DevOps DNS Drift Detection
Catch unexpected DNS changes before they cause incidents.
What is DNS drift?
DNS drift happens when the actual state of your DNS records diverges from what your infrastructure-as-code defines. This can happen when someone makes a manual change in a DNS provider's UI, when a Terraform apply partially fails, or when an automated process modifies records outside your IaC pipeline.
Common causes
- Manual hotfixes - Someone changes a record in the Cloudflare dashboard during an incident and forgets to update Terraform
- Partial applies - A Terraform apply fails halfway through, leaving some records in the new state and some in the old
- Multiple sources of truth - Different teams managing DNS in different tools (Route 53, Cloudflare, registrar)
- Automated systems - Certificate validation, CDN provisioning, or email services that create DNS records
Using DriftWatch with IaC
Post-deploy verification
After a Terraform or CloudFormation deploy that modifies DNS records, use the DriftWatch API to trigger a scan and verify that the changes were applied correctly:
curl -X POST https://app.driftwatch.io/api/v1/domains/{id}/discover \
-H "Authorization: Bearer $DRIFTWATCH_TOKEN"
Continuous monitoring
Between deploys, DriftWatch continuously scans your domains and alerts you if anything changes unexpectedly. If a record changes outside your deploy pipeline, you'll know within minutes.
Webhook to CI/CD
Configure a webhook channel that posts to your CI/CD system. When DriftWatch detects a change, automatically trigger a pipeline that compares actual DNS state against your Terraform state file.
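The comparison step such a pipeline would run, as an added example in Python that is not DriftWatch's own code: it reads the record resources from a Terraform v4 state file (assumed here to be aws_route53_record resources), builds the expected record set, and diffs it against a snapshot of live answers. Both the state and the live snapshot below are constructed samples so the script runs offline.

```python
import json

# Constructed sample: a minimal Terraform (v4 schema) state with Route 53 records.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"type": "aws_route53_record", "name": "www", "instances": [{"attributes": {
            "name": "www.example.com", "type": "A", "ttl": 300,
            "records": ["192.0.2.10", "192.0.2.11"]}}]},
        {"type": "aws_route53_record", "name": "mx", "instances": [{"attributes": {
            "name": "example.com", "type": "MX", "ttl": 3600,
            "records": ["10 mail.example.com."]}}]},
    ],
})

# Constructed sample of what a resolver currently returns (e.g. from a scan result).
LIVE_RECORDS = {
    ("www.example.com", "A"): {"192.0.2.10", "203.0.113.5"},  # one IP swapped by hand
    ("example.com", "MX"): {"10 mail.example.com."},
    ("_acme-challenge.example.com", "TXT"): {"abc123"},       # created outside IaC
}

def expected_from_state(state_json, record_types=("aws_route53_record",)):
    """Build {(fqdn, rrtype): set(rdata)} from the record resources in a state file."""
    expected = {}
    for res in json.loads(state_json).get("resources", []):
        if res.get("type") not in record_types:
            continue
        for inst in res.get("instances", []):
            a = inst["attributes"]
            key = (a["name"].rstrip(".").lower(), a["type"].upper())
            expected.setdefault(key, set()).update(a.get("records", []))
    return expected

def detect_drift(expected, live):
    """Return sorted (fqdn, rrtype, kind, detail) findings: missing, unexpected or changed."""
    findings = []
    for key in sorted(set(expected) | set(live)):
        want, have = expected.get(key), live.get(key)
        if want is None:
            findings.append((*key, "unexpected", sorted(have)))   # record IaC never declared
        elif have is None:
            findings.append((*key, "missing", sorted(want)))      # declared but not served
        elif want != have:
            findings.append((*key, "changed",
                             {"added": sorted(have - want), "removed": sorted(want - have)}))
    return findings

if __name__ == "__main__":
    for finding in detect_drift(expected_from_state(SAMPLE_STATE), LIVE_RECORDS):
        print(finding)
```

In a real pipeline the live snapshot would come from the scan DriftWatch reports (or a resolver query), and a non-empty findings list would fail the job.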