Best Practices for DNS Monitoring
Nick Kephart, Director of Product Marketing

Network Intelligence Keeps Your Business Running
ThousandEyes is a network intelligence platform that delivers visibility into every network your organization relies on.
•  Established and backed by network experts
•  Relied on for critical operations by leading enterprises
•  Recognized as an innovative new approach

Why Monitor DNS
•  Record Misconfiguration
•  Server or Network Failure
•  Vendor Availability
•  DNSSEC Expiration
•  Cache Poisoning
•  DDoS Attacks

DNS Monitoring Use Cases
•  Query Trace: Track queries from root servers to authoritative servers
•  Record Accuracy: Confirm and alert on record mappings for internal and external addresses
•  Server Availability: Monitor authoritative and caching servers
•  DNSSEC Validation: Validate DNSSEC keychain
•  GSLB and Anycast: Troubleshoot load balanced DNS using alerts and path visualization

ThousandEyes Approach to DNS Monitoring
DIG-like Features
•  ns
•  @
•  +trace
•  +dnssec
•  +norec
And Correlation
•  Authoritative and caching server network
•  Routing metrics
With Analysis
•  Store, save, share, baseline, alert
[Diagram labels: Enterprise, Vendor]

How to Deploy DNS Tests
[Diagram labels: Consumers, Internet, DNS Hosting Provider, Enterprise Branch, Enterprise Data Center, Local caching server, Enterprise Agent, Cloud Agent, Authoritative Server, TLD Server; test types shown: DNS Server, DNS Trace; callouts 1, 2, 3]

q Set up DNS Server tests for
critical services and records
q Alert on record mappings
q Use Path Viz to see network
connectivity, GSLB and Anycast 
q Troubleshoot local caching
servers with DNS Server tests
q Use Recursive Queries option
Best Practices
q Set up DNS Trace tests for major
domains, sub-domains
q Ensure DNS hierarchy is working as
expected, check for hijacks
q Review your DNS TTLs
q Balance server load with propagation
time; vary by record type
q Be prepared for a DDoS
q Diversify networks or vendors where
you host DNS
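An added example (not from the original slides or ThousandEyes): a Python check of saved `dig +trace` output covering the trace, record-mapping, hijack and TTL items above. The sample trace, the example.com names, the documentation addresses and the function names are constructed for illustration.

```python
import re

# Constructed `dig +trace www.example.com` output (placeholder names and
# documentation addresses; not captured data).
SAMPLE_TRACE = """\
.                 518400 IN NS a.root-servers.net.
;; Received 239 bytes from 192.0.2.53#53(192.0.2.53) in 2 ms
com.              172800 IN NS a.gtld-servers.net.
;; Received 1170 bytes from 198.41.0.4#53(a.root-servers.net) in 18 ms
example.com.      172800 IN NS ns1.example.net.
example.com.      172800 IN NS ns2.example.net.
;; Received 290 bytes from 192.5.6.30#53(a.gtld-servers.net) in 25 ms
www.example.com.  300 IN A 203.0.113.10
;; Received 60 bytes from 198.51.100.7#53(ns1.example.net) in 31 ms
"""

RECEIVED = re.compile(r"^;; Received \d+ bytes from \S+#\d+\((\S+)\) in \d+ ms")
RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_trace(text):
    """Split dig +trace output into hops: (responding server, [records])."""
    hops, records = [], []
    for line in text.splitlines():
        if m := RECEIVED.match(line):
            # dig prints a response's records, then the server that sent them
            hops.append((m.group(1).rstrip(".").lower(), records))
            records = []
        elif m := RECORD.match(line.strip()):
            name, ttl, rtype, rdata = m.groups()
            records.append((name.rstrip(".").lower(), int(ttl), rtype,
                            rdata.strip().rstrip(".").lower()))
    return hops

def check_trace(text, zone, expected_ns, qname, expected_a, max_ttl=3600):
    """Return alert strings for delegation, responder, mapping and TTL drift."""
    hops, alerts = parse_trace(text), []
    if not hops:
        return ["trace produced no responses"]
    delegated = {r[3] for _, recs in hops for r in recs if r[0] == zone and r[2] == "NS"}
    if delegated != set(expected_ns):
        alerts.append(f"delegation mismatch for {zone}: {sorted(delegated)}")
    server, answers = hops[-1]
    if server not in expected_ns:
        alerts.append(f"final answer came from unexpected server {server}")
    a_recs = [r for r in answers if r[0] == qname and r[2] == "A"]
    if {r[3] for r in a_recs} != set(expected_a):
        alerts.append(f"record mapping mismatch for {qname}: {sorted(r[3] for r in a_recs)}")
    alerts += [f"TTL {r[1]} above {max_ttl} for {qname}" for r in a_recs if r[1] > max_ttl]
    return alerts
```

An empty list from `check_trace` means the delegation, the answering server, the A record set and the TTL all match the baseline passed in.
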
Demo

Add a New DNS Test
•  Choose DNS test type
•  Domain and record
•  Views included in the test
•  Auto-lookup authoritative servers

DNS Server Monitoring
•  Availability and resolution time
•  By authoritative servers
•  Performance over 30 days
•  Save or share data

DNS Record Details
•  See mappings and resolution time for Tokyo
•  Select a specific agent (Tokyo)

DNS Domain Trace Monitoring
•  Record availability, average queries and query time
•  Detailed traces
•  Performance over 30 days

DNS Detailed Traces
•  Unsuccessful trace
•  Successful trace
•  d-root → pac1.nipr.mil → ns02.army.mil

DNSSEC Monitoring
•  DNSSEC validation percentage
•  DNSSEC trace details

DNSSEC Details
•  Keychain trust tree
•  DNSSEC keys

DNS Alerting
•  Alert on resolution time, mappings, error details
•  Alert to email or API

See what you’re missing.
Watch the webinar

www.thousandeyes.com/webinars/dns
