diff --git a/.aws/deploy/backend-task-definition.prod.json b/.aws/deploy/backend-task-definition.prod.json index 4de452228..475663f24 100644 --- a/.aws/deploy/backend-task-definition.prod.json +++ b/.aws/deploy/backend-task-definition.prod.json @@ -103,6 +103,7 @@ "valueFrom": "PROD_INCOMING_QUEUE_URL" }, { "name": "JWT_SECRET", "valueFrom": "PROD_JWT_SECRET" }, + { "name": "KEYCDN_API_KEY", "valueFrom": "PROD_KEYCDN_API_KEY" }, { "name": "MAX_NUM_OTP_ATTEMPTS", "valueFrom": "PROD_MAX_NUM_OTP_ATTEMPTS" @@ -132,6 +133,11 @@ "name": "REDIRECT_URI", "valueFrom": "PROD_REDIRECT_URI" }, + { + "name": "REDIRECTION_REPO_GITHUB_TOKEN", + "valueFrom": "PROD_REDIRECTION_REPO_GITHUB_TOKEN" + }, + { "name": "REDIS_HOST", "valueFrom": "PROD_REDIS_HOST" }, { "name": "SESSION_SECRET", "valueFrom": "PROD_SESSION_SECRET" diff --git a/.aws/deploy/backend-task-definition.staging.json b/.aws/deploy/backend-task-definition.staging.json index 2dcaa69a4..5c55e8f4d 100644 --- a/.aws/deploy/backend-task-definition.staging.json +++ b/.aws/deploy/backend-task-definition.staging.json @@ -112,6 +112,7 @@ "valueFrom": "STAGING_INCOMING_QUEUE_URL" }, { "name": "JWT_SECRET", "valueFrom": "STAGING_JWT_SECRET" }, + { "name": "KEYCDN_API_KEY", "valueFrom": "STAGING_KEYCDN_API_KEY" }, { "name": "MAX_NUM_OTP_ATTEMPTS", "valueFrom": "STAGING_MAX_NUM_OTP_ATTEMPTS" @@ -141,6 +142,11 @@ "name": "REDIRECT_URI", "valueFrom": "STAGING_REDIRECT_URI" }, + { + "name": "REDIRECTION_REPO_GITHUB_TOKEN", + "valueFrom": "STAGING_REDIRECTION_REPO_GITHUB_TOKEN" + }, + { "name": "REDIS_HOST", "valueFrom": "STAGING_REDIS_HOST" }, { "name": "SESSION_SECRET", "valueFrom": "STAGING_SESSION_SECRET" diff --git a/.aws/deploy/support-task-definition.prod.json b/.aws/deploy/support-task-definition.prod.json index 0c62d5ff6..f5b5b5863 100644 --- a/.aws/deploy/support-task-definition.prod.json +++ b/.aws/deploy/support-task-definition.prod.json 
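Review bot: The backend task definitions (second hunk of the prod and staging files) now inject `REDIRECTION_REPO_GITHUB_TOKEN`, yet this same commit removes the `MonitoringService` import from `src/server.ts`, and the only visible consumer of the token is `MonitoringWorker`, which `support/index.ts` instantiates. If the backend no longer runs monitoring, handing its container a GitHub credential widens exposure for no benefit; the entry looks necessary only because `config.ts` declares the key as `required-string` for every process that loads the config. Likewise `KEYCDN_API_KEY` is added in the first hunk of each file, but no config entry or reader for it appears in this diff, so it should either be wired up here or held back until the code that uses it lands. Whatever store these `valueFrom` names resolve against must hold both values in each environment before deployment, since a container task (presumably ECS, given the path) will not start when a referenced secret cannot be fetched. The second hunk of each backend file also adds an empty line after the new entry that the support task definitions do not have.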
@@ -128,6 +128,10 @@ "name": "REDIRECT_URI", "valueFrom": "PROD_REDIRECT_URI" }, + { + "name": "REDIRECTION_REPO_GITHUB_TOKEN", + "valueFrom": "PROD_REDIRECTION_REPO_GITHUB_TOKEN" + }, { "name": "REDIS_HOST", "valueFrom": "PROD_REDIS_HOST" }, { "name": "SESSION_SECRET", diff --git a/.aws/deploy/support-task-definition.staging.json b/.aws/deploy/support-task-definition.staging.json index dac20c2ef..e8e21b0ab 100644 --- a/.aws/deploy/support-task-definition.staging.json +++ b/.aws/deploy/support-task-definition.staging.json @@ -137,6 +137,10 @@ "name": "REDIRECT_URI", "valueFrom": "STAGING_REDIRECT_URI" }, + { + "name": "REDIRECTION_REPO_GITHUB_TOKEN", + "valueFrom": "STAGING_REDIRECTION_REPO_GITHUB_TOKEN" + }, { "name": "REDIS_HOST", "valueFrom": "STAGING_REDIS_HOST" }, { "name": "SESSION_SECRET", diff --git a/src/config/config.ts b/src/config/config.ts index 5e2cebb69..87438fb99 100644 --- a/src/config/config.ts +++ b/src/config/config.ts @@ -254,6 +254,13 @@ const config = convict({ format: "required-string", default: "", }, + redirectionRepoGithubToken: { + doc: "Github access to read opengovsg/isomer-redirection", + env: "REDIRECTION_REPO_GITHUB_TOKEN", + sensitive: true, + format: "required-string", + default: "", + }, }, dataDog: { env: { diff --git a/src/monitoring/MonitoringWorker.ts b/src/monitoring/MonitoringWorker.ts index 91f102211..e9ad12a0c 100644 --- a/src/monitoring/MonitoringWorker.ts +++ b/src/monitoring/MonitoringWorker.ts 
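Review bot: The `doc` string for `redirectionRepoGithubToken` in `src/config/config.ts` does not state what the token is permitted to do, which is what the next person rotating it needs to know. Suggest `doc: "GitHub token with read-only access to opengovsg/isomer-redirection, used by MonitoringWorker",` and issuing the token with exactly that scope. Because the format is `required-string` with `default: ""`, every process that validates this config must be given the secret even if it never calls GitHub with it. If only the support service needs it, an optional format with a presence check at the point of use would keep it out of the backend container. The enclosing `github` block starts outside the hunk.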
@@ -106,14 +106,16 @@ export default class MonitoringWorker { * @returns List of redirection domains that are listed in the isomer-redirection repository */ getRedirectionDomains() { - const SYSTEM_GITHUB_TOKEN = config.get("github.systemToken") + const REDIRECTION_REPO_GITHUB_TOKEN = config.get( + "github.redirectionRepoGithubToken" + ) // seems to be a bug in typing, this is a direct // copy paste from the octokit documentation // https://octokit.github.io/rest.js/v20#automatic-retries // eslint-disable-next-line @typescript-eslint/no-explicit-any const OctokitRetry = Octokit.plugin(retry as any) const octokitWithRetry: Octokit = new OctokitRetry({ - auth: SYSTEM_GITHUB_TOKEN, + auth: REDIRECTION_REPO_GITHUB_TOKEN, request: { retries: 5 }, }) diff --git a/src/server.ts b/src/server.ts index 58ff93c66..0b17a9324 100644 --- a/src/server.ts +++ b/src/server.ts @@ -81,7 +81,6 @@ import { mailer } from "@services/utilServices/MailClient" import { apiLogger } from "./middleware/apiLogger" import { NotificationOnEditHandler } from "./middleware/notificationOnEditHandler" -import MonitoringService from "./monitoring" import getAuthenticatedSubrouter from "./routes/v2/authenticated" import { ReviewsRouter } from "./routes/v2/authenticated/review" import getAuthenticatedSitesSubrouter from "./routes/v2/authenticatedSites" diff --git a/src/utils/dns-utils.ts b/src/utils/dns-utils.ts index 8752663e4..864d9b42e 100644 --- a/src/utils/dns-utils.ts +++ b/src/utils/dns-utils.ts @@ -55,6 +55,17 @@ export default function getDnsCheckerMessage( intermediateRecords: string[] | null, redirectionRecords: string[] | null ): Result { + console.log({ + domain, + cnameDomain, + redirectionDomain, + cnameRecord, + indirectionDomain, + intermediateRecords, + redirectionRecords, + }) + const isKeyCdnDomain = cnameRecord?.endsWith("key.kxcdn.com") + // Domain has a CNAME pointing to one of our known suffixes const isDomainCnameCorrect = !!cnameRecord && 
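Review bot: The doc comment above `getRedirectionDomains` does not say which credential the method authenticates with, and this hunk changes exactly that. Suggest adding a line such as `* Authenticates with github.redirectionRepoGithubToken, which is intended to grant read access to the isomer-redirection repository only.` The local is also written in CONSTANT_CASE although it is an ordinary function-scoped `const`; `redirectionRepoToken` would follow the usual TypeScript naming. The method body continues past the end of the hunk.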
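Review bot: The `console.log({ ... })` added at the top of `getDnsCheckerMessage` in `src/utils/dns-utils.ts`, and the three `console.log` calls added to `dnsMonitor` in the next two hunks of the same file, read as debugging output and bypass the project logger (`@root/logger/logger`, imported in `support/index.ts`). They print every resolved record for every monitored domain on each run with no level or context, so they should be removed or moved to the logger at a debug level before merge. `isKeyCdnDomain` is assigned but not used in any visible line. Its suffix test also has no leading dot, so if a subdomain match is what is intended, `cnameRecord?.endsWith(".key.kxcdn.com")` would be stricter. The function body continues outside the hunk.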
@@ -171,8 +182,10 @@ export default function getDnsCheckerMessage( } export function dnsMonitor(domain: string): ResultAsync { + console.log("in dns monitor", domain) return checkCname(domain) .andThen((cname) => { + console.log({ cname }) // Original domain does not have a CNAME record, check if the www // version has a valid CNAME record if (!cname && !domain.startsWith("www.")) { @@ -182,10 +195,10 @@ export function dnsMonitor(domain: string): ResultAsync { checkCname(cnameDomain), ]) } - return ResultAsync.combine([okAsync(domain), okAsync(cname)]) }) .andThen(([cnameDomain, cnameRecord]) => { + console.log("indirection domain getting") // Original and www version of the domain do not have a CNAME record, // check if our indirection domain is still correct if (!cnameRecord) { diff --git a/support/index.ts b/support/index.ts index 535aeab29..6568d5fa7 100644 --- a/support/index.ts +++ b/support/index.ts @@ -7,7 +7,7 @@ import { useSharedMiddleware } from "@common/middleware" import { config } from "@root/config/config" import logger from "@root/logger/logger" import MonitoringService from "@root/monitoring/MonitoringService" -import MonitoringWorker from "@root/monitoring/monitoringWorker" +import MonitoringWorker from "@root/monitoring/MonitoringWorker" import { ROUTE_VERSION } from "./constants" import { v2Router } from "./routes" @@ -24,6 +24,9 @@ infraService.pollMessages() export const monitoringWorker = new MonitoringWorker({ launchesService, }) +// dnsMonitor("isomer.gov.sg").mapErr(console.log).map(console.log) +// todo: remove after testing +monitoringWorker.driver() export const monitoringService = new MonitoringService({ monitoringWorker,
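Review bot: In the last hunk of `support/index.ts`, `monitoringWorker.driver()` is called at module load under a `todo: remove after testing` comment, so as written every start of the support service, in every environment, runs the driver immediately. What `driver()` does is not visible here, but if it returns a promise its rejection is unhandled at this call site. These three added lines, including the commented-out `dnsMonitor("isomer.gov.sg")` call, should be dropped before merge. If a run on start-up is actually wanted, make it an explicit, config-gated call with error handling.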