Monitor and validate DNS IP changes using regex

DNS administrators often monitor their DNS servers to detect changes in domain resolution and ensure IP mappings remain secure and accurate.

Problem

When your organization adds or modifies an IP address for your domain name, it’s critical to:
  1. Be promptly notified of any changes.
  2. Validate whether the new IP belongs to your infrastructure and isn’t maliciously injected.

Solution

Use Answer Validation with regex pattern matching in Site24x7’s DNS Server monitor to track IP changes. This allows you to:
  1. Detect unauthorized or unintended DNS changes.
  2. Verify that newly added IPs resolve correctly for your domain.
  3. Ensure known IPs remain listed as expected.
  4. Get alerts when unexpected or malicious IPs appear.

How it works

Once you configure a DNS Server Monitor, Site24x7 regularly queries the DNS records of your domain. If there's a change in the resolved IPs (e.g., a new IP being added or an existing one being altered or removed), Site24x7 will immediately notify you based on your regex validation and alert settings.

Use case

Say your organization owns the domain zylker.com, which typically resolves to the following IP addresses:

<IP_ADDRESS>
100.100.10.10
100.100.10.11

Scenario 1: Should contain specific IP addresses
Directly provide the IP in the Answer Validation field. This will trigger an alert if the configured IP is not found in the answer. 

Scenario 2: Should not contain a specific IP address
Use this field if you want to make sure a particular IP (e.g., a retired or malicious IP) does not appear in DNS resolution. Consider the below example:

Regex pattern: ${^((?!(<IP_ADDRESS>)).)*$}

Example: ${^((?!(100\.100\.10\.10|10\.100\.10\.11)).)*$}

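Explanation:
  1. ${}: Site24x7 pattern to configure regex.
  2. ^: Start of the string.
  3. (?!(100\.100\.10\.10|10\.100\.10\.11)): Negative lookahead; fails if either listed IP starts at the current position.
  4. ((?!...).)*: Consumes one character at a time and repeats the lookahead at every position, so neither IP can appear anywhere in the string.
  5. $: End of the string.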
This regex pattern alerts you only if either the IP 100.100.10.10 or 10.100.10.11 appears in the DNS response.

Scenario 3: Notify when any new IP address is added
Use this setting when you want to receive an alert if an unauthorized IP address is detected. Consider the below example:

Regex pattern: ${^(<IP_ADDRESS>)$}

Example: ${^(100\.100\.10\.10|100\.100\.10\.11)$}

Explanation:
  1. ^: Start of the string.
  2. (100\.100\.10\.10|100\.100\.10\.11): The authorized IPs for your domain, separated by |; the answer must be one of them.
  3. $: End of the string.
If the response deviates from the defined pattern—such as when a new IP address (e.g., xxx.xx.xx.xx) is added—it won’t match, triggering an alert.
Keep the regex updated whenever your authorized IPs change.
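
The Scenario 2 and Scenario 3 example patterns above, run against constructed DNS answers (an added example, not Site24x7 code). It assumes each returned address is validated on its own with Python `re` semantics and that a non-matching answer raises the alert; `DENY_STRICT`, `unwrap` and `failing_answers` are hypothetical names, and lookbehind support in Site24x7's regex engine is an assumption.

```python
import re

# Patterns copied from the article's examples, ${...} wrapper included.
DENY = r"${^((?!(100\.100\.10\.10|10\.100\.10\.11)).)*$}"   # Scenario 2
ALLOW = r"${^(100\.100\.10\.10|100\.100\.10\.11)$}"         # Scenario 3

# Added variant, not from the article: digit boundaries keep a denied IP from
# matching inside a longer address (100.100.10.101, 210.100.10.11).
DENY_STRICT = r"${^((?!(?<!\d)(100\.100\.10\.10|10\.100\.10\.11)(?!\d)).)*$}"

# Constructed sample answers, one address per entry.
ANSWERS = [
    "100.100.10.10",   # denied in Scenario 2, authorized in Scenario 3
    "10.100.10.11",    # denied in Scenario 2
    "100.100.10.11",   # authorized in Scenario 3
    "100.100.10.101",  # different host; starts with a denied IP's text
    "210.100.10.11",   # different host; ends with a denied IP's text
    "203.0.113.7",     # unrelated documentation-range address
]


def unwrap(pattern):
    """Strip the ${...} wrapper the article uses to mark a regex."""
    if pattern.startswith("${") and pattern.endswith("}"):
        return pattern[2:-1]
    return pattern


def failing_answers(pattern, answers):
    """Return the answers that do not match, i.e. the ones that would alert."""
    rx = re.compile(unwrap(pattern))
    return [a for a in answers if rx.search(a) is None]


if __name__ == "__main__":
    for name, pat in (("DENY", DENY), ("DENY_STRICT", DENY_STRICT), ("ALLOW", ALLOW)):
        print(f"{name:12} alerts on: {failing_answers(pat, ANSWERS)}")
```

The Scenario 2 pattern as written also flags 100.100.10.101 and 210.100.10.11, because the denied text appears inside them; the boundary variant flags only the two exact addresses.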

How to set the regex pattern

  1. In Site24x7, navigate to Admin > Inventory > Monitors > Add Monitor > DNS Server.
  2. Enter your domain details.
  3. In the Answer Validation section, using the Address box, enter your regex based on your expected IP pattern.
  4. Click Save.
When any IP change is detected—including the addition, removal, or modification of IP addresses—you’ll receive an alert based on your settings.

By utilizing regex in Site24x7's DNS Answer Validation feature, you gain a powerful and efficient way to monitor changes in your domain's IP addresses, ensuring the reliability and security of your online presence. 
