DNS Monitoring Explained: Catch Propagation Issues Before Users Do
DNS is the invisible foundation of the internet. Learn how DNS monitoring works, what issues it catches, and how to set it up for your domains.
DNS is the invisible infrastructure that makes everything work. When it fails, nothing works — and the symptoms are confusing. Users report “the site is down” but your servers are healthy. Pages load for some users but not others. Email stops being delivered but your mail server is fine.
DNS issues are notoriously difficult to diagnose because the symptoms look like something else entirely. DNS monitoring catches these problems at the source.
How DNS Works (Quick Refresher)
When a user types example.com in their browser:
- Their device checks its local DNS cache
- If not cached, it queries their ISP’s recursive resolver
- The resolver queries root nameservers for the .com TLD
- Root servers direct to .com TLD nameservers
- TLD nameservers direct to your domain’s authoritative nameservers
- Your nameservers return the IP address for example.com
- The browser connects to that IP address
This happens in milliseconds, billions of times per day, and almost always works. But when it does not, the failure modes are subtle and distributed.
What Can Go Wrong
Accidental Record Changes
Someone on your team changes a DNS record and makes a typo. Or they delete a record they thought was unused. The change propagates worldwide within minutes to hours, and suddenly some users cannot reach your service.
Propagation Failures
After a DNS change, the new records need to propagate to DNS resolvers worldwide. This can take anywhere from minutes to 48 hours. During propagation:
- Some users see the old records
- Some users see the new records
- Some users see no records at all (if a record was deleted and re-created)
Domain Expiration
Domains expire if not renewed. When a domain expires:
- DNS resolution stops working
- Your website, email, and all services on that domain go offline
- The domain may enter a grace period, then become available for anyone to register
Major companies have lost domains to expiration. It is embarrassing and preventable.
Nameserver Failures
If your authoritative nameservers go down, no one can resolve your domain. This is why most DNS providers offer redundant nameservers, but misconfiguration can negate this redundancy.
DNS Hijacking and Poisoning
Malicious actors can:
- Redirect your domain to their servers
- Inject false DNS records
- Intercept traffic through BGP hijacking
DNS monitoring detects when your records change unexpectedly, which is often the first sign of a compromise.
TTL-Related Issues
TTL (Time To Live) tells resolvers how long to cache a record. If you set a TTL of 86400 (24 hours) and then need to make an emergency change, the old record will persist for up to 24 hours across the internet.
What DNS Monitoring Checks
Record Value Validation
Monitor that your DNS records return the expected values:
| Record Type | What It Does | What to Check |
|---|---|---|
| A | Maps domain to IPv4 address | Correct IP address |
| AAAA | Maps domain to IPv6 address | Correct IPv6 address |
| CNAME | Creates an alias to another domain | Correct target domain |
| MX | Routes email to mail servers | Correct mail server and priority |
| TXT | Stores text data (SPF, DKIM, verification) | Expected text content |
| NS | Delegates to nameservers | Correct nameserver set |
| SRV | Service location records | Correct service endpoints |
Response Time
DNS resolution should be fast (under 100ms for cached queries, under 500ms for uncached). Slow DNS resolution adds latency to every user request.
Record Existence
Verify that critical records exist. A deleted A record is not a “changed” record — it is an absent one, and some monitoring tools miss this distinction.
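An added example (not StatusApp's code and not part of the original article) of the value and existence checks described above: it compares each probe's answer with the expected record and reports an absent record as `missing` rather than `changed`. The `Observation` type, the probe names and the sample answers are constructed for illustration, and the per-probe summary goes slightly beyond the text by also flagging disagreement between locations.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    vantage: str      # hypothetical probe location name
    rcode: str        # "NOERROR", "NXDOMAIN", "SERVFAIL", ...
    answers: tuple    # rdata strings as returned; empty on NODATA

def normalize(rtype, rdata):
    """Canonicalize rdata so cosmetic differences do not raise alerts."""
    rdata = rdata.strip()
    if rtype in ("A", "AAAA"):
        return str(ipaddress.ip_address(rdata))
    if rtype == "MX":
        prio, host = rdata.split()
        return f"{int(prio)} {host.lower().rstrip('.')}"
    if rtype == "TXT":
        return rdata.strip('"')               # TXT content is case-sensitive
    return rdata.lower().rstrip(".")          # CNAME, NS: hostnames

def classify(rtype, expected, obs):
    """Return 'ok', 'changed', 'missing' or 'resolver_error' for one probe."""
    if obs.rcode not in ("NOERROR", "NXDOMAIN"):
        return "resolver_error"
    if obs.rcode == "NXDOMAIN" or not obs.answers:
        return "missing"                      # absent, not merely different
    want = {normalize(rtype, r) for r in expected}
    got = {normalize(rtype, r) for r in obs.answers}
    return "ok" if got == want else "changed"

def check_record(rtype, expected, observations):
    """Classify every probe, then summarize the record's overall state."""
    per_probe = {o.vantage: classify(rtype, expected, o) for o in observations}
    states = set(per_probe.values())
    if states == {"ok"}:
        overall = "ok"
    elif "ok" in states:
        overall = "inconsistent"              # probes disagree, e.g. mid-propagation
    else:
        overall = "failing"
    return overall, per_probe

# Constructed sample: three probes resolving the A record for example.com.
SAMPLE = [
    Observation("us-east", "NOERROR", ("203.0.113.10",)),
    Observation("eu-west", "NOERROR", ("198.51.100.7",)),   # unexpected value
    Observation("ap-south", "NOERROR", ()),                 # NODATA: record absent
]
```

Calling `check_record("A", ["203.0.113.10"], SAMPLE)` returns `inconsistent` with one probe each in the `ok`, `changed` and `missing` states.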
DNSSEC Validation
If you use DNSSEC, monitor that signatures are valid and chains of trust are intact. Broken DNSSEC can make your domain unreachable for users whose resolvers enforce DNSSEC validation.
Setting Up DNS Monitoring
Step 1: Identify Critical Records
List every DNS record that affects your service:
example.com A → 203.0.113.10
www.example.com CNAME → example.com
api.example.com A → 203.0.113.20
mail.example.com MX → mail.example.com (priority 10)
example.com TXT → "v=spf1 include:_spf.google.com ~all"
example.com NS → ns1.dnsprovider.com, ns2.dnsprovider.com
Step 2: Create Monitors
In StatusApp, create a DNS monitor for each critical record:
{
  "type": "dns",
  "name": "Main Domain A Record",
  "hostname": "example.com",
  "recordType": "A",
  "expectedValue": "203.0.113.10",
  "interval": 300
}
Step 3: Add Domain Expiry Monitoring
Separately from DNS record monitoring, monitor your domain’s WHOIS expiration date:
{
  "type": "domain",
  "name": "Main Domain Expiry",
  "domain": "example.com",
  "alertDaysBeforeExpiry": [90, 60, 30, 14, 7]
}
Step 4: Configure Alerts
DNS issues require immediate attention. Route alerts to your infrastructure team via Slack or PagerDuty.
DNS Monitoring for Common Scenarios
After a DNS Migration
When moving DNS providers (e.g., from GoDaddy to Cloudflare):
- Set up DNS monitors for all records before the migration
- Perform the migration
- Monitors will immediately detect if any records are missing or incorrect in the new provider
- Watch for 48 hours to catch propagation-related issues
After a Server Migration
When moving to new servers with new IP addresses:
- Update DNS monitors with the new expected IP addresses
- Lower TTLs to 300 seconds (5 minutes) a few days before the migration
- Update A/AAAA records
- DNS monitors verify the new records are serving correctly
- After propagation is complete, raise TTLs back to normal values
Email Deliverability
Email deliverability depends on correct DNS:
- MX records: Route email to correct mail servers
- SPF (TXT record): Authorize sending servers
- DKIM (TXT record): Cryptographic email signing
- DMARC (TXT record): Policy for handling unauthorized email
Monitor all four. A missing SPF record will not break your website, but it will send your emails to spam folders.
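An added example (not StatusApp's code and not part of the original article) of one audit covering all four mail-related record kinds. It goes a little beyond "missing" by also flagging duplicate SPF or DMARC records and an empty DKIM key; the `lookups` mapping, the selector `sel1` and the sample records are constructed for illustration.

```python
def parse_tags(record):
    """Split a 'k=v; k=v' tag list (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def txt_records(lookups, name, prefix=""):
    """TXT strings published at `name` that start with `prefix` (case-insensitive)."""
    found = [t.strip().strip('"') for t in lookups.get((name, "TXT"), [])]
    return [t for t in found if t.lower().startswith(prefix.lower())]

def audit_mail_dns(domain, dkim_selector, lookups):
    """Return findings; `lookups` maps (name, rtype) -> rdata list, absent key = no record."""
    findings = []
    if not lookups.get((domain, "MX")):
        findings.append("MX missing")
    spf = [t for t in txt_records(lookups, domain, "v=spf1")
           if t[6:7] in ("", " ")]            # exact version tag, not e.g. "v=spf10"
    if not spf:
        findings.append("SPF missing")
    elif len(spf) > 1:
        findings.append("SPF duplicated")     # receivers treat this as a permanent error
    dkim = txt_records(lookups, f"{dkim_selector}._domainkey.{domain}")
    if not dkim:
        findings.append("DKIM missing")
    elif not parse_tags(dkim[0]).get("p"):
        findings.append("DKIM key empty or revoked")
    dmarc = txt_records(lookups, f"_dmarc.{domain}", "v=DMARC1")
    if not dmarc:
        findings.append("DMARC missing")
    elif len(dmarc) > 1:
        findings.append("DMARC duplicated")
    elif parse_tags(dmarc[0]).get("p", "").lower() not in ("none", "quarantine", "reject"):
        findings.append("DMARC policy invalid")
    return findings

# Constructed sample answers: two SPF records, an empty DKIM key, no DMARC record.
SAMPLE = {
    ("example.com", "MX"): ["10 mail.example.com."],
    ("example.com", "TXT"): ['"v=spf1 include:_spf.google.com ~all"', '"v=spf1 -all"'],
    ("sel1._domainkey.example.com", "TXT"): ['"v=DKIM1; k=rsa; p="'],
}
```

DKIM records live under a sender-chosen selector, so the monitor has to be told which selector names are in use.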
Best Practices
- Monitor from multiple regions: DNS can be inconsistent across geographic regions
- Set appropriate check intervals: Every 5 minutes for critical records, every 15-30 minutes for less critical ones
- Monitor both domain and subdomains: api.example.com and www.example.com can have different records
- Track DNS alongside uptime: A website outage might be a DNS issue in disguise
- Document your DNS records: Maintain a record of what each DNS entry does and why it exists
- Use DNSSEC: Enable it and monitor that it is working correctly
DNS Monitoring as Part of Your Strategy
DNS monitoring is not a replacement for other monitoring types — it is a complement. When your website monitor reports the site is down, a concurrent DNS monitor failure tells you immediately that it is a DNS issue, not a server issue. This dramatically reduces your time to diagnosis.
StatusApp supports DNS monitoring alongside website, API, SSL, server, and seven other monitor types, giving you a comprehensive view of your infrastructure health from a single dashboard.
Monitor your DNS records and catch issues before they impact users. Start with StatusApp free — DNS monitoring included on all plans.