Analyzing internet traffic can seem complicated, but it doesn’t have to be. Within Managed DNS reporting, anyone can become an expert at QPS reporting.
There are many different kinds of traffic patterns. But, just like solid and dashed lines on the roadways, each one means something different.
A steady trend in traffic over time, whether up or down, or daily ebbs and flows, is generally an indication of healthy, legitimate internet traffic. The analysis gets more interesting when we talk about sharp increases and spikes.
Regardless of the number of zones in the account, there is a quick way to see which is causing the increase. First, navigate into the Managed DNS portal, then under View Reports, select Zone Graph. This graph will display the total QPS for all zones in the account, and will look something like the below. In the graph, the purple zone is displaying the highest QPS, leading us to the assumption that this is the query driver for the account, and likely the cause of the increase.
(Tip: Make sure to hover over each zone section to ensure you’re looking at the zone with the highest QPS value.)
Sharp increases are usually not malicious traffic, but instead are the result of some sort of change. A common cause of this is a change to the Time to Live, or TTL, within records on the zone. This value, which exists on every DNS record, determines how long a resolver will cache record data. A higher TTL means fewer queries, and a lower TTL means more. When making changes to core infrastructure, some users lower record TTLs to ensure a faster propagation time. If you stumble upon something that looks like the below, before thinking that a malicious IoT device has launched a DDoS against your endpoints, take a quick peek at the zone notes around the time that the increase started. Chances are, someone has made a TTL change on your side.
To narrow in on the increase further, we can check the zone notes for the zone. This can be done by navigating into the zone within the Managed DNS portal, then selecting “View Zone Notes” next to the zone. By lining up the times of the sharp increase and the timestamps in the zone notes, we can see if any changes have been made to the TTL, or if records have been added or consolidated. Any of these changes can result in a sharp increase.
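As an added example (not the vendor's code or anything from the portal), the following Python sketch walks the workflow above on constructed data: pick the query-driving zone, tell a sustained increase from a short spike, line the change point up with zone-note timestamps, and compare the observed jump with what a TTL change would predict. The zone names, QPS samples, timestamps and zone notes are all made up for the example.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample: hourly QPS per zone for a hypothetical account.
QPS = {
    "example.com": [100, 102, 98, 101, 99, 100, 300, 305, 298, 302, 299, 301],
    "example.net": [20, 21, 19, 20, 22, 20, 21, 20, 19, 21, 20, 20],
    "example.org": [5, 5, 4, 6, 5, 5, 5, 4, 80, 5, 5, 5],
}
T0 = datetime(2024, 1, 1, 0, 0)  # constructed time of the first sample

# Constructed zone notes, in the shape a zone-notes view would list them.
ZONE_NOTES = {
    "example.com": [(datetime(2024, 1, 1, 5, 40), "TTL changed 3600 -> 1200 on www A record")],
    "example.org": [],
}

def top_zone(qps):
    """The zone with the highest average QPS: the query driver for the account."""
    return max(qps, key=lambda zone: mean(qps[zone]))

def classify(series, factor=2.0):
    """Return ('steady', None), ('increase', idx) or ('spike', idx).
    The first sample at least `factor` times the trailing baseline marks a
    change; if the level stays up afterwards it is an increase, otherwise a spike."""
    for i in range(1, len(series)):
        base = mean(series[:i])
        if series[i] >= factor * base:
            after = series[i + 1:]
            if after and mean(after) >= factor * base:
                return ("increase", i)
            return ("spike", i)
    return ("steady", None)

def notes_near(zone, idx, window=timedelta(hours=1)):
    """Zone notes whose timestamp falls within `window` of the change point."""
    t = T0 + timedelta(hours=idx)
    return [note for (ts, note) in ZONE_NOTES.get(zone, []) if abs(ts - t) <= window]

def observed_multiplier(series, idx):
    """How much the level rose at the change point (after / before)."""
    return mean(series[idx:]) / mean(series[:idx])

def ttl_multiplier(old_ttl, new_ttl):
    """Rough QPS multiplier a TTL change predicts: resolvers refresh about
    old/new times as often, assuming the traffic is cache-refresh driven."""
    return old_ttl / new_ttl
```

For the constructed data the jump on example.com (about 3x) matches the 3600 -> 1200 TTL note logged twenty minutes before it, while example.org shows a one-sample spike with no matching note.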
Bad Spike! Get Down!
Spikes are a very different ball game than increases. Generally, a quick, large spike in QPS is unusual traffic. Malicious spikes in traffic are generally very quick, but Managed DNS reporting can help you identify them.
First, we will again want to identify the zone that received the influx of DNS traffic. This is done with the Zone Graph, using the same steps used in the increase section above. Once the zone has been identified, as well as the timeframe, the best way to identify the traffic that caused the spike is to reach out to our Technical Support Team. Simply let them know the zone and the timeframe in which you’re seeing the spike. They will be able to run a detailed report to tell you the exact hostname and record queried, and even the resolver that made the queries.
Analyzing traffic can yield more benefits than just understanding a spike in QPS. Knowing query driving zones in your account, as well as the traffic patterns over time, can help a team best plan when to perform maintenance. While regularly analyzing your traffic may not be necessary, when it comes time to look into an increase, or plan the next phase in a migration, understanding how to read QPS graphs can be a lifesaver. With a bit of time and your best Humphrey Bogart investigative skills, any QPS pattern can be analyzed.