DNS monitoring across 20+ record types, with DNSSEC validation

DNS monitoring is the practice of checking your domain's DNS records on a schedule and alerting you when something changes unexpectedly. Those records include A, AAAA, MX, CNAME, TXT, CAA, NS, and SOA, along with DNSSEC validation and email authentication like SPF, DMARC, and BIMI. WebPixie runs these checks daily from multiple resolvers across 20+ record types, so an edited record or a broken DNSSEC chain shows up with the old and new value, instead of a silent change you discover later. It works alongside domain monitoring and uptime monitoring in one workspace, and you can start on the free plan with the limits on the pricing page.

WebPixie monitors more than 20 DNS record types, grouped by what they control. Name resolution covers A, AAAA, CNAME, NS, and SOA; email authentication covers MX, SPF, DMARC, and BIMI; certificate authority restrictions use CAA; and DNS security covers the DNSSEC records DNSKEY, DS, CDNSKEY, and CDS. General purpose records like TXT, PTR, and SRV are included too. Each type is checked daily, and a changed value is flagged with its old and new value. This is the same data that feeds DNS monitoring alerts and your DNS sub-score, and it works next to SSL monitoring and domain monitoring in one workspace.

WebPixie queries every monitored DNS record daily from multiple resolvers, then compares each response to the previous one. When a response changes, WebPixie flags it with the previous value, the new value, the record type, the detection timestamp, and the resolver path that saw the change. Querying several resolvers also separates a real change from propagation lag, because a value that differs on only one resolver is usually still propagating rather than newly broken. That context helps you tell an authorized update from your team apart from an unexpected modification worth investigating. DNS changes are tracked separately from incident records and sit next to uptime monitoring in the same workspace.

Yes. WebPixie validates the full DNSSEC chain on every daily check, covering the DNSKEY records, the DS records in the parent zone, the RRSIG signatures, and the NSEC negative-response records. The result is reported as secure, insecure, bogus, or indeterminate, so you can tell a correctly signed zone from an unsigned one or a broken one. This matters because when DNSSEC breaks, validating resolvers refuse to return the record at all, and the domain goes dark for users on those resolvers. The daily check flags a bogus chain so you can fix it quickly instead of waiting for user reports. DNSSEC checks run on every plan, including the free one on the pricing page, and are part of DNS monitoring.

No. WebPixie monitors DNS records; it does not host them. Your records stay wherever you run them today, whether that is Cloudflare, AWS Route 53, NS1, your registrar, or another provider, and you keep managing them there. WebPixie adds an independent daily check from multiple resolvers, so when a record changes or a DNSSEC chain breaks, you see it with the old and new value without moving anything. Keeping hosting and monitoring separate is deliberate, because an outside observer can flag a misconfiguration that the system serving the records would not catch on its own. To see what is tracked, visit DNS monitoring; it pairs with domain monitoring for the registration layer, and you can start on the free plan on the pricing page.