Read-Only Provider API Credentials
ZoneWatcher only needs read access to your DNS records. Many providers support read-only API credentials, which we recommend using to follow the principle of least privilege.
Why Use Read-Only Credentials?
ZoneWatcher monitors your DNS records but never modifies them. By using read-only API credentials, you ensure that even if those credentials were compromised, no changes could be made to your DNS configuration. We strongly recommend using the most restrictive credentials available for your provider.
Provider Support
The table below shows which DNS providers support read-only API credentials and how to configure them.
| Provider | Read-Only Support | Mechanism |
|---|---|---|
| AWS Route 53 | Yes | IAM policy: AmazonRoute53ReadOnlyAccess |
| Alibaba Cloud | Yes | RAM policy: AliyunDNSReadOnlyAccess |
| Ascio | No | Single username/password, no permission scoping |
| Atom | No | No documented permission scoping |
| Azure | Yes | RBAC Reader role |
| Azure Private DNS | Yes | RBAC Reader role |
| Bunny DNS | No | API keys have selectable permissions but DNS read-only scope is not documented |
| CSC Global | Yes | Service accounts with READ permission level (managed by CSC) |
| Civo | No | Team roles exist but API key scoping for DNS is unclear |
| ClouDNS | Yes | API sub-users with "Read only" access level |
| CloudFlare | Yes | Scoped API token with Zone:DNS:Read permission |
| Contabo | Yes | RBAC roles restricting to GET methods per endpoint |
| DNS Made Easy | No | RBAC roles exist but API key scoping to read-only is unclear |
| Digicert UltraDNS | No | |
| Digital Ocean | Yes | Scoped personal access tokens with "Read Only" option |
| Dnsimple | Yes | Scoped access tokens with read-only per resource type |
| Dreamhost | Yes | Per-command API key permissions (allow only dns-list_records) |
| Dynadot | No | Single API key, IP allowlist only |
| EasyDNS | No | Single token and key pair, no permission scoping |
| Gandi | No | PAT scoping exists but DNS permission does not split read/write |
| Gcore | Yes | Role-based API tokens with Viewer role |
| Go Daddy | No | No documented read-only API key scoping |
| Google Cloud | Yes | IAM dns.reader role |
| Hetzner | Yes | API tokens with Read permission level |
| Hostinger | No | Token permissions exist but scopes are not documented |
| Huawei Cloud | Yes | IAM policy: DNS ReadOnlyAccess |
| IBM Cloud | Yes | IAM Reader / Viewer roles |
| IONOS | Yes | IAM roles with read-only as default |
| Interserver | No | cPanel API tokens, no permission scoping |
| Katapult | Yes | Scoped API token permissions |
| LeaseWeb | Yes | API keys restricted to GET method only |
| Linode | Yes | Token scope: domains:read_only |
| Markmonitor | No | Granular permissions mentioned but not publicly documented |
| NS1 | Yes | API key with view_zones permission |
| Name.com | No | Single token, no scopes |
| NameSilo | Yes | Read-only checkbox on API key generation |
| Namecheap | No | Single API key, IP allowlist only |
| Netlify | No | No scope support for access tokens |
| OVH | Yes | Consumer Key access rules restricted to GET methods |
| Oracle Cloud | Yes | IAM policy with read verb |
| Porkbun | No | Single API key pair, no scoping |
| PowerDNS | Yes | Server-wide api-readonly configuration flag |
| Rackspace | Yes | RBAC Observer role |
| Scaleway | Yes | IAM policies with ReadOnly permission sets |
| Spaceship | Yes | API key scope: dnsrecords:read |
| Vercel | No | Tokens are team-scoped only, no granular permissions |
| Vultr | No | DNS ACL is all-or-nothing (read and write) |
| Wix | No | Scoped permissions exist but DNS read-only scope is not confirmed |
| deSEC | Yes | Token policies: every token can read, and write permissions are configurable |
| eNom | No | Multiple tokens but no permission scoping |
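As an added illustration (not part of ZoneWatcher's documentation or code), the check below reads an IAM-style policy document, like the Route 53 entry in the table, and reports which record-changing actions it would still allow; the two policy documents and the list of write actions are constructed for the example, and the read-only policy is written in the spirit of the managed AmazonRoute53ReadOnlyAccess policy rather than copied from AWS.

```python
import fnmatch
import json

# Constructed example of a read-only Route 53 policy (in the spirit of the
# managed AmazonRoute53ReadOnlyAccess policy the table refers to; not AWS's text).
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["route53:Get*", "route53:List*", "route53:TestDNSAnswer"]}],
})

# Constructed counter-example: a key that could also rewrite records.
FULL_ACCESS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "route53:*", "Resource": "*"}],
})

# Route 53 actions that change DNS state; a monitor never needs any of them.
WRITE_ACTIONS = (
    "route53:ChangeResourceRecordSets",
    "route53:CreateHostedZone",
    "route53:DeleteHostedZone",
)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, stmt):
    """IAM-style wildcard match of one action against a statement's Action/NotAction."""
    if "NotAction" in stmt:
        pats = _as_list(stmt["NotAction"])
        return not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)
    pats = _as_list(stmt.get("Action", []))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)

def allowed_write_actions(policy_json, write_actions=WRITE_ACTIONS):
    """Return the write actions the policy allows (empty means read-only).

    An explicit Deny wins over any Allow, as in IAM evaluation. Condition blocks
    are ignored, so a non-empty result is a finding to review, not a proof.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.update(a for a in write_actions if _matches(a, stmt))
    return sorted(allowed - denied)
```

Run `allowed_write_actions` over the policy attached to the key you hand to the monitor; an empty list is what a read-only credential should produce.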
Providers Without Read-Only Support
For providers that do not support read-only credentials, we recommend using a dedicated API key that is only used by ZoneWatcher. Some providers offer IP allowlisting as an alternative security measure, which you can configure to only allow requests from ZoneWatcher's IP addresses.
Alternative: Public DNS and AXFR Monitoring
If your provider does not support read-only API credentials and you are not comfortable granting full API access, ZoneWatcher offers two alternative monitoring methods that require no provider API credentials at all:
- Public DNS — monitors your domains by querying public DNS resolvers directly. No API credentials needed. This method can detect changes to any publicly visible DNS records, though it is limited to records that are discoverable through public queries.
- Zone Transfer Protocol (AXFR) — fetches a complete copy of your DNS zone directly from your authoritative nameserver using the AXFR protocol. This requires your nameserver to be configured to allow zone transfers from ZoneWatcher's IP addresses, but does not require any provider API credentials.