DNS record monitoring in Oh Dear
Every site that gets added to Oh Dear can have its DNS records automatically monitored.
How we perform DNS monitoring
Your DNS records are a crucial component of the availability of your website. Should they suddenly stop working, your site will be offline. If they change without your knowing, it could indicate someone has taken control of your domain name.
For that reason, our DNS monitoring is focussed on monitoring these key areas:
- DNS changes made to your domain
- Availability of your nameservers
- Validating all your nameservers return the same answers
Your site(s) added to Oh Dear can be configured to monitor your DNS at frequent intervals. We'll check every nameserver and every record for you on a 5-minute interval.
Determining which DNS records to monitor
Monitoring DNS records can lead you down a rabbit hole pretty quickly. For that reason, we've taken a pragmatic approach to monitoring your DNS records.
If you monitor the domain awesome-site.tld, we will monitor all DNS records we could find on that domain only.
That means we'll check for A, AAAA, CNAME, MX, ... records on awesome-site.tld, but not on www.awesome-site.tld or any other subdomain.
If you have other sites or subdomains that are of interest, you can add them to Oh Dear specifically. Since what we monitor can be toggled on/off, you can add secretpage.awesome-site.tld to Oh Dear and just enable the DNS monitoring if you prefer.
If you'd like to monitor the DNS records of your main site and 3 subdomains, you can add those 4 sites into Oh Dear.
Monitoring Cloudflare nameservers
Because it is so common to use Cloudflare's DDoS protection when you are using their DNS, we have an extra rule in place when we detect that a domain is using Cloudflare.
If a domain is using Cloudflare nameservers, we will automatically ignore any A and AAAA records when determining whether DNS records have been changed or whether nameservers are in sync.
Fine-tuning which records you care about
There are instances when your DNS records change all the time, and it's normal. If you're using a service that provides DDoS Protection, such as Akamai, it's common for them to change your DNS records to redirect you away from an ongoing attack.
You may still want to receive notifications about these changes, but at the same time, they can get a little noisy.
For this use case, you can head over to the DNS Settings of your site and choose which records you care about. You could disable monitoring A or AAAA records but leave on the monitoring of TXT, MX, NS, ... records.
From there, you have the ability to pick exactly which DNS record you want to monitor.
A look into which nameservers are incorrect
One frequent problem is that not all nameservers are equal. Normally, if you change the DNS records at your hosting or domain name provider, you change them on what is called a "main" or "master" nameserver.
That nameserver will then propagate the DNS changes to other, "secondary" or "slave", nameservers. On more than one occasion, not every secondary nameserver picks up that change.
That can leave you with a DNS change that is active on 3 out of your 4 nameservers. And this can lead to immense headaches when trying to debug why something doesn't work all the time. After all, if a client happens to hit that 4th, incorrect, nameserver and your debug efforts are hitting one of the first 3, you're looking at different things. We've been there and it isn't fun.
This is why we look at the responses every one of your nameservers returns. And if there's an anomaly, you will be able to do 2 things:
- Get alerts when your nameservers are out-of-sync
- See clearly which nameserver isn't in-sync and which records they're returning differently
This can be a lifesaver when it comes to debugging DNS!
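The comparison described above, sketched as an added example (not Oh Dear's own code). The nameserver names, the addresses and the choice of the majority answer as the reference are assumptions made for illustration; the ignore_types parameter mirrors the rule of skipping A and AAAA records.

```python
from collections import Counter

# Constructed sample: records each authoritative nameserver returned for
# awesome-site.tld, as (type, value) pairs. Hostnames and IPs are made up.
MX_NEW = ("MX", "10 mail.awesome-site.tld.")
MX_OLD = ("MX", "10 old-mail.awesome-site.tld.")
SPF = ("TXT", "v=spf1 mx -all")
ANSWERS = {
    "ns1.dns-host.example": {("A", "192.0.2.10"), MX_NEW, SPF},
    "ns2.dns-host.example": {("A", "192.0.2.20"), MX_NEW, SPF},  # rotating A
    "ns3.dns-host.example": {("A", "192.0.2.10"), MX_NEW, SPF},
    "ns4.dns-host.example": {("A", "192.0.2.10"), MX_OLD, SPF},  # stale secondary
}


def out_of_sync(answers, ignore_types=frozenset()):
    """Report nameservers whose record set differs from the majority answer.

    Returns {nameserver: {"missing": [...], "extra": [...]}}, where "missing"
    lists records the majority serves but this nameserver does not, and
    "extra" lists records only this nameserver serves.
    """
    # Drop record types the operator chose not to monitor (e.g. A/AAAA).
    filtered = {
        ns: frozenset(r for r in records if r[0] not in ignore_types)
        for ns, records in answers.items()
    }
    # Assumption: the record set returned by most nameservers is the reference.
    reference, _count = Counter(filtered.values()).most_common(1)[0]
    report = {}
    for ns, records in filtered.items():
        if records != reference:
            report[ns] = {
                "missing": sorted(reference - records),
                "extra": sorted(records - reference),
            }
    return report


if __name__ == "__main__":
    for label, ignore in (("all types", frozenset()), ("A/AAAA ignored", {"A", "AAAA"})):
        print(label)
        for ns, diff in out_of_sync(ANSWERS, ignore).items():
            print(f"  {ns}: missing={diff['missing']} extra={diff['extra']}")
```

With every type compared, both ns2 and ns4 are flagged; once A and AAAA are ignored, only the stale MX record on ns4 remains.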