Security Check
Free DNS Hygiene Check
Instantly check your domain DNS configuration for dangling CNAMEs, missing CAA records, nameserver consistency issues, and other misconfigurations that expose your organisation to attack.
Check your DNS →What's Checked
- Dangling CNAME detection (subdomain takeover risk)
- CAA record presence and configuration
- Nameserver consistency between registrar and DNS authority
- MX record integrity check
- SPF DNS lookup count verification
- DNSSEC status
- TTL review for critical records
- Exportable report with actionable fixes
Why DNS is the foundation of your security posture
Everything your organisation does on the internet depends on DNS. Your website, your email, your client portal, your API endpoints — all rely on DNS records pointing to the right places. A single incorrect record can redirect traffic, expose a subdomain to takeover, or allow an unauthorised certificate to be issued.
VP Shield's DNS hygiene check examines your public DNS records against a database of known misconfigurations and risks, returning a prioritised list of issues with specific remediation steps.
Common Questions
- What is DNS hygiene and why does it matter?
- DNS hygiene refers to the accuracy and security of your domain DNS configuration. Poor DNS hygiene — dangling CNAMEs, missing CAA records, inconsistent nameservers — can be exploited by attackers for subdomain takeover, certificate fraud, and mail redirection. Regular DNS audits are a foundational security practice.
- What is a dangling CNAME?
- A dangling CNAME is a DNS CNAME record that points to a service that no longer exists. If an attacker can claim that service (for example, a deleted Heroku app or an S3 bucket), they can serve content from your subdomain — which browsers and users will trust as belonging to your organisation.
- How often should I check my DNS hygiene?
- Run a DNS hygiene check after every infrastructure change and at minimum quarterly. Cloud environments change frequently — apps are spun up and deleted, hosting is migrated, email providers change — and DNS records are often left behind.
Run a free domain security scan
VP Shield checks DNS, TLS, email authentication, security headers, and subdomain takeover risk for any domain. Free, no login, two minutes.
Related Services
Free Email Authentication Check
Check your domain SPF, DKIM, and DMARC configuration in seconds. See whether your domain can currently be spoofed for phishing email and get specific fixes to close the gap.
Check email authentication →Free TLS & SSL Grade Check
Check your domain TLS configuration and get an SSL Labs-equivalent grade. Identifies weak cipher suites, deprecated protocol versions, certificate issues, and missing HSTS.
Check your TLS grade →Free HTTP Security Headers Check
Check your website HTTP security headers — CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy — and get a Mozilla Observatory-equivalent grade with specific recommendations.
Check security headers →