DNS Analytics#

The DNS Analytics tab provides deeper insights into DNS query patterns, trends, and statistics. Perform advanced analysis of DNS behavior, identify patterns, and optimize your DNS infrastructure based on detailed data.

Overview#

While DNS Metrics provides real-time performance monitoring, DNS Analytics offers detailed historical analysis and pattern recognition. Use these insights to understand query behavior, detect anomalies, and make informed optimization decisions.


Getting Started#

Accessing DNS Analytics#

  1. Navigate to Monitoring from the main sidebar
  2. Click the DNS Analytics tab
  3. Analytics load automatically with historical data

Dashboard Components#

The DNS Analytics tab displays:

  • Query pattern analysis
  • Query type distribution
  • Recursive vs. non-recursive queries
  • DNSSEC status and metrics
  • Historical trend charts
  • Detailed statistics tables

Analytics Overview#

Query Pattern Analysis#

Time-Series Trends in DNS Queries

Shows how DNS query volume changes over time:

Chart Types:

  • Line chart: Overall query volume trends
  • Area chart: Stacked query types over time
  • Bar chart: Daily/hourly query distribution

What to Look For:

  • Daily patterns (peaks and valleys)
  • Weekly cycles
  • Seasonal trends
  • Sudden spikes or drops
  • Correlation with events

Example Patterns:

  • Daily: Peak during business hours, low at night
  • Weekly: High weekdays, lower weekends
  • Seasonal: Summer higher, winter lower
  • Event-Based: Spikes around product launches

Query Type Distribution#

Breakdown of Different DNS Record Types

Shows which DNS records are most frequently queried:

Common Record Types:

Type | Purpose | Expected %
A Records | IPv4 addresses | 85-95%
AAAA Records | IPv6 addresses | 5-15%
CNAME Records | Aliases | 0-5%
MX Records | Mail servers | 0-1%
TXT Records | Text data (SPF, DKIM) | 0-1%
SRV Records | Service records | 0-1%
Other | Other types | < 1%

Analyzing Distribution:

Normal Distribution:

  • A records dominant (85%+)
  • Small percentage of AAAA
  • Few other types

Unusual Distribution:

  • Unexpected record types appearing
  • AAAA records very low (< 1%)
  • Excessive MX queries
  • Unknown record types

What It Indicates:

  • IPv6 adoption levels
  • Email infrastructure queries
  • Application query patterns
  • Potential misconfiguration

Recursive vs. Non-Recursive Queries#

Query Behavior Patterns

Recursive Queries:

  • Client asks the resolver to find the full answer
  • Resolver queries authoritative servers on the client's behalf
  • More resource-intensive
  • Client doesn't query authoritative servers directly

Non-Recursive Queries:

  • Client asks for specific cached answer
  • Resolver returns what it has
  • Less resource-intensive
  • Faster response possible

Analyzing Your Traffic:

Expected Pattern:

  • Mostly recursive from clients
  • Mix of recursive/non-recursive from resolvers
  • Very few non-recursive from origin

Warning Signs:

  • Excessive non-recursive queries
  • Unusual recursive patterns
  • Queries from unexpected sources
  • Potential DNS amplification attacks

DNSSEC Status#

DNS Security Extensions Monitoring

DNSSEC provides cryptographic authentication for DNS:

Status Indicators:

  • ✅ Enabled & Valid: DNSSEC properly configured
  • ⚠️ Enabled & Warning: DNSSEC enabled but issues detected
  • ❌ Disabled: DNSSEC not implemented
  • ⚠️ Invalid: DNSSEC validation failing

Metrics Tracked:

  1. DNSSEC Validation Rate

    • Percentage of queries successfully validated
    • Target: 100%
    • Issues indicate misconfiguration
  2. DNSSEC Failures

    • Failed validation attempts
    • Should be zero
    • Indicates potential attacks or configuration errors
  3. DNSSEC Coverage

    • Percentage of zones signed
    • Incomplete coverage creates vulnerabilities
    • Target: 100% of critical zones
  4. Key Rotation Status

    • DNSSEC key age
    • Rotation frequency
    • Expiration tracking

Optimization Tips:

  • Implement DNSSEC for all zones
  • Monitor validation success rate
  • Schedule regular key rotation
  • Update zone files before expiration

Advanced Analysis#

Pattern Recognition#

Identifying Trends in Query Behavior

Steps:

  1. Review the query pattern chart
  2. Identify recurring patterns
  3. Note time-based variations
  4. Document anomalies

Common Patterns:

Time-Based Patterns:

  • Business hours: 2-3x more queries
  • Weekend: 30-40% reduction
  • Midnight to 5am: Lowest volume
  • Holidays: Significant drops

Event-Based Patterns:

  • Marketing campaign: +50% spike
  • Product launch: Sustained increase
  • Maintenance window: Temporary drop
  • Security incident: Sudden change

Anomaly Detection#

Spotting Unusual Query Behavior

Red Flags:

  • Sudden spike > 200% of normal
  • Unexpected query types appearing
  • New geographic sources
  • Recursive query increase
  • Failed DNSSEC validations

Investigation Steps:

  1. Identify exact time of anomaly
  2. Review query sources
  3. Check application changes
  4. Analyze query types
  5. Review security logs

Common Causes:

  • Application misconfiguration
  • DNS caching issues
  • Cache poisoning attempts
  • Distributed DoS attack
  • Misconfigured client

Comparison Analysis#

Comparing Time Periods

How to Compare:

  1. Select two date ranges
  2. Overlay charts
  3. Calculate percentage changes
  4. Identify differences

Metrics to Compare:

  • Total query volume
  • Query type distribution
  • Peak times
  • DNSSEC validation rate
  • Response times

Example Analysis:

  • Week over week: Identify weekly patterns
  • Month over month: Track growth trends
  • Year over year: Seasonal changes
  • Before/after: Impact measurement

Using Analytics for Optimization#

Identify Peak DNS Query Times#

Purpose: Plan maintenance and capacity

Steps:

  1. Review query pattern chart
  2. Identify consistent peak times
  3. Note duration of peaks
  4. Calculate peak load

Uses:

  • Schedule maintenance during low periods
  • Plan capacity expansion
  • Time software updates
  • Allocate resources

Example:

  • Peak: 2-4 PM daily
  • Maintain: 11 PM to 3 AM
  • Capacity needed: 3x average during peak

Understand Query Patterns#

Purpose: Optimize caching and TTL

Analysis:

  1. Review query type distribution
  2. Identify most queried records
  3. Check query frequency
  4. Analyze client behavior

Optimization:

  • Increase TTL for frequently queried records
  • Implement caching for common queries
  • Pre-fetch popular records
  • Load balance based on query patterns

Monitor for Unusual Behavior#

Purpose: Detect attacks and misconfiguration

Watch For:

  • Query patterns changing suddenly
  • New record types appearing
  • Query volume spikes
  • Geographic anomalies
  • Failed DNSSEC validations

Response:

  • Alert on anomalies
  • Investigate causes
  • Block malicious queries
  • Update security rules

Track DNSSEC Effectiveness#

Purpose: Ensure DNS security

Metrics:

  • Validation success rate (target: 100%)
  • Failed validations (target: 0)
  • Key expiration dates
  • Zone coverage percentage

Actions:

  • Schedule key rotation in advance
  • Update expiring keys before deadline
  • Fix validation failures immediately
  • Implement DNSSEC for all zones

Common Scenarios#

Scenario 1: Investigate Query Spike#

Situation: DNS queries suddenly increase

Analysis:

  1. Check query pattern chart
  2. Identify spike timing
  3. Review query type distribution
  4. Check geographic distribution
  5. Review recursive vs. non-recursive split

Root Causes:

  • Cache expiration (TTL expired)
  • Client misconfiguration
  • Application change
  • Increased traffic
  • DNS amplification attack

Resolution:

  1. Verify spike is legitimate
  2. Increase TTL if appropriate
  3. Review client configuration
  4. Monitor for attacks

Scenario 2: Optimize Query Volume#

Situation: Reducing DNS load and costs

Analysis:

  1. Review query pattern chart
  2. Identify peak periods
  3. Check most queried records
  4. Analyze query types

Optimization Steps:

  1. Increase TTL for stable records
  2. Implement caching at application level
  3. Reduce record complexity
  4. Batch queries where possible

Expected Results:

  • 20-40% reduction in queries
  • Faster response times
  • Lower DNS costs

Scenario 3: Monitor DNSSEC Status#

Situation: Ensuring DNS security

Analysis:

  1. Check DNSSEC status indicator
  2. Review validation success rate
  3. Monitor key expiration dates
  4. Track failed validations

Actions:

  1. Schedule key rotation
  2. Monitor expiration dates (30 days before)
  3. Fix validation failures
  4. Implement DNSSEC gradually if not done

Scenario 4: Detect Anomalous Patterns#

Situation: Security threat detection

Analysis:

  1. Review historical patterns
  2. Compare current to baseline
  3. Identify deviations
  4. Analyze query sources

Red Flags:

  • 300%+ spike in specific query type
  • Queries from unusual locations
  • Non-recursive to origin servers
  • Failed DNSSEC on valid zones

Response:

  1. Enable enhanced logging
  2. Review detailed query logs
  3. Block suspicious sources
  4. Alert security team
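
The baseline comparison described under Anomaly Detection and Scenario 4, as an added example that is not part of the product or its documentation: it flags hours above 200% of the hour-of-day baseline, record types at 300% or more of their own baseline, and record types absent from the baseline. The row layout, the sample counts, and reading both thresholds as ratios to the baseline median are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed hourly aggregates: (timestamp, record type, query count). The row
# layout is an assumption; three baseline days are used only to keep this short.
BASELINE = [
    ("2024-05-06T03:00", "A", 100), ("2024-05-06T03:00", "AAAA", 10),
    ("2024-05-06T14:00", "A", 900), ("2024-05-06T14:00", "AAAA", 90), ("2024-05-06T14:00", "MX", 5),
    ("2024-05-07T03:00", "A", 120), ("2024-05-07T03:00", "AAAA", 12),
    ("2024-05-07T14:00", "A", 1000), ("2024-05-07T14:00", "AAAA", 100), ("2024-05-07T14:00", "MX", 6),
    ("2024-05-08T03:00", "A", 110), ("2024-05-08T03:00", "AAAA", 11),
    ("2024-05-08T14:00", "A", 950), ("2024-05-08T14:00", "AAAA", 95), ("2024-05-08T14:00", "MX", 4),
]
CURRENT = [
    ("2024-05-09T03:00", "A", 115), ("2024-05-09T03:00", "AAAA", 12), ("2024-05-09T03:00", "TXT", 400),
    ("2024-05-09T14:00", "A", 980), ("2024-05-09T14:00", "AAAA", 97), ("2024-05-09T14:00", "MX", 20),
]

def _hour(ts):
    return datetime.fromisoformat(ts).hour

def baseline(rows):
    """Median count per (hour-of-day, type); type "ALL" holds the hourly total."""
    per_ts, samples = defaultdict(int), defaultdict(list)
    for ts, qtype, count in rows:
        per_ts[ts] += count
        samples[(_hour(ts), qtype)].append(count)
    for ts, total in per_ts.items():
        samples[(_hour(ts), "ALL")].append(total)
    return {key: median(vals) for key, vals in samples.items()}

def find_anomalies(baseline_rows, current_rows, total_ratio=2.0, type_ratio=3.0):
    """Return (timestamp, finding, record type) tuples for the current rows."""
    base = baseline(baseline_rows)
    known = {qtype for _, qtype in base}
    totals, findings = defaultdict(int), []
    for ts, qtype, count in current_rows:
        totals[ts] += count
        normal = base.get((_hour(ts), qtype))
        if qtype not in known:  # record type never seen in the baseline
            findings.append((ts, "new_type", qtype))
        elif normal and count / normal >= type_ratio:  # 300%+ of its own normal
            findings.append((ts, "type_spike", qtype))
    for ts, total in sorted(totals.items()):
        normal = base.get((_hour(ts), "ALL"))
        if normal and total / normal > total_ratio:  # above 200% of normal
            findings.append((ts, "volume_spike", "ALL"))
    return findings
```

Calling find_anomalies(BASELINE, CURRENT) returns the findings list; with real data, build the baseline from at least 7 days, the minimum this page gives for pattern detection.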

Best Practices#

Daily Analysis#

  • ✅ Review query pattern chart
  • ✅ Check for anomalies
  • ✅ Monitor DNSSEC status
  • ✅ Note any unusual activity

Weekly Review#

  • ✅ Compare week-over-week changes
  • ✅ Analyze query type trends
  • ✅ Review peak times
  • ✅ Plan optimizations

Monthly Deep Dive#

  • ✅ Month-over-month comparison
  • ✅ Trend analysis
  • ✅ Capacity planning
  • ✅ DNSSEC audit

Quarterly Planning#

  • ✅ Review annual trends
  • ✅ Identify seasonal patterns
  • ✅ Plan infrastructure changes
  • ✅ Update optimization strategy

Troubleshooting#

Analytics Not Displaying#

Problem: Dashboard shows no data

Solutions:

  1. Ensure application has DNS activity
  2. Wait for historical data collection
  3. Check date range selection
  4. Verify DNS configuration
  5. Refresh dashboard

Patterns Unclear#

Problem: Can't identify clear patterns

Solutions:

  1. Expand date range (at least 7 days)
  2. Compare multiple time periods
  3. Check for external events
  4. Filter by specific record type
  5. Contact support

DNSSEC Issues#

Problem: DNSSEC validation failing

Solutions:

  1. Verify DNSSEC keys are valid
  2. Check key expiration dates
  3. Review zone configuration
  4. Test with validation tools
  5. Contact DNS provider

Limits & Considerations#

Item | Limit
Historical Data | Last 30-90 days
Granularity | Hourly/Daily aggregation
Pattern Detection | Requires 7+ days data
Export Capability | CSV, JSON formats
Real-time Updates | 15-30 minute delay
Query Types Tracked | All standard types
