DNS Tests
DNS Server tests provide record validation and service performance metrics. Upon selecting a specific domain and the servers to be queried, agents will run DNS and network layer performance metrics for all targeted servers. Complete information is available in Using the DNS Server View.
Alert on incorrect DNS Record Mapping.
Measure DNS nameserver performance and availability.
Monitor network performance between agents and target servers.
Compare DNS results and performance from around the globe.
Verify GSLB and GeoDNS performance.
The example below depicts an iterative query made to authoritative servers for google.com:
Other included tests:
BGP test
Agent-to-server test
Large DNS zones are divided into smaller child zones, each with dedicated authoritative DNS servers. When a DNS request is made, the parent zone refers the request to the authoritative DNS server in the child zone. In this scenario, it is crucial that the parent server points DNS requests to the correct authoritative servers and that each authoritative server is correctly configured to assert authority. The DNS Trace test helps validate this critical delegation by verifying the delegation from each parent zone to its child zone.
Verify that delegation of DNS records between parent and child zones is being performed as expected.
Observe the DNS hierarchy of a target domain from various vantage points.
Below is the test validating a record for thousandeyes.com.
During a DNS trace test, it is possible that a non-authoritative answer is received from a server in the path. The explanation below provides further details on what is happening and why.
Normally, a failed DNS Trace test terminates with the following error:
For example:
This error is returned when:
an answer has not been received, and
no further referral data exists.
Successfully terminating a trace requires that the Answer section has one or more non-CNAME records and that the Authoritative Answer (AA) flag in the DNS header is set. Normally, when we have an answer, it comes from an authoritative nameserver, which sets the AA flag. So, what happens when an answer is received, but it’s from an unconfirmed source?
We have observed that the Answer section can be populated by non-authoritative nameservers (spoofed or otherwise) without AA being set. In that situation, a different error message is returned. Whenever there is a non-zero Answer section that does not contain either a CNAME, or a record matching the type of the target record, you’ll see an error message similar to the following example:
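The trace termination rules described above can be written as a small classifier over raw DNS response messages. This is an added illustration, not ThousandEyes code and not the error output referred to above; the function names, the result labels, and the treatment of NS records in the Authority section as referral data are assumptions made for the example.

```python
import struct

QR, AA = 0x8000, 0x0400            # response bit, Authoritative Answer bit
TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5

def skip_name(msg, off):
    """Return the offset just past an encoded (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:                 # root label terminates the name
            return off

def classify(msg):
    """Classify one DNS response seen during a trace (labels are assumed)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    sections = ([], [])                        # record types: Answer, Authority
    for types, count in zip(sections, (an, ns)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
    answer, authority = sections
    if answer and not flags & AA:
        return "non-authoritative answer"      # data present, source unconfirmed
    if any(t != TYPE_CNAME for t in answer):
        return "authoritative answer"          # trace terminates successfully
    if answer:
        return "cname only"                    # AA set, but no terminating record
    if TYPE_NS in authority:
        return "referral"                      # follow the delegation
    return "no answer, no referral"            # the failed-trace condition

# Helpers that build constructed sample messages (not captured traffic).
def name(n):
    return b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\0"

def rr(owner, rtype, rdata):
    return name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def message(flags, answers=(), authority=()):
    head = struct.pack("!6H", 0x1234, QR | flags, 1, len(answers), len(authority), 0)
    question = name("example.com") + struct.pack("!HH", TYPE_A, 1)
    return head + question + b"".join(answers) + b"".join(authority)
```

Calling `classify(message(0, [rr("example.com", TYPE_A, bytes([192, 0, 2, 10]))]))` returns `"non-authoritative answer"`, because the Answer section is populated while AA is clear.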
DNSSEC tests verify the digital signature of DNS resource records and hence validate the authenticity of resource records according to Domain Name System Security Extensions. A DNSSEC test adds security validation to a DNS trace test and complements it.
Verify valid DNS signatures are being sent out along with DNS records.
Validate DNS records based on DNSSEC.
Observe the DNSSEC Trust Chain and Data Chain.
Below is a sample DNSSEC test for the A record of dnssec-tools.org.