DNS Monitoring Explained: Why Your Domain Records Matter More Than You Think

Your DNS records are the foundation everything else sits on. When they break, your website vanishes, your email stops, and you have no idea why.

The invisible layer that controls everything

When someone types your domain name into a browser, the first thing that happens is a DNS lookup. Before any web server responds, before any page renders, before any content loads — the browser asks the Domain Name System: "Where is this website?"

The DNS system returns an IP address. The browser connects to that IP address. Your website appears.

If the DNS system returns the wrong IP address, the browser connects to the wrong server. Your website does not appear. If the DNS system returns nothing, the browser has nowhere to go. Your domain is dead.

This is the invisible layer that almost nobody monitors — and when it breaks, it takes everything else with it.

What DNS records are and what each one does

DNS records are entries in your domain's configuration that tell the internet where to send traffic. Each record type serves a different purpose. Here are the ones that matter for your website and business.

A record — where your website lives

The A record maps your domain name to an IPv4 address. When someone visits yourdomain.com, the A record tells their browser which server to connect to. If this record is wrong, your website is unreachable.

Example: yourdomain.com → 203.0.113.50

The AAAA record does the same thing for IPv6 addresses. If you support IPv6, both need to be correct.

CNAME record — aliases and subdomains

A CNAME record points one name to another name, so that www.yourdomain.com resolves to whatever yourdomain.com resolves to, or blog.yourdomain.com resolves to a host at your blog hosting provider. Subdomains are the usual case because a CNAME cannot be placed at the bare domain itself (the zone apex), which is why some providers offer ALIAS or "flattened" records for that purpose.

If a CNAME record is deleted or changed, the subdomain stops working. If you use a CDN like Cloudflare, your CNAME records often point to the CDN's edge servers, so a misconfigured CNAME can bypass the CDN entirely and expose your origin server. A CNAME you forgot about is dangerous too: if it still points at a hosting or SaaS resource you have since deleted, and that provider lets anyone claim the name, an attacker can claim it and serve their own content under your subdomain (a subdomain takeover). Remove CNAMEs when you decommission whatever they point to.

MX record — where your email goes

MX (Mail Exchange) records tell sending mail servers where to deliver mail for your domain. If your MX records are wrong, mail for you@yourdomain.com is delivered somewhere you do not read it, or worse, to a server controlled by someone else.

This failure can be completely silent. You get no error; you simply stop receiving email. Whether senders notice depends on the server the bad MX record points to. If it rejects mail for your domain, they get a bounce. If it accepts the mail (an old provider that still accepts it, or an attacker's server), the message counts as delivered and nobody is told. If the MX records are removed altogether, sending servers fall back to your A record, so your mail ends up at your web server.

TXT record — email authentication and verification

TXT records store text data for various purposes. The most important ones for your business are:

  • SPF — tells receiving servers which hosts are authorised to send email from your domain. A broken or missing SPF record means your legitimate email fails authentication and lands in spam or is rejected.
  • DKIM — a public key published in a TXT record that receivers use to verify the cryptographic signature on your outgoing mail. If the DKIM TXT record is deleted, every signature fails to verify.
  • DMARC — a policy record at _dmarc.yourdomain.com that tells receivers what to do with mail that fails SPF or DKIM alignment. Without it, receivers apply no policy, so mail spoofing your domain is neither quarantined nor rejected.

The Google Workspace documentation explains SPF, DKIM, and DMARC setup in detail. A single character wrong in any of these records can break your email deliverability: receivers treat a syntactically invalid SPF record as a permanent error, and a DMARC record with a misspelled policy value is not applied.
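The kind of check behind that last sentence, as an added example (this is not Uptrue's code or any library's): a small linter for SPF and DMARC TXT records based on the syntax rules in RFC 7208 and RFC 7489. The record strings are constructed for the example; each "typo" version differs from the good one by a single character. The SPF part counts DNS-lookup terms only at the top level (a real evaluator follows each include), and it treats unknown name=value modifiers as harmless, which is how receivers treat them.

```python
import ipaddress
import re

# Constructed sample records for this example (not the result of real lookups).
APEX_TXT_OK = ["v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all",
               "google-site-verification=abc123"]
APEX_TXT_TYPO = ["v=spf1 include:_spf.google.com -all."]       # one stray "."
DMARC_TXT_OK = ["v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100"]
DMARC_TXT_TYPO = ["v=DMARC1; p=rejct; rua=mailto:dmarc@yourdomain.com"]  # "rejct"

# RFC 7208 terms. An unknown mechanism is a syntax error (permerror), while an
# unknown "name=value" modifier is ignored by receivers, so it is not flagged.
SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}
SPF_NEEDS_VALUE = {"include", "exists", "ip4", "ip6"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:/])(\S+))?$", re.IGNORECASE)
DMARC_POLICIES = {"none", "quarantine", "reject"}


def lint_spf(txt_records):
    """Return the problems found in the SPF record among a domain's apex TXT records."""
    spf = [r for r in txt_records if r.split(" ", 1)[0].lower() == "v=spf1"]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send as you"]
    problems = []
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records: RFC 7208 allows exactly one (permerror)")
    terms = spf[0].split()[1:]
    lookups, seen_all, redirected = 0, False, False
    for term in terms:
        if "=" in term:                         # modifier such as redirect= or exp=
            if term.partition("=")[0].lower() == "redirect":
                lookups, redirected = lookups + 1, True
            continue
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"malformed term {term!r} (permerror)")
            continue
        _qualifier, name, sep, value = m.groups()
        name = name.lower()
        if name not in SPF_MECHANISMS:
            problems.append(f"unknown mechanism {term!r} (permerror)")
            continue
        if seen_all:
            problems.append(f"{term!r} comes after 'all' and is never evaluated")
        if name in SPF_NEEDS_VALUE and not (sep == ":" and value):
            problems.append(f"{term!r} needs a ':' argument")
        elif name in ("ip4", "ip6"):
            net = ipaddress.IPv4Network if name == "ip4" else ipaddress.IPv6Network
            try:
                net(value, strict=False)
            except ValueError:
                problems.append(f"{term!r} is not a valid address or CIDR block")
        if name in SPF_LOOKUP_TERMS:
            lookups += 1                        # top-level count only; each include adds more
        seen_all = seen_all or name == "all"
    if lookups > 10:
        problems.append(f"{lookups} lookup terms: RFC 7208 stops evaluating after 10 (permerror)")
    if not seen_all and not redirected:
        problems.append("no 'all' mechanism: unlisted senders get a neutral result")
    return problems


def _dmarc_tags(record):
    """Split 'tag=value; tag=value' into (lowercased tag, value) pairs."""
    tags = []
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags.append((name.strip().lower(), value.strip()))
    return tags


def lint_dmarc(txt_records):
    """Return the problems found in the TXT record(s) published at _dmarc.<domain>."""
    dmarc = [t for t in map(_dmarc_tags, txt_records) if t and t[0] == ("v", "DMARC1")]
    if not dmarc:
        return ["no DMARC record: receivers apply no policy to mail that fails SPF and DKIM"]
    if len(dmarc) > 1:
        return [f"{len(dmarc)} DMARC records: receivers apply none of them (RFC 7489)"]
    tags = dict(dmarc[0])
    problems = []
    if tags.get("p") not in DMARC_POLICIES:
        problems.append(f"p={tags.get('p')!r}: must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in DMARC_POLICIES:
        problems.append(f"sp={tags['sp']!r}: must be none, quarantine or reject")
    if "pct" in tags and not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
        problems.append(f"pct={tags['pct']!r}: must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
        bad = [u for u in uris if not u.lower().startswith("mailto:")]
        if bad:
            problems.append(f"{tag} contains non-mailto URIs {bad}")
    if tags.get("p") == "none" and "rua" not in tags:
        problems.append("p=none without rua: no enforcement and no reports either")
    return problems
```

Running lint_spf(APEX_TXT_TYPO) reports the trailing dot as a malformed term and, because the record then has no usable "all", warns that unlisted senders get a neutral result; lint_dmarc(DMARC_TXT_TYPO) rejects p=rejct. Both good records come back clean.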

NS record — who controls your DNS

NS (Name Server) records determine which DNS servers are authoritative for your domain. If someone changes your NS records, they control your entire domain. They can change any record, point your website anywhere, intercept your email, and obtain publicly trusted SSL/TLS certificates for your domain, because certificate authorities verify control through DNS or HTTP challenges that the attacker now answers.

NS record changes are the most dangerous DNS change and are a hallmark of domain hijacking attacks.

What can go wrong with DNS — and it goes wrong more often than you think

Accidental changes during migration

The most common DNS failure is human error during a server migration, hosting change, or CDN setup. You update one record and accidentally delete another. You change the A record to the new server but forget to update the subdomain CNAMEs. You switch email providers and the old MX records linger.

Because resolvers keep a record until its TTL expires, a change is not seen everywhere at once (registrars quote up to 48 hours for name-server changes, since the parent zone's TTL is long), so you might not notice the problem immediately. Your local DNS resolver still has the old records cached, so everything looks fine from your computer. Meanwhile, visitors whose resolvers have already refreshed are seeing errors or landing on the wrong server.

Domain registrar account compromise

If an attacker gains access to your domain registrar account — through a phished password, a brute force attack, or a social engineering call to the registrar — they can change any DNS record instantly. This is called DNS hijacking.

In 2019, a campaign called Sea Turtle targeted organisations by hijacking their DNS records, redirecting traffic to attacker-controlled servers, and intercepting credentials. The attacks were effective because DNS changes are silent — the victims did not know their records had changed until the damage was done.

DNS provider outage

Your DNS provider is a single point of failure. If their servers go down, your domain does not resolve. The most famous example is the October 2016 attack on Dyn, when a DDoS from the Mirai botnet against a major DNS provider made Twitter, Netflix, Reddit, and hundreds of other sites unreachable for hours, even though their own servers were running perfectly. The DNS layer was the single point of failure. If your provider supports it, publish your zone from a second provider as well, so that an outage at one does not take the domain down.

TTL misconfiguration

TTL (Time to Live) determines how long DNS resolvers cache your records. A low TTL (like 300 seconds) means changes propagate quickly but puts more load on your DNS servers. A high TTL (like 86400 seconds) means records are cached for a day — great for performance, terrible if you need to make an emergency change and it takes 24 hours to take effect.

A common mistake is setting a low TTL during a migration and forgetting to increase it afterward. Your DNS servers handle unnecessary traffic indefinitely.

Expired domain

If your domain registration expires and you miss the renewal, your registrar typically holds it for a grace period and then releases it. During the grace period, your DNS records may stop resolving, because many registrars replace your name servers with a parking page. After release, anyone can register your domain, and drop-catching services register expired names within seconds of release. Turn on auto-renew, keep a valid payment method on file, and make sure the registrar's contact address is not on the domain that would expire, or the renewal reminders vanish along with the rest of your mail.

How DNS monitoring works

DNS monitoring is straightforward. A monitoring service performs DNS lookups for your domain at regular intervals and records the results. It compares each result against the previous one. If any record changes, you get an alert. To see a change as soon as it is made, the lookups should go to your authoritative name servers directly rather than through a caching resolver, which keeps serving the old value until the TTL expires.

With Uptrue, you set up a DNS monitor by entering your domain and selecting which record types to track. The monitor checks your records on a regular schedule and alerts you via your chosen channel — email, Slack, or Teams — when any record changes.

The alert tells you exactly what changed: which record type, what the old value was, and what the new value is. You can then verify whether the change was intentional or investigate if it was not.
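The comparison step described above, as an added example (this is not Uptrue's code): two snapshots of a domain's records, a normaliser, and a diff that reports which record type changed and its old and new values. The snapshots are constructed for the example, with a fictional hijack of the NS set; a real monitor would fill them by querying each type against the authoritative servers. The normaliser is the part that decides whether you get false alerts: multi-value records such as MX and NS come back in varying order and letter case, and an IPv6 address has several spellings, and none of that should page anyone.

```python
import ipaddress

# Constructed snapshots for this example. In practice each list would come
# from querying the type against an authoritative name server, for example
#   dig +short @ns1.dnsprovider.example yourdomain.com MX
BASELINE = {
    "A": ["203.0.113.50"],
    "AAAA": ["2001:0db8::50"],
    "MX": ["10 mail1.yourdomain.com.", "20 mail2.yourdomain.com."],
    "NS": ["ns1.dnsprovider.example.", "ns2.dnsprovider.example."],
    "TXT": ['"v=spf1 include:_spf.google.com -all"'],
}
CURRENT = {
    "A": ["203.0.113.50"],
    "AAAA": ["2001:db8::50"],                                        # same address, shorter spelling
    "MX": ["20 MAIL2.yourdomain.com.", "10 mail1.yourdomain.com."],  # same set, new order and case
    "NS": ["ns1.attacker.example.", "ns2.attacker.example."],        # delegation moved: a hijack
    "TXT": ['"v=spf1 include:_spf.google.com -all"'],
}

SEVERITY = {"NS": "critical", "MX": "high", "A": "high", "AAAA": "high", "CNAME": "high"}


def normalise(rtype, values):
    """Canonical set of values, so cosmetic differences between answers do not raise alerts."""
    out = set()
    for v in values:
        v = v.strip()
        if rtype in ("A", "AAAA"):
            v = str(ipaddress.ip_address(v))     # "2001:0db8::50" and "2001:db8::50" are one address
        elif rtype in ("CNAME", "MX", "NS"):
            v = v.rstrip(".").lower()            # dig prints a trailing dot; names are case-insensitive
        out.add(v)                               # TXT is kept verbatim: DKIM keys are case-sensitive
    return out


def diff_snapshots(baseline, current):
    """Return (record type, values removed, values added) for every type whose set changed."""
    changes = []
    for rtype in sorted(set(baseline) | set(current)):
        old = normalise(rtype, baseline.get(rtype, []))
        new = normalise(rtype, current.get(rtype, []))
        if old != new:
            changes.append((rtype, sorted(old - new), sorted(new - old)))
    return changes


def format_alerts(domain, changes):
    """One alert line per changed type, stating old and new values; NS ranks highest."""
    lines = []
    for rtype, removed, added in changes:
        sev = SEVERITY.get(rtype, "medium").upper()
        lines.append(f"[{sev}] {domain} {rtype} changed: removed {removed or '-'}, added {added or '-'}")
    return lines


if __name__ == "__main__":
    for line in format_alerts("yourdomain.com", diff_snapshots(BASELINE, CURRENT)):
        print(line)
```

Run as a script, the only alert is the critical NS change listing both the old and the new name servers; the reordered MX set and the respelled AAAA address produce nothing, which is exactly what you want from a monitor you will still trust after a month.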

What to monitor and how to set it up

Step 1: Document your current records

Before you set up monitoring, know what your records should be. Use a tool like MXToolbox or dig on the command line to list your current A, AAAA, CNAME, MX, TXT, and NS records and the TTL on each, querying your authoritative name servers so you see what is published rather than what a resolver has cached. Save these as your baseline. Any change from this baseline is worth investigating.

Step 2: Set up DNS monitoring

  1. Sign up at uptrue.io/signup (free plan available)
  2. Click Add Monitor
  3. Select DNS as the monitor type
  4. Enter your domain name
  5. Select the record types to monitor — at minimum: A, MX, NS, the TXT records that carry SPF and DMARC, and any CNAME records for subdomains you use
  6. Configure your alert channel

Step 3: Combine with HTTP monitoring

DNS monitoring tells you when records change. HTTP monitoring tells you when your site is actually down. Together, they give you complete coverage. If your site goes down and your DNS records have not changed, you know the problem is at the server level. If your site goes down and a DNS record just changed, you know exactly where to look.

Check your DNS records and site health right now

Instant health score covering DNS configuration, SSL, security headers, uptime, and performance. Free, no account required.

Check Your Website Score

Protecting your DNS beyond monitoring

Lock your domain at the registrar

Enable registrar lock (also called transfer lock; it shows as the clientTransferProhibited status in WHOIS) on your domain. This prevents anyone from transferring your domain to another registrar without explicitly unlocking it first, and most registrars offer it for free. Note what it does not do: anyone logged into your registrar account can still edit DNS records, and can clear the lock. For domains you cannot afford to lose, ask your registrar about registry lock, where the registry itself refuses changes to the delegation until they are confirmed out of band.

Enable two-factor authentication on your registrar account

Your domain registrar account is the keys to your kingdom. If someone gets in, they can change any DNS record, transfer your domain, or point your website and email anywhere. Enable two-factor authentication, preferably with an authenticator app or hardware key rather than SMS, and use a strong, unique password. The same applies to your DNS hosting account if it is separate from the registrar. The ICANN guidance on domain security covers best practices.

Use DNSSEC where supported

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so that validating resolvers can detect forged responses and cache poisoning. It does not prevent changes made through the registrar or DNS provider, which get signed like any legitimate change; what it protects is the path between resolvers and your authoritative servers. It also adds a failure mode of its own: if you move DNS providers and the DS record at the registrar no longer matches the new provider's keys, validating resolvers treat your domain as bogus and it stops resolving for them, so include the DS record in what you monitor. Not all registrars and hosting providers support DNSSEC, but if yours does, enable it.

Set appropriate TTLs

For stable records that rarely change, set the TTL to 3600 seconds (1 hour) or higher. This reduces DNS lookup traffic and improves resolution speed. Before making a planned change, lower the TTL to 300 seconds at least one old TTL in advance (a full day if the TTL was 86400), because resolvers that cached the record before you lowered it keep the old value, and the old TTL, until it expires. Raise the TTL again once the change has settled.

DNS is your foundation — monitor it

Every other monitoring tool — HTTP, SSL, keyword — checks things that depend on DNS being correct. If your DNS records are wrong, your site is unreachable no matter how healthy your server is. Your email stops working no matter how well your mail server is running.

DNS monitoring is the one check that protects the foundation everything else sits on. Set it up once, and you will know the moment anything changes.

Start monitoring your DNS records for free

Free plan. DNS, HTTP, keyword, and SSL monitoring. Alerts on Slack, email, or Teams. No credit card required.

Frequently asked questions

What is DNS monitoring?

DNS monitoring automatically checks your domain name records at regular intervals and alerts you when any record changes. It tracks A records, AAAA records, CNAME records, MX records, TXT records, and NS records. When a record changes unexpectedly — whether from an accidental edit, a misconfiguration, or a malicious attack — you are alerted immediately.

Why do DNS records matter for my website?

DNS records are the address book of the internet. Your A record tells browsers which server to connect to for your website. Your MX records tell email servers where to deliver your mail. If any of these records are wrong, your website is unreachable, your email stops working, or your domain points to the wrong server entirely. Everything depends on DNS being correct.

What happens if my DNS records change without me knowing?

If your A record changes, your domain points to a different server — possibly one that shows nothing, shows an error, or shows content controlled by someone else. If your MX records change, your email gets delivered to the wrong server. If your NS records change, someone else controls your entire domain. All of these can happen silently.

Can DNS records be changed by hackers?

Yes. DNS hijacking is a real attack vector. If an attacker gains access to your domain registrar account, they can change your DNS records to point your domain to their own server. They can intercept your email by changing MX records. They can even obtain SSL/TLS certificates for your domain from a public certificate authority, because the DNS and HTTP challenges the CA uses to verify ownership now reach their server. This is why monitoring DNS records and securing your registrar account with two-factor authentication are both critical.

How often should DNS records be monitored?

Check at least every hour, and more often (every few minutes) for the records that matter most, such as NS and MX. A change on the authoritative servers reaches each resolver as soon as that resolver's cached copy expires, which for a typical TTL is minutes rather than days, so there is no grace period to rely on. The faster you detect and revert a bad change, the fewer resolvers ever serve it. Uptrue checks DNS records on a regular schedule and alerts on any change.

What is DNS propagation and why does it make DNS problems worse?

When you change a DNS record, the change does not take effect instantly worldwide. Resolvers around the world keep the old record in cache until its TTL (Time to Live) expires, so each one picks up the change at a different moment. For ordinary records that means minutes to a few hours; the commonly quoted 24 to 48 hours applies mostly to name-server changes made at the registrar, where the parent zone's TTL is long. This means a bad DNS change causes problems that spread over hours and affect different users at different times, which makes the issue very hard to diagnose without monitoring.

What DNS records should I monitor?

At minimum, monitor your A record (where your website points), MX records (where your email is delivered), NS records (who controls your DNS), and any CNAME records for subdomains. If you use SPF, DKIM, or DMARC for email authentication, monitor those TXT records as well — a broken SPF record means your emails start landing in spam.

Is DNS monitoring included in standard uptime monitoring?

Not always. Many uptime monitoring tools only check HTTP status codes and do not monitor DNS records separately. Uptrue includes DNS monitoring as a dedicated monitor type, checking your records independently from HTTP monitoring. This catches DNS-level failures that HTTP monitoring alone would attribute to a generic "site down" event.