DNS Tests
DNS Server tests provide record validation and service performance metrics. Upon selecting a specific domain and the servers to be queried, agents will run DNS and network layer performance metrics for all targeted servers. Complete information is available in Using the DNS Server View.
Alert on incorrect DNS Record Mapping.
Measure DNS nameserver performance and availability.
Monitor network performance between agents and target servers.
Compare DNS results and performance from around the globe.
Verify GSLB and GeoDNS performance.
The below example depicts an iterative query made to authoritative servers for google.com:
Other included tests:
BGP test
Agent-to-server test
Large DNS zones are divided into smaller child zones, each with dedicated authoritative DNS servers. When a DNS request is made, the parent zone refers the request to the authoritative DNS server in the child zone. In this scenario, it is crucial that the parent server points DNS requests to the correct authoritative servers and that the authoritative servers are correctly configured to assert authority. The DNS Trace test helps validate this critical delegation. A DNS Trace test will verify delegations from each parent zone to child zone.
Verify that the delegation of DNS records is being performed between parent and child zones as expected.
Observe the DNS hierarchy of a target domain from various vantage points.
Below is the test validating a record for thousandeyes.com.
During a DNS trace test, it is possible that a non-authoritative answer is received from a server in the path. The explanation below provides further details on what is happening and why.
Normally, a failed DNS Trace test terminates with the following error:
For example:
This error is returned when:
an answer has not been received, and
no further referral data exists.
To successfully terminate a trace requires that the Answer section has one or more non-CNAME records, and the Authoritative Answer (AA) flag in the DNS header is set. Normally, when we have an answer, the answer comes from an authoritative nameserver which will set the AA flag. So, what happens when an answer is received, but it’s from an unconfirmed source?
We have observed that the Answer section can be populated by non-authoritative nameservers (spoofed or otherwise) without AA being set. In that situation, a different error message is returned. Whenever there is a non-zero Answer section that does not contain either a CNAME, or a record matching the type of the target record, you’ll see an error message similar to the following example:
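The decision logic behind these trace outcomes can be sketched in a few lines. This is an added example, not ThousandEyes code: it parses a raw DNS response and classifies it by the AA flag, the Answer section and the referral data. The function names, the outcome labels and the sample messages are assumptions constructed for illustration.

```python
import struct

TYPE_NS, TYPE_CNAME = 2, 5
AA_FLAG = 0x0400  # Authoritative Answer bit in the header flags word

def skip_name(msg, off):
    """Return the offset just past a name (ends at root label or pointer)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def rr_types(msg, off, count):
    """Return the TYPE of each of `count` records at off, and the next offset."""
    types = []
    for _ in range(count):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen
    return types, off

def classify(msg):
    """Apply the trace termination rules to one raw DNS response."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    answers, off = rr_types(msg, off, an)
    authority, _ = rr_types(msg, off, ns)
    non_cname = [t for t in answers if t != TYPE_CNAME]
    if non_cname and flags & AA_FLAG:
        return "authoritative-answer"      # trace terminates successfully
    if non_cname:
        return "non-authoritative-answer"  # answer present but AA not set
    if answers:
        return "cname-only"                # not a terminating answer
    if TYPE_NS in authority:
        return "referral"                  # follow the delegation
    return "no-answer-no-referral"         # the failed-trace case

# Helpers that build constructed sample responses for example.com.
def name(s):
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\x00"
def rr(owner, rtype, rdata):
    return name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
def build(flags, answers=(), authority=()):
    head = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    body = b"".join(answers) + b"".join(authority)
    return head + name("example.com") + b"\x00\x01\x00\x01" + body
```

An A record returned with flags `0x8400` classifies as an authoritative answer, while the same record with flags `0x8000` (AA clear) is the unconfirmed-source case worth alerting on.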
DNSSEC tests verify the digital signature of DNS resource records and hence validate the authenticity of resource records according to Domain Name System Security Extensions. A DNSSEC test adds security validation to a DNS trace test and complements it.
Verify valid DNS signatures are being sent out along with DNS records.
Validate DNS records based on DNSSEC.
Observe the DNSSEC Trust Chain and Data Chain.
Below is a sample DNSSEC test for the A record of dnssec-tools.org.
Test Type: DNS trace, DNS server, or DNSSEC.
Test Name: This optional parameter gives the test a human-readable label. When no test name is provided in this field, the value in the Domain field is used as the test name. A test name cannot exceed 255 characters.
Domain: Three fields.
Domain name, entered in the format google.com. Do not enter a full URL, just the domain name itself.
Record class in the test query. Choose either IN or CH. (DNS server tests only)
Record type.
For example, choose AAAA to resolve a domain name which corresponds to an IPv6 address.
For PTR records the domain must be presented in its PTR record form. For example, the IP address 72.181.106.171 would need to be entered into the domain field in the form 171.106.181.72.in-addr.arpa. Note: Only /32 PTR lookups are supported.
Interval: How frequently this test will be run.
Agents: This drop-down lists the ThousandEyes Cloud Agents and (optionally) Enterprise Agents that are available to your account. Select one or more agents to assign them to this test.
DNS Servers (DNS server only): The DNS servers that are queried for the domain name in the Domain field. Click the Lookup Servers button to automatically populate the DNS Servers field with the authoritative name servers for the domain name in the Domain field. Note that the Lookup Servers button won't work if you specify a URL. You must specify a domain name.
Alerts: When the Enable box is checked, the alert rules selected in the drop-down list will be active for the test. You can select alert rules with the drop-down list, and create, modify and delete alert rules with the Edit Alert Rules link.
Advanced Settings (DNS server only): Provides configuration of an associated Network test for the target server(s), per the Network Test Advanced Settings tab, and provides the Send Recursive Queries check box to request recursive queries be sent to the target server(s). The default is to send queries without recursion.
DNS Domain Trace and DNSSEC tests return a map of locations showing availability by location for the DNS record requested, returning the average query time.
DNS server tests query the authoritative nameservers from each location, showing availability and resolution time by location. In addition to these metrics, network measurements can be enabled on DNS server tests, which provide access to network measurement details (and outputs) against each authoritative nameserver specified in the test.