
The MSP’s DNS Security Checklist

Posted on August 4th, 2025


DNS is one of the most important and most overlooked layers in your clients' infrastructure.

As an MSP, you’re often the one who gets blamed when something breaks—whether you control the DNS or not. And while many DNS problems are silent, their consequences are loud: email failures, website outages, and frustrated clients.

This DNS security checklist will help you proactively identify and fix DNS risks across all your client domains.

✅ 1. Monitor All Authoritative Nameservers

  • Are all NS records correct and up-to-date?

  • Do all authoritative nameservers return the same records?

  • Are you checking for nameserver drift or propagation inconsistencies?

💡 Tip: Use a tool that checks sync status across nameservers on every change.
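A minimal version of that sync check, written for this post as an added example (it is not DNS Spy's code): it takes the answer section each authoritative nameserver returns, as `dig @<ns> <name> <type> +noall +answer` prints it, and reports every RRset on which the servers disagree. The three answer texts below are constructed for the RFC 2606 name example.com; in practice you would capture them from each server listed in the NS set.

```python
"""Compare the answers every authoritative nameserver gives for the same
names, to catch nameserver drift. Added example; the dig output below is
constructed, not captured from any real zone."""
from collections import defaultdict

# Constructed sample: what `dig @<ns> <name> <type> +noall +answer` would
# print on each of the three authoritative nameservers of example.com.
ANSWERS = {
    "ns1.example.com": """
example.com.        3600 IN A    192.0.2.10
www.example.com.    300  IN A    192.0.2.10
example.com.        3600 IN MX   10 mail.example.com.
""",
    "ns2.example.com": """
example.com.        3600 IN A    192.0.2.10
www.example.com.    300  IN A    192.0.2.11
example.com.        3600 IN MX   10 mail.example.com.
""",
    "ns3.example.com": """
example.com.        3600 IN A    192.0.2.10
www.example.com.    300  IN A    192.0.2.10
""",
}


def parse_answers(text):
    """Turn dig's answer section into {(owner, type): set(rdata)}.
    The TTL column is dropped on purpose: it is not part of the record data."""
    rrsets = defaultdict(set)
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, _ttl, _cls, rtype = parts[:4]
        rdata = " ".join(parts[4:])
        rrsets[(owner.lower(), rtype)].add(rdata)
    return rrsets


def find_drift(answers):
    """Return {(owner, type): {ns: rdata_set}} for every RRset on which at
    least one nameserver disagrees with the others. A missing RRset counts
    as disagreement: a resolver may ask any of the servers."""
    parsed = {ns: parse_answers(text) for ns, text in answers.items()}
    all_keys = set().union(*(p.keys() for p in parsed.values()))
    drift = {}
    for key in sorted(all_keys):
        views = {ns: p.get(key, set()) for ns, p in parsed.items()}
        if len({frozenset(v) for v in views.values()}) > 1:
            drift[key] = views
    return drift


if __name__ == "__main__":
    for (owner, rtype), views in find_drift(ANSWERS).items():
        print(f"DRIFT {owner} {rtype}")
        for ns, rdata in views.items():
            print(f"  {ns}: {sorted(rdata) or '(missing)'}")
```

With the sample above, ns2 serves a different address for www and ns3 has no MX at all; the apex A record is in sync and is not reported.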

✅ 2. Validate SPF, DKIM, and DMARC Records

  • SPF: exactly one SPF TXT record per domain, syntactically valid, ending in an explicit all mechanism (-all or ~all) and within the limit of 10 DNS-lookup terms (include, a, mx, ptr, exists, redirect) from RFC 7208. A second record or an eleventh lookup yields permerror, which is as bad as publishing no SPF at all.

  • DKIM: every selector in use publishes a valid key (a non-empty p= tag) and keys are rotated periodically; an empty p= tag revokes the selector.

  • DMARC: a record exists at _dmarc.<domain>, even if it starts at p=none, and carries an rua= address so you actually receive aggregate reports.

💡 Misconfigured or missing records can silently block legitimate emails.
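The checks above in code, added here as an example rather than taken from DNS Spy: `check_spf` enforces the one-record rule, the 10-lookup limit and the presence of an all mechanism, `check_dmarc` validates the policy tag and the reporting address, and `check_dkim` catches revoked or malformed selector keys. All record strings are constructed for example.com, and the key material in the DKIM sample is a placeholder, not a real key.

```python
"""Syntax and policy checks for the SPF, DKIM and DMARC TXT records a
domain publishes. Added example (not DNS Spy code); every record below is
constructed for example.com, none is taken from a real domain."""

# RFC 7208 section 4.6.4: each of these terms costs a DNS lookup, and more
# than 10 in total makes receivers return permerror, which is no better
# than having no SPF record.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def parse_tags(text):
    """'k=v; k2=v2' -> {'k': 'v', 'k2': 'v2'} (DKIM and DMARC tag lists)."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(apex_txt_records):
    """apex_txt_records: every TXT record at the zone apex. Returns a list
    of findings; an empty list means these checks passed."""
    spf = [r for r in apex_txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records; RFC 7208 allows exactly one"]
    findings = []
    terms = [t.lower() for t in spf[0].split()[1:]]
    lookups = 0
    for term in terms:
        # strip the qualifier (+ - ~ ?), then any argument after ':' '=' or '/'
        name = term.lstrip("+-~?")
        for sep in (":", "=", "/"):
            name = name.split(sep, 1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-lookup terms, limit is {SPF_LOOKUP_LIMIT}")
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if any(t in ("all", "+all") for t in all_terms):      # bare 'all' means '+all'
        findings.append("'+all' authorises every host on the internet")
    elif not all_terms and not any(t.startswith("redirect=") for t in terms):
        findings.append("no 'all' mechanism or redirect=; unlisted senders get neutral")
    return findings


def check_dmarc(dmarc_txt_records):
    """dmarc_txt_records: every TXT record at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record at _dmarc"]
    if len(dmarc) > 1:
        return ["multiple DMARC records; RFC 7489 says receivers then apply none of them"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"p= must be none, quarantine or reject, got {policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; plan the move to quarantine/reject")
    if "rua" not in tags:
        findings.append("no rua= address; you will receive no aggregate reports")
    return findings


def check_dkim(dkim_record):
    """dkim_record: the TXT record at <selector>._domainkey.<domain> with its
    character-strings concatenated (long keys are split at 255 bytes)."""
    tags = parse_tags(dkim_record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional but must be DKIM1
        findings.append(f"v= must be DKIM1, got {tags['v']!r}")
    if not tags.get("p"):
        findings.append("empty p= tag: this selector is revoked, not valid")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append(f"unknown key type k={tags['k']}")
    return findings


# Constructed samples (the DKIM p= value is a placeholder, not a real key).
GOOD_SPF = ["v=spf1 include:_spf.mail-provider.example ip4:192.0.2.0/24 -all"]
BAD_SPF = ["v=spf1 " + " ".join(f"include:s{i}.example.net" for i in range(11)) + " +all"]
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]
GOOD_DKIM = "v=DKIM1; k=rsa; p=PLACEHOLDERKEYMATERIALNOTAREALKEY"

if __name__ == "__main__":
    print("SPF  ok :", check_spf(GOOD_SPF))
    print("SPF  bad:", check_spf(BAD_SPF))
    print("DMARC   :", check_dmarc(GOOD_DMARC), check_dmarc(["v=DMARC1; p=none"]))
    print("DKIM    :", check_dkim(GOOD_DKIM), check_dkim("v=DKIM1; k=rsa; p="))
```

Run it against the TXT records you pull from each client's zone; anything other than an empty list for a mail-sending domain is worth a ticket before the client notices bounced mail.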

✅ 3. Monitor All Changes to DNS Records

  • Are you alerted when any record changes?

  • Is there an audit trail or history of DNS changes?

  • Can you see what the previous value was?

💡 If your team didn't make the change, you need to know who did.
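What a change alert has to contain, as an added example (not DNS Spy's implementation): diff two snapshots of a client's zone, classify each difference as added, removed or changed, keep the previous value alongside the current one, and raise the severity for record types that redirect mail, delegate the zone or weaken email policy. Both snapshots are constructed for example.com; the high-impact type list is an assumption to tune to your clients.

```python
"""Diff two snapshots of a zone and turn every difference into an alert
that carries the previous value, which is what you need to decide whether
a change was yours. Added example (not DNS Spy code); both snapshots are
constructed for example.com."""

# Snapshot: {(owner, type): tuple of rdata strings, sorted}. Constructed.
YESTERDAY = {
    ("example.com.", "A"): ("192.0.2.10",),
    ("example.com.", "MX"): ("10 mail.example.com.",),
    ("www.example.com.", "CNAME"): ("example.com.",),
    ("_dmarc.example.com.", "TXT"): ('"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"',),
}
TODAY = {
    ("example.com.", "A"): ("192.0.2.10",),
    ("example.com.", "MX"): ("10 mail.example.com.", "20 mx.unknown-provider.example."),
    ("www.example.com.", "CNAME"): ("example.com.",),
    ("shop.example.com.", "CNAME"): ("shop.hosting-provider.example.",),
}

# Record types whose change can redirect mail, re-delegate the zone or
# weaken email/TLS policy: page someone rather than just log it (assumption).
HIGH_IMPACT_TYPES = {"NS", "MX", "TXT", "DS", "CAA", "SOA"}


def diff_snapshots(old, new):
    """Return a list of change dicts; 'previous' is None for additions and
    'current' is None for deletions, so the old value is never lost."""
    changes = []
    for owner, rtype in sorted(set(old) | set(new)):
        before = old.get((owner, rtype))
        after = new.get((owner, rtype))
        if before == after:
            continue
        kind = "added" if before is None else "removed" if after is None else "changed"
        changes.append({"owner": owner, "type": rtype, "kind": kind,
                        "previous": before, "current": after})
    return changes


def severity(change):
    """Deletions and high-impact types are 'high'; everything else 'medium'."""
    if change["type"] in HIGH_IMPACT_TYPES or change["kind"] == "removed":
        return "high"
    return "medium"


def format_alert(change):
    """One line per change, always showing the previous value."""
    return (f"[{severity(change).upper()}] {change['kind']:7} "
            f"{change['owner']} {change['type']}: "
            f"{list(change['previous'] or ())} -> {list(change['current'] or ())}")


if __name__ == "__main__":
    for change in diff_snapshots(YESTERDAY, TODAY):
        print(format_alert(change))
```

On the sample data this yields three alerts: the DMARC record vanished, a second MX host appeared, and a new shop subdomain was delegated by CNAME. Two of those are exactly the kind of change nobody on your team remembers making.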

✅ 4. Eliminate Orphaned or Legacy Records

  • Remove A/AAAA/CNAME records pointing to retired infrastructure.

  • Identify dangling subdomains (CNAMEs whose target no longer exists, typically a deprovisioned cloud or SaaS host) that someone else could claim.

  • Clean up forgotten TXT or MX records from old providers.

💡 These create unnecessary attack surface and confusion.
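One way to sweep a zone for those leftovers, added here as an example and not DNS Spy's code: flag A/AAAA records that point at addresses your asset inventory lists as decommissioned, CNAME and MX targets that no longer resolve, and vendor verification TXT records for providers the client no longer uses. The zone, the inventories and the resolver answers are all constructed; `stub_resolve` stands in for a real lookup so the example runs offline, and in production you would replace it with an actual resolver call.

```python
"""Find orphaned records: A/AAAA records pointing at retired addresses,
CNAME and MX targets that no longer resolve, and verification TXT records
for vendors the client no longer uses. A CNAME whose target is NXDOMAIN on
a hosting platform that hands out names on request is a subdomain-takeover
candidate. Added example (not DNS Spy code); the zone, the inventories and
the resolver answers are all constructed."""
import re

# Constructed zone as (owner, type, rdata) records.
ZONE = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("old-vpn.example.com.", "A", "198.51.100.7"),
    ("blog.example.com.", "CNAME", "example-blog.hosting-provider.example."),
    ("docs.example.com.", "CNAME", "docs-example.cdn-provider.example."),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", '"oldvendor-verification=abc123"'),
    ("example.com.", "TXT", '"mailvendor-site-verification=def456"'),
]
RETIRED_IPS = {"198.51.100.7"}     # decommissioned hosts, from the asset inventory
CURRENT_VENDORS = {"mailvendor"}   # vendors still under contract

# Constructed resolver answers: True = resolves, False = NXDOMAIN.
RESOLVES = {
    "example-blog.hosting-provider.example.": False,
    "docs-example.cdn-provider.example.": True,
    "mail.example.com.": True,
}


def stub_resolve(name):
    """Stand-in for a real lookup; swap in your resolver in production."""
    return RESOLVES.get(name.lower(), False)


# "<vendor>-verification=" or "<vendor>-site-verification=" TXT tokens.
VERIFICATION_RE = re.compile(r'^"?([a-z0-9-]+?)-(?:site-)?verification=', re.I)


def find_orphans(zone, retired_ips, current_vendors, resolve):
    """Return [(owner, type, rdata, reason)] for every record to review."""
    findings = []
    for owner, rtype, rdata in zone:
        if rtype in ("A", "AAAA") and rdata in retired_ips:
            findings.append((owner, rtype, rdata, "points at a retired address"))
        elif rtype == "CNAME" and not resolve(rdata):
            findings.append((owner, rtype, rdata,
                             "CNAME target does not resolve: takeover candidate"))
        elif rtype == "MX" and not resolve(rdata.split()[-1]):
            findings.append((owner, rtype, rdata, "MX host does not resolve"))
        elif rtype == "TXT":
            m = VERIFICATION_RE.match(rdata)
            if m and m.group(1).lower() not in current_vendors:
                findings.append((owner, rtype, rdata,
                                 f"verification token for '{m.group(1)}', not a current vendor"))
    return findings


if __name__ == "__main__":
    for owner, rtype, rdata, reason in find_orphans(ZONE, RETIRED_IPS, CURRENT_VENDORS, stub_resolve):
        print(f"{owner} {rtype} {rdata}: {reason}")
```

The resolver is passed in as a function on purpose: the same logic runs in a unit test with canned answers and in a nightly job with live lookups, and a NXDOMAIN result is the one signal that separates a dead CNAME from a merely stale one.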

✅ 5. Check TTL Values

  • Are TTLs too short (every client re-queries, pushing the full load back onto the authoritative servers) or too long (delaying updates and rollbacks)?

  • Are critical records set to a reasonable default (e.g., 3600 seconds)?

  • Are TTLs consistent across related records, for example the A and AAAA records of the same name, and identical within each RRset (RFC 2181 requires this)?

💡 Improper TTLs can delay changes and make rollbacks harder. Before a planned migration, lower the TTL at least one old-TTL period in advance: caches that fetched the record just before you lowered it keep it for the full old TTL.
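The TTL checks from this section as an added example (not DNS Spy's code): it flags values below and above a threshold, RRsets whose records carry different TTLs, and A/AAAA pairs at the same name that would change at different times for v4 and v6 clients. The 300 s and 86400 s thresholds are assumptions to tune per client, and the zone is constructed.

```python
"""Sanity-check the TTLs of a zone: values that are too short or too long,
records in one RRset that disagree, and A/AAAA pairs that would change at
different times. Added example (not DNS Spy code); the thresholds are
assumptions to tune per client and the zone is constructed."""
from collections import defaultdict

MIN_TTL = 300      # below this every query goes back to the authoritative servers
MAX_TTL = 86400    # above this a change or rollback takes more than a day to land

# Constructed zone as (owner, type, ttl) records.
ZONE = [
    ("example.com.", "A", 3600),
    ("example.com.", "AAAA", 60),       # out of step with the A record
    ("www.example.com.", "A", 30),      # hammers the nameservers for no benefit
    ("example.com.", "MX", 604800),     # a week: a mail migration would drag on
    ("example.com.", "MX", 3600),       # and the second MX disagrees with the first
    ("example.com.", "NS", 86400),
]


def check_ttls(zone, low=MIN_TTL, high=MAX_TTL):
    """Return a list of {'owner', 'type', 'check', 'detail'} findings."""
    findings = []
    by_rrset = defaultdict(set)
    for owner, rtype, ttl in zone:
        by_rrset[(owner, rtype)].add(ttl)

    for (owner, rtype), ttls in by_rrset.items():
        if len(ttls) > 1:
            # RFC 2181 section 5.2: all records of an RRset share one TTL;
            # resolvers that see otherwise fall back to the lowest value.
            findings.append({"owner": owner, "type": rtype, "check": "mixed",
                             "detail": f"TTLs {sorted(ttls)} inside one RRset"})
        for ttl in sorted(ttls):
            if ttl < low:
                findings.append({"owner": owner, "type": rtype, "check": "short",
                                 "detail": f"{ttl}s is below {low}s"})
            elif ttl > high:
                findings.append({"owner": owner, "type": rtype, "check": "long",
                                 "detail": f"{ttl}s: a rollback takes up to {ttl // 3600}h to propagate"})

    # A and AAAA at the same owner normally move together (dual-stack hosts);
    # different TTLs mean v4 and v6 clients see a change at different times.
    dual = defaultdict(dict)
    for (owner, rtype), ttls in by_rrset.items():
        if rtype in ("A", "AAAA"):
            dual[owner][rtype] = min(ttls)
    for owner, pair in dual.items():
        if len(pair) == 2 and pair["A"] != pair["AAAA"]:
            findings.append({"owner": owner, "type": "A/AAAA", "check": "dual-stack",
                             "detail": f"A={pair['A']}s AAAA={pair['AAAA']}s"})
    return findings


if __name__ == "__main__":
    for f in check_ttls(ZONE):
        print(f"{f['check']:10} {f['owner']} {f['type']}: {f['detail']}")
```

The mixed-TTL case is the one people miss: most zone editors let you set a different TTL on each MX line, and the result is an RRset that resolvers are entitled to treat as malformed.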

✅ 6. Ensure No Overly Permissive Wildcards

  • Does a random, never-created label such as nonexistent-abc123.clientdomain.com resolve? If it does, a wildcard is answering for it.

  • Are wildcards needed—or were they left over from staging?

  • Are any subdomains unintentionally exposed?

💡 Wildcards can expose internal services or legacy systems.
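Which names a leftover wildcard actually answers for is less obvious than it looks, so here is the RFC 4592 matching rule worked through in code as an added example (not DNS Spy's code). The live test remains a query for a random label against the authoritative nameserver; this shows offline why a wildcard at `*.example.com` answers for `deep.label.example.com` but not for `a.www.example.com` once `www.example.com` exists. The zone is constructed.

```python
"""Work out which names a wildcard record answers for, using the RFC 4592
matching rules, so you can see the exposure a leftover wildcard creates.
Added example (not DNS Spy code); the zone is constructed."""

# Constructed zone: owner name -> {type: rdata}
ZONE = {
    "example.com.": {"A": "192.0.2.10", "MX": "10 mail.example.com."},
    "www.example.com.": {"A": "192.0.2.10"},
    "mail.example.com.": {"A": "192.0.2.20"},
    "*.example.com.": {"A": "192.0.2.50"},   # left over from a staging setup
}


def lookup(zone, qname, qtype):
    """Return (source, rdata). source is the owner name that produced the
    answer (a '*.' name means it was synthesised from a wildcard);
    (None, None) is NXDOMAIN and (source, None) is NODATA."""
    qname = qname.lower()
    if qname in zone:                       # an explicit name always wins
        return qname, zone[qname].get(qtype)
    labels = qname.split(".")
    # Walk up to the closest encloser: the longest ancestor that exists.
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in zone:
            wildcard = "*." + ancestor
            if wildcard in zone:            # RFC 4592: the source of synthesis
                return wildcard, zone[wildcard].get(qtype)
            return None, None               # encloser exists, no wildcard under it
    return None, None


def wildcard_exposure(zone, probes, qtype="A"):
    """Return the (name, rdata) pairs among probes that get a
    wildcard-synthesised answer, i.e. names that resolve without anyone
    having created them."""
    exposed = []
    for name in probes:
        source, rdata = lookup(zone, name, qtype)
        if source and source.startswith("*.") and rdata is not None:
            exposed.append((name, rdata))
    return exposed


if __name__ == "__main__":
    # Names a scanner or a careless link could pick out of thin air.
    probes = ["nonexistent-abc123.example.com.", "internal-wiki.example.com.",
              "a.www.example.com.", "deep.label.example.com."]
    for name, rdata in wildcard_exposure(ZONE, probes):
        print(f"{name} -> {rdata} (wildcard)")
```

Note the asymmetry: creating an explicit `www.example.com` shields everything beneath it from the wildcard, but every other label under the apex, at any depth, still resolves to the staging address.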

✅ 7. Document Registrar & Zone Access

  • Who has access to update DNS?

  • Is 2FA enabled on registrar and DNS provider accounts, and is the registrar transfer lock turned on?

  • Is DNS part of your standard onboarding/offboarding checklist?

💡 Control over DNS access is as important as monitoring it.

✅ 8. Automate Reporting & Audits

  • Can you provide regular DNS health reports to clients?

  • Is DNS included in quarterly business reviews (QBRs)?

  • Do you review DNS misconfigurations as part of a security audit?

💡 Visibility builds trust and shows clients you’re proactive.

🧰 Bonus: Tools to Help MSPs Stay Ahead

Doing all of this manually doesn’t scale. That’s why DNS Spy was built:

  • Change monitoring across all client domains

  • Alerts for drift, deletions, and misconfigurations

  • RFC compliance checks and report generation

  • Grows with you—start with 100 domains and scale as needed

👉 Get started with DNS Spy for MSPs →

Final Thoughts

DNS is foundational, but often forgotten. As an MSP, you have the opportunity to not just fix DNS problems—but prevent them.

Use this checklist as part of your onboarding process, quarterly review, or security audit. Better yet—automate it.

🛡️ Your clients will thank you before they even know there was a problem.

DNS Spy is a DNS monitoring & alerting service. We alert on changed DNS records, invalid configurations, RFC violations, out-of-sync nameservers and plenty more DNS related errors. Interesting? Have a look at our feature set & signup to try us!