How BackupMyDNS works
The short version
You give us read-only API access to your DNS provider. We check your zones on a schedule. When something changes, we snapshot the entire zone and store the diff. You can download any snapshot as a standard BIND zone file, or compare any two versions side by side.
That’s it. No agents to install, no scripts to maintain, no cron jobs to babysit.
Step by step
1. Connect your provider
We support Cloudflare, AWS Route53, DNSimple, and GoDaddy. Each connection uses the minimum permissions possible:
- Cloudflare:
Zone:Read— we can list your zones and read records. Nothing else. - Route53:
route53:ListHostedZones+route53:ListResourceRecordSets— read-only. - DNSimple: Read-only OAuth token.
- GoDaddy: API key with domain read access.
We never write to your zones. We can’t. The permissions don’t allow it.
Setup takes about 60 seconds per provider.
2. We check for changes
How often depends on your plan:
| Plan | Check frequency |
|---|---|
| Free | Every 24 hours |
| Pro | Every hour |
| Business | Every 10 minutes |
Each check pulls every record from every zone on that provider. We compare the current state against the last known snapshot.
3. Changes trigger a snapshot
When we detect a difference — a new record, a deleted record, a changed value, a modified TTL — we capture the full zone state and store it. The diff between the previous snapshot and the new one is computed and stored alongside it.
This means you always have:
- The complete zone at any point in time
- The exact diff showing what changed between any two snapshots
- A timeline of every modification across all your domains
4. Download or compare
Every snapshot is downloadable as a standard BIND zone file. No proprietary format. Import it into any DNS provider, or use it as reference to rebuild records manually.
The diff view shows exactly what was added, removed, or modified — like git diff for your DNS. When something breaks at 2 AM, you’re not guessing. You’re looking at the change that caused it.
What we capture
Every record type your provider returns via their API:
A · AAAA · CNAME · MX · TXT · SRV · NS · SOA · CAA · and any other type the provider API exposes.
This includes the records most people forget about: DKIM keys, SPF records, DMARC policies, SRV records for Microsoft 365, CAA records for certificate authorities.
Security
Your zone data is AES-256 encrypted before storage. Our team cannot read your DNS data.
Fort Knox mode (Pro and Business): We email you the backup and delete it from our systems immediately. Your backups exist only in your inbox.
We don’t sell or share your data. Full details in our Privacy & Legal terms.
What happens when you need a restore
- Open BackupMyDNS and find the domain
- Browse the snapshot timeline or use the diff view to find the last known-good state
- Download the zone file
- Import it into your provider or use it to manually rebuild
The whole process takes minutes. Without a backup, you’re reconstructing from memory, from Slack messages, from old screenshots — and it takes hours.
Free for your first domain. No credit card required.