How to audit your DNS in 10 minutes
A practical, five-step guide to finding orphaned records, missing email authentication, and TTL problems across your domains.
DNS accumulates cruft. Records pointing at decommissioned servers. TXT records for services you cancelled two years ago. Conflicting entries nobody noticed because they only affect a subset of resolvers.
Here’s how to audit your DNS in five steps. No special tools. Just a terminal and ten minutes.
Step 1: List all your domains
Start with a complete inventory. Check your registrar accounts — all of them. Check Cloudflare, Route53, DNSimple, GoDaddy, wherever you have zones.
Most companies have more domains than they think. The main site, the marketing site, the old product domain, the one someone bought for a campaign in 2022. List every one.
If you can’t confidently list all your domains from memory, that’s the first problem.
Step 2: Export each zone
For each domain, pull the full zone data. Most providers offer an export:
- Cloudflare: DNS tab, Advanced, Export DNS File
- Route53: aws route53 list-resource-record-sets --hosted-zone-id XXXXX
- GoDaddy: DNS Management, Export Zone File (CSV)
- DNSimple: Zones API or the dashboard export
Save each export with a date. You’ll want to compare later.
Step 3: Look for orphaned records
Go through each zone and check: does this record still point at something real?
A records pointing at IP addresses you no longer own. CNAME records pointing at old-app.herokuapp.com for a Heroku app you deleted. MX records for a mail provider you migrated away from last year.
Orphaned records are not just clutter. A records pointing at IPs you’ve released can be claimed by someone else. That’s a subdomain takeover — a real security vulnerability.
Check every A, AAAA, and CNAME record. If you don’t recognize the target, investigate.
Step 4: Check email authentication
For each domain — even ones that don’t send email — verify three records:
SPF. Query the TXT records on the root domain. Look for a record starting with v=spf1. If the domain doesn’t send email, it should have v=spf1 -all to explicitly block spoofing.
DKIM. This is harder to check manually because you need to know the selector names. Check your email provider’s docs for the expected selector. Query selector._domainkey.example.com as a TXT record.
DMARC. Query _dmarc.example.com for a TXT record. It should exist for every domain, even parked ones. A minimal policy: v=DMARC1; p=reject; rua=mailto:dmarc@example.com.
A domain you own without email authentication records is an invitation for phishing.
Step 5: Review TTLs
Low TTLs (60-300 seconds) cause high query volume and slower resolution for users. High TTLs (86400 seconds) mean changes take a day to propagate.
For most records, 3600 seconds (one hour) is a reasonable default. Records you change frequently — like those behind a failover — should be lower. Records that never change can be higher.
Look for anything at the default TTL your provider set when you created the zone. It might not be what you want.
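Steps 3 to 5 can be run over the zone exports from Step 2 instead of by eye. The script below is an added example, not code from this post or from BackupMyDNS: it parses a simplified BIND-style export (one record per line, no parentheses or multi-line records), flags A/AAAA/CNAME targets that are not in an inventory you supply, checks for SPF, DKIM and DMARC records, and lists TTLs at either extreme. The sample zone, the known-target sets and the DKIM selector name `mail` are constructed assumptions standing in for your own inventory and your provider's documented selector.

```python
import re

# Constructed sample export (not a real zone). Uses documentation ranges
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@               IN A     203.0.113.10
www       60    IN CNAME old-app.herokuapp.com.
api             IN A     198.51.100.7
legacy    86400 IN A     192.0.2.55
@               IN MX    10 mail.example.com.
@               IN TXT   "v=spf1 include:_spf.example.net -all"
mail._domainkey IN TXT   "v=DKIM1; k=rsa; p=MIIB...placeholder"
"""

# Assumed inventory from Steps 1 and 3: addresses and CNAME targets you still own.
KNOWN_IPS = {"203.0.113.10", "198.51.100.7"}
KNOWN_CNAME_TARGETS = {"cdn.example.net."}

# name [ttl] IN type data  (TTL optional; $TTL supplies the default)
RECORD_RE = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?IN\s+(\w+)\s+(.*)$")


def parse_zone(text):
    """Return (origin, records); each record is a dict with name/ttl/type/data."""
    origin, default_ttl, records = "", 3600, []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name, ttl, rtype, data = m.groups()
        if name == "@":                          # apex shorthand
            name = origin
        elif not name.endswith("."):             # relative name: append origin
            name = f"{name}.{origin}"
        data = data.strip()
        if rtype == "TXT":
            data = data.strip('"')
        records.append({"name": name, "ttl": int(ttl) if ttl else default_ttl,
                        "type": rtype, "data": data})
    return origin, records


def find_orphans(records, known_ips, known_cname_targets):
    """Step 3: any A/AAAA/CNAME target outside your inventory needs investigating."""
    orphans = []
    for r in records:
        if r["type"] in ("A", "AAAA") and r["data"] not in known_ips:
            orphans.append((r["name"], r["type"], r["data"]))
        elif r["type"] == "CNAME" and r["data"] not in known_cname_targets:
            orphans.append((r["name"], r["type"], r["data"]))
    return orphans


def check_email_auth(origin, records, dkim_selectors=("mail",)):
    """Step 4: SPF on the apex, DKIM per assumed selector, DMARC at _dmarc."""
    txt = {}
    for r in records:
        if r["type"] == "TXT":
            txt.setdefault(r["name"], []).append(r["data"])
    findings = []
    spf = [t for t in txt.get(origin, []) if t.startswith("v=spf1")]
    if not spf:
        findings.append("SPF missing: add v=spf1 ... -all")
    elif len(spf) > 1:
        findings.append("multiple SPF records at apex (resolvers treat this as an error)")
    for sel in dkim_selectors:
        if f"{sel}._domainkey.{origin}" not in txt:
            findings.append(f"DKIM missing for selector {sel}")
    dmarc = [t for t in txt.get(f"_dmarc.{origin}", []) if t.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("DMARC missing: add v=DMARC1; p=reject; rua=mailto:...")
    return findings


def check_ttls(records, low=300, high=86400):
    """Step 5: TTLs at or below `low` or at/above `high` deserve a second look."""
    return [(r["name"], r["type"], r["ttl"]) for r in records
            if r["ttl"] <= low or r["ttl"] >= high]


def audit(zone_text, known_ips, known_cname_targets):
    origin, records = parse_zone(zone_text)
    return {"orphans": find_orphans(records, known_ips, known_cname_targets),
            "email_auth": check_email_auth(origin, records),
            "ttls": check_ttls(records)}


if __name__ == "__main__":
    for section, items in audit(SAMPLE_ZONE, KNOWN_IPS, KNOWN_CNAME_TARGETS).items():
        print(section)
        for item in items:
            print("  ", item)
```

Point `audit()` at each saved export from Step 2 and replace the two `KNOWN_*` sets with the addresses and hostnames you actually control; anything it lists under `orphans` is a candidate for removal or investigation, and a parked domain should come back with only SPF/DMARC findings that you then fix with the `v=spf1 -all` and DMARC records described above.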
The problem with doing this once
This audit is useful today. But DNS changes constantly. Someone adds a record next week, and your audit is stale.
BackupMyDNS connects to your DNS providers via read-only API and captures every change automatically. You get a full zone snapshot on every modification, with diffs showing exactly what changed. It’s a continuous audit that runs itself.
Free for your first domain. Set it up and stop auditing manually.