DNS zone grew over years, nobody remembers what each record is for anymore
A messy DNS zone is a security and mail risk. Forgotten subdomains pointing at old IPs are prime subdomain-takeover material, and stale TXT records from departed vendors confuse mail validation.
Try this first
- 1Export the zone (BIND format or provider export) and put it in a spreadsheet or git repo so you can diff it.
- 2Per record: does the target still exist (curl, ping, cert check) and who owns it inside the company? Unknown = removal candidate.
- 3Filter all CNAMEs: do they still point at live hostnames? A CNAME to an expired Heroku app or S3 bucket is immediate takeover risk.
- 4Review TXT records: SaaS verifications, old DKIM keys, empty SPF leftovers. Anything unknown and old can go after a 30-day test period.
- 5Schedule the audit yearly or at every DNS host migration, and log every change in a changelog or CMDB.
When to bring us in
If you have hundreds of records or multiple registrars and no overview, we can run an audit, flag takeover risks and reduce the zone to what is actually in use.
See also
- Domain expires tomorrow and nobody saw the emailAn expired domain doesn't transfer instantly. There's a redemption window, but you pay extra.
- Unsure whether to enable auto-renewDisabling auto-renew only makes sense for domains you'll truly drop. For anything live, just keep it on.
- New registrar asks for auth code, can't find itEPP code or transfer code is the password to move a domain from registrar A to B.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.