I’m using DNS Policies to block domains related to ads with Cloudflare Gateway.
I compared Gateway’s DoH resolution time against AdGuard and NextDNS using dnslookup tool from ameshkov on GitHub.
I also measured network latency with ping.
Cloudflare 18.104.22.168 (no filtering):
dnslookup example.com https://22.214.171.124/dns-query 126.96.36.199
Average resolution time is 40ms.
Average network latency is 5.8ms.
Cloudflare Gateway (with filtering, aka DNS policies):
dnslookup example.com https://<custom>.cloudflare-gateway.com/dns-query 188.8.131.52
Average resolution time is 350ms.
Average network latency is 5.1ms.
AdGuard (public server, with filtering):
dnslookup example.com https://dns.adguard.com/dns-query 184.108.40.206
Average resolution time is 80ms.
Average network latency is 17.7ms.
NextDNS (with filtering):
dnslookup example.com https://dns.nextdns.io/<custom> 220.127.116.11
Average resolution time is 45ms.
Average network latency is 5.7ms.
Measured network latencies do not show an important difference.
However, the measured DNS resolution time from Cloudflare Gateway is much higher than the others. I guess the filtering engine is the main bottleneck, but why is the resolution time so much higher than that of the other DNS providers, which are also using a filtering engine?
Are other customers from this community experiencing the same result?
In my testing, comparing cloudflare-gateway.com showed different results depending on the Gateway firewall policies configuration, using a tool called resperf to benchmark DNS and get the average latency in milliseconds (the time between sending the query and receiving a response, excluding connection set-up time, because connections are reused). Pinging mysubdomain.cloudflare-gateway.com from this system resulted in around rtt min/avg/max/mdev = 2.581/2.895/4.246/0.408 ms. With 3 firewall policies active for a location, the latency was 25 ms. With no policies active for a location, the latency was 17 ms. For family.cloudflare-dns.com, the latency was 16 ms. For cloudflare-dns.com, the latency was 9 ms. For dns.adguard.com, the latency was 19 ms.

This was not a very thorough test; I have, for example, not yet tested uploading a long allowlist or blocklist to Cloudflare Gateway. The difference that I could measure is much smaller than what you measured (perhaps the connection set-up time makes the difference, and I ignored that).
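As an added example (not code from either poster), the script below separates the two quantities the posts measure differently: the first DoH query over a fresh HTTPS connection (TCP and TLS set-up included, which a one-shot dnslookup run sees) and later queries over the reused connection (set-up excluded, which is what resperf reports). The query builder follows RFC 8484; the hosts in the main block are the public endpoints named in this thread, and the timing function needs network access.

```python
"""Time DoH queries with and without connection set-up (added example)."""
import base64
import http.client
import struct
import time

def build_dns_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query: one question, RD set, class IN.
    qid=0 is what RFC 8484 recommends for cache-friendly GET requests."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_path(base_path: str, query: bytes) -> str:
    """RFC 8484 GET form: the query goes base64url-encoded, unpadded, in ?dns=."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_path}?dns={encoded}"

def response_rcode(msg: bytes) -> int:
    """RCODE is the low 4 bits of the flags word (bytes 2-3 of the header)."""
    return struct.unpack("!H", msg[2:4])[0] & 0x0F

def measure_doh(host: str, path: str, name: str = "example.com",
                queries: int = 5) -> dict:
    """Return the first query's time (TCP + TLS set-up included, as a one-shot
    dnslookup run sees it) and the mean of the remaining queries sent over the
    same reused connection (set-up excluded, as resperf reports). Needs network."""
    conn = http.client.HTTPSConnection(host, timeout=5)
    timings_ms = []
    for _ in range(queries):
        url = doh_get_path(path, build_dns_query(name))
        t0 = time.perf_counter()
        conn.request("GET", url, headers={"Accept": "application/dns-message"})
        resp = conn.getresponse()
        body = resp.read()  # reading the whole body keeps the connection reusable
        timings_ms.append((time.perf_counter() - t0) * 1000)
        if resp.status != 200 or response_rcode(body) != 0:
            raise RuntimeError(f"{host}: HTTP {resp.status}, rcode {response_rcode(body)}")
    conn.close()
    return {"first_ms": timings_ms[0],
            "reused_avg_ms": sum(timings_ms[1:]) / (queries - 1)}

if __name__ == "__main__":
    # Public endpoints named in the thread; substitute your own Gateway host.
    for host in ("cloudflare-dns.com", "dns.adguard.com"):
        print(host, measure_doh(host, "/dns-query"))
```

A large gap between first_ms and reused_avg_ms points at connection set-up rather than the filtering engine.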