
How to Monitor Nameserver Changes Across Client Domains

A nameserver change is the most impactful DNS change possible. It doesn't change one record — it changes who controls all records. When a domain's nameservers are changed without authorisation, whoever controls the new nameservers controls every aspect of that domain: where the website points, where email goes, what SSL certificates can be issued.

For agencies managing multiple client domains, or businesses with a portfolio of domains, unauthorised nameserver changes are a serious threat — and one of the hardest to detect quickly without purpose-built monitoring.


Why Nameserver Changes Are High-Risk Events

Unlike changing an A record (which affects one IP), changing nameservers hands over the entire DNS zone. An attacker who successfully changes your nameservers can:

  • Point your domain to a phishing site
  • Intercept email by changing MX records
  • Issue fraudulent SSL certificates by passing CA domain validation
  • Take down every service associated with your domain simultaneously

Real-world domain hijacking attacks almost always involve a nameserver change — the attacker gains access to the registrar account, changes the nameservers, and takes control of everything from one action. See how to prevent domain hijacking with registrar security for the defensive measures.


Detecting Nameserver Changes

Manual Check

# Check current nameservers
dig yourdomain.com NS +short

# Check what TLD registry shows (authoritative source)
whois yourdomain.com | grep -i "name server"

The WHOIS record is the authoritative source — it shows what nameservers the registry has on file, which is what the global DNS system uses.
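
Added example (not from the original article): the two manual checks above report the same nameservers in different shapes, since WHOIS output is often upper case behind a `Name Server:` label while `dig +short` prints lower-case names with a trailing dot, so both must be normalised before comparing against a baseline. The WHOIS and dig text is constructed sample data for a hypothetical domain, the function names are illustrative, and the `Name Server:`/`nserver:` labels are an assumption that holds for many registries but not all.

```python
import re

# Constructed sample data for a hypothetical domain (not real lookups).
SAMPLE_WHOIS = """\
Domain Name: CLIENT-DOMAIN.EXAMPLE
Registrar: Example Registrar, Inc.
Name Server: NS1.DNS-HOST.EXAMPLE
Name Server: NS2.DNS-HOST.EXAMPLE
DNSSEC: unsigned
"""
SAMPLE_DIG = "ns2.dns-host.example.\nns1.dns-host.example.\n"

# Assumption: the registry labels each server "Name Server:" or "nserver:".
# Registries that list servers under a heading line need their own parser.
NS_LINE = re.compile(r"^[ \t]*(?:name server|nserver)[ \t]*:[ \t]*(\S+)",
                     re.IGNORECASE | re.MULTILINE)

def normalise(names):
    """Lowercase, strip the trailing root dot, drop blanks and duplicates."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())

def ns_from_whois(text):
    return normalise(NS_LINE.findall(text))

def ns_from_dig(text):
    # Skip dig's ";;" diagnostic lines so a timeout is not read as a nameserver.
    return normalise(l for l in text.splitlines() if not l.startswith(";"))

def classify(baseline, observed):
    """Compare an observed NS set with the stored baseline."""
    baseline, observed = normalise(baseline), normalise(observed)
    if not observed:
        return "lookup-failed"   # no data: retry, never overwrite the baseline
    if observed == baseline:
        return "unchanged"
    if not observed & baseline:
        return "replaced"        # no overlap: the whole delegation moved
    return "modified"            # partial overlap: servers added or removed

def check(baseline, whois_text, dig_text):
    registry, dns = ns_from_whois(whois_text), ns_from_dig(dig_text)
    return {
        "registry": classify(baseline, registry),
        "dns": classify(baseline, dns),
        # Registry and DNS disagreeing is itself worth an alert.
        "consistent": registry == dns,
    }

if __name__ == "__main__":
    print(check(["ns1.dns-host.example", "ns2.dns-host.example"],
                SAMPLE_WHOIS, SAMPLE_DIG))
```

A "replaced" result on the registry side matches the hijacking pattern described earlier and deserves the highest alert priority; "lookup-failed" should trigger a retry, not a baseline update.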

Automated Monitoring Script

For teams managing multiple domains, a simple monitoring script can track nameserver changes:

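#!/bin/bash
# check-nameservers.sh
DOMAINS=("domain1.com" "domain2.com" "client-domain.co.uk")
NS_RECORDS_FILE="/var/monitoring/ns-baseline.txt"
touch "$NS_RECORDS_FILE"   # make sure the baseline file exists on the first run

for domain in "${DOMAINS[@]}"; do
    # Drop dig's ";;" diagnostics, then lowercase and sort so that record
    # order and case never cause a false alert
    current_ns=$(dig "$domain" NS +short | grep -v '^;' | tr 'A-Z' 'a-z' | sort | tr '\n' ',')
    # Exact match on the domain field (dots in the name are not regex wildcards)
    stored_ns=$(awk -F: -v d="$domain" '$1 == d {print $2}' "$NS_RECORDS_FILE")

    if [ -z "$current_ns" ]; then
        # Lookup failed or returned nothing: report it, keep the baseline
        echo "WARNING: NS lookup returned nothing for $domain" >&2
        continue
    fi

    if [ -z "$stored_ns" ]; then
        # First run for this domain: record the baseline instead of alerting
        echo "$domain:$current_ns" >> "$NS_RECORDS_FILE"
        continue
    fi

    if [ "$current_ns" != "$stored_ns" ]; then
        echo "ALERT: Nameserver change detected for $domain"
        echo "  Was: $stored_ns"
        echo "  Now: $current_ns"
        # Send alert — email, Slack webhook, etc.
    fi
done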

Run this via cron every 15 minutes. The first run establishes baselines; subsequent runs compare against them.

API-Based Monitoring

For larger portfolios, use DNS API queries from code rather than shell commands. The script below uses the dnspython library (`dns.resolver`):

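import json

import dns.exception
import dns.resolver

DOMAINS = ['domain1.com', 'domain2.com', 'client-domain.co.uk']

def get_nameservers(domain):
    """Return the sorted, lowercased NS names, or None if the lookup fails."""
    try:
        answers = dns.resolver.resolve(domain, 'NS')
    except dns.exception.DNSException:
        return None
    return sorted(str(r).lower() for r in answers)

def check_nameserver_changes(baseline_file):
    try:
        with open(baseline_file) as f:
            baseline = json.load(f)
    except FileNotFoundError:
        baseline = {}  # first run: observed values become the baseline

    alerts = []
    for domain in DOMAINS:
        current = get_nameservers(domain)
        stored = baseline.get(domain)

        if current is None:
            # Lookup failure: report it, but never overwrite the baseline
            alerts.append({
                'domain': domain,
                'previous': stored,
                'current': None,
                'error': 'NS lookup failed',
            })
            continue

        if stored is not None and current != stored:
            alerts.append({
                'domain': domain,
                'previous': stored,
                'current': current,
            })
        # The baseline follows the latest observation, so each change
        # is reported once
        baseline[domain] = current

    with open(baseline_file, 'w') as f:
        json.dump(baseline, f, indent=2)

    return alerts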

What to Do When You Detect a Change

If you authorised the change: Update your baseline and document the migration. This is expected during planned nameserver migrations (see how to change nameservers without downtime).

If you didn't authorise the change:

  1. Don't panic — act fast. Domain hijacking becomes catastrophic over time as the attacker embeds their configuration.
  2. Log into your registrar immediately and check whether nameservers can be changed back.
  3. Enable registrar lock if it isn't on (see registrar lock vs transfer lock) — this prevents further changes.
  4. Contact your registrar's security team — most have emergency procedures for hijacking incidents.
  5. Notify affected parties — if client domains are affected, inform them immediately.

Monitoring at Scale With Domain Monitor

For agencies managing many client domains, manual monitoring scripts are fragile — they require maintenance, server uptime, and someone to respond to alerts at 2am.

Domain Monitor monitors DNS records including nameservers across all your domains from a managed platform. When a nameserver changes on any monitored domain, you're alerted immediately — without maintaining your own monitoring infrastructure. Create a free account and add all your client domains.

See how to monitor MX, SPF, DKIM, and DMARC records for monitoring the email-related DNS records that are equally critical to protect.

