Go to All Forums

DNS monitors should detect a record's non-configured additional answers

Currently, DNS monitors have no problem detecting changes to records that contain multiple answers (ex. NS or TXT records) as long as each of the existing answers has been configured within the monitor. However, the monitor will not detect when the DNS response contains MORE answers than are configured within the monitor. This is a critical use case that would be extremely helpful to detect.

Example scenario:

Many third-party services use TXT records for domain validation. Assuming that a domain already has an SPF string within an existing TXT record, the new domain validation string must be added as an additional answer in that same record. Currently, a monitor that is configured to check for the SPF string will completely miss any additional answers that someone has added to the TXT record.

In another scenario, one can easily imagine the security risk of an attacker inserting an additional (malicious) name server into the NS record of a domain.

Like (1) Reply
Replies (0)