{"id":5524,"date":"2026-01-07T10:05:36","date_gmt":"2026-01-07T18:05:36","guid":{"rendered":"https:\/\/www.sslshopper.com\/website-monitoring\/?p=5524"},"modified":"2026-01-07T10:05:37","modified_gmt":"2026-01-07T18:05:37","slug":"dns-domain-monitoring","status":"publish","type":"post","link":"https:\/\/www.sslshopper.com\/website-monitoring\/dns-domain-monitoring\/","title":{"rendered":"Domain &#038; DNS Monitoring: Catch Misconfigurations and Expirations"},"content":{"rendered":"\n<p><strong><mark style=\"background-color:var(--base)\" class=\"has-inline-color has-contrast-3-color\">[1,222 words, 6 minute read time]<\/mark><\/strong><\/p>\n\n\n\n<p>Most teams think \u201cthe website is down\u201d means hosting or code. But a surprising number of outages start somewhere else entirely:<\/p>\n\n\n\n<p><strong>DNS problems masquerade as hosting or \u201crandom outages.\u201d<\/strong><\/p>\n\n\n\n<p>DNS and domain failures create the classic chaos:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201cIt works for me.\u201d<\/li>\n\n\n\n<li>\u201cIt works on my phone but not my laptop.\u201d<\/li>\n\n\n\n<li>\u201cIt\u2019s down in Europe but fine in the US.\u201d<\/li>\n\n\n\n<li>\u201cOur monitor says down, but the server is responding.\u201d<\/li>\n<\/ul>\n\n\n\n<p>This guide explains <strong>DNS monitoring<\/strong> (and domain monitoring) in practical terms: what DNS failures look like, domain expiration risks, the key record types (A\/AAAA\/CNAME), TTL\/propagation, an incident checklist, and copy\/paste tables and reminders.<\/p>\n\n\n\n<p>For the full monitoring roadmap, start with the <strong><a href=\"https:\/\/www.sslshopper.com\/website-monitoring\/website-uptime-monitoring-complete-guide\/\">complete guide<\/a><\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">What DNS failures look like (symptoms you\u2019ll see)<\/h2>\n\n\n\n<p>DNS failures don\u2019t always look like \u201cDNS.\u201d They show up as confusing symptoms that are easy to misdiagnose.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common DNS-related symptoms<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Browser shows <strong>\u201cDNS_PROBE_FINISHED_NXDOMAIN\u201d<\/strong> or \u201cserver IP address could not be found\u201d<\/li>\n\n\n\n<li>Site times out for some users but not others<\/li>\n\n\n\n<li>Only one hostname fails (e.g., <code>www<\/code> works but apex doesn\u2019t, or vice versa)<\/li>\n\n\n\n<li>Outage appears <strong>regional<\/strong> (works in one location, fails in another)<\/li>\n\n\n\n<li>API works but website doesn\u2019t (or the reverse)<\/li>\n\n\n\n<li>Monitoring shows intermittent \u201cdown\u201d flapping around DNS change windows<\/li>\n<\/ul>\n\n\n\n<p><strong>If you only monitor from one location, DNS problems can hide.<\/strong><br>That\u2019s why multi-location monitoring is a strong companion: <strong><a href=\"https:\/\/www.sslshopper.com\/website-monitoring\/multi-location-uptime-monitoring\/\">multi-location uptime monitoring<\/a><\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">The two big buckets: domain\/registrar vs DNS provider<\/h2>\n\n\n\n<p>When something \u201cDNS-ish\u201d breaks, it usually falls into one of these categories:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Domain\/registrar issues (ownership and renewals)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>domain expired (or is in grace\/redemption)<\/li>\n\n\n\n<li>registrar account compromised<\/li>\n\n\n\n<li>nameservers changed (maliciously or accidentally)<\/li>\n\n\n\n<li>contact email invalid (renewal notices never arrive)<\/li>\n\n\n\n<li>auto-renew failed due to billing<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) DNS provider issues (records and resolution)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>record changed incorrectly (A\/AAAA\/CNAME)<\/li>\n\n\n\n<li>record deleted<\/li>\n\n\n\n<li>DNSSEC misconfiguration (advanced, but common enough to mention)<\/li>\n\n\n\n<li>propagation\/TTL confusion after changes<\/li>\n\n\n\n<li>provider outage (less common, but possible)<\/li>\n<\/ul>\n\n\n\n<p>DNS monitoring is about catching both: <strong>resolution failures<\/strong> and <strong>upcoming renewal risks<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Domain expiration and registrar risks (why this is high-stakes)<\/h2>\n\n\n\n<p>A domain is not just a DNS setting. It\u2019s your identity. Domain expiration can look like sudden total downtime\u2014and it can quickly turn into a nightmare.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What can happen when a domain expires<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DNS stops resolving (site \u201cvanishes\u201d)<\/li>\n\n\n\n<li>email stops working (password resets fail, support inbox dies)<\/li>\n\n\n\n<li>customers see scary warnings or dead pages<\/li>\n\n\n\n<li>in worst cases, the domain is purchased by someone else after expiration windows<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Registrar risk checklist (high ROI)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable <strong>auto-renew<\/strong><\/li>\n\n\n\n<li>Use a payment method that won\u2019t fail silently (and keep it updated)<\/li>\n\n\n\n<li>Set a <strong>calendar reminder<\/strong> 30\u201360 days before expiration<\/li>\n\n\n\n<li>Ensure WHOIS\/contact email is valid and monitored<\/li>\n\n\n\n<li>Turn on <strong>2FA<\/strong> for registrar accounts<\/li>\n\n\n\n<li>Restrict who has access (agencies: separate client credentials or vault)<\/li>\n\n\n\n<li>Consider <strong>registry lock<\/strong> for high-value domains (advanced\/enterprise)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">DNS record basics (A\/AAAA\/CNAME) at a high level<\/h2>\n\n\n\n<p>You don\u2019t need to become a DNS engineer to monitor it well. Here are the records you\u2019ll interact with most:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">A record<\/h3>\n\n\n\n<p>Maps a hostname (like <code>example.com<\/code>) to an <strong>IPv4<\/strong> address.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">AAAA record<\/h3>\n\n\n\n<p>Maps a hostname to an <strong>IPv6<\/strong> address.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CNAME record<\/h3>\n\n\n\n<p>Points one hostname to another hostname (common for <code>www<\/code> \u2192 <code>example.com<\/code> or CDN targets).<\/p>\n\n\n\n<p><strong>Common failure pattern:<\/strong><br>A site \u201cworks\u201d for some users if the A record is correct but the AAAA record points to a dead IPv6 target (or vice versa). Or <code>www<\/code> is a CNAME to an old CDN hostname.<\/p>\n\n\n\n<p>Monitoring should include the hostnames users actually type:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>example.com<\/code><\/li>\n\n\n\n<li><code>www.example.com<\/code><\/li>\n\n\n\n<li>critical subdomains (<code>api.<\/code>, <code>app.<\/code>, <code>status.<\/code>, <code>cdn.<\/code>)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Propagation and TTL (practical terms, not theory)<\/h2>\n\n\n\n<p>DNS changes aren\u2019t instantly consistent worldwide because resolvers cache answers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">TTL in plain language<\/h3>\n\n\n\n<p><strong>TTL (time to live)<\/strong> is \u201chow long other systems are allowed to cache this DNS answer.\u201d<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Lower TTL (e.g., 60\u2013300 seconds): changes spread faster, but can increase query volume<\/li>\n\n\n\n<li>Higher TTL (e.g., 3600+ seconds): more stable caching, but slower change propagation<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Propagation in practice<\/h3>\n\n\n\n<p>When you change DNS:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>some resolvers pick it up quickly<\/li>\n\n\n\n<li>others keep old cached values until TTL expires<\/li>\n\n\n\n<li>users can see different answers at the same time<\/li>\n<\/ul>\n\n\n\n<p>That\u2019s why DNS incidents can look \u201crandom.\u201d<\/p>\n\n\n\n<p><strong>Practical change strategy<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For planned migrations: lower TTL 24\u201348 hours beforehand<\/li>\n\n\n\n<li>Make the change<\/li>\n\n\n\n<li>After stable: raise TTL back to a reasonable value<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">What DNS monitoring should actually do<\/h2>\n\n\n\n<p>A good DNS monitoring setup watches for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>resolution success\/failure<\/strong> (NXDOMAIN, SERVFAIL, timeout)<\/li>\n\n\n\n<li>correctness of returned records (A\/AAAA\/CNAME match expected)<\/li>\n\n\n\n<li>changes to nameservers<\/li>\n\n\n\n<li>domain expiration windows (renewal reminders)<\/li>\n\n\n\n<li>optionally: DNSSEC status changes (advanced)<\/li>\n<\/ul>\n\n\n\n<p>This complements uptime checks in your overall monitoring plan: <strong><a href=\"https:\/\/www.sslshopper.com\/website-monitoring\/website-uptime-monitoring-complete-guide\/\">complete guide<\/a><\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Symptom \u2192 likely cause table (copy\/paste)<\/h2>\n\n\n\n<p>Use this to triage quickly when something \u201cfeels like DNS.\u201d<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Symptom<\/th><th>Likely cause<\/th><th>First things to check<\/th><\/tr><\/thead><tbody><tr><td>\u201cDomain not found\u201d \/ NXDOMAIN<\/td><td>Record deleted, wrong zone, domain expired<\/td><td>Registrar status, DNS zone exists, record present<\/td><\/tr><tr><td>Works for you, not others<\/td><td>TTL\/propagation or regional resolver differences<\/td><td>Recent DNS changes, TTL, multi-location checks<\/td><\/tr><tr><td><code>www<\/code> works but apex doesn\u2019t (or vice versa)<\/td><td>Missing\/incorrect A\/CNAME on one hostname<\/td><td>Compare records for both hostnames<\/td><\/tr><tr><td>Intermittent failures<\/td><td>Provider instability, mixed A\/AAAA correctness, cached old records<\/td><td>AAAA record, recent changes, provider status<\/td><\/tr><tr><td>Suddenly points to wrong site<\/td><td>Nameserver change, hijack, mis-pointed records<\/td><td>Nameservers at registrar, change history, account security<\/td><\/tr><tr><td>Email breaks too<\/td><td>Domain\/DNS-wide issue<\/td><td>MX\/TXT records (not covered here deeply), registrar status<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">DNS incident checklist (first 15 minutes)<\/h2>\n\n\n\n<p>When you suspect DNS during an outage, don\u2019t guess\u2014confirm.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">DNS incident checklist<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Confirm resolution failures<\/strong><\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check <code>example.com<\/code> and <code>www.example.com<\/code><\/li>\n\n\n\n<li>Check from a second network\/location<\/li>\n<\/ul>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>Check if it\u2019s regional<\/strong><\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compare results from multiple regions (or use your monitoring probes)<\/li>\n\n\n\n<li>If only one region fails, suspect resolver\/propagation\/CDN edge<\/li>\n<\/ul>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>Check registrar status<\/strong><\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Is the domain expired or in renewal trouble?<\/li>\n\n\n\n<li>Were nameservers changed?<\/li>\n<\/ul>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong>Check recent DNS changes<\/strong><\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Did anyone change A\/AAAA\/CNAME records recently?<\/li>\n\n\n\n<li>Was a migration planned?<\/li>\n\n\n\n<li>Are TTLs very high (slower propagation)?<\/li>\n<\/ul>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong>Validate expected targets<\/strong><\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A\/AAAA point to the correct IPs?<\/li>\n\n\n\n<li>CNAME points to the correct hostname?<\/li>\n\n\n\n<li>Any stale records left over (especially AAAA)?<\/li>\n<\/ul>\n\n\n\n<ol start=\"6\" class=\"wp-block-list\">\n<li><strong>Mitigate<\/strong><\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Roll back the DNS change if it\u2019s clearly wrong<\/li>\n\n\n\n<li>If nameservers were changed unexpectedly, revert immediately and secure accounts<\/li>\n\n\n\n<li>Communicate clearly: \u201cDNS issue confirmed; propagation may take X minutes after fix\u201d<\/li>\n<\/ul>\n\n\n\n<p>If this is part of a broader incident, use the full playbook: <strong><a href=\"https:\/\/www.sslshopper.com\/website-monitoring\/website-down-incident-response\/\">incident response<\/a><\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u201cRenewal reminders\u201d checklist (prevent the worst DNS outage)<\/h2>\n\n\n\n<p>Domain expiry is one of the most preventable outages. Agencies should treat it like client inventory.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Renewal reminders checklist<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Record domain expiration date for every client\/domain<\/li>\n\n\n\n<li>Set reminders for:\n<ul class=\"wp-block-list\">\n<li><strong>60 days<\/strong> before expiration (verify billing\/contact)<\/li>\n\n\n\n<li><strong>30 days<\/strong> before (confirm auto-renew)<\/li>\n\n\n\n<li><strong>14 days<\/strong> before (manual check: renewal queued)<\/li>\n\n\n\n<li><strong>7 days<\/strong> before (urgent escalation if uncertain)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Confirm:\n<ul class=\"wp-block-list\">\n<li>registrar access is current<\/li>\n\n\n\n<li>client contact email is valid<\/li>\n\n\n\n<li>2FA is enabled<\/li>\n\n\n\n<li>payment method is current<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Agency tip:<\/strong> keep domain ownership explicit in your contracts and onboarding (\u201cClient owns domain; agency manages DNS changes under approval\u201d).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">How to add DNS monitoring to your overall stack (simple approach)<\/h2>\n\n\n\n<p>Start with three checks:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Monitor DNS resolution for <code>example.com<\/code><\/li>\n\n\n\n<li>Monitor DNS resolution for <code>www.example.com<\/code><\/li>\n\n\n\n<li>Add domain expiration reminders (calendar + tool alerts)<\/li>\n<\/ol>\n\n\n\n<p>Then level up:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>monitor critical subdomains (<code>app.<\/code>, <code>api.<\/code>, <code>status.<\/code>)<\/li>\n\n\n\n<li>multi-location checks for global audiences<\/li>\n\n\n\n<li>change alerts for nameservers\/records (if your tooling supports it)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">CTA: Add domain expiration reminders + monitor DNS resolution<\/h2>\n\n\n\n<p>DNS failures are frustrating because they look like \u201crandom outages,\u201d and domain expiration is catastrophic because it looks like instant disappearance.<\/p>\n\n\n\n<p><strong>CTA:<\/strong> Add <strong>domain expiration reminders<\/strong> and monitor <strong>DNS resolution<\/strong> (for apex + www) today\u2014before your next DNS change or renewal window turns into a surprise outage.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[1,222 words, 6 minute read time] Most teams think \u201cthe website is down\u201d means hosting or code. But a surprising number of outages start somewhere else entirely: DNS problems masquerade as hosting or \u201crandom outages.\u201d DNS and domain failures create the classic chaos: This guide explains DNS monitoring (and domain monitoring) in practical terms: what &#8230; <a title=\"Domain &#038; DNS Monitoring: Catch Misconfigurations and Expirations\" class=\"read-more\" href=\"https:\/\/www.sslshopper.com\/website-monitoring\/dns-domain-monitoring\/\" aria-label=\"Read more about Domain &#038; DNS Monitoring: Catch Misconfigurations and Expirations\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[108],"tags":[],"class_list":["post-5524","post","type-post","status-publish","format-standard","hentry","category-guides"],"_links":{"self":[{"href":"https:\/\/www.sslshopper.com\/website-monitoring\/wp-json\/wp\/v2\/posts\/5524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sslshopper.com\/website-monitoring\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sslshopper.com\/website-monitoring\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sslshopper.com\/website-monitoring\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sslshopper.com\/website-monitoring\/wp-json\/wp\/v2\/comments?post=5524"}],"version-history":[{"count":2,"href":"https:\/\/www.sslshopper.com\/website-monitoring\/wp-json\/wp\/v2\/posts\/5524\/revisions"}],"predecessor-version":[{"id":5582,"href":"https:\/\/www.sslshopper.com\/website-monitoring\/wp-json\/wp\/v2\/posts\/5524\/revisions\/5582"}],"wp:attachment":[{"href":"https:\/\/www.sslshopper.com\/website-monitoring\/wp-json\/wp\/v2\/media?parent=5524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sslshopper.com\/website-monitoring\/wp-json\/wp\/v2\/categories?post=5524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sslshopper.com\/website-monitoring\/wp-json\/wp\/v2\/tags?post=5524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}