What TLINK PRO's DNS analysis catches that automated scanners miss
Automated vulnerability scanners are good at known CVEs and configuration flags. They're not built for the kind of DNS signal analysis that surfaces subdomain takeover candidates, stale delegations, and impersonation infrastructure before damage is done.
Automated scanners are a commodity. They run CVE databases against version strings, check for known misconfigurations, and report what matches. That's valuable work, but it's table stakes — and it largely misses the DNS layer, where some of the most actionable threat intelligence lives.
Subdomain takeover candidates
A subdomain takeover happens when a DNS record points to a resource that no longer exists — a deprovisioned cloud service, an expired CDN configuration, a deleted GitHub Pages deployment — and an attacker claims that resource to serve content from your domain. The DNS record is still live. The attacker registers the underlying service. Your subdomain is now theirs.
Automated scanners check what's running at a given endpoint. They don't cross-reference what a DNS record claims to point to against whether that target is actually under your control. TLINK PRO's DNS analysis maps your subdomains and flags CNAME targets that point to known cloud service patterns (S3 buckets, Azure blob endpoints, GitHub Pages, Heroku, Fastly, etc.) where the underlying resource appears unclaimed. This is not a theoretical finding — subdomain takeover is a well-documented initial access vector used in real campaigns.
Stale DNS delegations
NS delegation records that haven't been reviewed in years are common in environments that have gone through acquisitions, infrastructure migrations, or hosting provider changes. A domain segment delegated to a registrar you no longer use is an access vector if the account was closed but not cleaned up. TLINK PRO identifies NS records pointing to registrars with known account recovery weaknesses or that appear inconsistent with your primary DNS infrastructure.
Lookalike and typosquat monitoring
Scanners run against your infrastructure. They don't watch what's being registered that looks like your infrastructure. TLINK PRO's domain monitoring watches for registrations that are visually or phonetically similar to your primary domains — homograph attacks (using Unicode characters that render identically to ASCII), transposition typos, TLD variations — and surfaces them as they appear, before a phishing campaign goes live. This is intelligence work, not configuration scanning.
SPF/DKIM/DMARC coherence
Email authentication records are often set once and never revisited. A DMARC policy of p=none provides reporting but no protection. An SPF record that includes +all at the end negates everything before it. DKIM selectors that were added for services no longer in use remain valid signing keys that an attacker who compromises the old provider's infrastructure could potentially use.
TLINK PRO's DNS analyzer parses these records structurally — not just "does it exist" but "does it actually enforce what you think it does." The difference between ~all (soft fail) and -all (hard fail) in an SPF record is the difference between a policy that deflects and one that actually rejects unauthorized senders.
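The structural reading described above, sketched in Python as an added example: this is not TLINK PRO's code and not part of the original article, and the function names audit_spf and audit_dmarc and the sample records are assumptions made for illustration. It goes slightly beyond the text by also flagging ?all, terms placed after all, a record with no all, and a DMARC pct below 100.

```python
import re

# Added example: structural checks on SPF and DMARC TXT strings (runs offline).
SPF_ALL = {
    "+": "+all passes every sender, negating the mechanisms before it",
    "?": "?all is neutral: unauthorized senders are not failed",
    "~": "~all is softfail: unauthorized mail is marked, not rejected",
}

def audit_spf(txt):
    """Return findings for one SPF record; an empty list means -all enforcement."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings, qualifier = [], None
    for pos, term in enumerate(terms[1:], start=1):
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"  # RFC 7208: a bare "all" means "+all"
            if pos != len(terms) - 1:
                findings.append("terms after 'all' are never evaluated")
            break
    if qualifier is None:
        if not any(t.lower().startswith("redirect=") for t in terms):
            findings.append("no 'all' and no redirect: unmatched senders get neutral")
    elif qualifier in SPF_ALL:
        findings.append(SPF_ALL[qualifier])
    return findings

def audit_dmarc(txt):
    """Return findings for one DMARC record; an empty list means full enforcement."""
    parts = (p.partition("=") for p in txt.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings, policy = [], tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: reporting only, no enforcement")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif tags.get("pct", "100").isdigit() and int(tags.get("pct", "100")) < 100:
        findings.append("pct below 100: policy applies to only part of failing mail")
    return findings

if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    for rec in ("v=spf1 include:_spf.example.net +all", "v=spf1 mx ~all"):
        print(rec, "->", audit_spf(rec))
    print(audit_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```

Feed it the TXT strings returned for the domain apex and for _dmarc.<domain>; DKIM selectors are not covered because they cannot be enumerated from the record text alone.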
Using DNS findings operationally
DNS analysis is most valuable as a regular cadence, not a one-time snapshot. The attack surface changes as subdomains are created and forgotten, as vendors are onboarded and offboarded, and as cloud resource lifecycles drift out of sync with DNS. TLINK PRO's asset monitoring runs these checks on your registered domains continuously and surfaces changes in the analyst workspace, so your team or ThreatGrid's MDR analysts see the delta, not just a static report.
If you want to run a DNS review against your domains, open TLINK PRO Tools — no account required for the public DNS and WHOIS analyzers. For continuous monitoring and alert integration, request TLINK PRO access.