A DNS monitoring guide: What it is and how to do it

The Domain Name System, or DNS, underpins every service that connects to the giant network that we call the internet. It's the service that translates the human-readable google.com to a machine-readable 74.125.200.105. This way, users can use an easy-to-remember domain name instead of a hard-to-remember IP address to access your website. Think of DNS as the giant internet-scale directory that maps the human-readable address to the machine-readable address. As you can imagine, the DNS service plays a vital role in connecting users to their favorite websites. Any disruption in this service would make your website inaccessible to your customers and users. This is where DNS monitoring services come in.

In this post, we'll learn about tools you can use to make sure your DNS service is configured correctly and providing uninterrupted service to your visitors. We'll also be briefly looking at modern-day threats faced by a DNS service; after all, forewarned is forearmed.

If you need a quick primer on DNS services, you can go through this introduction (https://www.zoho.com/mail/glossary/what-is-dns.html). Let's start by learning a little bit more about DNS monitoring.

What is DNS monitoring?

DNS monitoring is the act of observing and managing the services offered by your DNS provider for availability and correctness. Regardless of the size of your organization, DNS monitoring tools should help you with the following key elements:

Fig 1. What is DNS monitoring?
  • Constant DNS monitoring: Monitoring continuously is key to identifying system availability—even better if you can do this from multiple geolocations.
  • Alerting and reporting: Early warning is critical in a developing situation. If you're aware of a problem developing, you can take additional measures to mitigate any damages.
  • Issue identification: Disruptions can happen for many reasons, so it's vital to identify the nature of the disruption.

Let's get into each of these segments a little bit more.

Constant DNS monitoring

Constant monitoring is your first line of defense. DNS tools carry out this monitoring by requesting your website's DNS information at regular intervals. The more often they can do this, the better. Another important factor to consider is the ability to add multiple geolocations from which to check your DNS records. This is to avoid the "works on my computer" meme—because it's possible that your DNS might only be working correctly for a particular subset of networks in certain locations. The reasons for this could range from cache issues to propagation problems. Regardless of the root cause, it would be very hard to identify the problem without monitoring from multiple geolocations.

Alerting and reporting

Next up is alerting. Whenever something does go wrong, you need to know about it right away. Whatever service you end up going with, make sure that you're satisfied with the alerting methods that it supports, be it email, SMS, or push notifications. A secondary aspect of knowing when things go wrong is to keep track of all of this information in a report. This reporting data can be useful when you want to evaluate the performance of your DNS provider. This is especially true if you're a large corporation that has a service-level agreement (SLA) with the DNS provider.

Issue identification

Assuming things have gone completely wrong with your DNS service, you need a way to identify the scope of the error and try to resolve it. This is where the dashboards and the issue identification functionality come in. The monitoring tool should tell you at a glance how many regions are affected, what's likely the nature of the outage, and whether the situation is improving, degrading, or staying the same.

Why is DNS monitoring important?

According to the IDC 2021 Global DNS Threat Report, 87% of the organizations interviewed suffered at least one attack on their DNS services. Additionally, 76% suffered from downtime in their cloud and/or in-house services. And the average cost of an attack is estimated at USD 950,000 in 2021, up 3% from 2020.

Fig 2. Why is DNS security important?

As you can see, these attacks can be costly for your organization. And keep in mind that this is an ever-shifting landscape. As defenders scramble to introduce more secure and robust solutions, attackers will use every tool available at hand to find a way through. In order to keep up with this, it's vital that the tooling on your side is complete and acts as an early-warning system whenever something seems to be going wrong.

Typical DNS attacks and errors

How does a DNS monitoring service help you deal with DNS attacks and errors? For one thing, the monitoring tool can instantly alert you if your DNS records have changed without your knowledge. Your monitoring solution can also highlight any errors in your DNS configuration if it's not set up correctly or requires further attention. Now let's look at some common DNS attacks and errors that your DNS monitoring tool might help you with.

DNS cache poisoning

DNS cache poisoning occurs when a malicious actor injects information into the DNS cache. This causes DNS queries to return the injected information, which might cause the browser to redirect the user to incorrect or harmful websites. Going back to the directory analogy, if the directory entry for google.com points to the IP of a malicious website that's made to look like Google's homepage, that's going to be a problem. This incorrect information remains in the DNS cache until the time to live (TTL) expires or until the incorrect record is manually removed.

Fig 3. DNS cache poisoning

To carry out this attack, an attacker impersonates a DNS nameserver and responds with false information to a query that a DNS resolver has sent to a legitimate DNS nameserver. The attacker has a very short time to deliver the faked response and must guess (or know beforehand) multiple pieces of pertinent information. This is a known weakness in DNS and is being addressed by the DNS Security Extensions (DNSSEC). DNS cache poisoning is also called DNS spoofing.

Domain hijacking

This type of attack occurs when malicious actors make changes to your DNS or domain registrar without your authorization. These types of attacks redirect traffic away from your website and onto other malicious websites. Attackers can use this method to steal the personal data of your customers or cause massive damage to your brand.

Fig 4. Domain hijacking

Misconfigured DNS records

DNS configuration options come in many sizes and shapes. They also differ depending on which DNS provider you use. Sometimes, you're not even able to use your preferred DNS provider because your root domain isn't supported by that provider. Alternatively, you might have to cede control of your domain to an external service to be managed on your behalf.

Setting up DNS records can, and sometimes does, go wrong. When this happens, it helps to have the DNS monitoring tool break down what's happening with your domain and DNS records. From being able to see which records have propagated across the internet to seeing which geolocation is serving outdated records, the monitoring tool is your first step to debugging the issue.
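The checks described in this post (polling several vantage points, alerting on changed records, spotting locations that still serve outdated records) can be sketched as follows. This is an added example, not code from the post or from any monitoring product; it uses only the Python standard library and assumes IPv4 A records over UDP, and the function names, status labels and the `previous` set of retired addresses are illustrative.

```python
import secrets, socket, struct

def build_query(name, txid):  # recursive A/IN query; `name` has no trailing dot
    qname = b"".join(bytes([len(p)]) + p for p in name.encode("ascii").split(b".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a(msg, txid):  # set of IPv4 addresses in the response to query `txid`
    rid, flags, qd, an = struct.unpack("!4H", msg[:8])
    if rid != txid or not flags & 0x8000 or flags & 0xF:
        raise ValueError("ID mismatch, not a response, or RCODE != 0")
    off, addrs = 12, set()
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # question: name + QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:            # A record (CNAMEs etc. are skipped)
            addrs.add(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

def lookup(name, resolver_ip, timeout=2.0):  # ask one resolver directly (needs network)
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((resolver_ip, 53))             # replies from other peers are dropped
        s.send(build_query(name, txid))
        return parse_a(s.recv(4096), txid)

def classify(answers, expected, previous=frozenset()):  # `previous`: retired, once-valid IPs
    if answers and answers <= expected:
        return "OK"
    if answers and answers <= expected | previous:
        return "STALE"                           # outdated record: cache or propagation lag
    return "UNEXPECTED"                          # unknown or empty answer: unplanned change

def check(name, resolvers, expected, previous=frozenset(), query=lookup):
    report = {}
    for label, ip in resolvers.items():
        try:
            report[label] = classify(query(name, ip), expected, previous)
        except (OSError, ValueError, struct.error, IndexError):
            report[label] = "UNAVAILABLE"        # timeout, error RCODE or malformed reply
    return report
```

Run `check` on a schedule with a dict that maps a label for each vantage point to the resolver address used there, and alert on any status other than `OK`.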

Wrapping up

As we saw in this post, DNS is a critical part of all internet infrastructure. It should be a first-class citizen in your monitoring strategy. You should evaluate your organization's needs and pick a DNS monitoring solution that meets all of them.

Regardless of the DNS monitoring solution you choose, make sure to stay current on the developments in the DNS space. You should take care to upgrade your systems to use new tools like DNSSEC and DNS over TLS/HTTPS. These will go a long way in providing more security for your DNS services. It's an ongoing battle to stay secure, but with the right tools, it doesn't have to be hard.

Author Bio

This post was written by John Pereira. John is a technology enthusiast who's passionate about his work and all forms of technology. With over 15 years in the technology space, his area of expertise lies in API and large scale web application development, and its related constellation of technologies and processes.