DNS Nameserver Changed — Possible Unauthorized Modification

TL;DR: Your domain's nameservers have changed, which could indicate a DNS hijacking attempt or unauthorized hosting migration.

Nameserver changes control where your domain's traffic is routed. An unauthorized change means someone can intercept all your traffic, email, and subdomains. If you didn't initiate this change, investigate immediately — check your domain registrar account for unauthorized access. Legitimate causes include hosting migrations or CDN changes.

What Scavo checks (plain English)

Scavo resolves NS records for the scanned domain and compares the set against prior state.

Current logic:

• Warning: domain cannot be determined
• Warning: NS records unavailable
• Info: first successful run stores baseline
• Warning: nameserver set changed
• Pass: nameserver set unchanged

How Scavo scores this check

Scavo assigns one result state for this check on the tested page:

• Pass: baseline signals for this check were found.
• Warning: partial coverage or risk signals were found and should be reviewed.
• Fail: required signals were missing or risky behavior was confirmed.
• Info: Scavo could not gather enough reliable evidence on this run to score pass/fail confidently.

In your scan report, this appears under What failed / What needs attention / What is working for nameserver_change, followed by Recommended next steps and Technical evidence (for developers) when needed.

• Scan key: nameserver_change
• Category: TECHNICAL

Why fixing this matters

Nameserver changes are high-impact: they change who controls DNS answers for your domain. Unexpected changes can signal operational mistakes or account security issues.

If you are not technical

1. Confirm whether the delegation change was planned.
2. If not planned, escalate urgently.
3. Ask for registrar log evidence and approved baseline values.
4. Re-run Scavo after remediation.

Scavo flagged Nameserver monitoring (nameserver_change). Please verify current NS delegation against approved registrar baseline, investigate unexpected changes, and confirm DNS authority remains with intended providers.

If you are technical

1. Verify registrar delegation state against internal source-of-truth.
2. Confirm new nameservers are intentional and fully propagated.
3. Investigate unauthorized changes and rotate credentials if needed.
4. Enforce registrar MFA and least-privilege access.

How to verify

• Query NS records via multiple resolvers.
• Validate registrar panel matches intended delegation.
• Confirm zone answers and critical services are stable.
• Re-run Scavo and confirm stable pass.

What this scan cannot confirm

• It does not validate the full correctness of all zone records.
• It cannot determine whether change intent was approved.
• Propagation windows can temporarily show mixed resolver outputs.

Owner checklist

• [ ] Assign owner for registrar and DNS delegation governance.
• [ ] Maintain approved NS baseline in runbooks.
• [ ] Enable audit logs and MFA on registrar accounts.
• [ ] Add incident procedure for unexpected delegation changes.

FAQ

Why is first run info?

Because the first run establishes baseline delegation for future comparisons.

Can planned migrations trigger warnings?

Yes. Warnings indicate detected change, not whether it was authorized.

Is this the same as A-record monitoring?

No. A-record checks monitor destination IPs; NS checks monitor delegation authority.

How urgent is an unexpected NS change?

Usually high priority, because it can affect all DNS-controlled services.

Sources

• RFC 1034: Domain concepts
• RFC 1035: DNS specification
• ICANN EPP status codes

Need a registrar hardening checklist for your ops team? Send support your registrar and DNS provider setup.