
How to Take a Proactive Approach to DNS Health

Because DNS is such an omnipresent part of modern networking, it’s easy to assume that functional DNS infrastructure can be left running with minimal adjustments and only needs to be investigated in the event of a malfunction. Yet there are small telltale signs that precede DNS issues—and knowing what they are can help to prevent disruption before it happens.

Networking teams now have access to technology that can provide granular analysis of DNS as needed, enabling a proactive approach to DNS health that detects and fixes problems before they cause downtime. Here are five tips for maximizing DNS performance, along with what to do if you find warning signs.

1. Establish What “Normal” Means for Your DNS Servers

There’s no specific amount of DNS traffic that indicates something needs to be addressed. Rather, you can find issues by determining your infrastructure’s specific baseline traffic and then finding anomalies.

Start with obtaining DNS statistics by season and by region, so you have enough context to know whether a trend is abnormal. Also, be sure not to overlook calls to API endpoints, image resources, and other potential destinations that are regularly active but that users are not directly calling. And take the time to establish the average resolver cardinality, or how many resolvers typically query your zones.

From there, you can assess potential threats. If there is a huge spike in DNS queries globally, the chances are high that it’s a DDoS attack. If the spike is more localized, it’s more likely to be an error originating from a specific server in that region. A sudden increase in cardinality is likely a sign of a botnet attack.
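The baseline-then-anomaly approach described in this section, as an added example (not code from the original post or from NS1). It assumes you already aggregate query counts per hour and per region and collect the set of distinct resolver addresses seen each hour; the baseline numbers and the hourly samples below are constructed, and the anomaly rule (z-score above 4 plus at least 1.5x the baseline mean) is an assumption, not a figure from the page.

```python
"""Classify one hour of authoritative DNS traffic against a per-region baseline.

Added example. All numbers are constructed; the thresholds are assumptions.
"""
from statistics import mean, pstdev

# Constructed baseline: queries per hour, by region, over seven "normal" samples.
BASELINE = {
    "us-east": [10_000, 10_400, 9_800, 10_200, 9_900, 10_100, 10_300],
    "eu-west": [5_000, 5_200, 4_900, 5_100, 5_050, 4_950, 5_150],
    "ap-south": [2_000, 2_100, 1_900, 2_050, 1_950, 2_000, 2_000],
}
# Constructed baseline of resolver cardinality: distinct resolver IPs seen per hour.
BASELINE_CARDINALITY = [820, 835, 810, 845, 830, 825, 810]

Z_THRESHOLD = 4.0   # assumption: how many standard deviations above the mean count as abnormal
MIN_RATIO = 1.5     # assumption: floor so a very flat baseline does not trip on tiny changes


def is_anomalous(value, samples):
    """True when value is far above the baseline both in z-score and in ratio terms."""
    mu, sigma = mean(samples), pstdev(samples)
    sigma = max(sigma, 1.0)  # guard against a zero-variance baseline
    return (value - mu) / sigma > Z_THRESHOLD and value > MIN_RATIO * mu


def classify_hour(counts, resolvers):
    """counts: region -> queries this hour; resolvers: set of distinct resolver IPs this hour.

    A spike in every region at once is treated as global (DDoS-shaped); a spike in
    some regions only is treated as regional; a jump in resolver cardinality is
    flagged separately, since the post associates it with botnet activity.
    """
    spiking = sorted(r for r, c in counts.items() if is_anomalous(c, BASELINE[r]))
    global_spike = len(spiking) == len(BASELINE)
    return {
        "global_spike": global_spike,
        "regional_spikes": [] if global_spike else spiking,
        "cardinality_jump": is_anomalous(len(resolvers), BASELINE_CARDINALITY),
    }


if __name__ == "__main__":
    # Constructed hour: one region six times its baseline, resolver count normal.
    hour = {"us-east": 10_200, "eu-west": 5_100, "ap-south": 12_000}
    seen = {f"10.1.{i // 256}.{i % 256}" for i in range(830)}  # constructed resolver set
    print(classify_hour(hour, seen))
```

The two-part rule matters in practice: a region with a very steady baseline would otherwise produce a large z-score on a small absolute change, and a region with a noisy baseline would hide a real spike behind a large standard deviation. Seasonal and regional baselines, as the post recommends, simply mean keeping a separate sample list per region and per period instead of one global list.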

2. Find Risks with NXDOMAIN

If you observe an NXDOMAIN response, it means that the DNS record being queried simply doesn’t exist. Typos when entering URLs are inevitable, so some number of NXDOMAIN responses are unavoidable. In fact, according to recent research, about 10% of DNS queries result in an NXDOMAIN response. For an individual company, it’s no concern if that value is 6% or lower. A greater percentage of NXDOMAIN responses should be investigated, especially above 10%.

When trying to identify the source of NXDOMAIN errors, the biggest factors to check are intensity, timing, and geography. If the number of errors is increasing slowly over time, this points to a long-standing issue that is increasing in frequency alongside the overall popularity of your site. On the other hand, a sudden spike in errors implies a new issue has just been created.

Cyclical spikes suggest a repeated and likely automated process. This could be the result of some kind of malicious automation, but it could also be the result of some kind of internal testing. If the queries are coming from a location where your company has employees, at a time when you know employees are active, it’s worth reaching out to make sure those employees are aware of the NXDOMAIN responses they’re generating.

3. SERVFAILs Speak to Alias Record Problems

SERVFAIL errors indicate that the DNS server isn’t able to provide an answer. In practice, this is often tied to alias records (also known as Apex Alias, CNAME Flattening, or ANAME records), which associate your domain with alternate domain names. Advanced DNS analytics tools will allow you to determine which domain names are returning higher error rates, pointing to the source of the SERVFAIL.

Once you find the source of an error, there are a few possible solutions. It may be the result of a simple typo, which is an easy fix. Alternatively, another vendor or business unit you worked with may have restructured its domain, so the target name the alias points at is no longer accurate.
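The NXDOMAIN analysis from section 2 (overall rate against the post's 6% and 10% marks, then intensity by hour and geography) and the SERVFAIL breakdown by queried name from section 3, as one added example that is not code from the original post or from NS1. The log format (one response per line: timestamp, then client, region, qname, qtype and rcode as key=value fields) is an assumption, and the log lines themselves are constructed.

```python
"""Turn a response log into the NXDOMAIN and SERVFAIL views the post describes.

Added example. The log format is assumed and every line below is constructed.
"""
from collections import Counter
from datetime import datetime

NXDOMAIN_OK_MAX = 6.0            # from the post: 6% or lower is no concern
NXDOMAIN_HIGH_PRIORITY = 10.0    # from the post: above 10% should certainly be investigated

# Constructed sample: 16 responses across three regions, with two NXDOMAINs
# (typo-looking names) and two SERVFAILs on one alias-style name.
SAMPLE_LOG = """\
2024-05-01T02:00:01Z client=198.51.100.7 region=us-east qname=www.example.com qtype=A rcode=NOERROR
2024-05-01T02:00:02Z client=198.51.100.7 region=us-east qname=tset.example.com qtype=A rcode=NXDOMAIN
2024-05-01T02:00:03Z client=198.51.100.7 region=us-east qname=api.example.com qtype=A rcode=NOERROR
2024-05-01T02:00:04Z client=198.51.100.7 region=us-east qname=www.example.com qtype=A rcode=NOERROR
2024-05-01T09:14:10Z client=203.0.113.5 region=eu-west qname=www.example.com qtype=A rcode=NOERROR
2024-05-01T09:14:11Z client=203.0.113.5 region=eu-west qname=api.example.com qtype=A rcode=NOERROR
2024-05-01T09:15:40Z client=203.0.113.9 region=eu-west qname=shop.example.com qtype=A rcode=SERVFAIL
2024-05-01T09:15:41Z client=203.0.113.9 region=eu-west qname=shop.example.com qtype=A rcode=SERVFAIL
2024-05-01T09:16:00Z client=203.0.113.9 region=eu-west qname=img.example.com qtype=A rcode=NOERROR
2024-05-01T09:16:05Z client=203.0.113.5 region=eu-west qname=www.example.com qtype=A rcode=NOERROR
2024-05-01T10:02:00Z client=192.0.2.44 region=ap-south qname=www.example.com qtype=A rcode=NOERROR
2024-05-01T10:02:01Z client=192.0.2.44 region=ap-south qname=img.example.com qtype=A rcode=NOERROR
2024-05-01T10:02:02Z client=192.0.2.44 region=ap-south qname=wwww.example.com qtype=A rcode=NXDOMAIN
2024-05-01T10:02:03Z client=192.0.2.44 region=ap-south qname=api.example.com qtype=A rcode=NOERROR
2024-05-01T10:03:00Z client=192.0.2.44 region=ap-south qname=www.example.com qtype=A rcode=NOERROR
2024-05-01T10:03:01Z client=192.0.2.44 region=ap-south qname=www.example.com qtype=A rcode=NOERROR
"""


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def rcode_rate(records, rcode):
    """Percentage of responses carrying the given rcode."""
    if not records:
        return 0.0
    return 100.0 * sum(r["rcode"] == rcode for r in records) / len(records)


def assess_nxdomain(rate_pct):
    """Map an NXDOMAIN percentage onto the post's guidance."""
    if rate_pct <= NXDOMAIN_OK_MAX:
        return "ok"
    if rate_pct > NXDOMAIN_HIGH_PRIORITY:
        return "investigate-high"
    return "investigate"


def breakdown(records, rcode, key):
    """Count responses with the given rcode by a log field, or by hour of day when key == 'hour'.

    'hour' shows timing (a fixed hour every day suggests automation), 'region'
    shows geography, and 'qname' on SERVFAIL points at the failing alias target.
    """
    counts = Counter()
    for r in records:
        if r["rcode"] == rcode:
            counts[r["ts"].hour if key == "hour" else r[key]] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    rate = rcode_rate(recs, "NXDOMAIN")
    print(f"NXDOMAIN rate {rate:.1f}% -> {assess_nxdomain(rate)}")
    print("NXDOMAIN by hour:", dict(breakdown(recs, "NXDOMAIN", "hour")))
    print("NXDOMAIN by region:", dict(breakdown(recs, "NXDOMAIN", "region")))
    print("SERVFAIL by qname:", dict(breakdown(recs, "SERVFAIL", "qname")))
```

On the constructed sample the NXDOMAIN rate is 12.5%, which lands in the post's "investigate" band; the hour and region views then show whether the misses cluster (the cyclical, office-hours pattern the post attributes to internal testing) or are spread out, and the SERVFAIL-by-qname view isolates the one name whose alias target should be checked for a typo or a changed upstream domain.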

4. NOERROR NODATA Necessitates IPv6 Support

In order to address the possibility of running out of IP addresses, the Internet Engineering Task Force (IETF) introduced IPv6 in 2012, which boasted an address format four times longer than those associated with the older IPv4 protocol. A decade on, many companies still exclusively focus on the older IPv4, balking at the logistical complexity of supporting IPv6. Yet failing to update is now causing its own set of problems.

If your DNS systems are returning NOERROR NODATA results (that is, a NOERROR response whose answer count is 0), it indicates that your system was able to find the DNS name, but no record of the requested type. This is likely the result of the query looking for an IPv6 address when you only had an IPv4 address on hand. In order to resolve these issues, you’ll need to assign an IPv6 address to your site and create an AAAA record (in addition to the A record already used for IPv4).
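The condition and the fix described above in zone-file form, as an added example that is not from the original post or from NS1. The name and addresses are placeholders from the documentation ranges (example.com, 192.0.2.0/24, 2001:db8::/32), not values from the page.

```zone
; Before: the name carries only IPv4 data. An AAAA query for it gets
; NOERROR with an empty answer section (NODATA): the name exists, but
; there is no record of the requested type.
www.example.com.   3600  IN  A     192.0.2.10

; After: publish an AAAA record next to the A record so AAAA queries
; receive an answer instead of NODATA. Both addresses are placeholders.
www.example.com.   3600  IN  A     192.0.2.10
www.example.com.   3600  IN  AAAA  2001:db8::10
```

When checking a name for this condition, compare the answer count of an AAAA query against that of an A query for the same name: an A answer with a NOERROR, zero-answer AAAA response is exactly the pattern the section describes, and it persists until the AAAA record is published and the TTL of any cached negative answer has expired.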

5. Look for New Opportunities for Growth

Of course, many errors are a result of misconfigurations or potential attacks, but a few can point the way for future growth. For example, if there are domains commonly associated with NXDOMAIN errors, you may consider whether these are domains you would actually want to use. If you own restaurants.com and see a large number of errors where people are requesting records from burgers.restaurants.com, this may indicate where to expand your online presence.

Knowing what to extract from DNS data and how to take action completely changes the game for networking teams. Continually maintaining and monitoring DNS activity should become a way of life, rather than an emergency response. Capitalizing on DNS data reduces errors, improves efficiency, and provides the insight needed to better satisfy users’ needs.

By Terry Bernstein, Senior Director of Product Management at NS1, an IBM Company
