So that we can stop entire sub-domain takeovers
As a network administrator
I would like to be notified of ns records in a dns zone where I don't have a corresponding dns zone for the subdomain.
Describe the solution you'd like
I'd like a new resource type, ns-record, to be added to the list of entries detected as dangling.
Describe alternatives you have considered
Nope - for large dns deployments ns records are routinely used to simplify management.
Additional context
ns-records point to generic azure dns name-servers.
If I
own mydomain.com and have Azure DNS managing it.
create another Azure DNS record to manage sub.mydomain.com
create an ns record set against mydomain.com pointing to the name servers controlling sub,mydomain.com (an Azure generic dns server such as "ns1-09.azure-dns.com")
delete the sub-domain without deleting the ns record.
Someone else can now create a dns zone for sub.mydomain.com and has a chance of getting it on the same ns1-09.azure-dns.com Azure dns servers. When they do then they've effectively taken over an entire subdomain.
So that we can stop entire sub-domain takeovers As a network administrator I would like to be notified of ns records in a dns zone where I don't have a corresponding dns zone for the subdomain.
Describe the solution you'd like I'd like a new resource type, ns-record, to be added to the list of entries detected as dangling.
Describe alternatives you have considered Nope - for large dns deployments ns records are routinely used to simplify management.
Additional context ns-records point to generic azure dns name-servers. If I
Someone else can now create a dns zone for sub.mydomain.com and has a chance of getting it on the same ns1-09.azure-dns.com Azure dns servers. When they do then they've effectively taken over an entire subdomain.
Happy to submit a pull request to detect this!