IT Operations & Cybersecurity Encyclopedia

Public DNS and domain records audit preparation guide

Public DNS and domain records control how customers, employees, email systems, cloud services, websites, VPNs, and third-party platforms find and trust the business online. A DNS audit preparation process reviews registrars, authoritative name servers, zone records, MX, SPF, DKIM, DMARC, CAA, TTLs, stale records, ownership, access control, and change history before problems become outages or security incidents.

Registrar, DNS zones, and ownershipMX, SPF, DKIM, DMARC, CAA, and TTLsStale records, change control, and audit evidence

Why it matters

Use DNS audit preparation to reduce outage and impersonation risk

DNS is easy to overlook because it usually works quietly until a domain expires, an MX record changes, email authentication fails, an old vendor hostname remains active, or a critical service points to the wrong destination. Public DNS also affects phishing resistance, brand trust, email delivery, certificate issuance, cloud services, and incident response.

A strong audit preparation process creates a clean inventory of domains, registrars, DNS hosts, records, owners, business purpose, security settings, and change controls. It also identifies stale, risky, duplicate, or undocumented records before an auditor, attacker, or outage exposes them.

Practical rule: Every public DNS record should have a business purpose, owner, approved destination, review date, and removal plan when the service is retired.

Review scope

Areas to review in public DNS and domain records

Domain ownership

Review registrars, contacts, expiration, MFA, lock status, billing ownership, renewal process, and administrative access.

Authoritative DNS

Confirm delegated name servers, DNS hosting provider, zone exports, redundancy, and change-control ownership.

Email records

Validate MX, SPF, DKIM, DMARC, third-party senders, alignment, reporting, and Microsoft 365 email authentication.

Web and cloud records

Review A, AAAA, CNAME, CDN, website, SaaS, VPN, remote access, cloud validation, and certificate-related records.

Stale and risky records

Find dangling CNAMEs, old vendors, unused TXT validation, wildcard records, duplicate records, and undocumented subdomains.

Change and incident process

Document who can change DNS, how emergency changes work, TTL strategy, rollback, and audit evidence retention.

Review matrix

Public DNS audit preparation matrix

Area What to verify Questions to answer Evidence
Domain expiration risk A domain expires or renewal is tied to one person, old email, or expired payment method. Confirm auto-renewal, registrar lock, billing owner, contacts, MFA, and renewal calendar. Who is accountable for renewal?
Weak email authentication SPF, DKIM, or DMARC is missing, misaligned, too permissive, or undocumented. Review Microsoft 365 and third-party senders, align domains, monitor reports, and tighten policy in phases. Can attackers spoof this domain easily?
Stale vendor record DNS still points to an old SaaS, hosting, marketing, validation, or remote access service. Confirm owner and current use, remove unused records, and document the retirement decision. What happens if this hostname is reused or hijacked?
Dangling CNAME A CNAME points to a service that is no longer claimed or provisioned. Validate target ownership, remove or reclaim the service, and monitor for recurrence. Could this become a subdomain takeover path?
Uncontrolled changes Multiple users or vendors can change DNS without approval or documentation. Restrict access, require MFA, document changes, and keep rollback-ready exports. Would the team know who changed a critical record?

Step-by-step review

Public DNS audit preparation runbook

1

Inventory domains and registrars

List every owned domain, registrar, expiration date, lock status, MFA status, billing owner, and administrative contact.

2

Export DNS zones

Capture current records from authoritative DNS providers and document purpose, owner, destination, and review date.

3

Review email authentication

Validate MX, SPF, DKIM, DMARC, third-party senders, reporting, alignment, and phased enforcement plans.

4

Identify stale records

Find old vendor records, dangling CNAMEs, unused subdomains, wildcard entries, old TXT records, and duplicate records.

5

Verify access and change control

Review who can change registrar or DNS settings, require MFA, capture change history, and document emergency process.

6

Remediate and recheck

Remove stale records carefully, update owners, adjust TTLs where needed, and re-export records after changes.

Common risks

Common DNS audit preparation mistakes

No domain owner

Domains tied to one person’s email, card, or registrar account can create renewal and access risk.

Stale validation records

Old TXT records for SaaS, hosting, mail, or security tools can clutter zones and confuse audits.

Permissive SPF

Broad SPF includes, too many senders, or missing alignment can weaken email authentication.

DMARC never enforced

A monitor-only policy may be a good start, but it should have a roadmap, reporting, and owner review.

Dangling CNAMEs

Records pointing to unclaimed services can create takeover opportunities if not removed.

No rollback export

DNS changes should start with a zone export and rollback plan because mistakes can affect email and public services.

Related support

Where IT Perfection can help

IT Perfection can help inventory, document, monitor, and remediate public DNS and domain records through managed IT services, including Microsoft 365, domain registrar coordination, email authentication, and website support.

When DNS findings affect phishing risk, domain spoofing, audit readiness, cloud exposure, or incident response, OC Security Audit can provide cybersecurity assessment support.

Created by Ali Hassani, CISO

DNS audit perspective from Ali Hassani

Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.

This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.

Public DNS is small text with big business impact

Ali Hassani, CISO and IT infrastructure consultant, has 25+ years of experience across Microsoft 365, DNS, cybersecurity, compliance, managed IT, email security, and infrastructure operations. DNS audits help organizations reduce outage risk, phishing exposure, and undocumented external dependencies.

Related validation tools

Security validation tools for Public DNS and Domain Records Audit Preparation Guide

After reviewing this IT Perfection guide, administrators can use these OC Security Audit resources to validate the same control areas from a security, audit-readiness, or risk-review perspective.

Compliance Readiness Assessment

Use this to review control maturity, audit evidence, policy/process gaps, and compliance readiness across major frameworks.

These tools are for initial guidance only and do not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.

FAQ

Public DNS and domain records FAQ

What should be included in a DNS audit?

Include domains, registrars, name servers, DNS zones, MX, SPF, DKIM, DMARC, CAA, A, AAAA, CNAME, TXT, SRV, owners, and stale records.

Why do stale DNS records matter?

Stale records can point to old vendors, unclaimed services, retired systems, or confusing destinations that create security and operational risk.

What is DMARC used for?

DMARC helps domain owners define how receiving mail systems should handle messages that fail SPF or DKIM alignment and provides reporting.

How often should public DNS be reviewed?

Review critical domains at least quarterly and after website, email, SaaS, hosting, Microsoft 365, merger, vendor, or branding changes.

Can IT Perfection help with DNS audit preparation?

Yes. IT Perfection can inventory records, verify Microsoft 365 email authentication, document owners, remove stale records, and support remediation.

Public DNS audit validation tools for administrators

After reviewing public DNS and domain records audit preparation, administrators can use these OC Security Audit resources to validate DNS posture, domain ownership, email authentication, public exposure, SaaS exposure, and audit-readiness evidence tied to external records. These tools are for initial guidance only and do not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review. These tools are for initial guidance only and do not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.

Audit Readiness Scorecard

Use this when public DNS and domain evidence must support external audit, cyber insurance, or compliance readiness.

For broader security-specific checks, review the OC Security Audit free cybersecurity assessment tools library and choose only the tools that match the DNS and domain audit scope.