Continuous DNS record monitoring with email + webhook alerts. Watch A, MX, NS, TXT, or CNAME records. AS-aware fingerprinting tolerates anycast IP rotation while catching real DNS changes — the kind that mean a subdomain takeover or a botched zone update.
IPv4 and IPv6 records. Fingerprinted by ASN (not raw IP) so anycast rotation doesn't false-alert.
Watch parent-zone NS delegation. Useful for catching unauthorised registrar changes — a key subdomain-takeover indicator.
Mail server changes. Catches when mailflow is silently rerouted.
SPF, DKIM, DMARC, domain-verification records. Catches subtle changes that break email or accidentally re-verify a hijacked CNAME.
Default is Cloudflare DoH. Override per monitor if you want to watch what a specific resolver returns (Google, Quad9, etc.).
0-record responses on a non-empty baseline are treated as transient errors, not drift. No alerts on resolver hiccups.
Stale CNAME pointing at a deprovisioned cloud service → attacker claims the resource → your subdomain serves their content. DNS drift on the CNAME is the early warning.
If someone takes over your registrar account, the first sign is usually an NS-record change. The monitor flags it within your check interval.
An infra change goes wrong, the zone file has a typo, mailflow breaks. DNS drift catches it the moment propagation completes.
Unauthorized DNS changes are how subdomain takeovers happen. They're also how a botched zone-file update takes your mail down for 4 hours. Either way you want to know within minutes, not when a customer reports it. The monitor captures a baseline on first run, then compares every subsequent check against it.
Anycast-hosted domains (Google, Cloudflare, big CDNs) legitimately return a different IP every query — same Autonomous System owner, different /16 block depending on edge routing. Naive DNS monitors flag every query as drift. Ours fingerprints A/AAAA records by their ASN (looked up via ipinfo.io, in-process cached), so anycast rotation is correctly ignored. If records move to a different AS owner (e.g. domain migrated from Google to AWS), the fingerprint changes and you get a real alert.
A, AAAA, MX, TXT, CNAME, NS, SOA. You configure which types to watch per monitor — default is A. NS and MX are good for detecting delegation or mail-server changes; TXT catches SPF / DKIM / verification record edits.
If a check returns 0 records when the baseline had records, we treat it as state=error (transient resolver issue), not state=critical (real drift). That avoids waking you up because Cloudflare DoH had a bad 5 minutes.
Yes. Delete the monitor and re-create against the same hostname; the first check captures a fresh baseline from the new state.
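The baseline comparison, AS-level fingerprinting and empty-response handling described above can be sketched as follows. This is an added example, not the service's own code: the `fingerprint` and `check` helpers, the `baseline` and `ok` state names, and the in-memory IP-to-ASN table (documentation addresses, private-use ASNs) are assumptions made for illustration.

```python
import hashlib

# Constructed IP -> ASN table (documentation addresses, private-use ASNs).
# Assumption: it stands in for the ASN lookup service a real monitor would query.
SAMPLE_ASN = {
    "192.0.2.10": "AS64512",
    "192.0.2.77": "AS64512",     # same owner, different edge address
    "198.51.100.5": "AS64513",   # different owner
}

def fingerprint(rtype, records, asn_of=SAMPLE_ASN.get):
    """Order-independent hash of a record set (hypothetical helper)."""
    if rtype in ("A", "AAAA"):
        # Collapse addresses to their AS; an unmapped IP keeps its raw value
        # so it can never silently match the baseline.
        values = {asn_of(ip) or ip for ip in records}
    else:
        values = {r.strip() for r in records}
    body = "\n".join([rtype] + sorted(values))
    return hashlib.sha256(body.encode()).hexdigest()

def check(baseline, rtype, records):
    """Return (state, baseline); baseline is None before the first run.

    'error' and 'critical' are the page's states; 'baseline' and 'ok' are
    names assumed for this example.
    """
    current = fingerprint(rtype, records)
    if baseline is None:
        return "baseline", current
    if current == baseline:
        return "ok", baseline
    if not records:
        # Empty answer against a non-empty baseline: resolver hiccup, not drift.
        return "error", baseline
    return "critical", baseline

if __name__ == "__main__":
    _, base = check(None, "A", ["192.0.2.10"])
    for answer in (["192.0.2.77"], [], ["198.51.100.5"]):
        print(answer, check(base, "A", answer)[0])
```

Because the A/AAAA fingerprint is per-AS, an address change that stays inside the same AS returns `ok` in this sketch, so a record that can be repointed within one provider is better watched at the CNAME level as well.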