DNS is the phone book of the internet. When a user types your domain into their browser, DNS translates it to an IP address. If DNS fails, no user can reach your site — regardless of how healthy your servers are. DNS monitoring watches this critical layer and alerts you the moment something goes wrong.
How DNS Works (and How It Fails)
DNS resolution involves multiple steps, any of which can fail:
```
User types yoursite.com
  ↓
Browser checks local cache
  ↓ (cache miss)
Query sent to recursive resolver (ISP's DNS or 8.8.8.8)
  ↓ (resolver doesn't have it cached)
Recursive resolver queries root nameservers
  ↓
Root directs to .com TLD nameservers
  ↓
TLD directs to yoursite.com authoritative nameservers
  ↓
Authoritative nameserver returns IP address
  ↓
Recursive resolver returns IP to browser
  ↓
Browser connects to your server at that IP
```
DNS failures can occur at any step:
- Authoritative nameserver failures — Your registrar's or DNS provider's nameservers are down
- DNS record misconfiguration — Wrong IP address, missing records, typos
- Domain expiry — Domain registration lapses, all DNS stops working
- DNS propagation issues — Changes not yet visible from all resolvers
- DNSSEC validation failures — DNSSEC misconfiguration causes validation to fail
- DNS hijacking — Attackers modify your DNS records to redirect traffic
What DNS Monitoring Checks
DNS monitoring periodically queries your domain from multiple resolvers and checks:
Record resolution: Does yoursite.com resolve at all? If DNS returns NXDOMAIN (non-existent domain), something is seriously wrong.
IP address correctness: Does the resolved IP match what you expect? Unexpected IP changes can indicate DNS hijacking or misconfiguration.
Record type validation:
- A records: IPv4 address
- AAAA records: IPv6 address
- CNAME records: Canonical name aliases
- MX records: Mail server records
- TXT records: SPF, DKIM, domain verification
Response time: How long does DNS resolution take? Slow DNS resolution contributes to perceived site slowness even when the site itself is fast.
DNSSEC validation: If you use DNSSEC, monitor that validation succeeds. A DNSSEC misconfiguration can make your domain unresolvable for users with strict DNSSEC enforcement.
Types of DNS Incidents DNS Monitoring Catches
Accidental Record Deletion
A team member with DNS access accidentally deletes an A record during a routine cleanup. The site becomes inaccessible within minutes as DNS caches expire. Without monitoring, you find out from users.
DNS monitoring catches this within 1-5 minutes of the record disappearing.
Domain Expiry
Domains expire when registration fees aren't paid. Auto-renewal failures (credit card expired, email change, payment processor issues) cause domains to lapse. Once lapsed, all DNS stops working.
DNS monitoring catches domain expiry-related failures immediately. Combined with domain expiry monitoring (alerts 30, 14, 7 days before expiry), you can prevent this entirely.
DNS Hijacking
DNS hijacking occurs when an attacker modifies your DNS records — typically by compromising your domain registrar account or exploiting a vulnerability in the DNS chain. Your domain resolves to an IP address controlled by the attacker.
DNS monitoring that checks expected IP addresses detects hijacking immediately. Alert when the resolved IP changes unexpectedly.
Nameserver Failures
Your domain's nameservers are operated by your registrar or a dedicated DNS provider. These can experience outages. When nameservers are unreachable, DNS resolution fails globally.
DNS monitoring from multiple geographic locations detects nameserver failures quickly and distinguishes between a nameserver failure (fails globally) and a regional resolver issue (fails from specific locations).
Misconfiguration After Changes
DNS changes are error-prone. A typo in an IP address, a missing dot at the end of a CNAME record, or a wrong record type can break specific functionality. Monitoring DNS records after changes confirms they took effect correctly.
Configuring DNS Monitoring
In AzMonitor, DNS monitoring is a distinct monitor type:
```yaml
monitor_type: dns
domain: yoursite.com
record_type: A
expected_value: 203.0.113.42   # Your expected IP
check_interval: 5 minutes
alert_on:
  - resolution_failure
  - unexpected_ip_change
  - response_time > 500ms
locations:
  - us-east
  - eu-west
  - ap-southeast
```
For comprehensive DNS coverage, add monitors for:
- Main domain (A and AAAA records)
- www subdomain
- API subdomain
- Mail records (MX) if you operate email
DNS TTL and Propagation Monitoring
DNS records have a Time-To-Live (TTL) value that tells resolvers how long to cache the record. When you make a DNS change, the old value persists in caches for up to the TTL duration.
Common TTL values and their implications:
| TTL | Cache Duration | Use Case |
|-----|----------------|----------|
| 60 seconds | 1 minute | Dynamic IPs, frequent changes |
| 300 seconds | 5 minutes | Balanced responsiveness |
| 3600 seconds | 1 hour | Standard static hosting |
| 86400 seconds | 24 hours | Highly stable records |
Before a major DNS change: Lower your TTL to 60-300 seconds a few days before. This ensures the change propagates quickly if you need to roll back.
After a major DNS change: Monitor from multiple locations to verify propagation. Some resolvers are slow to pick up changes, and global propagation can take the full TTL duration.
DNS Monitoring for DNSSEC
DNSSEC adds cryptographic signatures to DNS records, preventing spoofing. But DNSSEC requires careful key management — an expired signature or a mishandled key rollover can make your domain completely unresolvable for users with DNSSEC-enforcing resolvers.
Monitor DNSSEC health by checking:
- DNSSEC validation succeeds from multiple resolvers
- RRSIG (record signature) records have sufficient validity remaining
- DS records in the parent zone match DNSKEY records in your zone
Most DNS monitoring tools support DNSSEC validation checks. Configure alerts 30 days before DNSSEC keys expire.
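The two DNSSEC checks from the list above, as an added example (not AzMonitor's code): the RRSIG expiration check with the 30-day warning, and the DS-to-DNSKEY match computed the way RFC 4034 defines it. The zone name, the DNSKEY fields and the 64 public-key bytes are constructed placeholders, not a real key.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample key for the zone; the public key bytes are a placeholder, not a real key.
ZONE = "yoursite.com."
DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13, "pubkey": bytes(range(64))}  # KSK, ECDSAP256SHA256

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return key["flags"].to_bytes(2, "big") + bytes([key["protocol"], key["algorithm"]]) + key["pubkey"]

def key_tag(key: dict) -> int:
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, key: dict, digest_type: int = 2) -> str:
    """RFC 4034 5.1.4: digest over owner name (wire form) + DNSKEY RDATA. 2 = SHA-256, 4 = SHA-384."""
    h = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(name_to_wire(owner) + dnskey_rdata(key)).hexdigest().upper()

def ds_matches(parent_ds: dict, owner: str, key: dict) -> bool:
    """True when the DS record published in the parent zone describes this DNSKEY."""
    return (parent_ds["key_tag"] == key_tag(key)
            and parent_ds["algorithm"] == key["algorithm"]
            and parent_ds["digest"].upper() == ds_digest(owner, key, parent_ds["digest_type"]))

def _ts(s: str) -> datetime:
    """RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_days_remaining(expiration: str, now: str) -> float:
    """Days of signature validity left at `now` (same timestamp format as the RRSIG)."""
    return (_ts(expiration) - _ts(now)).total_seconds() / 86400

def rrsig_alert(expiration: str, now: str, warn_days: int = 30) -> bool:
    """Alert when a signature expires within warn_days (the text suggests 30)."""
    return rrsig_days_remaining(expiration, now) < warn_days
```

Run `ds_matches` against the DS fetched from the parent zone and `rrsig_alert` against each RRSIG's expiration field; a mismatch or a short remaining validity is the condition to page on.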
Integrating DNS Monitoring with Incident Response
DNS monitoring alerts should include enough context for fast response:
- Which records are failing
- Expected value vs actual value (or no response)
- Geographic locations where the failure occurs
- Time since last successful resolution
This context allows an engineer to diagnose the issue type immediately — DNS hijacking (unexpected IP), nameserver failure (no response from all locations), or propagation issue (failing from some locations but not others).
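The multi-location triage described here and in the nameserver-failure section above, as an added example (not AzMonitor's code): it reduces probe results from several locations to one alert carrying the context listed, and classifies the incident the same way. The `Observation` type, the status names and the decision order are assumptions made for this example; the probe data in the test is constructed.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    """One probe of a DNS record from one monitoring location (constructed sample data)."""
    location: str
    status: str            # "ok", "nxdomain", "timeout" or "servfail"
    answers: tuple = ()    # values returned, empty when nothing was answered
    rtt_ms: float = 0.0    # resolution time as measured by the probe

def classify(record: str, expected: set, obs: list, max_rtt_ms: float = 500.0) -> dict:
    """Reduce multi-location probe results to one alert with the context an
    on-call engineer needs: failing record, expected vs actual, affected locations.
    Decision order (hypothetical, chosen for this example):
      all locations get no response       -> nameserver_failure
      all locations get NXDOMAIN          -> record_missing
      any answer outside the expected set -> unexpected_value (hijack or misconfig)
      some locations fail, others answer  -> regional_resolver_issue (or propagation)
      answers fine but a probe is slow    -> slow_resolution
    """
    no_reply = [o for o in obs if o.status in ("timeout", "servfail")]
    nxdomain = [o for o in obs if o.status == "nxdomain"]
    answered = [o for o in obs if o.status == "ok"]
    wrong = [o for o in answered if not set(o.answers) <= expected]
    slow = [o for o in answered if o.rtt_ms > max_rtt_ms]

    if obs and len(no_reply) == len(obs):
        incident, hit = "nameserver_failure", no_reply
    elif obs and len(nxdomain) == len(obs):
        incident, hit = "record_missing", nxdomain
    elif wrong:
        incident, hit = "unexpected_value", wrong
    elif no_reply or nxdomain:
        incident, hit = "regional_resolver_issue", no_reply + nxdomain
    elif slow:
        incident, hit = "slow_resolution", slow
    else:
        incident, hit = "ok", []

    return {
        "incident": incident,
        "record": record,
        "expected": sorted(expected),
        # per-location actual value, or the failure reason when there was no answer
        "actual": {o.location: list(o.answers) or o.status for o in obs},
        "locations": [o.location for o in hit],
    }
```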
Add DNS monitoring to your AzMonitor account alongside your HTTP checks for complete infrastructure visibility. DNS and HTTP monitoring together catch the full range of failure modes that prevent users from reaching your site.