# Providers

A *provider* is a connection to the service that hosts your DNS. Once connected, DNScheck imports your zones, keeps their records in sync, and records every change it detects. You can also edit records straight from the dashboard.

DNScheck currently supports six providers:

- [Cloudflare](#cloudflare)
- [DigitalOcean](#digitalocean)
- [AWS Route 53](#aws-route-53)
- [Hetzner DNS](#hetzner-dns)
- [Vultr](#vultr)
- [Linode](#linode)

## Connecting a provider

1. Go to **Providers** and click **Connect provider**.
2. Pick the provider type and give the connection a name (just for your reference).
3. Enter the credentials below and click **Connect**.

DNScheck tests the credentials before saving and then syncs your zones. Credentials are stored encrypted and are never shown again after you save them — to rotate them, reconnect the provider.

> **A note on permissions.** DNScheck can both read your records (to monitor them) and edit them (from the dashboard). The credentials below therefore need *write* access, not just read. If you only want monitoring, you can use read-only credentials — editing from DNScheck will simply fail until you grant write access.

## Cloudflare

**You need:** an API token.

1. In the Cloudflare dashboard, go to **My Profile → API Tokens → Create Token**.
2. Use the **Edit zone DNS** template, or create a custom token with the **Zone › DNS › Edit** permission.
3. Scope it to the zones you want DNScheck to manage, then create the token and copy it.
4. In DNScheck, choose **Cloudflare**, paste the token into **API token**, and connect.

Cloudflare is the only provider that exposes the **proxied** (orange-cloud) flag, so DNScheck shows and lets you toggle it on Cloudflare records. Editable record types include A, AAAA, CNAME, MX, TXT, NS, SRV, and CAA. If Cloudflare rate-limits a request, DNScheck surfaces the error so you can try again in a moment; monitoring continues on the normal sync schedule.

## DigitalOcean

**You need:** a Personal Access Token.

1. In the DigitalOcean control panel, go to **API → Tokens → Generate New Token**.
2. Give it **read and write** scope.
3. Copy the token.
4. In DNScheck, choose **DigitalOcean**, paste the token into **API token**, and connect.

DigitalOcean does not have a proxy concept, so the proxied flag is never shown for these records. Priority is supported for MX and SRV records. Record names are normalised to fully-qualified form for consistency.

## AWS Route 53

**You need:** an IAM access key (access key ID + secret access key), and optionally a region.

1. In the AWS IAM console, create (or reuse) a user or role and attach a policy allowing:
   - `route53:ListHostedZones`
   - `route53:ListResourceRecordSets`
   - `route53:ChangeResourceRecordSets`
2. Create an access key for that identity and copy the **access key ID** and **secret access key**.
3. In DNScheck, choose **AWS Route 53**, paste both values, and connect. **Region** is optional — Route 53 is a global service and DNScheck defaults to `us-east-1` for the control plane.

Some Route 53 records are managed by AWS and can't be edited through DNScheck. These are shown as **read-only**:

- **SOA** records
- **Apex NS** records (the nameservers for the zone itself)
- **Alias** records (Route 53's pointer-to-AWS-resource records)
- Records that use **routing policies** (weighted, latency, geolocation, etc.)

DNScheck still monitors these read-only records and reports changes — it just won't let you edit them from the dashboard.

## Hetzner DNS

**You need:** a Hetzner DNS API token.

1. In the Hetzner **DNS Console**, go to **API tokens** and create a token.
2. In DNScheck, choose **Hetzner**, paste the token into **API token**, and connect.

## Vultr

**You need:** a Vultr API key.

1. In the Vultr customer portal, go to **Account → API** and generate an API key allowed to manage DNS. If you use the key's access-control rules, make sure they don't block DNScheck.
2. In DNScheck, choose **Vultr**, paste the key into **API token**, and connect.

## Linode

**You need:** a personal access token.

1. In the Linode Cloud Manager, go to **Profile → API Tokens** and create a token with **Domains** read/write access.
2. In DNScheck, choose **Linode**, paste the token into **API token**, and connect.

## Testing and removing a connection

From the **Providers** list you can **test** a connection at any time (DNScheck re-checks the credentials and zone access) or **delete** it. Deleting a provider stops monitoring its zones; it does not change anything at the provider.

Deleting is forgiving: the provider and its zones, records, and history disappear from DNScheck immediately, but are kept for **30 days**. During that window the provider shows under **Recently deleted** on the Providers page, and **Restore** brings everything back — zones, change history, and health checks — with monitoring resuming on the next sync. After 30 days everything is permanently deleted.

## Need help?

[Contact us](/contact) and we'll help you get connected.
