ThreatDNS • Authoritative DNS

Authoritative DNS built for security teams.

Manage zones, records, and API access from a single hardened control panel. Full PowerDNS integration, scoped API keys, and a tamper-evident audit log — every change traced, every request accountable.

Request Access Open ThreatDNS →

PowerDNS-backed Scoped API keys Tamper-evident log DNSSEC-ready

Best fit for

Security teams managing DNS across multiple zones
MSSPs delegating zone management per client
Organizations requiring compliance-grade audit logs
Teams automating DNS via CI/CD or IaC pipelines
Environments that need DNSSEC without manual key management

Backend PowerDNS Native Full PowerDNS authoritative backend. Deploy on-prem or cloud with your existing nameserver infrastructure.

Access Scoped API Keys Per-zone or global keys with read, write, or admin permissions. Rotate and revoke instantly.

Compliance Tamper-Evident Log Chained audit log of every zone and record change — suitable as compliance evidence.

Security DNSSEC Managed Per-zone DNSSEC signing with automated KSK/ZSK rotation. No manual key management required.

Control Panel

One interface for everything DNS.

Manage zones, records, API keys, DNSSEC, and audit history from a single hardened control panel — purpose-built for security operations, not general IT.

ThreatDNS Control Panel

ZoneRecordsSerialStatus

threatgrid.tech 47 2024041401 Active

admiresty.co 23 2024041302 Active

opentech.support 15 2024041201 DNSSEC

Core Features

Everything DNS needs. Nothing it doesn't.

ThreatDNS strips away the noise and gives security teams the exact controls they need — without the sprawl of general-purpose DNS platforms.

Zones & Records

Full Zone Management

Create, edit, and delete DNS zones and records from one interface. Supports all standard record types — A, AAAA, CNAME, MX, TXT, SRV, CAA, and more. Bulk import via AXFR or bind-format zone files.

API Access

Scoped API Keys

Issue API keys with fine-grained permissions: read-only, zone-specific write, or full admin. Rotate and revoke instantly. Keys carry owner metadata and last-used timestamps for full attribution.

Compliance

Tamper-Evident Audit Log

Every zone change, record edit, and key action is logged with a chained hash — making the log tamper-evident and suitable as supporting evidence in compliance audits and incident investigations.

Security

DNSSEC Signing

Enable DNSSEC per zone with a single toggle. ThreatDNS manages KSK/ZSK rotation, DS record generation, and re-signing automatically — signing failures trigger immediate alerts.

Visibility

Real-Time Change Feed

Subscribe to a live event stream for zone mutations. Feed into SIEMs, alerting pipelines, or TLINK PRO's monitoring layer for instant visibility on DNS changes across your environment.

Multi-Tenant

Isolated Zone Delegation

Delegate zone management to sub-accounts with isolated permissions. Ideal for MSSPs managing DNS across multiple clients from one platform without cross-tenant visibility.

Security Model

Hardened from the ground up.

ThreatDNS is designed around the assumption that DNS is a high-value target. Every layer — access, logging, and the control plane itself — is built with compromise in mind.

Tamper-Evident Log Chain

Each audit entry is cryptographically chained to the previous, making retroactive modification detectable. Suitable as supporting evidence in compliance audits and incident investigations.

Least-Privilege API Keys

Keys are scoped to the minimum required access at issuance. Zone-isolated keys cannot be elevated at runtime — escalation requires explicit re-issuance through the control panel or admin API.

Hardened Control Plane

The management API runs isolated from the DNS resolution path. A compromised API key cannot influence resolution until zone changes propagate — giving teams a detection window before impact.

Rate Limiting & Abuse Controls

Per-key and per-IP rate limits on the management API. Automated alerts on anomalous mutation rates — catch credential misuse before it becomes a DNS hijack.

SOC Team Visibility

ThreatGrid's analyst team can be granted read-only visibility into zone state and audit logs as part of a managed engagement — no standing admin access required.

DNSSEC Chain of Trust

Full DNSSEC signing with automated key rollover. DS records surfaced directly in the control panel for clean delegation setup. Signing failures trigger immediate alerts.

Integrations

Built on PowerDNS. Wired into your stack.

PowerDNS Authoritative

Native PowerDNS backend with full API compatibility. Deploy on-prem or cloud with your existing nameserver infrastructure.

TLINK PRO

Push zone change events into TLINK PRO's monitoring layer. DNS anomalies surface alongside your broader threat intelligence.

SIEM & Webhooks

Forward audit events to any SIEM via webhooks or syslog. Compatible with Splunk, Elastic, Microsoft Sentinel, and custom HTTP endpoints.

REST API

Fully documented REST API with OpenAPI schema. Automate zone provisioning and record management from any CI/CD pipeline or IaC tooling.

Get Started

Ready to harden your DNS layer?

ThreatDNS is provisioned through ThreatGrid. Request access and our team will scope coverage, configure your zones, and integrate audit events with your existing security stack.

Request Access Contact Us

Included with ThreatGrid Pro

Unlimited zones and records
Full API access with scoped keys
Tamper-evident audit log retention
DNSSEC management across all zones
TLINK PRO event integration
SOC team visibility on request