How to Monitor DNS Records for Unexpected Changes

Learn how to monitor DNS records for unauthorized or unexpected changes. Covers manual approaches, automated monitoring, alerting, and incident response.

Last updated: 2026-02-17

DNS records are a high-value target. A single unauthorized change to an A record can redirect your entire website to an attacker's server. A modified MX record can silently intercept all your email. And because DNS changes propagate globally, the blast radius is enormous.

Monitoring your DNS records for unexpected changes is not optional. It is a core part of domain security and operational reliability. This guide covers what to watch for, how to set up monitoring, and what to do when you detect an unauthorized change.

Why DNS Monitoring Matters

Most organizations only check their DNS when something breaks. By that point, the damage is done. A hijacked A record means your users have been visiting a phishing site. A changed MX record means someone has been reading your email. A deleted TXT record means your email authentication is broken and spam is being sent from your domain.

DNS monitoring closes the gap between when a change happens and when you find out about it. The goal is detection in minutes, not days.

DNS changes are silent by default

DNS has no built-in notification system. Your registrar will not email you when a record changes. Your DNS provider's dashboard will not send an alert. Without active monitoring, unauthorized changes go unnoticed until users report problems.

What DNS Changes to Monitor

Not all record types carry the same risk. Prioritize monitoring based on impact.

Critical Records

A and AAAA Records

Control where your domain points. An unauthorized change redirects all web traffic. Monitor these for every domain and critical subdomain.

NS Records

Determine who controls your DNS zone. If an attacker changes your NS records, they control every other record. This is the highest-impact change possible.

MX Records

Control email routing. Changed MX records allow email interception. Monitor these for every domain that sends or receives email.

Important Records

TXT Records (SPF, DKIM, DMARC)

Protect against email spoofing. If these are removed or weakened, attackers can send email that appears to come from your domain.

CNAME Records

Alias subdomains to other hostnames. Subdomain takeover attacks exploit dangling CNAMEs pointing to deprovisioned services.

SOA Records

Contain zone metadata including serial numbers. Changes here can indicate zone transfers or unauthorized modifications.

Manual Monitoring Approaches

If you are just getting started, manual monitoring is better than no monitoring at all.

Scheduled dig Checks

Create a simple script that runs dig queries on a schedule and compares results against a known-good baseline:

# Save current A record for comparison (sorted, because answer order can rotate between queries)
dig example.com A +short | sort > /tmp/dns-baseline-a.txt

# Later, compare against baseline
dig example.com A +short | sort | diff /tmp/dns-baseline-a.txt -

You can run this via cron on a Linux server or as a scheduled task on Windows. If the diff produces output, the record has changed.

Spreadsheet Tracking

For smaller domain portfolios, a spreadsheet listing all records with their expected values works as a manual audit tool. Check each record weekly or monthly against the live DNS data.

Limitations of Manual Monitoring

Manual approaches have significant drawbacks:

  • Slow detection: You only find changes at your next check interval
  • Human error: Easy to miss a record or misread output
  • No off-hours coverage: Nobody is checking at 3 AM
  • Does not scale: Impractical for more than a handful of domains

Automated DNS Monitoring

Automated monitoring solves every limitation of manual checks. A monitoring service queries your records at regular intervals from multiple global locations and alerts you immediately when something changes.

What to Look for in a DNS Monitoring Tool

| Feature | Why It Matters | Priority |
|---|---|---|
| Multi-location checks | Detects localized changes and propagation issues | Essential |
| All record type support | Monitors A, AAAA, MX, NS, TXT, CNAME, SOA | Essential |
| Instant alerting | Email, Slack, or webhook notifications on change | Essential |
| Change history | Audit trail of what changed and when | High |
| Baseline snapshots | Compares current state against known-good config | High |
| Multi-domain support | Monitors entire portfolio from one dashboard | Medium |

Setting Up Effective DNS Monitoring

  1. Inventory your domains and subdomains: List every domain and subdomain your organization uses. Include production, staging, internal tools, and marketing subdomains. Do not forget domains that only handle email.
  2. Document the expected state: For each domain, record the expected values for all critical record types: A, AAAA, MX, NS, TXT, and CNAME. This becomes your baseline for comparison.
  3. Configure monitoring for critical records: Set up automated monitoring for A, NS, and MX records on all production domains first. These are the highest-impact records.
  4. Add TXT and CNAME monitoring: Extend monitoring to TXT records (especially SPF, DKIM, and DMARC) and CNAME records for subdomains that point to third-party services.
  5. Set up alerting channels: Configure alerts to go to the right people. Security-sensitive changes (NS, A) should page on-call staff. Less critical changes (TXT additions) can go to a Slack channel.
  6. Test your alerting: Make a deliberate, controlled change to a non-critical record to confirm that alerts fire correctly and reach the right recipients.
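
The baseline comparison and alert routing from the setup steps above, as an added example that is not part of the original page or of any monitoring product. The baseline directory layout, the function names, and the choice to page on AAAA and MX changes as well as NS and A are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. Assumed layout: one file per record,
# $BASELINE_DIR/<name>.<TYPE>, holding the expected `dig +short` answers.
BASELINE_DIR="${BASELINE_DIR:-./dns-baseline}"   # hypothetical path
LC_ALL=C; export LC_ALL   # bytewise sort/compare so locale collation cannot hide a change

# Canonicalize answers so answer order, hostname case and trailing dots do not
# raise false alerts. TXT data is case-sensitive (DKIM keys), so it is only sorted.
normalize() {  # $1 = record type; answers on stdin
  if [ "$1" = "TXT" ]; then
    sort -u
  else
    tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | sort -u
  fi
}

# Routing from the alerting step: NS and A page on-call; putting AAAA and MX in
# the same tier is an assumption based on the page's "Critical Records" group.
severity_for() {
  case "$1" in
    NS|A|AAAA|MX) echo page ;;
    *)            echo channel ;;
  esac
}

# Print one line per difference: "<severity> <name> <TYPE> added|removed <value>"
compare_record() {  # $1 = name, $2 = type, $3 = baseline file, $4 = observed file
  sev=$(severity_for "$2")
  b=$(mktemp); o=$(mktemp)
  normalize "$2" < "$3" > "$b"
  normalize "$2" < "$4" > "$o"
  comm -13 "$b" "$o" | sed "s/^/$sev $1 $2 added /"
  comm -23 "$b" "$o" | sed "s/^/$sev $1 $2 removed /"
  rm -f "$b" "$o"
}

# Query one nameserver directly (bypassing resolver caches) for every baselined type.
check_domain() {  # $1 = name, $2 = nameserver to query
  for t in NS A AAAA MX TXT CNAME; do
    [ -f "$BASELINE_DIR/$1.$t" ] || continue
    obs=$(mktemp)
    if dig "@$2" "$1" "$t" +short +time=3 +tries=2 > "$obs"; then
      compare_record "$1" "$t" "$BASELINE_DIR/$1.$t" "$obs"
    else
      # A failed query is not an empty answer; report it instead of "removed".
      echo "channel $1 $t query-failed via $2"
    fi
    rm -f "$obs"
  done
}
```

Run `check_domain example.com <nameserver>` from cron once per nameserver or vantage point; lines beginning with `page` go to the on-call channel and the rest to the lower-priority one.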

Responding to Unexpected DNS Changes

When your monitoring detects an unauthorized change, time is critical. Follow this response process:

Immediate Actions

  1. Verify the alert is real: Query the record yourself from multiple resolvers to confirm the change
  2. Check your DNS provider's audit log: Determine if someone on your team made the change intentionally
  3. Assess the impact: Is traffic being redirected? Is email being intercepted? Is a service broken?

If the Change Is Unauthorized

  1. Revert the record immediately to its correct value at your DNS provider
  2. Rotate credentials for your DNS provider account and registrar account
  3. Enable two-factor authentication if it was not already active
  4. Check for other changes: An attacker who changed one record may have changed others
  5. Review registrar-level settings: Confirm the domain lock is enabled and contact information is correct
  6. Notify affected parties: If user data may have been compromised, follow your incident response process

Enable registrar lock

Most registrars offer a domain lock feature that prevents unauthorized transfers and nameserver changes. Enable this on every domain you own. It adds one more layer an attacker must bypass.

Real-World DNS Attack Scenarios

Understanding attack patterns helps you configure monitoring effectively:

  • Domain hijacking via registrar compromise: Attacker gains access to your registrar account and changes NS records, taking full control of your DNS zone
  • DNS cache poisoning: Attacker injects false records into a resolver's cache, redirecting queries without changing your authoritative records
  • Subdomain takeover: A CNAME record points to a deprovisioned cloud resource (like an old Azure or Heroku app). An attacker claims that resource and serves content on your subdomain
  • MX record hijacking: Attacker changes MX records to route email through their servers, capturing sensitive communications
  • BGP hijacking affecting DNS: Attacker reroutes traffic to your nameservers at the network level, serving false responses to queries

Each of these scenarios is detectable through DNS monitoring, assuming you are checking from multiple locations and comparing against a known-good baseline.

DNS monitoring is one of the highest-value security investments you can make for your domain portfolio. The cost of not monitoring is measured in compromised accounts, stolen data, and damaged reputation. Set up automated monitoring now, before you need it.
