Features
Resources
Feature
Your domain's registration data tells a story. Who owns it, who manages it, when it expires, and what's allowed to happen to it. DNS Spy watches every chapter — and alerts you the moment the story changes.
No credit card required · 7-day trial · Full feature access
Domain hijacking doesn't start with a DNS change. It starts with a WHOIS change — a registrar transfer, a removed transfer lock, a modified registrant contact. By the time DNS records are altered, the attacker already controls the domain. If you're only monitoring DNS, you're catching hijacks after they've succeeded.
The other threat is quieter but equally damaging: domain expiration. A domain that lapses doesn't just take your website offline. It breaks email delivery, invalidates SSL certificates, disrupts API integrations, and — worst case — gets re-registered by someone else who can now impersonate your organization. Major companies have lost domains this way. It happens more often than anyone admits.
DNS Spy monitors both threats from a single dashboard: continuous WHOIS change detection to catch unauthorized modifications, and tiered expiration alerts to make sure nothing quietly lapses.
DNS Spy periodically queries RDAP and WHOIS servers for your domain's full registration data. RDAP is used as the primary source for structured, reliable data — with traditional WHOIS as a fallback for TLDs and registrars that don't yet support RDAP.
Each query result is compared against the stored record. When the registrar reports a new update timestamp, DNS Spy stores a new historical record — creating a complete change timeline for your domain.
WHOIS changes trigger instant notifications via email, Slack, Discord, or PagerDuty. Expiration dates feed into the Security Center with tiered alerts at 90, 30, and 7 days.
DNS Spy doesn't just check if the registrar changed. It monitors every field in the WHOIS record — contacts, dates, status flags, nameservers — and alerts you when any of them change.
Tracks the full lifecycle. Expiration date changes can indicate renewal or transfer. Update date changes trigger new WHOIS records.
A registrar change is one of the strongest signals of a domain transfer — authorized or not.
The domain owner record. Changes here can indicate a sale, transfer, or hijacking.
The administrative contact often has authority to make changes. Unauthorized modifications are a red flag.
Changes to technical contacts can precede DNS infrastructure modifications. Billing changes may indicate account takeover.
Critical for incident response — this is who you contact if the domain is being misused.
Status flag changes are high-signal events. Removal of transfer locks or addition of serverHold requires immediate investigation.
Cross-referenced with DNS monitoring. A nameserver change in WHOIS confirms (or conflicts with) what DNS queries show.
Most tools show you a WHOIS lookup. DNS Spy monitors WHOIS continuously, maintains a full history, and integrates expiration tracking directly into your security workflow.
DNS Spy periodically queries RDAP and WHOIS servers for your domain's registration data and compares each result against the stored record. When the registrar reports an update, a new historical record is created and you're notified immediately.
Unlike tools that show you a snapshot, DNS Spy maintains a complete history of every WHOIS record for every domain. You can trace exactly when the registrar changed, when the expiration date was extended, or when a contact was modified — and compare any two records side by side.
A single view showing every upcoming domain and SSL certificate expiration across your entire portfolio — sorted by urgency, filterable by type, with direct links to take action.
The Expiration Calendar combines domain registration expiration (from WHOIS) and SSL certificate expiration into one prioritized timeline. Stats at the top show you at a glance how many items are expired, expiring within 7 days, 30 days, and 90 days — split by domains and certificates.
Domain and SSL certificate expirations feed directly into the Security Center with checks at 90, 30, and 7 days — plus a critical alert for items already expired. Each tier has appropriate severity so you can triage by urgency.
The 90-day check gives you time to plan. The 30-day check is your action window. The 7-day check is urgent. And the expired check means something fell through the cracks and needs immediate attention. This multi-tier approach ensures that no domain or certificate quietly lapses.
DNS Spy tracks EPP status codes — the flags that control what can be done to your domain. Removal of clientTransferProhibited, addition of serverHold, or a pendingDelete status are all events that demand attention.
These status flags are the gatekeepers of your domain. clientTransferProhibited prevents unauthorized transfers. serverHold means the registry has suspended the domain. pendingDelete means the domain is about to be released for re-registration. DNS Spy watches all of them and includes status changes in WHOIS change notifications.
Every WHOIS change creates a new historical record with all fields preserved. Your domain's registration history becomes a fully auditable timeline — from the day you added it to DNS Spy.
Need to know when the registrar changed six months ago? Want to verify that the expiration date was renewed as expected? Need to trace a registrant contact change for a compliance audit? The full history is there, timestamped and searchable.
DNS Spy uses RDAP (Registration Data Access Protocol) as its primary data source — the modern, ICANN-mandated standard that returns structured, consistent JSON data — and falls back to traditional WHOIS when RDAP isn't available for a given TLD or registrar.
RDAP returns structured JSON with consistent field naming, proper jCard contact formatting, and support for internationalized data. For TLDs and registrars that don't yet support RDAP, DNS Spy falls back to traditional WHOIS lookups so you get coverage across your entire portfolio regardless of registrar. The result: more accurate and more complete data than tools that rely on a single protocol.
DNS Spy monitors both domain registration and SSL certificate expiration through the Security Center. Four severity tiers give your team multiple windows to act — from comfortable planning to emergency intervention.
Domain or certificate has already expired. Immediate action required — expired domains can be re-registered by attackers.
Expiring within one week. If renewal hasn't been initiated, this is an emergency.
Expiring within one month. This is your action window — renew now to avoid last-minute scrambles.
Expiring within three months. Good time to plan, budget, and schedule renewals.
Expiration Calendar Preview
GoDaddy
Let's Encrypt
Namecheap
DigiCert
Cloudflare Registrar
Sorted by urgency · Filterable by type
Not every WHOIS change is malicious — but some are high-signal events that demand immediate investigation. DNS Spy catches all of them.
Your domain moved to a different registrar. If you didn't initiate this, it's a potential unauthorized transfer — act immediately.
clientTransferProhibited was removed — the domain can now be transferred. This often precedes domain theft.
The domain's registered owner was modified. This can indicate a sale, an internal transfer, or an account compromise at the registrar.
The registry has suspended your domain — it won't resolve. This typically means a legal dispute, ICANN compliance issue, or abuse report was filed.
The nameservers listed in WHOIS were updated. Cross-reference with DNS monitoring to confirm the change is consistent and expected.
The domain's expiration date moved — extended (likely a renewal) or shortened (possible transfer or registrar error). Both are worth confirming.
When you manage domains across dozens of clients with different registrars, expiration tracking becomes a nightmare. DNS Spy gives you a single Expiration Calendar across every client's domains and SSL certificates — no more spreadsheets, no more missed renewals, no more "we forgot to renew that domain" conversations.
A registrar change, the removal of transfer locks, or a registrant contact update are all indicators of potential domain hijacking. DNS Spy monitors WHOIS data continuously and alerts you when these high-signal events occur — giving you time to investigate before the attacker leverages the compromised domain.
An expired domain doesn't just take your website offline — it breaks email delivery, invalidates SSL certificates, and potentially exposes your organization to domain takeover. DNS Spy's tiered alerts at 90, 30, and 7 days give your team multiple chances to catch and renew before disaster strikes.
Many compliance frameworks require documented proof that domain registrations are maintained and that changes are tracked. DNS Spy's WHOIS history provides an automated audit trail of every registrar change, ownership update, and expiration extension — exactly what auditors ask for.
8
WHOIS data categories monitored
4
Expiration alert tiers
RDAP + WHOIS
Dual-protocol coverage
Full
WHOIS change history
Add your domains and DNS Spy immediately starts tracking WHOIS data, expiration dates, and registration changes. No configuration required.
No credit card required · 7-day trial · Full feature access
Monitor 60+ record types across all authoritative nameservers.
40+ automated security checks with weighted scoring.
Look-alike domain detection and brand protection.
Certificate discovery, expiration tracking, and TLS auditing.
Organize domains by client, environment, or business unit.
Email, Slack, Discord & PagerDuty alert channels.
Connect Claude & AI agents to your DNS monitoring.
DNS Spy monitors comprehensive WHOIS data via RDAP and traditional WHOIS lookups, including: domain registration, update, and expiration dates; registrar name and IANA ID; registrant, administrative, technical, billing, and abuse contact information; domain status flags (clientTransferProhibited, serverDeleteProhibited, etc.); and the authoritative nameservers listed in the WHOIS record. When any of this data changes, DNS Spy creates a new historical record and sends an alert.
DNS Spy periodically queries RDAP and WHOIS servers for your domain's registration data. Each query result is compared against the previous record by checking the domain_updated_at timestamp from the registrar. When the registrar reports a new update timestamp, DNS Spy stores the new WHOIS record as a separate historical entry and fires a notification. This means you get a complete history of every WHOIS change, not just the current state.
WHOIS is the legacy protocol for querying domain registration data — it returns unstructured text that varies by registrar. RDAP (Registration Data Access Protocol) is the modern replacement mandated by ICANN, returning structured JSON with consistent formatting across all registrars. DNS Spy uses RDAP as its primary data source for more reliable parsing and better contact information extraction, and falls back to traditional WHOIS when RDAP data isn't available for a given TLD or registrar.
DNS Spy tracks the domain_expiry_at date from each WHOIS record and runs Security Center checks at multiple intervals: 90 days, 30 days, and 7 days before expiration, plus a check for already-expired domains. When a domain enters any of these windows, it appears in your Expiration Calendar and triggers a Security Center alert. This gives your team multiple opportunities to renew before a domain lapses.
Yes. DNS Spy monitors SSL certificate expiration alongside domain expiration in a unified Expiration Calendar. SSL certificates are checked at the same intervals — 90, 30, and 7 days — with separate Security Center checks for each tier. The calendar view shows both domain and SSL expirations sorted by urgency, with filtering by type.
WHOIS changes can indicate several security-critical events: unauthorized domain transfers (registrar or nameserver changes), domain hijacking (registrant contact changes), social engineering of registrar support (status flag changes), and preparation for domain expiration attacks. By monitoring WHOIS data continuously, DNS Spy catches these events as they happen — not weeks later when the damage is visible.
DNS Spy tracks all EPP (Extensible Provisioning Protocol) domain status flags reported via RDAP and WHOIS, including: clientTransferProhibited, clientDeleteProhibited, clientUpdateProhibited, serverTransferProhibited, serverDeleteProhibited, serverUpdateProhibited, clientHold, serverHold, pendingDelete, pendingTransfer, and others. Changes to these flags are significant security events — for example, removal of clientTransferProhibited could indicate preparation for an unauthorized domain transfer.
Yes. DNS Spy maintains a complete historical record of every WHOIS change for your domains. Each time the registrar reports an update, a new record is stored with all fields — you can compare any two records side by side to see exactly what changed. This creates a full audit trail of registrar changes, contact updates, and status flag modifications.
WHOIS change notifications are delivered through your configured notification channels: email, Slack, Discord, or PagerDuty. Each notification includes the domain name, registrar information, expiration date, and a summary of what changed. You can configure which notification types you want to receive per channel.
When a domain expires, DNS Spy's Security Center flags it with a critical-severity "Domain Expired" check. The Expiration Calendar shows it with negative days remaining. Expired domains are particularly dangerous because they can be re-registered by attackers to intercept email, serve malicious content, or impersonate your organization. DNS Spy continues monitoring expired domains so you know if and when they are re-registered.
WHOIS changes are the earliest signal of domain hijacking — and expiration is the most preventable cause of downtime. Start monitoring both today.
Start Free Trial
Features
Resources