Troubleshooting

Solutions to common problems with DNS Watchdog — provider connections, missing zones, scan failures, and more.

Provider credentials rejected

Symptoms: Provider status shows "Error" with a message about invalid credentials or access denied.

Solutions:

Verify the credentials haven't expired or been rotated
Check that the IAM user/service account has the required permissions (see Provider Setup Guides)
For AWS Route 53, ensure the access key is active in the IAM console
For Cloudflare, verify the API token hasn't been revoked
For Azure DNS, check the service principal's client secret hasn't expired
For Google Cloud DNS, ensure the service account key is still valid

To update credentials, go to Settings → Providers, select the provider, and enter new credentials.

Symptoms: Provider shows "Active" status but no zones are listed.

Solutions:

Wait 1–2 minutes — zone discovery runs asynchronously after the provider is connected
Check the provider's zone count on the Providers page
Verify the credentials have permission to list zones (not just read records)
For Route 53, ensure the IAM policy includes route53:ListHostedZones
For Cloudflare, ensure the token has Zone:Read permission for the correct zones
Try triggering a manual resync from the Providers page

Symptoms: Records show "pending" scan status for an extended period.

Solutions:

Daily scans process records in batches — large inventories may take several hours to complete
Check the Scan History page for any failed scans
Individual record rescans can be triggered manually from the Records page
If scans consistently fail for specific records, the target host may be blocking connections

Symptoms: Archive or restore operations show errors.

Solutions:

Verify the provider connection is read-write (not read-only)
Check the provider status is "Active" — operations cannot proceed if the provider is in error state
Review the Modification Log for detailed error messages
For CSC providers, multilocked zones require a phone call to CSC to unlock before changes can be made
Ensure the DNS record still exists at the provider (for archive) or doesn't already exist (for restore)

Issue severity is determined by the type of risk:

Critical — active security risks that could be exploited (expired certificates, dangling subdomains, exposed databases)
Warning — potential risks that should be reviewed but aren't immediately exploitable
Info — informational findings for awareness

See the individual issue pages for detailed explanations of why each issue type is flagged at its severity level.

Generate new credentials at your DNS provider (see Provider Setup Guides for the required permissions)
Go to Settings → Providers in DNS Watchdog
Select the provider and update the credentials
DNS Watchdog validates the new credentials immediately
Revoke the old credentials at your DNS provider

Solutions:

Check the channel status on Settings → Notifications — channels in "Error" state have failed 3+ consecutive deliveries
For Slack, verify the webhook URL hasn't been revoked in your Slack workspace settings
For Teams, check the incoming webhook connector is still active
For custom webhooks, ensure your endpoint returns a 2xx status code
Send a Test notification to verify the channel is working
Check that the scan actually detected changes — notifications are only sent when changes are found

If you're experiencing an issue not covered here, contact support at support@dnswatchdog.io.