Best Practices
DNS modes
| Mode | Recommended flags | Purpose |
|---|---|---|
| Quick Run | | Fast feedback, spot checks |
| Balanced Run | | Daily runs |
| Thorough Run | | Provider evaluation |
| Debug Mode | | Diagnosing resolver issues |
HTTP modes
| Mode | Recommended flags | Purpose |
|---|---|---|
| Quick Run | | Fast feedback |
| Thorough Run | | Detailed benchmarking |
| Debug Mode | | Diagnosing endpoint issues |
| API Testing | | Validate responses |
Statistical accuracy
- Run `--iterations 3` or more for stable mean/median figures.
- Use `--warmup-fast` when testing DoH or DoT to absorb the TLS handshake overhead before timing starts.
- On mobile or hotspot connections, expect 2–5× higher variance than on wired Ethernet. Compare median latency, not average.
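The three points above can be seen on a single run's per-query latencies. The following is an added example, not the benchmarking tool's code: the sample latencies are constructed to imitate one DoT run in which the first query pays the TLS handshake and one later query hits a transient stall; `summarize` drops the first samples the way `--warmup-fast` would, and `is_stable` flags when the mean and median disagree enough that only the median should be compared across runs.

```python
"""Mean vs median on a constructed DoT latency sample (added example)."""
from statistics import mean, median
from typing import Sequence

# Constructed per-query latencies in ms for one resolver over DoT.
# Sample 0 includes the TLS handshake; sample 5 is a transient stall.
DOT_SAMPLES_MS = [212.0, 18.1, 17.6, 19.0, 18.4, 94.3, 17.9, 18.8]


def summarize(samples: Sequence[float], warmup: int = 0) -> dict:
    """Return count, mean, median and max after discarding `warmup` samples.

    Discarding the leading samples mimics what a warmup phase achieves:
    the connection setup cost is paid before timing starts.
    """
    timed = list(samples[warmup:])
    if not timed:
        raise ValueError("no samples left after warmup")
    return {
        "n": len(timed),
        "mean_ms": round(mean(timed), 2),
        "median_ms": round(median(timed), 2),
        "max_ms": max(timed),
    }


def is_stable(samples: Sequence[float], warmup: int = 0,
              tolerance: float = 0.25) -> bool:
    """True when mean and median agree within `tolerance` of the median.

    A large gap means outliers (handshakes, stalls) are dragging the mean,
    so medians, not averages, are the numbers to compare between runs.
    """
    s = summarize(samples, warmup)
    return abs(s["mean_ms"] - s["median_ms"]) <= tolerance * s["median_ms"]


if __name__ == "__main__":
    for warmup in (0, 1):
        s = summarize(DOT_SAMPLES_MS, warmup)
        print(f"warmup={warmup}: mean={s['mean_ms']} median={s['median_ms']} "
              f"max={s['max_ms']} stable={is_stable(DOT_SAMPLES_MS, warmup)}")
```

With no warmup the mean is 52.01 ms against a median of 18.6 ms; dropping the handshake sample pulls the mean down to 29.16 ms while the median barely moves (18.4 ms), which is exactly why the page says to compare medians.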
Comparing encrypted vs plain DNS
Do not compare latency numbers from a plain UDP run directly with a DoH or DoT run — they measure different things. Run separate benchmarks and compare the two results side-by-side.
DNSSEC tips
- Only ~33% of common domains are DNSSEC-signed.
- Add `--domains` containing known DNSSEC-signed domains when testing `--dnssec-validate` (e.g. cloudflare.com, quad9.net).
- `DNSSEC_FAILED` on unsigned domains is expected, not a resolver failure.
Output management
- Use `--quiet` in CI / cron jobs to suppress progress bars.
- Use `--output /path/with/datestamp` in cron jobs for automatic log rotation.
- Use `--json` alongside `--formats csv,excel` for both human-readable and machine-readable outputs from a single run.
Large-scale testing
- For 1000+ DNS queries, keep `--max-concurrent` at 50 or below to avoid triggering rate-limiting on public resolvers.
- Plain UDP DNS queries are visible to network observers. Use `--doh` or `--dot` when testing from untrusted networks.