
GRC freeware how to for DNS BENCHMARKING

Date post: 05-Apr-2018
Upload: boris-shaulov
  • 7/31/2019 GRC freeware how to for DNS BENCHMARKING


    DNS Benchmark

    Features & Operation Walkthrough
    Familiarizing yourself with GRC's DNS Benchmark.

    You can't optimize it until you can measure it

    Our DNS Benchmark utility has been designed, as we design everything, so that the average user can just jump in without reading the manual and pretty much figure it all out for themselves. That is, after all, the whole point and wonderful benefit of a graphical user interface (GUI). So if you are willing to just read the text presented on the benchmark's various tabbed pages (for example, please be sure to read the Introduction tab's text just once and be sure to read the Conclusions tab after the Benchmark is finished), you can probably safely ignore the rest of these webpages.

    On the other hand . . . if you have some time to invest, and your goal is to seriously adopt this powerful tool as a component of your permanent bag of tricks, there are sufficient subtleties and extras hidden inside this quite comprehensive application that taking some time to make sure you haven't missed anything important might be time well spent.

    And, besides . . . you're already here!

    Two Notes About Terminology:

    DNS resolving nameservers (the things this utility tests, characterizes, and benchmarks) are commonly referred to as DNS servers, DNS nameservers, or DNS resolvers, sometimes without the DNS prefix. These pages will continue this flexible practice, choosing whichever name seems to flow best in the context. So, when we refer to a DNS server, a nameserver, or a resolver, we always mean the same thing: an Internet DNS resolving nameserver that responds to and answers DNS queries at a given IP address.

    System and Public Nameservers:

    Throughout these pages, and throughout the DNS Benchmark, we use the term System nameserver to mean any DNS server that is currently configured for use by the local system upon which the Benchmark is being run. We use the term Public to refer to all other nameservers that are not currently configured for use by the local system.

    We also sometimes refer to the system's configured nameservers as local or locally configured nameservers because they are configured for use by the local machine, even though this usage can be imprecise since such a local nameserver would usually be located remotely.

    The Four Primary Tabs

    GRC's | DNS Benchmark - Features & Operation Walkthrough
    8/11/2012 http://www.grc.com/dns/operation.htm


    The entire contents of the Introduction tab should be read top to bottom just once. For example, it admonishes the benchmark's user (that's you) not to run DNS benchmarking operations while your network is busy doing anything else . . . such as downloading a large file. While it can be instructive to do this to see how things perform under stress, you at least need to be aware that your results will be significantly different than when the Benchmark is used on an idle network. As an example, the benchmark's measurement of apparent reliability will almost certainly be quite erroneous (and worrisome) on a network that is busy enough to be dropping some percentage of Internet packets. That won't be the remote DNS server's fault. But the benchmark has no way of knowing why packets were dropped, only that some were. Knowing why is up to you. For other similarly important points, you should read the Introduction tab's contents at least once.

    The Nameserver tab is where most of the action and excitement happens. The largest portion of this page will be devoted to describing the many features of this tab, and of its four sub-tabs, in quite some detail.

    While the benchmark is running, and after it has finished, the Response Time sub-tab on the Nameserver tab provides a real-time bar chart depicting each tested DNS server's performance and reliability characteristics. All of that data is derived from a statistical database that is being continually updated, analyzed, and displayed in summary form on this Tabular Data tab. The Response Time chart gives you a pretty picture, but the Tabular Data tab provides you with the raw data from which the Response Time chart is created (and additional information as well). All timing values are in seconds, so the three decimal digits of precision provide resolution of milliseconds (thousandths of a second).

    During the course of the benchmarking, a surprising amount of information is collected and assembled by this program. This includes details about the environment's current network configuration, how the currently configured DNS servers are performing, and how they compare with publicly available alternatives. These various detailed and interacting facts are distilled into a single coherent series of conclusions which are summarized and presented in a clear action oriented style on the Conclusions tab. As much fun as the Response Time tab is to watch while the benchmark is running, it's the Conclusions tab that most users wind up finding most useful once the Benchmark is finished.

    POWER USER TIP: You can quickly start and stop the benchmark by clicking on the red GRC G logo at any time. Rather than needing to select the Nameservers tab in order to reveal the Run Benchmark button, you can simply click the red G logo at any time to perform the same function.

    Inside the Nameserver Tab

    (Note that the specific data shown above will differ for each user.)

    The main Nameservers tab contains the four sub-tabs shown above (Name, Owner, Status and Response Time). The IP address and status indicators in the first two columns are always present, whereas the four sub-tabs determine the contents of the chart's third display column.

    The Nameserver IP List (shown to the left) occupies the first of the chart's three columns. This column lists every DNS resolving nameserver currently configured for benchmarking. The list's contents can be altered by the command line during application start-up, by using System Menu options, or with the Add/Remove dialog that is presented by clicking on the Add/Remove UI button located directly above the list. Right-clicking the mouse within the list will also provide a menu of options for managing the current list of nameservers to be benchmarked.

    Unless altered by a command-line option, at start-up the list will initially be filled with the application's internal list of possibly-useful publicly available alternative DNS nameservers, as well as with all of the nameservers currently configured for use by the system. Any changes made to the system's configured nameservers will be immediately reflected in the list.

    The Add/Remove Nameservers Dialog

    The Add/Remove button (above the nameserver IP list) displays the Edit DNS Server IPs dialog box shown to the left. It contains the following features and functions. Although their operation should probably be clear, some important terms and definitions, explained here, will appear throughout:

    Enter the IP to Add or Remove
    Once a valid nameserver IP address has been entered into the text field, the existing list of nameservers will be checked. If the IP already exists in the list, the Remove button will be enabled so that the existing resolver can be removed from the list. If the entered IP does not yet exist in the list, the Add button will be enabled so that this resolver IP can be added to the list.

    Add System's Nameservers
    This button immediately adds the nameservers that are currently configured for use by this system to the list of nameservers being benchmarked. Note that this is automatically done at the start-up of the Benchmark unless it is inhibited by a command-line parameter. Therefore, this button can be used at any time to restore the system nameservers, which may have been removed by any means, to the benchmarking list.

    Add Default Nameservers
    The Benchmark contains a default built-in internal list of generally useful publicly available DNS resolving nameservers. This list is updated from time to time in new Benchmark versions, as needed, to keep the Benchmark's built-in list current, relevant and most useful. The list is designed so that any of them might be worth considering as alternatives or additions for your system or network gateway. This button immediately adds all of these nameservers to the Benchmark's list. Note that as with the System resolvers, all of these built-in nameservers are added to the Benchmark's list, by default, at start-up.

    Add .INI file Nameservers
    Personal lists of additional nameservers can be created for addition or removal to and from the Benchmark's server list. This button prompts for the selection of a file containing a list of nameservers to be added to the Benchmark's current list. See the system menu and command-line pages for information about the file's simple IP list format.

    Remove System's Nameservers
    As you can certainly guess, this button performs the reverse function of the Add System's Nameservers button: It removes any of the system's currently configured nameservers from the Benchmark's IP server list.

    Remove Default Nameservers
    While this button does remove any of the built-in default nameserver IPs from the benchmarking list, it does not remove any that are also currently in use by the system. So if, for example, the system was configured to use the OpenDNS nameservers that also occur in the Benchmark's built-in list, this will not remove those from the list.

    Remove .INI file Nameservers
    Given an IP list occurring in a file provided by the user, this removes any nameservers occurring in the list that are not also system nameservers.

    Remove All Nameservers
    This quickly removes all DNS nameservers from the benchmark's list. This is useful if you wish to only benchmark a few specific nameservers or prior to loading another .INI file.

    Save Nameservers to .INI File
    The list of nameservers currently appearing in the Benchmark's list is written to a file whose name is provided by the user. This will be a simple list of IP addresses followed by the nameserver's reverse DNS (rDNS) domain name, if any, one per line. For documentation purposes, comments of any kind may later be added after each line's IP address. (Only the initial IP address is significant on each line.)

    Remove X Dead Nameservers
    It may be that some of the nameservers in the application's built-in list will be dead in one way or another, colored red, and not benchmarked. This button, when enabled, will show how many dead nameservers are present (16 in the screen sample above) and will remove them from the active nameserver list when clicked.

    Remove Redirecting Nameservers
    Redirecting nameservers are those that do not return errors when asked to look up an invalid domain name. Instead, they redirect a web browser to another, often commercial marketing, page. Since many experienced users object to such behavior, the Benchmark identifies and colors these ORANGE (see below) and also offers to delete them all from the benchmark with a single click of this button.

    Rebuild Custom List
    The custom Fastest 50 nameserver list can be built or rebuilt at any time by clicking this button.

    The Sort Fastest First option determines whether the nameserver IP list is presented in numerical or best-performance-first order. The option remains unchecked and disabled until the first performance-measuring benchmark has been started, after which it is enabled and checked by default so that the fastest nameservers are always sorted to the top of the list. You may then uncheck and check this box to switch back and forth between IP and fastest-first sorting at any time.

    The second column of colored dots, donuts, circles and arcs provides a quick and comprehensive visual indication of the status of each respective DNS nameserver. Although the various configurations will likely be a bit overwhelming at first, once you get the hang of them you'll find that they provide a convenient summary of each resolver's important characteristics.

    Regardless of its color, a filled-in dot indicates that the server is currently being used by the system and a hollow (donut) indicates that the server is not currently being used by the system.

    In the two-line sample above, the first line has a filled-in dot meaning that the nameserver at this IP is currently configured for use. The text is also bold and the entire line has a black outline. The second line, with the hollow (donut), is not bold and has no outline because it is not currently being used by this system.

    As for the colors of the INNER dots and donuts . . .

    As you might expect, GREEN is good, whereas RED and ORANGE are not good in different ways:

    A green server is online, working, responding to DNS queries, and not misbehaving in any of the several ways the Benchmark detects and determines. Note that the benchmark is unable to detect and determine whether a server is using anti-spoofing countermeasures since those, if present, are visible on the other side of a DNS server, in its subsequent queries out onto the Internet (not in its replies to a querying client). However, GRC has that covered as well with our DNS Spoofability system which is able to make that determination for you.

    A server is given a red colored dot or donut when it simply refuses to reply to queries. In other words, the server is dead from the standpoint of being a useful resolver of DNS queries (which is what you really care about here). It might be that, depending upon your location or Internet Service Provider (ISP), some of the generally available public nameservers may be inaccessible to your computer, thus rendering them effectively dead, even though they might be accessible to other users elsewhere on the Internet.

    You will definitely want to be certain that if anything is red, it is a hollow donut of red! A filled-in red dot would mean that one of the nameservers your system is currently configured to use is not replying to DNS queries . . . and NOTHING will slow down a system's Internet access more than waiting for a non-responsive nameserver to answer DNS queries.

    Note that you can get the red out by right clicking the mouse anywhere in the server listing and selecting Remove X dead nameservers from the pop-up menu (where 'X' will be replaced by the number of currently dead resolvers).

    Orange colored servers may be somewhat less desirable to use depending upon your feelings about the handling of typos and nonexistent domain names: The Benchmark colors a nameserver orange when it does not return an error in response to a query for a non-existent domain name. DNS nameservers are supposed to simply return a Not Found error to indicate that the requested domain name does not exist. But ISPs and third-party DNS service providers are adopting a new revenue-enhancing trick: Instead of returning an error, they redirect the user's browser to their own marketing-related search page. This gives them a way of being helpful and of generating some additional marketing and advertising revenue from your typos or bad links by causing you to confront a page you didn't ask for and probably don't want.

    Many people (especially Internet purists) find this sort of thing quite annoying, so the Benchmark tests for it so that you will be informed. The good news is that people have been annoyed enough to induce most ISPs and providers who do this to offer the option of turning off this redirection. If your ISP, or a DNS provider you are using, is doing this, you might wish to explore how to turn off the DNS redirection. Once that is done, you can quickly use this Benchmark to verify that your system's DNS nameservers are all in the green and are neither red nor orange.

    And as for the OUTER circles and arcs . . .

    The outer circle of the resolver status icon shows what, if any, DNS rebinding attack protection the corresponding nameserver provides to its querying clients.

    DNS rebinding attacks utilize DNS to fool a browser's scripting security into believing that local resources, such as the user's own computer or router, are located in the same web domain as the script's source. When this occurs, the browser's Same Origin Policy protection is bypassed, giving scripts unrestricted access to the local resource. This allows scripts to do bad things such as change LAN router settings or access any resources and computers on the LAN. (That's not good.)

    Security conscious DNS nameservers are able to help block these attacks simply by never returning IP addresses that fall within the ranges of IP addresses commonly used with private LAN networks behind a router or the Localhost IP of 127.0.0.1 which computers use to refer to themselves.

    GRC's DNS Benchmark tests each nameserver to determine whether it blocks (filters) the return of these reserved private IP addresses in both IPv4 and IPv6 formats. At the time of this feature's release, only the OpenDNS nameservers can be configured to do this, and then only for IPv4; IPv6 versions of these queries are still able to sneak through. Since there is never any reason to return a private IP address from a public DNS request, all nameservers should block the return of private IP addresses. Hopefully, more will in the future.

    As shown in the nearby diagram, the outer circle is divided into four quadrants with each quadrant associated with an IP address in non-routable private networks:

    An EMPTY arc (see the 127.0.0.1 IP in the sample diagram) indicates that no filtering is provided by the nameserver for the associated network IP.

    A BLUE arc (see the 192 and 10 network IPs in the sample diagram) indicates that filtering is provided for either the IPv4 or IPv6 style address, but not both, by the nameserver for the associated network IP.

    A GREEN arc (see the 172 network IP in the sample diagram) indicates that filtering is provided for both the IPv4 and IPv6 style addresses by the nameserver for the associated network IP.

    The best possible protection is therefore represented by a full, unbroken, green outer ring signifying that all four network IP ranges are being blocked in both IPv4 and IPv6 formats. While no nameservers are providing this protection at the time of this new feature's release, it is our hope that, with time, many nameservers will be updated to do so. No new programming is required to provide this feature. It is simply a matter of updating the nameserver's configuration file.

    Temporary thin black arcs, as shown in the sample to the left, are presented while the detection of each nameserver's rebinding protection is underway. If rebinding protection is proven not to be present the temporary arc will be removed. If either partial or full (both IPv4 and IPv6) protection is confirmed, the temporary black arc will be permanently replaced by either a thick green or blue arc for each network range.

    NOTE: If you would like to learn more about the consequences and prevention of DNS Rebinding attacks, this was the topic of our Security Now! podcast #260. During that episode, Leo and I explained the problem and discussed all of the details of this at some length. The whole story is available for download in two .mp3 audio sizes and three styles of textual transcripts.

    [Diagram: status ring with its four quadrants labeled 127.0.0.1, 192.168.0.1, 10.0.0.1 and 172.16.0.1]
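
The filtering rule and the arc colours described above, as an added example (not GRC's code and not any resolver's actual configuration). It assumes that the "IPv6 style" of a private address is its IPv4-mapped form (`::ffff:a.b.c.d`); the function names and the policy sets are hypothetical.

```python
import ipaddress

# One reserved IPv4 network per quadrant of the outer status ring, paired
# with the probe address the page's diagram shows for that quadrant.
QUADRANTS = {
    "127": (ipaddress.ip_network("127.0.0.0/8"), "127.0.0.1"),
    "10": (ipaddress.ip_network("10.0.0.0/8"), "10.0.0.1"),
    "172": (ipaddress.ip_network("172.16.0.0/12"), "172.16.0.1"),
    "192": (ipaddress.ip_network("192.168.0.0/16"), "192.168.0.1"),
}


def quadrant_of(addr):
    """Return (quadrant, ip_version) for a reserved address, else None.

    Assumption: an IPv6 answer counts as private only when it is the
    IPv4-mapped form of an address in one of the four networks above.
    """
    ip = ipaddress.ip_address(addr)
    version = ip.version
    if version == 6:
        ip = ip.ipv4_mapped          # None unless the address is ::ffff:a.b.c.d
        if ip is None:
            return None
    for name, (net, _probe) in QUADRANTS.items():
        if ip in net:
            return name, version
    return None


def filter_answers(addrs, blocked):
    """Resolver-side rebinding filter.

    `blocked` is a set of (quadrant, ip_version) pairs the resolver refuses
    to hand to clients; every other address passes through unchanged.
    """
    return [a for a in addrs if quadrant_of(a) not in blocked]


def policy_resolver(blocked):
    """Wrap a policy as a callable: upstream answers in, client answers out."""
    return lambda addrs: filter_answers(addrs, blocked)


def ring(resolver):
    """Colour each quadrant from what the resolver lets through.

    Both forms filtered -> GREEN, exactly one -> BLUE, none -> EMPTY.
    """
    arcs = {}
    for name, (_net, probe) in QUADRANTS.items():
        candidates = [probe, "::ffff:" + probe]
        filtered = len(candidates) - len(resolver(candidates))
        arcs[name] = ("EMPTY", "BLUE", "GREEN")[filtered]
    return arcs


# Constructed policies for illustration.
NO_FILTER = set()
IPV4_ONLY = {(q, 4) for q in QUADRANTS}
FULL = {(q, v) for q in QUADRANTS for v in (4, 6)}
# Reproduces the sample ring described above: 127 empty, 192 and 10 blue, 172 green.
DIAGRAM = {("192", 4), ("10", 4), ("172", 4), ("172", 6)}

if __name__ == "__main__":
    for label, policy in [("none", NO_FILTER), ("IPv4 only", IPV4_ONLY),
                          ("full", FULL), ("diagram", DIAGRAM)]:
        print(label, ring(policy_resolver(policy)))
```

A full green ring corresponds to the `FULL` policy; the IPv4-only policy leaves every quadrant blue because the mapped IPv6 form still passes.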

    The First Three Nameserver Sub-Tabs

    (The Response Time tab is so brimming with features, goodies, details, tips & tricks, that it requires an entire section all to itself. So we'll look at that one last.)

    If you think about it, you'll realize that a DNS Name is an odd thing for a DNS server, itself, to have. Why? Because until you have a DNS server to perform DNS lookups you wouldn't have any way of using the name to look up the DNS server's IP address (and, come to think of it, if you could look up the DNS server's address, then you wouldn't need to, since you'd apparently already have DNS services.) So, of course, that's why we configure DNS nameservers by their IP addresses, because until we have the IP address(es) of DNS servers we have no way of looking up any DNS names.

    However, it is convenient for network engineers to give names to the servers they manage. And it often turns out that the names given by engineers reveal additional interesting information about the server: what country they're in, the domain name of their owner, their geographic location, their hierarchy in a ranking (primary, secondary, etc.) and all sorts of other possibly-interesting tidbits. So, naturally, the Name page of the DNS Benchmark brings this information to you, when it exists, to give you whatever information may be conveyed. More often than not, it's useful to know, and it might help with any decision you might make about whether or not to use a particular DNS resolver for your own DNS lookups.

    A freely available Internet database, provided by senderbase.org, can be used to look up the owners of IP addresses and Internet address ranges. Although the information is not guaranteed to be complete, nor even completely accurate, it generally is, and it's free. Like the reverse DNS name for servers, shown on the Name tab, we provided it to offer an at a glance reference to the DNS servers used by the Benchmark.

    When the DNS Benchmark is started using its built-in list of nameservers, or whenever a nameserver IP is added to the benchmarking list, the Benchmark issues a series of DNS queries to verify the server's availability and operational condition. As a result of this probing, the Status tab's display will list each server's status, as follows:

    Determining nameserver characteristics...

    All nameservers start off with this status. The Benchmark sends each server a series of specially formed queries to determine and characterize various aspects of each server's operation that would or could be important to anyone considering using the server for their own DNS resolution. Once that process has been completed the status will change to one of the alternatives below:

    DNS services are available and working

    When all is well with a DNS server, this is the status that will be shown and most of the resolvers in the Benchmark's list will have this status. In order to obtain this status, none of the many other behaviors (shown below) can have been detected . . .


    Resolves queries and authenticates security

    Test DNSSEC Authentication is an option located on the application's System Menu. It is disabled by default (not checked) because some DNS servers completely collapse and fail when a DNSSEC-enabled query is presented to them. That's not good, of course, and it might be good to know. Even more important for a benchmark is the fact that asking a nameserver to perform DNSSEC authentication can require additional time, thus affecting the Benchmark's performance-measuring results. Since DNS Security (DNSSEC) is still more the exception than the rule on the Internet, we decided to leave it disabled by default, but also to definitely make it available.

    When this option is enabled, the Benchmark will generate DNSSEC-formatted queries. Some servers will slow down, others will collapse and fail to reply. Both results are interesting and important. After you change the option you will be prompted and advised to Re-Verify Internet Connectivity to cause the Benchmark to re-characterize all nameservers under the new DNSSEC setting.

    Nameserver never replies to bad domains

    During our testing of nameserver behavior when deliberately confronted with an erroneous, undefined domain name (see the three Bad Domain name... statuses below), we discovered that some resolvers never replied at all to erroneous names. This really isn't what you want, since a typo entered into a web browser will appear to hang while waiting for a reply from such a misbehaving nameserver. So this status advises you that this could happen if you were to depend upon such a resolver.

    Bad domain names are intercepted by provider

    This is one of the three status notifications (with the next two below) that would cause the "Orange" coloration of the server status that was described above. This is a notification that erroneous domain name queries do not return an error; they redirect the user's browser to an intercept page of some sort. This is typically used for marketing and revenue generation by those providing the DNS services. It is only a problem if the idea bothers you, and most providers offer some means of disabling this bad domain name interception.

    Bad COM domains are intercepted by provider

    Providing a further refinement on the status directly above, some DNS servers will redirect erroneous queries to any domain name, and some only to selected types of names. This status indicates that erroneous non-dot COM domain names are not redirected, but erroneous dot COM domain names are.

    Bad WEB domains are intercepted by provider

    As one further refinement on erroneous domain name interception, the Benchmark checks whether erroneous world wide web domain names (beginning with www.) are intercepted, whereas erroneous domains not beginning with www. are not. If only www. names are intercepted, this final status (of the three) will be returned.

    DNS queries are not being answered here

    If, after many tries, the IP in question never replies in any way to any test DNS queries, its status will finally switch to this. The chart line will also be colored RED, since this server is certainly unsuitable for use as a DNS server from your location. Note that some ISPs' DNS servers are configured for access ONLY from within their own network, by their own customers. So it's entirely possible, for example, for someone to give you the IP address of their blazingly fast DNS server, but for it to be inaccessible to you. (And it's also possible for it to be fast for them mostly because it's near to them on the Internet. That means that even if you could access their particular DNS nameserver, it might not be fast for you anyway.)

    And, finally, this is also what you would receive if the IP were entered incorrectly and the Benchmark was sending queries to a dead IP address, or one where no IP-resolving DNS server was present.

    DNS queries are being actively rejected

    It is possible for a DNS server to actively refuse to answer a DNS query. One of the many error codes that can be returned is Query Refused. This error is typically returned when a DNS server exists at the IP being queried, but is configured to only permit use of its services from a certain subset of the Internet's IPs, such as those belonging to an ISP's customers.

    DNS lookup is not offered by this server

    Another variation of a DNS server which is not available or useful for performing DNS lookups is one that does not offer recursion. Recursion is the term used to mean that the server will, after receiving a query from a client, venture out onto the Internet on behalf of that client to look up and find the entire answer. But not all DNS resolvers will do this. Some nameservers will only tell you about the domains they are configured to know about. They won't go out and do any lookup work on a client's behalf. Therefore, if the Benchmark detects such a server, it will flag it with this status, mark it red, and not bother benchmarking it, since it's of no use to you.

    Nameserver returned invalid replies

    During our extensive development testing of this Benchmark, we discovered nameservers that are simply broken in one way or another. Some return the Server Error error condition to report that they know they're broken. Others apparently attempt to reply but their replies are invalid in significant ways. So, for whatever the reason, if the replies aren't valid, the Benchmark makes sure you know with this status.
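
How the status lines above can be derived from DNS reply headers, as an added example (not GRC's code). The status strings are the page's; the probe set (one valid name plus three nonexistent names: a .com, a non-.com and a www. name), the function names and the order of the checks are assumptions of this example, and the replies are constructed sample data.

```python
import struct

# RCODE values and header flag bits from RFC 1035.
NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5
QR, RD, RA = 0x8000, 0x0100, 0x0080

WORKING = "DNS services are available and working"
NEVER_REPLIES = "Nameserver never replies to bad domains"
BAD_ALL = "Bad domain names are intercepted by provider"
BAD_COM = "Bad COM domains are intercepted by provider"
BAD_WEB = "Bad WEB domains are intercepted by provider"
NO_ANSWER = "DNS queries are not being answered here"
REJECTED = "DNS queries are being actively rejected"
NO_RECURSION = "DNS lookup is not offered by this server"
INVALID = "Nameserver returned invalid replies"


def make_reply(txid, rcode, answers=0, ra=True):
    """Build a bare 12-byte DNS reply header (constructed sample data)."""
    flags = QR | RD | (RA if ra else 0) | rcode
    return struct.pack("!6H", txid, flags, 1, answers, 0, 0)


def parse_header(reply, txid):
    """Return (rcode, answer_count, recursion_available), or None if malformed."""
    if len(reply) < 12:
        return None
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", reply[:12])
    if rid != txid or not flags & QR:   # wrong transaction ID, or not a response
        return None
    return flags & 0x000F, ancount, bool(flags & RA)


def classify(probes, txid):
    """Map raw replies to one status line.

    `probes` holds the reply bytes (None = timed out) for:
      "good"  - a name known to exist
      "com"   - a nonexistent .com name
      "other" - a nonexistent non-.com name
      "www"   - a nonexistent non-.com name beginning with www.
    One transaction ID is reused for every probe to keep the example short;
    a real client would use a fresh random ID per query.
    """
    if probes["good"] is None:
        return NO_ANSWER
    header = parse_header(probes["good"], txid)
    if header is None:
        return INVALID
    rcode, ancount, recursion = header
    if rcode == REFUSED:
        return REJECTED
    if rcode == SERVFAIL:
        return INVALID
    if not recursion:
        return NO_RECURSION
    if rcode != NOERROR or ancount == 0:
        return INVALID

    intercepted = set()
    for kind in ("com", "other", "www"):
        if probes[kind] is None:
            return NEVER_REPLIES
        header = parse_header(probes[kind], txid)
        if header is None:
            return INVALID
        rcode, ancount, _ = header
        if rcode == NXDOMAIN:
            continue                      # the correct answer for a bad name
        if rcode == NOERROR and ancount > 0:
            intercepted.add(kind)         # an address came back for a bad name
        else:
            return INVALID
    if not intercepted:
        return WORKING
    if intercepted == {"com"}:
        return BAD_COM
    if intercepted == {"www"}:
        return BAD_WEB
    return BAD_ALL


if __name__ == "__main__":
    ok, nx, hit = make_reply(7, NOERROR, 1), make_reply(7, NXDOMAIN), make_reply(7, NOERROR, 1)
    print(classify({"good": ok, "com": hit, "other": nx, "www": nx}, 7))
```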

    The Response Time Sub-Tab:

    The Response Time sub-tab contains the benchmark's dynamic performance bar chart which graphically summarizes each DNS server's performance. The primary features of the chart are detailed in the following annotated diagram:


    Bargraph Scaling: As noted in the annotated bargraph schematic above, the bargraph's scale is dynamically set during the benchmark's operation. This will have the effect of causing all bar lengths to rescale proportionally as the measured performance of the slowest nameserver is scaled to keep its longest bar within the bargraph's extent. As the bargraph's bars are resized, the underlying scale will follow the changes so that you can always relate the bar sizes to their time-delay value.

    Although automatic scaling is normally what you'll want, there are times when youmay wish to override the bargraph's automatic accommodation of the slowest

    nameserver (having the longest bar). For example, if you wished to comparebargraphs generated from different runs of the Benchmark, having them scaled

    identically would make a side-by-side comparison much easier. An option availableon the application's System Menu and also by right-clicking on the bargraph and

    selecting from the pop-up menu, will produce the small dialog box shown above-left.With it you can force any bargraph resolution you wish for the bargraph currently

    being displayed.

    Pow er -User Tip : Some users prefer always locking the bargraph's scaling to afixed value, like 300 milliseconds full scale. If you hold down either of the

    keyboard's SHIFT keys while you click the Set Fixed Scale button, the scale youset will be saved into the system's registry and automatically remembered and used

    by the Benchmark every time it is run in the future. You may remove that stickysetting by holding down either SHIFT key when clicking on Set Auto Scaling.

    What is DNS Caching and Why Does it Matter?

    The process of resolving a DNS query differs greatly depending upon whether or not the DNS nameserver being queried already knows the answer. One of the most important aspects of the Domain Name System (DNS) is the concept of local caching of slowly expiring information. By maintaining a cache (a local


    up (and the cache thus needs to be refreshed), the client's local resolver must venture out onto the Internet to query other DNS nameservers for one or more pieces of information required to assemble the client's answer. Not surprisingly, this can take significantly more time than simply retrieving the non-expired answer from the resolver's own local cache storage.

    It's quite possible for your ISP to provide a local DNS resolver that is able to reply almost instantly to queries for data it has recently cached. But that same resolver could have a very slow or overloaded & congested connection to the Internet. That would cause it to be painfully slow whenever it needs to assemble an answer to a query it doesn't already have in its local cache. If your Internet wanderings tend to take you off the beaten path, to domains less travelled, you could find yourself waiting a lot longer for a poorly-connected DNS resolver to obtain those IP addresses for you (since other users of the same DNS resolver would not have already asked for the IPs of the same domain names).

    This DNS Benchmark separately measures and displays the time required by each DNS resolver to reach out onto the Internet and obtain an answer that's not already in its cache.

    The GREEN BAR shows the performance of each DNS resolver when it is forced to ask other Internet nameservers governing popular domains such as Google, Yahoo, YouTube, Live, Facebook, MSN, MySpace, etc. for their site's IP addresses.

    Sorting by Green: This uncached measure of performance is important enough that you might wish to view the entire DNS server list sorted by fastest uncached performance first, rather than fastest cached performance. Options in the Benchmark's System Menu allow the sort order to be changed at will.

    PURPLE BAR = Dot Com Domain Name Lookup:

    In order for a DNS resolver to query the nameservers for the most popular domains such as Google, Yahoo, and others, the resolver must first know the IP addresses of those nameservers. That information is looked up by asking the Dot Com nameservers for the IP addresses of the domain nameservers. As you might imagine, speedy and efficient access to the Dot Com nameservers is critically important too, since everything else depends upon it.

    The PURPLE BAR shows the performance of each DNS resolver's queries when they are forced to go directly to the Dot Com nameservers for the resolution of a lookup request for a dot COM domain name.

    Simplify the bargraph by showing only cached results:

    Interesting as the (green and purple bar) uncached results are, as mentioned above, we believe that the cached results are the most important. To reflect that, and to allow for a simplification of the bargraph presentation, the "Show Uncached" option may be unchecked to remove the two uncached (green and purple) bars and to rescale the chart as appropriate.

    Left and Right Clicking on the Bargraph

    Discoverable Power-User Features


    The overriding goal for the design of this and all of GRC's software is, first and foremost, for the software to be truly easy to use. In the case of this Benchmark, you can just start it up and click on the red GRC "G" logo, and you're running and watching the results. But there's also much more . . .

    We want the software to be useful to a wide range of users, casual and committed alike. So we have incorporated a carefully selected set of power-user features that are entirely optional. It is not necessary to know about them, understand them or ever use them. But they will serve to give the product much more depth and range of application.

    To accomplish this secondary goal we have made many powerful features discoverable by the inquisitive user. Just poke around, try things, and you'll find hidden goodies (all of which we will reveal on these pages.) Click on the System Menu at the application's far upper left, or right-click on the bargraph, and you'll see what we mean. There's a huge amount of additional power and capability that you don't need to worry about, but which can turn the Benchmark into a true power-user's tool.

    LEFT-Click and Drag to inspect the bargraph's exact timing values:

    Although the bargraph provides an instantaneous visual display comparison, it doesn't show the underlying values. The Tabular Data tab does show these exact values, but that requires switching away from the graphical display. Left-clicking and dragging the mouse around the bargraph display will pop-up and display a tracking inspector (see the sample at the left) which will show the exact performance values of the bars for the server underneath the inspector.

    Note that the pop-up inspector also serves to remind you what the three color bars represent. Also note that the pop-up inspector will operate upon any of the four sub-tabs of the Nameservers tab.

    RIGHT-Click and release to display a menu of power-user features:

    Remove this nameserver

    This provides a quick and direct way of removing a single nameserver. Just right-click on the nameserver you wish to remove and select "Remove this nameserver". You could open the Add/Remove dialog and manually enter the IP address to remove, but this is much faster.

    Remove X dead nameservers

    It may be that some of the nameservers in the application's built-in list will be dead in one way or another, colored red, and therefore not benchmarked. This menu item, when enabled, will show how many dead nameservers are present (16 in the screen sample here) and will remove them when selected.

    Remove slower nameservers

    This provides a fast means for dropping any nameservers which are slower than the nameserver clicked upon. This could be useful for re-testing with fewer nameservers, which will be faster. "Slower" is determined by the current sort choice, cached or uncached, which is also shown and selectable near the bottom of this menu.

    Copy nameserver's IP

    This quickly copies the IP of the nameserver clicked on to the system's clipboard in textual format. It could then be pasted into a note or other application.

    Set Graph Scale: XXX msec / auto

    This menu item shows both the current full-scale timing value (220 milliseconds (msec) in the sample above) and the current scaling mode, auto or fixed (manual). If this item is selected the Set Bargraph Scale dialog box mentioned above will be presented.

    Export last results to CSV file

    Once a benchmark test has been run, a spreadsheet of fully detailed results (containing more detail than any other benchmark view) can be exported in CSV (Comma Separated Value) format. The DNS Benchmark's CSV exportation is fully language localized. It will export using the proper field and numeric separators for the system's locale. This fixed-format file can be imported into spreadsheets or processed by automated tools.

    Copy All as Image to Clipboard

    A graphic bitmap image of the current sub-tab (Name, Owner, Status or Response Time), of the entire benchmark server list, will be copied to the system's clipboard for subsequent pasting into any other graphic-capable application, document, or whatever. Note that this has the same function as the "Copy" button at the bottom-left of the Benchmark's window.

    Save All as Image to File

    This saves the same graphic image as the "Copy" option above, to a graphic file in either (uncompressed) Windows BMP or universal (compressed) PNG format. The PNG format file will be much smaller.

    Sort by Cached Performance

    Shows the current sorting choice and, when selected, sorts by cached performance first, uncached performance second, and dotcom performance third.

    Sort by Uncached Performance

    Shows the current sorting choice and, when selected, sorts by uncached performance first, cached performance second, and dotcom performance third.

    Test DNSSEC Authentication

    DNSSEC is the DNS SECurity standard for securely (cryptographically) authenticating DNS data within the domain name system to prevent alteration and forgery. Since producing DNSSEC replies takes additional computation time (for the cryptography), benchmarking this aspect of a DNS server's performance can be crucial. However, at the time of this Benchmark's release, a surprising number of publicly available resolvers catastrophically fail when presented with valid DNSSEC-enabled queries. Therefore, the Benchmark's use of DNSSEC is disabled by default. This option enables the Benchmark's use of DNSSEC.

    After changing this setting you will be prompted and advised to re-characterize the nameservers under the new DNSSEC setting by re-verifying Internet connectivity.
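On the wire, a DNSSEC-enabled query is an ordinary query plus an EDNS0 OPT record with the DO (DNSSEC OK) bit set, and a resolver that mishandles it returns an error code, drops the OPT record, or sends a reply that does not parse. This added example is not the Benchmark's code; the function names, status labels and placeholder RRSIG data are assumptions for illustration, and it checks only whether signatures are present, not whether they verify.

```python
import struct

def build_dnssec_query(name, qid):
    """A-record query with RD set plus an EDNS0 OPT record carrying DO."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # ARCOUNT=1: the OPT record
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = flags with DO (0x8000)
    return header + qname + struct.pack("!HH", 1, 1) + rr(41, b"", b"\x00", 1232, 0x8000)

def rr(rtype, rdata, name=b"\xc0\x0c", cls=1, ttl=60):
    """Encode one resource record; the default name points back at the question."""
    return name + struct.pack("!HHIH", rtype, cls, ttl, len(rdata)) + rdata

def skip_name(msg, off):
    """Offset just past a name made of labels and/or a compression pointer."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def dnssec_status(reply):
    """Walk every record of a reply to a DO query and label the outcome."""
    try:
        _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
        off, types = 12, set()
        for _ in range(qd):
            off = skip_name(reply, off) + 4        # name, then QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(reply, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
            off += 10 + rdlen
            types.add(rtype)
    except (struct.error, IndexError):
        return "invalid reply"                     # ran off the end while parsing
    if off != len(reply) or not (flags & 0x8000):
        return "invalid reply"                     # bad length, or not a response
    if (flags & 0x000F) in (1, 2, 4):
        return "fails on DNSSEC query"             # FORMERR, SERVFAIL or NOTIMP
    if 41 not in types:
        return "EDNS ignored"                      # no OPT record echoed back
    return "signed answer" if 46 in types else "EDNS ok, no RRSIG"

def sample(query, flags, answers=(), opt=True):
    """Constructed reply: question echoed, then answers, then an optional OPT."""
    header = query[:2] + struct.pack("!HHHHH", flags, 1, len(answers), 0, int(opt))
    extra = rr(41, b"", b"\x00", 1232, 0x8000) if opt else b""
    return header + query[12:-11] + b"".join(answers) + extra
```

Feed `dnssec_status` the bytes received for a query built by `build_dnssec_query`; `sample` and `rr` exist only to construct offline test replies.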

    What next?

    Most likely, this is the only page you really need to read. Once you have read through the content above, you'll have a very good idea of what the Benchmark does, how it works, and how to use it.

    If you're a casual user, just remember to check out the all-important Conclusions tab/page once the benchmark has completed. It will go a long way towards interpreting your results and help to keep you from missing anything important.

    Additional System Menu Options:

    You should also briefly familiarize yourself with the application's System Menu. Just click on the application's icon in the upper-left corner of the window the next time it's running. You'll find that most of its features duplicate those you already know because they are also available either on the Add/Remove nameservers dialog, or on the Nameserver's tab right-click menu. But you should be aware of their existence.

    Using the Command-Line:

    Power-users who wish to alter the application's default start-up behavior or who are interested in automating the entire DNS Benchmarking process, should also see the Command-Line Operation Reference page.

    The additional pages, whose links are below, provide further detail and background that may be useful depending upon your needs:

    1 DNS Benchmark Introduction

    2 Features & Operation Walkthrough

    3 System Menu Options & Commands

    4 Command-Line Operation Reference

    5 Building a Custom Nameserver List

    6 DNS Benchmark Resource Files

    7 Configuring your DNS Nameservers

    8 Benchmark Questions & Answers

    9 DNS Benchmark Version History

    10 Running GRC Apps under WINE

    11 DNS Spoofability Test Introduction

    12 Please Send Us Your Feedback

    Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2012 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

    Last Edit: Oct 02, 2010 at 12:33 (678.87 days ago) Viewed 46 times per day
