Nameserver Monitoring API: Detect DNS Delegation Changes

Q: What is a nameserver monitoring API?

A nameserver monitoring API is a workflow that queries NS records for a domain, stores the expected nameserver set, and alerts when the current delegation differs from the baseline.

Introduction

Nameserver changes are one of the highest-impact DNS events a domain operations team can monitor. When authoritative nameservers move, the whole zone can move with them: web records, email routing, verification TXT records, CAA policy, and subdomain behavior.

WhoisJSON does not expose a dedicated nameserver-only endpoint. The precise workflow uses the documented GET /api/v1/nslookup endpoint to read active NS records, then optionally compares those values with nameserver data returned by GET /api/v1/whois when WHOIS/RDAP data is available.

This article shows how to build that workflow, store a baseline, alert on unexpected delegation changes, and connect nameserver monitoring to a broader domain portfolio management process.

What Is a Nameserver Monitoring API?

A nameserver monitoring API is a workflow that queries authoritative DNS delegation data on a schedule, stores the expected nameserver set, and reports when the current set differs from the baseline.

Endpoint used for live DNS delegation: GET /api/v1/nslookup?domain=example.com. Read the NS array from the JSON response.

In practice, nameserver monitoring is less about a single field and more about control. If a critical domain suddenly moves from an expected provider to an unknown provider, the team needs to know before customers experience broken DNS, failed email delivery, or an account takeover incident.

Why Nameserver Changes Matter

NS records define which servers are authoritative for a DNS zone. A normal change can be part of a planned migration. An unexpected change can indicate misconfiguration, registrar account compromise, vendor offboarding mistakes, or a forgotten domain moving outside the current operating model.

DNS provider migration

A planned move from one provider to another should match a change ticket, migration window, and expected provider list.

Delegation drift

A domain may still resolve, but its authoritative provider no longer matches the portfolio baseline.

Hijack or account abuse

An attacker with registrar access can change nameservers and redirect the entire zone.

Legacy domain risk

Old campaign, redirect, acquisition, and ccTLD domains often lack clear DNS ownership.

Which WhoisJSON Fields to Use

The documented DNS Lookup API and WHOIS API expose complementary nameserver signals.

Signal	Endpoint	Field	Use
Live DNS delegation	`/nslookup`	`NS`	Compare the active authoritative nameserver set with your stored baseline.
WHOIS/RDAP nameservers	`/whois`	`nameserver`	Compare registrar/RDAP nameserver data with live DNS answers when present.
Nameserver provider hints	`/whois`	`nsAnalysis`	Use RDAP enrichment such as detected providers, self-hosted nameservers, and mixed infrastructure when available.
Zone update trigger	`/nslookup`	`SOA.serial`	Detect that the DNS zone changed, then inspect NS and other records for detail.

Keep the comparison tolerant. DNS responses may differ in ordering and letter case. Normalize hostnames before comparing arrays.

Query NS Records in JSON

Authenticate with Authorization: TOKEN=YOUR_API_KEY and pass the root domain in the query string.

RequestcURL

curl "https://whoisjson.com/api/v1/nslookup?domain=example.com" \
  -H "Authorization: TOKEN=YOUR_API_KEY"

The DNS response can include standard DNS records in one object. For nameserver monitoring, the core field is the NS array.

Response shapeJSON

{
  "NS": [
    "a.iana-servers.net",
    "b.iana-servers.net"
  ],
  "SOA": {
    "nsname": "ns.icann.org",
    "hostmaster": "noc.dns.icann.org",
    "serial": 2024021764,
    "refresh": 7200,
    "retry": 3600,
    "expire": 1209600,
    "minttl": 3600
  }
}

Compare DNS NS Records with WHOIS/RDAP Nameservers

Live DNS and WHOIS/RDAP nameserver fields answer related but not identical questions. DNS NS records show the currently returned delegation data. WHOIS/RDAP nameservers show registration-side nameserver data when the upstream source provides it.

Query /whois when you want registration context, including the nameserver array and RDAP nsAnalysis object when available.

WHOIS/RDAP nameserverscURL

curl "https://whoisjson.com/api/v1/whois?domain=example.com" \
  -H "Authorization: TOKEN=YOUR_API_KEY"

Relevant fieldsJSON

{
  "nameserver": [
    "a.iana-servers.net",
    "b.iana-servers.net"
  ],
  "nsAnalysis": {
    "count": 2,
    "list": [
      "a.iana-servers.net",
      "b.iana-servers.net"
    ],
    "detectedProviders": [],
    "detectedProviderCount": 0,
    "uniqueNsDomains": 1,
    "mixedInfrastructure": false,
    "singleInfrastructure": true,
    "selfHosted": false
  }
}

Treat differences as investigation signals, not automatic verdicts. A registry update, DNS propagation window, provider migration, or upstream source difference can create temporary mismatch.

Python Example: Alert on NS Changes

Store normalized nameservers in your inventory. On each scheduled run, fetch the current NS array, compare sets, and only alert when the set changed.

nameserver_monitor.pyPython

import requests

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://whoisjson.com/api/v1"
HEADERS = {"Authorization": f"TOKEN={API_KEY}"}


def normalize_ns(values):
    return sorted({
        value.rstrip(".").lower()
        for value in values or []
        if isinstance(value, str) and value.strip()
    })


def get_dns_nameservers(domain):
    response = requests.get(
        f"{BASE_URL}/nslookup",
        headers=HEADERS,
        params={"domain": domain},
        timeout=10,
    )
    response.raise_for_status()
    return normalize_ns(response.json().get("NS", []))


def compare_nameservers(domain, previous_ns):
    current_ns = get_dns_nameservers(domain)
    previous = normalize_ns(previous_ns)

    added = sorted(set(current_ns) - set(previous))
    removed = sorted(set(previous) - set(current_ns))

    return {
        "domain": domain,
        "changed": bool(added or removed),
        "previous": previous,
        "current": current_ns,
        "added": added,
        "removed": removed,
    }


baseline = ["a.iana-servers.net", "b.iana-servers.net"]
print(compare_nameservers("example.com", baseline))

Production jobs should persist a new baseline only after a successful response and handle 429 or transient 5xx errors with bounded backoff. See the rate limits and retries guide for retry patterns.

Node.js Example: Compare DNS and WHOIS Nameservers

This example calls both documented endpoints and reports whether live DNS nameservers differ from WHOIS/RDAP nameservers.

nameserver-compare.jsNode.js

const API_KEY = "YOUR_API_KEY";
const BASE_URL = "https://whoisjson.com/api/v1";

function normalizeNs(values = []) {
  return [...new Set(
    values
      .filter((value) => typeof value === "string")
      .map((value) => value.trim().replace(/\.$/, "").toLowerCase())
      .filter(Boolean)
  )].sort();
}

async function getJson(path, domain) {
  const url = new URL(`${BASE_URL}/${path}`);
  url.searchParams.set("domain", domain);

  const response = await fetch(url, {
    headers: { Authorization: `TOKEN=${API_KEY}` },
  });
  if (!response.ok) {
    throw new Error(`${path} failed: ${response.status}`);
  }
  return response.json();
}

async function compareDelegation(domain) {
  const [dns, whois] = await Promise.all([
    getJson("nslookup", domain),
    getJson("whois", domain),
  ]);

  const dnsNs = normalizeNs(dns.NS);
  const whoisNs = normalizeNs(whois.nameserver);

  return {
    domain,
    dnsNameservers: dnsNs,
    whoisNameservers: whoisNs,
    mismatch:
      dnsNs.length > 0 &&
      whoisNs.length > 0 &&
      dnsNs.join("|") !== whoisNs.join("|"),
    rdapAnalysis: whois.nsAnalysis ?? null,
  };
}

compareDelegation("example.com")
  .then(console.log)
  .catch(console.error);

Operational Workflow for NS Monitoring

Build an inventory of critical domains: website, login, payment, email, API, SSO, redirects and customer-facing product domains.
Query each domain with /nslookup and store the normalized NS array as the baseline.
Add the expected DNS provider or expected nameserver suffix to your portfolio record.
On every refresh, compare the current NS set with the baseline.
If the set changed, query /whois for registrar/RDAP context and nsAnalysis when available.
Check the SOA.serial and compare other DNS records to understand whether the zone changed beyond delegation.
Route expected migrations to low-noise reporting and unexpected changes to incident review.

The SOA record lookup API guide is a useful companion when you want a zone-level change trigger before comparing record arrays.

Risk Signals to Track

Unknown provider: the current NS set does not match any approved DNS provider for the domain or business unit.

Unexpected self-hosting: RDAP nsAnalysis.selfHosted is true for a domain that should use managed DNS.

Mixed infrastructure: RDAP nsAnalysis.mixedInfrastructure may be expected for resilience, but it should be intentional.

WHOIS/DNS mismatch: registration-side nameservers and live DNS NS records differ outside a known migration window.

NS changed with MX or TXT drift: delegation changes combined with email routing or verification-token changes deserve faster review.

Limits and Non-Goals

Keep the implementation honest and explicit about what the documented endpoints do and do not provide.

WhoisJSON does not expose a dedicated nameserver-only endpoint; use /nslookup and read NS.
The workflow does not perform DNS zone transfers. There is no AXFR or IXFR operation.
The workflow does not provide historical DNS by itself. Store baselines in your application or use monitoring where change history is needed.
A single response is not a global DNS propagation report across every resolver or region.
Provider detection in nsAnalysis is informational and depends on pattern matching when RDAP data is available.
This guide does not use reverse IP or reverse WHOIS workflows.

FAQ

What is a nameserver monitoring API?

It is a workflow that queries NS records for a domain, stores the expected nameserver set, and alerts when the current delegation differs from the baseline.

Which WhoisJSON endpoint returns NS records?

Use GET /api/v1/nslookup with the domain query parameter, then read the NS array from the JSON response.

Can I compare DNS nameservers with WHOIS nameservers?

Yes. Use /nslookup for live DNS NS records and /whois for the nameserver array and nsAnalysis object when those fields are available from WHOIS/RDAP data.

Does a nameserver change always mean compromise?

No. It may be a planned DNS provider migration or registrar-side update. Treat it as an operational signal and compare it with change tickets, expected providers and other DNS record changes.

Does WhoisJSON provide historical nameserver data?

The documented lookup endpoints return current data. For history, store snapshots in your own system or use domain monitoring workflows for domains where changes must trigger action.

Conclusion

Nameserver monitoring is a small workflow with a large operational payoff. If a domain's authoritative delegation changes unexpectedly, the business needs to know quickly because every DNS-dependent service can be affected.

The safe implementation is straightforward: read NS records from /nslookup, normalize and compare them against a baseline, enrich suspicious changes with /whois nameserver data and nsAnalysis when available, then investigate alongside SOA, MX, TXT, SSL and business ownership context.

Monitor DNS delegation with WhoisJSON

Query NS, SOA, MX, TXT, CAA and WHOIS/RDAP nameserver data with one API key.

Check NS Records View Documentation

Nameserver Monitoring API: Detect DNS Delegation Changes in JSON