Short answer. DNS monitoring is the regular verification that your domain's records (A, AAAA, MX, NS, CNAME, TXT) resolve to the correct values. DNS failures are quiet and dangerous: the site is down for everyone even though the server is fine. Set up a DNS monitor that watches resolution and alerts on record changes. In enterno.io, DNS is one of four monitor types available for free.
Why DNS is a blind spot
Most teams monitor HTTP and SSL but forget DNS. That's a mistake: if the domain's NS servers are unreachable or the A record points to the wrong place, the user never even reaches your server — the browser can't resolve the name to an IP. An HTTP monitor will just show "timeout" without explaining why.
A DNS failure looks like the entire site going down, yet the server is perfectly healthy. Without DNS monitoring you'll hunt for the problem in the wrong place — in the application instead of the DNS zone.
What can go wrong
- Record tampering or an accidental change — someone edited the A record and broke routing.
- Expired domain — records stop resolving, NS records get pulled.
- DNS provider outage — authoritative servers go unreachable.
- Failover desync — the TTL hasn't expired, so some users still hit the dead address.
- Broken DNSSEC — an invalid signature causes SERVFAIL at resolvers.
Checking records manually
The go-to DNS diagnostic tool is dig. To get the A record:
dig example.com A +short
This command prints only the IPs from the A record — exactly the value a monitor should watch for changes.
To detect record drift and catch a tampering event, you can periodically diff the output:
dig example.com A +short > current.txt
diff baseline.txt current.txt && echo "DNS unchanged" || echo "DNS CHANGED!"
If the diff result is non-empty, the record changed — and that's a reason to alert.
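A sturdier form of the diff check above, as an added example that is not enterno.io code: it ignores round-robin reordering and reports a lost resolution separately from a changed record. The function names, the `baseline/` file layout and the sample addresses are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not enterno.io code. Function names, the baseline/ layout and
# all sample values are assumptions; 192.0.2.0/24 is documentation address space.

# Canonicalise `dig +short` output: drop dig's ';' diagnostic lines and blank
# lines, strip trailing whitespace and the root dot, then sort so that
# round-robin reordering of the same answers is not reported as a change.
normalize_rrset() {
  sed -e '/^;/d' -e 's/[[:space:]]*$//' -e 's/\.$//' -e '/^$/d' | LC_ALL=C sort -u
}

# compare_rrset BASELINE CURRENT
# Prints and returns: UNCHANGED (0), CHANGED (1), RESOLUTION_LOST (2).
compare_rrset() {
  local baseline current
  baseline=$(printf '%s\n' "$1" | normalize_rrset)
  current=$(printf '%s\n' "$2" | normalize_rrset)
  if [ -z "$current" ]; then
    # Empty answer: NXDOMAIN, SERVFAIL (e.g. broken DNSSEC) or a timeout.
    echo "RESOLUTION_LOST"
    return 2
  fi
  if [ "$baseline" = "$current" ]; then
    echo "UNCHANGED"
    return 0
  fi
  echo "CHANGED"
  # Put both sets on stderr so the alert shows what moved.
  printf 'expected: %s\n' "$(printf '%s' "$baseline" | tr '\n' ' ')" >&2
  printf 'observed: %s\n' "$(printf '%s' "$current" | tr '\n' ' ')" >&2
  return 1
}

# check_record NAME TYPE [DIR]: live check against DIR/NAME_TYPE.txt (assumed layout).
check_record() {
  local name type dir
  name=$1; type=$2; dir=${3:-baseline}
  compare_rrset "$(cat "$dir/${name}_${type}.txt")" \
                "$(dig "$name" "$type" +short +time=3 +tries=2)"
}

# Constructed demo: same addresses, different order -> prints UNCHANGED.
compare_rrset '192.0.2.10
192.0.2.11' '192.0.2.11
192.0.2.10'
```

Run `check_record example.com A` from cron or a CI job and alert on any non-zero exit status; status 2 points at the zone, registrar or resolver rather than at an edited record.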
Which records to monitor
| Record | What breaks on failure | Priority |
|---|---|---|
| A / AAAA | Site unreachable (no route to server) | critical |
| NS | Entire domain stops resolving | critical |
| MX | Email stops being delivered | high |
| CNAME | Subdomains and CDN break | medium |
| TXT (SPF/DKIM) | Email lands in spam | medium |
A full breakdown of record types is in the DNS records guide.
Setting up a DNS monitor
In enterno.io you create a monitor of type dns that periodically resolves the specified records and compares them to a baseline. When a value changes or resolution is lost, an alert fires. The check interval is configurable — for critical domains, a minute is reasonable.
Save a "baseline" snapshot of your records right after configuring the domain. Any divergence from it is either your intentional change or an incident.
DNS monitoring and failover
If you use DNS failover (switching to a backup IP when the primary goes down), DNS monitoring confirms the switch actually happened and the records propagated. More on the setup in DNS failover.
FAQ
How is DNS monitoring different from regular uptime monitoring?
An uptime monitor checks whether the server responds. A DNS monitor checks that the domain name resolves to the correct address at all — a layer below HTTP.
How often should I check DNS?
For critical domains, once a minute. DNS rarely changes, but when it changes by mistake the cost of downtime is high, so fast detection is justified.
Can I detect record tampering?
Yes. The monitor stores baseline values and alerts on any deviation — effective at catching both accidental edits and DNS attacks.
Do I need DNS monitoring if my domain is with a major provider?
Yes. Outages happen even at large providers, and human error (an accidental record edit) is independent of the provider.
Turn on DNS monitoring
Create a DNS monitor for free and check your records right now: the DNS Lookup tool and monitors. If you automate infrastructure, manage DNS monitors via the API documentation or the MCP server. For the general principles, see the uptime guide.