The DNS (Domain Name System), defined in detail in RFCs 1034 and 1035, is key to the good performance of TCP/IP networks. It works in a hierarchical way; this means that if one of the DNS servers is misconfigured or compromised, the whole network that relies on it is also impacted. Although the DNS protocol is quite simple, it generates a significant number of issues: configuration issues, which affect the performance of the network, as well as security issues, which jeopardize the network's integrity.
The purpose of this article is to cover the main configuration issues you may encounter with DNS when it comes to network performance.
The DNS server(s) need very high availability to resolve into IP addresses all the names that applications on the network need in order to function properly. An overloaded DNS server will take some time to respond to a name request and will slow down all applications that have no DNS data in their cache. An analysis of the DNS flows on the network will reveal DNS performance malfunctions such as:
1- High DNS resolution times
If we observe that the mean time between the client request (for example, trying to resolve www.google.com into an IP address) and the server's response is significantly higher than the average (on a LAN it should remain close to 1 ms), it means that the DNS server has an issue with regard to the caching of DNS names. The cache makes it possible to resolve a name without asking the DNS server that has authority for the zone for the IP address corresponding to the name. Hence, if the response time is high, first the application will be slow from the user's point of view, and secondly it will induce an unnecessary consumption of bandwidth. This bandwidth will be wasted both on the LAN and on the Internet link (if we assume that the authoritative server sits on the Internet). In a fairly large organisation, the bandwidth used by DNS traffic will not be negligible and will represent an additional cost.
2- Hosts generating abnormal query volumes
If we establish the top hosts making DNS requests, it will be possible to pinpoint misconfigured clients that do not keep the DNS server's responses in a local cache; this approach makes it possible to distinguish between an issue coming from the user's workstation and one coming from the general functioning of the network. Please note that hosts making a very high volume of DNS requests may correspond to malicious behaviour; for example, some malware tries to establish connections to the Internet by resolving domain names, and sometimes the DNS protocol is used as a covert channel to exfiltrate information.
3- Hosts generating high error volumes
We can also look up the top hosts receiving the most DNS error messages (non-existent names, i.e. NXDOMAIN responses, etc.). This will also highlight misconfigured stations generating unnecessary traffic and lowering the overall network performance.
4- Updates between primary and secondary DNS servers
By analyzing the traffic coming from the DNS server, we can also verify that the updates between primary and secondary DNS servers behave as we expect. To do this, we need to identify the AXFR and IXFR transactions towards the authoritative server. If these updates occur too often (and therefore generate unnecessary traffic), we can conclude that there is an issue. If the bandwidth used is too large, it means that our DNS server requests a full zone transfer (AXFR) when an incremental transfer (IXFR) would have been more appropriate. If this is the case, the network administrator can take some easy steps to improve the network's performance.
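The four checks above are all computed from the same DNS capture, so here is one added example (not code from the original article) that implements them over constructed sample records: mean query-to-response time per client (point 1), the top querying hosts (point 2), the top receivers of error responses (point 3), and the AXFR/IXFR transfers between the local server and its authority (point 4). The record layout, the addresses (10.0.0.2 as the local caching server, 192.0.2.53 as the primary it transfers its zone from), the sample traffic and the 5 ms threshold are all assumptions made for the example; a real capture would first be exported to this layout with a tool such as tshark.

```python
"""Added example (not the article's code): analyse exported DNS flow records
for the four indicators discussed in the text. Record layout (constructed):
    time(s) src dst txid qtype Q|R rcode size(bytes)"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean

SERVER = "10.0.0.2"  # local caching DNS server under analysis (constructed)

# Constructed sample traffic, not captured data; rcode is "-" on queries.
# 192.0.2.53 is the authority (primary) server the local server transfers from.
SAMPLE_LOG = """\
0.000 10.0.0.11 10.0.0.2 1 A Q - 60
0.001 10.0.0.2 10.0.0.11 1 A R NOERROR 92
0.100 10.0.0.12 10.0.0.2 7 A Q - 60
0.145 10.0.0.2 10.0.0.12 7 A R NOERROR 92
0.200 10.0.0.12 10.0.0.2 8 A Q - 60
0.300 10.0.0.13 10.0.0.2 20 A Q - 58
0.302 10.0.0.2 10.0.0.13 20 A R NXDOMAIN 58
0.310 10.0.0.13 10.0.0.2 21 A Q - 58
0.312 10.0.0.2 10.0.0.13 21 A R NXDOMAIN 58
0.320 10.0.0.13 10.0.0.2 22 A Q - 58
0.322 10.0.0.2 10.0.0.13 22 A R NXDOMAIN 58
0.500 10.0.0.2 192.0.2.53 100 AXFR Q - 70
0.900 192.0.2.53 10.0.0.2 100 AXFR R NOERROR 48000
1.500 10.0.0.2 192.0.2.53 101 AXFR Q - 70
1.900 192.0.2.53 10.0.0.2 101 AXFR R NOERROR 48000
"""

@dataclass
class DnsRecord:
    ts: float          # capture time in seconds
    src: str
    dst: str
    txid: int          # DNS transaction id, pairs a query with its response
    qtype: str         # A, AAAA, AXFR, IXFR, ...
    is_response: bool
    rcode: str         # NOERROR, NXDOMAIN, ... ("" on queries)
    size: int          # bytes on the wire

def parse_log(text):
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, txid, qtype, qr, rcode, size = line.split()
        recs.append(DnsRecord(float(ts), src, dst, int(txid), qtype, qr == "R",
                              "" if rcode == "-" else rcode, int(size)))
    return recs

def resolution_times(recs, server):
    """{client: mean query-to-response time in ms} for queries sent to `server`,
    paired by transaction id; queries that never get an answer are left out."""
    pending, samples = {}, defaultdict(list)
    for r in recs:
        if not r.is_response and r.dst == server:
            pending[(r.src, r.txid)] = r.ts
        elif r.is_response and r.src == server:
            sent = pending.pop((r.dst, r.txid), None)
            if sent is not None:
                samples[r.dst].append((r.ts - sent) * 1000.0)
    return {client: mean(v) for client, v in samples.items()}

def slow_clients(mean_ms, threshold_ms=5.0):
    """Clients above the threshold, slowest first. Many slow clients point at
    the server (cache misses); a single one points at that client's queries."""
    return sorted(((c, t) for c, t in mean_ms.items() if t > threshold_ms),
                  key=lambda ct: ct[1], reverse=True)

def top_queriers(recs, n=5):
    """Hosts sending the most queries (indicator 2)."""
    return Counter(r.src for r in recs if not r.is_response).most_common(n)

def top_error_receivers(recs, n=5):
    """Hosts receiving the most error responses, e.g. NXDOMAIN (indicator 3)."""
    return Counter(r.dst for r in recs
                   if r.is_response and r.rcode not in ("", "NOERROR")).most_common(n)

def zone_transfers(recs):
    """Per (authority -> secondary) pair: AXFR/IXFR response counts and bytes
    (indicator 4). Repeated AXFRs with no IXFR means full transfers are used
    where incremental ones would be cheaper."""
    out = defaultdict(lambda: {"AXFR": 0, "IXFR": 0, "bytes": 0})
    for r in recs:
        if r.is_response and r.qtype in ("AXFR", "IXFR"):
            out[(r.src, r.dst)][r.qtype] += 1
            out[(r.src, r.dst)]["bytes"] += r.size
    return dict(out)

RECS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    times = resolution_times(RECS, SERVER)
    print("mean resolution ms:", {c: round(t, 1) for c, t in times.items()})
    print("slow clients:", slow_clients(times))
    print("top queriers:", top_queriers(RECS, 3))
    print("top error receivers:", top_error_receivers(RECS, 3))
    print("zone transfers:", zone_transfers(RECS))
```

On the constructed sample the script reports one client with a 45 ms mean (a cache miss answered from the Internet, while the other clients are served from cache in 1 to 2 ms), one host that produces nothing but NXDOMAIN responses and also sends the most queries, and two full AXFR transfers of 48000 bytes each with no IXFR in between, which is the pattern point 4 describes. Pairing on the transaction id rather than on packet order is what keeps an unanswered query (transaction 8 in the sample) from corrupting the timing of the next one.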