Ever notice those blips in your DNS usage? It's normal to have some variation, but if things suddenly skyrocket, it's time
to track down the cause. NS1 Connect's Data Sets can help!
For most customers, DNS query volume is consistent over time. It’s rare to see huge variations month over month,
unless you introduce a new product, or are part of a large event (e.g., streaming providers during the World Cup).
However, if you can’t associate the increase to an event like this, you are left wondering what happened.
The Data Sets feature of NS1 Connect can help.
The Power of Data Sets
The first thing you’ll want to do is identify the DNS records that received increased queries as compared to previous
billing periods. To do this, navigate to the Reports/Data Sets page in NS1 Connect and create a new report that shows
the number of queries for each record over the last 3 billing periods. The following image illustrates how to generate
this report.
After the report is completed, you can load the file into Excel (or your favorite spreadsheet) and, hopefully, identify the
cause of the increase traffic. The most common causes for an increase are a malicious attack or a change to your DNS
configuration. Let’s take each of these one by one.
Malicious Attack
An increase in Non-existent domain (NXD) responses is a common symptom of unexpected traffic caused by a DDoS
attack. Attackers send millions or billions of queries to random names under your main domain name. Lets take a look at
a sample report to illustrate this point:
In this report we can see that NXDOMAIN queries to Example.com and Example.net spiked in March. This most likely
signals some sort of attack or one-time event. NS1 offers DDoS spike protection insurance to avoid overage charges
from these types of events.
DNS Configuration Change
The Time to Live (TTL) parameter associated with each DNS record tells recursive DNS resolvers how long to cache DNS
responses. It’s common to decrease the TTL setting when planning to make network changes so that the old IP address
will be flushed from resolver caches more quickly and the new IP address will take effect. This has the side effect of
increasing DNS queries as Resolvers don’t hold the answer as long and thus must refresh their cache more often. After
the network change is complete, you would normally change the TTL to the original value, but sometimes this step is
missed.
The following report illustrates what you’ll see. In this case, the A record for www.example.com received over an order
of magnitude more queries in March than in February. As these are not NXD queries, it’s unlikely it was an attack,
although that’s still a possibly. Instead, if you see this pattern, I’d recommend that you check the TTL of records, like
www.example.com, that saw an increase in queries.
Conclusion
The Data Sets feature in NS1 Connect puts you in the driver's seat of your DNS traffic analysis. No more surprises, no
more scrambling to explain those usage spikes. With a few clicks, you can pinpoint the cause and take the necessary
actions – whether it's tweaking your configurations or bolstering your defenses. That's what having complete visibility is
all about.
#TechnicalBlog