How to Detect DNS Changes
Monitor your DNS records and get alerted to any suspicious modification.
DNS records are the invisible foundation of your online presence. They direct traffic to your servers, route your emails, and validate your SSL certificates. An undetected DNS change can redirect all your traffic to a malicious server, disrupt your emails, or invalidate your HTTPS - all without your main server being affected.
The danger of DNS lies in its discretion. Unlike a server crash, a DNS change can go unnoticed for hours or even days. Your users are redirected elsewhere, your emails stop arriving, but your classic HTTP monitoring detects nothing because it's not watching the right thing.
MoniTao monitors your DNS records continuously and alerts you instantly when changes occur. Whether it's a legitimate migration you forgot about or a DNS hijacking attack, you're informed before damage accumulates.
Signs of an Unwanted DNS Change
Several symptoms can reveal that a DNS change has occurred without your authorization:
- Site inaccessible or different: Your site works normally from your server, but users see a different page or an error. The DNS points elsewhere.
- Disappearing emails: Emails sent to your domain no longer reach you. The MX records may have been modified, redirecting your emails to another server.
- Invalid SSL certificate: Your Let's Encrypt certificate no longer renews because DNS validation fails. Or worse, a fraudulent certificate has been issued for your domain.
- Phishing complaints: Your customers receive phishing emails "from you", or see fraudulent login pages on your domain. The DNS has been hijacked.
Causes of DNS Changes
A DNS change can have legitimate or malicious origins:
- Forgotten server migration: You or a colleague migrated to a new server and updated DNS without documenting it. The modification is legitimate but was not communicated.
- Registrar account compromise: An attacker gained access to your registrar account (OVH, Gandi, GoDaddy...) and modified your DNS to redirect traffic.
- Domain expiration: Your domain expired and was grabbed by someone else. The DNS now points to their servers.
- Man-in-the-middle attack: A DNS hijacking attack redirects your traffic to an attacker-controlled server to steal credentials or inject malicious content.
Manually Check Your DNS
Here's how to quickly diagnose the state of your DNS records:
- Use dig or nslookup: Run dig example.com A or nslookup example.com to see the current IP. Compare with your server's expected IP.
- Check MX records: Run dig example.com MX to see where your emails are routed. Confirm it's your mail server.
- Test from multiple locations: Use tools like whatsmydns.net to check DNS from different countries. Inconsistent results may indicate propagation in progress or an attack.
- Check history: Services like SecurityTrails or DNSHistory show the DNS modification history of your domain.
DNS Verification Script
Here's a simple script to check your DNS records:
#!/bin/bash
# Basic DNS verification
DOMAIN="example.com"
EXPECTED_IP="93.184.216.34"
echo "=== DNS Check for $DOMAIN ==="
# Get the first A record returned (dig +short prints one value per line)
CURRENT_IP=$(dig +short "$DOMAIN" A | head -n 1)
echo "Expected IP: $EXPECTED_IP"
echo "Current IP: $CURRENT_IP"
if [ -z "$CURRENT_IP" ]; then
    # An empty answer means the lookup failed or no A record exists
    echo "❌ ALERT: no A record returned for $DOMAIN"
elif [ "$CURRENT_IP" = "$EXPECTED_IP" ]; then
    echo "✅ DNS OK"
else
    echo "❌ ALERT: DNS modified!"
    echo "IP changed from $EXPECTED_IP to $CURRENT_IP"
fi
# Check MX records
echo ""
echo "=== MX Records ==="
dig +short "$DOMAIN" MX
# Check nameservers
echo ""
echo "=== Nameservers ==="
dig +short "$DOMAIN" NS
This script verifies that your domain's IP matches the expected one. With MoniTao, this check is automated and you're alerted instantly when changes occur.
DNS Protection Best Practices
Protect your DNS against unauthorized modifications:
- Secure your registrar account: Enable two-factor authentication (2FA), use a strong unique password, and regularly verify access. This is your first line of defense.
- Lock domain transfer: Enable "transfer lock" at your registrar to prevent unauthorized transfer to another registrar.
- Monitor with MoniTao: Create a DNS monitor for your critical records (A, MX, NS). You'll be alerted as soon as a modification is detected.
- Document your configurations: Maintain an up-to-date list of all your DNS records and their expected values. Useful for detecting anomalies and for recovery in case of incident.
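The documented list of expected values can also drive the manual checks described earlier. The script below is an added example, not MoniTao's code: it compares the live A, MX and NS answers from several resolvers against a baseline, treating each record set as unordered. The baseline values, the resolver list and the function names are assumptions chosen for illustration.

```shell
#!/bin/bash
# Added example: compare live DNS answers with a documented baseline.
# Baseline lines are "name type value"; these values are constructed samples.
BASELINE='example.com A 93.184.216.34
example.com MX 10 mail.example.com.
example.com NS ns1.example.com.
example.com NS ns2.example.com.'
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"  # assumption: public resolvers to query

# Lowercase, strip trailing dots, drop blanks, sort: an order-independent set.
normalize() { tr '[:upper:]' '[:lower:]' | sed -e 's/\.$//' -e '/^$/d' | sort -u; }

# Live answer from one resolver; the only function that touches the network.
lookup() { dig +short +time=3 +tries=1 "@$1" "$2" "$3"; }

# Expected values for one name/type, read from the baseline.
expected_for() {
    printf '%s\n' "$BASELINE" | awk -v n="$1" -v t="$2" \
        '$1 == n && $2 == t { sub(/^[^ ]+ [^ ]+ /, ""); print }' | normalize
}

# Report differences for one record set; return 1 if anything differs.
diff_rrset() {  # args: resolver name type
    want=$(expected_for "$2" "$3")
    got=$(lookup "$1" "$2" "$3" | normalize)
    if [ -z "$got" ]; then echo "NOANSWER $1 $2 $3"; return 1; fi
    missing=$(printf '%s\n' "$want" | grep -Fxv -e "$got" || true)
    extra=$(printf '%s\n' "$got" | grep -Fxv -e "$want" || true)
    if [ -z "$missing$extra" ]; then return 0; fi
    if [ -n "$missing" ]; then printf '%s\n' "$missing" | sed "s/^/MISSING $1 $2 $3 /"; fi
    if [ -n "$extra" ]; then printf '%s\n' "$extra" | sed "s/^/UNEXPECTED $1 $2 $3 /"; fi
    return 1
}

# Check every name/type pair in the baseline against every resolver.
audit() {
    rc=0
    for r in $RESOLVERS; do
        while read -r name type; do
            diff_rrset "$r" "$name" "$type" || rc=1
        done <<EOF
$(printf '%s\n' "$BASELINE" | awk '{ print $1, $2 }' | sort -u)
EOF
    done
    return $rc
}

# Query the network only when asked: ./dns-audit.sh run
if [ "${1:-}" = "run" ]; then audit; fi
```

Scheduled with the `run` argument, a non-zero exit status means at least one resolver returned a record set that differs from the baseline, and the MISSING, UNEXPECTED and NOANSWER lines say which one.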
DNS Security Checklist
- MoniTao DNS monitor created for main domain
- A, MX, and NS records monitored
- Registrar account protected with 2FA
- Domain transfer lock enabled
- Registrar contact email up to date and monitored
- Expected DNS values documentation up to date
Frequently Asked Questions About DNS Monitoring
What's the difference between HTTP and DNS monitoring?
HTTP monitoring checks that your server responds correctly. DNS monitoring checks that domain name records point to the right destination. A site can be DOWN in HTTP but OK in DNS (server crash), or OK in HTTP but compromised in DNS (hijacking).
Does a DNS change immediately affect all users?
No, DNS propagation can take from a few minutes to 48 hours depending on the TTL (Time To Live) configured. During this period, some users will see the old configuration, others the new one.
How do I protect my domain against DNS hijacking?
Combine several measures: 2FA on registrar account, transfer lock, MoniTao monitoring for quick detection, and DNSSEC if your registrar supports it.
Can I monitor subdomain DNS?
Yes, create a separate DNS monitor for each critical subdomain (www, mail, api, etc.). Each subdomain can have its own records.
Can MoniTao monitor TXT and CNAME records?
Yes, MoniTao can monitor all types of DNS records: A, AAAA, MX, TXT, CNAME, NS, etc. Configure those that are critical for your infrastructure.
What should I do if MoniTao detects an unauthorized DNS change?
Act immediately: log into your registrar to verify, restore the correct records if needed, change your passwords, enable 2FA if not already done, and investigate the cause.
Protect Your DNS Before It's Too Late
DNS attacks are particularly dangerous because they often go unnoticed. Your server works perfectly, but traffic is redirected elsewhere. Without dedicated monitoring, you only discover the problem when damage is done: stolen data, tarnished reputation, compromised certificates.
MoniTao monitors your DNS records continuously and alerts you instantly when changes occur. Combined with security best practices (2FA, transfer lock), you have solid defense against unauthorized DNS changes. Configure your first DNS monitor in just a few clicks.