Monitor and validate DNS IP changes using regex

DNS administrators often monitor their DNS servers to detect changes in domain resolution and ensure IP mappings remain secure and accurate.

Problem

When your organization adds or modifies an IP address for your domain name, it’s critical to:
  1. Be promptly notified of any changes.
  2. Validate whether the new IP belongs to your infrastructure and isn’t maliciously injected.

Solution

Use Answer Validation with regex pattern matching in Site24x7’s DNS Server monitor to track IP changes. This allows you to:
  1. Detect unauthorized or unintended DNS changes.
  2. Verify that newly added IPs resolve correctly for your domain.
  3. Ensure known IPs remain listed as expected.
  4. Get alerts when unexpected or malicious IPs appear.

How it works

Once you configure a DNS Server Monitor, Site24x7 regularly queries the DNS records of your domain. If there's a change in the resolved IPs (e.g., a new IP being added or an existing one being altered or removed), Site24x7 will immediately notify you based on your regex validation and alert settings.

Use case

Say your organization owns the domain zylker.com, which typically resolves to the following IP addresses:

<IP_ADDRESS>
100.100.10.10
100.100.10.11

Scenario 1: Should contain specific IP addresses
Directly provide the IP in the Answer Validation field. This will trigger an alert if the configured IP is not found in the answer. 

Scenario 2: Should not contain a specific IP address
Use this pattern if you want to make sure a particular IP (e.g., a retired or malicious IP) does not appear in DNS resolution. Consider the following example:

Regex pattern: ${^((?!(<IP_ADDRESS>)).)*$}

Example: ${^((?!(100\.100\.10\.10|10\.100\.10\.11)).)*$}

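Explanation:
  1. ${}: Site24x7 pattern to configure regex.
  2. ^: Start of the string.
  3. (?!(100\.100\.10\.10|10\.100\.10\.11)): Negative lookahead; ensures that neither of these IPs begins at the current position.
  4. .: Matches a single character once the lookahead has passed.
  5. ( )*$: Repeats the lookahead-and-character step up to the end of the string, so the check is applied at every position and neither IP can appear anywhere in the string.
The pattern matches only when neither IP is present, so it alerts you only if either the IP 100.100.10.10 or 10.100.10.11 appears in the DNS response.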

Scenario 3: Notify when any new IP address is added
Use this setting when you want to receive an alert if an unauthorized IP address is detected. Consider the following example:

Regex pattern: ${^(<IP_ADDRESS>)$}

Example: ${^(100\.100\.10\.10|100\.100\.10\.11)$}

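Explanation:
  1. ^: Start of the string.
  2. (100\.100\.10\.10|100\.100\.10\.11): Matches either of the specific IPs that are expected for your domain.
  3. $: End of the string, so nothing other than one of the listed IPs is accepted.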
If the response deviates from the defined pattern—such as when a new IP address (e.g., xxx.xx.xx.xx) is added—it won’t match, triggering an alert.
Keep the regex updated whenever your authorized IPs change.
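
The Scenario 2 and Scenario 3 patterns can be checked offline before they are entered in the monitor. The following is an added example, not Site24x7 code: it rebuilds both patterns from a list of IPs and runs them with Python's re module against constructed answers. It assumes each resolved address is validated as its own string; the function names and the bounded option are hypothetical.

```python
import re

def strip_wrapper(pattern):
    """Drop the ${...} wrapper that marks a regex in Site24x7."""
    return pattern[2:-1] if pattern.startswith("${") and pattern.endswith("}") else pattern

def allowlist_pattern(ips):
    """Scenario 3: the answer must be exactly one of the authorized IPs."""
    return "${^(" + "|".join(re.escape(ip) for ip in ips) + ")$}"

def denylist_pattern(ips, bounded=False):
    """Scenario 2: none of the listed IPs may appear in the answer."""
    alt = "|".join(re.escape(ip) for ip in ips)
    if bounded:
        # Added hardening (assumption, checked with Python's re only): refuse
        # to match inside a longer number such as 100.100.10.100.
        alt = r"(?<!\d)(?:" + alt + r")(?!\d)"
    return "${^((?!(" + alt + ")).)*$}"

def failing_answers(pattern, answers):
    """Answers that do not match the pattern, i.e. the ones that would alert.
    Assumption: each resolved address is tested as its own string."""
    rx = re.compile(strip_wrapper(pattern))
    return [a for a in answers if rx.search(a) is None]

# Constructed sample data, using the article's example addresses.
AUTHORIZED = ["100.100.10.10", "100.100.10.11"]
BLOCKED = ["100.100.10.10", "10.100.10.11"]
ANSWERS = ["100.100.10.10", "100.100.10.100", "110.100.10.11", "203.0.113.7"]

if __name__ == "__main__":
    for label, pat in [
        ("allowlist", allowlist_pattern(AUTHORIZED)),
        ("denylist", denylist_pattern(BLOCKED)),
        ("denylist, bounded", denylist_pattern(BLOCKED, bounded=True)),
    ]:
        print(label, pat, "-> alerts on", failing_answers(pat, ANSWERS))
```

The unbounded denylist also alerts on 100.100.10.100 and 110.100.10.11 because the blocked addresses occur inside them as substrings; the bounded variant alerts only on 100.100.10.10.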

How to set the regex pattern

  1. In Site24x7, navigate to Admin > Inventory > Monitors > Add Monitor > DNS Server.
  2. Enter your domain details.
  3. In the Answer Validation section, using the Address box, enter your regex based on your expected IP pattern.
  4. Click Save.
When any IP change is detected—including the addition, removal, or modification of IP addresses—you’ll receive an alert based on your settings.

By utilizing regex in Site24x7's DNS Answer Validation feature, you gain a powerful and efficient way to monitor changes in your domain's IP addresses, ensuring the reliability and security of your online presence. 
