DNS Security

DNS Hygiene for UK SMBs: 8 Things to Check Right Now

Bad DNS configuration is the root cause of many security incidents. This checklist covers the eight DNS hygiene checks every UK small business should run — and how to fix common problems.

15 April 2026 · 6 min read · #DNS #DNS hygiene #UK SMB

DNS is the foundation of your security posture

Domain Name System records control everything: where your mail goes, which servers are authorised to send email as you, which CAs can issue certificates for your domain, and whether your website serves real content or an attacker's page. A single incorrect DNS record can undermine everything else.

Most UK SMBs set up DNS records once — when they first registered their domain or changed hosting provider — and never review them. Here are eight checks to run right now.

1. Check for dangling CNAMEs

A CNAME that points to a service you no longer use is a subdomain takeover waiting to happen. List all your CNAME records and verify each target still exists and belongs to you. Pay particular attention to cloud platform CNAMEs (Azure, Heroku, GitHub Pages, S3).

2. Verify your CAA records

Certification Authority Authorisation (CAA) records restrict which certificate authorities can issue SSL/TLS certificates for your domain. Without CAA records, any CA can issue a certificate for your domain — a significant risk if an attacker tricks a CA's validation process.

A basic CAA record allowing only Let's Encrypt and DigiCert:

yourdomain.com. CAA 0 issue "letsencrypt.org"
yourdomain.com. CAA 0 issue "digicert.com"
yourdomain.com. CAA 0 issuewild ";"

The last line prohibits wildcard certificates from anyone.
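The CAA set that governs a hostname is not always the one at that exact name: a CA uses the records at the name if any exist, otherwise the closest ancestor's set, and for wildcard requests it prefers issuewild over issue. The following is an added example (not VP Shield's code) that applies those rules to an in-memory copy of the records above plus a constructed subdomain set; all domain names are placeholders and the table stands in for live DNS lookups.

```python
# Added example (not VP Shield code): evaluate CAA records the way a CA does.
# DNS is replaced by a constructed in-memory table so the script runs offline;
# all domain names are placeholders.

# Constructed CAA data: owner name -> list of (flags, tag, value) tuples,
# mirroring the three records shown above plus a subdomain with its own set.
CAA_ZONE = {
    "yourdomain.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", ";"),
    ],
    # A CAA set on a subdomain replaces the parent's set for that name.
    "shop.yourdomain.com": [
        (0, "issue", "sectigo.com; accounturi=https://acme.example/acct/1"),
    ],
}


def relevant_caa_set(name, zone):
    """Return (owner, records) for the CAA set that governs `name`.

    RFC 8659 section 3: use the records at the name itself if any exist,
    otherwise walk up parent labels and use the closest ancestor's set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_domain(value):
    """Extract the issuer domain from a CAA value, dropping any
    'key=value' parameters after the first ';'. ';' alone yields ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name, ca_domain, zone=CAA_ZONE, wildcard=False):
    """Decide whether `ca_domain` may issue a certificate for `name`
    (or for *.name when wildcard=True).

    - No CAA set anywhere up the tree: any CA may issue.
    - Wildcard requests use 'issuewild' records if the set has any,
      otherwise fall back to 'issue' records (RFC 8659 section 4.3).
    - A set with neither tag (e.g. only 'iodef') imposes no restriction.
    - An empty issuer domain (the ';' value) authorises nobody."""
    _, records = relevant_caa_set(name, zone)
    if not records:
        return True
    tag = "issue"
    if wildcard and any(r[1] == "issuewild" for r in records):
        tag = "issuewild"
    issuers = [issuer_domain(r[2]) for r in records if r[1] == tag]
    if not issuers:
        return True
    return ca_domain.lower() in issuers


def caa_report(names, ca_domain, zone=CAA_ZONE):
    """Summarise, per hostname, which CAA owner applies and whether
    `ca_domain` may issue ordinary and wildcard certificates."""
    rows = []
    for name in names:
        owner, _ = relevant_caa_set(name, zone)
        rows.append({
            "name": name,
            "caa_owner": owner or "(none)",
            "issue": issuance_allowed(name, ca_domain, zone),
            "issuewild": issuance_allowed(name, ca_domain, zone, wildcard=True),
        })
    return rows


if __name__ == "__main__":
    for row in caa_report(["yourdomain.com", "www.yourdomain.com",
                           "shop.yourdomain.com", "otherdomain.net"],
                          "letsencrypt.org"):
        print(row)
```

The report makes the two common surprises visible: www.yourdomain.com is governed by the parent's set (so wildcards are blocked there too), while shop.yourdomain.com, having published its own set, no longer inherits anything from yourdomain.com, including the wildcard prohibition.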

3. Remove retired MX records

Mail sent to an unused MX host is either lost or, worse, delivered to whoever now controls the old mail server's hostname or address. Review your MX records and remove any that point to services you no longer use.

4. Check your SPF for too many lookups

SPF has a hard limit of 10 DNS lookups during evaluation. Exceeding this causes SPF to return a permerror, which can be treated as a failure by receiving servers. If you have added multiple cloud mail services over the years, your SPF record may be broken without you knowing it.
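The lookups that count toward the limit are the include, a, mx, ptr, exists and redirect terms, and every include pulls in the lookups of the record it references, which is how a record that looks short on the surface ends up over ten. The following is an added example (not VP Shield's code) that walks an SPF record and its includes and counts those terms; the provider hostnames and records are constructed placeholders held in an in-memory table instead of live DNS.

```python
# Added example (not VP Shield code): count the DNS lookups an SPF record
# triggers, the quantity RFC 7208 section 4.6.4 caps at ten. Live DNS is
# replaced by a constructed TXT table so this runs offline; the mail-provider
# hostnames are placeholders.
import re

# Terms that each cost one lookup toward the limit. ip4, ip6 and all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed SPF records: a domain that accumulated providers over the years.
SPF_TXT = {
    "yourdomain.com": ("v=spf1 a mx include:spf.mailhost.example "
                       "include:_spf.crm.example include:newsletter.example "
                       "include:helpdesk.example -all"),
    "spf.mailhost.example": ("v=spf1 include:pool-a.mailhost.example "
                             "include:pool-b.mailhost.example ~all"),
    "pool-a.mailhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "pool-b.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.crm.example": "v=spf1 a mx include:_spf.crm-eu.example ~all",
    "_spf.crm-eu.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "newsletter.example": "v=spf1 ip4:192.0.2.200 ~all",
    "helpdesk.example": "v=spf1 ip4:192.0.2.201 ~all",
}


def term_name(term):
    """Mechanism/modifier name without qualifier (+ - ~ ?) or argument."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def term_target(term):
    """Argument of include:, redirect= or exists: (None if absent)."""
    parts = re.split(r"[:=]", term.lstrip("+-~?"), maxsplit=1)
    return parts[1] if len(parts) == 2 else None


def count_spf_lookups(domain, txt=SPF_TXT, path=()):
    """Recursively count lookup-costing terms for `domain`'s SPF record.

    include and redirect add the target record's own count. `path` holds
    the chain of domains being evaluated so an include loop cannot recurse
    forever (a real evaluator returns permerror there)."""
    if domain in path:
        return 0
    record = txt.get(domain)
    if record is None:
        # Missing record: the lookup was already charged by the caller.
        return 0
    count = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        name = term_name(term)
        if name not in LOOKUP_TERMS:
            continue
        count += 1
        if name in ("include", "redirect"):
            count += count_spf_lookups(term_target(term), txt, path + (domain,))
    return count


def spf_lookup_check(domain, txt=SPF_TXT):
    """Return ("ok" | "permerror", lookup_count) for `domain`."""
    n = count_spf_lookups(domain, txt)
    return ("ok" if n <= MAX_LOOKUPS else "permerror"), n


# A repaired record: the two single-address providers are written as ip4
# terms instead of includes, saving two lookups.
FIXED_RECORD = ("v=spf1 a mx include:spf.mailhost.example "
                "include:_spf.crm.example ip4:192.0.2.200 ip4:192.0.2.201 -all")


if __name__ == "__main__":
    print("current:", spf_lookup_check("yourdomain.com"))
    print("fixed:  ", spf_lookup_check("yourdomain.com",
                                       {**SPF_TXT, "yourdomain.com": FIXED_RECORD}))
```

The constructed record has only six terms of its own, yet evaluates to eleven lookups once the nested includes are followed; replacing the two single-address includes with ip4 terms brings it back to nine. Against a live domain the table lookups would become TXT queries, and the count should be re-run whenever a provider is added.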

5. Verify DMARC covers subdomains

Your DMARC record covers your primary domain. Subdomains follow the sp= tag if one is present and otherwise inherit your p= policy, so a weak or missing setting lets attackers use subdomains (billing.yourdomain.com, hr.yourdomain.com) for spoofing if you have not added sp=reject to your DMARC record. This is especially important for parked subdomains that do not send legitimate mail.
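To see which policy a receiver actually applies to a subdomain, the discovery rules of RFC 7489 have to be followed: a record published at the subdomain itself wins, otherwise the organisational domain's record is used with sp= taking precedence over p=. The following is an added example (not VP Shield's code) that implements that lookup over a constructed in-memory table of DMARC records; the domain names are placeholders, and the organisational domain is passed in explicitly rather than derived from the Public Suffix List.

```python
# Added example (not VP Shield code): work out which DMARC policy a receiver
# applies to a given subdomain, following the discovery rules in RFC 7489
# sections 6.6.3 and 6.3. DNS is a constructed in-memory TXT table; domain
# names are placeholders. The organisational domain is passed in explicitly
# instead of being derived from the Public Suffix List.

# Constructed DMARC records.
DMARC_TXT = {
    # Looks strict, but sp=none leaves every subdomain unprotected.
    "_dmarc.yourdomain.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@yourdomain.com",
    # No sp tag: subdomains inherit p=quarantine.
    "_dmarc.example.co.uk": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.co.uk",
    # A subdomain may publish its own record, which then wins.
    "_dmarc.mail.example.co.uk": "v=DMARC1; p=reject",
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; sp=none' into a lowercase-tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(host, org_domain, txt=DMARC_TXT):
    """Return the policy ('none' | 'quarantine' | 'reject') a receiver
    applies to mail claiming to be From: `host`, or None if no DMARC
    record exists for the host or its organisational domain.

    Discovery: a record at _dmarc.<host> applies directly via p=.
    Otherwise the organisational domain's record is used, and for a
    subdomain the sp= tag applies, falling back to p= when sp= is absent."""
    host = host.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    own = txt.get(f"_dmarc.{host}")
    if own is not None:
        return parse_dmarc(own).get("p", "none")
    if host == org_domain:
        return None
    org = txt.get(f"_dmarc.{org_domain}")
    if org is None:
        return None
    tags = parse_dmarc(org)
    return tags.get("sp", tags.get("p", "none"))


def with_subdomain_policy(record, policy):
    """Return `record` with sp= set to `policy`, replacing any existing sp=."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    parts = [p for p in parts if not p.lower().startswith("sp=")]
    return "; ".join(parts + [f"sp={policy}"])


def unprotected_subdomains(hosts, org_domain, txt=DMARC_TXT):
    """List hosts whose effective policy is anything other than reject."""
    return [h for h in hosts if effective_policy(h, org_domain, txt) != "reject"]


if __name__ == "__main__":
    hosts = ["yourdomain.com", "billing.yourdomain.com", "hr.yourdomain.com"]
    print("before:", unprotected_subdomains(hosts, "yourdomain.com"))
    fixed = {**DMARC_TXT,
             "_dmarc.yourdomain.com": with_subdomain_policy(
                 DMARC_TXT["_dmarc.yourdomain.com"], "reject")}
    print("after: ", unprotected_subdomains(hosts, "yourdomain.com", fixed))
```

The constructed yourdomain.com record is the case the text warns about: p=reject protects the primary domain, but sp=none means billing.yourdomain.com is evaluated at policy none. Rewriting sp= to reject closes the gap for every subdomain that has no record of its own.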

6. Check for open AXFR (zone transfer)

A DNS zone transfer (AXFR) returns the entire contents of your DNS zone to anyone who asks. This is how attackers enumerate all your subdomains in seconds. Most modern DNS providers disable AXFR by default, but legacy or self-hosted nameservers may still allow it.

7. Verify nameserver consistency

Your authoritative nameservers should match what your registrar reports. Mismatches indicate a potential DNS hijack — where an attacker has changed your nameservers at the registrar level to redirect queries to malicious servers.

8. Check TTL values

Very low TTL values (under 300 seconds) on your primary A record can indicate a recent change — or that someone is preparing to change your DNS. Very high TTLs (above 24 hours) make emergency DNS changes slow to propagate.

Run all eight checks in two minutes

VP Shield checks all of these automatically as part of the DNS hygiene section of every passive scan. Enter your domain to get a complete DNS health report at no cost.

Check your domain security now

VP Shield runs a free passive scan on any domain — DNS, TLS, email authentication, security headers, subdomain takeover risk. No login, no install, two minutes.