Where do DNS queries come from?
There seems to be some mystery about where DNS queries come from. This article will attempt to explain the source of your DNS queries.
DNS queries can be generated from many sources: website visitors, website crawlers, email, server monitoring, and so on.
Many people compare the results of their website analytics software to their DNS queries. As a general rule, this doesn’t provide a very good picture of DNS traffic. The reason is fairly simple: analytics systems generally report only on human website traffic. There’s a lot of non-human website traffic out there too (think Googlebot and its kin). There’s also a lot of non-web traffic.
Let’s break out the general categories of traffic.
1. Human website traffic
This is at least strongly related to website analytics. However, even then there is often a difference due to TTLs (time-to-live—the maximum cache time of a DNS record), asset hosts, and other things.
2. Non-human website traffic
This includes search engine crawlers (Googlebot, msnbot, etc.), malware crawlers (such as those that search for email addresses or comment forms to spam), and other automated traffic. A brand new domain that has never been registered before will generally not have a lot of this. However, an old domain (even if you just acquired it) may have significant traffic in this category.
3. Inbound email
Every attempt to send email to firstname.lastname@example.org will generate at least one DNS query. If you haven’t configured any email servers (MX records), it will often generate 2 or 3 DNS queries.
4. Outbound email
This might be surprising, but outbound email (email with yourdomain.com in the From line or anywhere else) often generates DNS queries. These can be confirmation of a reverse DNS lookup, lookups of SPF or DomainKeys records, sender validation, or other checks.
If spammers use your domain in a fake From address (aka joe-jobbing), which is fairly common, that will also generate these types of queries. You can often mitigate this by using a strong SPF record, that is, an SPF record that ends in “-all”. If you decide to add such a record, please make sure you fully understand the implications of strong SPF records first.
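One way to check whether a domain's SPF record is "strong" in the sense above, as an added example that is not part of the original article: the function takes the domain's TXT record strings and reports what happens to senders the record does not list. The function name and sample records are constructed for illustration; fetching the TXT records is left out so the block runs offline.

```python
# Added example: classify how an SPF record treats senders it does not list.
# spf_all_policy and the sample records are illustrative, not from the article.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_all_policy(txt_records):
    """Return the policy for senders not matched by any earlier mechanism.

    "fail" is the strong "-all" form. Other results: "softfail", "neutral",
    "pass", "redirect" (policy delegated to another domain), "none" (no
    terminal "all", so the default result is neutral), "no-spf", and
    "multiple-spf" (more than one v=spf1 record is a permanent error).
    """
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "no-spf"
    if len(spf) > 1:
        return "multiple-spf"
    saw_redirect = False
    for term in spf[0].split()[1:]:
        t = term.lower()
        # A mechanism without an explicit qualifier defaults to "+" (pass).
        qualifier, mech = (t[0], t[1:]) if t[0] in QUALIFIERS else ("+", t)
        if mech == "all":
            # "all" always matches, so terms after it are never evaluated
            # and a redirect= modifier is ignored when "all" is present.
            return QUALIFIERS[qualifier]
        if t.startswith("redirect="):
            saw_redirect = True
    return "redirect" if saw_redirect else "none"


if __name__ == "__main__":
    # Constructed sample TXT record sets for a hypothetical yourdomain.com.
    samples = [
        ["v=spf1 mx include:_spf.example.net -all"],
        ["site-verification=constructed", "v=spf1 a ~all"],
        ["v=spf1 mx"],
        ["v=spf1 redirect=_spf.example.net"],
    ]
    for records in samples:
        policy = spf_all_policy(records)
        note = "strong" if policy == "fail" else "not strong"
        print(f"{policy:9} ({note}): {records}")
```

Only a result of "fail" corresponds to the strong record described above; "softfail" and "neutral" leave the decision to the receiving server.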
5. Server monitoring
This could technically overlap with many of the above categories, but it deserves its own mention. Server monitoring checks (ping, HTTP, SMTP, etc.) are frequently not counted in any of the above categories because they are non-human connections, and often incomplete. For example, an SMTP check might only initiate contact with the email server, not actually send an email, usually causing it to be missed in any email stats.
Monitoring systems typically run 24 hours a day, so the DNS queries add up. Some monitoring platforms also intentionally avoid using cached DNS records, which can cause even more DNS queries.
The above list is not exhaustive—there are probably an infinite number of ways to generate DNS queries. However, even within the scope of the above, it’s not uncommon to see tens or hundreds of thousands of unexpected monthly DNS queries. In extreme cases, it can be even higher.