
How to Monitor Nameserver Changes Across Client Domains

A nameserver change is the most impactful DNS change possible. It doesn't change one record — it changes who controls all records. When a domain's nameservers are changed without authorisation, whoever controls the new nameservers controls every aspect of that domain: where the website points, where email goes, what SSL certificates can be issued.

For agencies managing multiple client domains, or businesses with a portfolio of domains, unauthorised nameserver changes are a serious threat — and one of the hardest to detect quickly without purpose-built monitoring.


Why Nameserver Changes Are High-Risk Events

Unlike changing an A record (which affects one IP), changing nameservers hands over the entire DNS zone. An attacker who successfully changes your nameservers can:

  • Point your domain to a phishing site
  • Intercept email by changing MX records
  • Issue fraudulent SSL certificates by passing CA domain validation
  • Take down every service associated with your domain simultaneously

Real-world domain hijacking attacks almost always involve a nameserver change — the attacker gains access to the registrar account, changes the nameservers, and takes control of everything from one action. See how to prevent domain hijacking with registrar security for the defensive measures.


Detecting Nameserver Changes

Manual Check

# Check current nameservers
dig yourdomain.com NS +short

# Check what TLD registry shows (authoritative source)
whois yourdomain.com | grep -i "name server"

The WHOIS record is the authoritative source — it shows what nameservers the registry has on file, which is what the global DNS system uses.
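
The two manual checks can disagree, because a recursive resolver may still serve a cached NS set after the registry already lists new nameservers. The following is an added example (not code from the original post) that normalizes both outputs and compares each with a stored baseline. The sample WHOIS text, dig output and domain names are constructed, and it assumes the `Name Server:` line format that the grep above matches.

```python
import re

# Constructed sample inputs (not real lookups) for a hypothetical domain.
SAMPLE_WHOIS = """\
Domain Name: CLIENT.EXAMPLE
Registrar: Example Registrar, Inc.
Name Server: NS1.DNS-PROVIDER.EXAMPLE
Name Server: NS2.DNS-PROVIDER.EXAMPLE
DNSSEC: unsigned
"""
SAMPLE_DIG = "ns2.dns-provider.example.\nns1.dns-provider.example.\n"
SAMPLE_DIG_CHANGED = "ns1.unknown-host.example.\nns2.unknown-host.example.\n"

def normalize(name):
    """Lowercase and drop the trailing root dot so both sources compare equal."""
    return name.strip().rstrip(".").lower()

def whois_nameservers(whois_text):
    """Extract the 'Name Server:' values from WHOIS output as a normalized set."""
    pattern = re.compile(r"^\s*name server:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
    return {normalize(m) for m in pattern.findall(whois_text)}

def dig_nameservers(dig_output):
    """Turn `dig NS +short` output into a normalized set."""
    return {normalize(line) for line in dig_output.splitlines() if line.strip()}

def compare_views(whois_text, dig_output, baseline):
    """Compare the registry view, the resolver view and the stored baseline."""
    registry = whois_nameservers(whois_text)
    resolver = dig_nameservers(dig_output)
    expected = {normalize(n) for n in baseline}
    findings = []
    if registry != expected:
        findings.append(("registry_differs_from_baseline", sorted(registry ^ expected)))
    if resolver != expected:
        findings.append(("resolver_differs_from_baseline", sorted(resolver ^ expected)))
    if registry != resolver:
        findings.append(("registry_and_resolver_disagree", sorted(registry ^ resolver)))
    return findings

if __name__ == "__main__":
    baseline = ["ns1.dns-provider.example", "ns2.dns-provider.example"]
    print(compare_views(SAMPLE_WHOIS, SAMPLE_DIG, baseline))
    print(compare_views(SAMPLE_WHOIS, SAMPLE_DIG_CHANGED, baseline))
```

Each finding lists the nameservers present in one view but not the other, so an alert can show exactly which names appeared or disappeared.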

Automated Monitoring Script

For teams managing multiple domains, a simple monitoring script can track nameserver changes:

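#!/bin/bash
# check-nameservers.sh
DOMAINS=("domain1.com" "domain2.com" "client-domain.co.uk")
# Baseline file: one "domain:ns1,ns2," line per domain
NS_RECORDS_FILE="/var/monitoring/ns-baseline.txt"
touch "$NS_RECORDS_FILE"

for domain in "${DOMAINS[@]}"; do
    # Lowercase and sort so case or answer order never triggers a false alert
    current_ns=$(dig "$domain" NS +short | tr 'A-Z' 'a-z' | sort | tr '\n' ',')
    # Exact match on the domain field (a grep pattern would treat dots as wildcards)
    stored_ns=$(awk -F: -v d="$domain" '$1 == d { print $2; exit }' "$NS_RECORDS_FILE")

    if [ -z "$current_ns" ]; then
        # Empty output means the lookup failed or returned no NS records
        echo "WARNING: no NS answer for $domain"
    elif [ -z "$stored_ns" ]; then
        # First run for this domain: record the baseline
        echo "$domain:$current_ns" >> "$NS_RECORDS_FILE"
    elif [ "$current_ns" != "$stored_ns" ]; then
        echo "ALERT: Nameserver change detected for $domain"
        echo "  Was: $stored_ns"
        echo "  Now: $current_ns"
        # Send alert: email, Slack webhook, etc.
    fi
done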

Run this via cron every 15 minutes. The first run establishes baselines; subsequent runs compare against them.

API-Based Monitoring

For larger portfolios, query DNS from code rather than shelling out to dig. This version uses the dnspython library and keeps the baseline in a JSON file:

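import json
import os

import dns.resolver  # provided by the dnspython package

DOMAINS = ['domain1.com', 'domain2.com', 'client-domain.co.uk']

def get_nameservers(domain):
    """Return the sorted, lowercased NS names for a domain, or None if the lookup fails."""
    try:
        answers = dns.resolver.resolve(domain, 'NS')
        return sorted(str(r).lower() for r in answers)
    except Exception as e:
        print(f'NS lookup failed for {domain}: {e}')
        return None

def check_nameserver_changes(baseline_file):
    # First run: there is no baseline file yet, so start from an empty baseline
    baseline = {}
    if os.path.exists(baseline_file):
        with open(baseline_file) as f:
            baseline = json.load(f)

    alerts = []
    for domain in DOMAINS:
        current = get_nameservers(domain)
        if current is None:
            # Never overwrite a good baseline with a transient resolver error
            continue
        stored = baseline.get(domain)

        if stored is None:
            # New domain: record its baseline without alerting
            baseline[domain] = current
        elif current != stored:
            alerts.append({
                'domain': domain,
                'previous': stored,
                'current': current,
            })
            # The new set becomes the baseline, so each change alerts once
            baseline[domain] = current

    with open(baseline_file, 'w') as f:
        json.dump(baseline, f, indent=2)

    return alerts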

What to Do When You Detect a Change

If you authorised the change: Update your baseline and document the migration. This is expected during planned nameserver migrations (see how to change nameservers without downtime).

If you didn't authorise the change:

  1. Don't panic — act fast. Domain hijacking becomes catastrophic over time as the attacker embeds their configuration.
  2. Log into your registrar immediately and check whether nameservers can be changed back.
  3. Enable registrar lock if it isn't on (see registrar lock vs transfer lock) — this prevents further changes.
  4. Contact your registrar's security team — most have emergency procedures for hijacking incidents.
  5. Notify affected parties — if client domains are affected, inform them immediately.

Monitoring at Scale With Domain Monitor

For agencies managing many client domains, manual monitoring scripts are fragile — they require maintenance, server uptime, and someone to respond to alerts at 2am.

Domain Monitor monitors DNS records including nameservers across all your domains from a managed platform. When a nameserver changes on any monitored domain, you're alerted immediately — without maintaining your own monitoring infrastructure. Create a free account and add all your client domains.

See how to monitor MX, SPF, DKIM, and DMARC records for monitoring the email-related DNS records that are equally critical to protect.

