Understanding DNS Traffic

How do I identify a DNS attack?
 How can I reduce my query usage?
 Where is my traffic coming from?

If you manage your domain’s DNS, you’ve most likely asked one of these questions before. Many providers offer query visualization tools that allow you to monitor your query usage over a period of time. In the DNS Made Easy control panel you can view your recent usage on the left-hand side of your dashboard. This is a quick way to check for any obvious changes in traffic.

For most providers, the buck usually stops here. If you use DNS Made Easy, we offer you a much more detailed view through our new tool, Real-Time Statistics (RTS for short). In this post, we are going to use RTS to answer all three of the most commonly asked questions about DNS traffic.

rts gif

No set up is required, and RTS is free to use for all membership levels. You can filter your query data by:

  • Location
  • Record type
  • Domain
  • Time-frame

What a DNS Attack Looks Like

Our team mitigates DNS-based attacks regularly for our clients. The type of attack we see most often is called a Distributed Denial of Service attack, or DDoS for short. This kind of attack floods a domain with queries until the website’s DNS server(s) slow to a crawl or crash under the weight of the traffic.

november attack on DNS made easy

This screen shows a very large attack that DNS Made Easy mitigated for a client back in November. The attack reached its peak in under 30 minutes, targeting multiple regions. The attack (from all locations combined) peaked at over 400 million QPS (queries per second). To put this in perspective, DNS Made Easy manages roughly the same amount of QPS across all 900,000 domains.

Above is a screenshot from one of our clients who saw an unnatural spike in traffic, which was quickly absorbed by our network and regular traffic returned soon after.

Unfortunately, DDoS attacks are the most difficult to anticipate as they come on very suddenly, overwhelming servers in just a matter of minutes. If you see an unusual spike in traffic, continue to monitor incoming queries as this could be a sign of an impending attack.

How to Decrease Your Queries

There are a few quick ways to cut down your query usage by simply tweaking settings in your records. The best way is to increase the TTL (Time to Live) of your records. TTL’s determine how long resolving name servers will cache your DNS information. The longer the TTL, the more often a resolving name server will answer your queries, and the less often your DNS provider (authoritative server) will.

For a quick review of the difference between a resolving and an authoritative name server, check out this post.

Where Your Traffic is Coming From

We briefly discussed earlier that you can filter your traffic based on location, record type, time frame, and domain. The most commonly used filter is by location. This was the filter we used in the screens we showed you earlier. This is a great way to quickly view where in the world your traffic is coming from.

You can also combine filters to see what records are being used the most at each location.

If you filter by location, record, and select AAAA records, you can see how many of your queries are coming in over IPv6.

Your Turn

When you begin analyzing traffic for your own site, keep in mind that you may have to wait a few days (or more) for RTS to gather enough query data to be able to analyze anything. As you can see in the screen below of a domain that has only been live for a few hours, it’s not enough information to be able to deduce anything significant.

real time stats

Over time you will start to notice small fluctuations in traffic. These are normal and are usually dependent on the time of day, the day of the week, or location. In the screenshot below, you can see how some locations seem to have erratic traffic patterns, while others (Frankfurt) seem to be more regular.

rts frankfurt

Let’s say we wanted to take a closer look at the traffic in Frankfurt, where we are seeing the most queries per second. Click on the purple line in the chart or in the legend below it. You will not be able to see the queries from Frankfurt, exclusively. You can also change the filter to view record types or record names.

RTS roll up location

In this screen, we can see that Frankfurt is experiencing normal traffic patterns. We can deduce that the increase in traffic in Frankfurt is most likely not the result of an attack.

Show Us Your Charts!

Tweet us @DNSMadeEasy with your own query usage using RTS or any other traffic monitoring tool.

Originally published at DNS Made Easy News.