Introduction to DNS Insights
DNS Insights is the advanced DNS observability solution powered by IBM® NS1 Connect®.
DNS Insights is available if you have a paid plan with the DNS Insights add-on feature.
DNS Insights provides a powerful set of network observability tools designed to better understand DNS traffic and events within your NS1 Connect Managed DNS and Dedicated DNS networks. DNS Insights uses lightweight, actionable data feeds to provide a granular view of performance, trends, and anomalies. With this information, you can improve system performance and security while reducing operational costs. Data is delivered as a targeted data feed without the need to collect, store, and analyze terabytes of data.
DNS Insights leverages the unique perspective of your DNS data to:
- Detect potentially malicious activity, such as a DDoS attack or malicious probing, so you can take the proper precautions to protect your infrastructure
- Identify misconfigurations that might expose sensitive information, increase costs, or negatively impact performance. For example, TTLs may be too low for high-volume domain names, generating substantial traffic volumes. Or, as another example, employee laptops may be querying for internal host names over the internet, potentially exposing sensitive information, reducing performance, and increasing DNS costs.
- Analyze geographic traffic patterns to better architect your application delivery system and refine Filter Chain configurations
- Determine the source of unexpected query spikes
Solution overview
Every minute, a fleet of DNS Insights agents deployed on PoPs across your Managed DNS and Dedicated DNS networks (on or adjacent to each DNS server) analyzes and pushes data to your time-series database (TSDB). In NS1 Connect, you can use either Prometheus or OpenTelemetry (OTel) to transmit telemetry data to your TSDB.
Collected metrics include the total number of DNS queries, queries per second (QPS), and top-10 data such as GeoIP locations, top ASNs, and more. Refer to List of collected metrics for a complete list of metrics analyzed by the DNS Insights agents.
You can view this data using Grafana or your preferred visualization tool. NS1 Connect provides you with Grafana dashboard templates that are optimized for analyzing DNS Insights data. Alternatively, you can use your preferred visualization tools to create dashboards.
A data sink refers to a single integration between the DNS Insights agents and your TSDB. You can have multiple data sinks, each corresponding to a single TSDB. As part of the implementation, you create a data sink containing the credentials for your TSDB. This information is passed securely to IBM support staff who will complete the data sink configuration.
A policy is a set of rules determining which data is collected and processed by the DNS Insights agents. By default, all DNS Insights customers have access to the following predefined policies:
- MDNSi-{customerID}-All
  - Processes all DNS queries received at NS1 Connect's Managed DNS PoPs for all zones configured in your account.
- DDNSi-All
  - Processes all DNS queries received at each of your Dedicated DNS servers. This is only available to customers with Dedicated DNS.
Each customer can also request custom policies to be configured by the IBM support staff as specified in your contract. For example, you can request a policy to collect data related to the following:
- A specific query name
- A specific domain name suffix
- A list of query names or suffixes
- A specific response code (for example, NXD)
- Responses with an empty answer (that is, no-answer responses)
- Combinations of the above
When viewing data in the Grafana dashboard, you select a policy that filters the data shown based on the defined parameters and configuration settings.
DNS Insights requires the necessary credentials to perform remote_write operations on the target time series database instance. If you’re using Grafana Cloud, this would be a Grafana Cloud API key with the MetricsPublisher role. This role only provides permission to send log and metric data to Grafana Cloud.
HOW IBM WILL USE THIS CREDENTIAL
The system will use the access to send data from the DNS Insights service.
DISCLAIMER TEXT
Customers (i) must not provide any greater level of access than described for this feature and (ii) must ensure that no additional data is contained in the environments accessible using the provided credentials than what is required to enable this feature. Customers should review the terms of their agreements with third-party cloud providers that will transmit data to IBM or receive data from IBM using this feature to determine whether such third party will impose any fees for the use, transmission, storage, and/or export of such data. IBM disclaims any and all liability resulting from the provision of credentials to IBM, IBM’s storage of such credentials, and/or the use of such credentials by IBM, including, without limitation, any fees imposed on a Customer’s account with any third party resulting from use of this feature.
Each DNS Insights agent collects data from the NS1 Connect DNS servers, including DNS metrics (layer 5+) and network-related metrics (layers 3 and 4). The agents send the data to the TSDB every 60 seconds before clearing and restarting. You can view this minute-by-minute breakdown in the line charts, but note that other visualizations (such as lists, counts, and pie charts) display data according to the overall time range selected at the top (right) of the page. Refer to List of collected metrics for a list of metrics collected by the DNS Insights agents.
Each DNS Insights agent in your network sends a time series data stream to your TSDB. For Dedicated DNS networks, the combined rate at which all agents send data is estimated to be between 1,000 and 1,250 metric series per minute.* This rate is 10,000 to 13,000 metric series per minute for Managed DNS networks. If you are using Grafana Cloud, note that the Grafana Cloud platform uses active series to calculate metrics for billing purposes. To estimate the active series billing metric, add the total number of metric series per minute for all policies and multiply by three. For example, if you have one Dedicated DNS policy (at a rate of 1,250 metric series per minute) and one Managed DNS policy (at a rate of 13,000 metric series per minute), then the active series metric used by Grafana Cloud for billing purposes is estimated to be 42,750; that is, (1,250 + 13,000) × 3 = 42,750. Refer to Grafana documentation for details regarding their billing calculation process.
*The estimated data rate for Dedicated DNS networks (1,250 metric series per minute) is based on a five-PoP deployment (that is, five agents). If your Dedicated DNS network contains more than five PoPs, add 250 to the total rate for each additional agent. For example, if your Dedicated DNS network contains six PoPs, you would use an estimated rate of 1,500 in your calculations.
Next steps
If you already purchased DNS Insights, refer to Implementing DNS Insights to get started.