Peter Lamantia – CEO, Authentic Web
Webinar on Domain and DNS Security
Hello everyone, and thank you for joining us today—whether it’s morning, afternoon, or evening where you are. My name is Peter Lamantia, and I’m the CEO of Authentic Web, a corporate domain registrar and DNS service provider based in Toronto, Canada.
I founded Authentic Web in 2015 after leading a registrar within a Fortune 1000 company. Even though we were in the domain business, managing domains was still incredibly frustrating. So we built tools that gave IT teams visibility and control, and as we dug deeper, we discovered major gaps in DNS security and compliance. That’s what we’re here to talk about today.
Agenda
We’ll cover:
- The difference between domain security and DNS network security
- Industry research on the growing frequency and impact of DNS attacks
- Key findings from external DNS audits
- Why these vulnerabilities exist and what risks they create
- Best practices and practical recommendations to strengthen your DNS security posture
We’ll also look inside the enterprise to understand common internal challenges and wrap up with solutions for gaining real control.
Why DNS Security Matters
DNS is the backbone of the entire digital business ecosystem. Every website visit, email, and online transaction depends on it. Nearly every cyberattack starts somewhere within the DNS layer—attackers exploit its visibility to map networks, discover misconfigurations, and uncover vulnerabilities.
Historically, organizations tried to secure their perimeter, but that old model no longer works. There’s no true perimeter anymore. Everything runs in the cloud, through providers and customers, all relying on external DNS. That’s also where attackers operate.
Domain Security vs. DNS Security
Domain security covers essentials like registrar and registry locks, two-factor authentication, and access controls. It protects the domains themselves.
DNS security goes much further. It enforces end-to-end policies—covering HTTPS, SPF, DMARC, DNSSEC, CAA records, and more. It requires change management, audit trails, compliance monitoring, and role-based permissions. Everyone should have visibility, but only authorized users should be able to edit DNS records.
Research Highlights
DNS compromises are increasing in scale and severity. From hijacks to orphan domains and phishing campaigns, attacks are becoming more complex and widespread. A 2021 IDC study found:
- 87% of organizations experienced a DNS-based attack
- The average cost was $950,000 per incident
Attackers exploit the DNS protocol itself, which by design is not secure and often misconfigured.
Key Findings from DNS Audits
We audited 11 enterprises across six industries, covering around 21,000 domains. The results revealed recurring patterns:
1. Multiple Registrars
Many companies use numerous registrars—sometimes a dozen or more—due to legacy setups or M&A activity. This makes it nearly impossible to maintain consistent control.
Best Practice: Consolidate to one or two trusted registrars and integrate them with DNS management and compliance systems.
2. Multiple Managed DNS Services
Some portfolios contained dozens of live DNS providers—an unmanageable and risky condition.
Best Practice: Consolidate DNS providers, implement centralized control, and enforce change management workflows.
3. IP Address Hygiene
Large numbers of legacy or orphaned IPs signal poor DNS hygiene. Forgotten or unmanaged endpoints increase brand impersonation risk and potential network exposure.
Best Practice: Monitor active IPs and automate DNS hygiene checks.
4. HTTP Response Hygiene
Non-resolving domains or missing Start of Authority (SOA) records indicate neglect and create hijacking risk.
Best Practice: Ensure every domain has an SOA record and regularly review zone health.
5. Secondary DNS
Adoption of secondary DNS remains low, which increases downtime risk when a DDoS event takes out a single provider.
Best Practice: Implement automated secondary DNS for high availability and resilience.
6. SPF and DMARC Adoption
Many organizations only configure SPF and DMARC on email-active domains, leaving others exposed to phishing.
Best Practice: Apply SPF and DMARC across all domains—even those not used for mail—to prevent brand-based attacks.
7. DNSSEC Adoption
Still low due to complexity, but automation is closing that gap. Without DNSSEC, resolvers cannot verify that the answers they cache for your zone are genuine, leaving them open to cache poisoning or hijacking.
Best Practice: Enable DNSSEC with automated key management and daily compliance monitoring.
8. HTTPS Enforcement
Unsecured redirects can expose users to man-in-the-middle attacks.
Best Practice: Use secure HTTPS redirects across all domains and automate certificate provisioning and renewal.
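The findings above (SOA presence, secondary DNS, SPF and DMARC on every domain, DNSSEC, HTTPS redirects) can be turned into mechanical policy rules that a daily compliance job runs over the whole portfolio. The Python below is an added example, not Authentic Web's tooling or anything shown in the webinar: the domain names, the snapshot field layout (`soa`, `ns`, `txt`, `dmarc`, `ds`, `redirect`, `mail`) and the finding codes are all this example's own constructed conventions. A real job would populate the snapshots from DNS lookups and HTTP probes; here they are embedded so the checks run offline.

```python
"""Portfolio-wide DNS hygiene checks (added example; constructed data, not real zones)."""
from collections import Counter

# Constructed snapshots of what an external audit collects per domain.
# Field names are this example's own convention, not any DNS provider's API.
#   soa      SOA record string, or None when the domain does not resolve
#   ns       authoritative name-server hostnames
#   txt      TXT records at the zone apex (where SPF lives)
#   dmarc    TXT records at _dmarc.<domain>
#   ds       DS records in the parent zone (DNSSEC chain of trust)
#   redirect Location header returned for a plain-HTTP request, or None
#   mail     whether the organisation actually sends mail from this domain
SAMPLE_DOMAINS = {
    "corp.example": {
        "soa": "ns1.dns-a.example. hostmaster.corp.example. 2024010101 7200 3600 1209600 300",
        "ns": ["ns1.dns-a.example.", "ns2.dns-a.example.", "ns1.dns-b.example."],
        "txt": ["v=spf1 include:_spf.mail.example -all"],
        "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@corp.example"],
        "ds": ["54321 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"],
        "redirect": "https://www.corp.example/",
        "mail": True,
    },
    "old-brand.example": {  # parked, non-mail domain that nobody reviews
        "soa": "ns1.dns-a.example. hostmaster.old-brand.example. 2019050501 7200 3600 1209600 300",
        "ns": ["ns1.dns-a.example.", "ns2.dns-a.example."],  # two servers, one provider
        "txt": ["v=spf1 ~all"],
        "dmarc": [],
        "ds": [],
        "redirect": "http://www.corp.example/",
        "mail": False,
    },
    "forgotten.example": {  # no authoritative answer at all
        "soa": None, "ns": [], "txt": [], "dmarc": [], "ds": [], "redirect": None, "mail": False,
    },
}


def parse_spf(txt_records):
    """Return the SPF mechanisms, or None if zero or multiple SPF records exist
    (RFC 7208 treats more than one record as a permanent error)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    return spf[0].split()[1:]


def parse_dmarc(txt_records):
    """Return DMARC tags as a dict, or None if no single valid record is published."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def provider_of(ns_host):
    """Approximate the DNS provider by dropping the host label: ns1.dns-a.example. -> dns-a.example."""
    labels = ns_host.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else ".".join(labels)


def audit_domain(snapshot):
    """Apply findings 4-8 as rules; return the list of finding codes (empty = compliant)."""
    findings = []
    if not snapshot["soa"]:
        findings.append("NO_SOA")          # finding 4: nothing else is meaningful without a zone
        return findings
    # Finding 5: at least two name servers spread over at least two providers.
    if len(snapshot["ns"]) < 2 or len({provider_of(h) for h in snapshot["ns"]}) < 2:
        findings.append("NO_SECONDARY_DNS")
    # Finding 6: SPF on every domain; non-mail domains publish a bare "v=spf1 -all".
    spf = parse_spf(snapshot["txt"])
    if spf is None:
        findings.append("SPF_MISSING")
    elif not snapshot["mail"] and spf != ["-all"]:
        findings.append("SPF_NONMAIL_NOT_DENY_ALL")
    elif not spf or spf[-1].lower() not in ("-all", "~all"):
        findings.append("SPF_WEAK_ALL")
    # Finding 6: DMARC must exist and enforce; non-mail domains should be p=reject.
    dmarc = parse_dmarc(snapshot["dmarc"])
    if dmarc is None:
        findings.append("DMARC_MISSING")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none" or (not snapshot["mail"] and policy != "reject"):
            findings.append("DMARC_NOT_ENFORCING")
    # Finding 7: a DS record in the parent proves the DNSSEC chain of trust is published.
    if not snapshot["ds"]:
        findings.append("DNSSEC_NO_DS")
    # Finding 8: plain-HTTP requests must land on an HTTPS URL.
    redirect = snapshot["redirect"] or ""
    if not redirect.lower().startswith("https://"):
        findings.append("HTTP_REDIRECT_NOT_HTTPS")
    return findings


def audit_portfolio(domains):
    """Map each domain name to its finding codes."""
    return {name: audit_domain(snap) for name, snap in domains.items()}


def summarize(results):
    """Count how many domains carry each finding code, for the daily compliance report."""
    return Counter(code for codes in results.values() for code in codes)


if __name__ == "__main__":
    report = audit_portfolio(SAMPLE_DOMAINS)
    for name, codes in report.items():
        print(f"{name}: {', '.join(codes) or 'compliant'}")
    print(dict(summarize(report)))
```

The rules are deliberately strict for non-mail domains: a parked brand domain has no legitimate sender, so anything other than `v=spf1 -all` plus `p=reject` leaves it usable for spoofing. Running this daily over registrar and DNS exports, and diffing the finding counts day over day, is the kind of compliance monitoring the findings call for.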
Summary of Findings
DNS audits reveal major gaps in security, hygiene, and compliance. These problems lead to regulatory risk, brand damage, and costly reactive work when incidents occur. IT teams often lack ownership, visibility, and the right tools to manage the complexity created by silos, legacy systems, and decentralized processes.
Inside the Enterprise
It used to be simple: one domain, one registrar, one DNS service. Today, organizations manage hundreds or thousands of domains, often across multiple teams—brand, IT, marketing, legal—without centralized ownership or unified systems.
As a result, DNS management becomes fragmented and manual, relying on tickets, email threads, and spreadsheets. Policy enforcement and audit trails are often missing. Zone reviews are sporadic and resource-intensive, and institutional knowledge leaves when people do.
Three Key Questions
- Can someone change a DNS zone without authorization?
- Can you prove your system enforces security policies and records changes?
- Is your DNS management integrated with registrar and DNS control systems?
If the answer to any of these is “no,” your business likely has compliance and security gaps.
How to Solve It
- Acknowledge the risk: Domains and DNS are frequent targets.
- Address internal challenges: Manual processes and silos make control nearly impossible.
- Implement DNS security policies: Enforce them through centralized, automated systems.
- Automate whenever possible: Automation ensures consistency, scalability, and cost efficiency.
For example, DNSSEC automation can handle record creation and key rotation automatically—far more reliable than manual maintenance. Over time, automation reduces both risk and cost of ownership.
Closing
DNS is foundational to every digital business. Yet for many, it remains the biggest unseen vulnerability. With the right systems and controls, you can secure it, simplify management, and reduce cost.
If you’d like to learn more, we have additional resources—white papers, webinars, and blog posts—available on our website.
Thank you for your time, and I hope this session gave you valuable insights into protecting your domains and DNS infrastructure.