Using the DNS Insights dashboard
Use the DNS Insights dashboard to monitor DNS traffic activity across your Managed DNS and Dedicated DNS networks. You can analyze DNS query trends, investigate DNS response behavior, identify unusual traffic patterns, and review traffic activity across domains, resolvers, geolocations, and NS1 Connect points of presence (PoPs).
The dashboard displays DNS traffic metrics as charts and tables. You can expand charts, switch between chart and table views, download chart data, and apply filters such as data sets, time, and PoPs to investigate DNS traffic activity. The dashboard is organized into overview, requester details, and threat analysis to help you monitor and investigate different types of DNS traffic activity.
Using the dashboard filters
- Data sets: Choose between the default NS1 Connect data sets to investigate unusual DNS traffic activity, monitor DNS traffic patterns, or analyze more granular DNS traffic metrics. For additional custom data sets for advanced troubleshooting or monitoring use cases, contact IBM support.
- Time: Set a custom date and time range or choose from the predefined options to analyze DNS traffic trends during specific query reporting periods.
  Note: The DNS Insights dashboard does not refresh automatically in real time. If the selected time range is one hour or less, refresh the page to view the latest aggregated DNS traffic data.
- Points of presence (PoPs): Select one or more PoPs to investigate DNS traffic activity routed through NS1 Connect points of presence. Each PoP is identified by an International Air Transport Association (IATA) code. For example, dal04 represents a PoP in Dallas.
Understanding the DNS Insights dashboard
Overview
Use the overview section to monitor the overall health and DNS traffic activity across your network. You can use the overview section to validate DNS response behavior, monitor DNS query trends, ensure that your domains and DNS configurations are functioning correctly, and identify unusual DNS traffic activity.
For example, you are monitoring DNS traffic activity across your network to ensure that your domains are reachable, DNS queries are receiving expected responses, and there are no unusual spikes in DNS query activity. You can use the following charts to monitor DNS traffic activity across your network:
- DNS queries to monitor DNS query volume trends across the selected reporting period.
- Response/error codes to review DNS response behavior and identify unusual NXDOMAIN, SERVFAIL, REFUSED, or NOERROR responses.
- Requested query types to analyze DNS traffic activity across query record types.
- Top domains - 2 levels and Top domains - 3 levels to monitor the most active queried domains across your network.
- DNS details to review DNS query activity across your network.
- DNS response code details to analyze the top queried domains associated with DNS response codes such as NXDOMAIN, NOERROR and NODATA, REFUSED, and SERVFAIL.
While monitoring DNS traffic activity, if you notice an unusual spike in DNS queries for one of your domains, such as example.com, you can use the same charts and tables to understand it. You can adjust filters such as time, data sets, and PoPs for a more granular view of the traffic activity, query types, and DNS response codes, or select specific queried domains in the charts to further narrow the unusual traffic activity. You can then continue the investigation in the requester details section and, if necessary, the threat analysis section.
Requester details
Use the requester details section to investigate where DNS traffic originates from across your network. You can identify where DNS traffic originates from, analyze requester distribution patterns, investigate DNS traffic distribution across NS1 Connect PoPs, and further narrow unusual DNS traffic activity identified in the overview section.
For example, while you are investigating an unusual spike in DNS queries for example.com from the overview section, you want to identify where the traffic is originating from and whether the traffic activity is expected. You can use the following charts and tables to narrow down DNS traffic activity by requester:
- Analyze DNS traffic distribution across ASNs, geolocations, and NS1 Connect PoPs.
- Investigate DNS traffic activity from specific IPv4 and IPv6 subnets.
- Identify the top requesters generating DNS queries across the selected time.
- Analyze EDNS Client Subnet (ECS) traffic activity by ASN, geolocation, and subnet. ECS provides additional client location and subnet information in DNS queries to help analyze where DNS traffic originates. For more information, see EDNS Client Subnet (ECS) extension.
- Narrow DNS traffic activity to specific networks or geographic locations for troubleshooting or threat investigation.
By analyzing these charts and tables, you can determine whether the spike is caused by expected traffic growth, internal DNS misconfigurations, or potentially suspicious activity. For example, a spike in DNS queries might originate from one of your office locations or resolvers because of a misconfigured device or another internal network device. Identifying and correcting these issues can help ensure that your domains remain reachable and DNS traffic is routed as expected. If the traffic appears suspicious, you can continue investigating it in the threat analysis section.
Threat analysis
Use the threat analysis section to analyze DNS query distribution across queried domains (QNames), resolvers, and PoPs to help detect potentially malicious DNS traffic activity, such as distributed denial-of-service (DDoS) attacks, DNS flooding, probing activity, or unusually distributed query behavior.
To help interpret the threat analysis metrics, note that unique refers to the number of different or distinct values observed during the selected time. For example, 10,000 queries for the same domain count as one unique QName, while 10,000 queries for different domains count as 10,000 unique QNames. Similarly, repeated queries from the same resolver count as one unique resolver, while queries from many different resolvers increase the unique resolver count.
- Analyze the unique QName average status bar, which shows the average number of different queried domains during the selected time. The status color helps you identify whether the number of unique queried domains is within a normal range or unusually high.
- Analyze the unique resolver average status bar, which shows the average number of different resolvers during the selected time. A higher-than-usual number of unique resolvers can indicate DNS traffic originating from a broader range of resolver sources than expected.
- Use the unique QNames by PoP chart to identify which NS1 Connect PoPs receive queries for the highest number of different queried domains. You can filter the chart by one or more PoPs to compare DNS query distribution across locations.
- Use the unique resolvers by PoP chart to identify which NS1 Connect PoPs receive DNS traffic from the highest number of different resolver sources. You can filter the chart by one or more PoPs to compare resolver distribution across locations.
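The following is an added example, not NS1 Connect code or part of this documentation, that computes the metrics described in the overview (response codes grouped by 2-level or 3-level domain) and in this section (unique QNames and unique resolvers per PoP, where repeated queries for one name or from one resolver count once). The query records, PoP codes, resolver addresses and the 0.8 unique-QName ratio used to flag a PoP are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample query records (pop, resolver_ip, qname, rcode); not real NS1 data.
SAMPLE_QUERIES = [
    ("dal04", "198.51.100.7", "www.example.com", "NOERROR"),
    ("dal04", "198.51.100.7", "www.example.com", "NOERROR"),
    ("dal04", "198.51.100.9", "mail.example.com", "NOERROR"),
    ("dal04", "198.51.100.9", "old.example.com", "NXDOMAIN"),
    ("ams01", "203.0.113.5", "a1b2.example.com", "NXDOMAIN"),
    ("ams01", "203.0.113.6", "c3d4.example.com", "NXDOMAIN"),
    ("ams01", "203.0.113.7", "e5f6.example.com", "NXDOMAIN"),
    ("ams01", "203.0.113.8", "g7h8.example.com", "NXDOMAIN"),
]

def domain_levels(qname, levels):
    """Last `levels` labels of a QName: 2 -> 'example.com', 3 -> 'www.example.com'."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])

def rcode_by_domain(records, levels=2):
    """Overview-style breakdown: response code counts per domain at the given level."""
    table = defaultdict(Counter)
    for _pop, _resolver, qname, rcode in records:
        table[domain_levels(qname, levels)][rcode] += 1
    return {domain: dict(codes) for domain, codes in table.items()}

def unique_counts_by_pop(records):
    """Per PoP: (total queries, unique QNames, unique resolvers). Repeated queries for one
    name or from one resolver count once, matching the dashboard's definition of 'unique'."""
    per_pop = defaultdict(lambda: {"queries": 0, "qnames": set(), "resolvers": set()})
    for pop, resolver, qname, _rcode in records:
        entry = per_pop[pop]
        entry["queries"] += 1
        entry["qnames"].add(qname.lower())
        entry["resolvers"].add(resolver)
    return {pop: (e["queries"], len(e["qnames"]), len(e["resolvers"])) for pop, e in per_pop.items()}

def flag_pops(records, max_unique_ratio=0.8):
    """PoPs where unique QNames / queries exceeds the assumed ratio: almost every query asks
    for a different name, the 'unusually distributed' pattern the status bars surface."""
    flagged = []
    for pop, (queries, uniq_qnames, _uniq_resolvers) in unique_counts_by_pop(records).items():
        if queries and uniq_qnames / queries > max_unique_ratio:
            flagged.append(pop)
    return sorted(flagged)

if __name__ == "__main__":
    print(rcode_by_domain(SAMPLE_QUERIES))
    print(unique_counts_by_pop(SAMPLE_QUERIES))
    print(flag_pops(SAMPLE_QUERIES))
```

In the constructed data, dal04 sees 4 queries for 3 names from 2 resolvers, while ams01 sees 4 queries for 4 different names from 4 resolvers, so only ams01 crosses the ratio; on the dashboard that is the situation in which the unique QName and unique resolver status bars would move toward the high end.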
By analyzing these charts, you can better understand DNS traffic distribution and identify unusual traffic patterns that might require further investigation. These insights can help you proactively monitor DNS traffic activity and protect your infrastructure against potential attacks.