UPDATE: Thanks to comments from readers we have found that the pattern does not exactly match the GCD triangle for some values of the number of cells and rows: this possibly makes it a more interesting finding. Join the discussion in the Telegram group as well – details below) .
Early this year a software engineer, Shaun Gilchrist, reached out to me after reading a blog post of mine from many years ago, about my informal search for hidden patterns in the prime numbers.
The Ulam Spiral revealed non-random patterns, but they didn’t quite match up. Both Shaun and I had long felt there was a better way to wrap the primes that would reveal a deeper structure.
Shaun explained that he had developed a new algorithm (he calls it “Parallax Compression”) for wrapping the primes on a plane, and visualizing their distribution, inspired by the Ulam Spiral. Here is a more robust Github version of the code in a Mathematica notebook if you want to explore it yourself (note: Thanks to Stephen Wolfram for taking a look at the Mathematica code and advising us in January, when we were wondering whether this might break crypto and needed advice; the answer is no, it doesn’t break crypto, but Mathematica is pretty great!).
After his initial discovery, Shaun searched the Web for anyone else who was thinking this way and that led him to my blog post, and to me.
Shaun’s algorithm reveals an interesting non-random, fractal-like pattern in the distribution of primes, that to our knowledge, has never been seen before.
It makes it possible to easily see where there are regions of prime and non-prime numbers, anywhere on the number line, at any level of scale.
When one looks at a visualization of this pattern, it appears reminiscent of runes, Mayan glyphs, tapestries, and hieroglyphics. If you look at it for a moment or two you will see there are several levels of nested geometric shapes within it that appear to have a kind of fractal symmetry:
A cell is colored black if there is at least 1 prime number within it, and red if there are no primes within it.
Here, the width of a cell, n, is 100, so each cell represents 100 integers in the sequence, and the pattern holds for 100 rows.
Initially we found that this pattern matches a known numerical sequence,OEIS A054521 — and it recurs for other even values of n, so it is self-similar at various levels of scale.
For example, If n = 50, then each cell represents 50 integers, and the pattern holds for 50 rows. If n = 200 then each cell represents 200 integers, and pattern holds for 200 rows.
Here is an animation (Thanks to Ian Rust) that shows the pattern approaching the GCD sequence pattern, as the values of n increase.
However, some readers noted today in the thread on Hacker News that GCD doesn’t hold for all values of n.
For example, for odd values of n we see a different pattern that is also rather interesting. Here is n = 99:
Like the GCD pattern we see for even values of n, the odd valued n pattern also recurs for different sized odd values of n. This means that this pattern is not simply the GCD sequence — there are variances that we don’t understand yet.
This algorithm also reveals sequences (that we call “runs”) of primes and non-primes along various axes that might be useful for predicting prime and non-prime regions.
After Shaun reached out to me with his discovery, we spent many sleepless days and nights collaborating to see if there were even deeper patterns behind this new visualization and eventually we made a little progress finding at least one known sequence that generated the pattern for even values of n, without needing any primality testing. But as noted above, it doesn’t hold for all values of n, and we have not done a formal proof nor have we tested a large set of values of n and compared results.
We’re not exactly sure what this all means yet — it might not mean much — it might just be a pretty visualization — but it’s interesting enough (to us at least) that we decided eventually to make this public so that others could help us explore it further, in case there is something more to this.
Perhaps this is a topographical map of the distribution of the prime numbers? Perhaps this might be useful in number theory, or in some area of science? The self-similarity at various levels of scale, and the fact that it isn’t fully described for all values of n by a known sequence means there may still be more to understand about this.
In general, finding any kind of non-random pattern in the distribution of primes is potentially interesting. Are there connections between this and other research findings, such as this recent article we found on aperiodic order in the primes?
We don’t know yet, but we are curious to find out. We are not mathematicians, but hopefully some mathematicians reading this will take it further than we can.
We hope you enjoy this, and if you make further progress on this, or find anything that may be connected, please let us know. (You can discuss it with us, and others who are interested, on this Telegram group).
Reference:
An attempt by the U.S. National Security Agency (NSA) to set two types of encryption as global standards suffered a major setback on Tuesday, after online security experts from countries including U.S. allies voted against the plan, for use on the “internet of things.”
A source at an International Organization for Standardization (ISO) meeting of expert delegations in Wuhan, China, told WikiTribune that the U.S. delegation, including NSA officials, refused to provide the standard level of technical information to proceed.
The vote is the latest setback for the NSA’s plan, which was pruned in September after ISO delegates expressed distrust and concerns that the U.S. agency could be promoting encryption technology it knew how to break, rather than the most secure.
The ISO sets agreed standards for a wide range of products, services, and measurements in almost every industry including technology, manufacturing, food, agriculture, and health. The body has been looking into adopting recommended encryption technology to improve security in devices that make up the “internet of things.” These include household items such as smart speakers, fridges, lighting and heating systems, and wearable technology.
The NSA has been pushing for these encryption tools to get a seal of approval from the ISO so they will become approved by the National Institute for Standards and Technology (NIST), and become standard for all U.S. government departments and related companies, said the source.
Agreeing to adopt ‘Simon’ and ‘Speck’ as standard block cipher algorithms would have made these part of the recommended encryption technology for a huge range of products.
The NSA had originally been promoting a broader range of encryption technologies, but during a three-year dispute behind closed doors, delegates from other countries expressed concern over the NSA’s motives. Several cited information leaked by Edward Snowden, which showed the agency had previously planned to manipulate standards and promote technology it could penetrate, as a source of distrust, according to documents seen by Reuters.
Two delegates told WikiTribune that the opposition to adding these algorithms was led by Dr. Tomer Ashur from KU Leuven University, representing the Belgian delegation and it was supported by a large group of countries.
Many crypto experts both within and outside ISO had concerns about the security of the algorithms,” said Ashur. “The NSA tried to remain as obscure as it could about certain design decisions and parameter choices they have made. As this is out of line with what is perceived as best practices of cipher design, this alarmed some of the delegates, including myself.”
Specific requests for more detailed information were met with obfuscation, said Ashur.
“I can’t speak for the other delegates but I believe it was these concerns together with the adversarial and aggressive behavior of the NSA that eventually led them to support the cancellation of the project,” he said.
Israeli delegate Orr Dunkelman told Reuters he did not trust the U.S. designers following the September meetings.
“There are quite a lot of people in NSA who think their job is to subvert standards,” said Dunkelman. “My job is to secure standards.”
The NSA said Simon and Speck were developed to protect U.S. government equipment without requiring a lot of processing power, and firmly believes they are secure.
The NSA has a history (Atlas Obscura) of trying to create “backdoors” in software so it can access data. Documents leaked by Snowden also showed the NSA has made extensive efforts to break encryption tools, and insert vulnerabilities into encryption systems. The Dual EC, a standardized algorithm championed by the NSA, was withdrawn in 2014 due to wide public criticism.
According to WikiTribune’s source, experts in the delegations have clashed over recent weeks and the NSA has not provided the technical detail on the algorithms that is usual for these processes. The U.S. delegation’s refusal to provide a “convincing design rationale is a main concern for many countries,” the source said.
What are Simon and Speck?
Created by the NSA in 2013, Simon and Speck are families of lightweight block ciphers, meaning they’re cryptographic algorithms tailored for low-resource devices, such as limited memory and power. Though both algorithms are versatile in hardware and software, Simon is optimal in hardware while Speck is optimal in software. Detailed information about the Simon and Speck families is compiled by the NSA Cybersecurity in it’s official GitHub repository.
- Simon = hardware
- Speck = software
In 2014, Simon and Speck were proposed to be included (IACR paper) in the ISO standard that specifies the requirements for lightweight cryptography and suitable block ciphers. Published 2012, this standard already covers two lightweight block ciphers, Present and Clefia. Furthermore, there are two “Proposed Draft Amendments” recordedwithout any content information. They might concern the proposed NSA block ciphers.
Another relevant standard specifies the security and privacy aspects of Service Level Agreements (SLA) for cloud services with the “cryptography component” as a central part. According to a notice ofPrismacloud, this standard was the theme in Wuhan, April 16-20, where the Working Groups of the responsible SO/IEC JTC 1/SC 27 held their 26th meeting. This meeting is not listed in the ISO meeting calendar.
According to the NSA, the aim of Simon and Speck is to secure applications in constrained, or specialized, environments, largely to prepare for the era of the internet of things. The basic idea is to design algorithms that are flexible and simple enough to be performed just about anywhere.
What is unusual about Simon and Speck is that the NSA had a four-year delay in publishing the ciphers with a security analysis and a description of the design decisions, which are considered mandatory best practices.
https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0
A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days.
Because of the straightforward nature of the proof of concept, the severity of these security vulnerabilities, the range of email clients and plugins affected, and the high level of protection that PGP users need and expect, EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now.
Because we are awaiting the response from the security community of the flaws highlighted in the paper, we recommend that for now you uninstall or disable your PGP email plug-in. These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community. There may be simpler mitigations available soon, as vendors and commentators develop narrower solutions, but this is the safest stance to take for now. Because sending PGP-encrypted emails to an unpatched client will create adverse ecosystem incentives to open incoming emails, any of which could be maliciously crafted to expose ciphertext to attackers.
While you may not be directly affected, the other participants in your encrypted conversations are likely to be. For this attack, it isn’t important whether the sender or the receiver of the original secret message is targeted. This is because a PGP message is encrypted to both of their keys.
At EFF, we have relied on PGP extensively both internally and to secure much of our external-facing email communications. Because of the severity of the vulnerabilities disclosed today, we are temporarily dialing down our use of PGP for both internal and external email.
Our recommendations may change as new information becomes available, and we will update this post when that happens.
How The Vulnerabilities Work
PGP, which stands for “Pretty Good Privacy,” was first released nearly 27 years ago by Phil Zimmermann. Extraordinarily innovative for the time, PGP transformed the level of privacy protection available for digital communications, and has provided tech-savvy users with the ability to encrypt files and send secure email to people they’ve never met. Its strong security has protected the messages of journalists, whistleblowers, dissidents, and human rights defenders for decades. While PGP is now a privately-owned tool, an open source implementation called GNU Privacy Guard (GPG) has been widely adopted by the security community in a number of contexts, and is described in the OpenPGP Internet standards document.
The paper describes a series of vulnerabilities that all have in common their ability to expose email contents to an attacker when the target opens a maliciously crafted email sent to them by the attacker. In these attacks, the attacker has obtained a copy of an encrypted message, but was unable to decrypt it.
The first attack is a “direct exfiltration” attack that is caused by the details of how mail clients choose to display HTML to the user. The attacker crafts a message that includes the old encrypted message. The new message is constructed in such a way that the mail software displays the entire decrypted message—including the captured ciphertext—as unencrypted text. Then the email client’s HTML parser immediately sends or “exfiltrates” the decrypted message to a server that the attacker controls.
The second attack abuses the underspecification of certain details in the OpenPGP standard to exfiltrate email contents to the attacker by modifying a previously captured ciphertext. Here are some technical details of the vulnerability, in plain-as-possible language:
When you encrypt a message to someone else, it scrambles the information into “ciphertext” such that only the recipient can transform it back into readable “plaintext.” But with some encryption algorithms, an attacker can modify the ciphertext, and the rest of the message will still decrypt back into the correct plaintext. This property is called malleability. This means that they can change the message that you read, even if they can’t read it themselves.
To address the problem of malleability, modern encryption algorithms add mechanisms to ensure integrity, or the property that assures the recipient that the message hasn’t been tampered with. But the OpenPGP standard says that it’s ok to send a message that doesn’t come with an integrity check. And worse, even if the message does come with an integrity check, there are known ways to strip off that check. Plus, the standard doesn’t say what to do when the check fails, so some email clients just tell you that the check failed, but show you the message anyway.
The second vulnerability takes advantage of the combination of OpenPGP’s lack of mandatory integrity verification combined with the HTML parsers built into mail software. Without integrity verification in the client, the attacker can modify captured ciphertexts in such a way that as soon as the mail software displays the modified message in decrypted form, the email client’s HTML parser immediately sends or “exfiltrates” the decrypted message to a server that the attacker controls. For proper security, the software should never display the plaintext form of a ciphertext if the integrity check does not check out. Since the OpenPGP standard did not specify what to do if the integrity check does not check out, some software incorrectly displays the message anyway, enabling this attack.
This means that not only can attackers get access to the contents of your encrypted messages the second you open an email, but they can also use these techniques to get access to the contents of any encrypted message that you have ever sent, as long as they have a copy of the ciphertext.
What’s Being Done to Fix this Vulnerability
It’s possible to fix the specific exploits that allow messages to be exfiltrated: namely, do better than the standard says by not rendering messages if their integrity checks don’t check out. Updating the protocol and patching vulnerable software applications would address this specific issue.
Fixing this entirely is going to take time. Some software patches have already begun rolling out, but it will be some time before every user of every affected software is up-to-date, and even longer before the standards are updated. Right now, information security researchers and the coders of OpenPGP-based systems are poring over the research paper to determine the scope of the flaw.
We are in an uncertain state, where it is hard to promise the level of protection users can expect of PGP without giving a fast-changing and increasingly complex set of instructions and warnings. PGP usage was always complicated and error-prone; with this new vulnerability, it is currently almost impossible to give simple, reliable instructions on how to use it with modern email clients.
It is also hard to tell people to move off using PGP in email permanently. There is no other email encryption tool that has the adoption levels, multiple implementations, and open standards support that would allow us to recommend it as a complete replacement for PGP. (S/MIME, the leading alternative, suffers from the same problems and is more vulnerable to the attacks described in the paper.) There are, however, other end-to-end secure messaging tools that provide similar levels of security: for instance, Signal. If you need to communicate securely during this period of uncertainty, we recommend you consider these alternatives.
We Need To Be Better Than Pretty Good
The flaw that the researchers exploited in PGP was known for many years as a theoretical weakness in the standard—one of many initially minor problems with PGP that have grown in significance over its long life.
You can expect a heated debate over the future of PGP, strong encryption, and even the long-term viability of email. Many will use today’s revelations as an opportunity to highlight PGP’s numerous issues with usability and complexity, and demand better. They’re not wrong: our digital world needs a well-supported, independent, rock-solid public key encryption tool now more than ever. Meanwhile, the same targeted populations who really need strong privacy protection will be waiting for the steps they can take to use email securely once again.
We’re taking this latest announcement as a wake-up call to everyone in the infosec and digital rights communities: not to pile on recriminations or criticisms of PGP and its dedicated, tireless, and largely unfunded developers and supporters, but to unite and work together to re-forge what it means to be the best privacy tool for the 21st century. While EFF is dialing down our use of PGP for the time being (and recommend you do so too) we’re going to double-down on supporting independent, strong encryption—whether that comes from a renewed PGP, or from integrating and adapting the new generation of strong encryption tools for general purpose use. We’re also going to keep up our work improving the general security of the email ecosystem with initiatives like STARTTLS Everywhere.
PGP in its current form has served us well, but “pretty good privacy” is no longer enough. We all need to work on really good privacy, right now.
EFF’s recommendations: Disable or uninstall PGP email plugins for now. Do not decrypt encrypted PGP messages that you receive. Instead, use non-email based messaging platforms, like Signal, for your encrypted messaging needs. Use offline tools to decrypt PGP messages you have received in the past. Check for updates at our Surveillance Self-Defense site regarding client updates and improved secure messaging systems.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938033
Abstract
The widespread use of encryption has triggered a new step in many criminal investigations: The encryption workaround. We define an encryption workaround as any lawful government effort to reveal unencrypted plaintext of a target’s data that has been concealed by encryption. This Article provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use.
The remainder of this Article develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. Whether encryption will be a game changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938033
Whole drive encryption only protects a hard drive that is powered off.
The laptop was encrypted when shut down, but decrypted when
in use.110 To capitalize on this, the FBI sent two plainclothes agents into the
library posing as a couple.111 While standing next to Ulbricht, the two agents
began a loud fight, which distracted Ulbricht and allowed one of the agents to
grab the laptop while it was open.112 That agent turned it over to a third officer
who immediately began to search the device while Ulbricht was placed under
arrest.113 The ruse enabled the FBI to bypass Ulbricht’s whole-disk encryption by
taking it from his hands.11
Web founder Tim Berners-Lee is one of the privacy advocates behind a newly launched service that combines social media, cloud storage, person-to-person, and group communications for privacy-conscious users.
The so-called MeWe private communications network spun out of online privacy company Sgrouples — founded by online privacy advocate Mark Weinstein — doesn’t own, track, or share, information its members provide or share among one another. MeWe encrypts personally identifiable information and most of its communication is SSL-encrypted, and the platform was built with Scala and LISP.
MeWe follows a string of other privacy-oriented services, including secure mobile messaging service Wickr and Silent Circle, which offers private and secure voice, video, text, and file transfer services on mobile devices. The prospect of “leave no trace” communications has become more attractive to some more privacy-concerned users given the large amounts of data gathered by sites such as Facebook and Google, and especially in the wake of the NSA leaks exposing the agency’s controversial online surveillance programs.
Weinstein describes the typical MeWe user like this: “I have social network fatigue. I want a global communications network where I can stay in touch with family, friends, and co-workers. But this is not another social media” platform, he says. “It’s a private communication network… and we don’t track” users or their activity, he says.
“So when it comes to security, the first line is that we are not storing or aggregating or analyzing member data,” he says. “And you can’t post to the whole MeWe world — only to your [designated] MeWe world.”
Weinstein declined to provide data on membership thus far. MeWe is free and comes with (for free) a personal news feed, voice integration, detailed permission controls, 8 GB of storage, and it also runs on Android and iOS, as well as desktop machines.
How will MeWe make money? With optional services you can add such as its extra data storage option (up to 500GB) and picture printing via Walgreens, for instance. On tap is a MeWe app store, and eventually, a subscription-based enterprise version.
And for those users who just aren’t ready to break ties with traditional social media, MeWe has an option to also post to their Facebook, LinkedIn, Twitter, and other social media accounts.
“The original idea of the Web was that it should be a collaborative space where you can communicate through sharing information, MeWe advisor, Berners-Lee said in a statement. “The power to abuse the open Internet has become so tempting both for government and big companies. MeWe gives the power of the Internet back to the people with a platform built for collaboration and privacy.”
Reference:
Cloudflare, a well-known Internet performance and security company, announced the launch of 1.1.1.1—world’s fastest and privacy-focused secure DNS service that not only speeds up your internet connection but also makes it harder for ISPs to track your web history.
Domain Name System (DNS) resolver, or recursive DNS server, is an essential part of the internet that matches up human-readable web addresses with their actual location on the internet, called IP addresses.
For example, when you try to open a website, say thehackernews.com, your DNS looks up for the IP address linked to this domain name and load the site.
But if you use Cloudflare new 1.1.1.1 DNS service, your computer/smartphone/tablet will start resolving domain names within a blazing-fast speed of 14.8 milliseconds—that’s over 28% faster than others, like OpenDNS (20.6ms) and Google (34.7ms).
Even if you are visiting websites over HTTPS, DNS resolvers log every site you visit, making your ISP or 3rd-party DNS services know about everything you do on the Internet.
“That means, by default, your ISP, every wifi network you’ve connected to, and your mobile network provider have a list of every site you’ve visited while using them,” the company says.
However, Cloudflare has changed this game with its new free DNS service, which it claims, will be “the Internet’s fastest, privacy-first consumer DNS service,” promising to prevent ISPs from easily tracking your web browsing history.
Cloudflare public DNS resolvers, 1.1.1.1 and 1.0.0.1 (as alternate DNS server for redundancy), support both DNS-over-TLS and DNS-over-HTTPS to ensure maximum privacy.
How to Change DNS Settings to Boost Internet Speed
For Mac PCs:
- Open System Preferences.
- Search for DNS Servers and tap it.
- Click the + button to add a DNS Server and enter 1.1.1.1 and 1.0.0.1 (for redundancy).
- Click Ok and then Apply.
For Windows Computers:
- Tap Start and then click on Control Panel.
- Click on Network and Internet, and then tap Change Adapter Settings.
- Right-click on the Wi-Fi network you are connected to, then click Properties.
- Select Internet Protocol Version 4 and click Properties, and then write down any existing DNS server entries for future reference.
- Now tap Use The Following DNS Server Addresses, and replace those addresses with the 1.1.1.1 DNS addresses: For IPv4: 1.1.1.1 and 1.0.0.1; and For IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001
- Click OK, then Close, and Restart your browser.
For Android Devices:
- Connect to your preferred WiFi network.
- Enter your router’s gateway IP address in your browser. Fill in your username and password, if asked.
- In your router’s configuration page, locate the DNS server settings, and enter any existing DNS server entries for future reference.
- Replace those addresses with the 1.1.1.1 DNS addresses: For IPv4: 1.1.1.1 and 1.0.0.1, and For IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001
- Save your settings, then restart your browser.
For iOS Devices (iPhone/iPad):
- From your iPhone’s home screen, open Settings.
- Open Wi-Fi and then your preferred network in the list.
- Tap Configure DNS, and then click on Manual.
- If there are any existing entries, tap the – button, and Delete next to each one.
- Now, add 1.1.1.1 and 1.0.0.1 (as alternate DNS server for redundancy) to the DNS address.
- Now, tap the Save button on the top right.
Reference:
A couple of months ago I did a performance comparison between some of the top free DNS Resolvers available. It was just after Quad9 had launched and I was trying to decide which one to use and recommend to families and friends. Google, OpenDNS, Quad9, .. some many options… I love options …
And things just got better. CloudFlare, one of the companies that know the most about Internet performance recently launched their own free DNS resolver. It supports DNS over TLS and DNS over HTTPS by default, which makes it even more interesting.
Now we have an even more interesting playing field: Google’s 8.8.8.8, Quad9’s 9.9.9.9 and CloudFlare’s 1.1.1.1 , in addittion to OpenDNS’s 208.67.222.222 and a few other niche providers as options for us to use.
Providers Tested
Let’s compare them and see how fast they are from across the world. Those were the top 8 free DNS providers that we chose to evaluate:
- Google 8.8.8.8: Private and unfiltered. Most popular option.
- CloudFlare 1.1.1.1: Private and unfiltered. New player.
- Quad9 9.9.9.9: Private and security aware. New player that blocks access to malicious domains.
- OpenDNS 208.67.222.222: Old player that blocks malicious domains and offers the option to block adult content.
- Norton DNS 199.85.126.20: Old player that blocks malicious domains and is integrated with their Antivirus.
- CleanBrowsing 185.228.168.168: Private and security aware. New player that blocks access to adult content.
- Yandex DNS 77.88.8.7: Old player that blocks malicious domains. Very popular in Russia.
- Comodo DNS 8.26.56.26: Old player that blocks malicious domains.
That’s a quick feature breakdown between them regarding their privacy options:
The Privacy option above is based on the providers promise to do not log or share your DNS requests.
Locations
We ran our tests from 18 locations from around the globe. We used mostly VPS providers + some broadband locations to try to query their DNS from as many places as we could. It will tell us how well connected they are, where their datacenters are located and how close someone’s experience in that area will be. Locations chosen:
- North America: San Diego, Los Angeles, New York, Toronto, Montreal, Atlanta, Dallas, Fremont, San Francisco
- Europe: London, Paris, Amsterdam, Frankfurt
- Asia: Tokyo, Singapore, Bangalore (India), Sydney, Brisbane (Australia)
- South America: Sao Paulo
Update: there is this tool that you can run from your own location to compare the performance of these providers. I tested it myself and worked pretty well. Try it out and let me know the results from your city/ISP, and I will update this post.
Results Summary
Our test was very simple and we performed 70 DNS lookups throughout the course of an hour for different popular domains (google, facebook, twitter, gmail, etc). We averaged all the requests per location to get an overall performance indicator per DNS resolver.
TLDR / Summary
- All providers (except Yandex) performed very well in North America and Europe. They all had under 15ms response time across the US, Canada and Europe, which is amazing. In reality, you can choose any one of them and do not notice the few msec of latency difference. However, Asia and South America made the difference in the overall averages (and finding the winner) as some of the providers are not well connected there.
- CloudFlare was the fastest DNS for 72% of all the locations. It had an amazing low average of 4.98 ms across the globe.
- Google and Quad9 were close for second and third respectively. Quad9 was faster than Google in North America and Europe, but under performed in Asia / South America.
- CloudFlare has a strong presence everywhere. While Google and Quad9 had some high response times from some locations, CloudFlare performed well from everywhere.
- Yandex is only for Russia. It doesn’t leverage Anycast like the other providers, and was very slow from everywhere.
- CleanBrowsing was the fastest provider offering adult (porn) content filtering.
- We know we can’t compare these providers 1 to 1, as they all have special features that can add some latency (Quad9 and Comodo blocks access to malicious domains, for example). Take the results as is.
Global Average
#1 CloudFlare: 4.98 ms
#2 Google: 16.44 ms
#3 Quad9: 18.25 ms
#4 CleanBrowsing: 19.14 ms
#5 Norton: 34.75 ms
#6 OpenDNS: 46.51 ms
#7 Comodo: 71.90
#8 Yandex: 169.91
North America Average
#1 CloudFlare: 3.93 ms
#2 Quad9: 7.21 ms
#3 Norton: 8.32 ms
#4 Google: 8.53 ms
#5 CleanBrowsing: 11.83 ms
#6 OpenDNS: 14.66 ms
#7 Comodo: 25.91 ms
#8 Yandex: 119.09 ms
Europe Average
#1 CloudFlare: 2.96
#2 Quad9: 4.35
#3 CleanBrowsing: 5.74
#4 Google: 7.17
#5 OpenDNS: 8.99
#6 Norton: 10.35
#7 Comodo: 13.06
#8 Yandex: 35.74
Results Data
USA, NewYork
#1 Quad9 1.50 ms
#2 CloudFlare 1.57 ms
#4 Norton_DNS 7.28 ms
#5 Google_DNS 7.71 ms
#6 OpenDNS 9.71 ms
#6 CleanBrowsing 10.85 ms
#7 Comodo_DNS 12.00 ms
#8 Yandex_DNS 108.14 ms
USA, San Diego
#1 CloudFlare 8.57 ms
#2 Norton_DNS 9.00 ms
#3 Google_DNS 14.28 ms
#4 CleanBrowsing 19.28 ms
#5 OpenDNS 19.42 ms
#6 Quad9 19.42 ms
#7 Comodo_DNS 40.00 ms
#8 Yandex_DNS 193.57 ms
Canada, Toronto
#1 CloudFlare 3.42 ms
#2 Google_DNS 9.42 ms
#3 Norton_DNS 13.00 ms
#4 CleanBrowsing 13.71 ms
#5 Quad9 15.28 ms
#6 OpenDNS 17.85 ms
#7 Comodo_DNS 21.71 ms
#8 Yandex_DNS 124.14 ms
Canada, Montreal
#1 CleanBrowsing 15.28 ms
#2 Google_DNS 16.71 ms
#3 CloudFlare 17.00 ms
#4 Quad9 17.71 ms
#5 OpenDNS 23.42 ms
#6 Norton_DNS 25.71 ms
#7 Comodo_DNS 84.28 ms
#8 Yandex_DNS 118.85 ms
USA, Atlanta
#1 Quad9 1.71 ms
#2 CloudFlare 1.85 ms
#3 Google_DNS 4.14 ms
#4 CleanBrowsing 15.42 ms
#5 Norton_DNS 17.00 ms
#6 OpenDNS 17.14 ms
#7 Comodo_DNS 18.57 ms
#8 Yandex_DNS 127.57 ms
USA, Dallas
#1 CloudFlare 2.10 ms
#2 Norton_DNS 3.14 ms
#3 Quad9 3.42 ms
#4 OpenDNS 6.71 ms
#5 Google_DNS 7.14 ms
#6 CleanBrowsing 10.85 ms
#7 Comodo_DNS 38.42 ms
#8 Yandex_DNS 153.28 ms
USA, Fremont
#1 CloudFlare 2.00 ms
#2 Norton_DNS 6.14 ms
#3 Quad9 11.00 ms
#4 CleanBrowsing 11.85 ms
#5 Google_DNS 13.71 ms
#6 Comodo_DNS 22.00 ms
#7 OpenDNS 24.42 ms
#8 Yandex_DNS 185.00 ms
USA, San Francisco
#1 Norton_DNS 2.00 ms
#2 Quad9 2.14 ms
#3 CloudFlare 2.85 ms
#4 Google_DNS 12.28 ms
#5 CleanBrowsing 21.14 ms
#6 Comodo_DNS 22.14 ms
#7 OpenDNS 28.00 ms
#8 Yandex_DNS 180.42 ms
UK, London
#1 CloudFlare 1.14 ms
#2 Quad9 1.85 ms
#3 CleanBrowsing 2.00 ms
#4 Norton_DNS 6.57 ms
#5 Google_DNS 7.71 ms
#6 Comodo_DNS 9.85 ms
#7 OpenDNS 9.85 ms
#8 Yandex_DNS 35.57 ms
France, Paris
#1 CloudFlare 5.14 ms
#2 Comodo_DNS 10.00 ms
#3 Google_DNS 10.14 ms
#4 Quad9 12.71 ms
#5 OpenDNS 13.57 ms
#7 CleanBrowsing 14.85 ms
#6 Norton_DNS 23.85 ms
#8 Yandex_DNS 38.14 ms
NL, Amsterdam
#1 CloudFlare 1.14 ms
#2 CleanBrowsing 1.14 ms
#3 Quad9 1.71 ms
#4 Google_DNS 2.71 ms
#5 OpenDNS 4.42 ms
#6 Norton_DNS 9.85 ms
#7 Comodo_DNS 12.85 ms
#8 Yandex_DNS 40.42 ms
Germany, Frankfurt
#1 Norton_DNS 1.14 ms
#2 Quad9 1.14 ms
#3 CloudFlare 4.42 ms
#4 CleanBrowsing 5.00 ms
#5 Google_DNS 8.14 ms
#6 OpenDNS 8.14 ms
#7 Comodo_DNS 19.57 ms
#8 Yandex_DNS 28.85 ms
Japan, Tokyo
#1 CloudFlare 2.00 ms
#2 CleanBrowsing 2.14 ms
#3 Norton_DNS 6.14 ms
#4 Google_DNS 17.28 ms
#5 Quad9 40.57 ms
#6 Comodo_DNS 124.14 ms
#7 OpenDNS 125.71 ms
#8 Yandex_DNS 283.00 ms
Singapore
#1 CloudFlare 1.14 ms
#2 Google_DNS 2.00 ms
#3 Quad9 2.14 ms
#4 CleanBrowsing 2.28 ms
#5 OpenDNS 28.14 ms
#6 Norton_DNS 34.14 ms
#7 Comodo_DNS 203.71 ms
#8 Yandex_DNS 343.00 ms
India, Bang
#1 CloudFlare 7.42 ms
#2 Norton_DNS 21.28 ms
#3 Quad9 38.85 ms
#4 Google_DNS 40.71 ms
#5 OpenDNS 59.42 ms
#6 CleanBrowsing 138.71 ms
#7 Comodo_DNS 150.57 ms
#8 Yandex_DNS 171.57 ms
Australia, Sydney
#1 CloudFlare 22.28 ms
#2 Quad9 25.00 ms
#3 Google_DNS 26.14 ms
#4 CleanBrowsing 34.57 ms
#5 OpenDNS 37.85 ms
#6 Norton_DNS 164.57 ms
#7 Comodo_DNS 186.28 ms
#8 Yandex_DNS 352.14 ms
Australia, Brisbane
#1 CloudFlare 3.00 ms
#2 CleanBrowsing 13.57 ms
#3 Quad9 17.71 ms
#4 Google_DNS 66.14 ms
#5 Norton_DNS 160.14 ms
#6 Comodo_DNS 188.28 ms
#7 OpenDNS 190.28 ms
#8 Yandex_DNS 336.71 ms
Brasil, Sao Paulo
#1 CloudFlare 2.71 ms
#2 CleanBrowsing 12.00 ms
#3 Google_DNS 29.71 ms
#4 Norton_DNS 114.71 ms
#5 Quad9 114.71 ms
#6 Comodo_DNS 129.85 ms
#7 OpenDNS 213.14 ms
#8 Yandex_DNS 238.14 ms
Powershell allows us to create snippets that can be accessed via the ISE.
Step 1 – Access the ISE
ISE > Run as admin
Step 2 – Create a new Snippet
This snippet is to list the processes, sorted in alphabetical order. The command is entered on a single line. We use “new-isesnippet” to create the snippet, followed by a Title and Description. Lastly in the Text section we put the powershell command.
new-isesnippet
-Title GetProcesses
-Description GetProcesses
-Text ‘Get-Process | sort’
This roughly translates as
-
new-isesnippet : Create a new snippet
-
–Title : Set the Title to be “Get Processes”
-
-Description : Set the Description to be “Get Processes”
-
-Text : Text is where we add the commands that will do the actual work. The command syntax=
Get-Process | sort
Step 3 – Right click in ISE window > Start Snippets (or Control J)
Browse to “Get Processes” Snippet.
Press the Green Arrow to RUN the snippet.
The ISE code window will now return all the processes, sorted into alphabetical order.
How easy was that!
Step 4 – Sort Services by Status
This snippet will list all services, and their status. Stopped services will be listed alphabetically first, and running services next.
Get-Service | Sort-Object status
Run
Step 5 – Locate only running or stopped services.
Get-Service | Where-Object status -eq running
Get-Service | Where-Object status -eq stopped
We can enter commands directly into powershell, or use the ISE, which is an updated version of notepad or Notepad++. The ISE allows us to store multiple commands which form a script.
For instance if we wanted to create a script to list all running services on the computer.
Step 1 – Open the ISE in Windows 10
Start > search for ISE > right click > Run as Admin
Get-Service | Where-Object status -eq running
File > Save As
*Tip – make a “BATCH” folder to store all your scripts in one location, eg C:\BATCH.
Then run or press F5 to run the script.
Step 2 – Create a file of Running Services – use Transcript
There may come a time, when having all the running services listed in a file would be much easier, and for this use, the transcript command. Transcript records everything that happens when the script runs, and saves this to a file, that will list all the running services.
Start-Transcript
Get-Service | Where-Object status -eq running
Stop-Transcript
File > Save As > Run or F5 to run script
This saves the running services to a file, saved in your documents folders.
Browse to this file and open it using Notepad – and this will contain all your running services. This is very useful.
Step 3 – Find Services that are stopped using Transcript
Use Transcript to record stopped services.
Step 4 – List the processes using the CPU
Start-Transcript
Get-Process | Sort-Object cpu -Descending
Stop-Transcript
Step 5 – List processes in Descending order
Start-Transcript
Get-Process | Sort-Object -Descending
Stop-Transcript
Step 6 – List processes in Alphabetical order
Start-Transcript
Get-Process | Sort-Object
Stop-Transcript
Step 7 – Autosave a script to a c:\BATCH directory, adding the .ps1 file extension
psedit $profile
This will return the profile (login script) edits we made to change the prompt.
function prompt { ‘ [localhost] ‘ }
Next, we add to the script.
This will create a function, that will allow our profile login script to automatically save to the c:\BATCH directory using the “save-script” command in the ISE. We would type in save-script xyz, and the script automatically adds the .ps1 extension.
function prompt { ‘ [localhost] ‘ }
function Save-Script{
param(
$ScriptName,
$Path = ‘C:\BATCH\’
)
$ScriptPath = Join-Path $Path “$ScriptName.ps1”
$psISE.CurrentFile.SaveAs($ScriptPath, [System.Text.Encoding]::UTF8)
}
Save-Script TopCPU
Next, we list the files in the C:\BATCH directory, to check the file has been saved.
dir C:\BATCH
and you should see a file there called TopCPU.ps1.
Conclusion
- The file was saved automatically to the C:\BATCH directory, with the .ps1 extension.
- The script will automatically tell us which processes are using CPU resources.
When we first use Powershell, the execution policy will probably not allow us to run or write scripts.
Step 1 – PowerShell > Run as admin
Step 2 – Get-ExecutionPolicy
This will probably state “restricted”.
Step 3 – Set-ExecutionPolicy remotesigned > Yes
Step 4 – Create a Unique Profile for yourself
In the old days, system administrators used “login scrips” so that the environment was set up as soon as a user logged on.
In Powershell we can create and then edit a profile, which acts like a login script.
Create a New-Item profile:
PS C:\> New-Item -Item file -Path $profile -Force
To launch a new tab to enter in scripting commands to edit your profie
PS C:\> psedit $profile
This will launch a new ISE tab, for your profile. Next, we change the prompt to state “localhost”, to show that you are working on the local PC.
Press the green run butto or F5 to see the change to your prompt. Each time you press enter, the prompt will remind you that you are working on the local host.
