DNS & TLS verification · drift monitoring

Ship customer domains that actually resolve.

Define the DNS a customer should have. DNSconfig checks it against live records worldwide, watches their TLS certificates for expiry and misconfiguration, and hands each customer a link that shows exactly what to fix — no login, no ticket.

Multi-resolver quorum EU-hosted Re-checks on a schedule
verify · acme.example 1 failing · 1 expiring
Aacme.example ✓ verified
CNAMEwww.acme.example ✗ wrong value
expectededge.dnsconfig.net
currentold.legacy-cdn.net

Point the CNAME for www.acme.example to edge.dnsconfig.net.

TLSwww.acme.example ⚠ expires in 9 days
certvalid · Let's Encrypt

Renew the certificate before 2026-08-01.

Checked from Google · Cloudflare · Quad9 · OpenDNS Auto-pull from Cloudflare · Fastly · SendGrid · Mailgun · ACM One-click setup via Domain Connect

The problem

Broken DNS is a silent churn machine.

Custom domains, email deliverability, SSL, CDN — all of it hinges on DNS your customer controls. When a record is missing or wrong, things break quietly and the ticket lands on you. DNSconfig turns “is my DNS right?” into a question that answers itself.

Features

Get DNS & TLS right — and keep it right.

Live multi-resolver checks

Every record is resolved by multiple independent resolvers and decided by quorum, so still-propagating DNS never reads as a false failure.

SSL/TLS certificate monitoring

We probe every HTTPS endpoint's certificate — expiry, hostname match, trusted chain, protocol — and warn you well before a cert lapses.

Self-serve fix links

Send a signed link — no account needed. Customers see expected vs. current values with a clear diff and know precisely what to change.

Drift alerts

The moment a passing record breaks, get alerted by email, Slack, or webhook — with thresholds so you’re never paged on a single flap.

Auto-pull expected records

Connect Cloudflare, Fastly, SendGrid, Mailgun, or ACM and let the expected records sync themselves — no list to hand-maintain.

One-click setup

Where supported, Domain Connect applies the right records at the customer’s DNS provider in a single click.

Multi-tenant & API-first

Hard per-tenant isolation, API keys, usage tiers, a health dashboard, and status badges. Built to sit inside your platform.

How it works

Three steps to DNS you can trust.

step 1

Define the expected records

Add the records a customer should have — or auto-pull them from a connected vendor.

step 2

Share a link or call the API

Hand the customer a signed verify link, or drive it from your own onboarding flow.

step 3

Monitor & get alerted

DNSconfig keeps checking on a schedule and alerts you the instant a record drifts.

Pricing

Start free. Scale as you grow.

Priced per monitored customer. Every plan includes multi-resolver verification and self-serve fix links.

Starter

€29 /mo

  • Up to 25 customers
  • Hourly re-checks
  • Email drift alerts
  • Self-serve fix links
Start free
MOST POPULAR

Pro

€99 /mo

  • Up to 250 customers
  • Re-checks every 15 min
  • Vendor auto-pull & full API
  • Slack & webhook alerts
Start free

Scale

Custom

  • Unlimited customers
  • Custom check frequency & limits
  • SSO & priority support
  • Onboarding help
Talk to us

FAQ

Frequently asked

Do my customers need an account?

No. Each customer gets a signed, single-purpose link showing their DNS status and what to fix — no sign-up, no password.

What is “DNS drift”?

A record that was correct but later changed or vanished — a zone edit, a provider reset, a migration gone sideways. DNSconfig re-checks on a schedule and alerts you the moment a passing record breaks.

Which providers do you support?

Verification works against any public DNS. On top of that we auto-pull expected records from Cloudflare, Fastly, SendGrid, Mailgun, and ACM, and apply records in one click where Domain Connect is supported.

How is verification actually done?

Each record is resolved by multiple independent resolvers and decided by quorum, so still-propagating DNS is reported as “propagating” rather than a false failure.

Do you check SSL/TLS certificates too?

Yes. For each of a customer's HTTPS hostnames we connect and inspect the certificate — is it valid, does it match the hostname, is the chain trusted, and how many days until it expires? You get a warning well before a certificate lapses, alongside the same expected-vs-observed fix detail we give for DNS.

Where is data hosted?

DNSconfig runs in the EU (europe-west1). We ask for your consent before setting any analytics cookies.

Turn “is my DNS right?” into a question that answers itself.

Start free