WTF is NS1? It’s DNS, DDI, and maybe other TLAs

NS1 EC-1 Part 2: Product development and roadmap

“We are not a DNS company, despite the name, and despite everything we’re talking about,” NS1 founder and CEO Kris Beevers says.

That might sound counter-intuitive, given that the company’s flagship product offering is literally called Managed DNS. The issue and the challenge NS1 actually solves today goes much deeper, and by positioning itself as being about more than DNS, the company helps to differentiate itself against what is, by any measure, a very commoditized technology.

Across its product portfolio, NS1 leverages data and injects software-defined intelligence, automation and real-time decisioning policy to steer and optimize traffic at the DNS layer.

NS1 looks at DNS differently from the competition: It doesn’t consider it as just a conduit to connect traffic; instead, DNS is treated as a routing system that can direct traffic very effectively.

Across its product portfolio, NS1 leverages data and injects software-defined intelligence, automation and real-time decisioning policy to steer and optimize traffic at the DNS layer, Beevers says. It does all this by a core technology known as the filter chain, and it is foundational to NS1’s current success.

In the first part of this EC-1, I spoke about how Beevers wrote 22 lines of code to sketch out that filter chain technology, bringing NS1 to life. I will now look at how the company has expanded beyond DNS into what’s known as DDI, a key technology stack for managing internal networks within companies. We’ll also talk about NS1’s open-source efforts, and why experimentation remains a bedrock principle of the company’s engineering culture.

Managing external traffic: DNS and active traffic management

“Something that I will say very often to our team and to our customers in the market is, we’re not here to make DNS better; we’re not here to make DDI better, which is another realm that we play in now,” Beevers said. “We’re here to turn those technologies into leverage to solve much bigger problems that equate to connecting applications with an audience more effectively, at better scale, driving better performance and experiences with security and reliability.”

The first set of services that NS1 developed face outward, meaning that they help organizations with traffic that comes from outside their own networks, such as a reader visiting techcrunch.com or a viewer turning on Netflix. Those services include Managed DNS, which provides a globally distributed DNS service, and Dedicated DNS, which offers a redundant, secondary network for DNS.

DNS’ core function of connecting IP addresses to domain names is critical to the day-to-day operation of the internet. It has long been thought of as a networking concern that is managed and operated by networking professionals who typically focus on ensuring that traffic gets to where it needs to go.

Image Credits: Yuichiro Chino / Getty Images

NS1’s filter chain technology takes DNS further. It integrates rules into DNS queries so that it can take different factors into account to help optimize the best way to deliver a given query. Gartner analyst Gregg Siegfried feels it provides a real point of innovation.

“Normally, you think about a DNS query very much like a database lookup,” Siegfried said. That is, when a user or an endpoint requests a given domain, the DNS system looks up the DNS record, which then in turn identifies where the traffic should go.

“The filter chain is something that allows you to add some conditional logic in that lookup — and at scale,” Siegfried said. “That’s a very, very powerful capability, whether you use it for global load balancing, geofencing or georouting. It’s what caught my eye from the beginning about NS1.”

This is useful in many cases. For instance, many countries today have decreed that data from their citizens should only be served from data centers located domestically. NS1’s filter chain could be set up to direct queries from such countries to data centers located locally, ensuring that a company meets its governance requirements.

Another example would be a filter chain designed to prioritize premium customers over free customers for a SaaS tool at times of high network congestion.

While the filter chain is the technological core of NS1, it’s not a product itself. Rather, it is the foundation upon which the company has built its commercial services.

One of the key lessons learned from the DynDNS outage in 2016, which we talked about in part one of this EC-1, was the need for companies to have redundant DNS providers. NS1’s Dedicated DNS is an entirely different network for DNS, designed to add just that sort of redundancy to this layer of the tech stack. The thinking is that for organizations that want highly resilient DNS operations, they can deploy both Managed DNS and Dedicated DNS from NS1 and be assured of resilience and redundancy, without having to engage with another vendor.

To capture a share of the global market, NS1 has also set up a dedicated Managed DNS for China service, which is built to help organizations optimize traffic inside the country.

The most performance-sensitive customers, however, need a product even more advanced. Internet congestion can change rapidly, and a high-quality and reliable route a few milliseconds ago might suddenly become impassable. That might not matter in the realm of video streaming, where an annoying buffering hiccup can be alleviated relatively quickly, but it could have life-or-death implications in applications like healthcare, self-driving cars and drone piloting.

For these customers, NS1 has developed a product it calls Pulsar. This service provides granular, data-driven steering of traffic for applications. It can also answer questions like: “What is the response time for a user on Verizon’s wireless network in New York right now?” or “What was the response time to Amazon’s East Coast data center over the last five seconds?”

Pulsar Active Traffic Steering works with a variety of mechanisms, including using data provided by the customer with beacons that NS1 calls real user metrics. These beacons are enabled when organizations embed a piece of JavaScript in their website code that sends back telemetry data. Pulsar can integrate NS1’s data set with the telemetry data from a customer’s beacons to pinpoint specific problems and shape traffic accordingly.

In short, across all of its DNS offerings targeting external traffic, NS1 is doing a lot more than providing basic DNS services that simply look up addresses in DNS records and forward traffic to a destination.

Managing internal traffic as NS1 moves into enterprise DDI

The internet has expanded exponentially over the past couple of decades, and that holds true for internal networks within enterprises as well. Some organizations have tens of thousands of employees and even more devices, all connected to a corporate network.

In the enterprise world, the acronym DDI represents three technologies — DNS, DHCP and IPAM. Enterprise networks need to provide private IP addresses, which is what a DHCP (Dynamic Host Control Protocol) server does.

Image Credits: Yuichiro Chino / Getty Images

Such networks also have to connect to internal named resources as well as have a corporate DNS to enable address lookups both internally and externally. Finally, enterprises have to manage all their addresses with an IP Address Management system (IPAM). Thus, DDI forms the foundation of the modern IT stack within an enterprise.

The DDI market is often a different buyer within an organization than website or application DNS. DDI is often deployed inside of an organization’s firewall, which is intended to be a perimeter protecting what goes on within the enterprise from the outside world.

To expand its addressable market, NS1 entered the DDI space in May 2019 under a product rubric it dubs “cloud-native network services.” It was a bold new front for the company, but it wasn’t an immediate success.

According to NS1 COO Brian Zeman, who was hired in 2018 after sales and leadership roles at digital infrastructure management vendor SevOne and risk management company Prevalent, NS1 entered the DDI space a little too early.

“We were able to build a pretty great go-to-market early, and then we had to spend some time educating and figuring out which verticals we should speak with first,” Zeman said. “Now that’s all caught up, but I wish we could have waited a few months to build out our channel. It’s paying dividends now, but I would probably have waited a few months to invest there.”

Beevers has a different view on the foray: “Did we enter the DDI market too early? I’m going to give an unequivocal ‘no,’ because I’m a startup guy, right? The way startups work is, you get out there, engage with the market, put your technology and your ideas in contact with the market, get visibility and then iterate based on what you find.”

However, Beevers did admit that the company initially attempted to address the market in its entirety, ranging from stodgy enterprises to forward-leaning Silicon Valley firms, which just didn’t work.

“The only time we’ve ever done the wrong thing in any market — and DDI is a good example here for us — is in trying to play too much to folks who don’t really want to change,” Beevers said.

NS1 soon corrected course on DDI and figured out its path to market, which included a key sales partner. In June 2020, NS1 inked a major partnership with Cisco, bringing its DDI solution to Cisco’s Global Price List.

Image Credits: GABRIEL BOUYS/AFP / Getty Images

That lets Cisco and its partners easily sell and integrate NS1’s products with Cisco’s technologies. With enterprise software sales, the channel is a cornerstone of success, often as much or even more so than direct sales.

Zeman sees DDI as the second core market for NS1 after Managed DNS. The vision is to consider the two products as flip sides of the same coin, connecting internal and external traffic to the edge. From there, NS1 can build new products that leverage the underlying infrastructure it has already sold to its customers.

DDI and its prospects are also high on the list of priorities for NS1’s chief product officer, David Coffey. He feels the movement into DDI is about leveraging what makes NS1’s Managed DNS platform effective and applying that behind the firewall.

Modern corporate enterprise infrastructure has changed in recent years and increasingly uses container, microservices and Kubernetes-type deployments, where IP addresses are ephemeral and there is constant movement and rebalancing.

With a strong engineering and product management background, including stints at Forcepoint, McAfee and Intel, Coffey is all for automation. “Companies achieve global scale on the back of automation,” he says. “Our DDI’s software-first, API-driven approach — as well as our integrations — allows you to achieve global scale and the dynamic that you want from your automation, and the capability to understand what’s going on.”

VPN traffic steering and new product development

As part of NS1’s ongoing partnership with Cisco, it has also built a VPN traffic-steering service launched around the time the partnership was announced in 2020.

A virtual private network (VPN) is an encrypted data tunnel that enables users or employees to securely access corporate resources remotely. NS1’s VPN Traffic Steering service helps companies route traffic across a global network of VPN gateways.

Demand for VPN services surged after the pandemic hit in early 2020 and organizations had to move to working remotely, and NS1 moved quickly to build its own VPN service.

It didn’t have to do all that much, though, as most of the building blocks were already in place. “It is a very natural use case of our existing Managed DNS technology and steering,” Beevers said. “It’s just a simple slot-in-place that leverages the fact that DNS is everywhere.” This is exactly the kind of experimentation and product iteration that Beevers continues to want to inculcate in the company’s culture.

From a go-to-market operations perspective, as NS1 looks to continue to foray beyond Managed DNS and DDI, Zeman has a pair of connected “North Stars”: applications and audiences. “Where’s the audience, and how do I connect it to the application,” Zeman said.

Zeman expects the position of those North Stars to shift in the coming years as different market demands emerge. For example, the need for VPN traffic steering to address audience and application needs spiked during the pandemic, which helped to drive the growth of that service.

One thing is for sure: The internet isn’t getting used any less, and that means there are strong secular tailwinds for NS1 as it continues to iterate on its current products and enter new markets.

Research, open source and experimentation with NS1 Labs

Unsatisfied with its commercial ventures, NS1 is also keen to experiment in open source as well. As a company built iteratively by an engineer, NS1 has a focus on helping developers and DevOps teams. It ties together its experiments and open-source efforts under the auspices of NS1 Labs.

Open-source projects created, led or sponsored by NS1 don’t necessarily imply a path to some form of commercial service, according to multiple NS1 executives, including Beevers. While such projects might not always connect to commercial services, they often are the result of internal efforts within NS1 and help to build useful utilities that its customers — and everyone else — can benefit from.

Helping to lead NS1 Labs is Shannon Weyrick, who currently holds the title of VP Research in the Office of the CTO, though that’s not the first (and likely not the last) title he’ll have at NS1. Weyrick was the first employee to join NS1 after its three co-founders, back in March 2014. Over the last seven years he has been a software architect, director of Engineering, director of Technology, and VP of Architecture. Weyrick had previously worked at Internap from 2012 to 2013 and met Beevers there after the Voxel acquisition.

At a high level, NS1 Labs has created projects to solve specific needs that emerged in its own operations — be it observability, testing or policy development.

For example, the Flamethrower testing utility, publicly released in April 2019, was started as a way to test the resilience of the core NS1 DNS server after a rewrite. The PktVisor (pronounced “packet visor”) observability tool, released in October 2020, was built after NS1 experienced its first distributed denial of service (DDoS) attack and realized it needed more visibility into its network operations.

Weyrick’s team is now building a new tool known as Orb that builds on the data PktVisor can observe, enabling users to set traffic policies based on data.

Not all of NS1’s open-source efforts are homegrown, though. The newest effort to join the NS1 Labs roster is the open-source DDI project known as Netbox, originally created by developer Jeremy Stretch when he was working at cloud startup DigitalOcean. NS1 hired Stretch in April 2021 and he is now helping support the ongoing development of Netbox.

Netbox has a large and growing community of users and with the support of NS1, Beevers is hopeful it will grow even further. It’s not entirely clear (yet) how or if NS1 will build a commercially supported set of services for Netbox, but Beevers certainly hinted at it potentially happening.

As far as what’s next for NS1’s open-source and experimental efforts, it’s all about thinking about the next “moonshot,” Weyrick says.

When looking forward, NS1 is looking toward the horizon, but it’s not a uniform horizon from a single perspective. Weyrick explained that the first horizon, NS1’s commitments to current customers, is what most of the company is focused on. The company sees two more horizons — horizon two might be a year or two out and a third horizon might be three to five years from now.

“In the office of the CTO we’ve carved out specific time to think about horizons two and three and where things can go,” Weyrick said.

Before NS1 can get to those other horizons though, it has to face a competitive market that has no shortage of rival vendors. In the third part of this EC-1, I analyze the landscape that NS1 operates in and how the company positions itself and competes for market share.


NS1 EC-1 Table of Contents

Also check out other EC-1s on Extra Crunch.