Neustar grew out of Lockheed Martin and has been working with DNS for over two decades. The company runs both public and premium recursive DNS services. UltraDNS Public is the name of the freely accessible service, while UltraDNS Firewall is its premium cloud-based sibling. We’ll review the public service as the company doesn’t offer a trial for evaluating its premium offering.
The service provider claims its network of more than 30 DNS nodes spread across six continents is capable of handling more than 100 million queries a second, for a total of over 9 trillion queries every day. These DNS nodes are co-located with Neustar’s authoritative and top-level-domain servers, which the company claims helps lower latency and results in almost instant cache updates for the zones hosted by Neustar.
Neustar's UltraDNS Public offers multiple blocking levels: no filtering, threat protection, and family protection. Its threat protection filtering blocks malicious domains that are known to host or propagate malware, ransomware, spyware, and phishing attacks. On top of that, there’s the family secure protection that helps shield children from accidentally accessing mature content such as pornography and violence.
One difference between the two is that while the threat protection filtering will display a warning against certain malicious sites, it does give you the option to continue on to them. However, the family secure filtering is more severe and will simply refuse to connect to the offending website.
Unlike some of its peers, Neustar doesn’t publish a list of the sources it uses to identify malicious domains. You do, however, get the option to dispute a miscategorized domain from the block page itself.
UltraDNS supports both IPv4 and IPv6 networks. However, there is no indication that the service supports the DNS64 mechanism, so you can’t use it for translating IPv4 addresses on IPv6-only networks.
Privacy and Security
In terms of security, the service includes DNS security extensions (DNSSEC) checks. However, unlike many of its peers, Neustar is still evaluating the use of DNS-over-HTTPS (DoH), which is why UltraDNS doesn’t offer this popular privacy protocol. Furthermore, the service doesn’t support the DNS-over-TLS (DoT) protocol either.
The service claims it uses this information to improve its service and to identify and mitigate malicious and fraudulent activity, but such a level of tracking wouldn’t sit well with privacy advocates. Furthermore, there are no details on how long this information is retained, so we can assume these logs are retained forever.
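A resolver's DNSSEC validation can be confirmed from the headers of its answers: a validating resolver sets the AD flag for a correctly signed name and returns SERVFAIL for a name whose signatures are deliberately broken. The sketch below is an added example, not code from Neustar or from this review; `ask` and `verdict` are hypothetical helper names, the resolver address and test names are supplied by the caller, and the sample headers are constructed rather than captured.

```python
import secrets
import socket
import struct

def build_query(name, txid):
    """A-record query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL holds DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_header(resp):
    """Return the fields of the 12-byte DNS header that matter for validation."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"txid": txid, "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F, "answers": an}

def ask(resolver_ip, name, timeout=3.0):
    """Send one query over UDP/53 and return the parsed header (needs network)."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        hdr = parse_header(s.recv(4096))
    if hdr["txid"] != txid:
        raise ValueError("transaction ID mismatch")
    return hdr

def verdict(good, broken):
    """good: header for a correctly signed name; broken: header for a name
    whose signatures are deliberately invalid."""
    if good["rcode"] == 0 and good["ad"] and broken["rcode"] == 2:
        return "validating"
    if broken["rcode"] == 0 and broken["answers"] > 0:
        return "not validating"
    return "inconclusive"

# Constructed sample headers: 0x81A0 = QR|RD|RA|AD, 0x8182 = QR|RD|RA + SERVFAIL,
# 0x8180 = QR|RD|RA + NOERROR.
GOOD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
BROKEN_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)
BROKEN_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
```

Against a live resolver, pass the results of two `ask` calls (one signed name, one deliberately broken name) to `verdict`.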
Use and Performance
As mentioned earlier, UltraDNS Public offers three levels of filtering. There’s the unfiltered service (220.127.116.11, 18.104.22.168), the threat protection filtering (22.214.171.124, 126.96.36.199), and the family secure filtering (188.8.131.52, 184.108.40.206), which also enforces the threat protection blocks.
As always, when switching DNS services, make sure you make the change on both the router and the individual devices in your network. This helps ensure you continue using your DNS service of choice even when connected to untrusted networks like in a cafe or library.
In terms of performance, as per DNSperf.com, in the month of August 2020, Neustar’s unfiltered DNS service came in at the sixth spot with a worldwide average query speed of 34.48ms. It fared slightly better in Europe with an average query speed of 20.66ms, which netted it the fifth spot. The service performed the best in North America with an average of 17.02ms, and South America was its worst with 105.12ms.
To gauge the real performance of the service, you should use the DNS Performance Test script, which queries many of the popular public DNS services from your location. It’s a simple bash script that you can run even from within Windows using the WSL compatibility layer. The results of this script will reflect the true performance of the service, since the queries are run from your computer over your Internet connection.
Many public DNS services, with the exception of some like Google Public DNS, support multiple filtering levels. For instance, there’s Quad9, which runs two (one with no filtering and another that filters malicious domains). Quad9 is run by a non-profit entity and outscores UltraDNS as it takes quite a few steps to protect the privacy of its users. It doesn’t log any data and allows users to use both DoH and DoT protocols in addition to DNSCrypt. However, the one area where Quad9 trails behind UltraDNS is performance, with the latter averaging a good 10ms faster than the former across Europe as per DNSperf.com.
Like SafeDNS, Neustar’s public DNS service also hasn’t kept up with the times. The service doesn’t encrypt DNS traffic and its policy of collecting and retaining user data doesn’t inspire much confidence. There are far better options that offer much better security and privacy and can also trump UltraDNS Public in terms of performance.