DNS records security audit checklist showing CNAME dangling record check SPF DMARC review and nameserver verification
# website monitoring

How to Audit Your DNS Records for Security Issues

DNS is infrastructure that accumulates technical debt. Records added for a service you used three years ago, CNAMEs pointing to decommissioned servers, overly-permissive SPF records from a mail service you stopped using — none of these clean themselves up. A DNS security audit finds these problems before attackers do.

Step 1: Export Your Current DNS Records

Start with a full export of all DNS records for every domain and subdomain you operate.

Methods:

  • Log into your DNS provider (Cloudflare, Route 53, DNSimple, etc.) and export the zone file
  • Use dig to enumerate records for known subdomains
  • Use a zone transfer (AXFR) if your DNS provider allows it

For each domain, collect all: A, AAAA, CNAME, MX, TXT, NS, SOA, and CAA records.

Step 2: Audit CNAME Records for Dangling Targets

For every CNAME record, verify the target still exists and is still claimed by you.

Check each CNAME target:

# For each CNAME target, check if it exists
dig CNAME api.yourcompany.com
# If the target returns NXDOMAIN, the CNAME is dangling
dig your-app.herokuapp.com

High-risk CNAME targets to check:

  • *.herokuapp.com — Heroku free tier was shut down; any Heroku CNAMEs from before 2022 are suspect
  • *.netlify.app, *.vercel.app — deprovisioned deployments
  • *.github.io — GitHub Pages deployments for repos you may have deleted
  • *.s3.amazonaws.com — S3 static hosting buckets
  • *.azurewebsites.net, *.azurefd.net — Azure services
  • Third-party SaaS tools (Zendesk, HubSpot, Shopify) — subdomains from cancelled accounts

A CNAME pointing to a target that returns NXDOMAIN is a subdomain takeover risk. Remove the DNS record immediately.

Step 3: Review MX Records and Email Authentication

Verify MX records point to your actual mail provider:

Cross-reference your MX records against the documentation for your email provider (Google Workspace, Microsoft 365, Fastmail, etc.). Unexpected MX records are a serious signal.

Check SPF records:

dig TXT yourcompany.com | grep spf

Look for:

  • +all or ?all at the end — these effectively disable SPF enforcement; change to -all
  • include: entries for services you no longer use — remove them
  • Multiple SPF records (only one is valid; having two causes delivery issues)

Check DMARC:

dig TXT _dmarc.yourcompany.com

If no DMARC record exists, add one at minimum with p=none and a rua reporting address to start receiving reports. See how to monitor MX, SPF, DKIM, and DMARC for a full setup guide.

Check DKIM:

DKIM selectors are published as TXT records at {selector}._domainkey.yourcompany.com. Verify you have DKIM records for all active sending services and remove selectors for services you no longer use.

Step 4: Verify Nameservers

Confirm your nameservers are what you expect:

dig NS yourcompany.com

Cross-reference against your domain registrar's records. An unexpected nameserver is a high-priority finding — it may indicate domain hijacking. See DNS security monitoring for what nameserver changes signal.

Step 5: Review Unused Subdomains

List all subdomains in your DNS zone. For each subdomain:

  1. Does it still serve a live service?
  2. Do you know who owns and maintains it?
  3. If it's a CNAME, does the target still exist?

Subdomains for internal tools, staging environments, and old marketing campaigns often outlive their purpose. Delete unused records — they're attack surface you don't need.

Step 6: Check CAA Records

Certificate Authority Authorisation (CAA) records restrict which certificate authorities can issue SSL certificates for your domain. If you don't have CAA records, any CA can issue certificates for your domain.

dig CAA yourcompany.com

If no CAA records exist, add them to restrict issuance to your preferred CA (Let's Encrypt, DigiCert, etc.). See CAA records explained.

Ongoing DNS Security

A one-time audit is a starting point. Ongoing DNS monitoring ensures that any record changes — intentional or not — are detected immediately.

Domain Monitor monitors all DNS record types and alerts on any change, giving you continuous visibility without manual audits. Create a free account.

More posts

What Is a Subdomain Takeover and How to Prevent It

A subdomain takeover lets an attacker claim your subdomain by exploiting dangling DNS records. Learn how it happens, real-world examples, and how DNS monitoring detects it.

Read more
What Is Mean Time to Detect (MTTD)?

Mean time to detect (MTTD) measures how long it takes to discover an incident after it starts. Reducing MTTD is one of the highest-leverage improvements in reliability engineering.

Read more
What Is Black Box Monitoring?

Black box monitoring tests your systems from the outside, the way users experience them — without access to internal code or infrastructure. Learn how it works and when to use it.

Read more

Subscribe to our PRO plan.

Looking to monitor your website and domains? Join our platform and start today.

View pricing & plans