IBM NS1 Connect

 View Only

Unexpected query usage? Use NS1 Connect datasets feature to find the root cause.

By Terry Bernstein posted Tue April 02, 2024 09:43 AM


Ever notice those blips in your DNS usage? It's normal to have some variation, but if things suddenly skyrocket, it's time
to track down the cause. NS1 Connect's Data Sets can help!

For most customers, DNS query volume is consistent over time. It’s rare to see huge variations month over month,
unless you introduce a new product, or are part of a large event (e.g., streaming providers during the World Cup).
However, if you can’t associate the increase to an event like this, you are left wondering what happened.

The Data Sets feature of NS1 Connect can help.

The Power of Data Sets

The first thing you’ll want to do is identify the DNS records that received increased queries as compared to previous
billing periods. To do this, navigate to the Reports/Data Sets page in NS1 Connect and create a new report that shows
the number of queries for each record over the last 3 billing periods. The following image illustrates how to generate
this report.

After the report is completed, you can load the file into Excel (or your favorite spreadsheet) and, hopefully, identify the
cause of the increase traffic. The most common causes for an increase are a malicious attack or a change to your DNS
configuration. Let’s take each of these one by one.

Malicious Attack

An increase in Non-existent domain (NXD) responses is a common symptom of unexpected traffic caused by a DDoS
attack. Attackers send millions or billions of queries to random names under your main domain name. Lets take a look at
a sample report to illustrate this point:

In this report we can see that NXDOMAIN queries to and spiked in March. This most likely
signals some sort of attack or one-time event. NS1 offers DDoS spike protection insurance to avoid overage charges
from these types of events.

DNS Configuration Change

The Time to Live (TTL) parameter associated with each DNS record tells recursive DNS resolvers how long to cache DNS
responses. It’s common to decrease the TTL setting when planning to make network changes so that the old IP address
will be flushed from resolver caches more quickly and the new IP address will take effect. This has the side effect of
increasing DNS queries as Resolvers don’t hold the answer as long and thus must refresh their cache more often. After
the network change is complete, you would normally change the TTL to the original value, but sometimes this step is

The following report illustrates what you’ll see. In this case, the A record for received over an order
of magnitude more queries in March than in February. As these are not NXD queries, it’s unlikely it was an attack,
although that’s still a possibly. Instead, if you see this pattern, I’d recommend that you check the TTL of records, like, that saw an increase in queries.


The Data Sets feature in NS1 Connect puts you in the driver's seat of your DNS traffic analysis. No more surprises, no
more scrambling to explain those usage spikes. With a few clicks, you can pinpoint the cause and take the necessary
actions – whether it's tweaking your configurations or bolstering your defenses. That's what having complete visibility is
all about.