Set up threshold-based alarms across DNS Server, DNS Trace, and DNSSEC monitors so Cloudmon notifies your team the moment a DNS check fails, resolution degrades, or a DNSSEC signature becomes invalid.
Each DNS monitor type has its own available metric set. DNS Server monitors expose availability, resolution time, and response code metrics. DNS Trace monitors expose availability, final query time, total queries, and failed query count. DNSSEC monitors expose availability and validity state. Alarm rules are assigned directly to each monitor at the time of creation, or can be configured later from the monitor's Settings.
Each alarm is built around a simple IF/THEN model, where you select a metric, set a threshold, and define what happens when it is breached. Learn more.
Below are recommended alarm configurations across all three DNS monitor types:
| Use Case | Monitor Type | Metric | Suggested Threshold | Why |
| DNS server not responding | DNS Server | Availability | Below 100% for 1 interval | A DNS server that stops responding causes resolution failures for all services and users that depend on it, often manifesting as application timeouts before the DNS failure is identified. |
| DNS resolution time spiking | DNS Server | Resolution Time | Above 500ms for 3 intervals | Slow DNS resolution adds latency to every service request. Users experience application slowdowns that appear unrelated to DNS without dedicated monitoring to surface the root cause. |
| DNS server returning error response | DNS Server | Response Code | Not NOERROR for 1 interval | A SERVFAIL or NXDOMAIN response from a production DNS server indicates a misconfiguration, a missing record, or an upstream resolver failure that is actively breaking name resolution. |
| DNS trace resolution failing | DNS Trace | Availability | Below 100% for 1 interval | A trace failure means the full delegation chain for the domain is broken at one or more levels. The Log Report will show exactly which nameserver hop failed. |
| Failed query count increasing | DNS Trace | Failed Queries | Above 0 for 2 intervals | Intermittent query failures across trace intervals indicate an unstable nameserver at a specific delegation level that is not failing consistently enough to drop overall availability but is degrading resolution reliability. |
| DNSSEC validation failing | DNSSEC | Availability | Below 100% for 1 interval | A DNSSEC validation failure means the chain of trust is broken. Validating resolvers will refuse to return responses for the domain, causing resolution failures for all users on DNSSEC-aware networks. |
| DNSSEC signature approaching expiry | DNSSEC | Validity | Degrading for 1 interval | DNSSEC signatures must be refreshed before they expire. An expiring signature that is not renewed will cause validation failures for all resolvers checking the domain, breaking resolution for DNSSEC-aware users. |
Once saved, all triggers for a DNS monitor are listed in the Triggers table under the Alarm Rule section in that monitor's Settings. Each row shows the trigger title, alarm severity, notification configuration, and linked services. Triggers can be edited or deleted at any time using the action icons on the right.
All active alarms for a DNS monitor are visible under the Alarms tab within the monitor detail page, and in the global Alarms view under the Alarms menu in the navigation bar.