DNS Drift Detector
For sysadmins and SREs managing 1–10 domains who need a nightly heads-up when a record quietly changes under them.
DNS records don't send you a notification when they change. A CNAME appears pointing at a decommissioned vendor. An SPF record disappears. You find out on a Tuesday afternoon, mid-incident, after an hour of debugging.

DNS Drift Detector is a read-only bash toolkit that compares your live authoritative DNS records against a baseline you declare once. Declare what your DNS *should* look like in a single YAML file. Run the scanner — or let cron run it nightly. Get a color-coded diff of exactly what changed: MATCH, NEW, MISSING, or DRIFT.

No accounts. No API keys. No cloud dashboards. Just your domains, `dig`, and a runbook that tells you what to do when something comes back wrong.
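The baseline-versus-live comparison described above, as an added example that is not the product's own code. It assumes a flat `name TYPE value` line format in place of the YAML baseline and assumes the meaning of the four states given in the comments; `query_live`, `normalize`, `classify_drift` and `sample_run` are hypothetical names.

```shell
#!/bin/sh
# Added example, not the product's code. The flat "name TYPE value" input and
# the state definitions are assumptions:
#   MATCH = same value set, DRIFT = values differ,
#   MISSING = baseline only, NEW = live only.

# Live lines for one record set, asked of the zone's own name server
# (needs network; not called by the sample below).
query_live() {  # query_live <name> <type> <authoritative-ns>
  dig +short +norecurse "@$3" "$1" "$2" | sed "s/^/$1 $2 /"
}

# Lowercase the owner name, drop its trailing dot, uppercase the type, dedupe.
normalize() {
  awk 'NF >= 3 && $1 !~ /^#/ {
         n = tolower($1); sub(/\.$/, "", n); v = $0
         sub(/^ *[^ ]+ +[^ ]+ +/, "", v); print n, toupper($2), v }' "$1" |
    LC_ALL=C sort -u
}

classify_drift() {  # classify_drift <baseline-file> <live-file>
  { normalize "$1" | sed 's/^/B /'; normalize "$2" | sed 's/^/L /'; } | awk '
    { key = $2 " " $3; val = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", val); seen[key] = 1 }
    $1 == "B" { base[key] = base[key] val "|" }
    $1 == "L" { live[key] = live[key] val "|" }
    END { for (k in seen) {
            if (!(k in live))            s = "MISSING"
            else if (!(k in base))       s = "NEW"
            else if (base[k] == live[k]) s = "MATCH"
            else                         s = "DRIFT"
            print s, k } }' | LC_ALL=C sort -k2
}

sample_run() {  # constructed data using documentation names and addresses
  d=$(mktemp -d)
  printf '%s\n' 'example.com A 192.0.2.10' 'example.com MX 10 mail.example.com.' \
    'example.com TXT "v=spf1 include:_spf.example.net -all"' \
    'www.example.com CNAME example.com.' > "$d/baseline"
  printf '%s\n' 'example.com A 192.0.2.99' 'Example.com. mx 10 mail.example.com.' \
    'www.example.com CNAME example.com.' \
    'old.example.com CNAME vendor.example.net.' > "$d/live"
  classify_drift "$d/baseline" "$d/live"
  rm -rf "$d"
}
sample_run
```

Normalizing owner-name case and the trailing dot before comparing keeps cosmetic differences between a hand-written baseline and resolver output from being reported as drift.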
What's Inside
- 📦 `dns-drift-detector.sh` — Main scanner. Queries authoritative DNS for A, AAAA, CNAME, MX, and TXT records. Diffs live results against your baseline. Outputs color-coded MATCH / NEW / MISSING / DRIFT states with `--no-color` and `--quiet` flags for cron-friendly use.
- 📦 `baseline.yaml` — Annotated example baseline file. Swap in your own domains and expected values. This file becomes your living source of truth.
- 📦 `install-cron.sh` — Idempotent one-command installer. Verifies `dig` availability, places scripts in `~/.local/bin`, creates a log directory, and writes a nightly cron entry with a duplicate-guard marker.
- 📦 `runbook.md` — Full operational guide covering install, baseline declaration, output interpretation, drift response steps, uninstall, and FAQ. Includes inline `dig` commands so you always know what to put in your baseline.
- 📦 `README.md` — Product overview with 3-step quick-start, sample output, scope & limitations, and advanced usage flags.
- 📦 `CHANGELOG.md` — Full v1.0.0 feature log.
One-time purchase