List of collected metrics
Each DNS Insights agent collects a variety of data from the NS1 DNS servers, including DNS metrics (layer 5+) and network-related metrics (layers 3 and 4). The agents send the data to the TSDB every 60 seconds before clearing and starting again. You can view this minute-by-minute breakdown in the line charts, but note that other data shown (such as lists, counts, and pie charts) display data according to the overall time range selected at the top (right) of the page.
DNS metrics
The table below provides a list of DNS metrics collected and visible using the DNS Insights dashboards. Note that the metrics shown in the dashboard are based on the selected policy and time range. Each of these metrics is collected and reported every minute by every agent.
| Metric | Description |
|---|---|
dns_wire_packets_queries |
# DNS queries
Total number of DNS packets identified as queries. |
dns_wire_packets_replies |
# DNS replies
Total number of DNS packets identified as DNS replies (responses). |
dns_wire_packets_udp |
# DNS wire packets over UDP
Total number of DNS packets received using UDP transport. |
dns_wire_packets_tcp |
# DNS wire packets over TCP
Total number of DNS packets received using TCP transport. |
dns_wire_packets_ipv4 |
# DNS wire packets over IPv4
Total number of DNS packets received using IPv4 addresses. |
dns_wire_packets_ipv6 |
# DNS wire packets over IPv6
Total number of DNS packets received using IPv6 addresses. |
dns_wire_packets_nxdomain |
# DNS wire packets flagged as NXDOMAIN
Total number of DNS response packets flagged as “reply with response code NXDOMAIN”. |
dns_wire_packets_refused |
# DNS wire packets flagged as REFUSED
Total number of DNS response packets flagged as “reply with response code REFUSED”. |
dns_wire_packets_srvfail |
# DNS wire packets flagged as SRVFAIL
Total number of DNS response packets flagged as “reply with response code SRVFAIL”. |
dns_wire_packets_noerror |
# DNS wire packets flagged as NOERROR
Total number of DNS response packets flagged as “reply with response code NOERROR”. |
dns_wire_packets_nodata |
# DNS wire packets flagged as NOERROR (and not data in the response)
Total number of DNS response packets flagged as “reply with response code NOERROR” and no data in the response (NODATA). |
dns_top_refused |
# DNS wire packets flagged as REFUSED
Number of DNS response packets for the specified QName with the response code “REFUSED”. |
dns_cardinality_qname |
# Unique QNames (ingress and egress)
Total number of unique QNames in queries and responses. |
dns_top_qname2 |
Top QNames (depth of 2 labels)
Ordered list of top 10 QNames (summarized based on domain, and TLD; e.g., example.com) arranged from highest to lowest packet count. |
dns_top_qname3 |
Top QNames (depth of 3 labels)
Ordered list of top 10 QNames (including subdomains; e.g., sub.example.com) arranged from highest to lowest packet count. |
dns_top_geo_loc_ecs |
Top ECS GeoIP locations
Ordered list of the top 10 ECS-based geographic location codes arranged from highest to lowest packet count. |
dns_top_asn_ecs |
Top ECS ASNs
Ordered list of the top 10 ECS-based Autonomous System Numbers (ASNs) arranged from highest to lowest packet count. |
dns_top_qtype |
Top QTypes
Ordered list of the top 10 query types (QTypes) — that is, the top 10 record types queried. |
dns_top_query_ecs |
Top EDNS client subnets
Ordered list of the top 10 IPv4 subnets in /24 notation (e.g., 192.168.2.0) based on the total number of packets observed. |
dns_top_rcode |
Top RCODEs
Ordered list of the top 10 response codes observed. |
dns_rates_total |
Rate of all DNS packets (packets per second)
Rate of DNS packets in packets per second (pps) for the 0.5, 0.9, 0.95, and 0.99 quantiles. |
dns_top_nodata |
Top QNames with response code NOERROR and no data (NODATA)
Ordered list of QNames by the number of DNS packets observed with response code NOERROR and no data in the reply (NODATA). |
dns_top_nxdomain |
Top QNames with response code NXDOMAIN
Ordered list of QNames by the number of DNS packets observed with response code NXDOMAIN. |
dns_top_srvfail |
Top QNames with response code SRVFAIL
Ordered list of QNames by the number of DNS packets observed with response code SRVFAIL. |
dns_wire_packets_events |
# DNS packets
Total number of DNS packets sent to the DNS handler before filtering. |
dns_wire_packets_query |
# DNS packets flagged as a query
Total number of DNS packets identified as DNS queries. |
dns_wire_packets_query_ecs |
# DNS packets with ECS option enabled
Number of DNS packets observed with the EDNS client subnet (ECS) option enabled. |
Network metrics
The list below represents the network-related metrics (layers 3 and 4) captured within the DNS Insights dashboard.
| Metric | Description |
|---|---|
packets_cardinality_src_ips_in |
# Unique source IPs
Number of unique source IP addresses (for both IPv4 and IPv6). |
packets_cardinality_dst_ips_out |
# Unique destination IPs
Number of unique destination IP addresses (for both IPv4 and IPv6). |
packets_events |
# Packets sent
Number of packets sent to the network handler before filtered by the selected policy. |
packets_top_geoLoc |
Top GeoIP locations
Ordered list of the top geographic location codes of the source and destination IP addresses in the observed DNS packets, arranged from highest to lowest network packet count. |
packets_top_ASN |
Top ASNs
Ordered list of the top Autonomous System Numbers (ASNs) of the source and destination IP addresses in the observed DNS packets, arranged from highest to lowest network packet count. |
packets_top_ipv4 |
Top IPv4 addresses
Ordered list of the top 10 IPv4 addresses observed, arranged from highest to lowest network packet count. |
packets_top_ipv6 |
Top IPv6 addresses
Ordered list of the top 10 IPv6 addresses observed arranged from highest to lowest network packet count. |
packets_udp |
# UDP packets
Number of UDP network packets observed within 60 seconds. |
packets_tcp |
# TCP packets
Number of TCP network packets observed within 60 seconds. |
packets_ipv4 |
# IPv4 packets
Number of IPv4 network packets observed within 60 seconds. |
packets_ipv6 |
# IPv6 packets
Number of IPv6 network packets observed within 60 seconds. |
packets_in |
# Ingress packets
Number of ingress (inbound) network packets ( IPv4 and IPv6) observed within 60 seconds. |
packets_out |
# Egress packets
Number of egress (outbound) network packets (IPv4 and IPv6) observed within 60 seconds. |
packets_deep_samples |
# Packets sampled for deep inspection
Total number of network packets (IPv4 and IPv6) analyzed for deep inspection. Under high traffic volume, the NS1 agents will sample packets for deep inspection to avoid running behind. As it does, this metric will begin to drop to a value lower than the packets_total above. |
packets_rates_pps_in |
Rate of ingress packets (packets per second)
Rate of ingress network packets in packets per second (pps) for the 0.5, 0.9, 0.95, and 0.99 quantiles. |
packets_rates_pps_out |
Rate of egress packets (packets per second)
Rate of egress network packets in packets per second (pps) for the 0.5, 0.9, 0.95, and 0.99 quantiles. |
packets_rates_pps_total |
Rate of all packets (packets per second)
Rate of all network packets, in packets per second, for the 0.5, 0.9, 0.95, and 0.99 quantiles. |
packets_rates_bytes_in |
Rate of ingress packets (bytes per second)
Rate of ingress network packets in bytes per second for the 0.5, 0.9, 0.95, and 0.99 quantiles. |
packets_rates_bytes_out |
Rate of egress packets (bytes per second)
Rate of egress network packets in bytes per second for the 0.5, 0.9, 0.95, and 0.99 quantiles. |