
DNS Security Monitoring

Catch DNS-based attacks before they become incidents.

By Tom Beech. Published March 2026.

DNS as an attack vector

DNS is one of the most undermonitored parts of infrastructure security. Attackers who gain access to DNS records can redirect traffic, intercept email, steal SSL certificates, and take over subdomains - often without triggering any existing monitoring.

Threats to watch for

DNS hijacking

An attacker changes your A or AAAA records to point to their server. All traffic intended for your site now goes to them. They can serve a phishing page, steal credentials, or intercept API calls.

What to monitor: A and AAAA record changes on your primary domains. Alert on any modification.

Email interception via MX

Changing MX records redirects all email to an attacker-controlled server. They can read sensitive communications, perform password resets on other services, and send phishing emails that appear to come from your domain.

What to monitor: MX record changes. Route these to Pushover or a high-priority Slack channel.

Subdomain takeover

When a CNAME record points to a service you no longer control (e.g., a decommissioned Heroku app, an expired Azure instance), an attacker can claim that service and serve content on your subdomain.

What to monitor: CNAME record deletions and changes. Regularly audit CNAMEs pointing to third-party services.

Nameserver hijacking

If an attacker changes your NS records, they gain complete control over all DNS for your domain. This is the most severe DNS attack.

What to monitor: NS record changes. These should almost never change - any modification should be treated as a critical alert.

Certificate authority manipulation

Removing or modifying CAA records can allow attackers to issue SSL certificates for your domain from unauthorized CAs, enabling man-in-the-middle attacks.

What to monitor: CAA record changes or deletions.

Recommended alert configuration

For security monitoring, we recommend:

  • Monitor all record types on all domains
  • Route A, AAAA, MX, NS changes to a high-priority channel (Pushover, dedicated Slack)
  • Route all other changes to a standard channel (email, general Slack)
  • Use the Enterprise plan for 1-minute scan intervals - faster detection means less time for attackers
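
The routing rule above, sketched as an added example (not code from this guide or from the product it describes): it diffs a baseline DNS snapshot against a current one and assigns each change to a channel. The snapshot shape, the channel names and the sample records are constructed assumptions.

```python
# Added example: diff two DNS snapshots and route each change as recommended above.
HIGH_PRIORITY_TYPES = {"A", "AAAA", "MX", "NS"}  # from the recommendation list
HOSTNAME_TYPES = {"MX", "NS", "CNAME"}           # values that are DNS names

def normalise(snapshot):
    """Map (name, type) -> frozenset of values, so answer order never matters."""
    out = {}
    for (name, rtype), values in snapshot.items():
        rtype = rtype.upper()
        if rtype in HOSTNAME_TYPES:  # names compare case-insensitively, dot optional
            values = [v.lower().rstrip(".") for v in values]
        out[(name.lower().rstrip("."), rtype)] = frozenset(values)
    return out

def diff_snapshots(baseline, current):
    """Return change dicts (added / removed / modified), sorted by name and type."""
    old, new = normalise(baseline), normalise(current)
    changes = []
    for key in sorted(old.keys() | new.keys()):
        before, after = old.get(key, frozenset()), new.get(key, frozenset())
        if before == after:
            continue  # reordered or re-cased answers are not a change
        kind = "added" if not before else "removed" if not after else "modified"
        changes.append({
            "name": key[0], "type": key[1], "kind": kind,
            "before": sorted(before), "after": sorted(after),
            "channel": "high-priority" if key[1] in HIGH_PRIORITY_TYPES else "standard",
        })
    return changes

# Constructed sample data (example.com and documentation address ranges only).
BASELINE = {
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["10 mail.example.com."],
    ("example.com", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("example.com", "CAA"): ['0 issue "ca.example"'],
    ("shop.example.com", "CNAME"): ["store.hosting.example."],
}
CURRENT = {  # the CAA record set is missing from this snapshot
    ("example.com", "A"): ["198.51.100.7"],                           # changed
    ("Example.com.", "MX"): ["10 MAIL.example.com"],                  # same once normalised
    ("example.com", "NS"): ["ns2.example.net.", "ns1.example.net."],  # reordered only
    ("shop.example.com", "CNAME"): ["store.hosting.example."],
}

if __name__ == "__main__":
    for c in diff_snapshots(BASELINE, CURRENT):
        print(f"[{c['channel']}] {c['name']} {c['type']} {c['kind']}: {c['before']} -> {c['after']}")
```

Comparing record sets rather than raw resolver output keeps round-robin reordering and trailing-dot differences from paging anyone, while a deleted record set (here CAA) still surfaces as a change.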
