DNS Query Analytics

Originally featured in Forbes

If you want to see how your domain name system (DNS) records are being used or troubleshoot an influx of queries, what would you do? Most likely, you would contact your managed DNS provider and request backlogs of query data. Then what? You’re not going to sift through hundreds of lines of source IP addresses and timestamps. Depending on the domain, some will get hundreds or even thousands of queries a minute.

This is what DNS analytics have been for roughly 30 years — until now. Modern technology has turned these messy backlogs into valuable information about how your DNS infrastructure is used and what you can do to improve it.

How DNS Works

Let’s pause for a minute for a quick refresher on how the DNS works. The DNS is, in essence, the phone book of the internet because it maps a domain name, like example.com, to an IP address. Every time someone enters a domain into their browser, a DNS lookup is needed to find the associated IP address. That lookup is called a query, and queries are the building blocks of DNS analytics.

As we saw earlier, domains receive a lot of queries. Most domains will answer a couple million queries each month, and every one of those queries carries dozens of data points, such as the network used to reach the domain, where the query came from, etc. All of this data needs to be stored, aggregated, filtered and presented in a way that actually makes sense to someone. Otherwise, it’s like trying to find the lady in the red dress in the Matrix code.

The Big Data Revolution

Web service providers have finally begun to tackle DNS query logs by leveraging big data technologies like Cassandra and Scala. DNS analytics dashboards have even become an industry standard among managed DNS providers, mainly because clients want to know how their DNS resources are being used so they can reduce costs or improve performance.

DNS analytics can show you exactly which records (by type or name) are being queried the most. If you see a record being queried heavily by a single source IP address, it could indicate a misconfigured system. These dashboards can also be used to identify and even predict DNS-based attacks, like distributed denial of service (DDoS) attacks.

DNS analytics can be used for so much more than account usage audits. Each query packs valuable information about where it came from, what network is used, IP version and how long it took to get to the nameservers. This may not sound like much, but this is real user information you can actually use to improve routing accuracy and even reduce resolution times.

The Future Of DNS Analytics

Are you starting to see where this is going? This technology has opened the door for the next generation of managed DNS. We can take the information we’ve learned from our query analytics and use it to fine-tune our network configurations. You can segment portions of your traffic by location or internet service provider (ISP) and direct them to different IP addresses. You can use this same segmentation to deliver personalized experiences depending on user attributes.

This is all happening right now — so where are we headed in the future? Automation. Just like every other industry, we’re expecting to see query analytics being used to proactively update DNS configurations to adapt to influxes, attacks and even network outages.

Some providers are even talking about using historical query data to detect anomalies in traffic and make intelligent routing decisions to avoid resource exhaustion.

The next year will be a crucial opportunity for managed DNS providers to introduce new ways to leverage query analytics — or else get left in the dust.

First Steps

DNS analytics are simple to fold into your existing network management strategy. Make sure you are using a managed DNS provider (or two, if you are using secondary DNS) that offers query analytics. Make a habit of regularly checking query patterns to establish a baseline; you need to know what regular traffic looks like before you can detect anomalies later. If possible, download your query data for historical comparison. Lastly, conduct regular audits of your domains: look for spikes in record usage, unnatural query loads and unexpected traffic sources. This data could be invaluable to your business and could be used to detect the early warning signs of an attack or a costly network misconfiguration.
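To make the audit concrete, here is an added example (not code from the article or from any managed DNS provider) that does the three things the article recommends on a downloaded query log: rank the most-queried records, flag records where one source IP accounts for most of the queries (the misconfiguration pattern described above), and compare per-minute query volume against a baseline to flag spikes. The log format (ISO timestamp, client IP, record name, record type) and the sample lines are constructed for this example; the client addresses come from the RFC 5737 documentation ranges.

```python
"""Aggregate DNS query-log lines and flag anomalies.

Added example; the log format below is a hypothetical one, not a
provider's export format.  Each line: <timestamp> <client IP> <qname> <qtype>
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (hypothetical format, RFC 5737 documentation addresses).
# Three "normal" minutes with four queries each, one comment and one malformed line.
SAMPLE_LOG = """\
# constructed sample export
2024-03-01T10:00:05Z 203.0.113.10 www.example.com A
2024-03-01T10:00:12Z 203.0.113.11 www.example.com AAAA
2024-03-01T10:00:31Z 203.0.113.12 mail.example.com MX
2024-03-01T10:00:48Z 203.0.113.13 example.com NS
2024-03-01T10:01:03Z 203.0.113.14 www.example.com A
2024-03-01T10:01:20Z 203.0.113.15 www.example.com A
2024-03-01T10:01:37Z 203.0.113.16 mail.example.com MX
2024-03-01T10:01:55Z 203.0.113.17 example.com TXT
2024-03-01T10:02:09Z 203.0.113.18 www.example.com A
2024-03-01T10:02:22Z 203.0.113.19 api.example.com A
2024-03-01T10:02:40Z 203.0.113.20 mail.example.com MX
2024-03-01T10:02:51Z 203.0.113.21 www.example.com AAAA
2024-03-01T10:02:59Z 203.0.113.22 malformed
"""
# Simulated burst: one client repeatedly querying the same record (12 lines in minute 10:03).
SAMPLE_LOG += "\n".join(
    f"2024-03-01T10:03:{s:02d}Z 198.51.100.7 www.example.com A" for s in range(0, 60, 5)
)


def parse_log(text):
    """Parse log lines into dicts; skip comments and malformed lines instead of crashing."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, qname, qtype = parts
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "qname": qname.lower().rstrip("."),  # normalise case and trailing dot
            "qtype": qtype.upper(),
        })
    return rows


def top_records(rows, n=3):
    """Most-queried (name, type) pairs, highest count first."""
    return Counter((r["qname"], r["qtype"]) for r in rows).most_common(n)


def heavy_hitters(rows, share=0.5, min_queries=5):
    """Records where one source IP sends at least `share` of the queries.

    Returns (record, source, source_count, total) tuples; a single client
    dominating a record is the misconfiguration signal the article describes.
    """
    per_record = defaultdict(Counter)
    for r in rows:
        per_record[(r["qname"], r["qtype"])][r["src"]] += 1
    flagged = []
    for rec, sources in per_record.items():
        total = sum(sources.values())
        src, count = sources.most_common(1)[0]
        if total >= min_queries and count / total >= share:
            flagged.append((rec, src, count, total))
    return flagged


def per_minute_counts(rows):
    """Query volume bucketed by minute, in chronological order."""
    buckets = Counter(r["ts"].replace(second=0, microsecond=0) for r in rows)
    return dict(sorted(buckets.items()))


def spikes(rows, baseline_minutes, threshold=3.0):
    """Minutes after the baseline window whose volume exceeds mean + threshold * stdev.

    The stdev is floored at 1 so a perfectly flat baseline does not flag every
    later minute; the first `baseline_minutes` buckets form the baseline.
    """
    counts = per_minute_counts(rows)
    minutes = list(counts)
    base = [counts[m] for m in minutes[:baseline_minutes]]
    limit = mean(base) + threshold * max(pstdev(base), 1.0)
    return [(m.strftime("%H:%M"), counts[m]) for m in minutes[baseline_minutes:] if counts[m] > limit]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("parsed:", len(rows), "queries")
    print("top records:", top_records(rows))
    print("heavy hitters:", heavy_hitters(rows))
    print("spikes:", spikes(rows, baseline_minutes=3))
```

On the constructed log this reports 24 parsed queries (the malformed line is dropped), `www.example.com`/`A` as the top record, `198.51.100.7` as a heavy hitter on that record (12 of 16 queries), and minute 10:03 as a spike against the three-minute baseline. Against a real export, the baseline window should span days rather than minutes so daily cycles do not trip the threshold, and the `share` and `threshold` values should be tuned to the domain's normal traffic before alerts are acted on.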

Also published on Medium.