FAQ Troubleshooting

Please read through this section before contacting us.

IIJ DNS Platform Service

FAQs about the Service Specifications

Q. What kind of service is the DNS Platform Service?

It is an integrated authoritative DNS service that emphasizes scalability and flexibility with enhanced security. Refer to "Service Overview" for more information.

Q. What is the difference between the premium plan and basic plan?

You can use basic functions with the basic plan. Some functions are enhanced in the premium plan.


|  | Basic | Premium | Notes |
|---|---|---|---|
| FAQs common to the Managed DNS Service and DNS Traffic Management Service |  |  |  |
| Multi-provider | × |  | Use of a group of DNS servers provided by a DNS business operator through an overseas tie-up |
| Anti-DDoS band | Over 1 Tbps | Over 30 Tbps |  |
| Multi-factor authentication |  |  | In addition to two-factor authentication, which is a standard function, you can set various other authentication options if you sign up for them separately with the IIJ ID Service. |
| Approval management |  |  | When you sign up separately for the IIJ ID Service, you can fine-tune your edit and reference role settings for each zone. |
| QPS upper limit | 100 | 200 | With the premium plan, you can add QPS in increments of 100 qps. |
| SLA | × |  |  |
| Managed DNS Service |  |  |  |
| Managed DNS Server |  |  | A group of DNS servers that can be used as primary and secondary servers |
| Editing DNS records |  |  |  |
| DNS record history management |  |  |  |
| ANAME |  |  | Registering records equivalent to CNAME at the zone apex |
| DNSSEC |  |  | You must be able to register DS records with a higher zone. |
| TSIG |  |  | This setting is also required on your server side. |
| DNS Traffic Management Service |  |  |  |
| Weighting load distribution |  |  |  |
| Failovers |  |  |  |

Q. Do you have any cache DNS functions?

No. This service is an authoritative DNS service. It does not provide cache functionality.

Q. Can I register domains?

No. This service is an authoritative DNS service. It does not provide functions for registering, maintaining, and managing domains. Please use the "Domain Management Service."

Q. What is QPS?

QPS stands for queries per second, and represents the number of DNS queries per second.

Q. How do you count QPS?

We use the 95% rule. Each month, the average QPS values measured at five-minute intervals are ranked, the top 5% are cut, and the highest remaining value is taken as the QPS for that month. This keeps the billing amount within a certain level even if there is a sudden peak, such as when you have suffered a short-term DDoS attack.

Incidentally, when you have multiple Managed DNS Service contracts in a single DNS Platform Service contract, QPS is calculated by adding up the DNS queries for all the contracts.
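
The 95% rule worked through on one month of five-minute averages, as an added example that is not part of the IIJ documentation. All traffic figures are constructed, the function names are illustrative, and rounding the 5% cut down is an assumption.

```python
SAMPLES_PER_HOUR = 60 // 5  # one average every five minutes


def combine_contracts(*contracts):
    """Add up the per-interval QPS of every contract under one service contract."""
    return [sum(interval) for interval in zip(*contracts)]


def billable_qps(samples, cut_percent=5):
    """Highest five-minute average left after the top cut_percent is discarded."""
    if not samples:
        raise ValueError("no samples for this month")
    ordered = sorted(samples)
    discard = len(ordered) * cut_percent // 100  # assumption: round down
    return ordered[len(ordered) - discard - 1]


def month(baseline, spike_qps=0, spike_hours=0, days=30):
    """Constructed month: a flat baseline with one contiguous spike."""
    total = days * 24 * SAMPLES_PER_HOUR
    spike = spike_hours * SAMPLES_PER_HOUR
    return [spike_qps] * spike + [baseline] * (total - spike)


def report():
    """Measured QPS for four constructed months."""
    return {
        "quiet": billable_qps(month(80)),
        "6h spike": billable_qps(month(80, spike_qps=50_000, spike_hours=6)),
        "48h spike": billable_qps(month(80, spike_qps=50_000, spike_hours=48)),
        # Two contracts of 60 and 70 qps are counted together as 130 qps.
        "two contracts": billable_qps(combine_contracts(month(60), month(70))),
    }


if __name__ == "__main__":
    for label, qps in report().items():
        print(f"{label:>14}: {qps} qps")
```

In a 30-day month, 5% of the samples is 432 five-minute intervals, so under these assumptions only peaks that add up to more than 36 hours raise the measured value.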

Q. What will happen if QPS exceeds the limit in the plan?

IIJ will inform you accordingly. IIJ will not put restrictions on your plan immediately after the limit is exceeded.

Q. Do you have any ways to check the number of queries in my own domain?

You can check them in Statistics Information. Because the domains that have queries of more than 100 qps, which is the upper limit for the basic plan, account for less than 1% of all domains, you will hardly ever exceed the upper limit unless you operate an extremely large-scale site.

Q. What is SLA?

SLA stands for service level agreement. This service guarantees SLA only when you have signed up for the premium plan. Refer to "SLA" for more information.

Q. Is IPv6 supported?

Yes. It is supported.

FAQs about Using the Control Panel

Q. I cannot access the control panel with Internet Explorer.

This service does not support Internet Explorer. Please use a browser such as Chrome, Firefox, Edge, or Safari.

Q. I cannot access the control panel from a smartphone.

This service cannot be used from a smartphone. Please access from a PC browser.

Q. I can check the settings but cannot change them.

If you are logged in using an IIJ ID account to which the reference role has been assigned but not the editing role, you cannot change the settings. Ask your IIJ ID administrator to assign the editing role to you.

When the zone proxy function is enabled, you cannot edit zone information on the "Record Management" screen even if you are using an account that has the editing role. In this case, edit zone information on your primary name server or disable the zone proxy function.

Q. Descriptions on the screen are written in English.

The control panel will be displayed in English in either of the following cases: when you have logged in using an IIJ ID account and the language set for the IIJ ID account is English, or when you have logged in as an operations manager and a language other than Japanese is given priority in the web browser’s language setting. Switch the language setting to Japanese, and then log in again.

See here for how to change the language setting for the IIJ ID account.

IIJ Managed DNS Service

FAQs about the Service Specifications

Q. Can I use domains that I have registered with other companies, with this service?

Yes. You can use such domains without migrating them if you change the name server (NS) to that specified by this service.

Q. Is DNSSEC supported?

Yes. DNSSEC signing is performed as standard.

Note, however, that to perform DNSSEC validation, you will need to register DS records through your domain registrar. For information on how to register DS records, contact your registrar (designated business operator). If your registrar (designated business operator) is IIJ (if you have signed up for the IIJ Domain Management Service), DS records will be registered automatically.

Q. Can I acquire query logs?

No. We do not provide that service.

Q. What is a Managed DNS Server?

It is a server that accepts DNS queries for this service from the Internet. If you are using the premium plan, DNS servers provided by the partnering DNS provider are also included. You can use a Managed DNS Server as the primary name server or secondary name server, whichever you prefer.

A different Managed DNS Server is assigned for each contracted zone. You can check which Managed DNS Servers are assigned to the contracted zones from the "Zone Information" column on the control panel’s "Record Management" screen. Servers that take on zone transfer and DNS NOTIFY are different to Managed DNS Servers. Note that if you use such servers by linking them to the primary or secondary name server that you have prepared, you will need to configure settings that are different to those for Managed DNS Servers.

Q. What is a zone proxy?

Zone proxy is the function that transfers zones from your authoritative name server to a Managed DNS Server in this service.
Using this function allows you to operate this service as a secondary name server.

Q. What is Anycast?

It is a technology for dispersing servers that have the same IP address across multiple sites. By dispersing servers around the world, not only is the round-trip delay of packets shorter, but you also gain an advantage in failure resistance, because the servers that could be attacked in a DDoS are diversified and localized.

In addition to Anycast sites provided by IIJ, hundreds of sites provided by business operators with a tie-up arrangement with IIJ’s DNS are available with the premium plan for this service.

FAQs about Zone Editing

Q. I want to make round-robin settings but cannot register multiple records that have the same name.

You cannot register more than one record with the same combination of Name and Type (for example, you cannot create two "www.example.jp/A" records and register a value with each of them).

You can register more than one Value for each combination of Name and Type (create one "www.example.jp/A" and register two values with it). Note that there are some record types, such as SOA and CNAME, for which registration of multiple Values is restricted. Refer to "Record Management" for more information.

Q. When I attempt to set a CNAME that has the same name as the zone name, an error occurs.

This is prohibited by the DNS specification; it is not a restriction specific to this service. Please consider using "ANAME" instead.

Q. Can I write wildcard records?

Yes. Specify "*" as Name.

Q. Although I have updated zones through editing records, there are some records that have not been updated.

When more than one person is editing a single zone, clicking the Zone Update button will update only the records that you personally have edited. Note that records which have been edited by other people will not be updated.

Q. Even though I have uploaded the zone file, the file has not been reflected.

Set the serial number of the SOA record to be larger than the current value. If it is the same as or smaller than the current value, the zone file will still be uploaded successfully, but it will not be reflected on the server. Take special care when re-uploading, unchanged, a zone file that you downloaded in the past.

Q. I manage more than one subdomain with this service. Can I register NS records to be delegated in a batch with the parent domain?

Yes. You can register NS records at once through the use of a subdomain delegation management menu from the record management function. Refer to "Batch Register Subdomain NS Records" for more information.

FAQs about DNSSEC

Q. What is DNSSEC?

It is a system for preventing DNS responses from being tampered with, by signing DNS records using public-key cryptography.

Q. What does the comment "DNSSEC Operations" in Zone Application History mean?

An expiry date is set on the DNSSEC signature (RRSIG), so the signature needs to be updated periodically. In addition, we increase security further by periodically updating the key (DNSKEY) used for the signature. Although DNSKEY and RRSIG are not displayed on this service’s Record Management screen, they are actually included in a zone like other records. When these DNSSEC-related records are periodically updated, the update is recorded in the zone update history with the comment "DNSSEC Operations" and "system" as the operator, and in Zone Application History with the log type "Update record."

Q. The status of DNSSEC is always "Enabling" and never changes.

To enable DNSSEC, you need to register information called DS records with a higher-level name server through the domain registrar (designated business operator). If you use another company's service as a registrar (designated business operator) and use this service only for DNS, you will need to apply for registration of DS records yourself. The status of DNSSEC remains "Enabling" until the registration is complete. If you use the Domain Management Service, you do not have to apply for registration of DS records yourself; the registration procedure is taken care of automatically. Note, however, that it may take a few days until "Enabling" is switched to "Enabled."

In addition, to prevent failure of the validation of DNSSEC signature, the status will not change to "Enabled" unless appropriate reference to DNSSEC-related records such as DNSKEY and RRSIG can be verified. When records are migrated from another company’s service to this service, in most cases the DNSSEC-related records that have been added by this service cannot be reflected onto the migration source's server. As a result, you cannot follow a procedure for migrating the records after the status has changed to "Enabled."

Refer to DNSSEC Management for more information.

Q. What should I do if I have registered incorrect DS records manually?

If you have registered incorrect DS records manually, modify them to the correct DS records or delete them. Even if you attempt to disable DNSSEC for DPM, it cannot be disabled (because name resolution fails as a result of the failure in signature validation of the CDS records to be deleted).
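
One way to compare a DS record with the zone's DNSKEY before registering it manually, using the DS digest and key tag definitions from RFC 4034 (added example, not IIJ's code). The function names are illustrative and the sample key is 64 constructed placeholder bytes, not a real key.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [part.encode("ascii") for part in name.lower().split(".") if part]
    return b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    header = struct.pack("!HBB", flags, protocol, algorithm)
    return header + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def ds_for(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, hex digest) that belongs to this DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def check_ds(owner, ds, dnskey_rdatas):
    """Compare a DS you intend to register with the zone's published DNSKEYs."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return "unsupported digest type"
    keys = [r for r in dnskey_rdatas if key_tag(r) == tag and r[3] == algorithm]
    if not keys:
        return "no DNSKEY with this key tag and algorithm"
    wanted = digest.replace(" ", "").upper()
    if any(ds_for(owner, r, digest_type)[3] == wanted for r in keys):
        return "match"
    return "digest mismatch"


# Constructed sample: placeholder bytes standing in for an algorithm 13 public key.
SAMPLE_KEY = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
SAMPLE_DS = ds_for("example.jp", SAMPLE_KEY)
```

Pass `dnskey_rdata` the flags, protocol, algorithm and Base64 key from the zone's published DNSKEY record; any result other than "match" means validating resolvers would reject the zone once that DS is in the parent.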

FAQs about the Service Specifications

Q. I get different responses depending on the Managed DNS Server.

To prevent all the servers from becoming unable to respond due to, for example, an attack on an unknown vulnerability, this service uses multiple DNS server implementations to ensure redundancy and diversity. Because of differences in DNS server implementation, Managed DNS Servers may return different responses even if the same DNS query is sent. Such differences fall within the range allowed by the DNS specifications and therefore do not affect your use of Managed DNS Servers.

Q. I cannot get an expected response from an ANY query.

A Managed DNS Server implements RFC 8482. Therefore, even if you send an ANY query in anticipation of "every piece of RRset information," such a response will not be returned. Refer to the relevant RFC for more information.

IIJ DNS Traffic Management Service

FAQs about monitoring

Q. Is monitoring only performed on the endpoints used in the rule being applied?

No. Even if endpoints are not used for the rule, as long as monitoring details are linked to them, they will be monitored. Moreover, enabling/disabling monitoring means "Used/Not used to determine Live Status" instead of "Monitor/Not monitor." Therefore, even if it is disabled, monitoring will be performed and notifications will be sent when the monitoring status changes. To stop monitoring endpoints, cancel the link.

Q. I have trouble differentiating between Live Status and Ready Status.

Both Live Status and Ready Status represent the status of, for example, an endpoint, site, or method. While Live Status represents "whether that target is operating properly," Ready Status represents "whether that target is used for DNS response." Both of them take the same value in general because they are linked. However, there are some cases where "Live Status is Up (Operating properly) but Ready Status is Down (Not used for DNS response)," for example, when "Restore Manually" is enabled for endpoints. When "Remove Manually" is enabled, on the other hand, there are cases where "Live Status is Down (Not operating properly) but Ready Status is Up (Used for DNS response)." Also refer to "Traffic Control Statuses."

Q. I see monitoring accesses at intervals shorter than the time set as the monitoring interval.

There are multiple monitoring systems and monitoring sites for each monitoring location, and each of them carries out monitoring independently, so that monitoring can be conducted continuously even during maintenance of our facilities or in case of failure. For this reason, more than one monitoring access is observed at each monitoring interval on the monitoring target host. It therefore appears that monitoring accesses arrive at intervals shorter than the monitoring interval. However, this is not abnormal.

Q. Please support HTTPS with a shared sorry server.

To support HTTPS, a server certificate with your host name is needed, which necessarily requires individual support for each customer. Therefore, we cannot provide a common server. You are responsible for building and operating such a server yourself.

Q. How much time lag do we have between the detection and the reflection of a monitoring result?

We cannot disclose the details, but there is a time lag of five minutes or less between the detection and the reflection of a monitoring result, because processes such as a Down/Up judgment are executed after the judgment result is confirmed at multiple monitoring sites.