DNS Change & Drift Monitoring
DNS is the foundation of your external attack surface. A single unauthorized change can redirect traffic, intercept email, or enable subdomain takeover. DriftAlarm monitors every DNS record across your domains and alerts you the moment something drifts.
Why DNS Changes Signal Security Risks
DNS is the most foundational and most overlooked layer of your external attack surface. Every interaction with your organization — website visits, email delivery, API calls, VPN connections — begins with a DNS lookup. When DNS records change without authorization, the consequences can be severe: website visitors redirected to phishing pages, email silently forwarded to attacker-controlled servers, or API traffic intercepted in real time. Unlike a server vulnerability that affects one system, a DNS hijack can compromise your entire domain.
The challenge is that DNS changes happen frequently for legitimate reasons. DevOps teams update A records when migrating servers. Marketing adds CNAME records for campaign tracking. IT adjusts MX records during email provider transitions. TXT records are modified for SPF, DKIM, and domain verification. In this constant flow of legitimate changes, an unauthorized modification — whether from a compromised registrar account, a social engineering attack on your DNS provider, or a misconfiguration by an overprivileged administrator — can easily go unnoticed.
This is exactly the problem that drift detection was built to solve, and the reason for DriftAlarm's name. Drift is the gap between what your infrastructure should look like and what it actually looks like. When applied to DNS, drift detection continuously compares your current DNS records against an established baseline and flags any deviation. A new A record, a changed MX record, a removed TXT record, an added CNAME: every modification is detected, recorded, and reported. Your team decides which changes are legitimate and which require investigation.
Traditional DNS monitoring approaches — checking registrar dashboards manually, reviewing DNS zones during audits, or relying on registrar notification emails — are too slow and too infrequent to catch real threats. Attackers who compromise DNS know they have a limited window before the change is noticed, so they act fast. Detecting a DNS change within hours instead of days or weeks is the difference between catching a hijack in progress and discovering it after the damage is done.
How DriftAlarm Detects DNS Drift
DriftAlarm queries all critical DNS record types for your domains and subdomains: A records (IPv4), AAAA records (IPv6), MX records (email routing), NS records (nameserver delegation), CNAME records (aliases), and TXT records (SPF, DKIM, domain verification). Records are collected by querying DNS directly, so the snapshot reflects what resolvers actually return rather than what a provider dashboard shows; registration-level data (registrar, expiry, delegation as recorded by the registry) comes from RDAP, described below.
On the initial scan, DriftAlarm captures a complete snapshot of your DNS configuration as your baseline. This includes every record type, its value, TTL, and associated metadata. The baseline represents the known-good state of your DNS — the reference point against which all future changes are measured.
Each subsequent scan compares the current DNS state against your baseline using DriftAlarm's drift detection engine. The engine applies 32 built-in rules across 7 rule packs to identify meaningful changes: new records added, existing records modified, records removed, nameserver changes, MX record reordering, and TXT record content modifications. Each detected change generates a drift event with full context.
When DNS drift is detected, DriftAlarm sends notifications through your configured channels — Slack and email are supported. Alerts include the specific record that changed, its previous and current values, when the change was detected, and the assessed risk severity. Critical changes like nameserver modifications or MX record redirections are flagged for immediate attention.
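The four steps above (collect, baseline, compare, alert) reduce to a set comparison per owner name and record type. The following is an added example of that comparison, not DriftAlarm's engine or rule packs: the snapshot format, the severity table, and the two zone listings are all constructed for the example, and a real deployment would fill the snapshots from a resolver library instead of the inline text.

```python
"""Baseline-vs-current DNS drift detection.

Added example; this is not DriftAlarm's engine. A snapshot maps
(owner name, record type) to the set of RDATA strings seen for it. Real
snapshots would be gathered with a resolver library such as dnspython; the
two zone listings below are constructed so the example runs offline.
"""
from dataclasses import dataclass

# Severity per record type. NS and MX changes can redirect the whole domain
# or its email, so they are treated as critical. Assumed policy for this
# example, not DriftAlarm's rule packs.
SEVERITY = {"NS": "critical", "MX": "critical", "A": "high", "AAAA": "high",
            "CNAME": "high", "TXT": "medium"}


@dataclass(frozen=True)
class DriftEvent:
    name: str
    rtype: str
    change: str        # "added", "removed" or "modified"
    before: tuple      # RDATA values in the baseline (sorted)
    after: tuple       # RDATA values now (sorted)
    severity: str


def parse_snapshot(listing):
    """Parse 'owner TYPE rdata' lines into {(owner, type): frozenset(rdata)}."""
    records = {}
    for line in listing.strip().splitlines():
        owner, rtype, rdata = line.split(None, 2)
        records.setdefault((owner.lower(), rtype.upper()), set()).add(rdata)
    return {key: frozenset(vals) for key, vals in records.items()}


def detect_drift(baseline, current):
    """Return one DriftEvent per (owner, type) whose RDATA set differs."""
    events = []
    for key in sorted(set(baseline) | set(current)):
        before = baseline.get(key, frozenset())
        after = current.get(key, frozenset())
        if before == after:
            continue
        change = "added" if not before else "removed" if not after else "modified"
        owner, rtype = key
        events.append(DriftEvent(owner, rtype, change, tuple(sorted(before)),
                                 tuple(sorted(after)), SEVERITY.get(rtype, "low")))
    return events


def format_alert(event):
    """One-line alert carrying what an on-call engineer needs to triage."""
    return (f"[{event.severity.upper()}] {event.rtype} {event.name} {event.change}: "
            f"{list(event.before)} -> {list(event.after)}")


# Constructed baseline and "current" listings (not real DNS data).
BASELINE_LISTING = """
example.com.      NS    ns1.example-dns.net.
example.com.      NS    ns2.example-dns.net.
example.com.      A     203.0.113.10
example.com.      MX    10 mail.example.com.
example.com.      TXT   "v=spf1 mx -all"
www.example.com.  CNAME example.com.
"""

CURRENT_LISTING = """
example.com.      NS    ns1.rogue-dns.example.
example.com.      NS    ns2.rogue-dns.example.
example.com.      A     203.0.113.10
example.com.      MX    10 mail.example.com.
example.com.      MX    5 mx.rogue-mail.example.
example.com.      TXT   "v=spf1 mx -all"
www.example.com.  CNAME example.com.
shop.example.com. CNAME shop-example.herokuapp.com.
"""


def run_example():
    """Diff the two constructed snapshots and print an alert line per event."""
    events = detect_drift(parse_snapshot(BASELINE_LISTING),
                          parse_snapshot(CURRENT_LISTING))
    for event in events:
        print(format_alert(event))
    return events


if __name__ == "__main__":
    run_example()
```

Comparing whole RDATA sets per (owner, type) is what makes a second MX with a lower preference number show up as a modification rather than being lost among unchanged records; an alert that only said "MX changed" without the before and after values would force the responder to look the record up again under time pressure.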
Claude AI analyzes each DNS drift event in context, considering the type of change, the affected domain, and potential security implications. The AI provides a risk assessment and recommended response: Is this an expected change from a known migration? Does the new MX record point to a legitimate email provider? Could this CNAME modification enable a subdomain takeover? This analysis helps your team triage alerts efficiently.
What You Get
Full DNS Record Monitoring
Track every DNS record type that matters for security: A and AAAA records for IP resolution, MX records for email routing, NS records for nameserver delegation, CNAME records for subdomain aliasing, and TXT records for SPF, DKIM, and domain verification. DriftAlarm captures the complete DNS configuration for each domain and subdomain, giving you a single source of truth for your DNS attack surface.
Drift Detection Built for DNS
DriftAlarm's name comes from its core capability: detecting drift in your external infrastructure. For DNS, this means tracking every record change across every domain with precision. The drift detection engine does not just tell you that something changed — it tells you what changed, from what value to what value, when the change was first detected, and how that change affects your security posture. This is continuous, automated DNS auditing.
DNS Hijacking Detection
Detect the indicators of DNS hijacking attacks: unexpected changes to NS records that could redirect your entire domain, modifications to A records that point traffic to attacker-controlled IPs, and MX record changes that reroute email. DriftAlarm's drift detection catches these changes at the DNS level, often before the downstream effects (phishing, email interception) are noticed by users.
Email Security Record Monitoring
Monitor the DNS records that protect your email: the SPF record (a TXT record at the domain apex) that defines authorized sending servers, DKIM selector records (TXT records at <selector>._domainkey.<domain>) that publish the public keys receivers use to verify message signatures, and the DMARC record (a TXT record at _dmarc.<domain>) that sets the policy for mail failing SPF and DKIM alignment. Unauthorized changes to these records can weaken your email security posture, enabling spoofing and phishing attacks that appear to come from your domain: an added SPF mechanism authorizes a new sender, a replaced DKIM key lets an attacker sign as you, and a DMARC policy downgraded from reject to none tells receivers to deliver forgeries anyway.
Dangling DNS and Takeover Prevention
Identify CNAME records that point to resources that no longer exist: a deprovisioned Heroku app, a deleted S3 bucket, or a terminated Azure App Service. These dangling records are the primary mechanism for subdomain takeover attacks, because the CNAME still delegates your subdomain to the provider, and whoever claims the free resource name there serves content under your hostname. DriftAlarm detects when a CNAME target stops resolving and flags the record for cleanup before an attacker claims the orphaned resource. One caveat: some providers (Heroku and S3 among them) keep answering DNS for names nobody owns and only reveal the gap in an HTTP "no such app" or "NoSuchBucket" response, so a DNS-level check should hand those targets to a provider fingerprint check rather than mark them clean.
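The following added example (not DriftAlarm's code) walks a CNAME chain and sorts each alias into the cases that matter: the target exists, the target no longer exists, or the target exists on a platform that answers DNS for unclaimed names and therefore needs an HTTP check. The resolver is injected so a dnspython-backed one can be dropped in; `FAKE_ZONE`, the provider suffix list and all hostnames below are constructed for the example.

```python
"""Dangling-CNAME and takeover-candidate check.

Added example, not DriftAlarm code. `resolve(name, rtype)` returns the list of
RDATA strings for a name, or raises NXDOMAIN when the name does not exist at
all. A dnspython-backed resolver can be passed in; FAKE_ZONE below is a
constructed stand-in so the check runs offline.
"""


class NXDOMAIN(Exception):
    """The queried name does not exist (DNS RCODE 3)."""


# Hosting platforms on which an unclaimed hostname can be registered by anyone.
# Assumed, illustrative list; a production list is larger and changes as
# providers tighten (or loosen) their claim checks.
TAKEOVER_PRONE_SUFFIXES = (".herokuapp.com.", ".s3.amazonaws.com.",
                           ".azurewebsites.net.", ".github.io.")


def follow_cname_chain(owner, resolve, max_depth=8):
    """Follow CNAMEs from owner. Returns (chain, status) where status is
    'resolves', 'nxdomain' or 'loop' (cyclic or longer than max_depth)."""
    chain = [owner]
    for _ in range(max_depth):
        try:
            targets = resolve(chain[-1], "CNAME")
        except NXDOMAIN:
            return chain, "nxdomain"
        if not targets:          # name exists and is not an alias: end of chain
            return chain, "resolves"
        if targets[0] in chain:
            return chain + [targets[0]], "loop"
        chain.append(targets[0])
    return chain, "loop"


def classify_cname(owner, resolve):
    """Verdict for one aliased name: 'ok', 'dangling', 'takeover_candidate',
    'verify_provider_fingerprint' or 'loop'."""
    chain, status = follow_cname_chain(owner, resolve)
    target = chain[-1].lower()
    on_prone_provider = target.endswith(TAKEOVER_PRONE_SUFFIXES)
    if status == "loop":
        return "loop"
    if status == "nxdomain":
        return "takeover_candidate" if on_prone_provider else "dangling"
    # Some platforms (Heroku, S3) answer DNS for names nobody owns and serve a
    # "no such app" / "NoSuchBucket" page instead; DNS alone cannot settle
    # those, so hand them to an HTTP fingerprint check.
    return "verify_provider_fingerprint" if on_prone_provider else "ok"


def audit_cnames(owners, resolve):
    """Verdict per owner name."""
    return {owner: classify_cname(owner, resolve) for owner in owners}


# Constructed zone data (not real records). Names absent from the table do
# not exist anywhere, i.e. they return NXDOMAIN.
FAKE_ZONE = {
    ("www.example.com.", "CNAME"): ["example.com."],
    ("example.com.", "A"): ["203.0.113.10"],
    ("blog.example.com.", "CNAME"): ["blog.example.net."],
    ("blog.example.net.", "A"): ["198.51.100.5"],
    ("shop.example.com.", "CNAME"): ["shop-example.azurewebsites.net."],
    ("old.example.com.", "CNAME"): ["old-site.example.org."],
    ("app.example.com.", "CNAME"): ["app-example.herokuapp.com."],
    ("app-example.herokuapp.com.", "A"): ["192.0.2.7"],
}


def fake_resolve(name, rtype):
    """Offline stand-in for a resolver, backed by FAKE_ZONE."""
    known = {owner for owner, _ in FAKE_ZONE}
    if name not in known:
        raise NXDOMAIN(name)
    return FAKE_ZONE.get((name, rtype), [])


if __name__ == "__main__":
    owners = sorted({o for o, t in FAKE_ZONE
                     if t == "CNAME" and o.endswith(".example.com.")})
    for owner, verdict in audit_cnames(owners, fake_resolve).items():
        print(f"{owner:22} {verdict}")
```

Run against the constructed zone, `www` and `blog` come back clean, `old` is dangling to a plain domain (harmless unless someone registers `example.org`'s host), `shop` is a takeover candidate because the Azure hostname no longer exists, and `app` needs the fingerprint check because Heroku still answers for it.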
RDAP-Based Domain Intelligence
Beyond DNS record monitoring, DriftAlarm uses RDAP (the modern replacement for WHOIS) to track domain registration metadata: registrar changes, registration expiration dates, nameserver delegations, and registration status changes. This provides early warning of domain hijacking attempts that begin at the registrar level, such as unauthorized domain transfers or expired domain re-registrations.
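What "registration-level" drift looks like in practice is easiest to see on the RDAP object itself. The following added example (not DriftAlarm's code) compares two RDAP domain responses and reports a registrar change, removed registrar locks, a pending transfer, a delegation change and an approaching expiry. Both responses are constructed to follow the RFC 9083 domain-object shape with RFC 8056 status values; the lock list, the 30-day threshold and the domain are assumptions for the example.

```python
"""Registration-level drift from RDAP domain objects.

Added example, not DriftAlarm code. The two RDAP responses are constructed
to match the RFC 9083 domain-object shape (status values from RFC 8056); in
practice they would be fetched from the registry's RDAP base URL found via
the IANA bootstrap file. `now_iso` is passed in so the expiry check is
deterministic.
"""
from datetime import datetime

EXPIRY_WARNING_DAYS = 30          # assumed alerting threshold
REGISTRAR_LOCKS = ("client transfer prohibited", "client update prohibited",
                   "client delete prohibited")


def parse_ts(value):
    """RDAP timestamps are RFC 3339; normalise a trailing 'Z' for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def registrar_name(rdap):
    """Return the vCard 'fn' of the entity carrying the registrar role."""
    for entity in rdap.get("entities", []):
        if "registrar" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None


def event_date(rdap, action):
    for event in rdap.get("events", []):
        if event.get("eventAction") == action:
            return parse_ts(event["eventDate"])
    return None


def summarize(rdap):
    return {
        "registrar": registrar_name(rdap),
        "status": set(rdap.get("status", [])),
        "nameservers": sorted(ns["ldhName"].lower() for ns in rdap.get("nameservers", [])),
        "expires": event_date(rdap, "expiration"),
    }


def registration_findings(baseline_rdap, current_rdap, now_iso):
    """Finding codes for two RDAP snapshots of the same domain."""
    old, new = summarize(baseline_rdap), summarize(current_rdap)
    now = parse_ts(now_iso)
    findings = []
    if old["registrar"] != new["registrar"]:
        findings.append("registrar_changed")
    if old["nameservers"] != new["nameservers"]:
        findings.append("nameservers_changed")
    # A lock that was set and is now gone is the first step of a hostile
    # transfer, so it is reported even if no transfer is pending yet.
    for lock in REGISTRAR_LOCKS:
        if lock in old["status"] and lock not in new["status"]:
            findings.append("lock_removed:" + lock.replace(" ", "_"))
    if "pending transfer" in new["status"]:
        findings.append("pending_transfer")
    if new["expires"] and (new["expires"] - now).days < EXPIRY_WARNING_DAYS:
        findings.append("expiring_soon")
    return findings


def _rdap(registrar, status, expires):
    """Build a minimal RDAP domain object (constructed test data)."""
    return {
        "objectClassName": "domain",
        "ldhName": "example.com",
        "status": status,
        "events": [
            {"eventAction": "registration", "eventDate": "2015-03-02T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": expires},
        ],
        "nameservers": [
            {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE-DNS.NET"},
            {"objectClassName": "nameserver", "ldhName": "NS2.EXAMPLE-DNS.NET"},
        ],
        "entities": [{
            "objectClassName": "entity",
            "roles": ["registrar"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", registrar]]],
        }],
    }


BASELINE_RDAP = _rdap("Example Registrar, Inc.", list(REGISTRAR_LOCKS),
                      "2026-03-02T00:00:00Z")
CURRENT_RDAP = _rdap("Other Registrar LLC",
                     ["client update prohibited", "client delete prohibited",
                      "pending transfer"],
                     "2026-03-02T00:00:00Z")

if __name__ == "__main__":
    print(registration_findings(BASELINE_RDAP, CURRENT_RDAP, "2026-02-20T00:00:00Z"))
```

The registrar lock check is the one most worth keeping: a transfer-away cannot complete while `client transfer prohibited` is set, so its disappearance is actionable on its own, days before the `pending transfer` status or the nameserver change that follow.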
Who Uses This
Security Operations Teams
SOC teams use DriftAlarm's DNS drift monitoring as an early warning system for domain-based attacks. DNS changes are among the first indicators of a domain hijack, and detecting them quickly — within the scan cycle rather than days later — gives the team time to respond before email is intercepted or website traffic is redirected. Slack integration puts DNS drift alerts directly into the SOC channel alongside other security events.
DNS and Domain Administrators
DNS administrators use DriftAlarm as an independent audit trail for DNS changes. Even with change management processes in place, unauthorized or accidental modifications happen — a junior admin updates the wrong record, a registrar portal session is compromised, or a DNS provider API key is exposed. DriftAlarm provides external validation that DNS records match expectations, independent of the DNS provider's own change logs.
Email Security and Anti-Phishing Teams
Email security teams monitor SPF, DKIM, and DMARC records through DriftAlarm to ensure that email authentication policies remain intact. An unauthorized change to an SPF record, such as adding an attacker's IP range as an authorized sender, would allow phishing emails that pass authentication checks, and a DMARC policy quietly downgraded to p=none tells receivers to deliver those messages regardless. DriftAlarm detects these changes on its next scan and alerts the team, narrowing the window between the change taking effect and its use in a campaign.
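Knowing that an SPF or DMARC TXT record changed is less useful than knowing whether the change weakened it, which is what both this section and the email record monitoring section above are about. The following added example (not DriftAlarm's code) parses the two records and reports only weakening changes: new sending mechanisms, a softer `all` qualifier, a downgraded DMARC policy, a reduced `pct`, and new aggregate-report recipients. The sample records are constructed; the strength orderings are the standard SPF and DMARC semantics.

```python
"""Detecting weakening changes in SPF and DMARC TXT records.

Added example, not DriftAlarm code. It compares a baseline record with the
current one and reports only changes that expand who may send as the domain
or reduce what receivers do with failures. Sample records are constructed.
"""
import re

ALL_STRENGTH = {"-": 3, "~": 2, "?": 1, "+": 0}      # fail > softfail > neutral > pass
DMARC_STRENGTH = {"reject": 2, "quarantine": 1, "none": 0}
SENDER_MECHANISMS = ("ip4", "ip6", "include", "a", "mx", "exists", "ptr")


def join_txt(rdata):
    """TXT RDATA is one or more quoted <character-string>s (records over 255
    bytes are split); concatenate them into the logical record text."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(chunks) if chunks else rdata


def parse_spf(text):
    """Return (set of sender terms, qualifier of the 'all' mechanism or None)."""
    terms = text.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    senders, all_qualifier = set(), None
    for term in terms[1:]:
        qualifier, body = "+", term           # SPF default qualifier is '+'
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        name = body.split(":", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SENDER_MECHANISMS or name.startswith("redirect="):
            senders.add(body.lower())
    return senders, all_qualifier


def spf_findings(baseline_txt, current_txt):
    old_senders, old_all = parse_spf(join_txt(baseline_txt))
    new_senders, new_all = parse_spf(join_txt(current_txt))
    findings = ["sender_added:" + s for s in sorted(new_senders - old_senders)]
    # A record without 'all' evaluates to neutral for unmatched senders.
    strength = lambda q: ALL_STRENGTH[q or "?"]
    if strength(new_all) < strength(old_all):
        findings.append(f"all_weakened:{old_all or '?'}all->{new_all or '?'}all")
    return findings


def parse_dmarc(text):
    tags = {}
    for pair in text.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_findings(baseline_txt, current_txt):
    old, new = parse_dmarc(join_txt(baseline_txt)), parse_dmarc(join_txt(current_txt))
    findings = []
    old_p, new_p = old.get("p", "none"), new.get("p", "none")
    if DMARC_STRENGTH.get(new_p, 0) < DMARC_STRENGTH.get(old_p, 0):
        findings.append(f"policy_weakened:{old_p}->{new_p}")
    if int(new.get("pct", 100)) < int(old.get("pct", 100)):
        findings.append(f"pct_reduced:{old.get('pct', 100)}->{new.get('pct', 100)}")
    # A new rua address sends your mail-flow statistics to whoever owns it.
    old_rua = set(filter(None, old.get("rua", "").split(",")))
    new_rua = set(filter(None, new.get("rua", "").split(",")))
    findings += ["report_recipient_added:" + r for r in sorted(new_rua - old_rua)]
    return findings


# Constructed records as they would arrive from a TXT query (quoted, and the
# current SPF record split into two character-strings).
BASELINE_SPF = '"v=spf1 mx include:_spf.mailprovider.example -all"'
CURRENT_SPF = '"v=spf1 mx include:_spf.mailprovider.example " "ip4:198.51.100.0/24 ~all"'
BASELINE_DMARC = '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'
CURRENT_DMARC = ('"v=DMARC1; p=none; pct=100; '
                 'rua=mailto:dmarc@example.com,mailto:reports@collector.example"')

if __name__ == "__main__":
    print(spf_findings(BASELINE_SPF, CURRENT_SPF))
    print(dmarc_findings(BASELINE_DMARC, CURRENT_DMARC))
```

Joining the character-strings first matters: SPF records that outgrow 255 bytes are published as several quoted chunks, and a comparison on the raw RDATA would report a harmless re-chunking by the provider as a change while a monitor that compares only the first chunk would miss a mechanism appended in the second.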
Compliance and Risk Management
Compliance teams use DNS drift monitoring to demonstrate continuous monitoring of critical infrastructure records, satisfying requirements in PCI DSS (Requirement 11), SOC 2 (CC7.1), and ISO 27001 (A.13.1). The drift event history provides audit-ready evidence that DNS changes are detected, recorded, and investigated, with timestamps and before/after values for every detected change.
Detect DNS Changes Before Attackers Exploit Them
30-day free trial. No credit card required. Results in 90 seconds.