Most domains have between six and ten security misconfigurations that their owners do not know about.

Not because the owners are careless. Because DNS is a layered system built over four decades, where each layer adds its own records, requirements, and failure modes — and where a misconfiguration in one layer often has no visible symptom until an attacker finds it first.

An open DNS resolver. A dangling CNAME pointing to a deleted Heroku app. An SMTP server that answers user enumeration queries. A DNSSEC chain with an expired signature. None of these appear in uptime monitors. None of them trigger alerts. All of them are exploitable.
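The expired-signature case above is a good illustration of why these failures are invisible to uptime monitoring: the zone still answers, the records still resolve for non-validating resolvers, and only a DNSSEC validator notices that the RRSIG window has closed. The following added example (not code from the post, and not a substitute for any of its 30 checks) parses RRSIG records in the presentation format that `dig +dnssec` prints (RFC 4034 section 3.2) and classifies each signature as valid, expiring soon, expired, or not yet valid. The two records in `SAMPLE_RRSIGS` are constructed for the example; the owner name, dates, key tag and signature bytes are made up, and the `warn_days` threshold is an assumption, not a standard value.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG records in dig / zone-file presentation format
# (RFC 4034 section 3.2). Made up for this example; the dates, key tag and
# signature are not from any real zone. Fields after "RRSIG":
#   type-covered alg labels orig-ttl expiration inception key-tag signer signature...
SAMPLE_RRSIGS = [
    "example.com. 3600 IN RRSIG A 13 2 3600 20240101000000 20231201000000 12345 example.com. bWFkZXVw c2ln",
    "example.com. 3600 IN RRSIG SOA 13 2 3600 20231220000000 20231120000000 12345 example.com. bWFkZXVw",
]


def parse_time(value):
    """RFC 4034 allows YYYYMMDDHHmmSS (always UTC) or plain seconds since the epoch."""
    if isinstance(value, datetime):
        return value
    if len(value) == 14 and value.isdigit():
        return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG line into its named fields; dig may wrap the base64 signature."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format: %r" % line)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "expiration": parse_time(f[8]),
        "inception": parse_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
        "signature": "".join(f[12:]),  # rejoin base64 tokens that dig wrapped
    }


def rrsig_status(line, now=None, warn_days=3):
    """Classify a signature's validity window against `now` (UTC, as RFC 4035 requires).

    A validator accepts the signature only when inception <= now <= expiration;
    `warn_days` (assumed here, not from any RFC) flags signatures about to lapse.
    """
    sig = parse_rrsig(line)
    now = parse_time(now) if now is not None else datetime.now(timezone.utc)
    if now < sig["inception"]:
        return "not_yet_valid"
    if now > sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= timedelta(days=warn_days):
        return "expiring_soon"
    return "valid"


def audit_rrsigs(lines, now=None, warn_days=3):
    """Map each covered RR type to its signature status, for a whole set of RRSIGs."""
    return {parse_rrsig(l)["type_covered"]: rrsig_status(l, now, warn_days) for l in lines}


if __name__ == "__main__":
    for covered, status in audit_rrsigs(SAMPLE_RRSIGS).items():
        print("RRSIG over %-4s %s" % (covered, status))
```

Two points worth noting in a real audit: comparisons must use UTC, because RRSIG times carry no zone and a host clock set to local time will misjudge the window; and "expiring soon" is the state to alert on, since by the time the signature has actually expired every validating resolver is already returning SERVFAIL for the zone.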

A structured security audit checks every layer systematically. This post walks through all 30 checks — what each one tests, what a failure means in practice, and why the check exists.

How the Audit Is Organized