DNS failures are catastrophic and immediate
DNS hijacking redirects your customers to phishing sites that steal credentials and payment information. Attackers compromise your registrar account, change your A records, and suddenly example.com points to their malicious server. Your customers think they're on your site. They're not.
Accidental DNS changes during hosting migrations break everything. Change the wrong A record and your site becomes unreachable worldwide. Delete an MX record and all company email stops. No incoming messages, all external emails bounce, support tickets never arrive.
Wrong DNS settings persist for hours or days due to caching. Even after fixing DNS records, old (broken) values remain cached across the internet for the TTL period. The damage compounds: lost sales, customer support overload, email communication blackout, reputation damage.
We check all your DNS records every few hours (A, AAAA, MX, TXT, CNAME, NS) across all your nameservers. When any record changes, you'll know immediately, whether it was authorized or malicious.
Stop manually checking DNS records
Most teams check DNS one of these ways: running dig/nslookup commands occasionally (requires remembering and technical knowledge), using free DNS lookup tools when something breaks, checking registrar dashboards manually, or discovering DNS issues when customers report the site is down.
Manual checking doesn't catch unauthorized changes in real-time. By the time you notice DNS hijacking, attackers have already redirected your traffic for hours. By the time you discover a wrong MX record, you've lost a day's worth of email.
Free DNS tools check DNS at a single moment when you remember to run them. They don't monitor continuously. They don't alert you. They don't show DNS history. You only find out something changed when you think to check, usually after problems start.
We check your DNS automatically every few hours from multiple locations. You'll get alerts within minutes of any DNS change: authorized migrations, accidental changes, or malicious hijacking. Fix issues before they cascade into complete outages.
Check all nameservers and all record types
Most DNS tools query a single nameserver and show you a snapshot. We're different: we check every authoritative nameserver for your domain, comparing results to catch inconsistencies. If one nameserver has different records than the others, you'll know immediately.
We monitor all DNS record types (A, AAAA, MX, TXT, CNAME, NS, SOA), not just your website's A record. This catches MX record changes that break email, TXT record modifications that break email authentication (SPF/DKIM), CNAME changes that break subdomains, and NS record changes that indicate potential hijacking.
DNS history shows exactly what changed and when. Compare current records to past snapshots. Prove when unauthorized changes happened. Roll back to previous configurations. See which records existed before a migration broke things.
Zero configuration required. Add your site to Oh Dear and we auto-detect all DNS records from all nameservers. We'll monitor everything automatically, alerting you the moment any record changes.
This SPF record ends in "+all" (pass all), which authorizes the entire internet to send mail as your domain. Use "-all" or "~all" instead.
This CAA record uses an unknown tag "contactemail". Expected one of: issue, issuewild, iodef.
This MX record points to an IP address (203.0.113.10). An MX record must point to a hostname, not an IP address.
Catch the mistakes, not just the changes
Knowing that a record changed is useful. Knowing a record is wrong is better. On top of tracking changes, we read the content of your records and flag the mistakes that are easy to make and hard to spot.
An SPF record ending in +all that lets anyone on the internet send mail as you. Two SPF records on one name, which breaks SPF entirely. A DMARC or DKIM record published in the wrong place. An MX or NS record pointing at an IP address. A CNAME on your apex domain. A malformed CAA record that accidentally blocks every certificate authority. We check for 38 of these today, and we keep adding more.
They show up as warnings right next to the record, so you spot them at a glance. They're advisory: they won't fail your check or trigger an alert. They're there to help you tidy up the small mistakes that cause outages and email trouble. We even follow your same-domain SPF includes and fetch your DMARC record for you, so you see the full picture.
| Component | Value |
|---|---|
| Url | https://urlxyz.com |
| Error description | Operation timed out after 5001 milliseconds with 0 bytes received |
Downtime verified from Paris, France and Bangalore, India
Downtime verified from Paris, France and Bangalore, India
Messages
urlxyz.com has recovered after 2m. full report: https://ohdear.app/monitors/83/checks/411
Messages
urlxyz.com seems down! Error: HTTP/500 Downtown verified from Paris, France and Frankfurt
Messages
Pushover has been successfully enabled. We'll notify you when something goes wrong.
ntfy
urlxyz.com has recovered after 2m. full report: https://ohdear.app/monitors/83/checks/411
ntfy
urlxyz.com seems down! Error: HTTP/500 Downtime verified from Paris, France and Frankfurt
ntfy
ntfy has been successfully enabled. We'll notify you when something goes wrong.
Messages
urlxyz.com has recovered after 2m. full report: https:/ohdear.app/monitors/83/checks/411
Messages
urlxyz.com has recovered after 2m. full report: https:/ohdear.app/monitors/83/checks/411
Messages
Text messages for urlxyz.com have been successfully enabled. We'll notify you when something goes wrong.
$_TOKEN="your API token" $ curl -X GET "https://notifyservicexyz.com/api/alert/urlxyzcom" \ -H "Authorization: Bearer $_TOKEN" \ -H "Accept: application/json" \ -H "Content-Type: application/json"
Opsgenie
urlxyz.com has recovered after 2m. full report: https://app.opsgenie.com/monitors/83/checks/411
Opsgenie
urlxyz.com seems down! Error: HTTP/500 Downtown verified from Paris, France and Frankfurt
Opsgenie
Opsgenie has been successfully enabled. We'll notify you when something goes wrong.
PagerDuty
urlxyz.com has recovered after 2m. full report: https://pagerduty.com/monitors/83/checks/411
PagerDuty
urlxyz.com seems down! Error: HTTP/500 Downtown verified from Paris, France and Frankfurt
PagerDuty
PagerDuty has been successfully enabled within Oh Dear. Notifications are enabled.
Choose how we let you know
Receive our notifications on your preferred platform. Via email, SMS, Slack, Discord, Opsgenie, Microsoft Teams, Pushover, ntfy, webhooks,… we can notify you wherever your team is active.
Take notifications to the next level: only notify who needs notifying by assigning responsibilities to different team members.
What DNS monitoring checks (and what it doesn't)
DNS monitoring excels at tracking DNS record changes across all nameservers. We check every record type (A, AAAA, MX, TXT, CNAME, NS, SOA) and alert you immediately when any record changes, whether authorized or malicious.
We also read the content of your records and flag common misconfigurations: an SPF record that authorizes the entire internet, two SPF records on one name, a DMARC record in the wrong place, an MX record pointing at an IP address, a CNAME on your apex domain, and more. These show up as friendly warnings right next to the record, so you can fix the small mistakes that cause outages and email problems before they hit you. We even follow your SPF includes and fetch your DMARC record for you, so you see the full picture.
What it checks: all DNS record types, all authoritative nameservers, DNS record history over time, nameserver consistency, record misconfigurations, and DNS resolution failures.
What it doesn't check: domain expiration (we have separate monitoring for that), whether your site is actually up (uptime monitoring handles that), SSL certificate validity (we monitor certificates separately), or DNS propagation speed (we check records as they exist at nameservers, propagation to resolvers varies).
Think of DNS monitoring as your early warning system for DNS changes. It catches unauthorized modifications, migration mistakes, and hijacking attempts. Combine it with uptime monitoring to know if DNS changes actually work.
Who needs DNS monitoring?
Teams migrating hosting or CDN providers where DNS changes are critical and mistakes break everything. Wrong A records make your site unreachable. Wrong CNAME breaks your CDN.
Companies after security incidents needing to prevent DNS hijacking. If your registrar account was ever compromised, attackers can return and modify DNS to redirect your traffic.
Teams with complex DNS setups (multiple subdomains, email servers, CDNs). More DNS records mean more things that can break. MX records for email, TXT records for email security, CNAME for subdomains.
Agencies managing client domains who need to know immediately if a client or their registrar modifies DNS. Your reputation depends on client sites staying accessible.
Anyone using email where MX record changes mean complete email blackouts. No incoming customer emails, all outbound bounces, support tickets never arrive.
High-value domains attractive to hijackers. If your domain is worth stealing, attackers will try. DNS monitoring catches hijacking within hours, not days.
Stop worrying, start monitoring
Start a no-strings-attached 10-day free trial. You're all set in less than a minute. (No credit card needed.)
Not convinced yet? Need help? Get in touch via support@ohdear.app.
Monitor only the records that matter
Not all DNS records are equally critical. A and AAAA records point your domain to your server, so changes break your site. MX records control email delivery, so changes stop all company email. TXT records handle email authentication (SPF, DKIM, DMARC), so changes get you marked as spam or rejected entirely.
Some legitimate services change DNS frequently. DDoS protection services like Cloudflare rotate IP addresses constantly. CDN providers modify CNAME records for traffic management. If you're behind these services, disable A/AAAA or CNAME monitoring to avoid alert fatigue while still catching critical MX or TXT changes.
You can toggle each record type independently per site. Monitor everything for critical domains. Disable noisy record types for sites behind dynamic services. Customize per your infrastructure needs.
Frequently asked questions
What is DNS monitoring?
DNS monitoring keeps an eye on your DNS records and alerts you when one of them changes, whether the change was planned, a mistake, or an attack. We check your records every couple of hours, so a wrong A record or a deleted MX record doesn't go unnoticed for days.
Why is DNS monitoring important?
A bad DNS change is a silent outage. A hijacked subdomain, misrouted email, or a registrar compromise can sit unnoticed while customers land on a phishing page or your mail quietly bounces. The sooner you spot the change, the less damage it does.
Does Oh Dear alert me when my DNS records change?
Yes. We check your DNS every couple of hours, straight from your domain's nameservers. When a record changes, including the unauthorized changes that point to DNS hijacking or a subdomain takeover, you'll get an alert within minutes of that check so you can verify and react.
Can I see a history of my DNS record changes?
Yes. Every change we detect to your DNS records (A, AAAA, CNAME, MX, NS, TXT, and more) is logged with a timestamp and kept for a year, so you have a full audit trail of your DNS history.
How do I monitor my DNS records?
Add your domain to Oh Dear and switch on DNS monitoring. We record the current state of your records and check them every couple of hours from then on, alerting you on any change. There's no DNS-provider integration to set up.
Does Oh Dear monitor nameserver changes?
Yes. Your nameserver (NS) records are part of what we watch, and an unexpected nameserver change is one of the strongest signals of domain hijacking.
Does Oh Dear check for DNS misconfigurations?
Yes. On top of tracking changes, we read the content of your records and flag common mistakes: an SPF record ending in +all, two SPF records on one name, a DMARC record in the wrong place, an MX or NS record pointing at an IP address, a CNAME on your apex domain, a malformed CAA record, and more. They appear as warnings right next to the record. They're advisory, so they won't fail your check or trigger alerts, they're there to help you tidy up the small mistakes that cause outages and email problems.
What should a DNS monitoring tool include?
Is there a free way to monitor DNS changes?
You can monitor DNS free during Oh Dear's 10-day trial. Free lookup tools only show your records when you remember to check, and catching a malicious change needs continuous monitoring with alerting.
Can agencies or IT teams monitor DNS for client domains?
Yes. Monitor every client domain from one account, organise sites with tags, and route DNS-change alerts to the right people per domain.
Wait, there's even more
API & endpoint monitoring
Call your endpoints every minute and validate what they actually return: status codes, response bodies, headers and response times. Webhooks and scheduled jobs included.
Continuous certificate monitoring
SSL certificates are essential in website security. We check all your certificate expiration dates & alert any change we detect.
Performance monitoring
We provide highly detailed performance monitoring and insights. We'll notify you as soon as we detect your website is getting slow.
Fast and insightful notifications
Get notified instantly as soon as we detect an issue or an important change. Enable any channel you use, you're in full control.
Broken page & mixed content
We crawl and index your entire website, just like Google. As soon as we detect a broken link on your site we will let you know.
DNS record monitoring
Receive a notification whenever your DNS records are modified - intentionally or maliciously - so you can act and verify faster.
Application health monitoring
A lot can go wrong inside your app and server. Disk space may fill up, or the database may go down. We'll notify you when something is off.
Beautiful public status pages
In times of crisis, a public status page allows you to communicate to your clients. We'll host your status page so it's always available.
laravel.com
ign.comtakeaway.comWebsite uptime monitoring
When your website goes down we'll let you know instantly. Now you can act before your or your client's brand reputation takes a hit.
Domain monitoring
We can check how long your domain is still registered. If your renewal date is close, we'll notify you. This will avoid you losing your domain.
Lighthouse SEO monitoring
We track the speed & performance of your website over time. If we detect your website is suddenly slower, we'll let you know.
Sitemap monitoring
Elevate your SEO strategy and optimize your site. We analyse your sitemap health and check every URL for broken links.
Describe what you want to monitor
AI-powered monitoring
Use AI to verify anything you want on your websites and services with Oh Dear's AI-powered monitoring feature.
Port scanning monitoring
Define which ports should be open, and we scan all 65,535 ports on your server. Get alerted when expected ports go down or unexpected ports appear.
DNS blocklist monitoring
DNS blocklist monitoring helps you stay off spam and ad-block lists. Get notified when your DNS is blocked by a blacklist.
Single Sign-On (SSO)
Connect Oh Dear to your identity provider. Your team signs in with the credentials they already use.
Start monitoring instantly
Start a no-strings-attached 10-day free trial. You're all set in less than a minute. (No credit card needed.)
Not convinced yet? Need help? Get in touch via support@ohdear.app.
