The Silent Outage Playbook: Domain Expiry, Nameserver Drift, and DNS A-Record Changes

How to prevent non-code outages caused by missed renewals and DNS control-plane drift.

A surprising number of high-severity incidents are not caused by code. They come from operational drift:

  • domain renewals missed,
  • nameserver changes no one approved,
  • A-record changes with no change ticket.

The good news is these are preventable with simple controls and ownership.

1) Domain expiry: treat as critical infrastructure

A domain expiry event is not "just billing." It is a service-availability incident.

Minimum controls:

  • Auto-renew enabled
  • Valid payment method
  • Multiple renewal contacts (not one person)
  • Quarterly registrar access review

2) Nameserver changes: treat as control-plane events

Nameserver changes reroute DNS authority. That should always be intentional, approved, and auditable.

Minimum controls:

  • MFA on registrar account
  • Least-privilege access
  • Change approval process for NS updates
  • Baseline record of approved nameserver set

3) A-record changes: treat as origin routing events

A-record changes can be valid during migrations, but surprise changes should trigger immediate review.

Minimum controls:

  • Document approved target IPs
  • Log every DNS change with timestamp + owner
  • Validate propagation after planned changes

[Figure: Control-plane drift defense model covering domain expiry, nameserver changes, and A-record incident response.]

Incident response pattern

When drift is detected:

  1. Confirm whether the change was planned.
  2. If not planned, treat it as a security and availability incident.
  3. Roll back to approved baseline where safe.
  4. Rotate credentials and audit access scope.
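
One way to automate steps 1 and 2 against the NS and A-record baselines from sections 2 and 3, as an added example that is not part of the original article and is not Scavo's code. The baseline values, the 30-day renewal window, the status labels and the approved_changes ticket set are assumptions for illustration; observed records are passed in so the check runs offline.

```python
from datetime import date
from ipaddress import ip_address

# Constructed baseline (hypothetical nameservers, documentation IPs, assumed 30-day window).
BASELINE = {
    "example.com": {
        "ns": {"ns1.dns-provider.example", "ns2.dns-provider.example"},
        "a": {"192.0.2.10", "192.0.2.11"},
        "min_days_to_expiry": 30,
    }
}

# Constructed observation, as a resolver and registrar lookup might report it.
SAMPLE_OBSERVED = {
    "ns": ["NS1.dns-provider.example.", "ns9.other-host.example."],
    "a": ["192.0.2.10", "192.0.2.11"],
    "expires": date(2026, 3, 1),
}

def _host(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.strip().rstrip(".").lower()

def check_drift(domain, observed, today, approved_changes=frozenset()):
    """Return (control, status, detail) findings for one domain.
    approved_changes: (domain, control) pairs that have an approved ticket."""
    base, findings = BASELINE[domain], []
    seen = {
        "ns": {_host(n) for n in observed["ns"]},
        "a": {str(ip_address(a.strip())) for a in observed["a"]},
    }
    for control in ("ns", "a"):
        added, missing = seen[control] - base[control], base[control] - seen[control]
        if added or missing:
            # Planned changes still need validation; unplanned ones are incidents.
            planned = (domain, control) in approved_changes
            status = "validate-planned-change" if planned else "incident"
            detail = f"unexpected={sorted(added)} missing={sorted(missing)}"
            findings.append((control, status, detail))
    days_left = (observed["expires"] - today).days
    if days_left < base["min_days_to_expiry"]:
        status = "incident" if days_left < 0 else "renewal-due"
        findings.append(("expiry", status, f"{days_left} days until expiry"))
    return findings

if __name__ == "__main__":
    for finding in check_drift("example.com", SAMPLE_OBSERVED, date(2026, 2, 15)):
        print(finding)
```

Comparing normalized sets rather than raw strings keeps a trailing dot or uppercase hostname from raising a false drift alert, while a swapped nameserver still shows up as both an unexpected and a missing entry.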

Owner checklist

  • [ ] Registrar, DNS, and incident contacts are current and shared (not single-owner only).
  • [ ] NS and A-record baselines are documented and versioned.
  • [ ] Any DNS/registrar change requires approval and post-change validation.
  • [ ] Quarterly resilience review includes domain and DNS controls.

Where Scavo helps

Scavo monitors domain expiry windows, nameserver changes, and A-record drift so teams can catch control-plane problems before they become outages.

These checks are especially valuable because they cover risks normal app-level tests never see.

What to do next in Scavo

  1. Run a fresh scan on your main domain.
  2. Open the matching help guide in /help, assign an owner, and ship the smallest safe fix.
  3. Re-scan after deployment and confirm the trend is moving in the right direction.
