Zone Hygiene: a beginner's guide
Check SOA consistency and sensitive subdomain exposure
Zone hygiene: finding the DNS drift before it finds you
Zone hygiene is the umbrella term for how clean, consistent, and current a domain's DNS configuration actually is. Every production domain accumulates cruft over time: old SPF `include:` entries for SaaS tools nobody uses anymore, CNAMEs pointing at decommissioned staging servers, MX records that haven't been touched since the email migration three years ago, SOA serial numbers drifting out of sync between primary and secondary nameservers. None of this breaks anything on day one. All of it is how outages, security incidents, and email-deliverability drops begin on day four hundred.
You should care because DNS drift is the silent precondition to almost every "it was working yesterday" outage. Primary and secondary nameservers that disagree on what the current zone looks like produce intermittent failures that nobody can reproduce, because each resolver's answer depends on which server it happened to ask. Orphan CNAMEs pointing at services that were cancelled years ago become subdomain takeover opportunities. Stale SPF includes quietly eat into the 10-lookup limit (RFC 7208, section 4.6.4) until the record evaluates to PermError, at which point SPF can no longer contribute a pass to DMARC. Zone hygiene is the maintenance work nobody schedules, and the reason most DNS incidents are self-inflicted rather than malicious.
The five things every zone-hygiene check looks at:
SOA serial consistency across nameservers. Every authoritative nameserver for a zone should report the same serial number. A mismatch means the primary has published changes that a secondary has not yet pulled (or a zone transfer failed outright), so resolvers get different answers depending on which server they hit.
Orphan subdomains and dangling CNAMEs. Subdomains that resolve to IPs that no longer respond, or CNAMEs pointing at deprovisioned SaaS accounts, are both incidents in waiting; the dangling CNAME is also the classic subdomain-takeover precondition, since whoever can claim the abandoned SaaS name now answers for yours.
Internal-name leakage. Public DNS records whose names look like they should have been private (`internal-jenkins`, `dev-db`, `corp-vpn-old`) are reconnaissance gifts.
SPF include-chain size. Every `include:` (and every `a`, `mx`, `ptr` and `exists` mechanism and `redirect=` modifier) costs one of the 10 DNS lookups RFC 7208 allows. A record that has accumulated five defunct ESPs over the years is one added sender away from a PermError.
TTL coherence. Wildly different TTLs on closely related records (one A record at 30 seconds while the adjacent CNAME is at 86,400) are usually a sign that someone made a targeted change without cleaning up the rest.
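The SPF lookup budget is easy to check mechanically. The following is an added example written for this guide, not EdgeDNS code: it walks a zone's `include:` and `redirect=` chain and counts every DNS-querying term against the RFC 7208 limit, and reports an `include:` of a domain that publishes no SPF record, which is itself a PermError. The records are constructed (the hostnames under `.example` and `example.com` are illustrative, not real zones), and `table_lookup` stands in for a live TXT query.

```python
"""Count the DNS lookups an SPF record triggers (RFC 7208, section 4.6.4).

Added example for this guide, not EdgeDNS code. Records come from a
constructed in-memory table instead of live DNS so it runs offline; to
audit a real zone, replace `table_lookup` with a TXT query.
"""

# Constructed sample records (illustrative hostnames, not real zones).
# example.com has kept four include: entries over the years; two of them
# point at mail providers nobody uses any more.
SAMPLE_TXT = {
    "example.com": (
        "v=spf1 include:_spf.example-mail.net include:old-esp.example "
        "include:defunct-crm.example include:legacy-survey.example a mx ~all"
    ),
    "_spf.example-mail.net": (
        "v=spf1 include:_netblocks.example-mail.net "
        "include:_netblocks2.example-mail.net ~all"
    ),
    "_netblocks.example-mail.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.example-mail.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "old-esp.example": "v=spf1 ip4:203.0.113.0/24 a:mail.old-esp.example ~all",
    "legacy-survey.example": "v=spf1 include:_spf1.legacy-survey.example mx ~all",
    "_spf1.legacy-survey.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    # defunct-crm.example publishes no SPF record: include: of it is a permerror.
}

# Mechanisms (and the redirect modifier) that each consume one of the ten
# permitted DNS-querying terms. ip4:, ip6: and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10


def table_lookup(name):
    """Stand-in for a TXT query; returns the SPF record or None."""
    return SAMPLE_TXT.get(name.lower())


def _parse_term(term):
    """Split an SPF term into (name, value), dropping qualifier and CIDR."""
    body = term.lstrip("+-~?").split("/")[0]
    for sep in (":", "="):
        if sep in body:
            name, value = body.split(sep, 1)
            return name.lower(), value
    return body.lower(), None


def count_lookups(domain, lookup, depth=0):
    """Return (lookups, problems) for domain's SPF record, following
    include: and redirect= targets recursively."""
    record = lookup(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record, so include:{domain} yields permerror"]
    if depth > LOOKUP_LIMIT:
        return 0, [f"{domain}: include: chain nested deeper than {LOOKUP_LIMIT}"]
    lookups, problems = 0, []
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        name, value = _parse_term(term)
        if name not in LOOKUP_TERMS:
            continue
        lookups += 1
        if name in ("include", "redirect") and value:
            sub_lookups, sub_problems = count_lookups(value, lookup, depth + 1)
            lookups += sub_lookups
            problems.extend(sub_problems)
    return lookups, problems


def audit_spf(domain, lookup=table_lookup):
    """Summarise the SPF lookup budget for a zone apex."""
    lookups, problems = count_lookups(domain, lookup)
    if lookups > LOOKUP_LIMIT:
        problems.append(
            f"{domain}: {lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}; "
            "receivers return permerror and SPF cannot pass"
        )
    return {"domain": domain, "lookups": lookups,
            "over_limit": lookups > LOOKUP_LIMIT, "problems": problems}


if __name__ == "__main__":
    for name in ("example.com", "_spf.example-mail.net"):
        result = audit_spf(name)
        print(f"{name}: {result['lookups']} lookups, over_limit={result['over_limit']}")
        for problem in result["problems"]:
            print("  -", problem)
```

On the constructed data `example.com` comes to 11 lookups, one over the limit, and the `defunct-crm.example` include is flagged separately; removing the two defunct providers would bring the record back to 5 and restore headroom for the next sender.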
Three questions a zone-hygiene check answers:
Are all my nameservers in sync, or am I about to debug intermittent failures with nobody able to reproduce them?
Which of my DNS records are pointing at things that no longer exist — and which of those are security risks?
Has my SPF record quietly grown to the point where it will break the next time I add a sender?
The cost of ignoring zone hygiene is the slow accumulation of cruft that eventually becomes an incident nobody can trace back to its origin. The fix is a quarterly (or continuous, via API) audit that flags drift and stale entries while the fix is still a one-line DNS edit rather than a post-incident review. The IETF's DNS Operations working group publishes best-current-practice documents that codify the hygiene checks every modern zone deserves.
The Zone Hygiene endpoint, in plain language
In one sentence: Check SOA consistency and sensitive subdomain exposure
Audits DNS (Domain Name System) zone health by checking two often-overlooked hygiene concerns: (1) SOA serial consistency across authoritative nameservers (drift indicates replication failure) and (2) exposure of sensitive internal subdomains commonly assumed to be private (vpn., admin., staging., jenkins., kibana., etc.).
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Enumerates authoritative nameservers via NS record (Name Server record) query. For each NS, resolves the SOA record (Start of Authority record) via multiple DoH (DNS over HTTPS) providers and compares serial numbers — reports drift when serials differ. Then probes a curated list of 20+ commonly-exposed sensitive subdomain names (vpn, admin, staging, dev, internal, jenkins, gitlab, kibana, grafana, prometheus, jira, confluence, etc.) — any that resolve to public IPs are flagged. Returns per-NS SOA data, list of exposed subdomains with their IPs, and an overall hygiene grade.
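Here is how the SOA half of that audit can be reasoned about, as an added example for this guide rather than EdgeDNS code or the endpoint's own implementation. Given the serials each authoritative nameserver reports (constructed values below, with `ns4.example.com` standing in for a server that did not answer), it picks the newest serial using RFC 1982 serial-number arithmetic, so a counter that has wrapped past 2^32 is not misread as ancient, and lists which servers lag it and by how much.

```python
"""Detect SOA serial drift between authoritative nameservers.

Added example for this guide, not EdgeDNS code or the endpoint's own
implementation. The serials below are constructed; a real audit would
query each authoritative nameserver directly for the zone's SOA record
and feed the answers to soa_drift().
"""
from datetime import datetime

SERIAL_BITS = 32
HALF_RANGE = 1 << (SERIAL_BITS - 1)
MODULUS = 1 << SERIAL_BITS

# Constructed observation: ns3 has not pulled the latest zone, ns4 timed out.
SAMPLE_SERIALS = {
    "ns1.example.com": 2024061502,
    "ns2.example.com": 2024061502,
    "ns3.example.com": 2024061501,
    "ns4.example.com": None,
}


def serial_lt(a, b):
    """RFC 1982 'a is less than b' for 32-bit serials; survives wrap-around.

    A plain a < b would call a serial of 0 older than 4294967295, when it is
    in fact the very next value after the counter wrapped. (Values exactly
    2^31 apart are unordered under RFC 1982; this returns False for them.)
    """
    return (a < b and b - a < HALF_RANGE) or (a > b and a - b > HALF_RANGE)


def serial_distance(older, newer):
    """Increments from older to newer, modulo 2^32."""
    return (newer - older) % MODULUS


def describe_serial(serial):
    """Render a YYYYMMDDnn-style serial as a date when it plausibly is one."""
    text = str(serial)
    if len(text) == 10:
        try:
            day = datetime.strptime(text[:8], "%Y%m%d").date()
            return f"{day.isoformat()} revision {text[8:]}"
        except ValueError:
            pass
    return f"opaque counter {serial}"


def soa_drift(serials):
    """Compare SOA serials gathered from each authoritative nameserver.

    `serials` maps nameserver -> serial, or None where the query failed.
    Returns the newest serial (by RFC 1982 ordering), which servers lag it
    and by how many increments, and which servers did not answer.
    """
    answered = {ns: s for ns, s in serials.items() if s is not None}
    unreachable = sorted(ns for ns, s in serials.items() if s is None)
    if not answered:
        return {"drift_detected": False, "newest_serial": None,
                "stale": {}, "unreachable": unreachable}
    newest = next(iter(answered.values()))
    for serial in answered.values():
        if serial_lt(newest, serial):
            newest = serial
    stale = {ns: serial_distance(serial, newest)
             for ns, serial in sorted(answered.items()) if serial != newest}
    return {"drift_detected": bool(stale), "newest_serial": newest,
            "stale": stale, "unreachable": unreachable}


if __name__ == "__main__":
    report = soa_drift(SAMPLE_SERIALS)
    print("newest serial:", describe_serial(report["newest_serial"]))
    for ns, lag in report["stale"].items():
        print(f"{ns} is {lag} increment(s) behind")
    for ns in report["unreachable"]:
        print(f"{ns} did not answer; treat as a finding, not as in sync")
```

To gather real input, ask each authoritative server directly (`dig @ns1.example.com example.com SOA`, and so on for every NS) rather than a recursive resolver. If serials are instead observed through recursive resolvers, a cached SOA can lag the authoritative one for up to its TTL, so confirm a mismatch against the authoritatives before treating it as replication failure. A server that does not answer is reported separately: it is not in sync, and it is not safe to assume it is.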
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Zone Hygiene tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
SOA serial drift across authoritative NSes is a silent failure mode — no query fails, but some resolvers see stale data. Sensitive subdomain exposure is a common oversight — teams assume subdomains not in public docs are private, but attackers enumerate them routinely. This check catches both issues in a single audit.
Picture this in real life. A DNS administrator wants a periodic check that all authoritative nameservers are serving the same zone version, so that replication lag or a failed zone transfer is caught before customers notice stale records. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Zone Hygiene tool, the same person gets a clear answer in seconds: no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Zone Hygiene tool is built for you:
Are all of my authoritative nameservers serving the same version of my zone right now?
Did the DNS change I just made actually reach every one of my nameservers?
Are any of my internal-looking hostnames (vpn, admin, jenkins, staging) resolvable from the public internet?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Founders running their own infrastructure, marketers coordinating launches, IT admins inheriting domains from a former employee, and ops engineers troubleshooting live outages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and the two failure modes this tool looks for stay invisible until they bite: nameservers quietly serving different versions of your zone, and internal-looking hostnames sitting in public DNS for anyone to enumerate. That's why running this check, even once a month, is one of the cheapest forms of insurance you can give your domain.
Available on the developer plan. The technical details: `GET /v1/dns/zone-hygiene`.
When would I actually use this?
If you're still on the fence about whether the Zone Hygiene tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a DNS administrator, a security engineer, and an IT integration lead — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: DNS Replication Health
Imagine you're a DNS administrator. You want a periodic check that all authoritative nameservers are serving the same zone version, so that replication lag or a failed zone transfer is caught before customers notice stale records.
Why it matters: Detect zone replication issues before they cause inconsistent resolution.
Story 2: Attack Surface Discovery
Imagine you're a security engineer. You need to identify sensitive internal services (VPN (Virtual Private Network) gateways, admin panels, CI dashboards) that resolve in public DNS (Domain Name System) and need IP (Internet Protocol address) allow-listing or split-horizon DNS.
Why it matters: Reduce attack surface by identifying exposed infrastructure before attackers do.
Story 3: M&A DNS Due Diligence
Imagine you're an IT integration lead. You need to assess the DNS (Domain Name System) hygiene of acquired domains during M&A; replication health plus a sensitive-subdomain inventory informs consolidation planning.
Why it matters: Factor DNS (Domain Name System) cleanup into integration timelines and risk assessment.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Zone Hygiene tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Right before launching a new website or migrating to a new host.
After making any DNS change, to confirm the new settings are live everywhere.
When customers report that your site or email "just stopped working" out of nowhere.
As a recurring monthly health check to catch silent misconfigurations early.
If you can see yourself in even one of those bullets, the Zone Hygiene tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Zone Hygiene tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Zone Hygiene tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/dns/zone-hygiene?domain=example.com"
```

What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The zone apex to audit (e.g., example.com) | example.com |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The audited zone |
| nameservers | array | Authoritative nameservers |
| soa_consistency | object | Per-resolver SOA serial values and drift verdict |
| soa_drift_detected | boolean | Whether SOA serial drift was observed |
| exposed_subdomains | array | Sensitive subdomain names that resolve publicly |
| exposed_count | number | Count of exposed sensitive subdomains |
| wildcard_detected | boolean | True when the apex has a wildcard DNS (Domain Name System) record — sensitive-subdomain enumeration is skipped to avoid false positives |
| hygiene_grade | string | Overall hygiene grade: A, B, C, D, F |
| findings | array | Human-readable findings with severity |
| recommendations | array | Remediation steps |
| limitations | array | Caveats about the analysis (e.g., wildcard DNS (Domain Name System) skip) |
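The sensitive-subdomain half of the audit, including the `wildcard_detected` skip and the `limitations` entry it produces, as an added example for this guide rather than the endpoint's own code. The zones are constructed (not real domains), the label list is a subset of the names the page cites, and the resolver's wildcard handling is simplified. It also separates names that resolve only to private address space, which are not reachable from the internet but still leak that an internal service exists.

```python
"""Probe a zone for sensitive subdomains, skipping wildcard zones.

Added example for this guide, not EdgeDNS code or the endpoint's own
implementation. DNS answers come from constructed in-memory zones so the
script runs offline; replace `make_resolver` with real A/AAAA queries to
audit a live domain.
"""
import ipaddress
import secrets

# Labels the page lists as commonly exposed internal services.
SENSITIVE_LABELS = ["vpn", "admin", "staging", "dev", "internal", "jenkins",
                    "gitlab", "kibana", "grafana", "prometheus", "jira", "confluence"]

# Address space that is not publicly routable. The RFC 5737 documentation
# ranges (192.0.2.0/24 etc.) are deliberately absent so the constructed zones
# below can use them as stand-ins for real public addresses; a production
# check could use ipaddress.ip_address(addr).is_global, which excludes them too.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed zones (hostname -> A/AAAA answers). Not real domains.
ZONE_PLAIN = {
    "example.com": ["192.0.2.10"],
    "www.example.com": ["192.0.2.10"],
    "vpn.example.com": ["192.0.2.20"],         # VPN gateway on a public IP
    "jenkins.example.com": ["198.51.100.7"],   # CI dashboard on a public IP
    "internal.example.com": ["10.0.0.5"],      # resolves, but to RFC 1918 space
}
ZONE_WILDCARD = {
    "example.net": ["203.0.113.1"],
    "*.example.net": ["203.0.113.1"],          # every label answers
}


def make_resolver(zone):
    """Return a stand-in for an A/AAAA lookup over a constructed zone.

    Simplified wildcard handling: a name not present in the zone falls back
    to the '*.<parent>' entry when one exists.
    """
    def resolve(name):
        if name in zone:
            return zone[name]
        parent = name.split(".", 1)[1] if "." in name else ""
        return zone.get(f"*.{parent}", [])
    return resolve


def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_PUBLIC)


def has_wildcard(domain, resolve):
    """If a random label nobody created gets an answer, the zone is a wildcard."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    return bool(resolve(probe))


def exposed_sensitive(domain, resolve, labels=SENSITIVE_LABELS):
    """Mirror of the endpoint's exposed_subdomains / wildcard_detected fields."""
    if has_wildcard(domain, resolve):
        # Every probe would "resolve", so every hit would be a false positive.
        return {"wildcard_detected": True, "exposed": {}, "leaked_private": [],
                "limitations": ["wildcard DNS detected; sensitive-subdomain probing skipped"]}
    exposed, leaked_private = {}, []
    for label in labels:
        name = f"{label}.{domain}"
        addrs = resolve(name)
        if not addrs:
            continue
        public = [a for a in addrs if is_public(a)]
        if public:
            exposed[name] = public
        else:
            # Not reachable from the internet, but the hostname itself still
            # advertises that an internal service exists.
            leaked_private.append(name)
    return {"wildcard_detected": False, "exposed": exposed,
            "leaked_private": sorted(leaked_private), "limitations": []}


if __name__ == "__main__":
    for domain, zone in (("example.com", ZONE_PLAIN), ("example.net", ZONE_WILDCARD)):
        print(domain, exposed_sensitive(domain, make_resolver(zone)))
```

Against the plain zone this flags `vpn.example.com` and `jenkins.example.com` as exposed and lists `internal.example.com` as a leaked private name; against the wildcard zone it skips probing and records why, which is the behaviour the `limitations` field exists to surface.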
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.
IP (Internet Protocol address) — A unique number that identifies a computer on the internet, like a phone number for a server.
NS record (Name Server record) — A DNS entry that says which servers are in charge of answering questions about your domain.
SOA record (Start of Authority record) — A DNS entry that holds the 'master settings' for your domain: which server is the primary, a contact address, the serial number that changes with every edit, how often secondary servers should refresh their copy, and how long a 'that name does not exist' answer may be cached.
DoH (DNS over HTTPS) — A modern way of sending DNS queries that hides them inside encrypted HTTPS traffic, so people on the same network can't see which websites you're looking up.
VPN (Virtual Private Network) — An encrypted tunnel that carries your traffic into another network, such as your company's private network, so you can reach internal systems from outside. Consumer VPN services use the same idea to hide your real IP address behind their server.