Why DNS Monitoring Matters
DNS is the foundation of every internet-facing service you operate. When DNS records change unexpectedly — whether from a misconfiguration, an expired registrar account, or an active attack — the impact is immediate and often invisible until users start reporting problems. Your servers are running fine, your application is healthy, but nobody can reach it because DNS is pointing somewhere else.
Traditional uptime monitors miss this. If your website monitor caches DNS resolution, it will keep reporting "up" even after your A record has been hijacked or deleted. Dedicated DNS monitoring queries the records themselves, catching changes that application-layer monitors cannot see.
Real DNS Hijacking Campaigns
DNSpionage and Sea Turtle attacked governments, telecoms, and enterprises by compromising DNS registrars. These campaigns persisted for months because victims had no automated monitoring of their own DNS records. Detection required noticing that a record had quietly changed weeks earlier.
What You Get with Down Device DNS Monitoring
- Ten record types monitored — A, AAAA, CNAME, MX, TXT, NS, SOA, CAA, SRV, and PTR. Covers everything from address records to mail routing to certificate authorization.
- TTL-normalized change detection — routine TTL adjustments by your DNS provider do not generate noise. Only real record changes alert.
- Subdomain discovery via Certificate Transparency logs — surfaces forgotten staging environments and shadow infrastructure that may be vulnerable to subdomain takeover.
- Nameserver change monitoring at the registrar level — one of the most severe DNS modifications possible, and a primary signal of hijacking.
- Resolution failure alerts — if DNS resolution fails entirely, you know within the check interval, not when customers complain.
- Detailed change history — every change shows the previous and current values, so you can immediately see what changed and decide whether it was authorized.
- Unified dashboard — DNS monitors live alongside SSL, website, mail, and device monitors in one view.
How DNS Monitoring Works
Step 1: Add Your Domain
Enter the domain you want to monitor. Down Device performs an initial query against authoritative nameservers to capture the baseline state of every configured record type.
Step 2: Continuous Comparison
On each check interval, current records are queried and compared against the baseline. Additions, removals, and value modifications are flagged. TTL changes are tracked but do not trigger alerts on their own.
Step 3: Subdomain Discovery
Down Device queries Certificate Transparency logs for subdomains under your apex domain. CT logs are public records of every TLS certificate ever issued, so they reveal subdomains even if they are not in your DNS zone — including staging environments, abandoned services, and shadow IT.
Step 4: Alerting
Changes generate email alerts immediately. The change record shows the field that changed, the previous value, and the new value, which is everything you need to triage within seconds whether the change was authorized.
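The baseline, comparison and alerting steps above can be sketched as follows. This is an added example, not Down Device's own code: the function names, the tuple layout and the sample records are assumptions constructed for illustration.

```python
# Added example: TTL-normalized comparison of a DNS baseline against a later check.
# Records are (name, type, ttl, value) tuples; all sample data below is constructed.
HOSTNAME_TYPES = {"CNAME", "NS", "MX", "PTR", "SRV"}

def canon(rtype, value):
    """Canonical form of a record value so cosmetic differences do not alert."""
    value = " ".join(value.split())
    if rtype in HOSTNAME_TYPES:            # DNS names are case-insensitive
        value = value.lower().rstrip(".")
    return value

def rrsets(records):
    """Group records into {(name, type): {value: ttl}}."""
    out = {}
    for name, rtype, ttl, value in records:
        key = (name.lower().rstrip("."), rtype.upper())
        out.setdefault(key, {})[canon(key[1], value)] = ttl
    return out

def compare(baseline, current):
    """Return (alerts, ttl_log): value changes alert, TTL-only changes are logged."""
    old, new = rrsets(baseline), rrsets(current)
    alerts, ttl_log = [], []
    for key in sorted(old.keys() | new.keys()):
        before, after = old.get(key, {}), new.get(key, {})
        if set(before) != set(after):      # compare values only, TTL ignored
            kind = "added" if not before else "removed" if not after else "modified"
            alerts.append({"name": key[0], "type": key[1], "change": kind,
                           "previous": sorted(before), "current": sorted(after)})
        elif before != after:              # same values, different TTL
            ttl_log.append(key)
    return alerts, ttl_log

BASELINE = [
    ("example.com.", "A", 300, "192.0.2.10"),
    ("example.com.", "NS", 86400, "ns1.dns-provider.example."),
    ("example.com.", "NS", 86400, "ns2.dns-provider.example."),
    ("example.com.", "MX", 3600, "10 mail.example.com."),
    ("example.com.", "CAA", 3600, '0 issue "ca.example"'),
]
CURRENT = [
    ("example.com.", "A", 60, "192.0.2.10"),                      # TTL changed only
    ("example.com.", "NS", 86400, "NS2.dns-provider.example."),   # case changed only
    ("example.com.", "NS", 86400, "ns1.dns-provider.example."),   # order changed only
    ("example.com.", "MX", 3600, "10 mail.other.example."),       # value changed
]                                                                 # CAA record is gone
```

Calling `compare(BASELINE, CURRENT)` on the constructed data alerts on the removed CAA record and the modified MX target, while the A record's TTL change is only logged and the reordered, re-cased NS set produces nothing.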
Record Types Covered
| Record | Purpose | Why Monitor It |
|---|---|---|
| A / AAAA | IPv4 / IPv6 address | Hijacking redirects all traffic. |
| CNAME | Domain alias | Common SaaS / CDN integration; broken CNAMEs cascade. |
| MX | Mail routing | Hijacked MX records intercept all inbound email. |
| TXT | SPF / DKIM / DMARC / verification | Modifications enable email spoofing or break authentication. |
| NS | Authoritative nameservers | NS changes hand control of your entire zone. |
| SOA | Zone metadata | Indicates administrative changes at the DNS provider. |
| CAA | Certificate authority restrictions | Removal allows unauthorized certificate issuance. |
| SRV | Service discovery | Used by SIP, XMPP, LDAP, Active Directory. |
| PTR | Reverse DNS | Mail servers reject mail from IPs without valid PTR. |
Who DNS Monitoring Is For
- Security teams who need an audit trail of every DNS change and immediate detection of unauthorized modifications.
- Infrastructure teams managing many domains across multiple environments, where DNS drift is the silent killer of staging-prod parity.
- SaaS providers who depend on customer-configured CNAMEs for vanity domains and cannot afford broken aliases going unnoticed.
- Compliance-driven organizations required to maintain a record of DNS configuration changes (HIPAA, PCI-DSS, SOC 2).
Related Features and Reading
- DNS Monitoring Deep Dive: Record Changes and Subdomain Discovery — technical implementation details.
- SSL Certificate Monitoring — pair DNS monitoring with SSL/TLS expiration checks.
- How Distributed Monitoring Works — how multi-region checks reduce false positives.
Frequently Asked Questions
Which DNS record types does Down Device monitor?
Down Device monitors A, AAAA, CNAME, MX, TXT, NS, SOA, CAA, SRV, and PTR records — covering address records, mail routing, certificate authorization, service discovery, and reverse DNS.
How does Down Device avoid false positive change alerts from TTL adjustments?
TTL values are normalized before comparison. Only meaningful record changes — added, removed, or modified record values — trigger alerts. Routine TTL adjustments by your DNS provider are logged but do not generate alerts.
Can DNS monitoring detect domain hijacking?
Yes. DNS monitoring tracks NS record changes at the registrar level, flags unauthorized A or MX record modifications, and alerts on CAA changes that could allow rogue certificate issuance. These are the primary signals of DNS hijacking attacks.
Does it discover subdomains automatically?
Yes. Down Device queries Certificate Transparency logs to surface subdomains that have been issued certificates under your apex domain. This catches forgotten staging environments, abandoned subdomains, and shadow infrastructure that may be vulnerable to subdomain takeover.
Will Down Device tell me what changed when a record is modified?
Yes. Change history shows the exact previous and current record values. For an A record change, you see the old and new IP addresses. For TXT records, you see exactly which value was modified. This makes it fast and reliable to investigate whether a change was intentional.
See Every DNS Change as It Happens
Add DNS monitors to your free Down Device account in under two minutes. No credit card required, free forever.