Features
Resources
Feature
Continuous monitoring across every authoritative nameserver. 60+ record types. Instant alerts when anything changes. Because DNS changes you don't know about are DNS changes that break things.
No credit card required · 7-day trial · Full feature access
A DNS record change takes seconds to make and hours to notice. An MX record pointing to the wrong mail server means email silently disappears. A modified A record can redirect your traffic to an attacker's infrastructure. A deleted CAA record opens the door to unauthorized certificate issuance. And when your nameservers disagree on what a record says, some of your users see the correct answer while others don't — an intermittent failure that's nearly impossible to diagnose without the right monitoring.
Most DNS monitoring tools check a single nameserver and move on. They miss propagation failures. They miss partial zone transfers. They miss the discrepancy between your primary and secondary nameservers that's causing 30% of your users to get stale data. DNS Spy doesn't work that way.
Add a domain and DNS Spy automatically discovers all authoritative nameservers, enumerates every DNS record, and begins monitoring. No manual record configuration needed — DNS Spy finds them all.
DNS Spy queries every authoritative nameserver for your domain on a regular interval. Each nameserver is checked independently, and results are compared to detect both changes and sync discrepancies.
When a record changes, a new record appears, or nameservers go out of sync, DNS Spy sends alerts through your configured channels — email, Slack, Discord, or PagerDuty. You see exactly what changed, from what, to what.
DNS monitoring is not a new idea. Doing it properly across every nameserver, for every record type, with intelligent change detection — that's where most tools fall short.
DNS Spy queries every authoritative nameserver for your domain independently. Most monitoring tools check one nameserver and call it a day. DNS Spy checks all of them — and tells you when they disagree.
This catches partial zone transfers, configuration drift between primary and secondary nameservers, and propagation failures that only affect a subset of your users depending on which nameserver their resolver hits.
Live Nameserver Comparison
When your nameservers return different values for the same record, DNS Spy flags it immediately. You see exactly which nameserver is returning what, so you can pinpoint the source of the discrepancy.
Out-of-sync records are one of the most insidious DNS issues because they cause intermittent failures — hard to reproduce, harder to diagnose. DNS Spy surfaces them automatically with a side-by-side comparison of values from each nameserver.
Every DNS record change is logged with timestamps, previous values, new values, and the nameserver that reported the change. Your DNS timeline becomes fully auditable.
Whether you need to trace when an MX record was modified for a compliance audit, or figure out which change broke email delivery last Tuesday, the history is there — per record, per nameserver.
Change History — example.com A Record
Get notified via email, Slack, Discord, or PagerDuty. Configure different channels for different domains or teams. Choose exactly which events matter to you.
Notification types include: DNS records changed, new records found, nameserver changes, nameservers out of sync, nameservers back in sync, domain online/offline, SOA record changes, and WHOIS updates.
Notification Channels
When new DNS records appear on your domain, DNS Spy detects and starts monitoring them automatically. No manual configuration required.
This is critical for catching unauthorized record additions — a common vector in DNS hijacking attacks where an attacker adds a TXT record for domain validation or an A record pointing to their infrastructure.
For A and AAAA records that resolve through CNAME chains, DNS Spy tracks the full resolution path. You see both the alias and the final target IP.
This matters because a CNAME record can stay the same while the target it points to changes completely. If your www CNAME points to a CDN hostname, DNS Spy tracks the underlying IP changes so you know when your CDN provider rotates infrastructure.
DNS Spy recognizes records that change frequently — like CDN load balancers or geo-DNS responses — and handles them intelligently to reduce alert noise.
Records that change more than 6 times in 90 minutes or 12 times in 24 hours are identified as frequently-changing. You still get the full change history, but DNS Spy adapts its alerting so you are not buried in notifications for expected behavior.
DNS Spy normalizes TXT record comparisons to handle RFC-valid formatting differences between nameservers — preventing false positives from quoted-string concatenation, DKIM key splitting, and whitespace variations.
Some nameservers return a DKIM record as a single quoted string while others split it into multiple quoted fragments. DNS Spy recognizes these as semantically identical, so you only get alerted for real changes — not formatting differences.
DNS Spy doesn't cherry-pick which record types to watch. From A records to ZONEMD, if your nameserver serves it, DNS Spy tracks it.
The records that keep your domains resolving and your email flowing.
Records that protect your domain from spoofing, hijacking, and forgery.
Records powering the next generation of DNS — encrypted connections, service binding, and application-layer routing.
The long tail of DNS — every record type your nameservers might serve.
DNS Spy doesn't just watch for value changes. It monitors the full lifecycle of your DNS infrastructure and alerts you to events that other tools ignore.
A record value or TTL changed on any nameserver. You see the old value, new value, and which nameserver reported it.
A DNS record was added to your domain that wasn't there before. Critical for detecting unauthorized record additions.
Your domain's authoritative nameservers changed — a major event that could indicate a registrar transfer or DNS hijacking.
Your authoritative nameservers are returning different values for the same record. Some users are getting stale or incorrect data.
A previously out-of-sync record is now consistent across all nameservers. The propagation issue has resolved.
Your domain's nameservers stopped responding — or came back online after being unreachable. Immediate notification either way.
The SOA serial number or other SOA fields changed, indicating a zone update. Useful for tracking DNS zone publication events.
Registrar information, expiration dates, or other WHOIS data changed for your domain. Tracked alongside DNS record changes.
Zone transfer (AXFR) availability changed — either failed when it was previously working, or recovered after a failure.
When you manage hundreds of client domains, a single DNS misconfiguration can mean downtime for a client who doesn't understand why their email stopped working. DNS Spy gives you a single dashboard across all client domains with instant alerting when anything changes — whether it was your team, the client, or an unauthorized third party.
DNS changes are a leading cause of outages, and they're often the last thing anyone checks. DNS Spy integrates into your existing alert workflow via Slack, Discord, or PagerDuty, so DNS changes surface alongside your other infrastructure alerts instead of being discovered hours later.
Unauthorized DNS changes can indicate domain hijacking, subdomain takeover attempts, or compromised registrar accounts. DNS Spy gives you a continuous audit trail of every record change across every nameserver — exactly what you need for incident investigation and compliance reporting.
Whether you own 10 domains or 1,000, DNS Spy monitors all of them with the same depth. Group domains together, set up team-wide alerting, and know that every record on every domain is being watched — even records you didn't know existed.
DNS Spy runs a distributed network of query nodes across multiple regions. Each monitoring check queries your authoritative nameservers directly — not recursive resolvers, not Google DNS, not Cloudflare's 1.1.1.1. This means DNS Spy sees exactly what your nameservers are serving, without caching layers or resolver-specific behavior masking the real state of your zone.
Every query captures response times from each nameserver, so you get performance data alongside correctness data. If one nameserver consistently responds 3x slower than the others, DNS Spy surfaces that too.
For domains using AXFR zone transfers, DNS Spy can monitor transfer availability and alert you when zone transfers fail. This is particularly valuable for secondary DNS configurations where a broken zone transfer means your backup nameservers are serving stale data without anyone knowing.
60+
DNS record types monitored
Every
authoritative nameserver checked
4
notification channels (Email, Slack, Discord, PagerDuty)
When you're monitoring dozens or hundreds of domains, organization matters. DNS Spy lets you group domains together — by client, by environment, by business unit — and manage monitoring settings at the group level.
Each domain group gives you an aggregated security score and a single view across all member domains, so you can quickly identify which group has outstanding DNS issues without clicking into every domain individually.
Domain Groups
Add your first domain in under a minute. DNS Spy automatically discovers your nameservers, enumerates every record, and starts monitoring. No configuration required.
No credit card required · 7-day trial · Full feature access
40+ automated security checks with weighted scoring.
Look-alike domain detection and brand protection.
Track WHOIS changes and domain expiration dates.
Certificate discovery, expiration tracking, and TLS auditing.
Organize domains by client, environment, or business unit.
Email, Slack, Discord & PagerDuty alert channels.
Connect Claude & AI agents to your DNS monitoring.
DNS Spy continuously monitors your DNS records on a regular interval. The exact frequency depends on your plan, but all plans include automated monitoring that checks your records across every authoritative nameserver for your domain — not just one.
DNS Spy monitors over 60 DNS record types including A, AAAA, CNAME, MX, TXT, NS, SOA, CAA, SRV, DNSKEY, DS, HTTPS, SVCB, NAPTR, SSHFP, TLSA, and many more. If your nameserver serves it, DNS Spy tracks it.
When you have multiple authoritative nameservers (which most domains do), each one should return the same DNS records. DNS Spy queries every nameserver independently and alerts you when they disagree — a condition called "out of sync." This catches propagation failures, partial updates, and configuration drift that could cause intermittent resolution issues for your users.
Yes. For A and AAAA records that resolve through CNAME chains, DNS Spy can track both the CNAME alias and the final resolved IP address. This means you get alerted not only when the CNAME itself changes, but also when the underlying target it points to changes — even if the CNAME record stays the same.
DNS Spy supports multiple notification channels: email, Slack, Discord, and PagerDuty. You can configure different channels per domain or team, and fine-tune which notification types you want to receive — including record changes, new records found, nameserver changes, out-of-sync alerts, and domain online/offline status.
Yes. DNS Spy includes intelligent change frequency detection that identifies records that change often (such as CDN or load-balanced A records). When a record changes more than 6 times in 90 minutes or 12 times in 24 hours, DNS Spy recognizes the pattern and can suppress noisy alerts while still tracking the changes in your history.
Yes. DNS Spy supports dynamic TTL tracking. You can flag records that have intentionally changing TTLs so that TTL changes alone don't trigger false out-of-sync alerts. The record value is still compared across nameservers — only the TTL comparison is relaxed.
A DNS lookup tool shows you a snapshot of one record at one point in time. DNS Spy continuously monitors all your records across all your authoritative nameservers, maintains a complete change history, detects sync issues between nameservers, identifies new and deleted records, and alerts you in real-time when something changes. It is the difference between checking your front door once and having a 24/7 security camera.
Yes. DNS Spy fully supports internationalized domain names using the IDNA UTS #46 standard. Domains with non-ASCII characters are properly handled and displayed in both their Unicode and Punycode representations.
Yes. DNS Spy provides export functionality for your DNS records including current values and TTLs, making it easy to maintain documentation or compare your live DNS state against your intended configuration.
Join the teams who monitor their DNS infrastructure with DNS Spy — because the worst DNS changes are the ones you find out about from your customers.
Start Free Trial
Features
Resources