Note
NS1 DNS Insights is available to purchase for all NS1 Managed DNS and NS1 Dedicated DNS customers. Contact your NS1 Customer Success Manager or complete a contact form here.
NS1's DNS Insights solution provides a powerful set of network observability tools designed to better understand DNS traffic and events within your NS1 Managed DNS and Dedicated DNS networks. It uses lightweight, actionable data feeds to provide a granular view of performance, trends, and anomalies — giving you the insight necessary to improve system performance and security while reducing operational costs. Data is delivered as a targeted data feed without the need to collect, store, and analyze terabytes of data.
Powered by Orb™, an open-source project by NS1 Labs, DNS Insights leverages the unique perspective of your DNS data to:
Detect potentially malicious activity, such as a DDoS attack or malicious probing, so you can take the proper precautions to protect your infrastructure.
Identify misconfigurations that might expose sensitive information, increase costs, or negatively impact performance. For example, TTLs may be too low for high-volume domain names, generating substantial traffic volumes. Or, as another example, employee laptops may be querying for internal host names over the internet, potentially exposing sensitive information, reducing performance, and increasing DNS costs.
Analyze geographic traffic patterns to better architect your application delivery system and refine Filter Chain configurations.
Determine the source of unexpected query spikes.
Every minute, a fleet of DNS Insights agents deployed on PoPs across your Managed and Dedicated networks (on or adjacent to each DNS server) analyze and push data to your time-series database (TSDB). You can view this data using Grafana or your preferred visualization tool.
Collected metrics include the total number of DNS queries, queries per second (QPS), and "top 10" data like GeoIP locations, top ASNs, and more. Refer to this article for a complete list of metrics analyzed by the DNS Insights agents.
NS1 provides you with Grafana dashboard templates that are optimized for analyzing DNS Insights data. Alternatively, you can use your preferred visualization tools to create dashboards.
A data sink refers to a single integration between the DNS Insights agents and your TSDB. You can have multiple data sinks, each corresponding to a single TSDB. During intial setup, you will create a data sink containing the credentials for your Prometheus (or Prometheus-compatible)database. This information is passed securely to NS1 who will complete the data sink configuration.
A policy is a set of rules determining which data is collected and processed by the DNS Insights agents. By default, all DNS Insights customers have access to the following predefined policies:
MDNSi-{customerID}-All - Processes all DNS queries received at NS1's Managed DNS PoPs for all zones configured in your account
DDNSi-All - Processes all DNS queries received at each of your Dedicated DNS servers. Only available to customers with Dedicated DNS.
Additionally, each customer can request additional custom policies to be configured by the NS1 team as specified in your contract. For example, you can request a policy to collect data related to the following:
a specific query name,
a specific domain name suffix,
a list of query names or suffixes,
a specific response code (e.g., NXD),
responses with an empty answer (as in, no answer responses), or
combinations of the above.
When viewing data in the Grafana dashboard, you will select a policy that filters the data shown based on the defined parameters and configuration settings.
Note
LEVEL OF ACCESS REQUIRED FOR NS1
Prometheus: Orb requires the necessary credentials to perform remote_write operations on the target time series database instance. If you’re using Grafana Cloud, this would be a Grafana Cloud API key with the MetricsPublisher role. This role only provides permission to send log and metric data to Grafana Cloud.
HOW NS1 WILL USE THIS CREDENTIAL
The system will use the access to send data from the DNS Insights service.
DISCLAIMER TEXT
Customers (i) must not provide any greater level of access than described for this feature and (ii) must ensure that no additional data is contained in the environments accessible using the provided credentials than what is required to enable this feature. Customers should review the terms of their agreements with third-party cloud providers that will transmit data to NS1 or receive data from NS1 using this feature to determine whether such third party will impose any fees for the use, transmission, storage, and/or export of such data. NS1 disclaims any and all liability resulting from the provision of credentials to NS1, NS1’s storage of such credentials, and/or the use of such credentials by NS1, including, without limitation, any fees imposed on a Customer’s account with any third party resulting from use of this feature.
Each DNS Insights agent collects data from the NS1 DNS servers, including DNS metrics (layer 5+) and network-related metrics (layers 3 and 4). The agents send the data to the TSDB every 60 seconds before clearing and restarting. You can view this minute-by-minute breakdown in the line charts but note that other data shown (such as lists, counts, and pie charts) display data according to the overall time range selected at the top (right) of the page. Refer to this article for a list of metrics collected by the DNS Insights agents.
Each DNS Insights agent in your network sends a time series data stream to your TSDB. For Dedicated DNS networks, the combined rate at which all agents send data is estimated to be between 1,000 to 1,250 metric series per minute.* This rate is 10,000 to 13,000 metric series per minute for Managed DNS networks. If you are using Grafana Cloud, note that the Grafana Cloud platform uses “active series” to calculate metrics for billing purposes. To estimate the active series billing metric, add the total number of metric series per minute for all policies and multiply by three. For example, if you have one Dedicated DNS policy (at a rate of 1,250 metric series per minute) and one Managed DNS policy (at a rate of 13,000 metric series per minute), then the active series metric used by Grafana Cloud for billing purposes is estimated to be 42,750 — that is, (1,250 + 13,000) x 3 = 42,750. Refer to Grafana documentation for details regarding their billing calculation process.
*The estimated data rate for Dedicated DNS networks (1,250 metric series per minute) is based on a five-PoP deployment (as in, five agents). If your Dedicated network contains more than five PoPs, add 250 to the total rate for each additional agent. In other words, if your Dedicated network contains six PoPs, for example, you would use an estimated rate of 1,500 in your calculations.
If you already purchased DNS Insights, refer to Instructions: Implementing DNS Insights to get started.