Filter Chain Tips and Tricks
Using the NS1 Filter Chain can be daunting at first. This article will help you avoid some of the pitfalls of using Filter Chains and help you to configure your DNS settings to make the best Traffic Management decisions for your business.
Put UP first
One of the most important things you can do is to put the UP filter first. This helps you know what’s working and what’s not. You don’t want to spend resources filtering out answers that are down.
CNAME records can only have one answer
If you have a complicated CNAME record with many different answers for traffic management or load balancing, make sure your last filter is SELECT_FIRST_N=1. Per RFC, CNAME records can only have one answer. Hint: To test how this will affect you, create a CNAME with multiple answers and then try to resolve the record using the dig tool.
Use Sticky to make things Sticky
If your traffic management needs to send users to the same endpoints consistently, while still sending different users to different endpoints, use STICKY_SHUFFLE. This filter makes it so your end users will always get the same DNS answer, allowing them to keep local sessions.
You can only do one FENCE or TARGET operation with one piece of metadata
Our Filter Chain only works with one piece of metadata per Geo filter, meaning you can’t use the same metadata to make decisions with two filters in the same chain. If you want to do coarse fencing or targeting, use the most coarse first, e.g. REGIONAL then COUNTRY. You can also chain together CNAME records to enable finer filtering within the second record.
Filters require certain metadata
Make sure to put the required metadata on your answers so that the filter is able to properly run. GEOTARGET_LATLONG, for example, needs latitude and longitude metadata to be present on your answers to work properly. It cannot use us_state or country metadata to make decisions.
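The ordering, CNAME and metadata tips above can be checked mechanically before a record is published. The following is an added example, not NS1 code: the record layout, the `latitude`/`longitude` key names and the `lint_record` helper are assumptions made for illustration, and only the filter names come from this article.

```python
# Added example: lint a filter chain against the ordering and metadata tips above.
# The dict layout is a simplified assumption, not the NS1 API schema.
REQUIRED_META = {
    # From the article: GEOTARGET_LATLONG needs latitude and longitude on answers.
    "GEOTARGET_LATLONG": {"latitude", "longitude"},  # key names are assumed
}

def lint_record(record):
    """Return a list of warnings for one record (hypothetical helper)."""
    warnings = []
    filters = record.get("filters", [])
    answers = record.get("answers", [])
    names = [f["filter"] for f in filters]

    # Tip: put UP first so later filters never work on answers that are down.
    if "UP" not in names:
        warnings.append("chain has no UP filter")
    elif names[0] != "UP":
        warnings.append("UP is at position %d, expected first" % (names.index("UP") + 1))

    # Tip: a CNAME may return only one answer, so end with SELECT_FIRST_N=1.
    if record.get("type") == "CNAME" and len(answers) > 1:
        last = filters[-1] if filters else {}
        if last.get("filter") != "SELECT_FIRST_N" or last.get("config", {}).get("N") != 1:
            warnings.append("CNAME with multiple answers must end with SELECT_FIRST_N=1")

    # Tip: every answer must carry the metadata each filter depends on.
    for name in names:
        for i, answer in enumerate(answers):
            missing = REQUIRED_META.get(name, set()) - set(answer.get("meta", {}))
            if missing:
                warnings.append("answer %d lacks %s for %s" % (i, sorted(missing), name))
    return warnings

# Constructed sample record (example.net names, not real data).
SAMPLE = {
    "type": "CNAME",
    "filters": [{"filter": n} for n in ("GEOTARGET_LATLONG", "UP", "STICKY_SHUFFLE")],
    "answers": [
        {"answer": "a.example.net", "meta": {"up": True, "latitude": 40.7, "longitude": -74.0}},
        {"answer": "b.example.net", "meta": {"up": True, "country": "US"}},
    ],
}

if __name__ == "__main__":
    for w in lint_record(SAMPLE):
        print("WARN:", w)
```

The constructed sample trips all three checks: UP is second, the CNAME chain does not end with SELECT_FIRST_N=1, and the second answer carries only country metadata.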
ASN and Prefix Fencing is NOT a substitute for security
While these filters perform well for the vast majority of traffic (if using EDNS Client Subnet or ISP recursive resolvers), evading this block is trivial and your business should be sure to implement more stringent checks.