Notifications
Configure notification channels to receive alerts when DNS Watchdog detects changes during scans.
DNS Watchdog sends notifications when scans detect changes to your DNS infrastructure — new records, deleted records, modified values, new security issues, and resolved issues. You can configure multiple notification channels so the right people are alerted through the right medium.
Supported channels
| Channel | Format | Configuration |
|---|---|---|
| HTML email with plain-text fallback | Recipient email address | |
| Slack | Block Kit formatted message | Slack Incoming Webhook URL |
| Microsoft Teams | Adaptive Card | Teams Incoming Webhook URL |
| Custom Webhook | Structured JSON payload | Any HTTPS endpoint URL |
You can configure multiple instances of each channel type — for example, send critical alerts to a Slack channel and a detailed summary to an email distribution list.
When notifications are sent
Notifications are triggered when a scan completes and changes have been detected. The following scan types trigger notifications:
| Scan Type | Trigger |
|---|---|
| Daily scan | Automated daily scheduled scan |
| Provider scan | Manual re-sync of a provider's zones and records |
| Zone scan | Manual re-sync of a specific zone's records |
| Record rescan | Manual rescan of specific records |
Notifications are suppressed during a provider's initial sync — the first time you connect a provider, all discovered zones and records are treated as baseline data rather than changes.
What's included in a notification
Every notification contains:
- Scan details — scan type, start/end time, who initiated it (user or system)
- Summary counts — number of changes grouped by category
- Top changes — the most security-relevant changes, prioritised with issues first
- Changelog link — direct link to the full changelog in DNS Watchdog
Change categories
Changes are grouped into the following categories:
| Category | Description |
|---|---|
| Issues Detected | New security issues found during the scan |
| Issues Resolved | Previously open issues that are no longer present |
| Records Added | New DNS records discovered |
| Records Changed | Existing records with modified values (includes field-level diffs) |
| Records Deleted | Records that were removed or archived |
| Zones Added | New zones discovered from a provider |
| Zones Deleted | Zones that are no longer present at the provider |
Changes are sorted by security relevance — issues are shown first, followed by deletions, then additions and modifications.
Setting up a channel
Navigate to Settings → Notifications to manage your notification channels.
- Click Add Channel and select Email
- Enter a label (e.g. "Security Team")
- Enter the recipient email address in the configuration
- Click Save
Email notifications are sent via Amazon SES and include both HTML and plain-text versions. The HTML version includes formatted tables showing before/after values for changed records.
Slack
- Create an Incoming Webhook in your Slack workspace
- Click Add Channel and select Slack
- Enter a label (e.g. "#dns-alerts")
- Paste the Slack webhook URL (must start with
https://hooks.slack.com/) - Click Save
Slack notifications use Block Kit formatting with structured layouts for scan summaries and change tables.
Microsoft Teams
- Create an Incoming Webhook connector in your Teams channel
- Click Add Channel and select Teams
- Enter a label (e.g. "DNS Monitoring")
- Paste the Teams webhook URL (must start with
https://*.webhook.office.com/) - Click Save
Teams notifications use Adaptive Card formatting with column-based layouts for change details.
Custom Webhook
- Click Add Channel and select Webhook
- Enter a label (e.g. "PagerDuty Integration")
- Paste your HTTPS endpoint URL
- Click Save
The webhook receives a structured JSON payload on every scan completion. See Webhook Payload below for the full schema.
Testing a channel
After creating a channel, click the Test button to send a test notification. This verifies that the endpoint is reachable and correctly configured.
The test payload for webhooks looks like:
{
"event": "test",
"message": "This is a test notification from DNS Watchdog. If you receive this, your webhook is configured correctly.",
"settings_url": "https://app.dnswatchdog.io/settings/notifications",
"source": "dns-watchdog"
}Channel status
Each channel tracks its connection status:
| Status | Meaning |
|---|---|
| Active | Channel is working normally |
| Disconnected | Channel has been disabled |
| Error | Channel has failed 3 or more consecutive deliveries |
When a channel enters the Error state after 3 consecutive failures, it remains enabled but is flagged for attention. Fix the underlying issue (e.g. expired webhook URL, invalid email) and send a test notification to reset the status.
Failures in one channel never block delivery to other channels — each channel is isolated.
Webhook payload
Custom webhooks receive a POST request with a JSON body on every scan that detects changes. The payload includes the same information delivered to email, Slack, and Teams channels.
Scan summary payload
{
"event": "scan_summary",
"source": "dns-watchdog",
"scan_type": "daily_scan",
"scope_id": "org_abc123",
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"total_changes": 7,
"scan_start_time": "2026-04-28T02:00:00+00:00",
"scan_end_time": "2026-04-28T02:15:30+00:00",
"initiated_by": "System",
"initiated_by_email": null,
"counts_by_group": {
"issues_detected": 2,
"issues_resolved": 1,
"records_added": 3,
"records_changed": 1
},
"changes": [
{
"change_type": "issue_detected",
"entity_type": "record",
"entity_name": "staging.example.com",
"zone_name": "example.com",
"record_type": "A",
"hostname": "staging",
"ttl": 300,
"value": "203.0.113.50",
"field_changes": []
},
{
"change_type": "record_changed",
"entity_type": "record",
"entity_name": "www.example.com",
"zone_name": "example.com",
"record_type": "A",
"hostname": "www",
"ttl": 300,
"value": "198.51.100.10",
"field_changes": [
{
"field_name": "value",
"old_value": "198.51.100.5",
"new_value": "198.51.100.10"
},
{
"field_name": "ttl",
"old_value": "3600",
"new_value": "300"
}
]
},
{
"change_type": "record_detected",
"entity_type": "record",
"entity_name": "api.example.com",
"zone_name": "example.com",
"record_type": "CNAME",
"hostname": "api",
"ttl": 300,
"value": "lb.example.com",
"field_changes": []
}
],
"changelog_url": "https://app.dnswatchdog.io/audit/changes?scan_id=550e8400-e29b-41d4-a716-446655440000"
}Top-level fields
| Field | Type | Description |
|---|---|---|
event | string | Always "scan_summary" for scan notifications, "test" for test pings |
source | string | Always "dns-watchdog" |
scan_type | string | One of: daily_scan, manual_resync, zone_scan, record_rescan |
scope_id | string | Your organisation's tenant ID |
scan_id | string | Unique identifier for this scan |
total_changes | integer | Total number of changes detected across all categories |
scan_start_time | string | ISO 8601 timestamp when the scan started |
scan_end_time | string | ISO 8601 timestamp when the scan completed |
initiated_by | string | null | Name of the user who triggered the scan, or "System" for automated scans |
initiated_by_email | string | null | Email of the user who triggered the scan |
counts_by_group | object | Change counts keyed by category (see Change categories) |
changes | array | Up to 50 individual changes, prioritised by security relevance |
changelog_url | string | Direct link to the full changelog in DNS Watchdog |
Change object fields
Each entry in the changes array has the following structure:
| Field | Type | Description |
|---|---|---|
change_type | string | Type of change (see table below) |
entity_type | string | "zone" or "record" |
entity_name | string | FQDN or zone name of the changed entity |
zone_name | string | null | Zone the entity belongs to |
record_type | string | null | DNS record type (A, AAAA, CNAME, MX, TXT, etc.) — null for zone changes |
hostname | string | null | Record hostname within the zone |
ttl | integer | null | Record TTL in seconds |
value | string | null | Record value (IP address, hostname, text content) |
field_changes | array | Field-level diffs — only populated for record_changed events |
Change types
| Value | Description |
|---|---|
issue_detected | A new security issue was found |
issue_resolved | A previously open issue is no longer present |
record_detected | A new DNS record was discovered |
record_changed | An existing record's value, TTL, or other fields were modified |
record_deleted | A record was removed or archived |
zone_detected | A new zone was discovered from a provider |
zone_removed | A zone is no longer present at the provider |
Field change object
For record_changed events, the field_changes array contains before/after diffs:
| Field | Type | Description |
|---|---|---|
field_name | string | Name of the changed field (e.g. value, ttl, name) |
old_value | string | null | Previous value |
new_value | string | null | New value |
Scanner metadata fields (port scan results, ISP data, HTTP status, etc.) are excluded from field-level diffs — only user-visible DNS record fields are included.
Managing channels
Enabling and disabling
You can enable or disable a channel without deleting it. Disabled channels skip delivery but retain their configuration.
Deleting a channel
Deleting a channel removes it permanently. The webhook URL or email address is also removed from secure storage.
Admin access required
Creating, updating, and deleting notification channels requires admin permissions within your organisation.