DNS: The Problem you can't ignore
I’ve led Infrastructure & Operations teams across multiple companies and industries, and there’s been one constant everywhere I’ve worked: DNS never truly felt owned.
Not because the engineers adding and removing records weren’t capable or conscientious. They were. The problem was structural. In most large organisations — especially outside heavily regulated industries — the teams launching sites and requesting DNS changes aren’t the teams responsible for governing the zones long term. Over time, that separation creates quiet, compounding DNS drift.
Records are added for campaigns, migrations, vendors, proofs of concept. Projects end. People move on. Suppliers change. But the records remain.
So as an Operations lead, DNS isn’t something you build — it’s something you inherit. Years — sometimes decades — of accumulated entries. Little context. Sparse documentation. No continuous validation.
The Operational Challenge
If you're responsible for managing a DNS portfolio, it may be a challenge you're familiar with. You have thousands of records under management, but no reliable ways to determine which records are actively in use.
Sure, you can nmap a hostname or stick it in the address bar of your browser, but doing so at scale — across multiple DNS providers — would be a full-time job, and managing DNS is usually only one of a myriad of your responsibilities, and almost certainly the least visible.
Add the fact that proactively deleting a record no one asked you to delete can cause an outage, and it's easy to see why DNS becomes akin to an append-only log.
But doing nothing is no longer an option.
The Cost
I like to keep up with industry security news, and time and again I’d read about huge organisations with mature engineering teams getting breached due to misconfigured DNS or dangling subdomains.
- In 2017 it was found that Uber’s authentication could be bypassed when a security researcher registered an expired subdomain.
- In 2020, researchers identified 670 Microsoft domains vulnerable to takeover.
- More recently, researchers found subdomains available for takeover across over 100 companies including Bose, Panasonic, Intel, PwC, and Unilever.
DNS — often treated as background infrastructure — is becoming an entry point.
Building dnswatchdog
Which is why I built dnswatchdog.
Connect your DNS providers via API and the platform builds a complete inventory of resources spanning Zones, Records, Redirects, IP Addresses, Certificates and Screenshots.
Once we have an inventory we run successive scans:
- Look up ISP information for each resolved IP so you can see at a glance where an A or CNAME is pointing
- Scan 37 high-risk ports commonly associated with remote access, databases, and administrative services
- Identify non-resolving CNAMEs (dangling subdomains)
- Flag IP addresses that don't appear to be hosting anything
- If port 80 or 443 is open, the hostname is crawled and screenshotted.
- TLS certificate details are indexed and inspected for expiry and hostname mismatch.
- HTTP behaviour and redirect chains are captured.
All of it is consolidated into a single, structured interface that gives you the detail you need to confidently start remediating.
Safe Remediation, Built In
If you provide read/write API access, you can remove risky or unused records directly from the platform.
Before deletion, we snapshot the record configuration.
If you discover a record was still required — and it happens — you can restore it immediately.
Prefer to operate in read-only mode? That works too: make the change in your DNS provider, and dnswatchdog detects it on the next scan and automatically closes the issue.
dnswatchdog isn’t a one-time audit tool. It’s designed to provide continuous DNS attack surface visibility — so the problems that accumulate slowly don’t become tomorrow’s incident.
Get in touch
If this resonates, book a demo to see how dnswatchdog can help you transform your DNS from a blind spot into a governed security domain.
