DNS Audit Checklist — How to Perform a DNS Security Audit

A DNS audit is a systematic review of your DNS configuration. You check every record, verify security settings, and look for misconfigurations that could cause problems. Regular DNS audits catch issues before they cause downtime or security incidents.

Most DNS problems are not caused by malicious activity. They come from configuration drift: records that were set temporarily and never cleaned up, TTL values that are too high or too low, missing SPF records that affect email delivery, or orphaned subdomains that are vulnerable to takeover.

This checklist covers everything you should review during a DNS audit. Run through it quarterly or after any major infrastructure change.

DNS Record Audit

Start with a complete inventory of your DNS records. Export all zones from your provider and review every record. For each record, ask: does this record need to exist? Is the value correct? Is the TTL appropriate?

Check for obsolete records. Old A records pointing to servers you decommissioned years ago are common. They do not cause immediate problems, but they clutter your zone and could be exploited if someone registers the old IP address.

Verify that all A and AAAA records point to the correct IP addresses. If you use a load balancer or CDN, the IP addresses might change when the provider updates their infrastructure. Check that your records still point to the correct endpoints.

Review MX records for correctness. The priority values should be numbered sensibly, with at least one backup mail server at a lower priority. Missing MX records cause email delivery failures. Incorrect priorities cause email to queue or bounce.

DNS Security Audit

DNSSEC should be enabled on every domain that you own. Check that your zones are signed, the signatures are valid, and the DS records at your registrar match the current DNSKEYs. Expired DNSSEC signatures are a common problem — some providers do not auto-renew them.

Check for open zone transfers. Your DNS server should only allow zone transfers from authorized secondary servers. An open zone transfer allows anyone to download your entire DNS configuration, revealing all your subdomains and internal server names.

Review CAA records. These specify which certificate authorities can issue SSL certificates for your domain. If you have no CAA record, any CA can issue a certificate for your domain. Add a CAA record restricting issuance to your preferred CA.

Check for subdomain takeover vulnerabilities. Look for CNAME records pointing to external services that you no longer use. If the external service is deactivated, an attacker can register that service name and receive traffic intended for your subdomain.

Email Authentication Audit

Email authentication records are some of the most important DNS records for business. SPF records list which servers are authorized to send email for your domain. A misconfigured SPF record can cause legitimate email to be rejected and allows spammers to forge email from your domain.

Check your SPF record for syntax errors. The record should include all servers that send email for your domain and end with a hard fail (-all) or soft fail (~all) mechanism. Avoid SPF lookups that exceed the DNS lookup limit of 10. Each include: mechanism counts as a lookup.

Verify your DKIM records. Each email-sending service should have a unique DKIM selector with a valid public key. Check that the keys have not expired. Some email services rotate DKIM keys periodically and you need to update the DNS record when they do.

Confirm your DMARC record is published. DMARC tells receiving mail servers how to handle email that fails SPF or DKIM authentication. Start with a p=none policy to monitor without affecting delivery, then move to p=quarantine or p=reject once you confirm legitimate email passes authentication.

Performance and Configuration Audit

Review your TTL values. Records that change frequently should have short TTLs (300 seconds). Records that rarely change can have long TTLs (86400 seconds). Inconsistent TTL values across your zone can cause unpredictable caching behavior.

Check that you have at least two nameservers. A single nameserver is a single point of failure. Most providers include multiple nameservers by default, but verify they are all functioning and reachable from different geographic locations.

Test DNS resolution speed from multiple locations. Use our DNS speed test to measure response times for your domain. Slow resolution affects every visitor. If your DNS is slow, consider switching to a provider with an anycast network.

Review your DNS provider's status and reliability. Check their uptime history and recent incidents. If your provider has had multiple outages, it might be time to consider alternatives. Our DNS hosting comparison can help you evaluate options.

Automating Your DNS Audits

Manual audits are important, but they only capture a snapshot in time. DNS configuration changes between audits. Automating your audit checks catches issues as they happen instead of discovering them weeks later in a quarterly review.

Use DNS monitoring tools that continuously verify your records. Set up alerts for configuration changes, DNSSEC expiration, and record value mismatches. Many monitoring tools can also check for common configuration errors.

If you manage DNS through infrastructure-as-code (Terraform, Pulumi, CloudFormation), integrate validation checks into your deployment pipeline. Automatically verify DNS records after every change. Prevent deployments that would create invalid DNS configurations.

For ongoing DNS health monitoring, see our DNS monitoring guide. For a complete review of DNS security, see our DNSSEC guide.