Most domains have between six and ten security misconfigurations that their owners do not know about. Not because the owners are careless. Because DNS is a layered system built over four decades, where each layer adds its own records, requirements, and failure modes — and where a misconfiguration in one layer often has no visible symptom until an attacker finds it first.

An open DNS resolver. A dangling CNAME pointing to a deleted Heroku app. An SMTP server that answers user enumeration queries. A DNSSEC chain with an expired signature. None of these appear in uptime monitors. None of them trigger alerts. All of them are exploitable.

A structured security audit checks every layer systematically. This post walks through all 30 checks — what each one tests, what a failure means in practice, and why the check exists.

How the Audit Is Organized

The 30 checks fall into five categories, each targeting a different attack surface on the same domain.…