I’ve recently been exploring how to monitor and capture DNS entry history for various types of DNS records, with a focus on SOA, NS, MX, AAAA, A, TXT and CNAME records. When working with different companies, you might build services that rely on DNS operated by other companies and individuals. Mistakes can occur when the service goes offline or automatic TLS certificate issuance fails. It’s important to monitor DNS records, set up alerts, and maintain a historical record of changes for specific DNS entries, including the chain of CNAME resolutions, without excessively capturing the rotation of DNS entries.
I came across a service online designed for DNS monitoring, but it operates differently than I expected.
If you have any recommendations on how to effectively monitor, maintain a history, and even set up alerts for specific DNS entries, I would greatly appreciate your input.
Own DNS History Monitoring
I did end up building my own, but I’m still looking for commercial products.
I ended up not enabling all DNS types out of the box for every domain but rather selectively chose what to monitor. I also built a custom interval for each check. I still have to fix the alert on change; however, this is not a major issue. Currently, the main issue is that the email with the change alert might get too long with the before and after data. Providing just the information that changed with a link is not user-friendly. For now, I’m okay with consulting the tool in such cases to see what happened.
Mostly, I’m concerned with reviewing changes from the past 3 months. I think a resolution of 1 hour is mostly sufficient for my use case. Data older than 3 months will be automatically deleted.
I chose to order the history changes view. This means I can order A records that have the same IP addresses, just mixed in round-robin, so that they are not seen as a change. This view allows me to see the last and most recent result and lists all recent “relevant” changes with the changed information only.
It’s puzzling to me why this does not exist or why I was unable to find this product on the internet.
Another interesting use case for me is that I can search for a specific IP address and quickly determine its ownership. This function will encompass all the DNS history data that I monitor. Therefore, if I receive penetration testing results with an IP address, it will be quick and easy to identify the owner, even if there is no reverse PTR record associated with the IP. This is particularly helpful when dealing with IPs originating from Azure, Google, or Amazon Cloud, which may not be listed in my IP Address Management (IPAM) system.
But the feature is not limited to that; I can search through all of my DNS history data.
I have added features to remove a domain and all historical data, and a bulk add that will not allow duplicate entries for the same property.
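As an added example (this is not the author's closed-source tool and not code from the page), here is a small Python sketch of the pieces described above: a per-record check interval, a diff that sorts the answer set so that the same A records rotated by round-robin are not a change, capture of the whole CNAME chain as one monitored value, 3-month retention, refusal of duplicate entries on add, and a search of the captured history by IP address. The record names, IPs and the `StubResolver` zone are constructed for the example so it runs offline; in practice a real resolver callable (for instance a thin wrapper around dnspython's `dns.resolver.resolve`) would replace `StubResolver`.

```python
"""DNS change-history monitor (added example, not the author's tool): per-record
intervals, round-robin-insensitive diffs, CNAME-chain capture, retention expiry,
duplicate refusal, IP search. StubResolver is a constructed offline DNS stand-in."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

Change = namedtuple("Change", "seen_at before after")  # before is None at first sight

@dataclass
class Monitored:
    name: str
    rtype: str
    interval: timedelta
    current: Optional[Tuple[str, ...]] = None
    changes: List[Change] = field(default_factory=list)
    next_check: Optional[datetime] = None

class DnsHistory:
    def __init__(self, resolver: Callable[[str, str], List[str]], retention=timedelta(days=90)):
        # resolver(name, rtype) -> list of answer strings; records keyed by (name, rtype)
        self.resolver, self.retention, self.records = resolver, retention, {}

    def add(self, name: str, rtype: str, interval=timedelta(hours=1)) -> bool:
        """Watch one (name, type) at its own interval; duplicates are refused."""
        key = (name.lower().rstrip("."), rtype.upper())
        if key in self.records:
            return False
        self.records[key] = Monitored(key[0], key[1], interval)
        return True

    def cname_chain(self, name: str) -> Tuple[str, ...]:
        """Follow CNAMEs to the terminal name; order matters here, so no sorting."""
        chain = [name.lower().rstrip(".")]
        for _ in range(8):  # depth guard against CNAME loops
            target = self.resolver(chain[-1], "CNAME")
            if not target:
                break
            chain.append(target[0].lower().rstrip("."))
        return tuple(chain)

    def poll(self, now: datetime) -> List[Tuple[Monitored, Change]]:
        """Check records whose interval has elapsed; return only real changes."""
        found, cutoff = [], now - self.retention
        for rec in self.records.values():
            if rec.next_check is not None and now < rec.next_check:
                continue
            rec.next_check = now + rec.interval
            if rec.rtype == "CHAIN":  # pseudo-type: the whole CNAME chain of a name
                answer = self.cname_chain(rec.name)
            else:  # sorting the answer set makes round-robin rotation compare equal
                answer = tuple(sorted(self.resolver(rec.name, rec.rtype)))
            if answer != rec.current:
                rec.changes.append(Change(now, rec.current, answer))
                rec.current = answer
                found.append((rec, rec.changes[-1]))
            rec.changes = [c for c in rec.changes if c.seen_at >= cutoff]  # retention
        return found

    def find_ip(self, ip: str) -> List[Tuple[str, str, Optional[datetime]]]:
        """(name, rtype, change time) for each retained change that mentions ip."""
        hits = []
        for rec in self.records.values():
            times = [c.seen_at for c in rec.changes if ip in c.after or ip in (c.before or ())]
            if not times and rec.current and ip in rec.current:
                times = [None]  # still current, but its change has already expired
            hits += [(rec.name, rec.rtype, t) for t in times]
        return hits

class StubResolver:
    """Constructed stand-in for DNS: rotates answers like a round-robin server."""
    def __init__(self):
        self.calls = 0
        self.zone = {("www.example.test", "CNAME"): ["edge.example.test."],
                     ("edge.example.test", "CNAME"): ["lb.cloud-provider.test."],
                     ("lb.cloud-provider.test", "A"): ["203.0.113.10", "203.0.113.11"]}
    def __call__(self, name: str, rtype: str) -> List[str]:
        self.calls += 1
        ans = self.zone.get((name, rtype), [])
        k = self.calls % max(len(ans), 1)
        return ans[k:] + ans[:k]

def run_demo() -> dict:
    dns = StubResolver()
    hist = DnsHistory(dns, retention=timedelta(days=90))
    hist.add("lb.cloud-provider.test", "A", timedelta(hours=1))
    hist.add("www.example.test", "CHAIN")
    out = {"dup_refused": not hist.add("LB.cloud-provider.test.", "a")}
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    out["initial"] = len(hist.poll(t0))
    out["rotated"] = len(hist.poll(t0 + timedelta(hours=1)))  # same set, new order
    dns.zone[("lb.cloud-provider.test", "A")] = ["203.0.113.10", "203.0.113.12"]
    out["real"] = [(c.before, c.after) for _, c in hist.poll(t0 + timedelta(hours=2))]
    out["chain"] = hist.records[("www.example.test", "CHAIN")].current
    out["old_ip_owner"] = sorted({h[0] for h in hist.find_ip("203.0.113.11")})
    hist.poll(t0 + timedelta(days=100))  # past retention: the change records expire
    out["after_expiry"] = hist.find_ip("203.0.113.12")
    return out
```

One caveat the sketch makes explicit: the IP search reports a time of `None` when the matching value is still current but every change record that contained it has already aged out of the retention window, so the tool knows the value is there but not since when. Keeping the current state separately from the change log is what makes that distinction possible, and it is also why the search can still find an IP that only survives as the "before" side of a later change.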
This tool is currently closed-source and not available to the public.