DNS-004 (Recommended): Domain Management

DNS provider consolidated and access audited

All domains use a single DNS provider (or documented few) with audited access control. DNS changes are traceable to a person.

Question to ask

"How many DNS dashboards does your team need to check?"

What to check

  • Ask which DNS provider(s) are used
  • Verify who has write access to DNS
  • Check whether a DNS change audit log exists

Verification guide

Severity: Recommended

Scattered DNS across multiple providers makes auditing harder and increases the risk of stale records or misconfiguration.

Ask user:

  • "How many DNS providers do you use?"
  • "Who has write access to DNS records?"
  • "Is there an audit log of DNS changes?"
  • "When was the last time you reviewed DNS access?"

Pass criteria:

  • DNS consolidated to one provider (or documented reason for multiple)
  • Write access limited to specific people/roles
  • DNS changes logged (Cloudflare does this by default)

Fail criteria:

  • DNS spread across 3+ providers with no documentation
  • Everyone in the org has DNS write access
  • No way to see who changed what

Evidence to capture:

  • DNS provider(s) and domains per provider
  • Who has write access
  • Whether audit logs exist
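A small script that builds the "domains per provider" evidence from NS delegations, flags domains delegated to more than one provider, and applies the pass/fail criteria above; this is an added example, not part of the checklist. The provider mapping and the sample delegations are constructed, and lookup_ns assumes the dig tool is installed.

```python
import subprocess
from collections import defaultdict
# Nameserver hostname fragments -> provider label (constructed mapping; extend it).
PROVIDER_SUFFIXES = {
    "ns.cloudflare.com": "Cloudflare",
    "awsdns": "AWS Route 53",
    "domaincontrol.com": "GoDaddy",
}

def provider_of(ns_host):
    """Classify one NS hostname; unknown hosts group by their last two labels."""
    host = ns_host.rstrip(".").lower()
    for fragment, name in PROVIDER_SUFFIXES.items():
        if fragment in host:
            return name
    return "unknown:" + ".".join(host.split(".")[-2:])

def domains_per_provider(ns_records):
    """{domain: [NS hosts]} -> {provider: sorted domains}, the evidence to capture."""
    groups = defaultdict(set)
    for domain, hosts in ns_records.items():
        for host in hosts:
            groups[provider_of(host)].add(domain)
    return {p: sorted(d) for p, d in sorted(groups.items())}

def split_delegations(ns_records):
    """Domains whose NS set spans several providers: a likely misconfiguration."""
    return sorted(d for d, hosts in ns_records.items()
                  if len({provider_of(h) for h in hosts}) > 1)

def evaluate(groups, documented=False):
    """Pass/fail per the checklist: one provider passes, 3+ undocumented fails."""
    n = len(groups)
    if n <= 1 or documented:
        return "PASS"
    return "FAIL" if n >= 3 else "REVIEW"

def lookup_ns(domain):
    """Live NS lookup via dig (assumes dig is installed); not used by the sample."""
    out = subprocess.run(["dig", "+short", "NS", domain],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]

# Constructed sample delegations standing in for lookup_ns() results.
SAMPLE = {
    "example.com": ["amy.ns.cloudflare.com.", "bob.ns.cloudflare.com."],
    "example.org": ["ns-12.awsdns-34.com.", "ns-56.awsdns-78.net."],
    "example.net": ["ns01.domaincontrol.com.", "ns02.domaincontrol.com."],
}
```

For a real review, replace SAMPLE with `{d: lookup_ns(d) for d in your_domains}` and record the returned groups as the evidence.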

Section: 20. Domain & Email Infrastructure