DNS and Domain Security Check Checklist [FREE PDF]
DNS infrastructure is a critical attack surface—domain hijacking, DNS spoofing, and cache poisoning attacks can redirect traffic, intercept credentials, and enable phishing at scale. Regulatory frameworks including NIST CSF PR.IP-1, ISO/IEC 27001:2022 Annex A 8.20, and PCI DSS v4.0 Requirement 6.4 require organizations to secure their network infrastructure including DNS. This checklist provides a structured assessment of DNSSEC configuration, registrar security, email authentication records, an
- Industry: Managed IT Services
- Frequency: Monthly
- Estimated Time: 25-40 minutes
- Role: Network Engineer
- Total Items: 38
- Compliance: NIST CSF PR.IP-1 and DE.CM-1, ISO/IEC 27001:2022 Annex A 8.20, PCI DSS v4.0 Requirement 6.4.1, SOC 2 Type II CC6.6, GDPR Article 32(1)(b)
Domain Registrar & Account Security
Verify that domain registrar accounts are secured against unauthorized transfer, hijacking, and unauthorized modifications.
- Is multi-factor authentication (MFA) enabled on all domain registrar accounts?
- Is a transfer lock (registrar lock) enabled for all production domains, and a registry lock for high-value domains where the registrar offers it?
- Is WHOIS privacy protection enabled to prevent public exposure of registrant contact data?
- Are registrar account credentials unique and stored in an approved password manager or vault?
- Are domain expiration dates monitored with automated alerts at least 60 days before expiry?
- Is auto-renewal enabled for all production and critical domains?
DNSSEC Configuration & Validation
Assess whether DNSSEC is implemented and correctly configured to prevent DNS spoofing and cache poisoning attacks.
- Is DNSSEC enabled and active for all production domains?
- Have DS records for the current KSK been published in the parent zone via the registrar, and do they match the DNSKEY records the zone actually serves?
- Are DNSSEC signatures (RRSIG records) valid and re-signed before they expire? Expired signatures make the zone unresolvable on validating resolvers.
- Are DNSSEC key rollovers performed on a documented schedule (for example ZSK quarterly, KSK every 1-2 years or on suspected compromise), with the DS record at the parent updated before the old KSK is retired?
- Is DNSSEC validation enabled on all recursive resolvers used within the organization?
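The DS-versus-DNSKEY check above is easy to get wrong by eye, so here is a worked example of doing it programmatically. This is an added example, not part of the original checklist: it computes the RFC 4034 key tag and DS digest from a DNSKEY record and compares the result with what the parent zone publishes, then classifies each DS as matched, stale (left behind after a rollover), or weak (SHA-1). The zone name example.com and the DNSKEY/DS records are constructed; the DNSKEY's public-key field is a few placeholder bytes rather than a real key. In practice the inputs are the output of `dig +short DNSKEY <zone>` and `dig +short DS <zone> @<parent-ns>`.

```python
import base64
import hashlib
import struct

# Constructed example records for the hypothetical zone example.com. The DNSKEY below is
# not a real key (its public-key field is a few bytes); in practice paste the output of
# `dig +short DNSKEY example.com` and `dig +short DS example.com @<parent-zone-ns>`.
ZONE = "example.com."
KSK_DNSKEY = "257 3 8 AwEAAas="   # flags=257 (ZONE + SEP bits => KSK), protocol 3, algorithm 8 (RSA/SHA-256)
ZSK_DNSKEY = "256 3 8 AwEAAas="   # flags=256: zone-signing key; no DS is published for it
STALE_DS = "12345 8 2 " + "AA" * 32   # constructed: a DS left behind after a KSK rollover

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types (RFC 4034, RFC 6605)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lowercase labels, root label last."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum over the DNSKEY RDATA, carry folded in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(text: str):
    """'flags protocol algorithm base64key' -> (flags, algorithm, wire RDATA)."""
    flags, proto, alg, *key_b64 = text.split()
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key_b64))
    return int(flags), int(alg), rdata


def is_ksk(flags: int) -> bool:
    return bool(flags & 0x0100) and bool(flags & 0x0001)   # ZONE bit and SEP bit both set


def compute_ds(zone: str, dnskey_text: str, digest_type: int = 2) -> str:
    """DS RDATA for a DNSKEY: digest is taken over owner-name wire form || DNSKEY RDATA."""
    _flags, alg, rdata = parse_dnskey(dnskey_text)
    digest = DIGEST_ALGS[digest_type](name_to_wire(zone) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(zone: str, dnskey_text: str, ds_text: str) -> bool:
    tag, alg, dtype, digest = ds_text.split(maxsplit=3)
    if int(dtype) not in DIGEST_ALGS:
        return False
    digest = digest.replace(" ", "").upper()   # dig may break long digests with whitespace
    return compute_ds(zone, dnskey_text, int(dtype)) == f"{tag} {alg} {dtype} {digest}"


def audit_ds(zone, dnskey_records, ds_records):
    """Classify each DS at the parent: matched by a published KSK, stale (matches no published KSK;
    if no DS matches at all, validating resolvers return SERVFAIL), or weak (SHA-1 digest, type 1)."""
    ksks = [k for k in dnskey_records if is_ksk(parse_dnskey(k)[0])]
    matched, stale, weak = [], [], []
    for ds in ds_records:
        if ds.split()[2] == "1":
            weak.append(ds)
        (matched if any(ds_matches(zone, k, ds) for k in ksks) else stale).append(ds)
    return matched, stale, weak


if __name__ == "__main__":
    current_ds = compute_ds(ZONE, KSK_DNSKEY)     # what the parent zone should be publishing
    m, s, w = audit_ds(ZONE, [KSK_DNSKEY, ZSK_DNSKEY], [current_ds, STALE_DS])
    print("matched:", m)
    print("stale:  ", s)
    print("weak:   ", w)
```

A stale DS next to a valid one does not break validation, but a stale DS on its own does, which is exactly what happens when a KSK is retired before the parent is updated; running this comparison before the old key is removed is the check behind the rollover item above.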
DNS Server Hardening & Configuration
Verify that authoritative and recursive DNS servers are hardened, updated, and configured securely.
- Are authoritative DNS servers patched and running a currently supported software version?
- Is DNS zone transfer (AXFR/IXFR) restricted to authorized secondary servers only, using an IP allowlist and TSIG keys?
- Is DNS recursion disabled on authoritative DNS servers?
- Are DNS query logs enabled and being forwarded to a SIEM or centralized log system?
- Are recursive resolvers closed to the internet (no open recursion), and is Response Rate Limiting (RRL) enabled on authoritative servers so they cannot be abused as DNS amplification reflectors?
Email Authentication DNS Records
Confirm SPF, DKIM, and DMARC records are correctly configured to prevent email spoofing and phishing.
- Is a valid SPF (Sender Policy Framework) TXT record published for all email-sending domains?
- Does the SPF record end with '-all' (fail) rather than '~all' (soft fail), never '+all' (which authorizes every sender), and stay within the 10 DNS-lookup limit of RFC 7208?
- Is a DMARC TXT record published with a policy of 'quarantine' or 'reject'?
- Is DMARC reporting configured (rua tag for aggregate reports, ruf tag for failure reports), and are the reports actually reviewed?
- Are DKIM public keys published as DNS TXT records (selector._domainkey) for all email-sending services, using at least 2048-bit RSA keys that are rotated?
- Are parked or non-sending domains protected with a null SPF record ('v=spf1 -all'), a DMARC record with 'p=reject', and a null MX record (RFC 7505)?
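The SPF and DMARC items above can be checked mechanically once the TXT records are in hand. The following Python is an added example, not part of the original checklist: it evaluates a single SPF record (the 'all' qualifier, the deprecated ptr mechanism, and the count of lookup-costing terms) and a DMARC record (policy, subdomain policy, reporting addresses, pct), and flags a non-sending domain that is not at p=reject. The sample records are constructed and belong to no real zone. It counts only the terms in the record it is given; a full audit also follows every include and redirect and charges their lookups against the same budget of ten.

```python
import re

# RFC 7208 section 4.6.4: each of these terms costs a DNS lookup, and a record that needs
# more than ten of them evaluates to permerror. ip4, ip6, all and exp do not count.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
STRONG_POLICIES = {"quarantine", "reject"}


def audit_spf(txt: str) -> list:
    """Findings for one SPF TXT record. Only this record's own terms are counted; a full
    audit also follows every include/redirect and adds their lookups to the budget of ten."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier, body = "+", term
        if body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()   # 'include:x' -> include, 'a/24' -> a
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is slow and unreliable; RFC 7208 says not to use it")
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (receivers return permerror)")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every sender on the internet")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral and provides no protection")
    elif all_qualifier == "~":
        findings.append("'~all' soft fail: acceptable only alongside DMARC p=quarantine/reject")
    return findings


def parse_dmarc(txt: str):
    """'v=DMARC1; p=reject; rua=mailto:...' -> {'v': 'DMARC1', 'p': 'reject', ...} or None."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v") == "DMARC1" else None


def audit_dmarc(txt: str, sends_mail: bool = True) -> list:
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy not in STRONG_POLICIES:
        findings.append(f"p={policy}: receivers deliver mail that fails DMARC unchanged")
    if not sends_mail and policy != "reject":
        findings.append("non-sending domain should publish p=reject")
    if "sp" in tags and tags["sp"] not in STRONG_POLICIES:
        findings.append(f"sp={tags['sp']} leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so failures stay invisible")
    if "ruf" not in tags:
        findings.append("no ruf tag: no failure reports (few receivers send them, but it costs nothing)")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    return findings


# Constructed sample records (not from any real zone).
SAMPLES = {
    "good sending domain": ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx -all",
                            "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com"),
    "parked domain": ("v=spf1 -all",
                      "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com"),
    "weak": ("v=spf1 include:_spf.example.net ptr +all",
             "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
}

if __name__ == "__main__":
    for label, (spf, dmarc) in SAMPLES.items():
        parked = label == "parked domain"
        print(label, "->", audit_spf(spf) + audit_dmarc(dmarc, sends_mail=not parked))
```

The 'weak' sample is the shape that shows up most often in practice: a soft or open 'all' qualifier combined with p=none, which together mean spoofed mail is neither rejected by SPF nor acted on by DMARC.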
DNS Monitoring & Threat Detection
Verify that DNS traffic is monitored for anomalies, data exfiltration attempts, and malicious domain resolution.
- Is DNS traffic monitored for signs of DNS tunneling or data exfiltration?
- Is a DNS filtering or protective DNS service backed by threat intelligence (e.g., CISA Protective DNS for eligible agencies, or a commercial equivalent) in use?
- Are alerts configured for unexpected changes to DNS records (zone modifications)?
- Is there a defined process to investigate and respond to DNS anomaly alerts within 24 hours?
- Are the organization's public zones monitored from outside (for example via passive DNS and certificate transparency logs) for subdomains or records that were not created through change management?
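The tunneling item above is the one most teams struggle to turn into a concrete detection. The following Python is an added example, not part of the original checklist: it runs a simple heuristic over resolver query logs, grouping queries by registrable domain and flagging domains with many unique subdomains whose leftmost labels are long and high-entropy, the signature of data encoded into query names. The log lines are constructed in the style of BIND query logging and are not real traffic; the domain evil-tunnel.example is hypothetical. It approximates the registrable domain as the last two labels, which is fine for the sample but should be replaced by a Public Suffix List lookup in production. The thresholds are starting points to tune against your own baseline.

```python
import math
from collections import defaultdict

# Constructed resolver query log (BIND-style "client ... query:" lines, reduced to the fields
# used here). example.com and example.net are benign; evil-tunnel.example carries encoded
# payload in its leftmost labels.
SAMPLE_LOG = """\
192.0.2.10 query: www.example.com IN A
192.0.2.10 query: mail.example.com IN MX
192.0.2.11 query: cdn.example.net IN AAAA
192.0.2.10 query: api.example.com IN A
192.0.2.22 query: 3q2e7h8k1z9x4c5v6b7n8m9a0s1d2f3g.t.evil-tunnel.example IN TXT
192.0.2.22 query: 9z8x7c6v5b4n3m2a1s0d9f8g7h6j5k4l.t.evil-tunnel.example IN TXT
192.0.2.22 query: k1j2h3g4f5d6s7a8p9o0i1u2y3t4r5e6.t.evil-tunnel.example IN TXT
192.0.2.22 query: w7q8e9r0t1y2u3i4o5p6a7s8d9f0g1h2.t.evil-tunnel.example IN TXT
192.0.2.22 query: m4n5b6v7c8x9z0l1k2j3h4g5f6d7s8a9.t.evil-tunnel.example IN NULL
192.0.2.22 query: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.t.evil-tunnel.example IN TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for 'www', above 4 for base32/base64-style payload labels."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def split_name(qname: str):
    """Return (registrable domain, subdomain labels). Approximates the registrable domain as the
    last two labels; production code should use the Public Suffix List so that
    host.example.co.uk groups under example.co.uk rather than co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def parse_queries(log_text: str):
    """Yield (client, qname, qtype) from lines of the form '<client> query: <qname> IN <qtype>'."""
    for line in log_text.splitlines():
        parts = line.split()
        if "query:" in parts:
            i = parts.index("query:")
            yield parts[0], parts[i + 1], parts[i + 3]


def profile_domains(log_text: str) -> dict:
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy": [],
                                 "label_len": [], "txt_or_null": 0})
    for _client, qname, qtype in parse_queries(log_text):
        base, sub = split_name(qname)
        first = sub[0] if sub else ""       # leftmost label is where tunnels put the payload
        s = stats[base]
        s["queries"] += 1
        s["subdomains"].add(".".join(sub))
        s["entropy"].append(shannon_entropy(first))
        s["label_len"].append(len(first))
        s["txt_or_null"] += qtype in ("TXT", "NULL")   # record types tunnels favour for downstream data
    return stats


def flag_tunnels(log_text: str, min_unique: int = 5, min_entropy: float = 3.5, min_len: int = 20) -> dict:
    """Domains whose queries look like a tunnel: many unique subdomains with long, high-entropy labels."""
    flagged = {}
    for base, s in profile_domains(log_text).items():
        avg_entropy = sum(s["entropy"]) / s["queries"]
        avg_len = sum(s["label_len"]) / s["queries"]
        if len(s["subdomains"]) >= min_unique and avg_entropy >= min_entropy and avg_len >= min_len:
            flagged[base] = {"unique_subdomains": len(s["subdomains"]),
                             "avg_entropy": round(avg_entropy, 2),
                             "avg_label_len": round(avg_len, 1),
                             "txt_or_null": s["txt_or_null"]}
    return flagged


if __name__ == "__main__":
    for domain, metrics in flag_tunnels(SAMPLE_LOG).items():
        print(f"ALERT possible DNS tunnel: {domain} {metrics}")
```

Legitimate services such as CDNs and some antivirus vendors also generate long, random-looking labels, so a production version of this needs an allowlist and a baseline window rather than a single pass; the point of the example is the feature set (unique-subdomain count, label entropy, label length, TXT/NULL share), which is what most commercial DNS analytics score on as well.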
CAA Records & Ancillary DNS Security
Validate Certification Authority Authorization records and other auxiliary DNS security configurations.
- Are CAA (Certification Authority Authorization) records published for all domains, with 'issue' and 'issuewild' tags naming only the approved CAs?
- Does the CAA record include an 'iodef' tag so CAs can report certificate requests that violate the policy?
- Are all dangling DNS records (CNAME, A/AAAA or NS records pointing to decommissioned cloud resources that an attacker could re-register for subdomain takeover) identified and removed?
- Is the SOA MINIMUM field (the negative-caching TTL, RFC 2308) set to a value that lets newly created records become resolvable quickly without making NXDOMAIN answers effectively uncacheable?
- Are DNS records for newly decommissioned subdomains or services removed within 24 hours?
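Worked example for the two CAA items above, added here and not part of the original checklist: a small audit that parses CAA records in dig presentation form and checks that the 'issue' set names only approved CAs, that 'issuewild' is present (otherwise wildcard issuance falls back to the 'issue' set), that an 'iodef' address exists, and that the critical flag is not set on a tag CAs may not understand. The record sets and the approved-CA list are constructed; in practice the records come from `dig +short CAA <name>`, remembering that a CA also walks up the tree to parent names when a label has no CAA RRset of its own.

```python
import shlex

# Constructed CAA RRsets in dig presentation form (not from a real zone).
GOOD_CAA = ['0 issue "letsencrypt.org"', '0 issuewild ";"', '0 iodef "mailto:security@example.com"']
LOOSE_CAA = ['0 issue "letsencrypt.org"', '0 issue "some-other-ca.example"']
APPROVED_CAS = {"letsencrypt.org"}   # hypothetical approved-CA list for the organization


def parse_caa(records):
    """Each record is 'flags tag "value"'; shlex strips the quotes around the value."""
    out = []
    for r in records:
        flags, tag, value = shlex.split(r)
        out.append((int(flags), tag.lower(), value))
    return out


def ca_domains(rrs, tag):
    """CA domains named by a tag, with parameters after ';' dropped. The 'issue ";"' form,
    which forbids issuance entirely, yields the empty string."""
    return {v.split(";")[0].strip().lower() for _f, t, v in rrs if t == tag}


def audit_caa(records, approved_cas) -> list:
    if not records:
        return ["no CAA record: any publicly trusted CA may issue for this name (RFC 8659)"]
    rrs = parse_caa(records)
    findings = []
    issue = ca_domains(rrs, "issue")
    if not issue:
        findings.append("no issue tag: CAA does not restrict issuance")
    unapproved = sorted(issue - set(approved_cas) - {""})
    if unapproved:
        findings.append(f"issue authorizes unapproved CA(s): {unapproved}")
    if not ca_domains(rrs, "issuewild"):
        findings.append("no issuewild tag: wildcard issuance falls back to the issue set")
    if not any(t == "iodef" for _f, t, _v in rrs):
        findings.append("no iodef tag: CAs have nowhere to report requests that violate the policy")
    for flags, tag, _v in rrs:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            findings.append(f"critical flag on tag '{tag}': CAs that do not understand it must refuse to issue")
    return findings


if __name__ == "__main__":
    print("good  ->", audit_caa(GOOD_CAA, APPROVED_CAS))
    print("loose ->", audit_caa(LOOSE_CAA, APPROVED_CAS))
    print("none  ->", audit_caa([], APPROVED_CAS))
```

Pairing 'issue' with an explicit 'issuewild ";"' as in GOOD_CAA is the common safe default: it lets the approved CA issue normal certificates while refusing wildcards outright, which is what most organizations want unless they deliberately run wildcard certificates.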
DNS Change Management & Documentation
Confirm that all DNS changes follow a formal change management process with audit trails and documentation.
- Is a formal change management process required for all DNS record modifications?
- Are all DNS changes logged with timestamps, requester identity, and approver identity?
- Is there a documented DNS security policy reviewed and approved within the last 12 months?
- Have all DNS-related findings from the previous audit been remediated or formally accepted?
- Are staff responsible for DNS management trained on DNS attack vectors and secure configuration?
- Additional notes or observations from this DNS and domain security check?
Related Technology Checklists
- Email Security Configuration Audit Checklist [FREE PDF]
- API Security Review Inspection Checklist [FREE PDF]
- Network Firewall Rule Review Checklist [FREE PDF]
- Endpoint Security Inspection Checklist [FREE PDF]
- Mobile Device Management (MDM) Compliance Checklist [FREE PDF]
- Disaster Recovery Plan Test Checklist [FREE PDF]
- Change Management Process Audit Checklist [FREE PDF]
- Software License Compliance Inspection Checklist [FREE PDF]
Related Network Security Checklists
- Network Firewall Rule Review Checklist [FREE PDF] - FREE Download
- Endpoint Security Inspection Checklist [FREE PDF] - FREE Download
- Vulnerability Scan Review Checklist [FREE PDF] - FREE Download
- SSL/TLS Certificate Audit Checklist [FREE PDF] - FREE Download
- Email Security Configuration Audit Checklist [FREE PDF] - FREE Download
- API Security Review Inspection Checklist [FREE PDF] - FREE Download
Why Use This DNS and Domain Security Check Checklist [FREE PDF]?
This DNS and Domain Security Check Checklist helps managed IT services teams maintain compliance and operational discipline over their DNS estate. Designed for network engineers, it covers 38 inspection points across 7 sections. Recommended frequency: monthly.
Maps to NIST CSF PR.IP-1 and DE.CM-1, ISO/IEC 27001:2022 Annex A 8.20, PCI DSS v4.0 Requirement 6.4.1, SOC 2 Type II CC6.6, and GDPR Article 32(1)(b), supporting audit readiness and inspection documentation.
Frequently Asked Questions
What does the DNS and Domain Security Check Checklist [FREE PDF] cover?
This checklist covers 38 inspection items across 7 sections: Domain Registrar & Account Security, DNSSEC Configuration & Validation, DNS Server Hardening & Configuration, Email Authentication DNS Records, DNS Monitoring & Threat Detection, CAA Records & Ancillary DNS Security, and DNS Change Management & Documentation. It is designed for managed IT services operations and compliance.
How often should this checklist be completed?
This checklist should be completed monthly. Each completion takes approximately 25-40 minutes.
Who should use this DNS and Domain Security Check Checklist [FREE PDF]?
This checklist is designed for network engineers in the managed IT services industry. It can be used for self-assessments, team audits, and regulatory compliance documentation.
Can I download this checklist as a PDF?
Yes, this checklist is available as a free PDF download. You can also use it digitally in the POPProbe mobile app for real-time data capture, photo documentation, and automatic reporting.