Introduction
12 Please Send Us Your Feedback

Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are
Copyright (c) 2012 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other
indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA,
USA. GRC's web and customer privacy policy.
Last Edit: Oct 02, 2010 at 12:33 (678.87 days ago) Viewed 46 times per day