DNS Monitoring: The Invisible Dependency That Breaks Everything

Basic DNS monitoring verifies: - Your domain resolves to the expected IP address - DNS resolution completes within an acceptable time (<500ms) - All expected records exist (A, AAAA, MX, CNAME, TXT)

Advanced DNS monitoring adds: - Resolution consistency across multiple DNS providers (Google, Cloudflare, Route53) - MX record reachability (your mail server is actually up) - TTL values are not set too low (causing unnecessary traffic) or too high (preventing quick rollback)

DNS hijacking — where a malicious actor changes your DNS records to point at a different server — is rare but catastrophic. Monitor: - Check that the resolved IP matches your expected IP from multiple external vantage points - Alert on any unexpected IP change, even if the service appears to be working - Monitor your registrar's last-login and DNSSEC status

Before any deployment that changes IP addresses: 1. Lower your TTL to 60 seconds (one hour before the change) 2. Make the IP change 3. Wait 5 minutes (for old TTL to expire everywhere) 4. Raise TTL back to normal (300-3600 seconds)

Without this process, some users will be stuck on the old IP for hours after your deployment.

AlertsDock HTTP monitors test the full stack including DNS resolution. If your monitor fails: - With a timeout: often DNS or network - With a connection refused: DNS resolved but service down - With an SSL error: DNS resolved, service up, but certificate problem

The error type tells you where in the stack the problem is.

Email deliverability depends entirely on DNS records. Monitor: - MX records exist and point to live mail servers - SPF record is not missing or malformed - DMARC record exists with policy

Use MXToolbox or similar to check weekly.