Notes on DNS security.
Field-tested guidance on subdomain takeover, email auth, certificate drift, and running a governed DNS portfolio at scale.
The 37 ports DNS Watchdog scans, and why each one matters
A complete reference to the 37 high-risk ports we check on every resolved IP, grouped by what an attacker does with them - and how each one lands in a real-world breach.
Why we flag SPF `+all` as critical
An SPF record ending in `+all` means any server on the internet can send mail claiming to be you. Here's why it's still on production domains in 2026, and how DNS Watchdog catches it.
What a dangling CNAME actually looks like
A walkthrough of a real dangling CNAME - how to spot one manually, why they're so easy to miss in a large estate, and what attackers do with them once they find one.
DNS: The problem you can't ignore
How years of DNS drift create hidden security exposure - and why continuous monitoring is critical to preventing subdomain takeover and misconfiguration breaches.