DNS Change Detection

Someone changes an MX record. Someone else deletes a TXT verification record. A TTL gets dropped from 3600 to 60. None of these trigger an alert from your DNS provider. You find out when email stops arriving, or when a deploy fails, or when a customer calls.

BackupMyDNS catches every change the moment it happens.

DNS change detection showing record modifications

How it works

We connect to your DNS provider through their API using read-only credentials. On a schedule, we pull every record from every zone on that provider and compare the current state against the last known snapshot.

When we detect a difference, we capture the full zone and store the diff. The snapshot preserves the complete zone state. The diff shows exactly what moved.

No agents, no scripts, no DNS transfer zones. Just an API connection and a schedule.

What counts as a change

We track every modification the API can surface:

  • New record — an A record, CNAME, or any other type that didn’t exist before
  • Deleted record — a record that was present in the last snapshot and is now gone
  • Modified value — an A record pointing to a different IP, a TXT record with updated content
  • Changed TTL — the value is the same but the TTL is different
  • Updated priority — MX priority reordered, SRV weight adjusted

If the zone looks different from the last snapshot in any way, we capture it.

Check frequency

How often we poll depends on your plan:

Plan Frequency Latency to detect a change
Free Daily Up to 24 hours
Pro ($14/mo) Hourly Up to 60 minutes
Business ($49/mo) Every 10 minutes Up to 10 minutes

On Business, a record change at 2:03 PM is captured by 2:13 PM. That’s the window. For most teams running production infrastructure, the 10-minute interval is the one that matters.

Why provider audit logs aren’t enough

Some providers have audit logs. Cloudflare shows you who clicked what button. Route53 has CloudTrail events. These tell you an action occurred. They don’t tell you the before and after state of the zone.

An audit log says “user X modified record Y at timestamp Z.” BackupMyDNS shows you the actual data: this record had value 203.0.113.10 with TTL 3600, and now it has value 198.51.100.22 with TTL 300. That’s the difference between knowing something changed and knowing what changed.

Audit logs also don’t help when the change was made via API, terraform, or a script that doesn’t leave a clear trail. We watch the zone itself, not the actions taken against it.

Silent changes are the dangerous ones

The changes that cause outages are rarely dramatic. Nobody accidentally deletes an entire zone. The real problems are subtle: a DKIM key with one wrong character, a CAA record removed during a “cleanup,” an MX priority that got inverted.

These changes don’t announce themselves. They sit quietly until something downstream breaks — email deliverability drops, TLS certificate renewal fails, a third-party service can’t verify domain ownership.

Change detection turns these invisible problems into visible events. Pair it with email notifications and you’ll know about the change before the downstream impact hits.

Pair with notifications

Enable email notifications and you’ll get an alert every time we detect a change. The notification includes a summary of what changed. Click through to see the full diff in the dashboard.

This turns BackupMyDNS from a backup tool into a monitoring tool. You’re not just protecting against data loss — you’re watching for unexpected modifications in real time.

Start monitoring your DNS →

Free for your first domain. No credit card required.