Zone Hygiene
developer/v1/dns/zone-hygiene
Audits DNS zone health by checking two often-overlooked hygiene concerns: (1) SOA serial consistency across authoritative nameservers (drift indicates replication failure) and (2) exposure of sensitive internal subdomains commonly assumed to be private (vpn., admin., staging., jenkins., kibana., etc.).
What It Does
Enumerates authoritative nameservers via NS record query. For each NS, resolves the SOA record via multiple DoH providers and compares serial numbers — reports drift when serials differ. Then probes a curated list of 20+ commonly-exposed sensitive subdomain names (vpn, admin, staging, dev, internal, jenkins, gitlab, kibana, grafana, prometheus, jira, confluence, etc.) — any that resolve to public IPs are flagged. Returns per-NS SOA data, list of exposed subdomains with their IPs, and an overall hygiene grade.
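The two checks described above, written out as an added example (not EdgeDNS's own code): serials from each authoritative NS are compared with RFC 1982 serial arithmetic so a wrapped counter is still ordered correctly, and the sensitive-label probe is skipped when a random label resolves (the wildcard case the `wildcard_detected` field reports). The `lookup(name, rtype, server)` callable, the `SENSITIVE` labels and the `NON_PUBLIC` ranges are assumptions; real DNS is replaced by a constructed fake zone so it runs offline.

```python
import ipaddress
import secrets
# Hypothetical subset of the labels the endpoint probes (the real list is longer).
SENSITIVE = ["vpn", "admin", "staging", "dev", "internal", "jenkins", "kibana", "grafana"]
# Treated as non-public (RFC 1918, CGNAT, loopback, link-local); IANA documentation prefixes are left out so the sample below counts as exposed.
NON_PUBLIC = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True when a is ahead of b, wraparound included."""
    return a != b and ((a > b and a - b < 2**31) or (a < b and b - a > 2**31))

def soa_serials(domain, lookup):
    """Ask each authoritative NS directly for the SOA serial; None means no answer."""
    out = {}
    for ns in lookup(domain, "NS", None):      # lookup(name, rtype, server) -> rdata list
        soa = lookup(domain, "SOA", ns)        # "mname rname serial refresh retry expire min"
        out[ns] = int(soa[0].split()[2]) if soa else None
    return out

def lagging_servers(serials):
    """Servers behind the newest serial seen; an empty list means no drift."""
    newest = None
    for s in (v for v in serials.values() if v is not None):
        newest = s if newest is None or serial_newer(s, newest) else newest
    return sorted(ns for ns, s in serials.items() if s is not None and s != newest)

def exposed_subdomains(domain, lookup):
    """Sensitive label -> public IPs; None when a wildcard makes every label resolve."""
    if lookup(f"{secrets.token_hex(8)}.{domain}", "A", None):   # random label must not resolve
        return None
    found = {}
    for label in SENSITIVE:
        ips = [ip for ip in lookup(f"{label}.{domain}", "A", None)
               if not any(ipaddress.ip_address(ip) in n for n in NON_PUBLIC)]
        if ips:
            found[label] = ips
    return found
# Constructed fake zone standing in for real DNS: ns2 is behind on serial, vpn leaks a public address, jenkins resolves only into RFC 1918 space, wild.example is a wildcard zone.
SOA = "ns1.example.com. hostmaster.example.com. {} 7200 900 1209600 300"
FAKE = {("example.com", "NS", None): ["ns1.example.com.", "ns2.example.com."],
        ("example.com", "SOA", "ns1.example.com."): [SOA.format(2024061502)],
        ("example.com", "SOA", "ns2.example.com."): [SOA.format(2024061499)],
        ("vpn.example.com", "A", None): ["203.0.113.10"],
        ("jenkins.example.com", "A", None): ["10.0.5.20"]}

def fake_lookup(name, rtype, server):
    if rtype == "A" and name.endswith(".wild.example"):
        return ["203.0.113.99"]
    return FAKE.get((name, rtype, server), [])
```

Swap `fake_lookup` for a function that queries each nameserver over DoH (as the endpoint does) and the same comparison and probe logic applies unchanged.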
Why It's Useful
SOA serial drift across authoritative NSes is a silent failure mode — no query fails, but some resolvers see stale data. Sensitive subdomain exposure is a common oversight — teams assume subdomains not in public docs are private, but attackers enumerate them routinely. This check catches both issues in a single audit.
Use Cases
DNS Replication Health
Periodic check that all authoritative NSes are serving the same zone version — catches replication lag or failed transfers before customers notice stale records.
Detect zone replication issues before they cause inconsistent resolution.
Attack Surface Discovery
Identify sensitive internal services (VPN gateways, admin panels, CI dashboards) that resolve in public DNS and need IP allow-listing or split-horizon DNS.
Reduce attack surface by identifying exposed infrastructure before attackers do.
M&A DNS Due Diligence
Assess DNS hygiene of acquired domains during M&A — replication health plus sensitive subdomain inventory informs consolidation planning.
Factor DNS cleanup into integration timelines and risk assessment.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The zone apex to audit (e.g., example.com) |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The audited zone |
| nameservers | array | Authoritative nameservers |
| soa_consistency | object | Per-resolver SOA serial values and drift verdict |
| soa_drift_detected | boolean | Whether SOA serial drift was observed |
| exposed_subdomains | array | Sensitive subdomain names that resolve publicly |
| exposed_count | number | Count of exposed sensitive subdomains |
| wildcard_detected | boolean | True when the apex has a wildcard DNS record — sensitive-subdomain enumeration is skipped to avoid false positives |
| hygiene_grade | string | Overall hygiene grade: A, B, C, D, F |
| findings | array | Human-readable findings with severity |
| recommendations | array | Remediation steps |
| limitations | array | Caveats about the analysis (e.g., wildcard DNS skip) |
Code Examples
cURL

```bash
# -G sends the -d data as a query string, so this is a GET like the
# JavaScript and Python examples below (plain -d would POST a form body).
curl -G "https://api.edgedns.dev/v1/dns/zone-hygiene" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

JavaScript

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/dns/zone-hygiene?domain=example.com',
  { headers: { 'Authorization': 'Bearer YOUR_API_KEY' } }
);
// Fail early on auth or quota errors rather than parsing an error body as a result
if (!response.ok) throw new Error(`HTTP ${response.status}`);
const data = await response.json();
console.log(data);
```

Python

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/dns/zone-hygiene',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={'domain': 'example.com'},
)
response.raise_for_status()  # surface auth or quota errors instead of parsing an error body
data = response.json()
print(data)
```