DNS Explained

What NS Records Are (And Why Changing Them Can Break Everything Else)

NS records tell the internet which DNS servers are authoritative for your domain. Every other DNS record depends on them. Here's what they do, when they legitimately change, and why an unexpected NS change is almost never a good sign.

June 9, 2026

You migrate to a new DNS provider. You update the NS records at your registrar. For the next few hours, some resolvers hit your old nameservers and some hit the new ones. The site stays up, email keeps flowing, and eventually the old servers drop off. Everything works.

That's the normal case. NS records also have an abnormal case — and it's one of the more severe things that can happen to a domain. Understanding what NS records actually do is the first step to knowing why.

What NS records actually do

NS records tell the rest of the internet which DNS servers are authoritative for your domain. When a resolver needs to look up anything on example.com — an A record, an MX record, a TXT record — it doesn't already know where to go. It starts by asking the root servers who's in charge of .com, then asks the .com servers who's in charge of example.com. The answer comes back as your NS records.

Every other record on your domain flows through them. If your NS records point to the wrong servers, every A record, MX record, and TXT record on your domain becomes unreachable — regardless of whether those records are configured correctly.

Why NS records live in two places

Unlike most DNS records, NS records are stored in two places at once.

Your registrar publishes your NS records into the TLD registry — the global database that tells the world which DNS servers handle your domain. When a resolver asks "who handles example.com?", the TLD registry is what answers. This copy is what the world uses to find your DNS servers.

Your DNS provider also stores NS records as part of your zone, alongside your A records and MX records. This copy gets served once resolvers know who to ask.

The two should always match. This dual-location setup is why NS changes propagate slowly and why a mistake in one place can create inconsistencies that are harder to untangle than a broken A record.

When NS records legitimately change

These are the normal reasons NS records change:

Migrating to a new DNS provider. You move your zone from one provider to another, then update the NS records at your registrar to point to the new servers. During the transition, some resolvers may still hit the old servers until their cache expires.

Adding a secondary DNS provider. For redundancy, some setups use two DNS providers simultaneously. All nameservers are listed in the same NS record set, and resolvers can query any of them.

Subdomain delegation. You can delegate a subdomain to a different DNS provider — for example, having api.example.com handled by a separate set of nameservers. This creates NS records scoped to that subdomain only, not the root domain.

Domain expiry or auto-renewal. If a domain lapses and the registrar's grace period or auto-renew system catches it, the registrar may reset NS records to their own parking nameservers.

Outside of these cases, an NS record change on a live domain warrants a second look.

What an unauthorized NS record change looks like

If an attacker gains access to your registrar account, the most damaging thing they can do is change your NS records to servers they control.

From that point, they control what every DNS query on your domain resolves to. They can point your A records at a different server, redirect your MX records to intercept email, swap out TXT records used for domain verification, or satisfy a DNS-01 certificate challenge and issue a certificate on your behalf.

Because NS changes propagate slowly, there's often a window of hours between when the change happens and when someone notices something is wrong. By then, verification records may have already been used, certificates issued, or email intercepted.

At the registrar level, this attack shows up as an NS record change — which is exactly what DNS monitoring catches. Other attack vectors, such as BGP hijacking of a nameserver's IP address block, can redirect DNS queries without changing any record name.

If you detect an unexpected NS change, treat it as urgent: check your registrar account for unauthorized access, rotate your credentials, and enable registrar lock if it isn't already on. Check Certificate Transparency logs for any certificates issued for your domain during the window. Your registrar and DNS provider may also have audit logs showing what changed and when.

How to check your NS records

To see what NS records a public resolver currently returns — bypassing your local cache:

dig @8.8.8.8 NS example.com

To trace the full delegation path from the root servers down, which gives the authoritative picture and works for any TLD:

dig +trace NS example.com

If the two outputs differ, a migration may still be propagating. Check the TTL on the NS records and wait for it to expire before concluding something is wrong. If the change was unexpected, that warrants immediate attention.

If you don't have dig, dnschecker.org will show NS records from multiple global locations without installing anything.
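The two-copies comparison described above, as an added example (not code from the original article or from OneDollarDNS): the script pulls the NS set for one domain out of two pieces of dig output, the TLD delegation and the zone's own answer, and reports nameservers that appear on only one side. The sample records and the `*.example` nameserver names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample data is constructed; live equivalents (fill in servers):
#   dig +norecurse @<tld-server> NS example.com        (delegation copy)
#   dig +norecurse @<zone-nameserver> NS example.com   (zone copy)
PARENT_SAMPLE='; constructed authority section from a TLD server
example.com.      172800  IN  NS  ns1.new-dns.example.
example.com.      172800  IN  NS  ns2.new-dns.example.'
ZONE_SAMPLE='; constructed answer section from the zone itself
example.com.      3600    IN  NS  NS1.old-dns.example.
example.com.      3600    IN  NS  ns2.new-dns.example.
api.example.com.  3600    IN  NS  ns1.api-dns.example.'

# Print NS targets for one owner name: lowercase, no trailing dot, sorted.
# Subdomain delegations (api.example.com above) are ignored for the apex.
ns_set() {  # usage: ns_set <domain-without-trailing-dot> < dig-output
    awk -v d="$1." '
        /^;/ || NF < 5 { next }    # skip comments, blanks, short lines
        tolower($1) == tolower(d) && $4 == "NS" { print tolower($5) }
    ' | sed 's/\.$//' | sort -u
}

# Print the longest NS TTL in seconds: how long cached copies can persist.
max_ns_ttl() {  # usage: max_ns_ttl <domain> < dig-output
    awk -v d="$1." 'tolower($1) == tolower(d) && $4 == "NS" && $2 > m { m = $2 }
        END { print m + 0 }'
}

# Compare two dig outputs for one domain.
# Returns 0 on match, 1 on mismatch, 2 when either side has no NS data.
compare_ns() {  # usage: compare_ns <domain> <delegation-output> <zone-output>
    deleg=$(printf '%s\n' "$2" | ns_set "$1")
    zone=$(printf '%s\n' "$3" | ns_set "$1")
    if [ -z "$deleg" ] || [ -z "$zone" ]; then
        echo "no NS data for $1 on one side"; return 2
    fi
    [ "$deleg" = "$zone" ] && { echo "match"; return 0; }
    printf '%s\n' "$deleg" | grep -Fxv -e "$zone" | sed 's/^/only in delegation: /'
    printf '%s\n' "$zone" | grep -Fxv -e "$deleg" | sed 's/^/only in zone: /'
    return 1
}

# Demo on the constructed samples (a half-finished migration).
compare_ns example.com "$PARENT_SAMPLE" "$ZONE_SAMPLE" || true
echo "delegation NS TTL: $(printf '%s\n' "$PARENT_SAMPLE" | max_ns_ttl example.com)s"
```

Saving a known-good dig output and passing it as one side turns the same comparison into a baseline check for unexpected NS changes.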

How DNS monitoring fits in

Most DNS record changes are contained in scope. A wrong A record breaks one endpoint. A missing TXT record affects one service.

NS record changes affect everything. An unexpected NS change is almost never benign — it's either a provider migration nobody logged, or something that requires immediate attention.

OneDollarDNS monitors NS records alongside every other record type and checks for changes every hour by default, so an unexpected NS change shows up in your inbox before it shows up as a user complaint.
