
DNS Security Monitoring: What to Watch For

DNS monitoring is usually framed as a reliability concern — catch the misconfigured record before it breaks your site. But DNS is also one of the most valuable security signals you have. Attackers who compromise a domain or hijack traffic almost always leave a DNS fingerprint. Monitoring DNS changes gives you a detection layer that sits upstream of your application stack.


Why DNS Is a Security Signal

DNS changes that aren't planned by your team are rarely benign. The DNS layer is involved in:

  • Domain hijacking — attackers change nameservers to redirect all traffic
  • MX hijacking — redirecting email to intercept communications
  • Subdomain takeover — dangling CNAME records being claimed by attackers
  • BGP hijacking — traffic interception that may involve DNS manipulation
  • Phishing infrastructure — attackers registering lookalike domains that reference yours

Most of these attacks have observable DNS characteristics. Monitoring for them is the first line of detection.


Nameserver Changes: The Highest-Priority Signal

A nameserver (NS record) change means control of your entire DNS zone has potentially shifted. If your nameservers change without your authorisation, an attacker may control where all traffic for your domain goes.

What to watch:

  • Any change to your NS records
  • Nameservers changing to an unfamiliar provider
  • Multiple NS records being added (an attacker adding their own)

Nameserver change monitoring should alert immediately — within minutes — on any NS record modification. This is not an alert that can wait for a daily digest.


MX Record Changes: Email Interception Risk

Your MX records control where email for your domain is delivered. An attacker who changes your MX records can redirect all inbound email — including password reset messages, authentication codes, and sensitive communications — to their own mail server.

What to watch:

  • MX records pointing to unrecognised mail servers
  • Priority changes that elevate an attacker's server above your legitimate mail server
  • MX records being deleted (causes email delivery failures)
  • Changes to SPF records that would allow a new sender to send as your domain

See how to monitor MX, SPF, DKIM, and DMARC for coverage of your full email authentication stack.


CNAME Records: Subdomain Takeover Indicators

CNAME records that point to external services are subdomain takeover risks when those services are decommissioned but the DNS record remains. Monitoring for CNAME changes helps in two ways:

  1. Detecting new dangling CNAMEs — when you decommission a service but forget to remove the DNS record, the CNAME now points to a claimable resource
  2. Detecting exploitation — if an attacker claims a service and the CNAME now resolves to their IP, a DNS change alert fires

See what is a subdomain takeover for the full attack pattern.
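Both detections in the list above can be driven from a baseline of your CNAME records plus a resolver. The script below is an added example, not the page's or Domain Monitor's code: it assumes a resolver callable that returns the addresses a name resolves to, or `None` when the name does not exist (NXDOMAIN). The zone data, baseline addresses and the stand-in resolver are all constructed so it runs offline; in practice you would plug in a real lookup.

```python
"""Dangling-CNAME and target-moved checks with an injectable resolver.

Added example, not the page's code. Assumes a resolver callable that
returns the list of addresses a name resolves to, or None on NXDOMAIN.
"""
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[List[str]]]


def find_dangling(cnames: Dict[str, str], resolve: Resolver) -> List[str]:
    """Owner names whose CNAME target no longer exists (point 1 on the page).

    A target that returns NXDOMAIN is a claimable resource if the hosting
    service lets anyone register that name.
    """
    return [owner for owner, target in sorted(cnames.items())
            if resolve(target) is None]


def find_moved(cnames: Dict[str, str],
               baseline_addrs: Dict[str, List[str]],
               resolve: Resolver) -> Dict[str, List[str]]:
    """Owner names whose target now resolves outside the baseline (point 2).

    A dangling record that has been claimed shows up here as a change in the
    addresses behind the target, even though the CNAME itself never changed.
    """
    moved: Dict[str, List[str]] = {}
    for owner, target in sorted(cnames.items()):
        addrs = resolve(target)
        if addrs is None:
            continue  # reported by find_dangling instead
        if set(addrs) != set(baseline_addrs.get(owner, [])):
            moved[owner] = addrs
    return moved


# Constructed sample data: three CNAMEs, the addresses they resolved to when
# the baseline was taken, and a fake resolver standing in for real lookups.
CNAMES = {
    "shop.example.com.": "shop-prod.hosting.test.",
    "old-blog.example.com.": "blog-legacy.hosting.test.",   # service decommissioned
    "status.example.com.": "status-page.hosting.test.",     # target now elsewhere
}
BASELINE_ADDRS = {
    "shop.example.com.": ["203.0.113.20"],
    "old-blog.example.com.": ["203.0.113.21"],
    "status.example.com.": ["203.0.113.22"],
}
FAKE_ANSWERS = {
    "shop-prod.hosting.test.": ["203.0.113.20"],
    "status-page.hosting.test.": ["198.51.100.9"],
    # blog-legacy.hosting.test. is absent: the fake resolver returns None (NXDOMAIN)
}


def fake_resolve(name: str) -> Optional[List[str]]:
    """Constructed resolver: look the name up in FAKE_ANSWERS."""
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    print("dangling:", find_dangling(CNAMES, fake_resolve))
    print("moved:", find_moved(CNAMES, BASELINE_ADDRS, fake_resolve))
```

Run on a schedule, the two results map directly onto the two alert types the page describes: `find_dangling` is the "clean up before it is claimed" signal, and `find_moved` is the "it may already have been claimed" signal.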


A Record Changes: Traffic Redirection

An A record change shifts where your domain resolves to at the IP level. Legitimate causes include server migrations, CDN changes, and infrastructure updates. Illegitimate causes include:

  • Domain hijacking where the attacker points your domain to their server
  • BGP hijacking where DNS responses are manipulated to return attacker-controlled IPs
  • Compromised DNS provider credentials allowing unauthorised record edits

What to watch:

  • A record changes that you didn't plan
  • Multiple A records being added (may be load balancing, or an attacker inserting their own server)
  • A record changes coinciding with nameserver changes (strong hijacking indicator)

TXT Record Changes: SPF and DKIM Manipulation

TXT records carry SPF, DKIM, and DMARC policies. An attacker who can modify TXT records can:

  • Add themselves as an authorised sender in your SPF record
  • Remove DMARC policies that would cause their spoofed emails to be rejected
  • Add verification records for services they control (Google Workspace, Microsoft 365) to legitimise attacker-controlled email infrastructure
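The SPF and DMARC changes listed here, and the SPF point in the MX section above, are detectable by parsing the TXT record rather than just comparing the raw string: what matters is which sender terms were added and whether the policy got weaker. The following is an added example, not the page's code. The record values are constructed, and the parsing follows the SPF and DMARC syntax (`+`/`-`/`~`/`?` qualifiers, the `all` mechanism, and the DMARC `p=` tag); the helper names are my own.

```python
"""Detect sender additions and policy weakening in SPF and DMARC TXT records.

Added example, not the page's code. Record values below are constructed.
"""
import re
from typing import List, Optional, Set, Tuple

# Rank of the 'all' qualifier: a drop in rank means more senders pass.
# An SPF record with no 'all' term evaluates to neutral, like '?all'.
ALL_RANK = {"-": 3, "~": 2, "?": 1, "+": 0, None: 1}
DMARC_RANK = {"reject": 2, "quarantine": 1, "none": 0}


def parse_spf(txt: str) -> Tuple[Set[str], Optional[str]]:
    """Return (terms that authorise senders, qualifier of the 'all' mechanism).

    Only '+' (the default) authorises a sender; '-', '~' and '?' do not, so
    those terms are ignored when listing authorised senders.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    senders: Set[str] = set()
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        elif qualifier == "+":
            senders.add(term.lower())
    return senders, all_qualifier


def spf_changes(old: str, new: str) -> List[str]:
    """Findings for a new SPF record compared with the baseline record."""
    old_senders, old_all = parse_spf(old)
    new_senders, new_all = parse_spf(new)
    findings = [f"new authorised sender: {t}" for t in sorted(new_senders - old_senders)]
    findings += [f"removed authorised sender: {t}" for t in sorted(old_senders - new_senders)]
    if ALL_RANK[new_all] < ALL_RANK[old_all]:
        findings.append(f"'all' weakened from {old_all or '(none)'} to {new_all or '(none)'}")
    return findings


def dmarc_policy(txt: Optional[str]) -> str:
    """The DMARC p= policy; a missing record or tag behaves like p=none."""
    if not txt:
        return "none"
    match = re.search(r"(?:^|;)\s*p=(\w+)", txt)
    return match.group(1).lower() if match else "none"


def dmarc_changes(old: Optional[str], new: Optional[str]) -> List[str]:
    """Findings when the DMARC record is removed or its policy gets weaker."""
    if old and not new:
        return ["DMARC record removed"]
    old_p, new_p = dmarc_policy(old), dmarc_policy(new)
    if DMARC_RANK.get(new_p, 0) < DMARC_RANK.get(old_p, 0):
        return [f"DMARC policy weakened from p={old_p} to p={new_p}"]
    return []


# Constructed baseline and changed records: a new include: was added and the
# hard fail became a soft fail; the DMARC record disappeared entirely.
OLD_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.com -all"
NEW_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.com include:spf.unfamiliar.test ~all"
OLD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
NEW_DMARC = None

if __name__ == "__main__":
    for finding in spf_changes(OLD_SPF, NEW_SPF) + dmarc_changes(OLD_DMARC, NEW_DMARC):
        print("ALERT:", finding)
```

A raw string comparison would fire on any TXT edit, including harmless reordering; ranking the findings this way lets the "new authorised sender" and "policy weakened" cases page with the same urgency as an MX change while cosmetic edits stay in a digest.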

How to Implement DNS Security Monitoring

Baseline: Record your current DNS state for all zones. Any deviation from baseline is worth investigating.

Alert on: All record type changes — NS, MX, A, AAAA, CNAME, TXT. Alert immediately for NS changes; alert within minutes for all others.

Review cadence: Beyond automated alerts, conduct a manual DNS audit quarterly. See how to audit your DNS records for security issues.

Complement with DNSSEC: DNSSEC adds cryptographic verification that DNS responses haven't been tampered with in transit. It does not detect changes made at the authoritative zone itself, since those are signed as legitimate; that gap is exactly what change monitoring against a baseline covers.
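The baseline-and-alert procedure above, as an added example that is not the page's or Domain Monitor's code. It assumes the live records have already been fetched by some resolver and turned into a `{record type: set of values}` map; both the approved baseline and the later snapshot here are constructed so the script runs offline. Severity follows the page (NS is critical, everything else high), and the correlation step escalates the combinations called out in the NS, MX and A record sections.

```python
"""Baseline-and-diff detector for DNS record changes.

Added example, not the page's code. Both zone snapshots are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

Zone = Dict[str, Set[str]]  # record type -> set of record values

# Severity per record type, following the page: NS changes page immediately,
# every other monitored type alerts within minutes.
SEVERITY = {
    "NS": "critical",
    "MX": "high", "A": "high", "AAAA": "high", "CNAME": "high", "TXT": "high",
}


@dataclass(frozen=True)
class Alert:
    rtype: str
    change: str   # "added" or "removed"
    value: str
    severity: str


def diff_zone(baseline: Zone, current: Zone) -> List[Alert]:
    """One alert per record value that appears in or vanishes from the zone."""
    alerts: List[Alert] = []
    for rtype in sorted(set(baseline) | set(current)):
        before = baseline.get(rtype, set())
        after = current.get(rtype, set())
        severity = SEVERITY.get(rtype, "medium")
        for value in sorted(after - before):
            alerts.append(Alert(rtype, "added", value, severity))
        for value in sorted(before - after):
            alerts.append(Alert(rtype, "removed", value, severity))
    return alerts


def correlate(alerts: List[Alert]) -> List[str]:
    """Escalation notes for the combinations the page calls out."""
    notes: List[str] = []
    by_type: Dict[str, List[Alert]] = {}
    for alert in alerts:
        by_type.setdefault(alert.rtype, []).append(alert)
    if "NS" in by_type and "A" in by_type:
        notes.append("A record change coincides with NS change: strong hijacking indicator")
    if {a.change for a in by_type.get("NS", [])} == {"added"}:
        notes.append("NS records added without any removed: possible attacker-added nameserver")
    if {a.change for a in by_type.get("MX", [])} == {"removed"}:
        notes.append("MX records removed: email delivery failure or interception risk")
    return notes


# Constructed sample data: an approved baseline and a later snapshot in which
# an unfamiliar nameserver appeared and the A record moved at the same time.
BASELINE: Zone = {
    "NS": {"ns1.dns-provider.test.", "ns2.dns-provider.test."},
    "A": {"203.0.113.10"},
    "MX": {"10 mail.example.com."},
    "TXT": {"v=spf1 include:_spf.example.com -all"},
}
SNAPSHOT: Zone = {
    "NS": {"ns1.dns-provider.test.", "ns2.dns-provider.test.", "ns1.unfamiliar.test."},
    "A": {"198.51.100.7"},
    "MX": {"10 mail.example.com."},
    "TXT": {"v=spf1 include:_spf.example.com -all"},
}

if __name__ == "__main__":
    found = diff_zone(BASELINE, SNAPSHOT)
    for alert in found:
        print(f"[{alert.severity.upper()}] {alert.rtype} {alert.change}: {alert.value}")
    for note in correlate(found):
        print(f"  -> {note}")
```

The baseline should be stored from a known-good state and only updated through your change process; if the monitor silently re-baselines after every alert, an attacker's change becomes the new normal after one missed page.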

Domain Monitor monitors all DNS record types and alerts immediately on any change. Create a free account.

