UltraDNS Now Detects DCV Records and HTTPS Misconfigurations
We’re continuing to build on our efforts to strengthen DNS hygiene and security with enhancements to the Dangling DNS Records Detection feature in UltraDNS. In addition to identifying dangling CNAMEs, we’ve now added detection for:
- TXT-based Domain Control Validation (DCV) records
- HTTPS validation errors behind A records
These new checks help uncover security risks that may not be obvious from DNS configuration alone — giving you a more complete picture of your DNS exposure.
Detection of Dangling DCV TXT Records
Certificate Authorities use Domain Control Validation (DCV) to verify domain ownership via DNS. A TXT record is placed at _acme-challenge.domain.com. If not removed after certificate issuance, it can become a dangling record.
UltraDNS now detects:
- _acme-challenge TXT records older than 24 hours
- Validation records no longer in use
- Records left in zones promoted from secondary to primary
Why it matters: These records can be exploited for unauthorized certificate issuance or impersonation attacks.
HTTPS Validation Behind A Records
UltraDNS now performs HTTPS requests to the IPs behind A records to identify issues such as:
- Expired or invalid SSL certificates
- Hostname mismatches
- Self-signed or untrusted chains
- Missing intermediate certs
- 5XX server errors
This provides a more complete understanding of the security posture of the services your DNS records point to.
Use Cases This Feature Helps Solve
- Forgotten _acme-challenge TXT records after automation
- DNS migration left old validation entries
- A record points to a server with expired/self-signed SSL cert
- Temporary dev/staging records left active
- Subdomains pointing to unreachable or offline third-party services
Real Report Example
Host: _acme-challenge.demo-dangling.com. – DCV TXT record older than 24h
Host: a.demo-dangling.com. – SSL cert mismatch
Host: b.demo-dangling.com. – Self-signed certificate
Host: four.demo-dangling.com. – CNAME does not resolve
Host: five.demo-dangling.com. – CNAME does not resolve
Why This Matters
Dangling DNS records and misconfigured SSL endpoints expose organizations to:
- Phishing and impersonation
- Subdomain takeovers
- Trust and availability issues
This enhancement strengthens DNS visibility and helps proactively identify risks before they impact users or systems.
We’d Love Your Feedback
This update was driven by real-world customer needs. We welcome your feedback and suggestions as we continue improving DNS observability and protection.
Thanks for being part of the UltraDNS Community.