DNS recon — what we check and why

The DNS module enumerates A, AAAA, MX, NS, TXT, CNAME, and SOA records for every domain you monitor. We use this data for three purposes:

  1. Inventory. Confirming which subdomains exist and resolve.
  2. Email security. SPF, DMARC, DKIM, BIMI, MTA-STS, and DANE all live in DNS.
  3. Zone-age signals. The SOA serial reveals when the zone was last edited — a useful corroborating signal for fraud scoring on look-alike domains.
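
The zone-age signal in item 3 depends on how the zone operator numbers the SOA serial. The following added example (not the DNS module's own code) interprets a serial under two common conventions, the YYYYMMDDnn form recommended in RFC 1912 and a Unix timestamp, and reports anything else as opaque. The function names and sample serials are constructed for illustration.

```python
from datetime import date, datetime, timezone

EPOCH_FLOOR = 631152000        # 1990-01-01T00:00:00Z; anything lower is a counter
DATE_FLOOR = date(1990, 1, 1)


def interpret_soa_serial(serial: int, today: date):
    """Return (kind, last_edit_date or None) for an SOA serial."""
    if not 0 <= serial <= 0xFFFFFFFF:
        raise ValueError("SOA serial must be an unsigned 32-bit integer")
    digits = str(serial)
    # Convention 1: YYYYMMDDnn, where nn is the revision number for that day.
    if len(digits) == 10:
        try:
            edited = date(int(digits[:4]), int(digits[4:6]), int(digits[6:8]))
        except ValueError:
            edited = None      # e.g. month 13: not a calendar date
        if edited is not None and DATE_FLOOR <= edited <= today:
            return ("date", edited)
    # Convention 2: Unix timestamp of the last change.
    if serial >= EPOCH_FLOOR:
        edited = datetime.fromtimestamp(serial, tz=timezone.utc).date()
        if edited <= today:
            return ("epoch", edited)
    # Plain counters and future-dated values carry no usable age information.
    return ("opaque", None)


def zone_age_days(serial: int, today: date):
    """Days since the last edit implied by the serial, or None if unknown."""
    _, edited = interpret_soa_serial(serial, today)
    return None if edited is None else (today - edited).days


if __name__ == "__main__":
    # Constructed sample serials, not taken from any real zone.
    today = date(2025, 1, 1)
    for serial in (2024031502, 1710500000, 42, 2024133101):
        kind, edited = interpret_soa_serial(serial, today)
        print(serial, kind, edited, zone_age_days(serial, today))
```

An "opaque" result means the serial says nothing about edit time, so it should not feed a zone-age score on its own.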

Common findings

  • Wildcard A record pointing to an unused IP — often a stale CDN configuration that can be hijacked.
  • MX records pointing to deactivated mail providers — bounced emails appear to your customers as failed deliveries.
  • TXT records containing old SPF includes — attackers can spoof from those domains.
  • NS records pointing to a registrar's parking nameserver — the domain is no longer actively managed.

What to do

Most DNS findings are "tidy up" rather than "emergency." We grade severity by attack surface (active phishing > stale parking record). Your findings page sorts by severity automatically.

Frequency

DNS is checked daily on every monitored domain. You can also trigger a manual re-scan from the asset detail page.