Why Should I Perform a DNS Audit?


SecurityTrails Blog · Oct 30 · SecurityTrails team

DNS auditing is a critical task when it comes to infrastructure and system administration. Ironically, DNS is also one of the most underrated internet services available, often overlooked when someone is performing IT auditing tasks.

Most companies set up a traditional DNS server like BIND, add some DNS zones and records — and then they totally forget about it. In many cases, the DNS server software is outdated, or some tweaking to TTLs or DNS caching mechanisms is required to avoid future issues. Furthermore, keeping an eye on your DNS zones, domains and IP addresses can help you to avoid many problems.

A DNS audit should be performed by your SysAdmin team periodically, but it’s especially useful whenever you ask yourself any of these questions:

  • Why are my subdomains down?
  • Has someone changed or deleted this DNS record?
  • What are the current DNS records for my domain.com?
  • How much information am I exposing about my website and company?
  • What’s my email reputation while reaching popular ISPs like Gmail, Hotmail or Yahoo?
  • Are there any phishing domains associated with my company’s trademark?
  • Is my domain name safe from hijacking? Do I have stale DNS records?

6 reasons to perform a full DNS audit

Today we’ll show you the top six reasons why you should perform a full DNS audit for your domain names and online services. Let’s begin.

Prevent phishing attacks

New phishing attacks are emerging every day. It’s a never-ending road to fight this kind of malicious activity.

Did you know that any person can register a domain name containing your trademark or main corporate product name?

Let’s suppose you owned the domain name “PayPal.com.” Attackers would then try to register alternative domains like:

  • paypalsupport.com
  • paypalid.com
  • paypallogin.com
  • paypalclientarea.com

When this happens to your company, attackers try to spread the usage of these non-official domains by creating fake email addresses or spoofing real ones in order to get in touch with your email contacts. Once that’s accomplished, they’ll advise your contacts to log in to fake websites that resemble your real one.

But how can you find out if these domains are registered and alive? Easily — our brilliant domain explorer technology lets you fetch domain names containing any keywords.

Follow the steps below:

  • Open up securitytrails.com
  • Type any keyword combination like PayPal
  • You’ll get many results

In this case, there are a lot of domains using the keyword “paypal”, exactly 30,498 results in fact. No doubt, many of them are for phishing and scams.

[Image: Scam domains]

Improve your email reputation

A DNS audit can help you in other areas of your company not directly related to the DNS but affected by it, such as your email service.

Now you might be asking yourself, “How can my email service be affected by my DNS settings?”

Well, it’s pretty easy — DNS controls every web service you use. Believe it or not, web, email and other online services all rely directly on DNS servers and their configurations.

One issue we’ve seen in several web hosting companies is users complaining that outgoing emails don’t reach their destination, or when they do, they land in the SPAM folder instead of the inbox.

This issue is often caused by a DNS misconfiguration; in particular, the lack of important DNS records such as SPF, along with other not-so-famous records like DKIM and DMARC.

The most important one is SPF. By auditing your DNS zone and its records, you’ll be able to detect if you’ve been using an SPF record.

How can I check if my SPF records exist?

  • Open up securitytrails.com
  • Type your domain name, eg: yoursite.com
  • Wait for the results and check the TXT block

If you have SPF records set, you should see something like this:

[Image: SPF record check]

And if you need to check out DMARC records, you can also request that information from our Feeds page.
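Once the TXT records are in hand, the audit itself can be scripted. The sketch below is an added example, not SecurityTrails code: it checks the SPF record and, going slightly beyond the steps above, the DMARC record as well. The function name, domains and TXT strings are assumptions constructed for illustration.

```python
# Added example; the domains and TXT strings below are constructed sample data.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.mail.example -all", "site-verification=abc123"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 ip4:192.0.2.10 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.20 -all"],
}

def audit_email_txt(domain, txt_by_name):
    """Return findings for the SPF and DMARC TXT records published for `domain`."""
    findings = []
    # SPF is a TXT record at the domain itself whose first term is "v=spf1".
    spf = [t for t in txt_by_name.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("spf: missing")
    elif len(spf) > 1:
        # RFC 7208: more than one SPF record is a permanent error for receivers.
        findings.append("spf: multiple records")
    else:
        terms = spf[0].lower().split()[1:]
        all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
        if not all_terms and not any(t.startswith("redirect=") for t in terms):
            findings.append("spf: no 'all' mechanism or redirect")
        elif all_terms and all_terms[0][0] in "+a":
            # "+all" (or bare "all") authorises every sender on the internet.
            findings.append("spf: 'all' passes every sender")
        elif all_terms and all_terms[0][0] == "?":
            findings.append("spf: '?all' is neutral and rejects nothing")
    # DMARC is a TXT record at _dmarc.<domain> starting with "v=DMARC1".
    dmarc = [t for t in txt_by_name.get("_dmarc." + domain, [])
             if t.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("dmarc: missing")
    else:
        tags = {k.strip().lower(): v.strip().lower()
                for k, v in (p.split("=", 1) for p in dmarc[0].split(";") if "=" in p)}
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append("dmarc: policy '%s' is not enforced" % tags.get("p", "unset"))
    return findings

if __name__ == "__main__":
    for name in ("good.example", "weak.example", "dup.example"):
        print(name, audit_email_txt(name, SAMPLE_TXT))
```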

Check your PTR records

Another thing that common email providers like Hotmail, Gmail, Yahoo and others usually do is perform a reverse lookup (PTR) on the IP address of your mail server. If you don’t have one, that could be a problem — many email service providers will not accept incoming email from servers without PTR records.

You can easily check your PTR records automatically by using our DSL API endpoint. For example:

curl -X POST -d '{"query":"ip = \"8.8.8.8\""}' 'https://api.securitytrails.com/v1/ips/list?apikey=yourapikey'

Expected results exposing the PTR record, along with open ports from that IP address:

{
  "records": [
    {
      "ptr": "google-public-dns-a.google.com",
      "ports": [
        443
      ],
      "ip": "8.8.8.8"
    }
  ],
  "record_count": 1,
  "meta": {
    "total_pages": 1,
    "query": "ip = \"8.8.8.8\"",
    "page": 1,
    "max_page": 1
  },
  "endpoint": "/v1/ips/list"
}

This simple curl request will return the result of the PTR check for Google DNS server IP 8.8.8.8 (make sure you are using your real API key by replacing the “yourapikey” string, and replace 8.8.8.8 with your real domain IP address).

Avoid downtime from DNS record deletions

Did one of your employees delete a DNS record by mistake? Or maybe it was you? This happens in all kinds of organizations, and there are two possible scenarios:

  1. It was an unused DNS record, and it doesn’t matter if it’s alive or not.
  2. It was a high traffic DNS record, an essential part of your domain structure and online services.

In the second scenario, you’re in trouble if you don’t have a way to audit your DNS zones. Luckily, you can detect any DNS changes almost instantly by using our Historical DNS Records database.

You can do this by fetching the information manually from our website, or by using our amazing API to detect DNS changes in your zone almost instantly. By changes we mean not only record deletions, but any IP modifications as well.

Don’t feel alone if you lost your DNS records — use SecurityTrails to perform a DNS examination and find the ones you’re missing really fast.
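The comparison behind this kind of change detection is shown below as an added example, not SecurityTrails code. It works on two snapshots of a zone however they were obtained; the record tuples, the `ESSENTIAL` set and the function names are assumptions constructed for illustration, with the severity split mirroring the two scenarios above.

```python
# Added example; both snapshots are constructed sample data.
from collections import defaultdict

YESTERDAY = [
    ("example.com", "A", "192.0.2.10"),
    ("example.com", "MX", "10 mail.example.com."),
    ("shop.example.com", "A", "192.0.2.30"),
    ("old-promo.example.com", "A", "192.0.2.99"),
]
TODAY = [
    ("example.com", "A", "192.0.2.10"),
    ("shop.example.com", "A", "198.51.100.7"),
    ("new.example.com", "A", "192.0.2.40"),
]
ESSENTIAL = {"example.com", "shop.example.com"}  # names whose loss means downtime

def index_rrsets(records):
    """Group (name, type, value) tuples into {(name, type): {values}}."""
    rrsets = defaultdict(set)
    for name, rtype, value in records:
        rrsets[(name.lower().rstrip("."), rtype.upper())].add(value)
    return rrsets

def diff_snapshots(old, new, essential=()):
    """Return (severity, change, name, type, before, after) for every changed RRset."""
    old_idx, new_idx = index_rrsets(old), index_rrsets(new)
    changes = []
    for key in sorted(set(old_idx) | set(new_idx)):
        before = sorted(old_idx.get(key, ()))
        after = sorted(new_idx.get(key, ()))
        if before == after:
            continue
        change = "deleted" if not after else "added" if not before else "modified"
        # Deleting or repointing an essential name is urgent; new records are informational.
        severity = "high" if key[0] in essential and change != "added" else "info"
        changes.append((severity, change, key[0], key[1], before, after))
    return changes

if __name__ == "__main__":
    for row in diff_snapshots(YESTERDAY, TODAY, ESSENTIAL):
        print(row)
```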

Avoid stale DNS issues

Let’s suppose your domain name has a blog.yourdomain.com A record pointing to 1.2.3.4.

This IP address was assigned by your network provider (cloud or bare metal) when you purchased your web hosting space.

A few years later, you decide to shut down your blog subdomain along with the cloud service that was dedicated to that part of your website.

And that’s it — your blog is no longer online. However, you’re forgetting something… you never deleted the A record from your DNS zones.

This is what we call a stale DNS record. Attackers can take advantage of it by obtaining the same IP address and hosting a phishing page, or any other malicious content, at blog.yourdomain.com without you even noticing.

The good news? You can stay one step ahead of the bad guys by performing scheduled DNS audits of all your DNS zones and records, and the easiest way is to use our DNS record explorer. It allows you to detect any stale DNS records by taking a quick, but critical, look into your DNS zones.

Revisit our previous post to learn more about web attacks and stale DNS records: Risks of modern free SSL certificates and stale DNS records

Prevent DNS attacks

If you’re running your own authoritative DNS server, you should always be subscribed to your DNS software mailing list to know when new updates are launched, or whenever a new patch is released to prevent attacks prompted by bugs or vulnerabilities.

Auditing your DNS server will also reveal whether your organization is using DNSSEC, a useful technique to avoid DNS spoofing and DNS cache poisoning attacks.

Read more about this topic in our previous article: 8 tips to prevent DNS attacks

Reduce web attacks

Information gathering is the first step in planning any computer attack, meaning the less information you expose, the better.

By taking a look into your domain, IPs and DNS zones, you can quickly assess how much information you are exposing to the internet.

Is your domain name using whois protection? Are you exposing all of your personal details like phone number, mailing address, city, country and email address to possible attackers?

You can quickly find out how much information you’re exposing in your web domains by using our WHOIS data via API:

curl --request GET --url 'https://api.securitytrails.com/v1/history/estebanborges.com/whois?apikey=yourapikey'

Expected output showing you the current WHOIS details containing your personal information:

"contact": [
  {
    "type": "registrant",
    "telephone": "59898814335",
    "street1": "5th Avenue 313 Apt 2024",
    "state": "New York",
    "postalCode": "11212",
    "name": "Steven Borch",
    "fax": "15555555555",
    "email": "your@email.com",
    "country": "United States",
    "city": "New York"
  }
]

What about your DNS records? Are you exposing intranet or private records by mistake? Doing so enables attackers to create a map of all your DNS zones and records. However, you can take advantage of this vulnerability and do it yourself, first.

  • Jump into securitytrails.com
  • Enter your domain name
  • Analyze your current active DNS records
  • If any intranet DNS records are detected, edit your DNS zone and remove them
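The same review can be run against your own zone data. The added example below (not SecurityTrails code) covers both this check and the stale-record check described earlier: it reads a simplified BIND-style zone, flags A/AAAA records that expose internal addresses, and flags records pointing outside the address space you currently hold. The zone text, origin, inventory and function names are assumptions constructed for illustration.

```python
# Added example; the zone text, origin and inventory are constructed sample data.
import ipaddress

SAMPLE_ZONE = """\
$TTL 3600
@        IN A     203.0.113.10
www      IN CNAME example.com.
blog     300 IN A 198.51.100.77   ; host was decommissioned
intranet IN A     10.20.0.5
vpn      IN A     203.0.113.44
"""
OWNED_NETWORKS = ["203.0.113.0/24"]  # address space currently assigned to us
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_zone(text, origin):
    """Parse 'owner [ttl] [IN] type value' lines; every line must name its owner."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, then tokenise
        if len(fields) < 3 or fields[0].startswith("$"):
            continue
        owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)
        if len(fields) < 2:
            continue
        owner = origin if owner == "@" else owner if owner.endswith(".") else owner + "." + origin
        records.append((owner.rstrip("."), fields[0].upper(), " ".join(fields[1:])))
    return records

def audit_addresses(records, owned_networks):
    """Flag A/AAAA records that expose internal hosts or fall outside our inventory."""
    owned = [ipaddress.ip_network(n) for n in owned_networks]
    findings = []
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            continue
        ip = ipaddress.ip_address(value)
        if any(ip in net for net in INTERNAL):
            findings.append((name, value, "internal address in public zone"))
        elif not any(ip in net for net in owned):
            findings.append((name, value, "outside inventory, possible stale record"))
    return findings

if __name__ == "__main__":
    for finding in audit_addresses(parse_zone(SAMPLE_ZONE, "example.com"), OWNED_NETWORKS):
        print(finding)
```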

Final thoughts

Auditing the IT infrastructure and services of any company is a critical and necessary task. Always keep in mind the importance of including DNS and domain services in performing your digital auditing tasks.

Conducting a full DNS audit can help prevent problems like bad email reputation, domain hijacking, web attacks and even phishing attacks by stale DNS records. Fortunately, you can avoid all of this by using our cyber security toolkit, right here at SecurityTrails.


Grab a free API account and start auditing all your DNS, domains and IP addresses in one centralized platform.