
DNS Security: The Zone Mess

Authentic Web CEO Peter LaMantia reveals why managing DNS and domains is such a challenge for IT leaders—and how modern tools and practices make visibility, control, and automation easy to achieve.

DNS Security

Speaker: Peter LaMantia, CEO of Authentic Web


Introduction

Peter:
Good afternoon, good morning, or good evening—wherever you are today.
I’m Peter LaMantia from Authentic Web, and in this session, I want to focus on something that affects every enterprise: the external DNS zone mess.

The DNS underpins everything we do in digital. As organizations accelerate digital transformation and move to the cloud, the complexity of their DNS zone files keeps growing. That complexity has created an ungoverned sprawl—what I often call the “junk drawer” of digital infrastructure.

In the next 20 minutes, we’ll unpack examples of exposure risks, show why they matter, and discuss how teams can implement effective change‑management controls to regain visibility and control.


Agenda

We’ll cover:

  1. The mission behind DNS hygiene
  2. What the “zone mess” really looks like
  3. Real‑world examples of dangling and orphaned DNS records
  4. The business and brand impacts
  5. Audit findings from enterprise DNS environments
  6. A four‑point summary and two recommended next steps to help you maintain brand trust.

Because in today’s economy, loss of trust equals loss of business.


The Mission – DNS Hygiene

The objective of DNS hygiene is straightforward: protect the business and keep customers safe.

To achieve that, you need to:

  • Establish control systems
  • Gain visibility across zones
  • Automate provisioning and monitoring for security exposures

Those three actions empower teams to get and keep control while reducing risk and cost—even as the digital surface area continues to expand.


Why the DNS Becomes a Mess

Let’s start with a new domain. On day one, it’s simple:
You register it, create a few resource records—SOA, A records for apex and “www,” MX for mail, maybe a CNAME for certificate validation, plus SPF and DMARC for phishing protection.

But as weeks, months, and years go by, people change roles. Teams add new records for campaigns, integrations, or testing—but rarely remove old ones.

The result is a control gap and an expanding zone full of forgotten settings.

Think of it like your kitchen junk drawer. It starts organized, but over time it fills with random objects.
Hidden among them are the loose items—DNS records—that attackers look for and exploit.


Example: Dangling DNS (CNAMEs and Subdomains)

Here’s how it happens in real life.

A web team sets up a new service for an app or campaign: new.webservice.com.
They launch it, everything works, and when the campaign ends, they shut down the web resource.

But they forget to remove the CNAME record in the DNS.
Now that record still exists, pointing to nothing—a dangling CNAME.

An attacker finds it, sets up a new resource with that same name on another cloud service, and hijacks that space under brandservice.com.
That’s a DNS hijack.


Example: Orphaned Subdomain

A similar problem occurs with A‑records that point to decommissioned IPs.

A marketing or product team sets up a resource in the cloud, runs a campaign, and later shuts the service down. The old IP goes back into the provider’s pool, but the DNS record remains active.

Attackers systematically cycle through available IPs, claim the one that matches your record, and now own that endpoint.
From there, they can impersonate your brand, collect credentials, or infect users.
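The two failure modes just described (a CNAME whose target no longer answers, and an A record whose address has gone back to a provider's pool) are what a zone hygiene audit looks for. The script below is an added example, not part of Peter's talk or any Authentic Web product: it walks a zone, follows CNAME chains, and flags targets that yield no address, then flags A records whose address falls outside the address blocks the organisation still controls. The zone (built around the talk's brandservice.com), the resolver answers, the owned prefixes and the hostnames under `.example` are all constructed so it runs offline; a real audit would replace the resolver dictionary with live lookups and the prefix list with an export from IPAM or the cloud provider's inventory.

```python
"""Zone hygiene check for dangling CNAMEs and orphaned A records.

Added example (not from the talk). All data below is constructed:
the zone, the resolver answers and the owned address blocks.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Record:
    name: str    # fully qualified, trailing dot
    rtype: str   # "A" or "CNAME" in this sample
    value: str


# Constructed sample zone for brandservice.com (domain named in the talk).
ZONE = [
    Record("brandservice.com.", "A", "203.0.113.10"),
    Record("www.brandservice.com.", "CNAME", "brandservice.com."),
    # Campaign ended, CDN resource deleted, CNAME left behind.
    Record("campaign.brandservice.com.", "CNAME", "old-campaign.example-cdn.net."),
    # Cloud VM decommissioned, its IP went back to the provider's pool.
    Record("promo.brandservice.com.", "A", "198.51.100.77"),
    Record("mail.brandservice.com.", "A", "203.0.113.25"),
    Record("_acme-challenge.brandservice.com.", "CNAME", "validation.example-ca.net."),
]

# Constructed stand-in for public DNS: name -> addresses it currently answers.
# A name absent here gets no answer (NXDOMAIN / empty), like a deleted resource.
RESOLVER = {
    "brandservice.com.": ["203.0.113.10"],
    "validation.example-ca.net.": ["192.0.2.40"],
    # "old-campaign.example-cdn.net." deliberately missing -> dangling target
}

# Constructed inventory of address space the organisation still controls
# (in practice: IPAM export or the cloud provider's allocated addresses).
OWNED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def resolve_chain(name, resolver, zone, max_depth=8):
    """Follow CNAMEs (in-zone first, then external) until addresses or nothing.

    Returns [] for a missing target or a CNAME loop, both of which
    leave the alias 'pointing to nothing'."""
    seen = set()
    current = name
    for _ in range(max_depth):
        if current in seen:
            return []                      # CNAME loop: never reaches an address
        seen.add(current)
        cnames = [r.value for r in zone if r.name == current and r.rtype == "CNAME"]
        if cnames:
            current = cnames[0]
            continue
        in_zone_a = [r.value for r in zone if r.name == current and r.rtype == "A"]
        if in_zone_a:
            return in_zone_a
        return resolver.get(current, [])   # external target: ask the resolver
    return []                              # chain too long, treat as broken


def find_dangling_cnames(zone, resolver):
    """CNAMEs whose target resolves to no address at all."""
    return [(r.name, r.value) for r in zone
            if r.rtype == "CNAME" and not resolve_chain(r.value, resolver, zone)]


def find_orphaned_a_records(zone, owned_prefixes):
    """A records pointing at an address outside every block we still own.

    Caveat: a target that still resolves can also be risky if it names a
    provider resource nobody in the organisation owns any more, so this
    address check should be paired with a cross-check against the
    provider's own resource inventory."""
    findings = []
    for r in zone:
        if r.rtype != "A":
            continue
        ip = ipaddress.ip_address(r.value)
        if not any(ip in net for net in owned_prefixes):
            findings.append((r.name, r.value))
    return findings


def audit(zone=ZONE, resolver=RESOLVER, owned_prefixes=OWNED_PREFIXES):
    """Run both checks and return the findings keyed by type."""
    return {
        "dangling_cname": find_dangling_cnames(zone, resolver),
        "orphaned_a": find_orphaned_a_records(zone, owned_prefixes),
    }


if __name__ == "__main__":
    for kind, items in audit().items():
        for name, value in items:
            print(f"{kind}: {name} -> {value}")
```

Run as a script it reports the two planted problems: `campaign.brandservice.com.` aliasing a target that no longer answers, and `promo.brandservice.com.` pointing at 198.51.100.77, which is outside the owned 203.0.113.0/24 block. The `www` alias and the certificate-validation CNAME pass because their chains end in a live address. Treat both findings as "review and remove or re-point", which is the clean-up step the talk says teams keep postponing.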


Why These Risks Matter

These exposures happen constantly—and they’re likely happening in your organization right now without anyone knowing.

Attackers use these vulnerabilities for phishing, data collection, or lateral movement in multi‑stage attacks.
As Microsoft notes on its website:

“Subdomain takeovers are a common, high‑severity threat for organizations that regularly create and delete many resource records.”

Combine that with findings from IDC and EfficientIP:

  • DNS‑based attacks are increasing in frequency and cost
  • Attackers exploit both protocol weaknesses and configuration errors
  • Business impact ranges from data theft to brand‑trust erosion

When you pair high probability with high severity, DNS exposure clearly ranks among the top enterprise risks.


Audit Evidence

At Authentic Web, we’ve conducted hundreds of enterprise DNS audits, revealing the same recurring themes.

1. Managed DNS Sprawl
Across 11 large enterprises, we found many using dozens of live DNS services. It’s impossible to enforce change controls across that many providers.
Best practice: consolidate DNS to a few governed systems with enforced workflows.

2. Live IP Overlays
Many registered domains still pointed to active IPs that no one could identify. Most of these are forgotten, and each one represents an orphaned or dangling DNS risk.
Best practice: gain visibility and establish approval processes for every zone edit.

3. Resolution Issues
A high percentage of domains failed to resolve correctly—a clear sign of poor hygiene.
Beyond security risk, these misconfigurations slow performance and weaken SEO.

Every non‑responsive domain must be reviewed, secured, and backed by proper SOA and HTTPS.
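The three audit findings above (provider sprawl, unidentified live IPs, domains that fail to resolve) all come out of one kind of portfolio-wide inventory. The script below is an added example, not code from the talk or from Authentic Web: given each domain's nameserver set and apex addresses, it groups domains by the provider operating their nameservers, counts how many providers are in play, and lists domains with no working delegation or no apex address. The portfolio is constructed inline (provider hostnames under `.example`, documentation addresses) so it runs offline; a real audit would fill it from live NS and A/AAAA queries against every domain the registrar reports. Deriving the provider from the last two labels of a nameserver name is a simplification and is labelled as such in the code.

```python
"""Portfolio-level DNS inventory: provider sprawl and non-resolving domains.

Added example (not from the talk). PORTFOLIO is constructed data standing
in for live NS and apex A answers gathered across the domain estate.
"""
from collections import defaultdict

# Constructed: domain -> (nameservers answered for it, apex A records answered)
PORTFOLIO = {
    "brandservice.com": (["ns1.dns-provider-a.example.", "ns2.dns-provider-a.example."],
                         ["203.0.113.10"]),
    "brandservice.net": (["ns1.dns-provider-b.example.", "ns2.dns-provider-b.example."],
                         ["203.0.113.10"]),
    # Delegated, but the apex answers nothing: campaign site torn down.
    "old-campaign-brand.com": (["ns1.dns-provider-c.example."], []),
    # No NS answer at all: lame or lapsed delegation.
    "legacy-brand.com": ([], []),
    "brand-promo.com": (["ns1.dns-provider-a.example."], ["198.51.100.5"]),
}


def provider_of(ns_host):
    """Provider operating a nameserver.

    Assumption (simplification): the provider is the registrable domain of the
    nameserver name, taken as its last two labels. Real audits should use a
    public-suffix-aware split, since e.g. two-part ccTLDs break this rule."""
    labels = ns_host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def providers_by_domain(portfolio):
    """domain -> sorted list of providers serving it."""
    return {d: sorted({provider_of(h) for h in ns}) for d, (ns, _) in portfolio.items()}


def domains_by_provider(portfolio):
    """provider -> sorted list of domains it serves; size of this dict is the sprawl."""
    out = defaultdict(list)
    for domain, providers in providers_by_domain(portfolio).items():
        for p in providers:
            out[p].append(domain)
    return {p: sorted(ds) for p, ds in out.items()}


def non_resolving(portfolio):
    """Domains that cannot serve anything: no delegation, or no apex address."""
    findings = {}
    for domain, (ns, apex) in portfolio.items():
        if not ns:
            findings[domain] = "no NS answer"
        elif not apex:
            findings[domain] = "apex has no A record"
    return findings


def summary(portfolio=PORTFOLIO):
    """One report a DNS owner can act on: how many providers, who serves what,
    and which domains need review before they are secured or retired."""
    by_provider = domains_by_provider(portfolio)
    return {
        "provider_count": len(by_provider),
        "domains_by_provider": by_provider,
        "non_resolving": non_resolving(portfolio),
    }


if __name__ == "__main__":
    report = summary()
    print(f"{report['provider_count']} DNS providers in use")
    for provider, domains in report["domains_by_provider"].items():
        print(f"  {provider}: {', '.join(domains)}")
    for domain, reason in report["non_resolving"].items():
        print(f"REVIEW {domain}: {reason}")
```

On the constructed portfolio the report shows three providers for five domains and two domains needing review. Each provider in the list is one more place where a zone edit can happen without a change-control workflow, which is why consolidating to a few governed systems is the first best practice above, and each non-resolving domain is a candidate either for proper SOA/HTTPS setup or for deliberate retirement.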


Why It Persists

If this sounds familiar, you’re not alone.
The problem persists because DNS management is hard.

Key reasons include:

  • Outdated or manual processes
  • Siloed ownership across departments
  • Lack of automated tools and workflows
  • Limited C‑level awareness or prioritization
  • Fear of “breaking something” by cleaning up records

Most teams know it’s messy but avoid opening the drawer.


The Stakes

Four things summarize the situation:

  1. DNS and domains are extremely vulnerable.
    Threats include social engineering, hijacking, DDoS, and phishing—and all start at the DNS layer.
  2. IT teams struggle to maintain control.
    Manual processes and disconnected ticketing systems mean policy enforcement is nearly impossible.
  3. Silos create inconsistent governance.
    Different groups manage DNS differently, with no unified approach.
  4. A lack of control systems magnifies risk and cost.
    We’re simply not equipping teams with the right technology to manage this.


The Solution – Modern DNS Control Systems

To fix it, enterprises need digital control systems built for DNS management.

That means centralizing domain, DNS, and certificate workflows into one easy‑to‑use platform that provides:

  • Unified visibility
  • Audit trails
  • Change approvals and automation

With automation, security improves while total cost of ownership actually goes down—eliminating thousands of manual hours and reducing human error.


Two Key Actions

Let me leave you with two takeaways:

  1. Get and Keep DNS Hygiene Under Control.
    Prioritize visibility and policy enforcement. You can’t secure what you can’t see.
  2. Make It Easy for Teams.
    Deploy systems that simplify—not complicate—governance. Automation and change‑control workflows make it manageable for everyone.

Implementing these steps reduces exposure, ensures compliance, and protects your brand reputation in the digital marketplace.


Closing

Thank you for joining today’s session. I hope this overview helps you think differently about your DNS zone hygiene and gives you talking points to bring to leadership.

If you’d like to see what a modern external DNS control system looks like, or arrange a demonstration, please reach out.

We’ve re‑engineered domain and DNS management to make it secure, simple, and observable, so you can keep your brand—and your customers—safe.

Have a great day, and best of luck in your mission to maintain DNS hygiene and brand trust.