# Providers

A *provider* is a connection to the service that hosts your DNS. Once connected, DNScheck imports your zones, keeps their records in sync, and records every change it detects. You can also edit records straight from the dashboard.

DNScheck currently supports three providers:

- [Cloudflare](#cloudflare)
- [DigitalOcean](#digitalocean)
- [AWS Route 53](#aws-route-53)

## Connecting a provider

1. Go to **Providers** and click **Connect provider**.
2. Pick the provider type and give the connection a name (just for your reference).
3. Enter the credentials below and click **Connect**.

DNScheck tests the credentials before saving and then syncs your zones. Credentials are stored encrypted and are never shown again after you save them — to rotate them, reconnect the provider.

> **A note on permissions.** DNScheck can both read your records (to monitor them) and edit them (from the dashboard). The credentials below therefore need *write* access, not just read. If you only want monitoring, you can use read-only credentials — editing from DNScheck will simply fail until you grant write access.

## Cloudflare

**You need:** an API token.

1. In the Cloudflare dashboard, go to **My Profile → API Tokens → Create Token**.
2. Use the **Edit zone DNS** template, or create a custom token with the **Zone › DNS › Edit** permission.
3. Scope it to the zones you want DNScheck to manage, then create the token and copy it.
4. In DNScheck, choose **Cloudflare**, paste the token into **API token**, and connect.

Cloudflare is the only provider that exposes the **proxied** (orange-cloud) flag, so DNScheck shows and lets you toggle it on Cloudflare records. Editable record types include A, AAAA, CNAME, MX, TXT, NS, SRV, and CAA. If Cloudflare rate-limits a request, DNScheck surfaces the error so you can try again in a moment; monitoring continues on the normal sync schedule.

## DigitalOcean

**You need:** a Personal Access Token.

1. In the DigitalOcean control panel, go to **API → Tokens → Generate New Token**.
2. Give it **read and write** scope.
3. Copy the token.
4. In DNScheck, choose **DigitalOcean**, paste the token into **API token**, and connect.

DigitalOcean does not have a proxy concept, so the proxied flag is never shown for these records. Priority is supported for MX and SRV records. Record names are normalised to fully-qualified form for consistency.

## AWS Route 53

**You need:** an IAM access key (access key ID + secret access key), and optionally a region.

1. In the AWS IAM console, create (or reuse) a user or role and attach a policy allowing:
   - `route53:ListHostedZones`
   - `route53:ListResourceRecordSets`
   - `route53:ChangeResourceRecordSets`
2. Create an access key for that identity and copy the **access key ID** and **secret access key**.
3. In DNScheck, choose **AWS Route 53**, paste both values, and connect. **Region** is optional — Route 53 is a global service and DNScheck defaults to `us-east-1` for the control plane.

Some Route 53 records are managed by AWS and can't be edited through DNScheck. These are shown as **read-only**:

- **SOA** records
- **Apex NS** records (the nameservers for the zone itself)
- **Alias** records (Route 53's pointer-to-AWS-resource records)
- Records that use **routing policies** (weighted, latency, geolocation, etc.)

DNScheck still monitors these read-only records and reports changes — it just won't let you edit them from the dashboard.

## Testing and removing a connection

From the **Providers** list you can **test** a connection at any time (DNScheck re-checks the credentials and zone access) or **delete** it. Deleting a provider stops monitoring its zones; it does not change anything at the provider.

## Need help?

[Contact us](/contact) and we'll help you get connected.