Operations | Monitoring | ITSM | DevOps | Cloud

DNS monitoring should be simple. You want to know if something changed. You want to know if a record propagated. You want to know if a phishing site just went live with your brand name in the domain. But in practice it takes work. You log in to a dashboard. You click through menus. You run a check, copy the output, paste it somewhere else. You repeat that process every time someone on the team asks a question. AI assistants like Claude and ChatGPT could help.

The FBI published a warning last week. Threat actors have registered more than 498 fake domains tied to the 2026 FIFA World Cup. Fake ticket sites. Fake job listings. Fake merchandise stores. All live in DNS right now. Every one of those domains is catchable. Not after victims report fraud. Before anyone gets hurt. That is what DNS Spy’s Phishing Sentinel is built to do.

A new attack technique called Underminr was disclosed this week. It slips past protective DNS by abusing shared CDN edge IPs. The DNS query looks clean. The connection lands on malware. This post walks through what Underminr is, why protective DNS misses it, what actually stops it, and the OTHER DNS layer most teams forget to watch.

Today we are launching the DNS Spy DNS Propagation Checker. It is free. It works on any domain. It shows you what is happening in more places, in more detail, and faster than the tools you have been using. You can try it right now: dnsspy.io/dns-tools/dns-propagation-checker.

If you run an MSP, this is the call that ages you. The fix is almost always small. A record was edited at the registrar. A vendor changed an MX target. A new tool added a TXT record and pushed SPF over the lookup limit. None of that should reach a client. With the right monitoring, none of it does. Here is a real one. A 40-person law firm renews their EV certificate. The vendor needs a CAA record cleaned up.

Here are the three records most teams forget to monitor — and what happens when they break.

The Start of Authority record is the first record in any DNS zone file. It's the record that says "this zone exists, this is the primary nameserver in charge, and here are the timing rules that govern how this zone behaves." A full SOA record looks like this when you query it: Each of those numbers does something different. The one that triggered your warning is the Expire value, the fourth number. In this example, 1209600 seconds, which is exactly 14 days.

When your mail server connects to a recipient server to deliver email, the very first thing it does after the TCP connection is established is introduce itself. That introduction happens through the EHLO command (or its older predecessor HELO), and it looks like this: That hostname in the EHLO line is your SMTP banner. It is what your server claims to be.

DNS Spy now goes well beyond DNS record monitoring. We've shipped SSL certificate discovery and security auditing, expanded the Security Center to 40+ automated checks across six categories, and built expiration tracking for both domains and SSL certificates — with tiered alerts so nothing expires without warning.

On March 25, 2026, the Internet Systems Consortium (ISC) released patches for three vulnerabilities in BIND 9, the most widely deployed DNS server software in the world. The headline flaw — CVE-2026-1519 — carries a CVSS score of 7.5 and is remotely exploitable with no authentication required. An attacker who controls a maliciously crafted DNS zone can trigger the vulnerability by forcing a BIND resolver to process excessive NSEC3 iterations during DNSSEC validation of an insecure delegation.