DNS-001 critical Domain Management

Domain inventory maintained

A centralized, up-to-date list of all domains and subdomains owned by the organization. Includes purpose, registrar, DNS provider, expiry date, and owner for each domain. This inventory feeds into email, security, and infrastructure audits.

Question to ask

"List every domain your org owns. All of them. Sure you got them all?"

What to check

  • Ask user for all owned domains (root + subdomains)
  • Cross-check with Cloudflare zones if API access available
  • Cross-check with registrar account(s)
  • Verify inventory includes purpose and owner for each domain

Verification guide

Severity: Critical

A domain inventory is the foundation of infrastructure auditing. You can't secure, monitor, or authenticate what you don't know you own.

Check automatically:

  1. If Cloudflare API access is available (preferred):

     # List all zones (domains) in the Cloudflare account.
     # The zones endpoint returns at most 50 per page; add &page=2, &page=3, ... for larger accounts.
     curl -s -X GET "https://api.cloudflare.com/client/v4/zones?per_page=50" \
       -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result[] | {name, status}'

     # For each zone, list all DNS records. ZONE_ID is the "id" field of a zone from the call above.
     curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?per_page=100" \
       -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result[] | {type, name, content}'

  2. WHOIS check for each known domain (registrar, creation/expiry dates, name servers):

     whois example.com | grep -iE "registrar|expir|creat|name server"

Ask user:

  • "List all root domains your organization owns"
  • "For each domain, what's its purpose?" (production, staging, marketing, redirect, parked)
  • "Which registrar(s) do you use?"
  • "Which DNS provider(s) do you use?"
  • "Is there a single document listing all your domains?"

Pass criteria:

  • Centralized inventory exists (document, spreadsheet, or structured file)
  • Includes all root domains and active subdomains
  • Each entry has: purpose, registrar, DNS provider, expiry date, owner
  • Updated within the last 6 months

Fail criteria:

  • No inventory — domains are "in people's heads"
  • Inventory exists but incomplete (missing domains discovered during audit)
  • No owner assigned to domains

Evidence to capture:

  • Complete domain list with purpose and registrar
  • Where the inventory lives (doc URL, file path)
  • When it was last updated
  • Any domains discovered during audit that weren't in the inventory

Section: 20. Domain & Email Infrastructure
