The NS Record: Who controls the nameservers, controls everything

No other DNS record gives as much power over your entire domain as the NS record.

What is an NS record?

The NS record (Name Server Record) defines which nameservers are authoritative for a domain. When someone resolves your domain, the DNS system first asks the root servers, then the TLD servers – and those point to the nameservers listed in your NS record.

Simply put: The NS record is the answer to the question "Who is responsible for this domain?"

Why is it so critical?

Because the NS record sits hierarchically above all other records. Whoever controls the nameservers, controls:

• All A/AAAA records (where your traffic flows)
• All MX records (where your emails go)
• All TXT records (SPF, DKIM, domain verifications)
• All CNAME records (service mappings)
• All CAA records (who may issue certificates)

A compromised NS record isn't a single attack. It's the takeover of your entire domain identity.

What does an attack look like?

Scenario: An attacker gains access to your domain registrar – through a compromised API key, a weak password, or social engineering the support team.

They change the NS records of your domain. From now on, they point to nameservers under the attacker's control. What happens?

The attacker can now serve arbitrary DNS responses for your domain. They redirect your web traffic to their servers. They receive your emails. They can even issue valid TLS certificates for your domain – because they can easily pass the DNS challenge for Let's Encrypt.

And here's the insidious part: Your actual infrastructure keeps running. Your servers are online. Your monitoring tools report "all green" – because they resolve names from inside your own infrastructure and get the correct IPs. Only the rest of the world sees something different.

Why traditional monitoring fails

Most monitoring tools check: Is my server reachable? Does it respond correctly? Is the certificate valid?

But they don't check: Does my NS record still point to the correct nameservers? And that's exactly the gap.

An NS record attack is invisible to anything that only monitors its own infrastructure. You need an external perspective – someone checking from the outside whether the DNS delegation is still correct.

Real incidents

NS record manipulations aren't theoretical. In 2019, US-CERT documented a campaign (DNSpionage) where state actors specifically changed NS records of government and enterprise domains. The attackers redirected traffic, intercepted credentials, and issued valid certificates – all through manipulated nameserver delegations.

Smaller incidents happen regularly too: registrar accounts get compromised, support staff get deceived, API keys leak into Git repositories.

What Driftguard detects

Driftguard captures your NS records as a baseline on the first scan. From then on, every check verifies: Do the NS records still point to the same nameservers?

If something changes – whether through a planned provider migration or an attack – the deviation is immediately detected and documented. You decide: Acknowledge (because you switched providers) or act (because you didn't).

Because NS records almost never change. And when they do, you should know.
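A minimal version of that external check, as an added example that is not Driftguard's code: it compares the delegation observed now against a recorded baseline, treating case, order and trailing-dot differences as noise rather than drift. The optional live lookup assumes dnspython is installed and deliberately asks the parent zone's servers instead of the local resolver, since nameservers under someone else's control will answer with whatever NS set they like.

```python
"""Detect drift in a domain's NS delegation against a recorded baseline.

Added example, not Driftguard's code. The comparison uses only the standard
library; lookup_delegation() assumes the third-party dnspython package.
"""
from dataclasses import dataclass


def normalize_ns(names):
    """Canonicalise nameserver hostnames: DNS names are case-insensitive and a
    trailing dot only marks the root, so 'NS1.Example.NET.' == 'ns1.example.net'."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())


@dataclass(frozen=True)
class NsDrift:
    added: frozenset    # nameservers present now but not in the baseline
    removed: frozenset  # nameservers in the baseline that have vanished

    @property
    def changed(self):
        return bool(self.added or self.removed)


def compare_ns(baseline, observed):
    """Return the set difference between the baseline and the observed
    delegation. Reordering or re-casing is not drift; any added or missing
    nameserver is, and the operator decides whether to acknowledge or act."""
    base, now = normalize_ns(baseline), normalize_ns(observed)
    return NsDrift(added=now - base, removed=base - now)


def lookup_delegation(domain, timeout=5.0):
    """Fetch the NS set the *parent* zone (e.g. the TLD) delegates to.
    A referral carries the delegation in the authority section, which is the
    record an attacker with registrar access would have rewritten."""
    import dns.message, dns.name, dns.query, dns.rdatatype, dns.resolver
    name = dns.name.from_text(domain)
    parent = dns.resolver.zone_for_name(name.parent())
    parent_ns = dns.resolver.resolve(parent, "NS")[0].target
    parent_ip = dns.resolver.resolve(parent_ns, "A")[0].address
    resp = dns.query.udp(dns.message.make_query(name, "NS"), parent_ip, timeout=timeout)
    sections = resp.authority or resp.answer
    return [rr.target.to_text() for rrset in sections
            if rrset.rdtype == dns.rdatatype.NS for rr in rrset]


if __name__ == "__main__":
    # Constructed baseline and observation, standing in for a first scan and a later check.
    baseline = ["ns1.example.net.", "ns2.example.net."]
    drift = compare_ns(baseline, ["NS2.Example.Net", "ns1.example.net", "ns9.other-provider.example"])
    print("drift detected" if drift.changed else "delegation unchanged", drift)
```

Run periodically from a host outside your own infrastructure and alert whenever `compare_ns(...).changed` is true.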