DNS Monitoring: Catch Hijacks and Misconfigurations Before Users Notice
Panos Michalopoulos
Founder & CEO
DNS is the foundation of the internet, and it is also one of the most neglected layers in most monitoring setups. When your DNS is misconfigured, your website is unreachable — but your HTTP monitor reports "connection timeout" instead of telling you the real problem. When your DNS records are hijacked, your users are silently redirected to a malicious server, and nothing in your application logs looks wrong. DNS monitoring closes these blind spots.
Why DNS Monitoring Matters
Every interaction a user has with your service begins with a DNS lookup. Before the browser can connect to your server, it must resolve your domain name to an IP address. If that resolution fails, is slow, or returns the wrong address, nothing else matters — your perfectly healthy server is invisible to the world.
DNS failures are particularly dangerous because they are silent. Your server keeps running, your application keeps logging, your database keeps accepting connections. Everything looks fine from the inside. But from the outside, users see "This site can't be reached" or, worse, they reach a completely different server controlled by an attacker.
Types of DNS Failures
DNS hijacking. An attacker gains control of your domain's DNS records — through registrar compromise, BGP hijacking, or cache poisoning — and redirects your traffic to their server. They can serve a phishing page that looks identical to yours, intercept credentials, or distribute malware. DNS monitoring that validates expected record values catches this immediately.
Propagation failures. You update a DNS record (for example, pointing your domain to a new server during a migration), and the change propagates through some resolvers but not others. Some users reach the new server, some reach the old one, and some get NXDOMAIN errors. Without monitoring from multiple perspectives, you cannot see the full picture.
TTL problems. A low TTL means DNS resolvers re-query frequently, which ensures changes propagate fast but increases DNS lookup latency. A high TTL reduces latency but means changes take hours or days to propagate. Monitoring DNS resolution times helps you find the right balance.
Record misconfigurations. A typo in an MX record means your company stops receiving email. A missing SPF or DKIM TXT record means your outbound email goes to spam. A wrong CNAME breaks your CDN. These are trivially easy mistakes to make and fiendishly hard to notice without monitoring.
Types of DNS Records to Monitor
Different record types serve different purposes, and each has its own failure modes:
- A and AAAA records — map your domain to an IPv4 or IPv6 address. Monitor these to detect hijacking, accidental changes, and infrastructure migrations that did not fully propagate.
- MX records — determine where your email is delivered. An incorrect MX record means you lose incoming email. Monitor these especially if you use a third-party email service like Google Workspace or Microsoft 365.
- CNAME records — alias one domain to another, commonly used for CDN and load balancer integration. A broken CNAME breaks everything behind it.
- TXT records — hold SPF, DKIM, DMARC, and domain verification data. Changes to TXT records can break email deliverability or revoke your verification with third-party services.
- NS records — define which nameservers are authoritative for your domain. If these change without your knowledge, someone may have compromised your domain registrar.
Monitorion DNS Check Features
Monitorion's DNS monitor goes beyond simple resolution checks. Here is what it offers:
Expected value validation. Specify the value you expect a DNS record to return — for example, your A record should resolve to 203.0.113.50. If it ever resolves to a different IP, the monitor triggers immediately. This is the core defense against DNS hijacking and accidental misconfigurations.
Custom nameserver queries. By default, Monitorion queries public resolvers. But you can configure it to query specific nameservers — your registrar's nameservers, Google's 8.8.8.8, Cloudflare's 1.1.1.1, or your internal DNS servers. This lets you verify that records are consistent across different resolvers and catch propagation issues.
Record type selection. Choose which record type to query: A, AAAA, MX, CNAME, TXT, NS, SOA, or any other standard type. Monitor multiple record types for the same domain by creating separate monitors — one for your A record, one for MX, one for TXT.
Change detection. Even if you do not know what value to expect, Monitorion detects when a record changes. It stores the last-known value and alerts you when it differs. This is useful for monitoring third-party domains (CDN providers, SaaS platforms) where you do not control the records but need to know when they change.
Resolution time tracking. Monitorion measures how long DNS resolution takes and tracks it over time. A sudden increase in DNS resolution time can indicate nameserver performance issues, DDoS attacks against your DNS provider, or routing problems.
Real-World Scenarios
Scenario 1: Registrar compromise. An attacker gains access to your domain registrar account and changes your NS records to point to their nameservers. They then create A records pointing to their server. Monitorion's NS record monitor detects the nameserver change and alerts you within minutes — before the attacker can use the redirected domain for phishing.
Scenario 2: Cloud migration gone wrong. You migrate from AWS to GCP and update your A record from the old IP to the new one. The update propagates on your local resolver, so your tests pass. But Cloudflare's resolver has cached the old record with a long TTL. Monitorion, checking from multiple perspectives, shows that some resolvers still return the old IP and alerts you to the inconsistency.
Scenario 3: Email delivery failure. A team member accidentally deletes a TXT record while updating SPF configuration. Your outbound email starts landing in spam folders, but nobody notices for three days because the email "still sends." Monitorion's TXT record monitor with expected-value validation detects the missing SPF record immediately.
Scenario 4: CDN provider changes. Your CDN provider migrates their infrastructure and changes the IP addresses behind your CNAME record. The change is expected from their side but not from yours. Monitorion's change-detection alert notifies you, so you can verify the new IPs are legitimate and update your documentation.
Setting Up DNS Monitoring in Monitorion
DNS monitoring is available on all paid plans. Configuration is straightforward:
- Step 1: Enter the domain to monitor (e.g.,
monitorion.com). - Step 2: Select the record type (A, AAAA, MX, CNAME, TXT, NS).
- Step 3: Optionally set the expected value. If left blank, Monitorion uses change-detection mode.
- Step 4: Optionally specify a custom nameserver to query.
- Step 5: Configure your check interval and alert channels.
For comprehensive DNS protection, we recommend at minimum three monitors per critical domain: one for the A record (or CNAME if you use a CDN), one for MX records, and one for TXT records covering SPF and DKIM. Add NS record monitoring if your domain is high-value or a target for registrar-level attacks.
DNS is the invisible layer that holds everything together. When it breaks, everything breaks — but nothing tells you why. DNS monitoring makes the invisible visible.
Enjoyed this post?
Get monitoring tips and product updates delivered to your inbox.