DNS monitor is a subscription based service that continuously monitor and validate the data integrity of the domain content as well as the availability of its name servers.

The monitoring service runs at a 5 minute interval from a minimum of three geographically separated monitoring locations where a number of DNS queries are performed. The queries are primarily but not exclusively directed to the authoritative name servers of the domain and are crafted to collect vital data for assessment.

The integrity of the zone content and the availability of the DNS Servers are paramount and are monitored closely. Failure of either could very well affect the credibility of the entire organisation. Integrity and Availability are compiled and weighted check results presented on the monitoring dashboard and are included in all our subscriptions.

The integrity checks are designed to discover any modification to the zone content, which could indicate a security breach or a possible DNS hijacking. 

A selected number of the checks performed at every interval are tasked with validating query results with values stored in our configuration database. These database values are treated as non-volatile and are set when each check is initially configured and can only be altered upon the administrators request.

Certain resource records in a zone are rarely subject to change as they are part of the DNS infrastructure and the overall domain configuration. If these records are modified the monitoring system will trigger an event.

Host resource records configured by the administrator are also validated at every check interval the same way the infrastructure records are. These resource records are prioritised by the system since they may have a direct effect on traffic routes. An altered host record will automatically trigger an error event. Read the full article.

The DNS servers configured to serve your domain must be able to respond to DNS queries for that domain at all times.

A number of checks performed at each interval are designed to monitor the availability of the DNS servers responsible for your domain. The DNS servers must be able to respond over both the UDP as well as the TCP protocol in order to work properly. The absolute majority of the queries directed to the DNS servers utilises UDP which check also have the highest impact on the over-all Availability result.

Different DNS resolvers handle failover from unresponsive DNS servers differently which have an effect on the response time noticeable on interactive sessions. To get full points on availability every name servers must respond to both types of queries without any time-outs.

The monitoring system also test if the MX resource records (if present) can resolve to make sure that emails reach your domain. Read the full article.

Use the 14 day trial period to test our monitoring service without any commitments.

During the trial period you can configure up to three domains and switch back and forth between our Free, Basic and Premium services.

The monitoring service cover, apart from from the all-important areas of integrity and availability, also the aspects of configuration security and name server performance.

These checks are exclusive to our premium domain subscriptions.

Security

We all know that threat actors harvest any information they can to aid them in preparation for attacks.

Poorly configured DNS servers can provide a threat actor with valuable information and, in worst case provide such information that the DNS itself is put in jeopardy.

  • Certain DNS queries can reveal both operating system and DNS software versions providing the hacker with plenty of ammunition to attack the DNS server itself.
  • By not restricting zone transfers an attacker can dump the content of the zone allowing the attacker a "map" of the organisations Internet infrastructure. This in turn can very well be the final piece of the puzzle to start an attack.
  • Running an open resolver on an authoritative name server opens up for resolver based attacks like DNS cache poisoning.

Even though some of this information can be figured out anyway by a medium advanced adversary there are no reasons to give it up for free. These configuration flaws can easily be found by rudimentary DNS queries and could have profound implications. The monitoring system checks for these configuration flaws and report them on the dashboard.

Performance

An authoritative DNS server should always be able to rapidly respond to queries.

The authoritative name server have the zone data loaded in RAM which guarantees the same rapid local responses for any zone record. Slow DNS responses can depend on a number of reasons.

At each check interval the monitoring system measures response times from each location. The result is displayed on the dashboard for every name server IP address including an average response time from the last configuration. This response time measurement is performed from all configured monitor locations.

The response time checks are executed directly at each authoritative DNS servers respective IP address eliminating cached responses from resolvers. Response times may vary between different locations depending on network latency and how the DNS infrastructure is set up for the domain.

Note: Since the response time checks are executed remotely the checks can only produce an indicative result. To get a more definite result measurements have to be carried out from the name servers local LAN.

Features

The feature rich monitoring service is designed to detect anomalies, problems, misconfigurations and errors for DNS systems and domain operations.

Simple setup and configuration

Enter the domain name you want to monitor and the configuration engine will only need a few seconds to locate the necessary information and set up the service. Once the configuration is completed you can easily opt to change or add monitoring locations, add host names to monitor and configure alert levels.
No software agent installation is required and no configuration have to be changed. We rely on the DNS protocol to perform all monitoring tasks. All checks but one use regular but specific DNS queries to collect the necessary information.

User-friendly monitoring dashboard

The web interface is easy to use and navigate with clear and logical menus options. The monitoring results are presented in our comprehensible dashboard. With two drill-down levels from the default view the results are easy to follow and react upon.

You can easily turn on and off individual checks and even pause monitoring actions for individual name servers which can come in handy during planned service windows to avoid unnecessary alerts.

Packaged knowledge

Our ever growing knowledge base contains a compilation of tips and tricks, articles and instructions on many DNS related subjects. Troubleshooting techniques and in most cases error correction hints for almost every check result can be found here as well as detailed instructions of how to operate the DNSmonitor dashboard.

Scalability

It doesn't matter if you operate a few or hundreds of domains, our service will scale to your operational needs. Free, Basic and Premium domain subscriptions can easily coexist on our plattform.

Severity levels

The DNS monitoring system utilise the following severity levels, colors and symbols to display monitoring events.

INFO

Informational message indicating that no anomalies have been detected.

WARNING

A WARNING severity is issued when a check discover some degradation of the checked item or if the failure has a low impact on the overall performance. A WARNING severity should be addressed by an operator but does usually not require immediate attention.

ERROR

An ERROR severity indicate that a checked item is unresponsive or return an unexpected value. An ERROR severity indicate that system performance and/or quality is impaired or seriously degraded and should hastily be addressed by the operator.

CRITICAL

A CRITICAL severity indicate that major parts of the monitored service is unresponsive and are unable to operate properly. A CRITICAL severity require immediate attention by the operator to restore system operation.

UNKNOWN

The UNKNOWN severity appear when a check is unable to perform or if it receives an unexpected response which lacks enough information to decide if the checked item works or not.

Alerts

The DNS monitoring service can be configured to forward alerts through our PagerDuty integration (require an active PD account).

The alerts are configured individually per domain. For each domain you can configure the severity level you would like the service to forward the alert. The severity level can be set separately for both Integrity and Availability.

GUI tour

Klick on the thumbnails below to take a virtual tour through our user interface.

8

Locations

7

Countries

3

Continents

To optimise the monitoring experience and to let the customer make informed decisions every domain and DNS server is monitored from a minimum of three locations.

Much like the GPS, which require three satellites to triangulate a position, our monitoring service is based on the same principal. With three or more locations from where the service is running, you can easily find out if any discovered problem is local or global.

Once the initial setup is completed you can relocate the three default monitoring locations and add additional locations to better reflect your customer demography.

Standards & compliance

IANA RFC compliance

With more than 200 published RFC's that directly or indirectly are linked to the DNS protocol you'd expect that every angle of the protocol would be covered. That is unfortunately not the case. Too many "should's" and too few "must's" has left vendors with a bit too much leeway when writing DNS code. We primarily use BIND and NSD as our main test-beds during development and trying our best to take in account that we can get different results from other vendors.

Since the service expects a rather strict set of responses for certain queries there might emerge a few false positives or false negatives during a check run. Please report this to us and we will do our best to solve it!

IPv4 and IPv6 support

As stated previously we at DNSmonitor are great supporters of IPv6. The decreasing numbers of available IPv4 addresses forces organisations to adapt to the new standard and the number of IPv6 installations show a slow but steady growth. Our monitoring platform supports of IPv4 and IPv6 both.