NS1’s primary DNS Insights dashboard template for Grafana (ID = 17170) provides an overview of your DNS network, including the number of PoPs, average queries per second (QPS), and other DNS traffic details.
The information displayed in the dashboard is filtered based on the policy you select (top left). You can also select from the list of agents corresponding roughly to each PoP. NS1 Managed DNS users can choose one or both anycast stripes per PoP. Each Managed DNS PoP is split into two separate anycast stripes to improve resiliency.
Each DNS Insights agent collects data and sends it to the TSDB every 60 seconds before clearing the data and starting again. You can view this minute-by-minute breakdown in the line charts, but note that other data shown (such as lists, counts, and pie charts) display data according to the overall time range selected at the top (right) of the page.
The first section provides an overview of the collected data based on the selected policy and other filter options. It presents the total number of reporting PoPs, the total number of packets processed, traffic distribution data (by PoP), average QPS, and the total number of queries within the specified time range.
The next section, DNS Details, presents the most active domains against your endpoints based on QPS, as well as the top error and response codes and top query types (i.e., types of records queried). Note that the time series charts include a “Count” value which is the number of data points in the chart for that item. For example, a count of 61 indicates the data point appeared 61 times (i.e., once per minute within the 1-hour time range).
Under DNS Top Domains, you can find a detailed list of top domains and subdomains by packet count.
The DNS Response Code Details section details the top 10 domain names to receive each response code (on one or more agents) within one minute over the entire reporting period.
Note
Some of the data sets displayed in the dashboard provide additional filters to reorganize the data for that particular data set. For example, in the screenshot above, you can click the filter next to “QNAME” to view an alphabetical list of the top 10 domains or click the filter next to “Total Responses” to arrange the list by the number of responses received. The individual data set filters do not impact any other data set presented in the dashboard.
Under DNS Traffic Details, you can view four graphs: (1) DNS queries & responses, (2) L3/L4 network protocols, (3) Top response / error codes, and (4) top requested query types (that is, record types).
The DNS Resolvers Details section provides information about the source of the DNS queries based on the source IP address. You can view the top IPv4 and IPv6 addresses, top geolocations, and the top ASNs. It’s important to note that the charts display only the top 10 IP addresses, geolocations, and ASNs observed within one minute by each agent.
Similarly, the next section, EDNS Client Subnet (ECS) Details provides information about the source of the top DNS queries based on the IP subnet embedded in the ECS portion of the DNS packet. Refer to this article for details.
Finally, the DNS Source Details section includes time series charts offering an alternative view of the same information presented in the previous two sections.
Hover over the charts to view a detailed breakdown of the data shown.
Additionally, NS1 offers a secondary Grafana dashboard template (ID = 17171) which highlights metrics that help detect DDoS attacks.