How to Audit DNS Records Across Your Domain Portfolio

Learn how to audit DNS records across your domain portfolio. Covers audit checklists, identifying stale records, security gaps, and automating ongoing audits.

Last updated: 2026-02-17

DNS zones accumulate cruft. Every service integration adds records. Every migration leaves remnants. Every experiment creates entries that nobody remembers to clean up. Over time, your DNS configuration drifts from its intended state, and that drift introduces security vulnerabilities, operational confusion, and wasted resources.

A DNS record audit is the process of systematically reviewing every record across your domains, identifying what should stay, what should go, and what is missing. This guide covers how to perform a thorough audit, what to look for, and how to keep your zones clean going forward.

Why Audit DNS Records?

Most organizations treat DNS as "set and forget." Records are added when services are configured, but rarely reviewed afterward. This leads to several problems:

Stale records create security risks

A CNAME record pointing to a deprovisioned cloud service is a subdomain takeover vulnerability. An attacker can claim the abandoned service endpoint and serve malicious content on your subdomain.

Outdated SPF records harm email deliverability

SPF records that include services you no longer use consume part of the 10-DNS-lookup budget that RFC 7208 imposes on SPF evaluation; exceed it and receivers return a permerror, which does not count as a pass for DMARC. Worse, if the old service's IP range is reassigned, you may be authorizing unknown servers to send email as your domain.

Redundant records cause confusion

Multiple A records for the same subdomain, or conflicting CNAME and A records, lead to unpredictable resolution behavior that is difficult to debug.

Missing records leave gaps

A domain without DMARC is vulnerable to email spoofing. A domain without CAA records allows any certificate authority to issue certificates for it. Auditing reveals these gaps.

Pre-Audit Preparation

Before starting the audit, gather:

  1. A complete list of all domains your organization owns. Check your registrar accounts, procurement records, and billing statements. Shadow IT domains often exist outside the main registrar.
  2. A list of all active services that use DNS: web hosting, email providers, CDNs, SaaS tools, marketing platforms, API services, and internal tools.
  3. Access to DNS provider dashboards for every domain. You need to view and export zone files.
  4. The expected configuration for each domain. If documentation does not exist, the audit itself will create it.

Start with an inventory

You cannot audit what you do not know about. The first step in any DNS audit is a complete domain inventory. Many organizations discover domains they forgot they owned during this process.

The DNS Audit Checklist

Work through this checklist for every domain in your portfolio.

1. Nameserver Delegation

  1. Verify NS records at the registrar

Confirm that the nameservers at the registrar match your intended DNS provider, and that the NS records inside the zone agree with them. Flag any domain pointing to a provider you no longer use.

  2. Confirm all listed nameservers respond

Query each nameserver individually. A nameserver that does not respond, returns REFUSED or SERVFAIL, or answers without the authoritative (aa) flag set indicates a broken or lame delegation.

  3. Check for consistent responses across nameservers

All nameservers for a domain should return identical records. Inconsistencies indicate a synchronization problem at your DNS provider, or a secondary that has not received the latest zone.

2. A and AAAA Records

  • Verify each A/AAAA record points to a server you control and that is currently active
  • Check for records pointing to decommissioned servers or old IP addresses
  • Identify wildcard records (*.example.com) and confirm they are intentional
  • Ensure the root domain and www subdomain both resolve correctly

3. CNAME Records

  • Identify all CNAME records and verify the targets still exist
  • Flag CNAME records pointing to third-party services you no longer use (subdomain takeover risk)
  • Check for CNAME records at the zone apex (invalid per RFC 1034: a CNAME cannot coexist with the SOA and NS records every apex must carry, and providers that accept one produce unpredictable resolution)
  • Verify CNAME records do not coexist with other record types at the same name

Dangling CNAMEs are high-priority findings

A CNAME record pointing to a service you have deprovisioned (like an old Heroku app, Azure instance, or S3 bucket) can be claimed by an attacker. They register the target hostname and serve content on your subdomain. Remove dangling CNAMEs immediately.

4. MX Records

  • Confirm MX records point to your current email provider
  • Remove MX records for previous email providers
  • Verify priority values are correctly ordered (the lowest value is tried first; backups get higher values)
  • Ensure each MX hostname resolves directly to an A or AAAA record; an MX target must not be a CNAME (RFC 2181)

5. TXT Records

This is typically where the most clutter accumulates.

| TXT Record Type | What to Check | Common Issue |
|-----------------|---------------|--------------|
| SPF | All includes are current services | Includes for old services wasting the lookup limit |
| DKIM | Keys match current email provider | Old DKIM keys from previous provider still present |
| DMARC | Policy is quarantine or reject, not none | DMARC still in monitoring mode after initial rollout |
| Domain verification | Token is for an active service | Verification tokens for trials or cancelled services |
| Site verification | Ownership is still valid | Google/Bing verification for accounts you no longer manage |
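The SPF and DMARC rows of this table are the ones that need more than a visual check: the lookup budget is only visible once every include: and redirect= has been followed, and a stale include is only a problem if you know which services you have dropped. The following is an added Python example, not tooling from the original page; the TXT answers in FAKE_TXT, the hostnames and the address ranges are constructed assumptions standing in for live DNS lookups.

```python
import re

# Constructed TXT answers standing in for live DNS lookups; the domains,
# hosts and address ranges are illustrative assumptions, not real services.
FAKE_TXT = {
    "example.com": ["v=spf1 include:_spf.mailhost.example include:spf.oldcrm.example "
                    "ip4:203.0.113.0/24 -all"],
    "_spf.mailhost.example": ["v=spf1 include:a.mailhost.example include:b.mailhost.example ~all"],
    "a.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "b.mailhost.example": ["v=spf1 a mx -all"],
    "spf.oldcrm.example": ["v=spf1 ip4:192.0.2.0/24 +all"],   # sloppy third party
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Terms that cost a DNS query against the limit of 10 (RFC 7208, section 4.6.4).
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10


def spf_records(name, txt):
    return [r for r in txt.get(name, []) if r.lower().startswith("v=spf1")]


def _walk(name, txt, path, issues):
    """Return (lookups, included names) for the SPF record at name, recursing
    into include: and redirect= so nested lookups are charged to the caller."""
    recs = spf_records(name, txt)
    if not recs:
        issues.append(f"{name}: no SPF record")
        return 0, []
    if len(recs) > 1:
        issues.append(f"{name}: multiple SPF records (permerror)")
    lookups, included = 0, []
    for term in recs[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        key = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        arg = body[len(key) + 1:]
        if key not in MECHANISMS and "=" not in body:
            issues.append(f"{name}: unknown term {term!r}")
            continue
        if key in COUNTED:
            lookups += 1
        if key == "all" and qualifier == "+":
            issues.append(f"{name}: +all permits any sender")
        if key in ("include", "redirect"):
            target = arg.rstrip(".")
            included.append(target)
            if target in path:                      # guard against include loops
                issues.append(f"{name}: include loop via {target}")
                continue
            sub_lookups, sub_included = _walk(target, txt, path + [target], issues)
            lookups += sub_lookups
            included += sub_included
    return lookups, included


def audit_email_auth(domain, txt=FAKE_TXT, deprovisioned=()):
    """Audit SPF (lookup budget, +all, stale includes) and the DMARC policy."""
    issues = []
    lookups, included = _walk(domain, txt, [domain], issues)
    if lookups > LOOKUP_LIMIT:
        issues.append(f"{domain}: {lookups} lookups exceed the limit of {LOOKUP_LIMIT} (permerror)")
    for inc in included:
        if inc in deprovisioned:
            issues.append(f"{domain}: include of deprovisioned service {inc}")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    policy = None
    if dmarc:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        policy = tags.get("p")
    if policy is None:
        issues.append(f"{domain}: no DMARC record or policy")
    elif policy == "none":
        issues.append(f"{domain}: DMARC p=none only monitors; move to quarantine or reject")
    return {"spf_lookups": lookups, "includes": included,
            "dmarc_policy": policy, "issues": issues}
```

Running audit_email_auth("example.com", deprovisioned=("spf.oldcrm.example",)) against the constructed data reports six lookups (well under the limit, but note that four of them are hidden inside a single include), flags the third party's +all, the include of a service you have dropped, and the DMARC record still in p=none. To use it against real zones, replace FAKE_TXT with a function that issues TXT queries.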

6. Security Records

  • CAA records: Should be present, limiting which certificate authorities can issue certificates for your domain
  • DMARC: Should exist at _dmarc.yourdomain.com with a policy of quarantine or reject
  • DNSSEC: If enabled, verify signatures are valid and DS records at the registrar are current

7. SOA Record

  • Verify the administrator email address (the SOA RNAME field, written with the @ replaced by a dot) is current and reaches someone
  • Check that serial numbers increment properly (relevant if using zone transfers)
  • Confirm refresh and retry intervals are reasonable

Automate Your DNS Audits

DNS Monitor continuously compares your live DNS records against your expected baseline, flagging discrepancies and unauthorized changes automatically.

Performing the Audit

Exporting and Reviewing Zone Data

For each domain, export the zone file from your DNS provider or query all record types:

# Query all major record types for a domain
domain=example.com
for type in A AAAA CNAME MX NS TXT SOA CAA SRV; do
  echo "=== $type ==="
  dig "$domain" "$type" +short
done

# For subdomains, query each known subdomain
for sub in www mail api staging blog shop; do
  echo "=== $sub ==="
  dig "$sub.$domain" A +short
  dig "$sub.$domain" CNAME +short
done

Building an Audit Spreadsheet

For each record found, document:

| Field | Purpose |
|-------|---------|
| Domain | Which domain the record belongs to |
| Name | The full record name (e.g., www.example.com) |
| Type | Record type (A, CNAME, MX, TXT, etc.) |
| Value | The record's current value |
| Expected Value | What the value should be |
| Owner | The service or team that uses this record |
| Status | Active, Stale, Unknown, or Missing |
| Action | Keep, Update, Remove, or Add |

Identifying Stale Records

Records are stale when they reference services, servers, or configurations that are no longer active. Common indicators:

  • A records pointing to IP addresses not in your current infrastructure
  • CNAME records targeting hostnames that return NXDOMAIN
  • TXT records containing verification tokens for services you do not use
  • MX records for email providers you have migrated away from
  • SPF includes for services you have deprovisioned

Identifying Security Gaps

Records are missing when a security best practice requires them but they are absent:

  • No SPF record (or SPF with +all)
  • No DMARC record
  • No CAA record
  • DMARC with p=none after the monitoring period should have ended
  • Missing DKIM records for active email-sending services
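Most of the stale-record indicators and security gaps listed above can be derived mechanically from a zone export plus two pieces of context: which external targets still resolve, and which address space you own. The following added Python example (not the page's own tooling) parses a small BIND-style export, runs the CNAME, MX, A/AAAA, wildcard and missing-record checks from the checklist, and emits rows in the shape of the audit spreadsheet. The zone, EXTERNAL_RESOLVES and OWNED_NETS are constructed assumptions standing in for a real export, live lookups and your asset inventory.

```python
import ipaddress

# Constructed zone export for the fictional domain example.com; every name,
# address and third-party hostname below is an illustrative assumption.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@       IN SOA   ns1.example.com. hostmaster.example.com. 2026021701 7200 900 1209600 300
@       IN NS    ns1.example.com.
@       IN NS    ns2.example.com.
@       IN A     203.0.113.10
www     IN A     203.0.113.10
old     IN A     198.51.100.9
shop    IN CNAME shop-prod.platform-host.example.
blog    IN CNAME retired-blog.platform-host.example.
blog    IN A     203.0.113.20
api     IN CNAME api-lb.example.com.
api-lb  IN A     203.0.113.30
@       IN MX    10 mail.example.com.
mail    IN CNAME relay.mailhost.example.
*       IN A     203.0.113.10
@       IN TXT   "v=spf1 ip4:203.0.113.0/24 -all"
"""

# Stand-ins for what a live audit learns from DNS and the asset inventory:
# external targets that still resolve, and the address space you own.
EXTERNAL_RESOLVES = {"shop-prod.platform-host.example", "relay.mailhost.example"}
OWNED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_zone(text):
    """Parse a minimal BIND-style zone into (origin, [(fqdn, type, rdata)])."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or (line.startswith("$") and not line.startswith("$ORIGIN")):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        parts = line.split()
        name = parts.pop(0)
        while parts[0].isdigit() or parts[0] == "IN":  # optional TTL and class
            parts.pop(0)
        rtype, rdata = parts[0].upper(), " ".join(parts[1:]).strip('"')
        fqdn = origin if name == "@" else (name.rstrip(".") if name.endswith(".") else f"{name}.{origin}")
        records.append((fqdn, rtype, rdata))
    return origin, records


def audit_zone(text, external=EXTERNAL_RESOLVES, owned=OWNED_NETS):
    """Return audit-spreadsheet rows: name, type, value, status, action, note."""
    origin, records = parse_zone(text)
    types_at = {}
    for name, rtype, _ in records:
        types_at.setdefault(name, set()).add(rtype)
    findings = []

    def resolves(host):
        return host in types_at or host in external

    def flag(name, rtype, value, status, action, note):
        findings.append({"name": name, "type": rtype, "value": value,
                         "status": status, "action": action, "note": note})

    for name, rtype, rdata in records:
        if rtype == "CNAME":
            target = rdata.rstrip(".")
            if name == origin:
                flag(name, rtype, rdata, "Unknown", "Update", "CNAME at zone apex is invalid")
            others = sorted(types_at[name] - {"CNAME"})
            if others:
                flag(name, rtype, rdata, "Unknown", "Update", f"CNAME coexists with {others}")
            if not resolves(target):
                flag(name, rtype, rdata, "Stale", "Remove",
                     "dangling CNAME: target does not resolve (takeover risk)")
        elif rtype == "MX":
            host = rdata.split()[-1].rstrip(".")
            if "CNAME" in types_at.get(host, ()):
                flag(name, rtype, rdata, "Unknown", "Update",
                     f"MX target {host} is a CNAME; it must resolve directly to A/AAAA")
            elif not resolves(host):
                flag(name, rtype, rdata, "Stale", "Update", f"MX target {host} does not resolve")
        elif rtype in ("A", "AAAA"):
            if not any(ipaddress.ip_address(rdata) in net for net in owned):
                flag(name, rtype, rdata, "Stale", "Update", "address outside owned ranges")
            if name.startswith("*."):
                flag(name, rtype, rdata, "Unknown", "Keep", "wildcard: confirm it is intentional")

    apex_txt = [r for n, t, r in records if n == origin and t == "TXT"]
    if not any(r.lower().startswith("v=spf1") for r in apex_txt):
        flag(origin, "TXT", "", "Missing", "Add", "no SPF record")
    if f"_dmarc.{origin}" not in types_at:
        flag(f"_dmarc.{origin}", "TXT", "", "Missing", "Add", "no DMARC record")
    if "CAA" not in types_at.get(origin, ()):
        flag(origin, "CAA", "", "Missing", "Add", "no CAA record: any CA may issue")
    return findings
```

On the constructed zone, audit_zone(SAMPLE_ZONE) produces seven rows: the retired blog CNAME (dangling, and coexisting with an A record at the same name), the old server address outside the owned range, the MX whose target is a CNAME, the wildcard to confirm, and the missing DMARC and CAA records. The resolves() stub is the piece to replace with real queries; treat NXDOMAIN on a third-party target as the takeover signal, not merely as clutter.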

Remediation

After completing the audit, prioritize fixes:

  1. Remove dangling CNAMEs immediately

These are active security vulnerabilities. Remove or update any CNAME pointing to a deprovisioned service. This is the highest-priority finding.

  2. Fix email authentication records

Update SPF to remove old includes, add missing DKIM records, and upgrade DMARC from none to quarantine or reject.

  3. Add missing security records

Create CAA records to restrict certificate issuance. Enable DNSSEC if your provider supports it, and publish the matching DS record at the registrar.

  4. Clean up stale records

Remove old verification tokens, decommissioned server IPs, and any other records that no longer serve a purpose.

  5. Document the clean state

After remediation, export the zone files and store them as the new baseline. This is the known-good state against which future audits will compare.

Audit Frequency

| Organization Size | Domain Count | Recommended Frequency |
|-------------------|--------------|-----------------------|
| Small | 1-10 domains | Quarterly |
| Medium | 10-50 domains | Monthly |
| Large | 50-200 domains | Monthly with automated scanning |
| Enterprise | 200+ domains | Continuous automated monitoring |

Between formal audits, automated DNS monitoring provides continuous visibility. A monitoring tool that alerts you to record changes as they happen effectively turns audit findings from stale discoveries into real-time detections.

Automating Ongoing Audits

Manual audits are thorough but labor-intensive. For domains that change frequently or portfolios with many domains, automation is essential:

  • Baseline snapshots: Capture the current state of all records after each audit and monitor for deviations
  • Scheduled full queries: Automatically query all record types for all domains on a regular schedule
  • Change alerting: Get notified immediately when any record changes, so you can evaluate whether the change was authorized
  • Drift detection: Compare live DNS against your documented expected state and flag discrepancies
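Baseline snapshots, change alerting and drift detection all reduce to comparing two record sets, and the same comparison answers the cross-nameserver consistency question from the delegation section of the checklist. The following added Python example (not the page's own tooling) classifies drift between a stored baseline and a live snapshot, ranks the resulting alerts, and checks that every delegated nameserver answered and agreed. BASELINE, the per-nameserver answers in LIVE and the severity rules are constructed assumptions; in practice the snapshots come from a zone export or from querying each nameserver in the delegation.

```python
# Constructed snapshots. Records are (name, type, value) tuples; every name
# and address here is an illustrative assumption.
BASELINE = {
    ("example.com", "MX", "10 mail.example.com."),
    ("www.example.com", "A", "203.0.113.10"),
    ("shop.example.com", "CNAME", "shop-prod.platform-host.example."),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
}
DOWNGRADED_DMARC = ("_dmarc.example.com", "TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
NEW_DEV = ("dev.example.com", "A", "198.51.100.5")
_current = {r for r in BASELINE if r[1] != "TXT"} | {DOWNGRADED_DMARC}

# What each delegated nameserver answered today; None models a timeout or REFUSED.
# ns2 lags behind ns1 (it has not received the dev record yet) and ns3 is down.
LIVE = {
    "ns1.example.com": _current | {NEW_DEV},
    "ns2.example.com": _current,
    "ns3.example.com": None,
}

HIGH_RISK_TYPES = {"NS", "MX", "CAA", "DS"}


def values(records, key):
    return sorted(v for n, t, v in records if (n, t) == key)


def diff_records(expected, observed):
    """Classify drift between two record sets as added, removed or changed."""
    removed, added = expected - observed, observed - expected
    changed_keys = {r[:2] for r in removed} & {r[:2] for r in added}
    return {
        "added": sorted(r for r in added if r[:2] not in changed_keys),
        "removed": sorted(r for r in removed if r[:2] not in changed_keys),
        "changed": {k: (values(expected, k), values(observed, k)) for k in sorted(changed_keys)},
    }


def severity(name, rtype):
    """Delegation, mail routing, CA policy and DMARC changes need immediate review."""
    if rtype in HIGH_RISK_TYPES or name.startswith("_dmarc."):
        return "high"
    if rtype == "CNAME":
        return "medium"   # a new or altered CNAME: confirm the target is still yours
    return "low"


def alerts(baseline, live):
    """Turn a diff into (severity, kind, name, type, detail) tuples, worst first."""
    d = diff_records(baseline, live)
    out = [(severity(n, t), "added", n, t, v) for n, t, v in d["added"]]
    out += [(severity(n, t), "removed", n, t, v) for n, t, v in d["removed"]]
    out += [(severity(n, t), "changed", n, t, f"{old} -> {new}")
            for (n, t), (old, new) in d["changed"].items()]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(out, key=lambda a: (order[a[0]], a[2]))


def check_nameservers(answers):
    """Flag nameservers that did not answer, and records some servers lack."""
    responding = {ns: recs for ns, recs in answers.items() if recs is not None}
    union = set().union(*responding.values()) if responding else set()
    return {
        "unresponsive": sorted(ns for ns, recs in answers.items() if recs is None),
        "inconsistent": {ns: sorted(union - recs)
                         for ns, recs in sorted(responding.items()) if union - recs},
    }
```

Against the constructed data, alerts(BASELINE, LIVE["ns1.example.com"]) puts the DMARC downgrade from reject to none first as a high-severity change and the new dev host last, and check_nameservers(LIVE) reports ns3 as unresponsive and ns2 as missing the dev record. The severity rules are deliberately simple; the point is that a change to a record type that controls delegation, mail routing or certificate issuance should page someone, while most other drift can wait for the next review.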

A DNS audit is not a one-time project. It is an ongoing practice that keeps your domain infrastructure clean, secure, and aligned with your actual services. Start with a thorough manual audit, remediate what you find, and then put automated monitoring in place to maintain that clean state.

Keep Your DNS Clean Automatically

DNS Monitor watches your entire domain portfolio, detects record changes in real time, and helps you maintain a clean, secure DNS configuration without manual audits.