Reading DNS Logs Like a Pro: Common Patterns and Red Flags

Learn to identify suspicious DNS activity by understanding common log patterns — from normal CNAME chains to signs of domain takeovers, phishing, and brand impersonation.

Introduction

DNS logs are one of the most underutilized security data sources available to anyone running a domain or subdomain. Every DNS query to your nameserver leaves a trail that reveals who is accessing your services, where they are coming from, and — critically — whether someone is trying to abuse your infrastructure. Learning to read DNS logs is like gaining a superpower for threat detection. This post covers the common patterns you will see in DNS logs, what they mean, and how to identify signs of phishing, domain takeovers, and brand impersonation.

What DNS Logs Contain

A typical DNS log entry from Cloudflare (which powers is-pro.dev DNS) contains: timestamp, source IP, query name (the domain or subdomain being looked up), query type (A, CNAME, MX, etc.), response code (NOERROR, NXDOMAIN, SERVFAIL), response size, and edge POP location. Cloudflare provides DNS analytics in the dashboard showing query volume, top queried records, and response codes over time. For more detailed logging, you can enable DNS log push to R2 Storage or a third-party SIEM system. The key fields for security analysis are the query name and source IP — these tell you what someone is looking up and where they are doing it from. Unusual query patterns in these fields are the earliest indicator of potential abuse.

Normal Traffic Patterns

Before you can spot anomalies, you need to understand what normal DNS traffic looks like for your subdomain. For a typical portfolio site or blog, you will see:

  • A or AAAA record queries from users around the world, with peak traffic during waking hours in your target audience's time zone. Query volume is relatively stable day over day, with small increases when you share content on social media.
  • MX record queries from email servers checking your mail configuration.
  • TXT record queries from email receivers verifying SPF and DKIM.
  • Occasional PTR record queries from reverse DNS lookups.
  • A response code that is almost always NOERROR.
  • CNAME queries that are rare after initial resolution, because clients cache the result.

This baseline varies by service type: an API endpoint will see different patterns than a game server or email server.

Signs of Phishing Activity

Phishing is the most common abuse targeting free subdomains. Early warning signs in DNS logs include: sudden spikes in DNS queries to a subdomain that was previously low-traffic, queries from geographic regions that do not match your typical audience, queries for unusual record types (like SOA or AXFR) that suggest reconnaissance, and a high volume of NXDOMAIN responses indicating someone is scanning for subdomains. If you see a subdomain that you did not create suddenly receiving traffic, someone may have registered a similar-looking subdomain for phishing. Compare query patterns across your subdomains — a subdomain that diverges significantly from the baseline warrants investigation. Check the subdomain's content by visiting it directly, and report any phishing to the abuse team.

Spotting Domain Takeover Attempts

Domain takeover occurs when someone registers a domain or service that a DNS CNAME record points to. For example, if you have a CNAME record pointing blog.is-pro.dev to myblog.netlify.app and you delete your Netlify site without removing the DNS record, someone else can create a Netlify site with the same name and effectively take over your subdomain. Signs of this in DNS logs include: CNAME queries that resolve to unexpected IP addresses, sudden changes in response content or behavior, reports from users that your subdomain is showing unfamiliar content, and certificate transparency log entries for domains you do not recognize. Prevent takeover by always deleting DNS records when you decommission services, setting up monitoring for CNAME resolution targets, and using CNAME validation tools to verify your records point to expected destinations. The is-pro.dev dashboard includes a CNAME validation tool that checks for dangling records.
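A minimal dangling-CNAME audit in Python, added here as an illustration and not the is-pro.dev dashboard's own validation tool: it flags records whose target lies outside the hosting providers you actually use, and records whose target no longer resolves at all. The record names, targets and provider list are constructed placeholders, and the resolver is injectable so the check can be exercised offline.

```python
import socket


def resolve_addresses(hostname):
    """Default resolver: the set of addresses for hostname, or None when the
    system resolver reports that the name cannot be resolved."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return None


def check_cname(record_name, target, expected_suffixes, resolve=resolve_addresses):
    """Classify one CNAME record.

    expected_suffixes: provider domains you have deliberately pointed records at.
    resolve: injectable lookup function (hypothetical hook, used by the test)."""
    in_allowlist = any(target == s or target.endswith("." + s) for s in expected_suffixes)
    if not in_allowlist:
        return "unexpected_target"   # points somewhere you never configured
    if not resolve(target):
        return "dangling"            # target gone at the DNS level: takeover candidate
    return "ok"


# Constructed example records; the targets are placeholders, not real sites.
RECORDS = {
    "blog.is-pro.dev": "myblog.netlify.app",
    "shop.is-pro.dev": "example-shop.pages.dev",
}
EXPECTED = ["netlify.app", "pages.dev"]


def audit(records, expected, resolve=resolve_addresses):
    """Map each record name to its classification."""
    return {name: check_cname(name, target, expected, resolve)
            for name, target in records.items()}


if __name__ == "__main__":
    for name, verdict in audit(RECORDS, EXPECTED).items():
        print(f"{name} -> {verdict}")
```

A target that still resolves to a provider's edge can nevertheless be unclaimed at that provider (the Netlify case above), so a resolution check alone does not prove a record is safe; pair it with the provider's own ownership check.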

Brand Impersonation Patterns

Impersonators register subdomains that look like legitimate brands — secure-paypal.is-pro.dev, login-facebook.is-pro.dev, or support-apple.is-pro.dev. These are almost always used for phishing. In DNS logs, these subdomains show distinct patterns: they are typically very new (registered within hours of the first query), they receive traffic from diverse geographic locations (indicating distributed phishing campaigns), and they often have high query volumes for A and AAAA records (visitors loading the phishing page). The source IPs for queries to these subdomains often correlate with known VPN and proxy providers, as attackers hide their registration activity. If you see a subdomain pattern matching a well-known brand being actively queried, it is almost certainly malicious and should be reported immediately.

Reconnaissance and Scanning Activity

Attackers often probe DNS infrastructure before launching an attack. Reconnaissance activities visible in DNS logs include: AXFR queries (zone transfer attempts — these should always be denied), high volumes of NXDOMAIN responses from sequential subdomain guesses (e.g., admin.is-pro.dev, test.is-pro.dev, dev.is-pro.dev), ANY or wildcard queries designed to enumerate records, and queries from IP addresses associated with known scanning services like Shodan or Censys. Blocking these IPs at the firewall level can reduce noise in your logs, but scanning is a fact of life on the internet. The important thing is to not have vulnerable configurations — disable zone transfers, do not use wildcard DNS records that could help attackers discover valid subdomains, and ensure your DNS dashboard credentials are protected with strong passwords and two-factor authentication.
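The following Python is added as an illustration, not code from the post or from is-pro.dev. It runs three of the checks described in the phishing, brand impersonation and reconnaissance sections (sequential subdomain guessing seen as NXDOMAIN bursts, zone-transfer and ANY queries, brand-lookalike names) over constructed log lines in a simplified JSON layout built from the fields listed under What DNS Logs Contain; the field names, the threshold and the keyword list are assumptions to tune for your own zone.

```python
import json
from collections import Counter

# Constructed sample entries (invented, not real Cloudflare output).
SAMPLE_LOG = """
{"ts":"2024-05-01T10:00:01Z","src":"203.0.113.7","qname":"admin.is-pro.dev","qtype":"A","rcode":"NXDOMAIN"}
{"ts":"2024-05-01T10:00:02Z","src":"203.0.113.7","qname":"test.is-pro.dev","qtype":"A","rcode":"NXDOMAIN"}
{"ts":"2024-05-01T10:00:03Z","src":"203.0.113.7","qname":"dev.is-pro.dev","qtype":"A","rcode":"NXDOMAIN"}
{"ts":"2024-05-01T10:00:04Z","src":"203.0.113.7","qname":"staging.is-pro.dev","qtype":"A","rcode":"NXDOMAIN"}
{"ts":"2024-05-01T10:00:09Z","src":"198.51.100.4","qname":"is-pro.dev","qtype":"AXFR","rcode":"REFUSED"}
{"ts":"2024-05-01T10:01:00Z","src":"192.0.2.10","qname":"secure-paypal.is-pro.dev","qtype":"A","rcode":"NOERROR"}
{"ts":"2024-05-01T10:01:05Z","src":"192.0.2.11","qname":"blog.is-pro.dev","qtype":"A","rcode":"NOERROR"}
"""

RECON_QTYPES = {"AXFR", "IXFR", "ANY"}          # record types with no normal client use
BRAND_KEYWORDS = ("paypal", "facebook", "apple")  # assumed watch list; extend as needed
NXDOMAIN_THRESHOLD = 3   # NXDOMAIN answers per source before we call it enumeration


def parse_log(text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_red_flags(entries):
    """Return signal name -> sorted list of offending sources or names."""
    nx_per_src = Counter(e["src"] for e in entries if e["rcode"] == "NXDOMAIN")
    return {
        "enumeration_sources": sorted(ip for ip, n in nx_per_src.items()
                                      if n >= NXDOMAIN_THRESHOLD),
        "zone_transfer_or_any": sorted({e["src"] for e in entries
                                        if e["qtype"] in RECON_QTYPES}),
        "brand_lookalikes": sorted({e["qname"] for e in entries
                                    if any(k in e["qname"].lower() for k in BRAND_KEYWORDS)}),
    }


if __name__ == "__main__":
    for signal, values in find_red_flags(parse_log(SAMPLE_LOG)).items():
        print(f"{signal}: {values}")
```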

Using DNS Logs for Incident Response

When you suspect a security incident involving your subdomain, DNS logs are a critical forensic resource. They can tell you: when the abusive subdomain was first queried (the earliest timestamp in logs), where queries originated (source IPs and geographic regions), how many potential victims were impacted (unique IPs that resolved the subdomain), and what records were queried (indicating whether visitors loaded a web page, sent email, or connected to a server). This information helps you assess the scope of an incident, notify affected users, and inform law enforcement if needed. Cloudflare's DNS analytics provide dashboards for this analysis, but for long-term retention and advanced querying, export logs to a SIEM or data analysis platform.
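The scoping questions above (first query, query sources, how many resolvers hit the name, which record types) as a Python summary function, added here as an example and not code from the post. It works over constructed JSON-line entries in the simplified layout assumed earlier, with the suspect name and all records as placeholders.

```python
import json
from collections import Counter

# Constructed sample entries (invented, not real Cloudflare output).
SAMPLE_LOG = """
{"ts":"2024-05-02T08:14:03Z","src":"192.0.2.10","qname":"secure-paypal.is-pro.dev","qtype":"A","rcode":"NOERROR"}
{"ts":"2024-05-02T08:14:03Z","src":"192.0.2.10","qname":"secure-paypal.is-pro.dev","qtype":"AAAA","rcode":"NOERROR"}
{"ts":"2024-05-02T08:20:41Z","src":"198.51.100.22","qname":"secure-paypal.is-pro.dev","qtype":"A","rcode":"NOERROR"}
{"ts":"2024-05-02T09:02:17Z","src":"203.0.113.9","qname":"secure-paypal.is-pro.dev","qtype":"MX","rcode":"NOERROR"}
{"ts":"2024-05-02T09:05:00Z","src":"203.0.113.9","qname":"blog.is-pro.dev","qtype":"A","rcode":"NOERROR"}
"""


def scope_incident(log_text, suspect):
    """Summarise every query for `suspect` or any name beneath it.

    Returns None when the name never appears, otherwise a dict with the
    earliest/latest timestamp, query count, distinct sources and record types."""
    entries = [json.loads(l) for l in log_text.strip().splitlines() if l.strip()]
    hits = [e for e in entries
            if e["qname"] == suspect or e["qname"].endswith("." + suspect)]
    if not hits:
        return None
    stamps = sorted(e["ts"] for e in hits)   # ISO 8601 UTC, so string order is time order
    return {
        "first_seen": stamps[0],
        "last_seen": stamps[-1],
        "query_count": len(hits),
        "unique_sources": sorted({e["src"] for e in hits}),
        "record_types": dict(Counter(e["qtype"] for e in hits)),
    }


if __name__ == "__main__":
    print(scope_incident(SAMPLE_LOG, "secure-paypal.is-pro.dev"))
```

The source address on an authoritative nameserver's log is usually a recursive resolver rather than an end user, so the distinct-source count is an approximation of victim count, not an exact one.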

Conclusion

DNS logs are a rich source of security intelligence that most domain owners ignore. Learning to recognize normal patterns, phishing indicators, takeover attempts, and reconnaissance activity gives you a significant advantage in protecting your subdomains. With is-pro.dev's Cloudflare-powered DNS analytics, you have access to enterprise-grade logging and analysis tools — use them to keep your digital presence safe.

Key Takeaways

  • DNS logs reveal who is querying your subdomains and what they are looking up
  • Phishing activity shows as sudden traffic spikes from unexpected regions
  • Domain takeover signs include unexpected CNAME resolution changes
  • Brand impersonation subdomains follow recognizable naming patterns
  • Reconnaissance appears as AXFR attempts and sequential subdomain scanning
  • DNS logs are critical forensic evidence during security incident response

Frequently Asked Questions

Is is-pro.dev really free to use?

Yes, is-pro.dev provides free subdomains for developers with no hidden fees.

What can I host on an is-pro.dev subdomain?

Any legitimate project — portfolios, SaaS apps, game servers, APIs, and more.
