ZoneWatcher
Features Integrations Compliance Pricing FAQ Blog
Sign In Register

DNS Monitoring for Managed Service Providers: A Practical Guide

Tom Schlick · 5 min read

When something breaks (email stops delivering, a website goes down, a subdomain starts serving the wrong content), the client calls you. And your first question is always the same: "Did something change?"

DNS monitoring gives you the answer before the client even notices the problem.

The MSP DNS Problem

Managing DNS for multiple clients introduces challenges that don't exist when you're managing your own domains:

Fragmented providers. Client A is on Cloudflare. Client B is on GoDaddy. Client C has their DNS at AWS Route 53 but their registrar is somewhere else. You're logging into half a dozen different dashboards.

Incomplete handoffs. When you onboard a new client, you inherit their DNS zone as-is. Half the records have no documentation, and some point to servers decommissioned years ago. You're afraid to touch anything because you don't know what depends on what.

Shared responsibility. The client's internal IT team might have access to the DNS provider. They make changes without telling you, and you find out when something breaks.

SLA pressure. Your contract says you'll keep things running. A DNS misconfiguration that takes down a client's email for an afternoon is an SLA violation, even if the client's own staff caused it.

What to Monitor

At a minimum, monitor these record types across all client domains:

A and AAAA records for all client-facing services. An unexpected IP change means traffic is going somewhere it shouldn't.

MX records. Email is the most visible service. If MX records change, email delivery breaks within hours and the client notices fast.

NS records. A change to nameserver delegation is either a planned migration or a hijack. Either way, you need to know immediately.

TXT records (SPF, DKIM, DMARC). Email authentication failures cause deliverability problems that are hard to diagnose without knowing a record changed.

CNAME records. Especially for subdomains pointing to SaaS services; these are subdomain takeover candidates when the service is decommissioned.

CAA records. If a client uses automated certificate renewals like Let's Encrypt, a CAA change can silently block renewals.

Setting Up Multi-Client Monitoring

Organize by Client

Structure your monitoring so each client's domains are grouped together. When you get an alert at 2am, you need to know immediately which client is affected and what changed.

Use Autodiscovery

If a DNS provider API supports it, use autodiscovery to pull in all zones automatically. This catches new domains or subdomains that get added without your knowledge, which happens more often than it should.

Set Up Per-Client Notification Channels

Route alerts for each client to the appropriate channel. Your team's Slack channel for general monitoring, a client-specific channel for their domains, and email escalation for critical records.

Baseline Documentation

When you onboard a new client, take a snapshot of their DNS zone and store it as the baseline. This becomes your reference point; any future change is measured against this known-good state.

If the baseline itself has problems (stale records, misconfigured email authentication), document those findings and present them to the client as an onboarding audit. This is a value-add that many MSPs overlook.

Onboarding Audit Checklist

When you take over DNS management for a new client, run through this:

  • Export and document the current zone file
  • Verify all A/AAAA records resolve to active, expected servers
  • Verify MX records point to the client's actual email provider
  • Check SPF, DKIM, and DMARC records exist and are correctly configured
  • Identify CNAME records pointing to third-party services and verify those services are active
  • Check for dangling records (records pointing to resources that no longer exist)
  • Verify NS records and registrar configuration match
  • Check DNSSEC status (enabled, keys valid?)
  • Check CAA records against the client's certificate provider
  • Review TTL values for reasonable settings
  • Set up monitoring and alerting for the domain

Present the findings to the client. This establishes your credibility and often uncovers issues the previous provider ignored.

Incident Response for MSPs

When monitoring catches a change:

  1. Determine if it was planned. Check with your team first. Was anyone working on this client's DNS? Is there a change ticket?
  2. If unplanned, assess severity. A TTL change is low risk, while an A record or NS change is high risk. Act accordingly.
  3. Notify the client. Even if the change turns out to be benign (their internal IT made it), notify them. This demonstrates the value of your monitoring and reinforces that changes should go through your change management process.
  4. Document in the audit trail. Log the change, the response, and the resolution. This documentation supports SLA reporting and compliance requirements.

Selling DNS Monitoring as a Service

DNS monitoring is a natural addition to your managed services offering. Frame it around what the client cares about:

Uptime. "We'll know within minutes if a DNS change affects your website or email before your customers notice."

Security. "Unauthorized DNS changes are how domains get hijacked. We monitor for that."

Compliance. "Our audit trail gives you a complete history of every DNS change, timestamped and searchable. Your auditors will appreciate it."

Peace of mind. "When your internal team makes a DNS change, we'll see it and can verify it's correct. No more silent misconfigurations."

For most MSPs, DNS monitoring isn't a separate line item. It's baked into the managed services package as part of infrastructure monitoring. The cost is minimal, and the value becomes obvious the first time you catch a problem the client didn't know about.

Ready to protect your DNS?

Start your free trial today and get full access to all monitoring features.

Start Trial View Pricing