When It Comes to DNS, Trust but Verify

If you’re reading this article, you can thank a DNS provider. While most end users couldn’t tell you what DNS stands for, the Domain Name System is one of the core functions that keeps the internet running. DNS is so fundamental to everything that happens online, yet people rarely think about it, even people who provide digital products and services. That is, until something goes wrong, and at that point you realize just how essential fast and reliable DNS is to your business.

Just ask the companies who saw their websites and applications go down across much of North America and Europe in 2016. Dyn, one of the world’s leading DNS providers, got hit with a massive distributed denial-of-service (DDoS) attack, and some of the biggest web properties—including Amazon, Twitter, Spotify and Airbnb—were suddenly inaccessible to millions of users.

The fact that we rarely have to think about DNS providers suggests they’re doing a pretty good job. But that doesn’t mean you should just assume that’s the case. DNS is far too important to be complacent; if digital services matter to your users and your business, take a “trust but verify” approach with your providers.

Why DNS Matters

DNS is the internet’s address system: the foundational technology that translates the hostnames in the URLs typed into a browser into IP addresses so that users can get to the site they’re looking for. The concept is straightforward, but the mechanics get quite complicated and a lot can go wrong. When it does, users can find your site and services lagging or altogether unreachable. In the worst cases (e.g. your name server records are hijacked at the registrar or provider, or a resolver’s cache is poisoned), users could even be redirected to a malicious site.

Given the complexity of DNS resolution, most companies use third-party managed services rather than try to handle it themselves. In fact, many companies now use multiple providers for redundancy, an important failsafe to keep sites running should the primary provider have an outage (note that this only works if both providers are listed as name servers at the registrar and the zone data is kept in sync between them). Even then, you still need to account for risks. Most DNS providers, for example, use anycast, with points of presence (PoPs) deployed around the world. This lets them answer queries very quickly for users, usually within milliseconds, regardless of where those users are located. However, it also means you’re at risk of a micro-outage (i.e. an outage isolated to a specific geographic region or ISP) should the PoP serving that region go down or misroute.

Keeping Tabs on DNS Performance

Given the importance of maintaining fast and reliable DNS resolution, companies work with their DNS providers under service level agreements (SLAs) that guarantee baseline latency and availability. How do you know your provider is actually living up to that SLA? More importantly, how will you know if your DNS service is experiencing an outage or other issue?

You don’t want to just take your provider’s word that everything is going great—or worse, wait for your users to tell you there’s a problem. Instead, DNS monitoring should be part of your overall web and digital experience monitoring (DEM) strategy.

To get the visibility you need in DNS performance, bear in mind the following four principles:

    1. Make sure you’re getting the full picture. Since most DNS providers have global footprints, you’ll also want to monitor globally: that’s the only way to know whether a micro-outage is affecting users in a given location. Make sure you’re monitoring across multiple vantage points: broadband ISP, backbone, last mile, wireless and cloud.
    2. Don’t rely exclusively on user monitoring. Real user monitoring (RUM) is an important part of the overall monitoring strategy, but when it comes to DNS, it’s not enough. RUM won’t tell you, for example, why users in a specific location can’t reach your site, because it relies on the users actually reaching the site to collect data. Synthetic monitoring can, because it issues queries from agents that simulate real user journeys. By running synthetic checks from all the key geographies where your users reside, you can quickly identify problems anywhere along the DNS resolution chain. Synthetic monitoring also lets you inspect the resource records the name servers actually return (including whether every server answers authoritatively and with the same data), so if there is an issue you can quickly and conclusively diagnose the cause.
    3. Don’t use the same cloud provider for both DNS and monitoring. These days, you can run pretty much any application through one of the big public cloud providers. That convenience can work against you when it comes to DNS monitoring. Think about it: if you’re using a cloud-based DNS service such as Amazon Route 53 and the service you’re using to monitor DNS also runs out of Amazon’s cloud, what is that service actually monitoring? Most likely, it’s querying DNS servers in the same region over the provider’s own network, where latency and reliability will look as close to perfect as you can get. But your users don’t live in that region. Make sure your synthetic monitoring crosses internet links and geographic distances, just as a user’s query would. At the very least, make sure your monitoring runs out of a cloud different from your DNS service.
    4. Don’t rely on monitoring HTTP URLs. You can infer some DNS performance metrics by monitoring HTTP URLs, but you really shouldn’t. Yes, you’ll see “end-to-end” DNS performance, but those numbers fold in the requesting machine’s own stub resolver and cache and whichever third-party recursive resolver sits between the user and your provider’s authoritative name servers. Those hops obscure what you can learn about your DNS provider’s infrastructure and service, which is what you actually care about. Query the authoritative name servers directly, with recursion disabled, so the measurement reflects only your provider.
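As an added example (this is not the article’s or Catchpoint’s code), the script below shows what principles 2 and 4 look like in practice: it builds a non-recursive (RD=0) A query, sends it straight to an authoritative server, times the reply, parses the returned records and flags any server whose answer set disagrees with the others or that did not answer authoritatively. The server names ns1–ns4 and the 192.0.2.x addresses are constructed placeholders (TEST-NET-1), and the two sample packets are hand-built so the parser can be exercised offline.

```python
"""Direct authoritative DNS check (added example; not the article's code).

Sends non-recursive (RD=0) A queries straight to each authoritative name
server, times the answers, parses the returned records and flags servers
whose answer set disagrees with the majority or that failed.  Wire-format
handling is done by hand so only the standard library is needed;
SAMPLE_RESPONSE and STALE_RESPONSE are constructed packets for offline use.
"""
import random
import socket
import struct
import time

A_RECORD = 1


def build_query(name, qtype=A_RECORD, txn_id=0x1234, recursion_desired=False):
    """Build a DNS query packet. RD=0 makes an authoritative server answer
    from its own zone data instead of a recursive resolver's cache."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Return id, AA flag, RCODE and the answers as (name, type, ttl, value)."""
    txn_id, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == A_RECORD and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype in (2, 5):  # NS / CNAME carry a (compressible) name
            value, _ = _read_name(msg, off)
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txn_id, "aa": bool(flags & 0x0400), "rcode": flags & 0xF,
            "answers": answers}


def query_authoritative(server_ip, name, timeout=2.0):
    """One UDP query with RD=0. Returns (latency_ms, parsed); parsed is None
    on timeout or when the transaction ID does not match (stray/spoofed reply)."""
    txn_id = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t0 = time.perf_counter()
        sock.sendto(build_query(name, txn_id=txn_id), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
        latency_ms = (time.perf_counter() - t0) * 1000
    except socket.timeout:
        return None, None
    finally:
        sock.close()
    parsed = parse_response(data)
    return latency_ms, parsed if parsed["id"] == txn_id else None


def find_disagreements(results):
    """results: {server: parsed_or_None}. Returns servers whose A-record set
    differs from the majority, that answered without the AA bit, or that failed."""
    a_sets = {s: (frozenset(v for _, t, _, v in p["answers"] if t == A_RECORD)
                  if p else None) for s, p in results.items()}
    valid = [s for s in a_sets.values() if s]
    if not valid:
        return sorted(results)
    majority = max(set(valid), key=valid.count)
    return sorted(s for s, a in a_sets.items()
                  if a != majority or not results[s]["aa"])


def check_zone(name, server_ips):
    """Live check: query every authoritative server (assumed IPs) and report."""
    return find_disagreements({ip: query_authoritative(ip, name)[1] for ip in server_ips})


# Constructed sample packets: offset 12 holds the question name, so 0xC00C in
# each answer is a compression pointer back to it.  0x8400 = QR=1, AA=1, RD=0.
_QUESTION = build_query("www.example.com")[12:]


def _a_rr(ip, ttl=300):
    return b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, ttl, 4) + socket.inet_aton(ip)


SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0) + _QUESTION
                   + _a_rr("192.0.2.10") + _a_rr("192.0.2.11"))
STALE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + _QUESTION
                  + _a_rr("192.0.2.99"))

if __name__ == "__main__":
    observed = {"ns1": parse_response(SAMPLE_RESPONSE), "ns2": parse_response(SAMPLE_RESPONSE),
                "ns3": parse_response(STALE_RESPONSE), "ns4": None}  # ns4 timed out
    print(observed["ns1"]["answers"])
    print("out of step:", find_disagreements(observed))
```

Run `check_zone("www.example.com", [...])` with your provider’s real name server addresses from each vantage point you care about; a server that returns a different A set, answers from cache without the AA bit, or times out shows up in the result, which is exactly the micro-outage or stale-zone condition an HTTP check would hide behind the user’s recursive resolver. The random transaction ID check is the minimum defence against stray or forged UDP replies; a production probe would also retry over TCP when the TC bit is set and validate DNSSEC where the zone is signed.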

Monitor What Matters

Keeping an eye on your DNS provider does require some sophisticated monitoring capabilities. After all, tracing queries through the complex web of hierarchies, servers, network links and third-party services can become almost as complicated as running DNS services themselves. Fortunately, there are powerful tools out there to help you do it. Indeed, DNS monitoring should be a big part of any web or DEM solution and any business’s monitoring strategy.

You won’t get a second chance to make a first impression. Your website and online services should instantly resolve for every user who tries to reach them, no matter where they are. By keeping a close eye on your DNS providers, you can make sure your users never have to think about DNS—which is exactly how it should be.

Security Boulevard

Dritan Suljoti

Dritan Suljoti is Chief Product Officer and Co-Founder at Catchpoint. Drit leads Catchpoint’s engineering and product teams, applying a passion for building innovative technology and more than ten years’ experience leading research and development at Google and DoubleClick to continually improve Catchpoint’s solutions from a user’s point of view. An expert in digital advertising technology and marketplace dynamics, Drit holds three industry patents. He earned an MBA in operations management and marketing from Baruch College.
