How to Track DNS Record Changes
Automatically detect when DNS records change - catch unauthorized IP changes, email routing modifications, and nameserver hijacks.
DNS changes can indicate a hosting migration, email provider switch, CDN activation - or something more serious like a domain hijack or unauthorized DNS modification. Automated DNS change monitoring catches all of these.
How DNS Monitoring Works
On each scan, ElasticDomain queries both Google's public resolver (8.8.8.8) and Cloudflare's resolver (1.1.1.1) for all standard DNS record types:
- A - IPv4 address (where the domain points)
- AAAA - IPv6 address
- MX - mail server records (controls email routing)
- TXT - SPF, DKIM, DMARC, and verification tokens
- NS - nameservers (delegation authority)
- CNAME - canonical name aliases
- SOA - Start of Authority (zone serial number)
- CAA - Certification Authority Authorization
- SRV - service locator records
The results are compared to the previous scan. Any record that was added, removed, or changed in value triggers a change event.
Setting Up DNS Change Alerts
Alert for Any DNS Change
- Domain detail → Alerts → Create Alert Rule
- Trigger: DNS Record Changed
- Notify via: Email
- Save
This fires whenever any DNS record changes. Good for owned domains where you want to know about all changes.
Alert for Specific Record Types
For more granular control, set up per-record-type alerts:
A record change (IP address change):
- Trigger: IP Changed
- Most important alert for owned domains - catches unauthorized redirections
NS record change (nameserver change):
- Trigger: Nameserver Changed
- A nameserver change means someone has changed who controls your DNS. This is a critical alert for owned domains.
MX record change (email routing):
- Trigger: DNS Record Changed (filter: MX)
- Catches email provider migrations and unauthorized mail server changes
What a Change Event Looks Like
When a change is detected, the alert notification includes:
- What changed: Record type, old value, new value
- When detected: Timestamp of the scan that caught it
- Severity: Classified as info (expected changes), warning (unusual), or critical (nameserver change, A record pointing to unknown IP)
In the dashboard, the DNS tab shows a change history timeline - a log of every detected change with before/after values.
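The scan-to-scan comparison and severity labels described above, sketched as an added example (not ElasticDomain's code). The `KNOWN_IPS` allowlist, the rule that MX changes and emptied record sets are "warning", and the sample scans are assumptions made for illustration.

```python
# Added example: the severity mapping and KNOWN_IPS are assumptions.
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}   # constructed allowlist of your own hosts
HOSTNAME_TYPES = {"NS", "MX", "CNAME"}         # values compared case-insensitively

def normalize(rtype, value):
    """Strip whitespace; for hostname records also drop the trailing dot and case."""
    value = value.strip()
    return value.rstrip(".").lower() if rtype in HOSTNAME_TYPES else value

def classify(rtype, added, new):
    """Map a change to info / warning / critical (assumed policy)."""
    if rtype == "NS":
        return "critical"                      # delegation changed
    if rtype in ("A", "AAAA") and any(ip not in KNOWN_IPS for ip in added):
        return "critical"                      # points at an IP you do not recognise
    if rtype == "MX" or not new:
        return "warning"                       # mail routing moved, or record set vanished
    return "info"

def diff_snapshots(previous, current):
    """Compare two {record_type: [values]} scans; one event per changed type."""
    events = []
    for rtype in sorted(set(previous) | set(current)):
        old = {normalize(rtype, v) for v in previous.get(rtype, [])}
        new = {normalize(rtype, v) for v in current.get(rtype, [])}
        if old != new:
            events.append({"type": rtype, "removed": sorted(old - new),
                           "added": sorted(new - old),
                           "severity": classify(rtype, new - old, new)})
    return events

# Constructed sample scans (documentation address ranges, not real data).
PREVIOUS = {"A": ["203.0.113.10"],
            "NS": ["ns1.dns-host.example.", "ns2.dns-host.example."],
            "MX": ["10 mail.example.com."],
            "TXT": ["v=spf1 include:_spf.example.com ~all"]}
CURRENT = {"A": ["198.51.100.77"],
           "NS": ["NS1.dns-host.example", "ns2.dns-host.example"],  # same after normalizing
           "MX": ["10 mail.example.com."],
           "TXT": ["v=spf1 include:_spf.example.com ~all",
                   "google-site-verification=CONSTRUCTED-TOKEN"]}

if __name__ == "__main__":
    for event in diff_snapshots(PREVIOUS, CURRENT):
        print(event)
```

Normalizing hostname values before comparing keeps a trailing dot or a case difference between resolver answers from raising a false nameserver alert; TXT values are left untouched because their content is case-sensitive.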
Reading the DNS Tab
The DNS tab lists all current records grouped by type. For each A record, ElasticDomain also shows enriched data:
- IP geolocation: Country, city, and region of the IP
- ASN: Autonomous System Number and organization (tells you whose network the IP belongs to - e.g. "AS13335 Cloudflare, Inc.")
- CDN detection: Whether the IP belongs to a known CDN (Cloudflare, Fastly, AWS CloudFront, etc.)
- Hosting provider: Detected from ASN data
This makes it easy to spot when a domain has moved from one host to another or is routing through an unexpected CDN.
DNSSEC Monitoring
ElasticDomain also checks DNSSEC status:
- Whether DS records exist (DNSSEC delegation)
- Whether DNSKEY records are present
- Algorithm used (ECDSA P-256 recommended; RSA/MD5 and DSA/SHA-1 are deprecated)
- Signature validity and expiry
DNSSEC validation failures are flagged in the Security tab and affect the domain health score.
Common DNS Change Scenarios
| Change | What It Means |
|---|---|
| A record changes to Cloudflare IP | Domain added to Cloudflare CDN |
| NS records change to new provider | DNS hosting migrated |
| MX records change | Email provider switched |
| TXT record added with google-site-verification | Google Search Console added |
| A record changes to unknown IP | Potential domain hijack - investigate immediately |
| All records disappear | Domain not renewing or DNS zone deleted |