Website unavailability, connection issues, and slow response times can often be traced to incorrect DNS configuration. A quick way to tell that DNS is the problem is when you cannot reach a website by its DNS name, for example www.wsj.com, but can reach the same server by IP address. Connecting by IP skips DNS resolution entirely, so the browser establishes the connection to the hosting server directly; note that for many sites this will not work in practice, because the web server uses the requested host name (virtual hosting, TLS SNI) to select the right site and certificate, so the IP test proves only that the server is reachable, not that the site works.
If you run into a scenario where your site does not load, you can find out whether the cause is a DNS configuration issue using just six simple automated tests.
1. DNS Delegation
The first test checks that the domain is properly delegated. The parent zone (.com) holds NS records that point to the name servers for the child zone (wsj.com); each of those name servers should in turn answer authoritatively for wsj.com and publish the same NS set. The check queries a .com name server for the NS records of wsj.com, then queries each listed child name server for its own NS records and compares the two sets. If the sets match and every server answers authoritatively, delegation is configured correctly. Delegation fails when the parent lists a server that does not know the zone (a lame delegation) or when the parent and child NS sets disagree.
2. Name Server
Once delegation has produced the list of name servers for the zone, each of them must answer queries for it. The test sends queries to every listed server over both UDP and TCP. If, for example, ns2.wsj.com does not respond over TCP, the test fails for that server; the usual causes are a name server that is not configured to listen on TCP port 53 or a firewall rule that permits only UDP/53. TCP is not optional: authoritative servers are required to support it (RFC 7766), and it is needed for responses that do not fit in a UDP datagram (including many DNSSEC-signed answers) and for zone transfers.
3. Serial Number
The check requests the Start of Authority (SOA) record from every name server that is authoritative for the zone. The SOA carries a serial number that secondary servers compare against the primary's to decide whether the zone has changed. If the serial is not incremented when the zone is edited, secondaries never pick up the change; if zone transfers are failing, the secondaries keep serving an older serial. The test compares the serial returned by each server; if all of them agree, the zone data is consistent across the name servers.
4. Start of Authority (SOA)
Every zone must have exactly one Start of Authority (SOA) record at its apex; it is what makes the listed name servers authoritative for the zone rather than merely caching or forwarding for it. If wsj.com is delegated to its own DNS servers, the wsj.com zone on those servers must contain an SOA record. An SOA record consists of:
- MNAME: the primary (master) name server for the zone
- RNAME: the mailbox of the administrator responsible for the zone (the first dot stands for the @)
- SERIAL: the version number that secondaries use to detect changes
- REFRESH and RETRY: how often secondaries check the primary for a new serial, and how soon they retry after a failed check
- EXPIRE: how long a secondary keeps serving the zone without reaching the primary before it stops answering authoritatively
- MINIMUM: the time-to-live (TTL) used for negative caching (how long a resolver may cache an NXDOMAIN answer)
The list of name servers that answer authoritatively for the zone is not part of the SOA; it is published in the zone's NS records.
5. Connectivity
Ensure that every name server for the zone is reachable so that websites stay available to end users. Network latency and packet loss between the resolver and the name servers show up as timeouts in this step. Check reachability of each name server (on UDP and TCP port 53) and that each one answers for the zone, to separate network problems from configuration issues.
6. DNSSEC
DNS Security Extensions (DNSSEC) add signatures at every level of the lookup: the root signs the DS record for .com, .com signs the DS record for wsj.com, and the wsj.com zone signs its own records with its DNSKEY. Validating resolvers follow this chain of trust and reject forged or tampered responses, which protects against cache poisoning and spoofed answers. The test checks that the chain is intact at every level (DS in the parent matches a DNSKEY in the child, signatures are valid and not expired), because a broken link makes validating resolvers return SERVFAIL for the whole zone. Note that DNSSEC does not prevent DDoS attacks; its larger responses can in fact be abused for amplification, so it should be deployed together with response rate limiting on the authoritative servers.
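To make tests 1 to 5 concrete, here is an added example (not code from the original article or from SolarWinds) that speaks raw DNS wire format with only the Python standard library: it builds a query, reads a response over TCP with the length prefix that test 2 depends on, decodes SOA and NS records for tests 3 and 4, and compares parent and child NS sets and per-server serials for tests 1 and 3. The names example.com, ns1/ns2/ns3.example.com and the SOA values are assumptions used to construct an offline sample response; query_tcp is the only function that touches the network.

```python
"""Helpers for DNS tests 1 to 5: delegation, TCP reachability, SOA serial
consistency, SOA parsing and connectivity. Standard library only (RFC 1035 wire format)."""
import socket
import struct

QTYPE = {"NS": 2, "SOA": 6}
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query, recursion desired, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                          # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg):
    """Return (rcode, answers); answers is a list of (name, type, rdata).
    NS rdata becomes a name, SOA rdata a dict keyed by SOA_FIELDS."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        start, off = off, off + rdlen
        if rtype == QTYPE["NS"]:
            rdata, _ = read_name(msg, start)
        elif rtype == QTYPE["SOA"]:
            mname, o = read_name(msg, start)
            rname, o = read_name(msg, o)
            rdata = dict(zip(SOA_FIELDS, (mname, rname) + struct.unpack("!IIIII", msg[o:o + 20])))
        else:
            rdata = msg[start:off]
        answers.append((name, rtype, rdata))
    return flags & 0x000F, answers


def query_tcp(server, name, qtype, timeout=3.0):
    """Tests 2 and 5: one query over TCP/53 with the RFC 7766 two-byte length prefix.
    Needs network access; a timeout or refused connection is the failure signal."""
    q = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        n = struct.unpack("!H", s.recv(2))[0]
        data = b""
        while len(data) < n:
            chunk = s.recv(n - len(data))
            if not chunk:
                raise ConnectionError("server closed TCP connection mid-response")
            data += chunk
    return parse_response(data)


def check_delegation(parent_ns, child_ns):
    """Test 1: the NS set the parent publishes must equal the NS set in the child zone."""
    parent = {n.lower() for n in parent_ns}
    child = {n.lower() for n in child_ns}
    return {"ok": parent == child,
            "missing_in_child": sorted(parent - child),
            "missing_in_parent": sorted(child - parent)}


def check_soa_serials(serial_by_server):
    """Test 3: every authoritative server should answer with the same SOA serial.
    Plain max() is used; RFC 1982 serial wraparound is not handled here."""
    newest = max(serial_by_server.values())
    stale = sorted(s for s, v in serial_by_server.items() if v != newest)
    return {"ok": not stale, "newest": newest, "stale": stale}


def sample_soa_response():
    """Constructed wire-format SOA answer for example.com (assumed values, not captured traffic)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, rcode 0
    question = encode_name("example.com.") + struct.pack("!HH", QTYPE["SOA"], 1)
    rdata = (encode_name("ns1.example.com.") + encode_name("hostmaster.example.com.")
             + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 3600))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["SOA"], 1, 3600, len(rdata)) + rdata
    return header + question + answer
```

To run the real checks, call query_tcp against a parent server and against each child server with qtype "NS", feed the two NS lists to check_delegation, then query each child server for "SOA" and pass the serials to check_soa_serials; a server that times out or refuses the TCP connection has already failed test 2.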
About the Author:
Karthik Ramchandran is a Sr. Product Marketing Specialist at SolarWinds working with the systems management product portfolio. Outside of work you can find Karthik tinkering with his road bike and looking for every opportunity to go on a long-distance ride, or engrossed in cooking shows or sports on TV.