Have you ever logged into the control panel and seen a big spike in your query usage?
You’re not alone. These spikes can have many causes, many of which are easily fixed by tweaking a few DNS record configurations.
But how do you go about finding the cause of the spike?
Your DNS provider will most likely give you a log of recent query traffic for your domain. However, the output is a raw text file that is difficult to decipher and usually covers a limited time frame.
That might be enough for some people, but we went the extra mile and created a free query analytics service for our users.
We believe that your query traffic data should be easy to understand and free to access.
Our DNS Analytics service makes it easy to pinpoint the causes of query spikes and abnormalities by turning your query logs into charts and interactive maps.
The app gives you the information you need about your domains and records so that you can go back to the control panel and make the necessary changes to reduce your query load.
How to Troubleshoot Query Spikes with Analytics
There are two ways to see where traffic surges are coming from.
You can use the Real-Time Logging feature in DNS Analytics to see minute long query logs from one location in our network. You can also filter the data by record type, source IP, location, or view your query traffic on an interactive map.
First, you need to login to the DNS Analytics service. Just use the same username and password you use to access the control panel.
You’ll see an overview of your query usage for the last week and a table of your domains. Click on the desired domain and you’ll see a similar page, but with weekly totals for that domain as well as a map that shows query totals by location. Each location is a point of presence (PoP) in our network.
Click the play button next to the desired location. In this case, we are seeing a lot of traffic from the Hong Kong PoP, so we would click that play button.
Now click the play button to start a minute long query log.
Switch to the “Top” view in order to filter the data.
We recommend that you filter the queries by record type. This will give you an idea of what records you may need to tweak, like increasing the TTL for records you don’t change as often.
The longer the TTL, the long resolving nameservers will cache that record, and the less often users will hit your authoritative nameservers (us).
Option two, you can use the Real-Time Stats (RTS) tool in the control panel. You can access RTS by going to Managed DNS and click on any domain, and then click the Real-Time Stats button at the top of the page.
You’ll first see a graph that shows your query traffic by location.
You need to switch from filtering by location to filter by Record Type and Record Name. Uncheck the Location box and check the boxes for Record Type and Record Name. This way you can see the query counts over time for each record.
If you switch to Tabular (table) view, you’ll see a list of your records with their query counts. This is also a great way to find unused records that you may want to clean up.
Good job, you made it this far. But what if you filter your query traffic for record name or type and see a lot of queries for NXDomain?
NXDomain is the response you get when you query for a hostname that doesn’t exist with a domain. It essentially drops the request and it will appear to the user that the domain does not exist.
This can happen if someone incorrectly enters a hostname for your domain, like wwww.example.com. You can’t waste time entering all the possible typos. Instead, just create a wildcard record.
Wildcard records act as a sort of “catch-all” for any hostnames that you haven’t configured for your domain.
We recommend that you set the TTL for all wildcards records to be pretty high since you will rarely ever change them. This one tweak could drastically cut down on your monthly queries.
The Quad-A Problem
What you may also see is a lot of requests for AAAA (Quad-A) records that are getting dropped because you don’t have AAAA records configured. AAAA records are used exclusively with IPv6 addresses (read more about them here).
IPv6 is a new kind of IP address that is a more complex than a traditional IPv4 address. Instead of just using numbers, an IPv6 address includes characters which allows for billions more possible addresses.
Ask your hosting provider if they offer IPv6 addresses. It’s easy to switch and will save you from future headaches when you are looking at your query traffic.
If you are reluctant to switch over to IPv6, you can just create a wildcard record and point it to your root (or wherever you want). However, in some
When you filter your queries by location, you may see traffic coming from regions or countries that you don’t want to access your domains. Unfortunately, DNS Made Easy doesn’t offer the functionality to block traffic by location… but our new product Constellix does!
If you are worried about getting query overages due to surges from unwanted regions, we recommend using IP Filters. These filters can be applied to your normal DNS records, but drop any traffic that matches the filter and return NXDomain.
Essentially, your domain doesn’t exist for any users that you specify. This is a quick and easy way to block potentially malicious sources or attackers.
Also published on Medium.