
DNS Monitoring

DNS monitoring is the practice of continuously tracking Domain Name System records and changes to detect potential brand threats — including new domain registrations that impersonate a brand, DNS record changes that signal malicious activity, and infrastructure patterns associated with phishing and counterfeit operations.

How DNS Works (and Why It Matters for Brand Protection)

The Domain Name System (DNS) translates human-readable domain names (like example.com) into IP addresses that computers use to communicate. Every domain name has a set of DNS records that define how it operates — where it's hosted, where its email goes, and what services are associated with it.

For brand protection, DNS data is one of the earliest signals that a threat is emerging. A new domain registration that resembles your brand, a DNS change pointing a previously parked domain to a web server, or an MX record being added to enable phishing emails — these are all detectable through DNS monitoring before the attack reaches your customers.

Key DNS Record Types for Threat Detection

| Record Type | What It Contains | Brand Protection Relevance |
| --- | --- | --- |
| A / AAAA | IPv4 / IPv6 address of the domain | Reveals hosting location; shared IPs can link related threat domains |
| MX | Mail server configuration | Indicates the domain can send/receive email (phishing risk) |
| NS | Authoritative nameservers | Identifies DNS provider; certain providers are associated with abuse |
| TXT | Arbitrary text (often SPF, DKIM, DMARC) | Presence of email authentication records signals intent to send email |
| CNAME | Alias to another domain | Can reveal domain infrastructure chains |
| SOA | Start of Authority metadata | Contains serial numbers and refresh intervals useful for change tracking |

DNS Data Sources

Zone File Access

ICANN's Centralized Zone Data Service (CZDS) provides access to zone files for most generic top-level domains (gTLDs). A zone file is a complete list of all registered domains within a TLD. By comparing daily zone file snapshots, monitoring systems can identify newly registered domains that resemble a protected brand.

CZDS access is available to qualifying organizations through an application process. Coverage includes over 1,200 gTLDs but does not include country-code TLDs (ccTLDs) like .uk, .de, or .fr, which are managed by their respective registries.
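The snapshot comparison described above, as an added example (not code from the original page or from any vendor's product): it parses two constructed BIND-format zone snapshots, diffs the delegated names, and scores each new name against a brand token. The zone contents, the `.example` TLD, the brand "acmebank" and the 0.8 threshold are all assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed snapshots of a gTLD zone file in BIND format (not real CZDS data).
# A zone file lists NS records for every delegated name, so the owner names
# on NS lines are the registered domains; the TLD apex's own NS lines are skipped.
ZONE_DAY1 = """\
example.           172800 IN NS a.gtld-servers.net.
acme-bank.example. 172800 IN NS ns1.hoster.example.
acme-bank.example. 172800 IN NS ns2.hoster.example.
flowers.example.   172800 IN NS ns1.hoster.example.
"""
ZONE_DAY2 = ZONE_DAY1 + """\
acmebank-login.example. 172800 IN NS ns1.cheaphost.example.
acme-bamk.example.      172800 IN NS ns1.cheaphost.example.
gardening.example.      172800 IN NS ns1.hoster.example.
"""

NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+", re.IGNORECASE)

def registered_domains(zone_text):
    """Set of delegated names, lowercased with the trailing dot removed."""
    names = set()
    for line in zone_text.splitlines():
        m = NS_LINE.match(line)
        if m:
            name = m.group(1).lower().rstrip(".")
            if "." in name:          # drop the TLD apex itself
                names.add(name)
    return names

def new_domains(old_zone, new_zone):
    """Names present in today's snapshot but absent from yesterday's."""
    return sorted(registered_domains(new_zone) - registered_domains(old_zone))

def brand_similarity(domain, brand):
    """Score the second-level label against a brand token (0..1)."""
    label = domain.split(".")[0].replace("-", "")
    if brand in label:
        return 1.0
    return SequenceMatcher(None, label, brand).ratio()

def suspicious_registrations(old_zone, new_zone, brand, threshold=0.8):
    """New names whose label contains or closely resembles the brand."""
    return [(d, brand_similarity(d, brand))
            for d in new_domains(old_zone, new_zone)
            if brand_similarity(d, brand) >= threshold]
```

A production monitor would add homoglyph normalisation and a per-brand keyword list; the similarity ratio shown here is only one of several scoring strategies.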

Certificate Transparency Logs

Certificate Transparency (CT) is a public logging system for SSL/TLS certificates, required by major browsers since 2018. When a domain obtains an SSL certificate, the issuance is recorded in publicly accessible CT logs.

Monitoring CT logs provides near-real-time visibility into domains that are preparing to serve HTTPS content — which increasingly includes phishing sites. Services like crt.sh (operated by Sectigo) provide free search access to CT log data.

Passive DNS Databases

Passive DNS systems collect DNS resolution data by observing actual DNS traffic at recursive resolvers or network sensors. Unlike active scanning (which queries DNS servers directly), passive DNS records what domains are being resolved in real-world traffic.

Major passive DNS databases include Farsight DNSDB (containing over 100 billion DNS observations as of 2024), which is widely used in threat intelligence. Passive DNS is particularly valuable for:

  • Historical lookups — seeing what IP address a domain pointed to at a specific time
  • Reverse lookups — finding all domains that have ever pointed to a given IP address
  • Infrastructure mapping — identifying clusters of domains sharing hosting or nameserver infrastructure

Threat Domain Lifecycle

DNS monitoring is effective because threat domains follow a predictable lifecycle with detectable signals at each stage:

  1. Registration — Domain is registered. Detectable via zone file monitoring or WHOIS/RDAP data.
  2. Configuration — DNS records are set up (A records, MX records, nameservers). Detectable via DNS record monitoring.
  3. Activation — SSL certificate is obtained and web content is deployed. Detectable via Certificate Transparency logs and web crawling.
  4. Attack — The domain is used for phishing, scam shops, or impersonation. Detectable via content analysis and threat intelligence feeds.
  5. Rotation — Sophisticated attackers rotate through domains, abandoning detected ones and activating new ones from pre-registered pools.
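Stage detection from DNS record changes, as an added example (not code from the original page or from any vendor's product): it diffs two constructed record snapshots of one watched look-alike domain, raises the escalation signals a monitor would report, and maps the observable state onto stages 1-4 of the lifecycle above. The snapshots, the parking-IP allow-list and the `cert_seen` / `content_flagged` inputs are assumptions.

```python
# Constructed DNS record snapshots for one watched look-alike domain (not real
# data). PARKING_IPS is an assumed allow-list of a registrar's parking-page IPs.
PARKING_IPS = {"192.0.2.1"}

SNAPSHOT_T0 = {"NS": {"ns1.registrar.example"}, "A": {"192.0.2.1"}}
SNAPSHOT_T1 = {
    "NS": {"ns1.cheaphost.example"},
    "A": {"198.51.100.7"},
    "MX": {"mail.cheaphost.example"},
    "TXT": {"v=spf1 ip4:198.51.100.7 -all"},
}

def record_changes(before, after):
    """(type, added, removed) for every record type whose value set changed."""
    changes = []
    for rtype in sorted(set(before) | set(after)):
        added = after.get(rtype, set()) - before.get(rtype, set())
        removed = before.get(rtype, set()) - after.get(rtype, set())
        if added or removed:
            changes.append((rtype, sorted(added), sorted(removed)))
    return changes

def lifecycle_stage(records, cert_seen=False, content_flagged=False):
    """Map a domain's observable state onto lifecycle stages 1-4."""
    if content_flagged:
        return 4                       # Attack: content analysis confirmed abuse
    if cert_seen:
        return 3                       # Activation: certificate issued
    live_a = records.get("A", set()) - PARKING_IPS
    if live_a or records.get("MX"):
        return 2                       # Configuration: live host or mail set up
    return 1                           # Registration: parked, nothing configured

def escalation_signals(before, after):
    """Signals a monitoring system would raise from the record diff."""
    out = []
    for rtype, added, removed in record_changes(before, after):
        if rtype == "A" and set(added) - PARKING_IPS:
            out.append("A record moved off parking to live host(s): " + ", ".join(added))
        elif rtype == "MX" and added:
            out.append("MX added, domain can now receive mail")
        elif rtype == "NS" and added:
            out.append("nameservers changed to " + ", ".join(added))
        elif rtype == "TXT" and any(v.startswith("v=spf1") for v in added):
            out.append("SPF record published, domain intends to send mail")
    return out
```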

The goal of DNS monitoring is to detect threats at stages 1-3, before they reach stage 4 and cause harm to customers.

Infrastructure Signals

Beyond individual domain monitoring, DNS data reveals infrastructure patterns that indicate organized abuse:

  • Shared IP addresses — Multiple brand-impersonating domains hosted on the same IP often indicate a single threat actor
  • Bulletproof hosting providers — Certain hosting providers are known for ignoring abuse complaints, and their IP ranges are documented in threat intelligence databases
  • Fast-flux DNS — Rapidly rotating A records across many IP addresses is a technique used to make takedowns more difficult
  • Nameserver clustering — Threat actors often use the same nameserver provider across their domain portfolio
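The reverse lookups and infrastructure mapping from the Passive DNS section, together with the shared-IP, nameserver-clustering and fast-flux signals listed above, as one added example (not code from the original page or from any passive DNS vendor): it runs over a constructed set of passive DNS observations. The observation format, the domains, the IPs and the fast-flux threshold of five IPs in 24 hours are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive DNS observations as (domain, type, value, first_seen).
# The shape loosely mirrors a passive DNS API response; none of it is real DNSDB data.
OBSERVATIONS = [
    ("acme-bamk.example", "A", "198.51.100.7", "2024-05-01T08:00:00"),
    ("acmebank-login.example", "A", "198.51.100.7", "2024-05-01T09:30:00"),
    ("acme-bamk.example", "NS", "ns1.cheaphost.example", "2024-05-01T08:00:00"),
    ("acmebank-login.example", "NS", "ns1.cheaphost.example", "2024-05-01T09:30:00"),
    ("flowers.example", "A", "203.0.113.20", "2024-04-02T12:00:00"),
    ("acme-verify.example", "A", "198.51.100.11", "2024-05-02T00:05:00"),
    ("acme-verify.example", "A", "198.51.100.12", "2024-05-02T00:20:00"),
    ("acme-verify.example", "A", "198.51.100.13", "2024-05-02T00:35:00"),
    ("acme-verify.example", "A", "198.51.100.14", "2024-05-02T00:50:00"),
    ("acme-verify.example", "A", "198.51.100.15", "2024-05-02T01:05:00"),
]

def reverse_lookup(observations, ip):
    """Every domain that has ever had an A record pointing at this IP."""
    return sorted({d for d, t, v, _ in observations if t == "A" and v == ip})

def shared_infrastructure(observations, rtype):
    """Map each IP (rtype 'A') or nameserver (rtype 'NS') to the domains using it,
    keeping only values shared by two or more domains."""
    groups = defaultdict(set)
    for d, t, v, _ in observations:
        if t == rtype:
            groups[v].add(d)
    return {v: sorted(ds) for v, ds in groups.items() if len(ds) > 1}

def fast_flux_candidates(observations, window_hours=24, min_ips=5):
    """Domains whose A record cycled through min_ips distinct IPs inside one window."""
    hits = defaultdict(list)
    for d, t, v, ts in observations:
        if t == "A":
            hits[d].append((datetime.fromisoformat(ts), v))
    window = timedelta(hours=window_hours)
    flagged = []
    for d, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            ips = {ip for ts, ip in seen[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged.append(d)
                break
    return sorted(flagged)
```

Shared-IP clusters should be checked against the hosting provider's size before treating them as one actor, since large shared hosts and CDNs put many unrelated domains on the same address.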

Limitations of DNS Monitoring Alone

DNS monitoring is a foundational layer but is not sufficient on its own for comprehensive brand protection:

  • ccTLD coverage gaps — Country-code TLD zone files are not available through CZDS and require separate arrangements with each registry
  • Subdomain visibility — Subdomain-based attacks (e.g., yourbrand.malicious-site.com) don't create new zone file entries and require different detection methods
  • Content analysis — DNS data reveals infrastructure, not content. A domain that looks suspicious at the DNS level may be legitimate, and vice versa. Content analysis is needed to confirm actual brand infringement.
  • Speed vs. completeness — Zone files are typically updated daily, creating a lag between registration and detection. CT logs and passive DNS can fill this gap but don't cover every domain.

Effective brand protection combines DNS monitoring with web content analysis, image recognition, and threat intelligence enrichment to minimize both false positives and missed threats.
