DNS Monitor
Complete guide to VistoShield DNS Monitor — DNS health checks, change detection, SSL monitoring, email security validation, and configuration.
Overview
DNS Monitor continuously audits your domain’s DNS configuration and SSL certificates to catch misconfigurations, unauthorized changes, and expiring certificates before they cause downtime or security incidents.
The plugin performs 9 categories of DNS checks, monitors your SSL certificate expiry, and detects any changes to your DNS records over time. Everything is implemented in pure PHP using native functions like dns_get_record(), checkdnsrr(), and stream_socket_client() — no exec() or shell commands are required, so it works on shared hosting with restricted environments.
Why DNS health matters:
- Email deliverability — Missing or misconfigured SPF, DKIM, or DMARC records cause emails to land in spam or get rejected entirely.
- Security — Unauthorized DNS changes can redirect your traffic to attacker-controlled servers.
- Availability — Expired SSL certificates, missing nameservers, or incorrect A records cause immediate downtime.
- Trust — DNSSEC, CAA, and proper HSTS configuration build trust with browsers and visitors.
Installation & Setup
- Install the plugin — Install from the WordPress plugin directory by searching for “VistoShield DNS Monitor”, or upload the ZIP file via Plugins → Add New → Upload Plugin.
- Activate — Activate the plugin from the Plugins screen. The database tables are created automatically on activation.
- Navigate to the dashboard — Go to VistoShield → DNS Monitor in the WordPress admin menu.
- Run your first check — Click the “Run Check Now” button. The plugin will perform all 9 DNS checks and the SSL certificate check, then display your DNS Health Score.
- Configure DKIM selector — If you use a custom DKIM selector (anything other than default), go to Settings and enter your selector name so the DKIM check queries the correct record.
Dashboard
The dashboard provides a real-time overview of your domain’s DNS health:
DNS Health Score
The score is a weighted value from 0 to 100 based on the results of all 9 DNS check categories. Each category contributes a percentage of the total score based on its importance (see Scoring System below). A passing check earns 100% of its weight, a warning earns 50%, and a failure earns 0%.
Stats Cards
| Card | Description |
|---|---|
| DNS Score | Current health score out of 100, colour-coded green (≥80), orange (50–79), or red (<50) |
| SSL Days | Days remaining until your SSL certificate expires |
| Checks Run | Total number of DNS checks performed since installation |
| Changes | Number of DNS record changes detected |
Check Results
Each of the 9 categories displays a status indicator:
- Pass (green) — The check passed all validations.
- Warning (orange) — The configuration works but has room for improvement.
- Fail (red) — A critical misconfiguration was found that needs attention.
- N/A (grey) — The check could not be performed (e.g., DNS record type blocked by the host).
Recent Changes Feed
Below the check results, a chronological feed shows recent DNS record changes with old and new values, making it easy to spot unauthorized modifications.
DNS Checks Explained
DNS Monitor performs 9 categories of checks. Each is described below with what is checked and what each status means.
1. Nameservers (NS)
Verifies that your domain has at least 2 nameservers and that they resolve correctly.
| Status | Condition |
|---|---|
| Pass | 2 or more NS records found and all resolve to IP addresses |
| Warn | NS records exist but only 1 nameserver found (single point of failure) |
| Fail | No NS records found or nameservers do not resolve |
2. SOA (Start of Authority)
Checks the SOA record for RFC 1912 recommended values including serial format, refresh, retry, expire, and minimum TTL.
| Status | Condition |
|---|---|
| Pass | SOA record exists with reasonable refresh (1200–43200s), retry (180–900s), expire (1209600–2419200s), and minimum TTL (300–86400s) |
| Warn | SOA record exists but one or more values fall outside recommended ranges |
| Fail | No SOA record found |
3. MX (Mail Exchange)
Verifies that MX records exist and that the mail servers resolve, ensuring email delivery works.
| Status | Condition |
|---|---|
| Pass | One or more MX records found, all mail servers resolve to IP addresses |
| Warn | MX records exist but one or more mail servers fail to resolve |
| Fail | No MX records found — the domain cannot receive email |
4. SPF (Sender Policy Framework)
Validates the SPF TXT record, checking for common issues like exceeding the 10-lookup limit or using the dangerous +all mechanism.
| Status | Condition |
|---|---|
| Pass | Valid SPF record ending in -all (hardfail) and within the 10-lookup limit |
| Warn | SPF record uses ~all (softfail) instead of -all, or is close to the 10-lookup limit |
| Fail | No SPF record, uses +all (allows any server to send email as your domain), or exceeds 10 DNS lookups |
+all effectively disables SPF protection. Any mail server in the world can send email claiming to be from your domain.
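The following is an added example, not VistoShield code, showing how an SPF check along the lines of the table above can be written with the same native function the plugin relies on (dns_get_record() for TXT). The resolver is injected so the demo runs offline against constructed TXT records; dns_txt_resolver() is the live variant. The "close to the limit" threshold of 8 lookups is an assumption, as is the recursive counting through include: and redirect= (that part follows RFC 7208, which counts nested lookups against the same limit of 10). Requires PHP 7.4 or later for the arrow functions.

```php
<?php
// Added example (not VistoShield code). Evaluates an SPF record as the status
// table describes: +all or more than 10 lookups fails, ~all or a near-limit
// count warns, -all within the limit passes.

/** Live resolver using the same native function the plugin relies on. */
function dns_txt_resolver(string $name): array {
    $records = @dns_get_record($name, DNS_TXT) ?: [];
    return array_map(fn($r) => $r['txt'], $records);
}

/** Return the SPF TXT record for a domain, or null if none is published. */
function find_spf(string $domain, callable $resolve): ?string {
    foreach ($resolve($domain) as $txt) {
        if (preg_match('/^v=spf1(\s|$)/i', $txt)) {
            return $txt;
        }
    }
    return null;
}

/**
 * Count DNS-lookup terms (RFC 7208 section 4.6.4): include, a, mx, ptr,
 * exists and the redirect modifier each cost one lookup, and includes are
 * followed recursively because their lookups count against the same limit.
 */
function count_spf_lookups(string $domain, callable $resolve, int $depth = 0): int {
    if ($depth > 10) {            // guard against include loops
        return 11;
    }
    $spf = find_spf($domain, $resolve);
    if ($spf === null) {
        return 0;
    }
    $lookups = 0;
    foreach (preg_split('/\s+/', trim($spf)) as $term) {
        $term = ltrim($term, '+-~?');
        if (preg_match('/^(include|redirect)[:=](.+)$/i', $term, $m)) {
            $lookups += 1 + count_spf_lookups($m[2], $resolve, $depth + 1);
        } elseif (preg_match('/^(a|mx|ptr|exists)(?:[:\/]|$)/i', $term)) {
            $lookups += 1;
        }
    }
    return $lookups;
}

/** Map a record to pass/warn/fail per the status table. */
function evaluate_spf(string $domain, callable $resolve): array {
    $spf = find_spf($domain, $resolve);
    if ($spf === null) {
        return ['status' => 'fail', 'reason' => 'no SPF record'];
    }
    // A bare "all" is the same as "+all": every host on the internet passes.
    if (preg_match('/(^|\s)\+?all(\s|$)/i', $spf)) {
        return ['status' => 'fail', 'reason' => '+all lets any host send as this domain'];
    }
    $lookups = count_spf_lookups($domain, $resolve);
    if ($lookups > 10) {
        return ['status' => 'fail', 'reason' => "$lookups DNS lookups exceeds the limit of 10"];
    }
    if (preg_match('/(^|\s)~all$/i', $spf)) {
        return ['status' => 'warn', 'reason' => '~all (softfail) instead of -all'];
    }
    if ($lookups >= 8) {          // "close to the limit" threshold: an assumption
        return ['status' => 'warn', 'reason' => "$lookups of 10 lookups used"];
    }
    if (!preg_match('/(^|\s)-all$/i', $spf)) {
        return ['status' => 'warn', 'reason' => 'record does not end in -all'];
    }
    return ['status' => 'pass', 'reason' => "-all, $lookups lookups"];
}

// Constructed zone data for the offline demo (not real DNS answers).
$zone = [
    'example.com'          => ['v=spf1 mx include:_spf.mailer.example ~all', 'google-site-verification=abc'],
    '_spf.mailer.example'  => ['v=spf1 ip4:192.0.2.0/24 include:relay.mailer.example -all'],
    'relay.mailer.example' => ['v=spf1 a mx -all'],
    'open.example'         => ['v=spf1 +all'],
];
$resolve = fn(string $name): array => $zone[$name] ?? [];

print_r(evaluate_spf('example.com', $resolve));   // warn: ~all, 5 lookups (mx + include + include + a + mx)
print_r(evaluate_spf('open.example', $resolve));  // fail: +all
```

To run it against live DNS, pass 'dns_txt_resolver' as the resolver instead of the closure. Counting only the top-level record would miss most real-world limit violations, which accumulate inside third-party include chains.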
5. DKIM (DomainKeys Identified Mail)
Checks for a DKIM public key record at <selector>._domainkey.yourdomain.com. The default selector is default, but this can be configured in Settings.
| Status | Condition |
|---|---|
| Pass | DKIM TXT record found containing a valid public key (p= tag) |
| Warn | DKIM record found but appears incomplete or malformed |
| Fail | No DKIM record found for the configured selector |
Common selectors include default, google (Google Workspace), selector1 (Microsoft 365), and k1 (Mailchimp). Check your email provider’s documentation to find the correct selector.
6. DMARC (Domain-based Message Authentication)
Checks for a DMARC record at _dmarc.yourdomain.com and evaluates the policy level.
| Status | Condition |
|---|---|
| Pass | DMARC record with p=reject or p=quarantine |
| Warn | DMARC record exists but policy is p=none (monitoring only, does not enforce) |
| Fail | No DMARC record found |
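DKIM key records and DMARC records share the same tag=value syntax, so one parser serves both checks above. The block below is an added example, not VistoShield code: it parses constructed TXT strings (in the plugin they would come from dns_get_record() with DNS_TXT), maps DKIM and DMARC records to the statuses in the two tables, and also extracts the selector from a raw DKIM-Signature header, which is the quickest way to learn which selector to configure. The sample key bytes are placeholder base64, not a real key.

```php
<?php
// Added example (not VistoShield code). Tag=value parsing for DKIM (RFC 6376)
// and DMARC (RFC 7489) records, mapped to pass/warn/fail as described above.

/** Split "k=v; k2=v2" into an associative array (whitespace-tolerant). */
function parse_tags(string $record): array {
    $tags = [];
    foreach (explode(';', $record) as $part) {
        if (strpos($part, '=') === false) continue;
        [$k, $v] = explode('=', $part, 2);
        $tags[strtolower(trim($k))] = trim($v);
    }
    return $tags;
}

/** DKIM: the record must carry a non-empty p= tag (an empty p= means the key is revoked). */
function evaluate_dkim(?string $record): array {
    if ($record === null) {
        return ['status' => 'fail', 'reason' => 'no record at selector._domainkey'];
    }
    $t = parse_tags($record);
    if (isset($t['v']) && strtoupper($t['v']) !== 'DKIM1') {
        return ['status' => 'warn', 'reason' => 'unexpected v= tag ' . $t['v']];
    }
    if (!isset($t['p'])) {
        return ['status' => 'warn', 'reason' => 'no p= tag'];
    }
    $key = preg_replace('/\s+/', '', $t['p']);   // long keys are often split across strings
    if ($key === '') {
        return ['status' => 'warn', 'reason' => 'empty p= (key revoked)'];
    }
    if (base64_decode($key, true) === false) {
        return ['status' => 'warn', 'reason' => 'p= is not valid base64'];
    }
    return ['status' => 'pass', 'reason' => 'public key present (' . ($t['k'] ?? 'rsa') . ')'];
}

/** DMARC: pass on an enforcing policy, warn on p=none, fail when absent or invalid. */
function evaluate_dmarc(?string $record): array {
    if ($record === null || !preg_match('/^v=DMARC1\b/i', trim($record))) {
        return ['status' => 'fail', 'reason' => 'no DMARC record'];
    }
    $t = parse_tags($record);
    $policy = strtolower($t['p'] ?? '');
    if ($policy === 'reject' || $policy === 'quarantine') {
        return ['status' => 'pass', 'reason' => "p=$policy"];
    }
    if ($policy === 'none') {
        return ['status' => 'warn', 'reason' => 'p=none only monitors, nothing is enforced'];
    }
    return ['status' => 'fail', 'reason' => 'missing or invalid p= tag'];
}

/** Build the query name from the s= and d= tags of a raw DKIM-Signature header. */
function dkim_query_name(string $header): ?string {
    $t = parse_tags(preg_replace('/^DKIM-Signature:\s*/i', '', $header));
    if (empty($t['s']) || empty($t['d'])) return null;
    return $t['s'] . '._domainkey.' . $t['d'];
}

// Constructed sample records and header (placeholder values, not real keys or signatures).
$dkimRecord  = 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA';
$dmarcRecord = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com';
$header      = 'DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; h=from:to; bh=...; b=...';

echo dkim_query_name($header), "\n";            // selector1._domainkey.example.com
print_r(evaluate_dkim($dkimRecord));             // pass
print_r(evaluate_dkim('v=DKIM1; p='));           // warn: empty p= (key revoked)
print_r(evaluate_dmarc($dmarcRecord));           // warn: p=none
print_r(evaluate_dmarc(null));                   // fail
```

The empty-p= case is worth keeping in a monitor: providers publish it to revoke a key, and a domain that still signs with a revoked selector will fail DKIM everywhere while the record itself "exists".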
7. DNSSEC
Verifies that DNSSEC is enabled by querying for a signed response. DNS Monitor uses Google’s DNS-over-HTTPS API (dns.google/resolve) to check the Authenticated Data (AD) flag, which indicates a valid chain of trust from the root zone to your domain.
| Status | Condition |
|---|---|
| Pass | DNSSEC is enabled and the AD flag is set (chain of trust is valid) |
| Warn | DNSSEC appears partially configured (DS record exists but validation fails) |
| Fail | DNSSEC is not enabled — responses are not authenticated |
8. CAA (Certificate Authority Authorization)
Checks for CAA records that restrict which Certificate Authorities can issue certificates for your domain. This prevents unauthorized certificate issuance.
| Status | Condition |
|---|---|
| Pass | One or more CAA records found restricting certificate issuance |
| Warn | N/A (CAA is either present or not) |
| Fail | No CAA records — any CA can issue certificates for your domain |
9. Web Records (A/AAAA)
Verifies that A and/or AAAA records exist for the domain and checks TTL values.
| Status | Condition |
|---|---|
| Pass | A or AAAA records found with reasonable TTL values (300–86400s) |
| Warn | Records found but TTL is very low (<300s) or very high (>86400s) |
| Fail | No A or AAAA records found — the domain does not resolve |
SSL Certificate Monitoring
DNS Monitor connects to your domain over TLS and inspects the certificate to detect issues before they cause browser warnings or downtime.
What It Checks
- Issuer — The Certificate Authority that issued the certificate
- Expiry date — Days remaining until expiration
- Subject Alternative Names (SANs) — Verifies your domain is listed in the certificate
- Protocol version — Confirms TLS 1.2 or higher is supported
Alert Thresholds
| Days Remaining | Alert Level |
|---|---|
| > 30 days | No alert |
| 14–30 days | Warning — certificate is expiring soon |
| 7–14 days | Urgent warning — renew immediately |
| < 7 days | Critical — certificate is about to expire or already expired |
How It Works
SSL checks use PHP’s stream_socket_client() with an SSL context to connect to port 443 and extract certificate metadata. No exec() or openssl CLI calls are used, so it works on shared hosting with restricted PHP configurations.
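The block below is an added example, not VistoShield code, of the approach just described: stream_socket_client() with an SSL context that captures the peer certificate, openssl_x509_parse() for the metadata, and the alert thresholds from the table above. So that it runs offline, the demo signs a throwaway self-signed certificate in-process rather than connecting anywhere; fetch_live_cert() is the network path. Leaving verify_peer off in the live path is a deliberate choice for a monitor (an expired certificate must still be captured, and no data is sent on the socket); the TLS 1.3 constant needs PHP 7.4 or later.

```php
<?php
// Added example (not VistoShield code). Certificate inspection with native
// PHP stream and OpenSSL functions only: no exec() and no openssl CLI.

/** Capture the peer certificate from a live TLS handshake as PEM, or null on failure. */
function fetch_live_cert(string $host, int $port = 443): ?string {
    $ctx = stream_context_create(['ssl' => [
        'capture_peer_cert' => true,
        'SNI_enabled'       => true,
        'peer_name'         => $host,
        // A monitor must still see an expired or mis-issued certificate, and
        // nothing is sent on this socket, so chain verification is left off.
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        // Refuse anything below TLS 1.2, matching the "protocol version" check.
        'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
                             | STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT,
    ]]);
    $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return null;   // handshake failed, or the server only offers TLS < 1.2
    }
    $peer = stream_context_get_params($sock)['options']['ssl']['peer_certificate'];
    openssl_x509_export($peer, $pem);
    fclose($sock);
    return $pem;
}

/** Threshold mapping from the Alert Thresholds table. */
function alert_level(int $daysLeft): string {
    if ($daysLeft < 7)  return 'critical';
    if ($daysLeft < 14) return 'urgent';
    if ($daysLeft < 30) return 'warning';
    return 'ok';
}

/** Summarise a PEM certificate: issuer, days left, whether $host is covered, alert level. */
function inspect_cert(string $pem, string $host, int $now): array {
    $x = openssl_x509_parse($pem);
    $daysLeft = (int) floor(($x['validTo_time_t'] - $now) / 86400);   // negative once expired
    // Browsers match the host against SAN entries only; the CN fallback
    // below exists just for the demo certificate, which has no SAN.
    $sans = [];
    if (!empty($x['extensions']['subjectAltName'])) {
        foreach (explode(',', $x['extensions']['subjectAltName']) as $e) {
            if (preg_match('/^\s*DNS:(.+)$/i', $e, $m)) $sans[] = strtolower(trim($m[1]));
        }
    }
    $names = $sans ?: [strtolower($x['subject']['CN'] ?? '')];
    $hostMatch = false;
    foreach ($names as $n) {
        $wildcard = substr($n, 0, 2) === '*.' && strpos($host, '.') !== false
                    && substr($n, 1) === substr($host, strpos($host, '.'));
        if ($n === $host || $wildcard) $hostMatch = true;
    }
    return [
        'issuer'     => $x['issuer']['CN'] ?? ($x['issuer']['O'] ?? 'unknown'),
        'days_left'  => $daysLeft,
        'host_match' => $hostMatch,
        'alert'      => alert_level($daysLeft),
    ];
}

// Offline demo: a constructed self-signed certificate for example.com, valid 12 days.
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'example.com'], $key);
$cert = openssl_csr_sign($csr, null, $key, 12);
openssl_x509_export($cert, $pem);

print_r(inspect_cert($pem, 'example.com', time()));
// issuer => example.com, days_left => 11 (floor of just under 12 days), host_match => true, alert => urgent
```

For a real site, replace the demo block with `$pem = fetch_live_cert('www.example.com');` and treat a null return as its own alert: a handshake that fails with TLS 1.2/1.3 only is as much a finding as an expiring certificate.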
Change Detection (Pro)
DNS Monitor Pro takes periodic snapshots of your DNS records and compares them against previous snapshots to detect changes.
How Snapshots Work
After each check, the plugin serializes the current DNS state (all record types and values) and stores it in the database. On the next check, the new snapshot is compared against the previous one. Any differences are recorded as changes.
What Triggers Alerts
- A record added, removed, or modified
- AAAA record added, removed, or modified
- MX record priority or target changed
- NS record added or removed
- TXT record content changed (SPF, DKIM, DMARC, verification records)
- SOA serial or timing values changed
Change History View
The Changes tab displays a filterable log of all detected changes with timestamps, old values, new values, and the record type affected. This provides an audit trail for DNS modifications.
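As an added example (not VistoShield code) of the snapshot-and-compare approach this section describes: the block below normalises dns_get_record()-shaped rows into a per-type set of values, diffs two snapshots, and reports the added/removed/modified entries an audit log would carry. The "previous" and "current" answers are constructed arrays so it runs offline; the rule that a single removal plus a single addition within one type is reported as "modified" is this example's convention.

```php
<?php
// Added example (not VistoShield code). Snapshot normalisation and diffing
// for DNS change detection.

/** Collapse raw dns_get_record() rows into "type => sorted set of values". */
function snapshot(array $rows): array {
    $snap = [];
    foreach ($rows as $r) {
        switch ($r['type']) {
            case 'A':    $v = $r['ip'];   break;
            case 'AAAA': $v = $r['ipv6']; break;
            case 'NS':   $v = strtolower($r['target']); break;
            case 'MX':   $v = $r['pri'] . ' ' . strtolower($r['target']); break;
            case 'TXT':  $v = $r['txt']; break;
            case 'SOA':  $v = sprintf('%s %s %d %d %d %d %d', $r['mname'], $r['rname'], $r['serial'],
                             $r['refresh'], $r['retry'], $r['expire'], $r['minimum-ttl']); break;
            default:     continue 2;   // other types (and TTL changes) are not tracked here
        }
        $snap[$r['type']][] = $v;
    }
    foreach ($snap as &$vals) {
        $vals = array_values(array_unique($vals));
        sort($vals);               // order-independent comparison
    }
    unset($vals);
    return $snap;
}

/** Diff two snapshots into a list of change records. */
function diff_snapshots(array $old, array $new): array {
    $changes = [];
    foreach (array_unique(array_merge(array_keys($old), array_keys($new))) as $type) {
        $removed = array_values(array_diff($old[$type] ?? [], $new[$type] ?? []));
        $added   = array_values(array_diff($new[$type] ?? [], $old[$type] ?? []));
        if (count($removed) === 1 && count($added) === 1) {
            $changes[] = ['type' => $type, 'change' => 'modified', 'old' => $removed[0], 'new' => $added[0]];
            continue;
        }
        foreach ($removed as $v) $changes[] = ['type' => $type, 'change' => 'removed', 'old' => $v,   'new' => null];
        foreach ($added as $v)   $changes[] = ['type' => $type, 'change' => 'added',   'old' => null, 'new' => $v];
    }
    return $changes;
}

// Constructed "previous" and "current" answers (not real DNS data).
$previous = [
    ['type' => 'A',   'ip' => '192.0.2.10'],
    ['type' => 'MX',  'pri' => 10, 'target' => 'mail.example.com'],
    ['type' => 'TXT', 'txt' => 'v=spf1 mx -all'],
    ['type' => 'NS',  'target' => 'ns1.example.net'],
    ['type' => 'NS',  'target' => 'ns2.example.net'],
];
$current = [
    ['type' => 'A',   'ip' => '198.51.100.7'],                                     // A record repointed
    ['type' => 'MX',  'pri' => 10, 'target' => 'mail.example.com'],
    ['type' => 'TXT', 'txt' => 'v=spf1 mx include:_spf.attacker.example -all'],   // SPF widened
    ['type' => 'NS',  'target' => 'ns1.example.net'],                              // ns2 dropped
];

foreach (diff_snapshots(snapshot($previous), snapshot($current)) as $c) {
    printf("%-4s %-8s %s -> %s\n", $c['type'], $c['change'], $c['old'] ?? '-', $c['new'] ?? '-');
}
// A    modified 192.0.2.10 -> 198.51.100.7
// TXT  modified v=spf1 mx -all -> v=spf1 mx include:_spf.attacker.example -all
// NS   removed  ns2.example.net -> -
```

Normalising before storing matters more than it looks: resolvers return round-robin A records and NS sets in varying order, and without sorting every check would log a spurious "change".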
Settings Reference
| Setting | Description | Default |
|---|---|---|
| Check interval | How often automated checks run. Free: daily. Pro: hourly, every 6 hours, every 12 hours, or daily. | Daily |
| Alert email | Email address to receive alerts when checks fail or certificates are expiring. Leave blank to disable email alerts. | Site admin email |
| DKIM selector | The DKIM selector to query (e.g., default, google, selector1). | default |
| What to monitor | Toggles for each check category. Disable checks that are not relevant to your setup. | All enabled |
| Additional subdomains | Extra subdomains to monitor beyond the primary domain (e.g., mail, cdn, api). | None |
| VistoShield server | Integration with the VistoShield Linux daemon for centralized monitoring across multiple sites. | Disabled |
Scoring System
The DNS Health Score is calculated as a weighted sum of all 9 check categories:
| Category | Weight |
|---|---|
| Nameservers (NS) | 15% |
| Web Records (A/AAAA) | 15% |
| MX | 12% |
| SPF | 12% |
| DMARC | 10% |
| DKIM | 10% |
| SOA | 10% |
| DNSSEC | 8% |
| CAA | 8% |
How Status Maps to Score
| Check Status | Score Contribution |
|---|---|
| Pass | 100% of the category weight |
| Warning | 50% of the category weight |
| Fail | 0% of the category weight |
| N/A | Category is excluded from calculation (remaining categories are re-weighted) |
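The score computation as the two tables above define it, written out as an added example (not VistoShield code). The one non-obvious step is the N/A handling: the excluded category's weight is dropped from the denominator, so the remaining eight categories are effectively re-weighted rather than the score being capped. The result set is constructed.

```php
<?php
// Added example (not VistoShield code). Weighted DNS Health Score with N/A re-weighting.

const CATEGORY_WEIGHTS = [
    'ns' => 15, 'web' => 15, 'mx' => 12, 'spf' => 12, 'dmarc' => 10,
    'dkim' => 10, 'soa' => 10, 'dnssec' => 8, 'caa' => 8,
];
const STATUS_FACTOR = ['pass' => 1.0, 'warn' => 0.5, 'fail' => 0.0];

/** Score 0-100; categories with status 'na' drop out and the rest are re-weighted. */
function dns_health_score(array $results): int {
    $earned = 0.0;
    $available = 0;
    foreach (CATEGORY_WEIGHTS as $cat => $weight) {
        $status = $results[$cat] ?? 'na';
        if ($status === 'na') continue;          // excluded from both numerator and denominator
        $available += $weight;
        $earned    += $weight * STATUS_FACTOR[$status];
    }
    return $available === 0 ? 0 : (int) round(100 * $earned / $available);
}

/** Colour band used by the DNS Score card. */
function score_colour(int $score): string {
    return $score >= 80 ? 'green' : ($score >= 50 ? 'orange' : 'red');
}

// Constructed result set: CAA query blocked by the host, DMARC still on p=none.
$results = ['ns' => 'pass', 'web' => 'pass', 'mx' => 'pass', 'spf' => 'pass', 'dmarc' => 'warn',
            'dkim' => 'pass', 'soa' => 'pass', 'dnssec' => 'pass', 'caa' => 'na'];
$score = dns_health_score($results);
echo $score, ' ', score_colour($score), "\n";   // 95 green (87 of the 92 available points)
```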
Technical Details
Pure PHP Implementation
DNS Monitor is built entirely with native PHP functions and requires no shell access:
| Function | Purpose |
|---|---|
| dns_get_record() | Retrieve DNS records (A, AAAA, MX, TXT, NS, SOA, CAA) |
| checkdnsrr() | Quick existence check for specific record types |
| gethostbyname() | Resolve hostnames to IPv4 addresses |
| fsockopen() | Test connectivity to mail servers (MX validation) |
| stream_socket_client() | SSL/TLS certificate inspection without exec() |
| stream_context_create() | Configure SSL context for certificate extraction |
| wp_remote_get() | DNSSEC validation via Google DNS-over-HTTPS API |
DNSSEC via DNS-over-HTTPS
Since PHP’s dns_get_record() cannot check DNSSEC validation, DNS Monitor queries Google’s public DNS-over-HTTPS endpoint (https://dns.google/resolve?name=yourdomain.com&type=A) and checks the AD (Authenticated Data) flag in the response. This requires outbound HTTPS access to dns.google.
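An added example (not VistoShield code) of the DNSSEC check described here and in the DNSSEC section above: doh_query() fetches the dns.google/resolve JSON with wp_remote_get() when inside WordPress (file_get_contents() otherwise), and evaluate_dnssec() maps the AD flag to pass/fail. The responses below are constructed in the dns.google JSON shape so the evaluation runs offline. Two points are this example's interpretation rather than the plugin's documented behaviour: it queries the DS type as well, because a published DS with AD unset is the "partially configured" case, and it treats a SERVFAIL (Status 2) from the validating resolver the same way, since that is what dns.google returns for a domain whose signatures fail to validate.

```php
<?php
// Added example (not VistoShield code). DNSSEC status via the dns.google
// DNS-over-HTTPS JSON API.

/** Fetch one DoH JSON answer; returns null when dns.google is unreachable. */
function doh_query(string $name, string $type): ?array {
    $url = 'https://dns.google/resolve?' . http_build_query(['name' => $name, 'type' => $type]);
    if (function_exists('wp_remote_get')) {             // inside WordPress
        $resp = wp_remote_get($url, ['timeout' => 10]);
        if (is_wp_error($resp)) return null;
        $body = wp_remote_retrieve_body($resp);
    } else {                                             // plain PHP fallback
        $body = @file_get_contents($url);
        if ($body === false) return null;
    }
    $json = json_decode($body, true);
    return is_array($json) ? $json : null;
}

/**
 * $a  = response for type=A (AD flag tells us whether the chain validated),
 * $ds = response for type=DS (the DS lives in the parent zone, so its presence
 *       shows DNSSEC was delegated for this domain even if validation fails).
 */
function evaluate_dnssec(?array $a, ?array $ds): array {
    if ($a === null) {
        return ['status' => 'na', 'reason' => 'dns.google unreachable'];
    }
    if (!empty($a['AD'])) {
        return ['status' => 'pass', 'reason' => 'AD flag set: chain of trust validated'];
    }
    $dsRecords = array_filter($ds['Answer'] ?? [], fn($r) => ($r['type'] ?? 0) === 43);   // 43 = DS
    if (count($dsRecords) > 0 || ($a['Status'] ?? 0) === 2) {
        return ['status' => 'warn', 'reason' => 'DS record published but validation failed'];
    }
    return ['status' => 'fail', 'reason' => 'no DNSSEC: response not authenticated'];
}

// Constructed responses in dns.google JSON shape (not captured from real queries).
$signedA   = ['Status' => 0, 'AD' => true,  'Answer' => [['name' => 'example.com.', 'type' => 1,  'data' => '192.0.2.1']]];
$unsignedA = ['Status' => 0, 'AD' => false, 'Answer' => [['name' => 'example.com.', 'type' => 1,  'data' => '192.0.2.1']]];
$brokenA   = ['Status' => 2, 'AD' => false];
$dsPresent = ['Status' => 0, 'AD' => true,  'Answer' => [['name' => 'example.com.', 'type' => 43, 'data' => '12345 13 2 ...']]];
$noDs      = ['Status' => 0, 'AD' => true];

print_r(evaluate_dnssec($signedA, $dsPresent));   // pass
print_r(evaluate_dnssec($unsignedA, $noDs));      // fail
print_r(evaluate_dnssec($brokenA, $dsPresent));   // warn
print_r(evaluate_dnssec(null, null));             // na

// Live use: evaluate_dnssec(doh_query('example.com', 'A'), doh_query('example.com', 'DS'));
```

Note what the AD flag does and does not prove: it says the resolver at dns.google validated the chain, so the check is only as trustworthy as the HTTPS connection to that endpoint. That is acceptable for a health check, but it is not the same as validating DNSSEC locally.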
Shared Hosting Compatibility
Because no exec(), shell_exec(), or proc_open() calls are used, DNS Monitor works on virtually any WordPress hosting environment, including shared hosting with restricted PHP functions.
Database Tables
| Table | Purpose |
|---|---|
| {prefix}vsdm_checks | Stores check results, scores, timestamps, and raw DNS data for each run |
| {prefix}vsdm_changes | Records detected DNS changes with old/new values, record types, and timestamps |
Free vs Pro
| Feature | Free | Pro |
|---|---|---|
| DNS Health Score | Yes | Yes |
| All 9 DNS checks | Yes | Yes |
| SSL certificate monitoring | Yes | Yes |
| Manual “Run Check Now” | Yes | Yes |
| Automated daily checks | Yes | Yes |
| Email alerts | Yes | Yes |
| Check interval (hourly/6h/12h) | — | Yes |
| Change detection & snapshots | — | Yes |
| Change history & audit log | — | Yes |
| Additional subdomain monitoring | — | Yes |
| VistoShield server integration | — | Yes |
Troubleshooting / FAQ
Some checks show “N/A”
Your hosting provider may block certain DNS record type queries at the PHP level. This is common on some shared hosts that restrict dns_get_record() for specific record types (especially CAA and SOA). Note also that dns_get_record() only gained support for the CAA type (the DNS_CAA constant) in PHP 7.0.16 and 7.1.2, so on older PHP builds the CAA check reports N/A regardless of the host. The affected categories are excluded from the score calculation so your health score is not penalized.
DNSSEC check fails or shows N/A
The DNSSEC check requires outbound HTTPS access to dns.google (port 443). If your server’s firewall blocks outbound HTTPS requests or if wp_remote_get() is disabled, this check cannot be performed. Verify that your server can reach https://dns.google/resolve.
SSL check shows wrong certificate
If your site is behind a CDN or reverse proxy (e.g., Cloudflare, Sucuri, or a load balancer), the SSL check may inspect the CDN’s certificate rather than your origin server’s certificate. This is expected behavior — the CDN certificate is what visitors actually see. If you need to monitor your origin certificate, check it directly from your hosting control panel.
DKIM check fails even though DKIM is configured
The most common cause is a mismatched selector name. The plugin queries <selector>._domainkey.yourdomain.com — if your email provider uses a different selector than the default (default), you need to update it in VistoShield → DNS Monitor → Settings. Check your email provider’s documentation for the correct selector name.
You can also read the selector from any message your domain has sent: view the raw headers and find the DKIM-Signature header, whose s= tag contains the selector name (the d= tag holds the signing domain).