DriftSensor Docs

Frequently Asked Questions

Answers to common questions about DriftSensor - plans, monitoring, security, integrations, and more.

General

What is DriftSensor?

DriftSensor is a DNS monitoring and drift detection platform. It continuously checks your domain's DNS records against a known baseline, alerts you to unauthorized changes, and provides a security health score for your entire DNS configuration.

How does DNS monitoring work?

DriftSensor queries your DNS records from multiple public resolvers (Google, Cloudflare, Quad9) in parallel. It compares the results against your established master records and flags any differences as drift - categorized as unauthorized additions, missing records, or value changes.

What DNS record types are monitored?

A, AAAA, CNAME, MX, NS, TXT, SOA, SRV, CAA, and PTR records are all monitored. DriftSensor also validates email authentication records (SPF, DMARC, DKIM) and checks SSL certificate expiration.


Plans & Pricing

What plans are available?

                  Free    Standard     Professional   MSP
  Monthly         $0      $9.99/mo     $29.99/mo      $99.99/mo
  Yearly          $0      $7.99/mo     $23.99/mo      $74.99/mo
  Domains         1       10           50             100+
  Users           1       2            5              50
  Check Interval  24hr    5min–24hr    5min–24hr      5min–24hr

See Billing & Plans for the full feature comparison.

Is there a free trial?

Yes. New accounts start with a 7-day free trial of the Standard plan - no credit card required. A reminder email is sent 2 days before the trial expires. After expiration your account automatically downgrades to the Free plan.

What happens if I exceed my plan limits?

You cannot add resources beyond your plan limits. For example, trying to add an 11th domain on the Standard plan returns an error: "Domain limit reached. Your Standard plan allows 10 domain(s). Please upgrade your plan to add more domains." The same applies to users, webhooks, API keys, and integration limits.

What happens when I downgrade?

DriftSensor automatically adjusts your account to fit the new plan:

  • Excess domains are paused (oldest kept active).
  • Check intervals are raised to the minimum allowed by the new plan.
  • Excess webhooks are disabled.
  • API keys are disabled if not available on the new plan.
  • Teams integrations are disabled if not available.
  • Excess users are deactivated (admins are never deactivated; read-only users are deactivated first).

Do you offer refunds?

Yes - DriftSensor offers a 30-day money-back guarantee on all paid plans.

Is there an annual discount?

Yes. Standard and Professional plans save 20% with yearly billing. The MSP plan saves 25% with yearly billing.


Monitoring & Drift Detection

Why am I not seeing any drift?

On the very first monitoring check for a new domain, DriftSensor establishes a baseline. Drift is logged internally but no alerts are sent during this initial run. Subsequent checks compare against the baseline and will generate alerts for any changes.

What is "smart detection"?

DriftSensor uses several techniques to prevent false positives:

  • GeoDNS / IP Rotation - Hosts that return different A/AAAA records across resolvers are flagged as "rotating" and value changes are suppressed.
  • CDN CNAME Detection - If a host points to a known CDN (CloudFront, Cloudflare, Akamai, Fastly, Vercel, Netlify, etc.), IP changes are ignored.
  • Oscillation Suppression - If the same drift was resolved within the last 6 hours, it won't re-trigger alerts.
  • Wildcard DNS Detection - If 8+ non-master hosts resolve to the same IP, wildcard DNS is detected and only master-record hosts are monitored.
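
The comparison described under "How does DNS monitoring work?" together with the GeoDNS / IP rotation rule above, as an added Python illustration (not DriftSensor's own code). The record data, the resolver keys and the `classify_drift` name are constructed for the example, and a key absent from a resolver's answers is assumed to mean that resolver returned no data.

```python
# Added illustration; not DriftSensor's implementation. All data is constructed.
MASTER = {  # (host, record type) -> expected values (the baseline)
    ("www", "A"): {"203.0.113.10"},
    ("api", "A"): {"203.0.113.20"},
    ("cdn", "A"): {"198.51.100.1"},
    ("@", "MX"): {"10 mail.example.com."},
}
ANSWERS = {  # resolver -> observed records; an absent key means no data returned
    "google": {("www", "A"): {"203.0.113.10"}, ("api", "A"): {"192.0.2.66"},
               ("cdn", "A"): {"198.51.100.7"}, ("login", "A"): {"192.0.2.99"}},
    "cloudflare": {("www", "A"): {"203.0.113.10"}, ("api", "A"): {"192.0.2.66"},
                   ("cdn", "A"): {"198.51.100.8"}, ("login", "A"): {"192.0.2.99"}},
    "quad9": {("www", "A"): {"203.0.113.10"}, ("api", "A"): {"192.0.2.66"},
              ("cdn", "A"): {"198.51.100.9"}, ("login", "A"): {"192.0.2.99"}},
}


def classify_drift(master, answers):
    """Compare per-resolver answers with the master records and bucket the drift."""
    report = {"unauthorized": [], "missing": [], "changed": [], "suppressed": []}
    seen = set(master)
    for records in answers.values():
        seen |= set(records)
    for key in sorted(seen):
        per_resolver = [frozenset(r.get(key, ())) for r in answers.values()]
        observed = set().union(*per_resolver)
        # "Rotating": address records whose answers disagree between resolvers.
        rotating = key[1] in ("A", "AAAA") and len(set(per_resolver)) > 1
        if key not in master:
            report["unauthorized"].append(key)   # record exists but is not in the baseline
        elif not observed:
            report["missing"].append(key)        # baseline record returned by no resolver
        elif observed != master[key]:
            # Value change: suppressed for rotating hosts, reported otherwise.
            report["suppressed" if rotating else "changed"].append(key)
    return report


if __name__ == "__main__":
    for kind, keys in classify_drift(MASTER, ANSWERS).items():
        print(kind, keys)
```
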

What are "high-risk subdomains"?

DriftSensor automatically monitors 55 high-risk subdomains (such as login, admin, auth, mail, vpn, secure) for unauthorized records - even if they're not in your master records. This helps detect subdomain takeover attempts.

How often are checks performed?

Check frequency depends on your plan. Free plans are limited to every 24 hours. Paid plans support intervals of 5 minutes, 15 minutes, 30 minutes, 1 hour, 6 hours, 12 hours, or 24 hours.

Can I trigger a manual check?

Yes. Click Trigger Check on the Monitoring page. There is a 60-second cooldown between manual checks for the same domain.

What happens when DNS resolution fails?

Failed record types are skipped in drift detection to avoid false positives. DriftSensor tracks consecutive failures:

  Consecutive Failures  Action
  3                     HIGH priority warning notification
  5                     CRITICAL notification: domain unreachable
  10                    Domain auto-paused with critical notification

When a domain recovers after 3+ failures, a recovery notification is sent.


Security

How does the security health score work?

DriftSensor runs 7 security checks on each domain and calculates a score from 0–100:

  • SPF record presence and validity
  • DMARC record presence and policy strength
  • DKIM record presence
  • DNSSEC validation
  • CAA record presence
  • MX record security
  • SSL certificate validity and expiration

Scores map to letter grades: A (90–100), B (80–89), C (70–79), D (60–69), F (below 60).

How does SSL certificate monitoring work?

DriftSensor checks your SSL certificates and sends alerts at 30 days, 7 days, and on the day of expiration.

Is my data secure?

Yes. DriftSensor uses TLS 1.3 for all connections, AES-256 encryption for data at rest, and is GDPR compliant. API keys and backup codes are stored as SHA-256 hashes - the plain text values are shown only once at creation.


Alerts & Notifications

I'm not receiving email alerts

Check the following:

  1. Notification preferences - Go to Settings → Notifications and verify Email Notifications is toggled on.
  2. Critical Alerts Only - If enabled, only high and critical severity alerts are sent. Normal drift won't trigger an email.
  3. Daily Digest - If enabled, alerts are queued for the daily summary instead of being sent immediately.
  4. Spam folder - Check your spam/junk folder for emails from DriftSensor.
  5. Customer alert email - If you're a Tenant Admin, check Settings → Notification Email Address. If set, alerts go to that address instead of individual users.

What triggers a webhook?

Two event types:

  • dns.change - Sent when drift is detected (unauthorized, missing, or changed records).
  • dns.recovery - Sent when all drift for a domain has been resolved.

My webhook keeps failing

Webhooks have a 10-second timeout per delivery. After 10 consecutive failures, the webhook is automatically disabled. Common causes:

  • Your endpoint is returning non-2xx status codes.
  • Your endpoint is unreachable or timing out.
  • Your endpoint URL uses a private/internal IP address (blocked by SSRF protection).

Re-enable the webhook from Settings → Webhooks after fixing the issue. The failure counter resets on the next successful delivery.


Authentication & Account

How do I enable two-factor authentication?

Go to Settings → Two-Factor Authentication. You can choose:

  • Email Verification - A 6-digit code is sent to your email on each login.
  • Authenticator App (TOTP) - Use Google Authenticator, Microsoft Authenticator, or any TOTP-compatible app.

These are mutually exclusive - disable one before enabling the other. See Account Settings for the full setup flow.

I'm locked out of my account

After 5 failed login attempts, your account is temporarily locked. Wait 15 minutes for the auto-unlock, then try again. If you've forgotten your password, use the Forgot Password link on the login page - the reset link expires after 1 hour.

I lost my authenticator app / backup codes

If you have remaining backup codes, use one to log in and then disable TOTP from settings. If you've lost both your authenticator app and all backup codes, contact support for manual account recovery.

Can I change my email address?

No. Your email address is set during registration and cannot be changed.


API & Integrations

How do I get API access?

API access is available on Professional and MSP plans. Go to Settings → API Keys to create a key. Keys use the format ds_live_xxxxxxxxxxxx and are shown only once at creation.

What are the API rate limits?

  Limit Type  Professional   MSP
  Burst       50 req/min     50 req/min
  Daily       5,000 req/day  50,000 req/day

Rate limits are shared across all API keys on your account.

How does API key rotation work?

When you rotate a key, a new key is generated and a 24-hour grace period begins. Both the old and new keys work during the grace period. After 24 hours, the old key expires automatically.

How do I verify webhook signatures?

Webhooks include an X-Webhook-Signature header containing an HMAC-SHA256 signature of the request body, signed with your webhook secret. Compute the HMAC of the raw request body and compare it to the header value to verify authenticity.
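
A receiver-side check for the step above, as an added Python example (not DriftSensor's own code). It assumes the header carries the HMAC as a hex digest, which this page does not specify; the secret, the payload fields and the function names are constructed for the example.

```python
import hashlib
import hmac
import json


def sign(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 of the body as hex (hex encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if X-Webhook-Signature matches the raw request body."""
    if not header_value:
        return False  # a missing header is a failed verification, not a pass
    expected = sign(secret, raw_body).encode()
    received = header_value.strip().lower().encode()
    # Constant-time comparison: does not reveal how many characters matched.
    return hmac.compare_digest(expected, received)


# Constructed sample delivery; only the event name dns.change comes from this page.
SECRET = b"constructed-webhook-secret"
BODY = b'{"event":"dns.change","domain":"example.com"}'
SIGNATURE = sign(SECRET, BODY)


def demo() -> dict:
    # Parsing and re-serializing changes whitespace, so the bytes no longer match.
    reserialized = json.dumps(json.loads(BODY)).encode()
    tampered = BODY.replace(b"example.com", b"example.net")
    return {
        "valid": verify_webhook(SECRET, BODY, SIGNATURE),
        "tampered": verify_webhook(SECRET, tampered, SIGNATURE),
        "reserialized": verify_webhook(SECRET, reserialized, SIGNATURE),
        "missing_header": verify_webhook(SECRET, BODY, None),
    }


if __name__ == "__main__":
    print(demo())
```

The `reserialized` case fails because the signature covers the exact bytes received, so the handler must read the raw body before any JSON middleware parses it.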


MSP Features

How do MSP domain limits work?

Domain, user, and webhook limits are shared across your parent account and all sub-customers. For example, if your MSP plan allows 100 domains and you use 20 on the parent account, your sub-customers can use up to 80 combined.

Can I expand my domain limit?

Yes. MSP plans can purchase addon domain packs:

  Pack        Domains  Price
  Starter     +100     $49/mo
  Growth      +500     $199/mo
  Enterprise  +1,000   $349/mo

Can sub-customers use the API?

No. Sub-customers (MSP-managed tenants) cannot access API keys, webhooks, Teams integrations, or billing directly. These are managed at the MSP parent level.


Support

How do I get help?

DriftSensor offers several support channels:

  • Knowledge Base - Browse articles in Settings → Knowledge Base.
  • AI Chatbot - Available 24/7 for instant answers.
  • Support Tickets - Create a ticket from the chatbot or Settings → Support Tickets.

What are the support response times?

  Plan          Response Time
  Free          Best effort
  Standard      24–48 hours
  Professional  4–8 hours
  MSP           1–2 hours

What is the uptime guarantee?

DriftSensor offers a 99.9% SLA with credits for downtime: 10% credit for 99.0–99.9%, 25% for 95.0–99.0%, and 50% for below 95.0%.