As IT Operations teams are well aware, DNS issues can mean big problems. SaaS applications rely on successful DNS resolution to connect users to the correct servers. If there are delays or failures with that DNS resolution, users may experience downtime or poor performance. To assure quality user experiences and protect your brand reputation, your ITOps team needs to be able to quickly spot and mitigate any DNS issues.
However, without robust DNS performance visibility, it’s challenging to know what piece of the very complex puzzle is causing a problem. That’s why monitoring and tracing DNS hierarchy performance is crucial for helping maintain the reliability, security, and performance of your DNS services.
The ThousandEyes DNS trace test, a synthetic test that validates the full DNS hierarchy for a specified DNS domain, offers ITOps teams a valuable resource in these efforts to deliver quality digital experiences. This test can help detect latency issues, misconfigurations, or failures in DNS records (e.g., CNAME, A, MX) that could disrupt access to your critical business applications.
Read on to learn more about DNS trace tests, or if you’re ready to get started, skip ahead to the step-by-step configuration instructions under “How To Get Started With DNS Trace Tests.”
Benefits of DNS Trace Tests
DNS trace tests offer three key benefits:
1. Optimizing Performance
Measuring DNS lookup times and their contribution to application load times can ultimately help enterprises choose faster, more reliable DNS services.
For example, enterprises relying on multiple DNS providers (e.g., cloud-based, ISP, internal DNS resolvers) must ensure compliance with any defined service-level agreements (SLAs), including those between the enterprise and its service provider and those covering its own internal service performance. ThousandEyes’ DNS assurance provides historical performance data to validate whether DNS resolution times are meeting business SLAs.
With regard to continuous optimization goals, DNS resolution should be tuned to direct users to the content server offering the best performance, whether that is the nearest SaaS server or the server where relevant content is cached. This helps ensure geographically optimized application performance. By identifying misrouted DNS requests, ITOps teams can work to improve existing load balancing strategies, resulting in better user experiences.
2. Supporting Security Efforts
ThousandEyes DNS visibility and its DNS trace tests also offer important security benefits. The ongoing monitoring provided by a DNS trace can detect things such as DNS hijacking or unauthorized DNS changes, which can signal attempted phishing attacks or even malware infiltration. DNS trace tests can help identify suspicious or high-latency queries, assisting with uncovering potential distributed denial-of-service (DDoS) attacks targeting DNS servers. The ThousandEyes DNS server test is also a powerful tool for diagnosing these types of reachability issues.
3. Understanding Dependencies
Let’s not forget the complexity of application dependencies in today’s SaaS applications. These applications commonly rely on many third-party services like CDNs, APIs, and cloud hosting services—each with its own DNS resolution path. Tracing dependencies can give enterprises a deeper understanding of how external providers are impacting the overall performance and reliability of their SaaS stack.
How DNS Trace Tests Work
ThousandEyes DNS trace tests validate the full DNS hierarchy: root name server, top-level domain (TLD), and authoritative name server. By tracing DNS queries across each level of that hierarchy, IT teams can pinpoint bottlenecks, propagation delays, or DNS provider issues. DNS trace tests, combined with ThousandEyes web-layer tests, network tests, and DNS server tests, can provide a multi-layered view. This layered visibility helps distinguish whether an issue stems from a DNS resolution failure or another source, such as a network problem or an issue with the SaaS provider’s infrastructure.
ThousandEyes DNS trace tests collect a variety of useful datapoints and metrics, including:
- Availability
- Final Query Time
- Mappings
- Failed Queries vs. Total Queries
- Final Server Queried

Let’s briefly walk through each of these metrics and the benefits provided.
Availability measures whether the DNS resolution process is successful and if a domain is reachable. This is your first watermark to gauge the ongoing performance of your DNS services. The Availability measurement helps ensure that the SaaS applications are accessible and detects downtime due to DNS failures. This metric can be used to quickly identify sporadic failures and to assess trends in availability issues that could indicate misconfigurations or provider outages.
Final Query Time refers to the total time taken to resolve the domain name (i.e., from the initial query to receiving the final response from the authoritative name server). This metric can help diagnose latency issues in DNS resolution that may affect SaaS application load times, such as detecting performance degradations from slow recursive resolvers or issues with the authoritative name servers themselves. This information can be used to guide optimizations, such as switching to a faster DNS provider or using local caching to speed up lookups.
Mappings refers to the address returned, for example, the DNS A record for a CNAME record query (e.g., login.mso.msidentity.com) or the IP address of an A record query. Verifying that the correct address was returned helps prevent issues with DNS misconfigurations.
This data can also help detect unauthorized DNS changes that could indicate DNS hijacking or man-in-the-middle attacks. These datapoints are therefore useful in validating that SaaS applications are resolving to your expected infrastructure and not to an incorrect or outdated IP or CNAME record.
Failed Queries represent the total number of failed DNS resolution attempts, and can be compared with the baseline of the Total Queries metric. This data point identifies trends in potential DNS outages, misconfigurations, or service disruptions.
For example, this metric helps detect problems like network congestion or attack patterns such as those seen with DNS amplification DDoS attacks, and ultimately alerts IT teams to possible ISP or resolver failures affecting your users.
Final Server Queried is a useful data point that indicates the last authoritative DNS server that responded to the query (e.g., ns4-38.azure-dns.info). Knowing this information helps teams identify whether queries are being routed to the expected authoritative server, confirming correct DNS delegation.
For example, the Final Server Queried metric can be used to:
- Detect failover scenarios, helping ensure that redundant name servers are properly handling your requests
- Help diagnose propagation issues if queries are not resolving from expected servers
Real-world Use Cases
There are two high-level use cases where you’ll find DNS trace tests especially helpful:
1. When you own the target domain and want to validate that it’s working properly.
2. When you’re an enterprise and want to test that a domain works from your own campus or data center, as a reference to your ThousandEyes internal DNS server tests. For example, you want to know if microsoft.com works from your data center. Pairing each DNS server test for a SaaS or other public FQDN 1:1 with a DNS trace test for the SaaS or other public domain gives a combined view that provides a detailed DNS perspective from each location for which you’re responsible.
DNS trace tests find the authoritative name servers for you. As a result, these tests are particularly important if you are using third-party DNS services, that is, when you are outsourcing the hosting of DNS, its maintenance, and capabilities to a vendor.
These tests can provide useful functions such as DNS naming hierarchy monitoring or CNAME trace monitoring. The latter is particularly helpful, given that tools such as the dig +trace utility do not follow CNAMEs.
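The hierarchy walk and the CNAME point above, as an added example that is not ThousandEyes code: an iterative trace over a constructed in-memory hierarchy (reserved .example/.test names, hypothetical server names). Restarting at the root for each alias is this example's own choice; with `follow_cnames=False` the trace stops at the alias and returns no address.

```python
# Constructed hierarchy (reserved .example/.test names, RFC 5737 address).
# Each server maps an owner name to (record type, value); "NS" is a referral.
ROOT = "root-server."
SERVERS = {
    ROOT: {"example.": ("NS", "a.nic.example."),
           "test.": ("NS", "a.nic.test.")},
    "a.nic.example.": {"corp.example.": ("NS", "ns1.corp.example.")},
    "a.nic.test.": {"cdn.test.": ("NS", "ns1.cdn.test.")},
    "ns1.corp.example.": {"app.corp.example.": ("CNAME", "edge.cdn.test.")},
    "ns1.cdn.test.": {"edge.cdn.test.": ("A", ["192.0.2.10"])},
}

def lookup(server, qname):
    """Answer as a non-recursive server: exact record, else closest referral."""
    zone = SERVERS[server]
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        rec = zone.get(".".join(labels[i:]))
        # i == 0 is the queried name itself; parent names only count as referrals.
        if rec and (i == 0 or rec[0] == "NS"):
            return rec
    return ("NXDOMAIN", None)

def trace(qname, follow_cnames=True, max_hops=20):
    """Walk root -> TLD -> authoritative, optionally re-tracing each CNAME target."""
    server, chain, hops = ROOT, [qname], []
    while len(hops) < max_hops:
        rtype, value = lookup(server, qname)
        hops.append((server, qname, rtype))
        if rtype == "NS":                      # referral: descend one level
            server = value
        elif rtype == "CNAME" and follow_cnames:
            if value in chain:                 # alias loop: fail the trace
                break
            chain.append(value)
            qname, server = value, ROOT        # resolve the alias from the top
        else:                                  # final answer, bare alias or NXDOMAIN
            status = "NXDOMAIN" if rtype == "NXDOMAIN" else "NOERROR"
            return {"status": status, "mappings": value, "final_server": server,
                    "cname_chain": chain, "hops": hops}
    return {"status": "FAILED", "mappings": None, "final_server": server,
            "cname_chain": chain, "hops": hops}

if __name__ == "__main__":
    for hop in trace("app.corp.example.")["hops"]:
        print(*hop)
```
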
DNS trace tests can also be used to perform root domain monitoring, providing detailed metrics for the performance of root servers. This insight might come in handy when gauging performance to root servers from specific geographic locations or providers, for example.

How To Get Started With DNS Trace Tests
Configuring a DNS trace test is quite simple. Follow these six quick steps:
1. Enter a target domain name. This should reflect the domain of the service being monitored, e.g., thousandeyes.com. Trailing dots are acceptable. To query the root, use a single “.” in the Domain field. (Tip: We recommend creating a DNS trace test for every ThousandEyes web-layer test for your business-critical applications and their DNS domains.)

2. Select a record type that’s appropriate for the service being monitored, e.g., MX for an SMTP service. See the dropdown list next to the Domain field for the full menu of supported record types.
3. Determine the testing interval. The default is two minutes. Tests with one- or two-minute intervals provide useful granularity and continuous baselining for identifying problems and trends. Alternatively, users can set a test interval that matches the record’s time to live (TTL), for example, using a five-minute interval test for a record with a TTL of five minutes.
4. Select the agents that will run this test.
5. Verify alerting and alert rules. The defaults are often sufficient to start with, but it’s also helpful to configure an alert that notifies you when domain records return an unexpected IP address that is not on a list of predetermined IPs, as this may indicate a record misconfiguration, server misconfiguration, DNS cache poisoning, or a DNS hijack.
6. Lastly, select a transport. Users have the option of querying using UDP or TCP transports. Note that UDP is the default. For large DNS responses, use TCP tests to avoid having to handle truncated DNS responses. If there are firewall concerns about TCP/53 being permitted, UDP tests should be used, as UDP/53 is often permitted across enterprise networks even in scenarios where TCP/53 is not.
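The alert in step 5, together with the Mappings, Final Server Queried, and Failed Queries checks described earlier, can be sketched as follows. This is an added example, not ThousandEyes code or its API schema: the field names, baseline values, and the 20% failure threshold are all assumptions, and it generalizes the "list of predetermined IPs" to CIDR ranges.

```python
import ipaddress

# Hypothetical baseline for one monitored record (all values constructed).
EXPECTED_NETS = [ipaddress.ip_network(n)
                 for n in ("192.0.2.0/24", "2001:db8:10::/48")]
EXPECTED_NS_SUFFIXES = ("dns-vendor.example.",)
MAX_FAILED_RATIO = 0.2   # assumed threshold, tune against your own baseline

def evaluate(result):
    """Return alert strings for one test round reported by one agent."""
    alerts = []
    failed, total = result["failed_queries"], result["total_queries"]
    if total and failed / total > MAX_FAILED_RATIO:
        alerts.append(f"failed queries {failed}/{total}")
    if not result["mappings"]:
        alerts.append("no mapping returned")
    for addr in result["mappings"]:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            alerts.append(f"unparseable mapping {addr!r}")
            continue
        if not any(ip in net for net in EXPECTED_NETS):
            alerts.append(f"unexpected address {ip}")
    # Normalize case and trailing dot, then match on a label boundary so that
    # "evil-dns-vendor.example." does not pass as "dns-vendor.example.".
    ns = result["final_server"].lower().rstrip(".") + "."
    if not any(ns == s or ns.endswith("." + s) for s in EXPECTED_NS_SUFFIXES):
        alerts.append(f"unexpected final server {ns}")
    return alerts

# Constructed sample rounds: healthy, changed record, resolution failures.
ROUNDS = [
    {"mappings": ["192.0.2.10"], "final_server": "NS2.dns-vendor.example",
     "failed_queries": 0, "total_queries": 6},
    {"mappings": ["203.0.113.66"], "final_server": "ns1.evil-dns-vendor.example",
     "failed_queries": 0, "total_queries": 6},
    {"mappings": [], "final_server": "ns1.dns-vendor.example.",
     "failed_queries": 3, "total_queries": 6},
]

if __name__ == "__main__":
    for r in ROUNDS:
        print(evaluate(r) or "ok")
```
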

Assuring Digital Experiences With Enhanced DNS Monitoring
DNS monitoring is critical to a well-constructed digital assurance strategy. ThousandEyes offers a full suite of assurance services, including robust DNS monitoring. Our DNS trace tests are a critical component of these DNS monitoring resources. They can be used for any DNS domain you own as well as any domains your broader enterprise uses and associated digital services, allowing you to assess whether the services will function at your various campus and data center locations.
To learn more, see our DNS trace test and DNS Domain Trace view documentation. And to explore how you can retrieve ThousandEyes DNS trace information via our API, see our API documentation.