Brand Risk: External DNS Vulnerabilities and Mitigation

Join Peter LaMantia, CEO of Authentic Web, for a webinar on External DNS Vulnerability Risk and Mitigation. He’ll cover key challenges enterprise IT and InfoSec teams face in managing and securing domains, DNS, and certificates and why this problem persists.

Speaker: Peter LaMantia, CEO of Authentic Web


Introduction

Welcome everyone, and thanks for attending. It’s November 15th, 3 p.m., and I appreciate you joining. This session will run about 25–30 minutes.
If you have questions, submit them on screen; I’ll address them later. At the end, I’ll share an offer for attendees.

Today we’re covering external DNS vulnerabilities—the risks, mitigation, and how to manage them.
I’m Peter LaMantia, CEO of Authentic Web. I’ve led the company for about ten years, and I’ll explain how the business came to be.

Our agenda covers an introduction to Authentic Web, the DNS problem itself, why external DNS hygiene is critical, the root causes inside enterprises, specific domain and DNS hygiene risks, the business impacts of failing to fix them, and finally how leading organizations are modernizing control.


About Authentic Web

Authentic Web is an enterprise DNS security system—a technology company and a corporate domain registrar. The business formed around 2013‑14 after I struggled with domain management at a Fortune 1000 company. We owned about a thousand domains, and every quarter I received renewal lists. When I asked what was running on them, no one really knew. We renewed everything by default.

That experience showed me how unmanageable domain portfolios had become. We built tools to automate management of domains, DNS, and certificates, replacing forms, spreadsheets, and support tickets. The result: less manual work and fewer mistakes.


Why DNS Security Matters

DNS underpins every digital business process. Nearly every cyber‑incident begins with DNS, because it’s a public network used by attackers to discover endpoints. Locking it down requires clear policies and systems to enforce them—and those systems must be easy for teams to use.

DNS hygiene keeps the business and customers safe by maintaining brand trust. Making DNS management simple for IT and digital teams gives them control, visibility, and automation—reducing enterprise risk and improving productivity.


The Problem: Enterprise DNS Hygiene

In most enterprises, DNS hygiene is messy and exposes brands to hidden risks stemming from poor control and visibility.
Each domain should be tracked from registration to retirement. Initially, one domain and a few records seem simple—but over time, records accumulate, and few are ever deleted. The result: overgrown zone files and control gaps.

From the audits we’ve run, we consistently see dozens of DNS services active across one company—far too many for teams to manage without change control.
A lack of visibility into who changed what and when increases exposure. Consolidating DNS services and enforcing policy are essential to reduce risk.


SPF and DMARC

Adoption of SPF and DMARC records remains low. Most organizations set them only on flagship domains. Without SPF and DMARC, attackers can spoof your domains for phishing.
Even in financial services, roughly half of domains lack SPF records—giving malicious actors an open door.


Research and Industry Warnings

News reports confirm the growing scale of DNS compromises—hijacking, takeovers, and missing SOA records.
In 2020 the U.S. Department of Homeland Security and the U.K. National Cyber Security Centre issued alerts urging enterprises to secure DNS.
An IDC report emphasized that attackers now use DNS both for inbound intrusion and outbound data exfiltration—exploiting weak configurations and poor change management.


Inside the Enterprise

In the 1990s, managing domains was simple—one domain, one registrar, one nameserver.
Decades later, large organizations own hundreds or thousands of domains, multiple registrars, and even more DNS providers. Mergers, preferences, and acquisitions compound complexity.

Everyone touches DNS—marketing, IT, legal, infosec—but no one truly owns it.
The core issue is silos: siloed systems, siloed people, and manual processes.
When a domain change is needed, requests move through email or ticketing systems, someone enters data at one registrar, another updates a DNS provider, security teams check policy manually, and reviews happen only when something breaks.

Zone files become the digital equivalent of a junk drawer—new records pile in while old ones remain, creating confusion and risk. Attempted reviews end in stalled projects because no one knows which records still matter.


Vulnerabilities and Impacts

Domains and DNS remain prime targets for compromise: hijacking, phishing, social engineering, certificate abuse, ransomware, and DDoS.
Common internal weaknesses include:

  • Disconnected systems and manual updates
  • Shared or unmanaged logins
  • Lack of change management controls
  • Staff turnover and lost institutional knowledge

These gaps leave organizations exposed. The result: outages, impersonation, stolen data, compliance fines, and customer churn.
Every external penetration test lists DNS‑related findings at the top—proof of persistent vulnerability.


Modernizing the Approach

Leading enterprises are taking a new approach to DNS security built around four elements:

  1. Leadership Commitment – Executive sponsorship to acknowledge the issue and allocate resources.
  2. Comprehensive Audit – Assess exposure, identify vulnerabilities, and benchmark maturity.
  3. Security Policies – Define required records such as SPF, DMARC, and DNSSEC and enforce them.
  4. Control Systems – Implement modern tools with automation, visibility, and workflow integration.

Without automation, teams can’t keep up. The goal is to manage fewer domains—but manage them better, securely, and compliantly.


DNS Inspector

To support this modernization, Authentic Web developed DNS Inspector.
Originally, audits were manual and time‑intensive, taking a week per company. DNS Inspector now automates that process—scanning entire portfolios for vulnerabilities in DNS infrastructure, IP mappings, SPF, DMARC, redirects, CNAMEs, and delegations.

It flags insecure configurations, orphaned IPs, and dangling CNAMEs—records pointing to resources no longer active but still exploitable by attackers.
The system helps teams discover, investigate, resolve, and verify issues in one place.

DNS Inspector integrates with registries and DNS providers worldwide, giving enterprises a unified control hub—a single pane of glass for complete visibility and governance.


Summary and Call to Action

The risk is real, and evidence is growing. DNS still causes most digital outages, and manual management is no longer viable.
IT teams lack modern tools; it’s time to help them with automation and visibility that bring control back to the enterprise.

If your organization uses multiple registrars and DNS providers without centralized change control, you have a problem.
If you can’t see who made changes or where exposures lie, you have a problem.

Authentic Web can help. DNS Inspector is now available, and we’re offering free trials for a limited number of organizations.
Contact us for a demo and see how automation can reveal and fix vulnerabilities across your DNS.

DNS is powerful—but dangerous without control. Let’s make it secure.


Q&A Highlights

Question: Do you have webinars on DNS basics?
Answer: Yes. Visit our channel on BrightTALK for past sessions, or email me—we’re planning another fundamentals webinar soon.

Question: Where do you see the biggest risks for companies?
Answer: Two main areas:

  1. The registrar layer – most breaches begin with social‑engineering attacks against retail registrars not suited for enterprise use.
  2. DNS hygiene – orphaned IPs, dangling CNAMEs, and missing SPF records. Even unused domains need “‑all” policies to prevent misuse.

If you lack a system to track every DNS change, you already face a DNS risk.
An audit will show where to start.


Peter LaMantia:
Thanks for joining today’s session. I hope this helped you better understand external DNS vulnerabilities and the value of modern control systems.
This recording will be available shortly. Reach out anytime if you’d like more details or a personal walkthrough. Have a great rest of your day.
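
The SPF and DMARC gaps described in the talk, including the "-all" policy for unused domains mentioned in the Q&A, can be checked across a portfolio with a small script. The following is an added example, not part of the webinar and not Authentic Web's tooling; it assumes TXT records have already been exported from DNS, and every domain, record and finding label in it is constructed for illustration.

```python
# Added example; all domains and records below are constructed sample data.

def spf_finding(txt_records, sends_mail):
    """Classify the SPF policy published at a domain apex."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple records"  # RFC 7208: evaluates to permerror
    terms = spf[0].lower().split()[1:]
    if not sends_mail:  # a domain that never sends mail should authorize nothing
        return "ok" if terms == ["-all"] else "parked domain not locked to -all"
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        delegated = any(t.startswith("redirect=") for t in terms)
        return "delegated via redirect" if delegated else "no all mechanism"
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    return {"-": "ok", "~": "softfail only"}.get(qualifier, "permissive all")

def dmarc_finding(dmarc_txt):
    """Classify the policy from TXT records at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return "missing"
    pairs = (part.partition("=") for part in recs[0].split(";"))
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in pairs}
    policy = tags.get("p")
    if policy in ("quarantine", "reject"):
        return "enforced"
    return "monitor only" if policy == "none" else "invalid policy"

def audit(portfolio):
    """Return {domain: (spf_finding, dmarc_finding)} for every domain."""
    return {d: (spf_finding(z["txt"], z["mail"]), dmarc_finding(z["dmarc"]))
            for d, z in portfolio.items()}

PORTFOLIO = {  # constructed sample portfolio; "mail" = domain is used to send mail
    "flagship.example": {"mail": True,
        "txt": ["v=spf1 include:_spf.mailer.example -all"],
        "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@flagship.example"]},
    "campaign.example": {"mail": True,
        "txt": ["v=spf1 ip4:192.0.2.10 ~all"], "dmarc": ["v=DMARC1; p=none"]},
    "parked.example": {"mail": False,
        "txt": ["site-verification=constructed"], "dmarc": []},
    "retired.example": {"mail": False,
        "txt": ["v=spf1 -all"], "dmarc": ["v=DMARC1; p=reject"]},
}

if __name__ == "__main__":
    print(audit(PORTFOLIO))
```
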