Upcoming Maintenance

We’re going to migrate DNS Check’s website to new hardware on Thursday, October 13th starting at 12:00 am UTC. We anticipate that this migration will cause 5-10 minutes of downtime for our website.

If you’re using our API for DNS record monitoring, then we recommend scheduling a maintenance window within your monitoring system which covers this window.

Feel free to contact us if you have any questions.

Continue reading Upcoming Maintenance »

Wildcard DNS Record Monitoring

Wildcard DNS records are used to serve requests for otherwise non-existent domain names.

For example, the following DNS zone file excerpt contains two non-wildcard A records along with a wildcard record:

; Name            Record Type     IP Address
example.com.      A               1.2.3.4
www.example.com.  A               1.2.3.4
*.example.com.    A               5.6.7.8

If you look up the www.example.com A record in the above recordset, you’ll receive a response of 1.2.3.4, since explicit records take precedence over wildcard records. If you look up the foo.example.com DNS record, you’ll receive a response of 5.6.7.8, since there is only a wildcard record for foo.example.com.

Wildcard DNS records are handy, but how do you monitor them? Two options come to mind:

The Classic Approach

Until recently, we would have recommended picking a couple random records which match the wildcard expression, and which you’re unlikely to ever create non-wildcard records for, then monitor them. For example, you could verify that the following records exist as a proxy for the *.example.com DNS record shown above:

; Name              Record Type     IP Address
foo.example.com.    A               5.6.7.8
bar.example.com.    A               5.6.7.8

The above approach works, but:

  1. It’s not obvious from looking at what’s being monitored that the two records are proxies for a wildcard record. I like my monitoring systems to be stupid-simple, so that if I get paged at 2 am, I’ll be able to easily tell in my half-asleep state what the problem is.
  2. You’re at the mercy of randomly selected records continuing to exist only as wildcard records.
  3. It’s more work to setup than the next option.

Check Wildcard DNS Records Directly

We recently added a feature to DNS Check which enables you to monitor wildcard DNS records directly. To use this feature, just enter the wildcard record’s name as it would appear in the zone file, including its asterisk (*):

New Wildcard DNS Record Form

In order to comply with RFC 4592, we support wildcards in the leftmost portion of the domain. So for example, you can use this feature to monitor *.example.com or *.foo.example.com, but not foo.*.example.com. This is similar to BIND’s treatment of wildcard records.

Here’s how this works behind the scenes once the monitored record is created:

Each time DNS Check tests a wildcard record, it generates a random 20-character string, then inserts it in place of the wildcard. For example, *.example.com may be replaced with jcjmwpdddykdmafpltbj.example.com. A new random string gets generated for each check, so if somehow a random sequence which is actually used by a non-wildcard record gets generated for one check, a different sequence will be generated for the next check.

We’ve added wildcard support to all of our supported DNS record types, including A, AAAA, CNAME, MX and NS records.

I hope this feature helps you to improve your DNS record monitoring. If aren’t already using DNS Check, please feel free to sign up for an account. Having an account enables you to import your entire zone file, then get notified automatically if any of your DNS records stop returning the value(s) that your zone file says they should. You can also individually add or edit DNS records that you wish to monitor.

Continue reading Wildcard DNS Record Monitoring »

Announcing DNS Check / Basecamp 3 Integration

DNS Check / Basecamp 3 Integration

We’re excited to announce that we’ve integrated DNS Check with Basecamp 3. This integration enables you to receive notifications in the Basecamp Campfire chat of your choice each time a DNS record transitions between passing and failing:

Example DNS Check Campfire Chat reporting on a DNS record that started failing, then passing

Integrating your DNS Check account with Basecamp 3 is simple, and only takes about a minute. See the DNS Check / Basecamp 3 integration Guide to get started.

Interested in trying out DNS Check’s DNS monitoring service, and our integration with Basecamp 3? Sign up for a free DNS Check account. Free accounts can monitor up to 10 DNS records and have no expiration date. You’re welcome to use your free account for as long as you like.

You can upgrade to a professional DNS Check account at any time to monitor additional DNS records, and enable advanced features, like the ability to query custom name servers, and monitor DNS load balancers.

Continue reading Announcing DNS Check / Basecamp 3 Integration »

DNS CNAME Load Balancer Monitoring

We’ve added CNAME DNS load balancer monitoring to DNS Check.

DNS load balancers distribute load for performance and/or redundancy purposes.

You can also use DNS Check to monitor A record and AAAA record based load balancers:

Check CNAME load balancer with DNS Check

Each load balancer check can be configured with up to ten IP addresses or CNAME records.

DNS load balancer monitoring is available for paid accounts only.

You can find more details on DNS load balancers, including information on how to monitor them on our Check DNS Load Balancer Records page.

Continue reading DNS CNAME Load Balancer Monitoring »

SPF Record Monitoring

We’ve added SPF resource record monitoring to DNS Check.

SPF records are used to control which IP addresses and services are authorized to send email for a domain name.

SPF records are unusual in that they can actually be published using either of the following resource record types:

  • TXT resource records - these are general purpose DNS records that map a domain to a string of text. These have a number of uses including SPF, DKIM and DMARC authentication.
  • SPF resource records - these are specialized DNS records that map a domain to a string of text for the purposes of SPF authentication

DNS Check has supported monitoring TXT resource records since June 2015, so technically, you could use our service to monitor SPF records that were published using TXT resource records before today. What we added in today was support for checking SPF resource records:

SPF Record Check

The historic recommendation was to publish SPF records using both the TXT and SPF resource record types. This has changed. RFC 72089 states that SPF records must be published as TXT resource records only.

We recommend following RFC 72089, and replacing your SPF resource records with TXT resource records. That said, you may have reasons for not making the switch immediately, so we support monitoring both resource record types.

You can find more information on SPF records, including information on how to monitor them on our Check DNS SPF Records page.

Continue reading SPF Record Monitoring »

Internationalized Domain Name (IDN) Monitoring with DNS Check and Punycode

We’ve added support for monitoring Internationalized Domain Names (IDNs) using DNS Check.

The DNS protocol uses ASCII characters to represent domain names. That works fine for domains which only contain English alphabet characters, but leaves many other languages short-changed.

Internationalized Domain Names (IDN) address this shortcoming by encoding non-ASCII characters. Punycode is used to encode Unicode characters into ASCII representations. For example, domaiñ.com contains a non-ASCII ñ character, so Punycode translates it to xn--domai-sta.com.

Modern web browsers usually perform the Punycode translation for you behind the scenes. Similarly, DNS Check will automatically apply Punycode encoding for you as you add domains using non-ASCII characters. Of if you’ve also encoded your domains, you can enter them in that format.

After each international domain is entered into DNS Check, it’s displayed using Punycode encoding. We’re doing this to reduce ambiguity, since different Unicode characters can look very similar to one another, or even to plain ASCII characters.

Continue reading Internationalized Domain Name (IDN) Monitoring with DNS Check and Punycode »

DNS Load Balancer Monitoring

We’ve added DNS load balancer monitoring to DNS Check.

DNS load balancers are used to distribute load for performance and/or redundancy purposes.

You can use DNS Check to monitor both A record and AAAA record based load balancers:

DNS Load Balancer Check

Each load balancer check can be configured with up to ten IP addresses.

DNS load balancer monitoring is available for paid accounts only.

You can find more details on DNS load balancers, including information on how to monitor them on our Check DNS Load Balancer Records page.

Continue reading DNS Load Balancer Monitoring »

Check Multiple DNS Name Servers

Paid DNS Check accounts have the ability to monitor custom name servers. Up to this point, each DNS record group has been limited to a single custom name server. This has meant that if you wanted to monitor multiple name servers, you would have to create a DNS record group for each.

Today we’ve increased the number of custom name servers that a DNS record group can have from 1 to 10.

What should a DNS monitoring service do when it’s configured to check multiple name servers, and provide a single pass/fail result? Here’s what we came up with:

  1. When multiple custom name servers are specified, DNS Check will randomize the order, then query them one by one until it receives a result. If the first response contains the expected record, the check passes. If the first response contains an error, or a different record than what was expected, the check fails.

  2. If a query receives no response within 5 seconds, then DNS Check will query the next name server in its randomized list. Note that we may adjust this timeout, or make it configurable in the future. 5 seconds is a long time to have to wait for a response to a DNS query.

    This means that if one of your name servers stops responding to queries entirely, DNS Check will move onto the next name server, and will not alert you about the issue unless it’s unable to communicate with any of your custom name servers.

    If you wish to be notified if any one of your name servers aren’t reachable, then you should continue to specify a single name server per DNS record group.

We’re excited to make this new functionality available, and are already thinking of ways to improve it. For example, we may make the 5 second query timeout mentioned above configurable, or add in an option to check all name servers, and report on issues encountered with any of them.

Feel free to send in a feature request if you have any suggestions for improvement.

Continue reading Check Multiple DNS Name Servers »

DNS ServFail Errors

DNS record lookups can fail for a number of reasons, the most common of which is due what’s called a “ServFail” error.

ServFail errors occur when there’s an error communicating with a DNS server. This could have a number of causes, including an error on the DNS server itself, or a temporary networking issue.

Fortunately, most domains use multiple authoritative DNS servers, so if there is a short-lived ServFail issue on one name server which doesn’t impact the others, DNS lookups should still work. That said, if a name server has chronic ServFail issues, we recommend investigating why. ServFail errors happen, but should be rare.

ServFail Errors and DNS Record Monitoring

Many of our customers use DNS Check to notify them via an email, page or chat bot when a monitored DNS record starts failing. Some of these customers want to be notified if there’s any kind of issue, but others would rather not be about ServFail issues, unless they persist.

Last year we introduced a feature for suppressing isolated ServFail notifications. This took the form of an account wide setting which when toggled on, suppressed notifications for ServFail errors unless two or more occurred in a row:

Suppress first ServFail notification

This feature was introduced to cut down on false positives. At the time, 57% of errors being reported were of the “ServFail” variety. The majority of these ServFail errors were resolved 5 minutes later, when the DNS record in question was next checked.

This feature had the desired impact. The number of ServFail related notifications plummeted, and for most users, the issue of ServFail related false positives disappeared.

Unfortunately, this didn’t completely resolve the situation for some customers who have DNS providers with… less than stellar uptime. I won’t call out specific DNS providers in this blog post, but there is a definite pattern in terms of which DNS providers have frequent ServFail errors.

Our Updated ServFail Notification Suppression Feature

To address this issue (on the DNS monitoring side, at least), we’ve replaced our old “Suppress first ServFail notification” setting with a new setting which allows you to suppress notifications for anywhere from 0 to 10 consecutive ServFail errors:

Suppress ServFail notifications

This setting has a default value of “1”, and can be adjusted from your Notification Settings page. I recommend keeping the default value in most situations, and adjusting it upward only as needed.

This setting does not have any impact on notifications for other types of lookup failures, such as the wrong value being returned for a DNS record. As long as you have notifications enabled, you’ll receive a notification the first time a non-ServFail error occurs.

Continue reading DNS ServFail Errors »

ALIAS and ANAME Record Monitoring

We’ve added ALIAS record monitoring to DNS Check.

An ALIAS record maps one DNS record to another of the same type. For example, you might use an ALIAS record to make the widgets.com A record resolve to the same IP address as the www.widgets.com A record:

ALIAS Record Check

ALIAS records have some similar use cases to CNAME records, with a few important differences:

  1. ALIAS records can be used for a domain’s APEX, or root. CNAME records cannot.

  2. ALIAS records require a single DNS lookup. CNAME records might require multiple lookups.

  3. ALIAS records apply to a single DNS record type. CNAME records apply to all record types.

  4. ALIAS records are non-standard records that are only supported by some DNS providers, like Amazon Route 53 and DNSimple. Some other DNS providers, like DNS Made Easy and easyDNS offer similar functionality using what they refer to as ANAME records. CNAME records, by contrast are a standard DNS record type supported by most DNS providers.

You can find more details on ALIAS records, including information on how to monitor them on our Check DNS ALIAS Records page.

We hope you find the ability to check ALIAS and ANAME records useful. Please feel free to contact us if you have any questions.

If you haven’t tried DNS Check yet, please sign up for a free account. Free accounts can check and monitor up to 10 DNS records at a time. If you’d like to check more than 10 DNS records, then you can upgrade to a paid account at any time. We’d love to earn your business.

Continue reading ALIAS and ANAME Record Monitoring »

Subscribe via RSS