Understanding DNS Record Types
What each record type does and why changes matter.
Maps a domain to an IPv4 address (e.g., 93.184.216.34). This is the most fundamental record type - it tells the internet where your website or service lives.
Why monitor: Unauthorized changes could redirect your traffic to a malicious server. This is one of the most common vectors for DNS hijacking.
Maps a domain to an IPv6 address. Same function as an A record, but for IPv6 networks.
Why monitor: Same risks as A records. As IPv6 adoption grows, monitoring these becomes increasingly important.
Specifies which mail servers accept email for your domain, and in what priority order.
Why monitor: A hijacked MX record can route all your organization's email to an attacker. This is a critical record to monitor for phishing prevention.
Creates an alias from one domain name to another (e.g., www.example.com → example.com).
Why monitor: Dangling CNAMEs (pointing to decommissioned services) are a common vector for subdomain takeover attacks.
Stores arbitrary text data. Commonly used for SPF (email sender verification), DKIM (email signing), DMARC (email authentication policy), and domain verification.
Why monitor: Unauthorized TXT changes can break your email deliverability (SPF/DKIM/DMARC) or allow someone else to verify ownership of your domain.
Specifies the authoritative nameservers for your domain. These are the servers that answer DNS queries for your domain.
Why monitor: If an attacker changes your NS records, they gain complete control over your domain's DNS. This is the nuclear option of DNS attacks.
Contains administrative information about the domain: primary nameserver, responsible party email, serial number, refresh/retry/expire timers.
Why monitor: SOA changes often indicate nameserver migrations. Unexpected changes could signal unauthorized DNS hosting changes.
Specifies the host and port for specific services (e.g., SIP, XMPP, LDAP). Includes priority and weight for load balancing.
Why monitor: SRV record changes can redirect service traffic. Important to monitor for organizations using SRV-dependent protocols.
Specifies which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for your domain.
Why monitor: Removing or changing CAA records could allow unauthorized certificate issuance, enabling man-in-the-middle attacks.
DriftWatch monitors all 9 record types
Add a domain and every record type is discovered automatically.
Start monitoring for free