DNS (Domain Name System)
monitoring is an automated way of checking whether a domain name is being
correctly translated to a corresponding IP address. When a DNS server doesn't
respond or when the searched domain doesn’t return the right IP address, the DNS
monitoring spots the issue and alerts the right person on the development team.
In this article, you will learn the following:
What is DNS monitoring and how does it work.
How to look up DNS records of a specific domain.
What are the most used DNS servers and what records they store.
Why use DNS monitoring.
What are the benefits and drawbacks of using DNS monitoring.
How to set up basic DNS monitoring.
How does DNS monitoring work?
The DNS monitoring process works by sending automated requests to the desired
DNS server and checking the results for a specific domain name. The most
common use case is querying the DNS server for a domain name and checking the
IP address returned in the A Record or AAAA Record.
The desired response for those queries is the correct IP address corresponding
to the queried domain. For example, when checking google.com, we are looking
for a response that includes the IP 184.108.40.206.
When the correct IP is received, no further action is taken and the monitoring
continues. When a different one is returned, the monitor opens what is called a
DNS incident and starts alerting according to the on-call calendar.
How to look up DNS records of a specific domain?
To check a DNS server for specific domain records, you can use the
DNS checker tool. In the
results, look for the record type you are interested in (see the example below).
What are the most used DNS servers?
There are several providers of DNS servers; the most commonly used are:
DNS servers store much more than just domain to IP translations. The most commonly used DNS records are:
A record (Address record) - Specifies the IP (IPv4) of your domain, such as 220.127.116.11. It's important to monitor that the record matches the IP and vice versa. Non-matching data can signify an error or spoofing attack.
AAAA record (IPv6 address record) - Specifies the IPv6 of your domain, like 2606:4700:3108::ac42:285e. It should also be checked regularly to confirm that it matches the records.
CNAME record (Canonical name record) - Specifies the aliases on the given domain. Monitoring CNAME records ensures that users are directed to the correct site.
MX record (Mail exchange record) - Provides information about your mail server. Monitoring the MX record informs you when the mail communication gets interrupted.
NS record (Nameserver record) - Provides information about which nameserver should be used by the resolver for the domain. It can also include backup nameservers in case of a failure of the primary server.
SOA record (Start of authority) - Provides a serial number that is updated at every DNS record adjustment. With every change, 1 is added to the serial number. Monitoring the SOA record helps to monitor for any unwanted DNS changes.
TXT record (Text record) - Holds information about the domain’s ownership, such as contact person information, phone numbers, etc.
What is a DNS incident?
A DNS incident is a period of time during which a given DNS is unavailable or
returns incorrect records.
A DNS incident can also be a situation where the request sent by the monitor
doesn’t receive a response in a given time frame. The request timeout can be
anywhere from 5 seconds to 1 minute, depending on the priority of the monitor.
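The probe from "How does DNS monitoring work?" together with the timeout case from "What is a DNS incident?", as an added example that is not part of the original article or of any monitoring product's code. The function names, the rule that every returned address must be in the expected set, and the sample reply (example.com, 192.0.2.10) are assumptions made for illustration.

```python
import secrets
import socket
import struct

def build_query(name, qid, qtype=1):
    """Encode a one-question query (qtype 1 = A, 28 = AAAA) with RD set."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):
    """Return the offset just past a name; a compression pointer ends it."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_addresses(msg, qid):
    """Return (rcode, addresses) from a raw response to query `qid`."""
    rid, flags, qdcount, ancount = struct.unpack("!4H", msg[:8])
    if rid != qid or not flags & 0x8000:
        raise ValueError("transaction ID mismatch or not a response")
    off, addrs = 12, set()
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rdlen) in ((1, 4), (28, 16)):   # A or AAAA
            family = socket.AF_INET if rtype == 1 else socket.AF_INET6
            addrs.add(socket.inet_ntop(family, rdata))
    return flags & 0x000F, addrs

def evaluate(rcode, addrs, expected):
    """Assumed rule: NOERROR and every returned address is an expected one."""
    ok = rcode == 0 and bool(addrs) and addrs <= set(expected)
    return "ok" if ok else "incident: rcode=%d answers=%s" % (rcode, sorted(addrs))

def probe(server, name, expected, timeout=5.0):
    """Send one UDP query; no reply within `timeout` seconds is an incident."""
    qid = secrets.randbelow(65536)                 # unpredictable transaction ID
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qid), (server, 53))
            return evaluate(*parse_addresses(sock.recv(4096), qid), expected)
        except (socket.timeout, ValueError, struct.error, IndexError) as exc:
            return f"incident: {exc}"

# Constructed sample reply (not captured traffic): qid 0x1234, example.com A 192.0.2.10
SAMPLE = bytes.fromhex("123481800001000100000000076578616d706c6503636f6d0000010001c00c000100010000012c0004c000020a")
```

`evaluate(*parse_addresses(SAMPLE, 0x1234), {"192.0.2.10"})` returns `"ok"`; the same reply checked against a different expected address, or parsed with a different transaction ID, is reported as an incident or rejected.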
How to receive DNS incident alerts?
After an incident is spotted by the DNS monitor, it needs to be communicated to
the service admins. This process is called incident alerting or on-call
alerting. The latter name is used because, in case of an incident,
the person on the team who is currently on call (has scheduled duty) receives
the incident alert.
The most common types of getting alerted by a DNS monitor include automated
phone calls, SMS, Slack, and Microsoft Teams messages. Ways of alerting depend
on factors like the importance of the monitored service, time of the day, and
Process after receiving an alert? The DNS incident resolution process
After an alert is received, it should be acknowledged immediately. If the alert
is not acknowledged in a specified time frame (usually 3 minutes), the person
next in line on the on-call duty is alerted. This process could continue further
until the whole team is alerted. The best practice, however, is to have the
on-call schedule set up in a way that the first team member is always ready to
solve incoming incidents.
Once the incident is acknowledged, the escalation process is paused and the team
can fully focus on solving it. The speed with which an alert is acknowledged is
called Time to Acknowledge (TTA). Its average across different incidents, called
Mean Time to Acknowledge (MTTA), is a widely used incident management
The next steps in the incident resolution process are individual to different
teams and apps. For larger teams, they can include collaborations between a few
developers or even teams of developers, delegations of incidents to dedicated
team members, and more. There are some best practices that should be used by all
teams managing incidents. These include incident communication (both internal
and external) and incident post-mortems.
Why use DNS monitoring?
Monitoring of DNS increases your service reliability and security. It is very
efficient in the detection of some common hacker attacks. There are two
well-known attacks, which can be detected by DNS monitoring:
DDoS attack - DDoS (Distributed Denial of Service) is an attack where a
lot of computers across the world generate a large number of requests to a
specific internet service (in our case, requests to a specific DNS server).
The DNS is congested with fake requests and real users cannot use it. DNS
monitoring can detect DNS unavailability or an unacceptable response time.
DNS poisoning - An attack where hackers falsify DNS records related to
your domain. They can't directly change the DNS records of your domain, but
there are advanced attacks that cause the user's browser to receive a fake
(poisoned) response. You can monitor the content of the DNS response and check
whether it is correct.
What are the main benefits and drawbacks of DNS monitoring?
Automated with regular frequency: DNS monitoring can run every minute,
every hour, 24 hours a day, 7 days a week, the whole year. It’s a fully
automated script and once set it needs little to no maintenance, while still
providing the same valuable information.
Simple to set up and use: DNS monitoring can be set up in minutes while
providing the availability information right from the start.
Global testing: It allows for testing from different endpoints around the
world. This allows distinguishing regional errors from incidents affecting all
users and allows for optimization for a global audience.
Limited incident cause reporting: DNS monitoring lacks the information
that could explain why an issue happened, since it only monitors the final
output and not the actual workings of the DNS settings. To get a better idea
about the root cause, an application performance management (APM) or a
log management tool needs to be used.
Where does DNS monitoring fit in the synthetic monitoring setup?
DNS monitoring is one of the more advanced synthetic
monitoring options. It’s commonly used by
advanced users as a tool for monitoring potential hacker attacks.
When setting up a DNS monitoring tool, it might be useful
to also explore other advanced monitoring options like
API or TCP/UDP port monitoring.
How to start DNS monitoring in 2 minutes with Better Uptime?
Better Uptime is an infrastructure monitoring
tool that offers reliable DNS monitoring. Here is how to get notified whenever a
Cloudflare DNS server doesn’t return the IP 18.104.22.168 for a google.com query.