Note
DNS Insights is available to purchase for all NS1 Managed and Dedicated DNS customers. Contact your NS1 Customer Success Manager or complete a contact form here for more information.
NS1's DNS Insights solution provides a powerful set of network observability tools designed to give you a deeper understanding of DNS traffic and events within your NS1 Managed DNS and Dedicated DNS networks. It uses lightweight, actionable data feeds to provide a granular view of performance, trends, and anomalies — giving you the insight necessary to improve system performance and security while reducing operational costs. Data is delivered as a targeted data feed without the need to collect, store, and analyze terabytes of data.
Powered by Orb™, an open-source project by NS1 Labs, DNS Insights leverages the unique perspective of your DNS data to:
Detect potentially malicious activity, such as a DDoS attack or malicious probing, so you can take the proper precautions to protect your infrastructure.
Identify misconfigurations that might expose sensitive information, increase costs, or negatively impact performance. For example, TTLs may be too low for high-volume domain names, generating huge traffic volumes. Or, as another example, employee laptops may be querying for internal host names over the internet, potentially exposing sensitive information, reducing performance and increasing DNS costs.
Analyze geographic traffic patterns to better architect your application delivery system and refine Filter Chain configurations.
Determine the source of unexpected query spikes.
Every minute, a fleet of DNS Insights agents deployed on PoPs across your Managed and Dedicated networks (on or adjacent to each DNS server) analyze and push data to your time-series database (TSDB). You can view this data using Grafana or your preferred visualization tool.
Collected metrics include the total number of DNS queries, queries per second (QPS), and "top 10" data like GeoIP locations, top ASNs, and more. Refer to this article for a complete list of metrics analyzed by the DNS Insights agents.
NS1 provides you with Grafana dashboard templates that are optimized for analyzing DNS Insights data. Alternatively, you can use your preferred visualization tools to create dashboards.
A data sink refers to a single integration between the DNS Insights agents and your TSDB. You can have multiple data sinks, each corresponding to a single TSDB. During intial setup, you will create a data sink containing the credentials for your Prometheus (or Prometheus-compatible)database. This information is passed securely to NS1 who will complete the data sink configuration.
A policy is a set of rules determining which data is collected and processed by the DNS Insights agents. By default, all DNS Insights customers have access to the following predefined policies:
MDNSi-{customerID}-All - Processes all DNS queries received at NS1's Managed DNS PoPs for all zones configured in your account
DDNSi-All - Processes all DNS queries received at each of your Dedicated DNS servers. Only available to customers with Dedicated DNS.
Additionally, each customer can request additional custom policies to be configured by the NS1 team as specified in your contract. For example, you can request a policy to collect data related to the following:
a specific query name,
a specific domain name suffix,
a list of query names or suffixes,
a specific response code (e.g., NXD),
responses with an empty answer (as in, no answer responses), or
combinations of the above.
When viewing data in the Grafana dashboard, you will select a policy that filters the data shown based on the defined parameters and configuration settings.
Each DNS Insights agent collects various data from the NS1 DNS servers, including DNS metrics (layer 5+) and network-related metrics (layers 3 and 4). The agents send the data to the TSDB every 60 seconds before clearing and starting again. You can view this minute-by-minute breakdown in the line charts, but note that other data shown (such as lists, counts, and pie charts) display data according to the overall time range selected at the top (right) of the page. Refer to this article for a list of metrics collected by the DNS Insights agents.
Each DNS Insights agent in your network sends a time series data stream to your TSDB. For Dedicated DNS networks, the combined rate at which data is sent by all agents is estimated to be between 1,000 to 1,250 metric series per minute.* For Managed DNS networks, this rate is 10,000 to 13,000 metric series per minute. If you are using Grafana Cloud, note that the Grafana Cloud platform uses “active series” to calculate metrics for billing purposes. To estimate the active series billing metric, add the total number of metric series per minute for all policies and multiply by three. For example, if you have one Dedicated DNS policy (at a rate of 1,250 metric series per minute) and one Managed DNS policy (at a rate of 13,000 metric series per minute), then the active series metric used by Grafana Cloud for billing purposes is estimated to be 42,750 — that is, (1,250 + 13,000) x 3 = 42,750. Refer to Grafana documentation for details regarding their billing calculation process.
*The estimated data rate for Dedicated DNS networks (1,250 metric series per minute) is based on a five-PoP deployment (as in, five agents). If your Dedicated network contains more than five PoPs, add 250 to the total rate for each additional agent. In other words, if your Dedicated network contains six PoPs, for example, you would use an estimated rate of 1,500 in your calculations.
Note
Before you begin, you must contact NS1 to enable DNS Insights on your account.
During initial implementation, you will create a data sink containing the credentials for the TSDB to which DNS Insights agents will push data. NS1 will use this information to complete the data sink configuration.
If using Grafana for data visualization, you can load the Grafana dashboard provided by NS1 to view DNS Insights data. Alternatively, you can configure your dashboards using your preferred data visualization tools.
Option 1: Grafana Cloud (via Prometheus data source)
Option 2: Grafana Enterprise Stack (via Prometheus data source)
Option 3: Grafana and Prometheus (open-source)
Option 4: Other TSDB that supports Prometheus "remote write" (connected to your preferred data visualization tool)
Implementation details may vary depending on the option you choose.
Warning
If using a TSDB other than Prometheus via Grafana Cloud, open-source versions of Grafana, or Grafana Enterprise, you will need to develop your dashboard and analytical tools. NS1’s ability to support you may be limited.
Before you begin, consider the following:
You must have a Prometheus or Prometheus-compatible TSDB which supports “remote write” functionality.
If using Grafana as your data visualization tool, you must add Prometheus to the appropriate Grafana stack.
NS1 DNS Insights supports basic authentication for connections to Prometheus instances. When configuring the integration, you will enter the relevant Prometheus API credentials to enable data pushing from NS1 agents to your TSDB. If you are using a TSDB other than Prometheus, you must work directly with NS1 to determine which credentials are required for implementation.
Follow the instructions below to configure the DNS Insights integration to begin pushing data to your TSDB and then importing the dashboard(s) to view the collected data in Grafana.
Note
The instructions below reflect the implementation process for Grafana Cloud customers utilizing the built-in Prometheus TSDB. Instructions will vary for those using Grafana Enterprise, open-sourced versions of Grafana and Prometheus, or another TSDB.
Note
Skip this step if you already configured the Prometheus "remote write" endpoint. Upon creating an account, Grafana will walk you through the creation of a stack, including the Prometheus remote write endpoint, so you may already have one.
-
Log into the Grafana Labs portal.
-
Click an existing stack (or click + Add Stack to create a new stack) on the left sidebar to view and manage the applications within your Grafana stack.
-
Next to the Prometheus application card, click Send Metrics.
The Prometheus instance configuration page displays the URL for the remote write endpoint and your Prometheus username (instance ID).
Note
Note the name of this Prometheus data source at the top of the page. You must select it when importing the DNS Insights dashboard.
-
Scroll down to "Password/API key" and click Generate now.
-
In the "Create an API key" window, enter an API key name (e.g., "ns1_dns_insights_push").
Under "Role," select MetricsPublisher.
-
Click Create API key, and then record the autogenerated API key secret. You must apply this token on the NS1 platform during the initial configuration.
Click Close.
Scroll down to the "Sending Metrics" section. Copy the code under "Prometheus remote_write Configuration" and save the code snippet. The code includes the credentials necessary for NS1 to configure DNS Insights in the next step.
Using the information gathered in the previous step, create a new data sink via the NS1 portal or API. This information is then passed securely to the NS1 team to complete the configuration and to start pushing data from the agents to your TSDB.
Note
Grafana users must provide NS1 with the username (instance ID), password (API key), and the remote write endpoint URL for the relevant Prometheus instance. If you are using a TSDB other than Prometheus, work with the NS1 team directly to identify the necessary credentials for setup.
Follow the steps below to add the DNS Insights integration (effectively, sharing your credentials with NS1 so that we can complete the configuration) via the NS1 portal.
-
Log into the NS1 portal (https://my.nsone.net) and navigate to DNS > DNS Insights.
-
In the "Add integration" dialog box, enter the following information:
Next to Name, enter a name for the integration (for your internal reference only).
Under Integration type, select DNS Insights from the drop-down.
Under DNS Insights credentials, under Sink type, select Prometheus from the drop-down.
Enter your Username / instance ID for the Prometheus instance within your Grafana stack.
Enter the Password / API key for your Prometheus instance configured in Step 1.
Click Add integration.
A green banner indicates the integration was created successfully and your credentials have been shared with the NS1 team.
NS1 will configure your data sink and the relevant policies with this information. Typically, this takes up to one business day. Once complete, you will receive an email from NS1 customer support.
Run the PUT request below to create the DNS Insights integration (effectively, sharing your credentials with NS1 so that we can complete the configuration) via the NS1 API. Note that you must include a valid NS1 API key in the request header.
curl -X PUT -H "X-NSONE-Key: $NSONE_API_KEY" -d ' { "name": "string", "backend": "prometheus", "description": "string", "config": { "remote_host": "example.com", "username": "string", "password": "string" } }' https://api.nsone.net/v1/insights/sinks
Request body parameters:
name string |
(Required) Name of this data sink for internal reference |
description string |
A description of this data sink for internal reference. |
backend string (enum) |
(Required) Indicates the TSDB to which the DNS Insights agents will send data. Currently, the only supported value is "prometheus". |
config object |
(Required) Object containing details and credentials for your TSDB. |
remote_host string |
(Required) URL for the Prometheus remote host to which DNS Insights agents will send metrics. |
username string |
(Required) Your Prometheus username. |
password string |
(Required) A valid API key to access your Prometheus database. If using Grafana, note that the API key must have the “MetricsPublisher” role enabled. |
Follow the steps below to import the DNS Insights dashboard provided by NS1 into your Grafana application.
Note
The screenshots below are of the Grafana Cloud portal; however, the import process is similar for Grafana Enterprise and open-source users.
-
Log into the Grafana Cloud portal or your hosted Grafana instance.
-
Click the + (add) icon from the toolbar on the left and select the Import option.
-
Under "Import via grafana.com," enter the dashboard ID for the relevant DNS Insights dashboard.
Enter 17170 for the primary DNS Insights dashboard, which includes all general, DNS-related metrics.
Enter 17171 for the DNS Insights dashboard, which focuses on DNS metrics related to detecting DDOS attacks.
Click Load.
Under Theranos Query Frontend, select the name of the relevant Prometheus data source from the drop-down menu. This is the Prometheus data source for which you generated an API key in step 1.
Click Import.
The imported dashboard appears.