How to Change Nameservers Without Breaking Your Site
Step-by-step guide to safely changing nameservers. Covers pre-migration checklist, TTL management, record verification, monitoring, and rollback strategy.
Last updated: 2026-02-17
Changing nameservers is one of the highest-risk DNS operations you can perform. Get it right and users see zero downtime. Get it wrong and your website, email, and every other service on your domain go dark. The difference between the two outcomes is preparation.
This guide walks through a safe, methodical process for migrating nameservers from one DNS provider to another without disrupting your services.
Why Change Nameservers?
There are several legitimate reasons to switch DNS providers:
- Better performance: Faster DNS resolution reduces page load times globally
- Better features: Advanced record types, DNSSEC support, API access, or traffic management
- Consolidation: Moving all domains to a single provider for easier management
- Cost: Finding a more cost-effective solution for a large domain portfolio
- Reliability: Migrating away from a provider that has experienced outages
Regardless of the reason, the process is the same: replicate all records at the new provider, verify them, then update the nameserver delegation at your registrar.
Pre-Migration Checklist
Before touching anything, complete this checklist:
Export all current DNS records
Download a complete zone file or manually document every record at your current DNS provider. This is your authoritative reference. Miss a single record and the corresponding service breaks after migration.
Identify all subdomains
Check for subdomains that may not be obvious: staging environments, API endpoints, internal tools, marketing landing pages, email-specific subdomains, and CNAME records for third-party services.
Note current TTL values
Record the TTL for each record. You will need to lower them before migration and restore them afterward.
Check for provider-specific features
Some DNS providers offer features that are not standard DNS: URL forwarding, email forwarding, ALIAS/ANAME records, or automatic SSL certificate DNS validation. Identify these and determine how to replicate them at the new provider.
Verify DNSSEC status
If DNSSEC is enabled at your current provider, you need to plan the key rollover carefully. A botched DNSSEC migration can make your domain completely unreachable.
Do not skip the export step
DNS provider dashboards sometimes hide records that were auto-created. Zone file exports capture everything. If your provider does not support zone file exports, manually query every record type (A, AAAA, CNAME, MX, TXT, SRV, CAA, NS) for the root domain and every known subdomain.
The Safe Migration Process
Lower TTLs at the current provider
At least 24-48 hours before the migration, lower all record TTLs to 300 seconds (5 minutes). This ensures that once you switch nameservers, resolvers worldwide will pick up the change quickly. Wait the full duration of the original TTL before proceeding.
Recreate all records at the new provider
Using your exported zone file or documentation, create every record at the new DNS provider. Double-check hostnames, record types, values, and TTL settings. Pay special attention to MX records (priority values) and TXT records (exact string matching).
Verify records at the new provider
Query the new provider's nameservers directly to confirm all records are correct before switching delegation. Use dig @new-ns1.provider.com yourdomain.com A for each record type. Compare the output against your documentation.
Update nameservers at your registrar
Log into your domain registrar and change the nameservers to those provided by your new DNS provider. This is the point of no return — though if you have prepared correctly, it will be uneventful.
Monitor propagation
Watch nameserver propagation using a global DNS checker. NS record changes can take 24-48 hours to fully propagate, though most resolvers will see the change within a few hours.
Verify all services are working
Test your website, email delivery and receiving, API endpoints, and any other DNS-dependent services from multiple locations and networks. Do not rely solely on your own connection.
Restore TTLs to normal values
Once you have confirmed everything is working correctly and propagation is complete, raise TTLs back to their standard values (typically 3600 or 86400 seconds).
Keep the old provider active temporarily
Do not delete records at your old provider for at least 48-72 hours. Some resolvers may still be querying the old nameservers due to cached NS records. Once you are confident the migration is complete, you can deactivate the old zone.
Verifying Records Before the Switch
This is the most critical step and the one most often rushed. Before changing nameservers at your registrar, verify every record by querying the new nameservers directly.
# Find the nameservers for your new provider
# (These are given to you when you create the zone)
# Query A record at the new nameserver
dig @ns1.new-provider.com example.com A +short
# Query MX records
dig @ns1.new-provider.com example.com MX +short
# Query TXT records (SPF)
dig @ns1.new-provider.com example.com TXT +short
# Query DMARC
dig @ns1.new-provider.com _dmarc.example.com TXT +short
# Query subdomains
dig @ns1.new-provider.com www.example.com A +short
dig @ns1.new-provider.com mail.example.com A +short
Compare every result against your exported records. If anything differs, fix it before proceeding.
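The manual comparison above can be scripted. This is an added example, not part of the original guide: it asks the old and the new nameserver for the same record sets and flags any that differ or are missing. The old-provider hostname, the CHECKS list and the function names are assumptions; replace them with your own values.

```shell
# Added example, not from the original guide. OLD_NS, NEW_NS and CHECKS are
# placeholders: use your providers' nameservers and your exported records.
OLD_NS="${OLD_NS:-ns1.old-provider.com}"
NEW_NS="${NEW_NS:-ns1.new-provider.com}"
CHECKS="example.com A
example.com MX
example.com TXT
_dmarc.example.com TXT
www.example.com A"

# Ask one nameserver directly; +norecurse returns only what it serves itself.
query() { dig @"$1" "$2" "$3" +norecurse +short +time=3 +tries=2; }

# Drop blank and dig ";;" error lines, sort; lowercase all but TXT (exact match).
normalize() {
  if [ "$1" = "TXT" ]; then
    sed -e '/^$/d' -e '/^;/d' | LC_ALL=C sort
  else
    tr '[:upper:]' '[:lower:]' | sed -e '/^$/d' -e '/^;/d' | LC_ALL=C sort
  fi
}

# Compare one record set; returns 0 only if both servers give the same answer.
compare_record() {
  old=$(query "$OLD_NS" "$1" "$2" | normalize "$2")
  new=$(query "$NEW_NS" "$1" "$2" | normalize "$2")
  if [ -z "$old" ] && [ -z "$new" ]; then
    echo "NODATA  $1 $2 (no answer from either server)"; return 1
  elif [ "$old" != "$new" ]; then
    echo "DIFF    $1 $2"
    echo "  old: $(printf '%s' "$old" | tr '\n' ' ')"
    echo "  new: $(printf '%s' "$new" | tr '\n' ' ')"
    return 1
  fi
  echo "OK      $1 $2"
}

# Walk the whole list; exit status is non-zero if any record set differs.
verify_all() {
  failures=0
  while read -r name type; do
    [ -z "$name" ] || compare_record "$name" "$type" || failures=$((failures + 1))
  done <<EOF
$CHECKS
EOF
  echo "$failures record set(s) need attention"
  [ "$failures" -eq 0 ]
}
if [ "${1:-}" = "--run" ]; then verify_all; fi  # e.g. ./compare-ns.sh --run
```

Run it with --run before changing delegation at the registrar, and again during the transition window while both providers must serve identical records. A non-zero exit status means at least one record set still needs fixing.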
Handling DNSSEC During Migration
DNSSEC adds cryptographic signatures to your DNS records. Migrating DNSSEC requires careful coordination because the keys change when you switch providers.
| Approach | Complexity | Downtime Risk | Recommended For |
|---|---|---|---|
| Disable DNSSEC before migration | Low | Brief validation gap | Most organizations |
| Double-sign during transition | High | None if done correctly | High-security domains |
| Key rollover at registrar | Medium | Low | Providers that support it |
For most organizations, the safest approach is:
- Remove the DS record from your registrar 24-48 hours before migration
- Wait for the old DS record to expire from caches
- Perform the nameserver migration
- Set up DNSSEC at the new provider
- Add the new DS record at your registrar
Common Mistakes During Nameserver Changes
Forgetting hidden records
Auto-renewal CNAME records for SSL certificates, DKIM records for email, SRV records for chat services, and CAA records for certificate authority authorization are frequently missed during migration.
Not lowering TTLs in advance
If your NS records have a 48-hour TTL and you change nameservers without pre-lowering them, some resolvers will continue querying the old nameservers for up to two days. During that window, any records that differ between old and new providers will cause intermittent issues.
Changing records at both providers simultaneously
During the transition period, some resolvers query the old nameservers and some query the new ones. Both must serve identical records. Do not make changes at the new provider that have not also been applied at the old one until propagation is complete.
Deleting the old zone too early
Once you update nameservers at the registrar, there is still a window where cached NS records point to the old provider. If you delete the zone at the old provider during this window, those queries fail instead of returning valid records.
Rollback Strategy
If something goes wrong after the nameserver change, you need a rollback plan:
- Revert nameservers at the registrar to the original values. This is the fastest fix.
- Verify the old provider still has the zone active. This is why you keep it running for 48-72 hours.
- Investigate and fix the issue at the new provider before attempting the migration again.
Having the old zone intact and the TTLs lowered means a rollback propagates quickly. Without these precautions, a rollback could take days to fully resolve.
Schedule migrations during low-traffic periods
Plan your nameserver change for a low-traffic window and have team members available to monitor. Avoid Friday afternoons, holidays, and peak business hours. A weekday morning when your operations team is fully staffed is ideal.
After the Migration
Once the migration is confirmed complete:
- Restore TTLs to their standard values
- Enable DNSSEC at the new provider if desired
- Update any internal documentation referencing the old DNS provider
- Set up DNS monitoring on the new configuration to catch future issues
- Deactivate the zone at the old provider after the safe window has passed
A nameserver change is a high-stakes operation, but it does not have to be high-risk. Thorough preparation, careful verification, and a solid rollback plan transform a dangerous migration into a routine procedure. Take the time to do it right, and your users will never know it happened.