High DNS filtering latency with Cloudflare Gateway

I’m using DNS Policies to block domains related to ads with Cloudflare Gateway.

I compared Gateway’s DoH resolution time against AdGuard and NextDNS using the dnslookup tool from ameshkov on GitHub.

I also measured network latency with ping.

Cloudflare 1.1.1.1 (no filtering)

dnslookup example.com https://1.1.1.1/dns-query 1.1.1.1

Average resolution time is 40ms.
Average network latency is 5.8ms.

Cloudflare Gateway (with filtering, aka DNS policies)

dnslookup example.com https://<custom>.cloudflare-gateway.com/dns-query 162.159.36.20

Average resolution time is 350ms.
Average network latency is 5.1ms.

AdGuard (public server, with filtering):

dnslookup example.com https://dns.adguard.com/dns-query 94.140.15.15

Average resolution time is 80ms.
Average network latency is 17.7ms.

NextDNS (with filtering)

dnslookup example.com https://dns.nextdns.io/<custom> 193.168.204.73

Average resolution time is 45ms.
Average network latency is 5.7ms.

Measured network latencies do not show an important difference.

However, the measured DNS resolution time from Cloudflare Gateway is much higher than the others. I guess the filtering engine is the main bottleneck, but why is the resolution time so much higher than that of the other DNS providers, which are also using a filtering engine?

Are other customers from this community experiencing the same result?

In my testing, comparing https://family.cloudflare-dns.com/dns-query with cloudflare-gateway.com showed different results depending on the Gateway firewall policies configuration. I used a tool called resperf to benchmark DNS and got the average latency in milliseconds (the time between sending the query and receiving a response, excluding connection set-up time, because connections are reused). Pinging family.cloudflare-dns.com and mysubdomain.cloudflare-gateway.com from this system resulted in around rtt min/avg/max/mdev = 2.581/2.895/4.246/0.408 ms. With 3 firewall policies active for a location, the latency was 25 ms. With no policies active for a location, the latency was 17 ms. For family.cloudflare-dns.com, the latency was 16 ms. For cloudflare-dns.com, the latency was 9 ms. For dns.adguard.com, the latency was 19 ms.

This was not a very thorough test; for example, I have not yet tested uploading a long allowlist or blocklist to Cloudflare Gateway. The difference that I could measure is much smaller than what you measured (perhaps the connection set-up time makes the difference, and I ignored that).

What's going on here?
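One way to check the second reply's guess about connection set-up time is to time the first DoH query on a new TLS connection separately from queries that reuse it. This is an added example, not code from any poster or from Cloudflare; the function names are made up for illustration, and it assumes the resolver accepts RFC 8484 POST over HTTP/1.1 (Python's http.client does not speak HTTP/2, which dnslookup may use).

```python
import http.client, socket, ssl, statistics, struct, sys, time

def build_query(name, qtype=1):
    """DNS wire-format query (RFC 1035); ID 0 as RFC 8484 suggests for DoH."""
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set; 1 question
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE (1 = A), QCLASS IN

def measure(host, path, ip, name="example.com", count=11):
    """Send `count` DoH POSTs to `ip` (TLS name `host`); return (cold_ms, warm_ms).
    A sample is "cold" if it had to open TCP+TLS first, "warm" if it reused it."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, 443, timeout=5, context=ctx)
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    body, cold, warm = build_query(name), [], []
    for _ in range(count):
        fresh = conn.sock is None  # true again if the server closed the connection
        start = time.perf_counter()
        if fresh:  # connect to the given IP so system DNS is not part of the timing
            raw = socket.create_connection((ip, 443), timeout=5)
            conn.sock = ctx.wrap_socket(raw, server_hostname=host)
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()
        if resp.status != 200:
            raise RuntimeError(f"DoH server answered HTTP {resp.status}")
        (cold if fresh else warm).append((time.perf_counter() - start) * 1000)
    conn.close()
    return cold, warm

def summarize(cold, warm):
    """Median cold and warm times, and their difference as the set-up estimate."""
    c = statistics.median(cold)
    w = statistics.median(warm) if warm else None  # no reuse: nothing to compare
    return {"cold_ms": c, "warm_ms": w, "setup_ms": None if w is None else c - w}

if __name__ == "__main__":
    # Defaults mirror the first dnslookup command in the thread: host, path, IP.
    default = ["1.1.1.1", "/dns-query", "1.1.1.1"]
    host, path, ip = sys.argv[1:4] if len(sys.argv) >= 4 else default
    print(summarize(*measure(host, path, ip)))
```

Run it once per resolver with the host, path and IP from the dnslookup commands in the first post; if `warm_ms` is close across providers while `cold_ms` differs, the gap sits in connection set-up rather than in the filtering.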