Because DNS is such an omnipresent part of modern networking, it’s easy to assume that functional DNS infrastructure can be left running with minimal adjustments and only needs to be investigated in the event of a malfunction. Yet there are small telltale signs that precede DNS issues—and knowing what they are can help to prevent disruption before it happens.
Networking teams now have access to technology that can provide granular analysis of DNS as needed, enabling a proactive approach to DNS health that detects and fixes problems before they cause downtime. Here are five tips for maximizing DNS performance and what to do in the event that you do find warning signs.
There’s no specific amount of DNS traffic that indicates something needs to be addressed. Rather, you can find issues by determining your infrastructure’s specific baseline traffic and then finding anomalies.
Start with obtaining DNS statistics by season and by region, so you have enough context to know whether a trend is abnormal. Also, be sure not to overlook calls to API endpoints, image resources, and other potential destinations that are regularly active but that users are not directly calling. And take the time to establish the average resolver cardinality, or how many resolvers typically query your zones.
From there, you can assess potential threats. If there is a huge spike in DNS queries globally, the chances are high that it’s a DDoS attack. If the spike is more localized, it’s more likely to be an error originating from a specific server in that region. A sudden increase in cardinality is likely a sign of a botnet attack.
If you observe an NXDOMAIN response, it means that the DNS record being queried simply doesn’t exist. Typos when entering URLs are inevitable, so some number of NXDOMAIN responses are unavoidable. In fact, according to recent research, about 10% of DNS queries result in an NXDOMAIN response. For an individual company, it’s no concern if that value is 6% or lower. A greater percentage of NXDOMAIN responses should be investigated, especially above 10%.
When trying to identify the source of NXDOMAIN errors, the biggest factors to check are intensity, timing, and geography. If the number of errors is increasing slowly over time, this points to a long-standing issue that is increasing in frequency alongside the overall popularity of your site. On the other hand, a sudden spike in errors implies a new issue has just been created.
Cyclical spikes suggest a repeated and likely automated process. This could be the result of some kind of malicious automation, but it could also be the result of some kind of internal testing. If the queries are coming from a location where your company has employees, at a time when you know employees are active, it’s worth reaching out to make sure those employees are aware of the NXDOMAIN responses they’re generating.
SERVFAIL errors indicate that the DNS server isn’t able to provide an answer. In practice, this is often tied to alias records at the zone apex (variously called Apex Alias, CNAME Flattening, or ANAME records), which map your domain to another domain name that must itself resolve. Advanced DNS analytics tools will allow you to determine which domain names are returning higher error rates, pointing to the source of the SERVFAIL.
Once you find the source of an error, there are a few possible solutions. It may be the result of a simple typo, which is an easy fix. Alternatively, another vendor or business unit you worked with may have changed its structure, so the domain name is no longer accurate.
In order to address the possibility of running out of IP addresses, the Internet Engineering Task Force (IETF) introduced IPv6 in 2012, which boasted an address format four times longer than those associated with the older IPv4 protocol. A decade on, many companies still exclusively focus on the older IPv4, balking at the logistical complexity of supporting IPv6. Yet failing to update is now causing its own set of problems.
If your DNS systems are returning NOERROR NODATA results (which is to say, the response code is NOERROR but the answer count is 0), it indicates that your system was able to find the name, but not a record of the type requested. This is likely the result of the query looking for an IPv6 address when you only had an IPv4 address on hand. In order to resolve these issues, you’ll need to assign an IPv6 address to your site and create an AAAA record (in addition to the A record already used for IPv4).
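The indicators discussed above (NXDOMAIN share against the 6% and 10% marks, resolver cardinality, SERVFAIL rates per queried name, and NOERROR/NODATA on AAAA queries) can be computed from a plain query log. The following is an added example, not code from the article: the log format, the sample lines, and the "doubling over baseline" spike rule are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample query log (not from the article); one query per line:
# <resolver_ip> <qname> <qtype> <rcode> <answer_record_count>
SAMPLE_LOG = """\
198.51.100.7 www.example.com A NOERROR 1
198.51.100.7 www.example.com AAAA NOERROR 0
203.0.113.5 api.example.com A NOERROR 1
203.0.113.5 api.example.com AAAA NOERROR 0
192.0.2.9 burgers.example.com A NXDOMAIN 0
192.0.2.9 burgers.example.com A NXDOMAIN 0
198.51.100.7 cdn.example.com A SERVFAIL 0
192.0.2.44 www.example.com A NOERROR 1
192.0.2.44 shop.example.com A NOERROR 1
203.0.113.5 wwww.example.com A NXDOMAIN 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, qname, qtype, rcode, ancount = m.groups()
            records.append({"ip": ip, "qname": qname, "qtype": qtype,
                            "rcode": rcode, "ancount": int(ancount)})
    return records

def dns_health(records, baseline_cardinality, warn_pct=6.0, alert_pct=10.0):
    """Indicators from the article: NXDOMAIN share, resolver cardinality,
    SERVFAIL per name, and NOERROR/NODATA on AAAA queries (missing IPv6)."""
    total = len(records)
    nx = [r["qname"] for r in records if r["rcode"] == "NXDOMAIN"]
    nx_pct = 100.0 * len(nx) / total if total else 0.0
    nx_status = "investigate" if nx_pct > alert_pct else "watch" if nx_pct > warn_pct else "ok"
    cardinality = len({r["ip"] for r in records})
    return {
        "nxdomain_pct": round(nx_pct, 1),
        "nxdomain_status": nx_status,
        "nxdomain_names": Counter(nx),          # candidates for typos or expansion
        "resolver_cardinality": cardinality,
        # Assumed threshold: doubling over baseline is treated as a spike (botnet sign).
        "cardinality_spike": cardinality > 2 * baseline_cardinality,
        "servfail_by_name": Counter(r["qname"] for r in records if r["rcode"] == "SERVFAIL"),
        "nodata_aaaa_names": Counter(r["qname"] for r in records
                                     if r["qtype"] == "AAAA" and r["rcode"] == "NOERROR" and r["ancount"] == 0),
    }
```

Run `dns_health(parse_log(SAMPLE_LOG), baseline_cardinality=1)` to see the sample flagged for NXDOMAIN share, a cardinality spike, one SERVFAIL name, and two names lacking AAAA records.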
Of course, many errors are a result of misconfigurations or potential attacks, but a few can point the way for future growth. For example, if there are domains commonly associated with NXDOMAIN errors, you may consider whether these are domains you would actually want to use. If you own restaurants.com and see a large number of errors where people are requesting records from burgers.restaurants.com, this may point you toward an indication of where to expand your online presence.
Knowing what to extract from DNS data and how to take action completely changes the game for networking teams. Continually maintaining and monitoring DNS activity should become a way of life, rather than an emergency response. Capitalizing on DNS data reduces errors, improves efficiency, and provides the insight needed to better satisfy users’ needs.