Monitor and validate DNS IP changes using regex

Monitor and validate DNS IP changes using regex

DNS administrators often monitor their DNS servers to detect changes in domain resolution and ensure IP mappings remain secure and accurate.

Problem

When your organization adds or modifies an IP address for your domain name, it’s critical to:
  1. Be promptly notified of any changes.
  2. Validate whether the new IP belongs to your infrastructure and isn’t maliciously injected.

Solution

Use Answer Validation with regex pattern matching in Site24x7’s DNS Server monitor to track IP changes. This allows you to:
  1. Detect unauthorized or unintended DNS changes.
  2. Verify that newly added IPs resolve correctly for your domain.
  3. Ensure known IPs remain listed as expected.
  4. Get alerts when unexpected or malicious IPs appear.

How it works

Once you configure a DNS Server Monitor, Site24x7 regularly queries the DNS records of your domain. If there's a change in the resolved IPs (e.g., a new IP being added or an existing one being altered or removed), Site24x7 will immediately notify you based on your regex validation and alert settings.

Use case

Say your organization owns the domain zylker.com, which typically resolves to the following IP addresses:

<IP_ADDRESS>
100.100.10.10
100.100.10.11

Scenario 1: Should contain specific IP addresses
Directly provide the IP in the Answer Validation field. This will trigger an alert if the configured IP is not found in the answer. 

Scenario 2: Should not contain a specific IP address
Use this field if you want to make sure a particular IP (e.g., a retired or malicious IP) does not appear in DNS resolution. Consider the below example:

Regex pattern: ${^((?!(<IP_ADDRESS>)).)*$}

Example: ${^((?!(100\.100\.10\.10|10\.100\.10\.11)).)*$}

Explanation:
  1. ${}: Site24x7 pattern to configure regex.
  2. ^: Start of the string.
  3. (?!.*100\.100\.10\.10): Negative lookahead; ensures this specific IP does not appear anywhere in the string.
  4. .*: Matches any remaining characters.
This regex pattern alerts you only if either the IP 100.100.10.10 or 10.100.10.11 appears in the DNS response.

Scenario 3: Notify when any new IP address is added
Use this setting when you want to receive an alert if an unauthorized IP address is detected. Consider the below example:

Regex pattern: ${^(<IP_ADDRESS>)$}

Example: ${^(100\.100\.10\.10|100\.100\.10\.11)$}

Explanation:
  1. ^: Start of the string.
  2. (100\.100\.10\.11): Ensures this specific IP is available for your domain.
If the response deviates from the defined pattern—such as when a new IP address (e.g., xxx.xx.xx.xx) is added—it won’t match, triggering an alert.
Keep the regex updated whenever your authorized IPs change.

How to set the regex pattern

  1. In Site24x7, navigate to Admin > Inventory > Monitors > Add Monitor > DNS Server.
  2. Enter your domain details.
  3. In the Answer Validation section, using the Address box, enter your regex based on your expected IP pattern.
  4. Click Save.
When any IP change is detected—including the addition, removal, or modification of IP addresses—you’ll receive an alert based on your settings.

By utilizing regex in Site24x7's DNS Answer Validation feature, you gain a powerful and efficient way to monitor changes in your domain's IP addresses, ensuring the reliability and security of your online presence. 

    • Related Articles

    • No data for service and process in Windows server monitor

      If you see "No Data" for process and service metrics (such as CPU or memory usage of monitored services) in the Site24x7 Windows server monitor user interface, follow the troubleshooting steps below. Run PowerShell Commands Open PowerShell as ...

    • How do I check if URL redirection works correctly using the Website Monitor?

      A webpage can be made available from more than a single web address using URL redirection. Most redirects are automated and it becomes difficult to track if the redirection works in a specific way. This can be verified using website monitoring in ...

    • Validating sender email using DKIM authentication

      What is DKIM? DomainKeys Identified Mail (DKIM) is an advanced authentication method used widely by email service providers to verify the email from the point of its origin by validating the email sender. It allows the email senders to authenticate ...

    • Monitor database issues for OpenCart or Joomla websites

      Database issues for websites developed using OpenCart or Joomla can be identified by enabling a Content Match. Configure your website response such that a particular text is always present during all success responses and absent during all error ...

    • Executables and scripts to allow for Windows server monitoring

      One of the reasons you could not enable Site24x7 server monitoring could be your organization's group policy denying access to the executables, scripts, and batch files associated with Site24x7 server monitoring. Mark the following executables, ...