DriftSensor Docs

DNS Records & Monitoring

How DriftSensor tracks your DNS records, detects drift, and alerts you to unauthorized changes.

How Monitoring Works

DriftSensor continuously monitors your domains by comparing live DNS records against your master records - the expected, authorized state of your DNS configuration.

The Monitoring Cycle

  1. Baseline Scan - When you first add a domain and import its records, DriftSensor captures a snapshot of your current DNS state. These become your master records.
  2. Scheduled Checks - At your configured interval (5 min to 24 hours), DriftSensor queries your domain's DNS from multiple public resolvers.
  3. Comparison - Each check compares live DNS against your master records in both directions:
    • Forward check - Are all your master records still present in DNS with the correct values?
    • Reverse check - Are there any records in DNS that aren't in your master list? (Scans critical types: A, AAAA, MX, CNAME, TXT, plus 55+ high-risk subdomains like login, admin, mail, vpn, etc.)
  4. Drift Detection - Any differences are logged as drift events and trigger alerts.
  5. Auto-Resolution - If a previously detected drift is no longer present on the next check (e.g., someone fixed the DNS), it's automatically marked as resolved and a recovery notification is sent.

DNS Resolvers

DriftSensor queries multiple public recursive resolvers (not only your domain's authoritative nameservers) so that a single resolver's stale cache does not produce a false result:

  • Google (8.8.8.8, 8.8.4.4)
  • Cloudflare (1.1.1.1)
  • Quad9 (9.9.9.9)

Smart Detection

DriftSensor includes intelligence to reduce false positives:

  • IP Rotation / GeoDNS - If resolvers return different IPs for the same host (common with CDNs and load balancers), value-level comparisons are skipped to avoid noise.
  • CDN Recognition - Known CDN providers (CloudFront, Akamai, Cloudflare, Fastly, Vercel, Netlify, etc.) are detected automatically and their dynamic A/AAAA records are handled gracefully.
  • Wildcard DNS Detection - If many non-master hosts resolve to the same IP, wildcard DNS is assumed and false positives are suppressed.
  • Oscillation Suppression - Drift that resolved within the last 6 hours and reappears is not re-logged.
  • Consecutive Failure Handling - After 3 failed checks, you get a warning. After 5, a critical alert. After 10, the domain is auto-paused.
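The four heuristics above, as an added Python illustration that is not DriftSensor's own code; the per-resolver answers, the wildcard threshold of 10 hosts and the sample clock are constructed assumptions, the escalation thresholds and the 6-hour window are the ones the page states:

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# Constructed per-resolver answers for one host: resolver IP -> set of A
# records it returned. Sample values, not real lookups.
ANSWERS_ROTATING = {            # CDN-style: resolvers see different edges
    "8.8.8.8": {"203.0.113.10"},
    "1.1.1.1": {"203.0.113.11"},
    "9.9.9.9": {"203.0.113.10"},
}
ANSWERS_STABLE = {              # every resolver agrees
    "8.8.8.8": {"198.51.100.5"},
    "1.1.1.1": {"198.51.100.5"},
    "9.9.9.9": {"198.51.100.5"},
}

OSCILLATION_WINDOW = timedelta(hours=6)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
RESOLVED_2H_AGO = NOW - timedelta(hours=2)
RESOLVED_7H_AGO = NOW - timedelta(hours=7)


def resolvers_disagree(answers: Dict[str, Set[str]]) -> bool:
    """IP rotation / GeoDNS: if the resolvers do not all return the same
    address set, value-level comparison for this host is skipped instead of
    being logged as drift."""
    distinct = {frozenset(v) for v in answers.values()}
    return len(distinct) > 1


def looks_like_wildcard(non_master_hosts: Dict[str, str], threshold: int = 10) -> bool:
    """Wildcard DNS: many hosts that are not in the master list resolving to
    one IP. The threshold of 10 is an assumption; the page only says 'many'."""
    if not non_master_hosts:
        return False
    _ip, count = Counter(non_master_hosts.values()).most_common(1)[0]
    return count >= threshold


def should_relog(last_resolved_at: Optional[datetime], now: datetime) -> bool:
    """Oscillation suppression: drift that resolved within the last 6 hours
    and reappears is not logged again."""
    if last_resolved_at is None:
        return True
    return now - last_resolved_at > OSCILLATION_WINDOW


def failure_severity(consecutive_failures: int) -> str:
    """Consecutive failure handling: 3 -> warning, 5 -> critical, 10 -> paused."""
    if consecutive_failures >= 10:
        return "paused"
    if consecutive_failures >= 5:
        return "critical"
    if consecutive_failures >= 3:
        return "warning"
    return "ok"


if __name__ == "__main__":
    print("rotating:", resolvers_disagree(ANSWERS_ROTATING))      # True
    print("stable:", resolvers_disagree(ANSWERS_STABLE))          # False
    swept = {f"h{i}.example.com": "192.0.2.7" for i in range(12)}
    print("wildcard:", looks_like_wildcard(swept))                # True
    print("relog after 2h:", should_relog(RESOLVED_2H_AGO, NOW))  # False
    for n in (2, 3, 5, 10):
        print(n, failure_severity(n))
```

Note that the wildcard and rotation heuristics suppress noise at the cost of sensitivity: a host that legitimately rotates between CDN edges also hides a value change, so the reverse check (is the name in master at all?) is still the part that catches an unexpected record.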

Drift Types

When DriftSensor detects a difference, it classifies it into one of three drift types:

  • Unauthorized - A DNS record exists that is NOT in your master records. Someone (or something) added it without your knowledge.
  • Missing - A master record is NOT found in live DNS. It was deleted or is unreachable.
  • Value Changed - A master record exists in DNS but with a different value than expected.
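The forward and reverse checks from the monitoring cycle, the three drift types they produce, and the auto-resolution step, as an added Python illustration that is not DriftSensor's own code; the record shapes and the sample master/live values are constructed:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A record is keyed by (type, host). One value per key keeps the example
# short; a real checker would hold a set of values per name/type.
Key = Tuple[str, str]


@dataclass
class DriftEvent:
    drift_type: str           # "unauthorized" | "missing" | "value_changed"
    record_type: str
    host: str
    expected: Optional[str]   # master value (None for unauthorized)
    current: Optional[str]    # live value (None for missing)
    status: str = "active"


# Constructed sample data, not a real domain: the master records and the
# live answers already aggregated across resolvers.
MASTER: Dict[Key, str] = {
    ("A", "@"): "198.51.100.5",
    ("MX", "@"): "10 mail.example.com.",
    ("TXT", "@"): "v=spf1 include:_spf.example.net -all",
    ("CNAME", "www"): "example.com.",
}
LIVE: Dict[Key, str] = {
    ("A", "@"): "198.51.100.5",
    ("MX", "@"): "10 mail.example.com.",
    ("TXT", "@"): "v=spf1 include:_spf.example.net ~all",  # policy softened
    ("A", "login"): "203.0.113.99",                        # not in master
    # ("CNAME", "www") is gone from live DNS
}


def compare(master: Dict[Key, str], live: Dict[Key, str]) -> List[DriftEvent]:
    """One monitoring check: forward pass over master, reverse pass over live."""
    events: List[DriftEvent] = []
    # Forward check: is every master record still present with the right value?
    for key, expected in master.items():
        rtype, host = key
        if key not in live:
            events.append(DriftEvent("missing", rtype, host, expected, None))
        elif live[key] != expected:
            events.append(DriftEvent("value_changed", rtype, host, expected, live[key]))
    # Reverse check: is anything in live DNS that master does not know about?
    for key, current in live.items():
        if key not in master:
            rtype, host = key
            events.append(DriftEvent("unauthorized", rtype, host, None, current))
    return events


def resolve_cleared(active: List[DriftEvent], fresh: List[DriftEvent]) -> List[DriftEvent]:
    """Auto-resolution: an active event that the next check no longer reports
    is marked resolved. Returns the newly resolved events, which is where a
    recovery notification would be sent."""
    still_present = {(e.drift_type, e.record_type, e.host) for e in fresh}
    resolved = []
    for ev in active:
        if ev.status == "active" and (ev.drift_type, ev.record_type, ev.host) not in still_present:
            ev.status = "resolved"
            resolved.append(ev)
    return resolved


if __name__ == "__main__":
    events = compare(MASTER, LIVE)
    for e in events:
        print(f"{e.drift_type:14} {e.record_type:5} {e.host:6} expected={e.expected!r} current={e.current!r}")
    fixed = dict(LIVE)
    fixed[("TXT", "@")] = MASTER[("TXT", "@")]   # someone restored -all
    print("resolved:", [(e.drift_type, e.host) for e in resolve_cleared(events, compare(MASTER, fixed))])
```

The reverse check is the one that matters for the "login" record: it never appears in master, so no forward comparison would ever see it; only enumerating what live DNS holds surfaces it.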

Monitoring Page

Navigate to Monitoring in the sidebar to view drift detection results and scan history.

Domain Selection

Use the domain selector at the top to choose which domain to inspect. Admins can also filter by customer first.

Summary Cards

Three cards show at-a-glance stats for the selected domain:

  • Total Changes - Number of drift events detected in the selected date range.
  • Total Snapshots - Number of DNS state snapshots captured.
  • Active Domains - Total number of actively monitored domains.

Change Log Tab

The change log table shows all detected drift events:

  • Record Type - Badge showing the DNS record type (A, MX, TXT, etc.)
  • Host - The hostname (@ for root, or a subdomain like www, mail)
  • Expected Value - What your master record says the value should be
  • Current in DNS - What was actually found, or MISSING in red
  • Detected - When the drift was first detected
  • Status - Active (amber) for unresolved drift; Resolved (green) when the drift is no longer present
  • Actions - Accept button to acknowledge the change

Accepting Changes

When you accept a drift event, you're telling DriftSensor "this change is intentional - update the master records."

  • Unauthorized record → Accepting creates a new master record with the DNS value.
  • Missing record → Accepting removes the master record.
  • Value changed → Accepting updates the master record to match current DNS.

You can accept changes individually or in bulk (select checkboxes, then click Accept Selected - up to 50 at a time).
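The three accept rules and the 50-item bulk limit, as an added Python illustration that is not DriftSensor's code; the master-record and event shapes, including the Accepted Drift source tag taken from the Records page, are constructed assumptions:

```python
from typing import Dict, List, Tuple

Key = Tuple[str, str]       # (record type, host)
BULK_LIMIT = 50             # Accept Selected handles up to 50 events at once

# Constructed master records: (type, host) -> {value, source}. The source
# values mirror the Records page (Imported / Manual / Accepted Drift).
MASTER: Dict[Key, dict] = {
    ("A", "@"): {"value": "198.51.100.5", "source": "imported"},
    ("CNAME", "www"): {"value": "example.com.", "source": "imported"},
    ("TXT", "@"): {"value": "v=spf1 include:_spf.example.net -all", "source": "manual"},
}


def event(drift_type: str, rtype: str, host: str, expected=None, current=None) -> dict:
    """A drift event as a plain dict (constructed shape, not the product's schema)."""
    return {"type": drift_type, "record_type": rtype, "host": host,
            "expected": expected, "current": current, "status": "active"}


def accept(master: Dict[Key, dict], ev: dict) -> None:
    """Apply the accept rule for the event's drift type to the master records."""
    key = (ev["record_type"], ev["host"])
    if ev["type"] == "unauthorized":
        # the unknown record was intentional: it becomes a master record
        master[key] = {"value": ev["current"], "source": "accepted_drift"}
    elif ev["type"] == "missing":
        # the deletion was intentional: drop the master record
        master.pop(key, None)
    elif ev["type"] == "value_changed":
        # the new value is the intended one: master follows current DNS
        master[key] = {"value": ev["current"], "source": "accepted_drift"}
    else:
        raise ValueError(f"unknown drift type {ev['type']!r}")
    ev["status"] = "resolved"


def accept_selected(master: Dict[Key, dict], events: List[dict]) -> int:
    """Bulk accept with the 50-item limit; returns the number accepted."""
    if len(events) > BULK_LIMIT:
        raise ValueError(f"select at most {BULK_LIMIT} changes at a time")
    for ev in events:
        accept(master, ev)
    return len(events)


if __name__ == "__main__":
    master = {k: dict(v) for k, v in MASTER.items()}
    selected = [
        event("unauthorized", "A", "login", current="203.0.113.99"),
        event("missing", "CNAME", "www", expected="example.com."),
        event("value_changed", "TXT", "@",
              expected=MASTER[("TXT", "@")]["value"],
              current="v=spf1 include:_spf.example.net ~all"),
    ]
    print("accepted:", accept_selected(master, selected))
    for key, rec in sorted(master.items()):
        print(key, rec)
```

Because accepting rewrites the baseline, the source tag is the only trace that a record entered master through the change log rather than through import or manual entry; it is worth keeping that distinction when reviewing why a record exists.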

Snapshots Tab

View point-in-time captures of your domain's DNS state. Each snapshot shows:

  • Snapshot ID - Unique identifier (first 8 characters)
  • Records - Badge showing the count of record types
  • Timestamp - When the snapshot was taken
  • Click View to see the full snapshot contents - all records organized by type

Manual Check

Click Trigger Check to run an on-demand DNS scan right now (instead of waiting for the next scheduled check). There's a 60-second cooldown between manual checks. The button shows a spinner while the check is in progress.

Manual checks are not available on the Free plan.


Records Page

Navigate to Records in the sidebar to view and manage the master DNS records for each domain.

Domain List

First, you'll see a list of all your domains. Click View Records on any domain to see its master records.

Records Table

  • Type - DNS record type badge (A, AAAA, MX, TXT, CNAME, NS, SRV, SPF, DKIM, DMARC)
  • Host - Hostname (@, www, mail, etc.)
  • Value - The expected record value
  • TTL - Time-to-live in seconds
  • Source - How the record was added: Imported (auto-discovered), Manual (user-created), or Accepted Drift (from the change log)
  • Actions - Edit and Delete

Filter by record type or search by host/value.

Adding Records Manually

Click Add Record and fill in:

  • Record Type - Select from A, AAAA, MX, TXT, CNAME, NS, SRV, SPF, DKIM, DMARC
  • Host - The hostname (max 63 characters)
  • Value - The record value (max 2,048 characters)
  • TTL - Time-to-live (default: 3600 seconds)
  • Priority - For MX and SRV records only (range: 0–65,535, default: 10)

Adding a record that matches an existing drift entry will automatically resolve that drift.
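The Add Record field rules and the automatic drift resolution on add, as an added Python illustration that is not DriftSensor's code; the limits and defaults are the ones listed above, while the form/record shapes and what counts as a "match" (same type and host, value equal to the drift's current DNS value) are assumptions:

```python
from typing import Dict, List

RECORD_TYPES = {"A", "AAAA", "MX", "TXT", "CNAME", "NS", "SRV", "SPF", "DKIM", "DMARC"}
MAX_HOST = 63           # host: max 63 characters
MAX_VALUE = 2048        # value: max 2,048 characters
DEFAULT_TTL = 3600      # seconds
DEFAULT_PRIORITY = 10   # MX and SRV only, range 0-65,535


def validate_record(form: Dict[str, object]) -> dict:
    """Apply the Add Record rules and return a normalised master record.
    Raises ValueError naming the offending field on the first violation."""
    rtype = str(form.get("type", "")).upper()
    if rtype not in RECORD_TYPES:
        raise ValueError(f"type: unsupported record type {rtype!r}")
    host = str(form.get("host", "")).strip() or "@"
    if len(host) > MAX_HOST:
        raise ValueError(f"host: longer than {MAX_HOST} characters")
    value = str(form.get("value", "")).strip()
    if not value:
        raise ValueError("value: required")
    if len(value) > MAX_VALUE:
        raise ValueError(f"value: longer than {MAX_VALUE:,} characters")
    ttl = int(form.get("ttl", DEFAULT_TTL))   # the page states no TTL range, so none is enforced
    record = {"type": rtype, "host": host, "value": value, "ttl": ttl, "source": "manual"}
    if rtype in ("MX", "SRV"):
        priority = int(form.get("priority", DEFAULT_PRIORITY))
        if not 0 <= priority <= 65535:
            raise ValueError("priority: must be between 0 and 65,535")
        record["priority"] = priority
    # priority is ignored for every other type
    return record


def add_record(master: List[dict], drifts: List[dict], form: Dict[str, object]) -> dict:
    """Validate, store, and resolve any active drift the new record matches."""
    record = validate_record(form)
    master.append(record)
    for d in drifts:
        if (d["status"] == "active"
                and d["record_type"] == record["type"]
                and d["host"] == record["host"]
                and d["current"] == record["value"]):
            d["status"] = "resolved"   # the record now explains the live value
    return record


if __name__ == "__main__":
    # Constructed active drift: an A record for "login" that master does not know.
    drifts = [{"record_type": "A", "host": "login", "current": "203.0.113.99", "status": "active"}]
    master: List[dict] = []
    print(add_record(master, drifts, {"type": "a", "host": "login", "value": "203.0.113.99"}))
    print("drift status:", drifts[0]["status"])   # resolved
```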

Editing and Deleting Records

Use the edit icon to modify any field on an existing record. Use delete to remove individual records, or select multiple and use Delete Selected for bulk removal.


DNS Security Checks

DriftSensor performs a comprehensive security audit of your domain's DNS configuration.

Security Score

Each domain receives a score from 0 to 100 based on 7 checks:

  • SPF (20 points) - Email sender authentication (v=spf1 TXT record). A strict -all gets the full score; a soft fail ~all gets partial credit.
  • DMARC (20 points) - Email authentication policy at _dmarc.domain. p=reject is strongest, p=quarantine is good, p=none is monitoring-only.
  • SSL Certificate (20 points) - Checks port 443 for certificate validity, expiry date, and issuer. Flags certificates expiring within 7/30/60 days.
  • DNSSEC (15 points) - Full validation: DNSKEY, DS record, RRSIG signatures, chain of trust.
  • CAA (10 points) - Certificate Authority Authorization; controls which CAs can issue certificates for your domain.
  • MX (10 points) - Mail Exchange records; presence indicates email capability.
  • DKIM (5 points) - DomainKeys Identified Mail; checks 12 common selectors for public key presence.

Letter Grades

  • 90–100 - A
  • 80–89 - B
  • 70–79 - C
  • 60–69 - D
  • 0–59 - F
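The weighted score and the letter-grade bands, as an added Python illustration that is not DriftSensor's scoring code; the weights and grade bands are the ones listed above, while the lookup-result shape and the partial-credit amounts for ~all, p=quarantine, p=none and near-expiry certificates are assumptions, since the page gives only the full weights:

```python
import re
from typing import Dict, List

# Check weights from the page; they sum to 100.
WEIGHTS = {"spf": 20, "dmarc": 20, "ssl": 20, "dnssec": 15, "caa": 10, "mx": 10, "dkim": 5}

# Constructed lookup results for one domain (sample values, not live DNS).
SAMPLE = {
    "txt_root": ["v=spf1 include:_spf.example.net ~all"],              # soft fail
    "txt_dmarc": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
    "ssl_valid": True,
    "ssl_days_left": 45,                                                 # inside the 60-day flag
    "dnssec_valid": False,
    "caa": ['0 issue "letsencrypt.org"'],
    "mx": ["10 mail.example.com."],
    "dkim_selectors_found": 1,                                           # of the 12 probed
}


def spf_points(txt_records: List[str]) -> int:
    """Strict -all earns full credit; soft fail ~all earns half (the page says
    'partial' without a number, so half is an assumption); +all, ?all or no
    v=spf1 record earns nothing."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            last = rec.split()[-1].lower()
            if last == "-all":
                return WEIGHTS["spf"]
            if last == "~all":
                return WEIGHTS["spf"] // 2
            return 0
    return 0


def dmarc_points(txt_records: List[str]) -> int:
    """p=reject full credit, p=quarantine 15, p=none 5. The page ranks the
    policies; the split for the weaker two is an assumption."""
    for rec in txt_records:
        if rec.upper().startswith("V=DMARC1"):
            m = re.search(r"\bp=(reject|quarantine|none)\b", rec, re.IGNORECASE)
            if not m:
                return 0
            return {"reject": WEIGHTS["dmarc"], "quarantine": 15, "none": 5}[m.group(1).lower()]
    return 0


def ssl_points(valid: bool, days_left: int) -> int:
    """An invalid certificate scores nothing. A valid one is flagged when it
    expires within 7/30/60 days; scoring those bands 5/10/15 is an assumption."""
    if not valid:
        return 0
    if days_left <= 7:
        return 5
    if days_left <= 30:
        return 10
    if days_left <= 60:
        return 15
    return WEIGHTS["ssl"]


def score(snap: dict) -> Dict[str, int]:
    """Per-check points plus the 0-100 total."""
    parts = {
        "spf": spf_points(snap["txt_root"]),
        "dmarc": dmarc_points(snap["txt_dmarc"]),
        "ssl": ssl_points(snap["ssl_valid"], snap["ssl_days_left"]),
        "dnssec": WEIGHTS["dnssec"] if snap["dnssec_valid"] else 0,
        "caa": WEIGHTS["caa"] if snap["caa"] else 0,
        "mx": WEIGHTS["mx"] if snap["mx"] else 0,
        "dkim": WEIGHTS["dkim"] if snap["dkim_selectors_found"] > 0 else 0,
    }
    parts["total"] = sum(parts.values())
    return parts


def grade(total: int) -> str:
    """Letter grade bands from the page."""
    if total >= 90:
        return "A"
    if total >= 80:
        return "B"
    if total >= 70:
        return "C"
    if total >= 60:
        return "D"
    return "F"


if __name__ == "__main__":
    result = score(SAMPLE)
    for name, pts in result.items():
        print(f"{name:7} {pts:3}")
    print("grade:", grade(result["total"]))   # D
```

The sample domain lands on a D with 65 points: the soft-fail SPF, quarantine-only DMARC and missing DNSSEC each leave points on the table, which is exactly the kind of gap the per-check breakdown is meant to point at.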

Running Security Checks

  • From the Dashboard, use the DNS Security Health widget's Check All button.
  • From a Domain Detail page, open the Security tab.
  • Security checks also run automatically on a daily schedule.