Hey everyone,
I've got this inactive domain that's not hosting any website or email, and I'm looking for some advice on how to secure it. Just to give you some context:
- DNSSEC is already enabled.
- DMARC is set to reject and SPF is configured with -all.
- I'm not using any services on this domain.
Should I go ahead and remove the A record completely, or is it better to redirect it to 0.0.0.0 or something like that to prevent misuse? What's the best practice here?
Thanks for your help!
3 Answers
Another option could be to CNAME it to your main corporate domain, but make sure your SPF, DKIM, and DMARC records are still in place as backups. But I wouldn't advise CNAMEing it unless you’re sure it won’t lead to a 404 error later.
Honestly, I’d recommend removing the A/AAAA records entirely. Keeping any record, like pointing to 0.0.0.0 or even 127.0.0.1, can leave your domain susceptible to abuse. If someone else were to get an IP address you’re using, they could potentially misuse it and cause major issues for you. Just ensure you keep your SPF, DKIM, and DMARC records to protect your domain from email abuse.
But isn't it risky to leave a domain without A records? Like, could that cause any issues?
Definitely don’t point it to `127.0.0.1`. If someone finds that, it could lead to unexpected problems. Using `0.0.0.0` is much safer to prevent any traffic from resolving. Overall, just deleting the A record is the safest route to keep things clean.
Thanks for clarifying! So you think `0.0.0.0` is better than just deleting the A record?
Yeah, I think just removing the A record is cleaner than CNAMEing it. Redirects could complicate things if not done correctly.