New: SEO & AEO scanning — see how Google ranks you and how ChatGPT, Claude & Perplexity cite youSee how it works
Domain expiry, transfer locks, nameserver drift, DNSSEC, CAA, and certificate runway — watched daily, alerted on change.
Overview
The layer under your app — domain registration, DNS, certificates — changes rarely and fails completely. An expired domain or a hijacked nameserver set is a total outage that no application monitor sees coming. Domain Watchtower reads the public record (RDAP, DNS, Certificate Transparency logs) on a schedule and alerts on the deltas that matter.
What this scanner does
Tracks domain expiry runway and registrar lock status via RDAP, watches for nameserver drift and registrar changes, validates DNSSEC where deployed, checks CAA records controlling which CAs may issue your certificates, monitors certificate expiry through Certificate Transparency logs, and verifies hygiene basics — apex and www resolution and IPv6 presence.
Why it matters
Domains expire because a card lapsed and the reminder went to someone who left — it takes down multi-million-user services regularly. A dropped transfer lock or drifting nameservers is how hijacks start. None of it errors in your logs or fails a health check; the only defense is watching the public record and alerting on change, which is precisely automatable.
Common findings
Get a full security report with AI-powered fix suggestions in 30 seconds. No setup required.
Related checks
Infrastructure Check
Detect subdomain takeover vulnerabilities and domain registration security issues.
Configuration Audit
Verify your SSL/TLS configuration, certificate validity, and encryption strength.
Monitoring & Intel
SPF, DKIM, DMARC, MX, MTA-STS, and BIMI checked continuously — with a managed DMARC report inbox.
