Find dangling DNS records (CNAMEs to dead hosts, A records for retired servers) and propose deletions with risk-of-takeover notes.
Walks a DNS zone export (BIND format or AWS Route53 / Cloudflare API) and identifies records that are likely dangling: CNAMEs to NXDOMAIN, A/AAAA records pointing at retired IPs, and TXT records with stale verification keys. Flags subdomain-takeover candidates.
Inputs:
- zone_source: path to a BIND-format zone file, or a directive like aws:Z123ABC / cloudflare:<zone-id>. Credentials come from aws_profile or the CLOUDFLARE_API_TOKEN env var.
- infra_inventory (optional): a YAML file listing currently-allocated IPs and CNAMEs (e.g., from Terraform state) to confirm "still in use".

Steps:
- Export the zone. Route53: aws route53 list-resource-record-sets --hosted-zone-id <id>. Cloudflare: curl -H "Authorization: Bearer $TOKEN" https://api.cloudflare.com/client/v4/zones/<id>/dns_records.
- For each CNAME, resolve the target with dig +short <target>. If NXDOMAIN, mark dangling-cname. Cross-check against the takeover database (e.g., *.s3.amazonaws.com patterns) and tag takeover-risk when applicable.
- For A/AAAA records pointing at IPs that no longer respond, mark unreachable-host.
- If infra_inventory is provided, cross-reference: any A/CNAME not listed there is unmanaged; tag accordingly without auto-deleting.
- For TXT verification records (google-site-verification=, MS=, _acme-challenge), check whether the corresponding service is still configured. Older than 1 year and unmatched -> stale-verification.
- For delegated subzones, check that the listed name servers answer authoritatively (dig NS <subzone> @<server>); if not, mark broken-delegation.
- Order findings by severity: takeover-risk first, then dangling-cname, then unreachable-host, then advisory.

Output:
- dns-cleanup.md with a per-severity section, each row showing record type, name, target, observation, and a suggested action (delete vs verify vs migrate). Stdout prints counts.
For each takeover-risk candidate, attempt to fetch https://<name> and check whether the response includes a "domain not configured" or "no such bucket" message that confirms takeover potential. Re-resolve a sample of records 30 minutes later to rule out transient DNS misses; persistent NXDOMAIN remains flagged. Coordinate with infra owners before any deletion suggestion is acted on.
Wildcard records (e.g., *.api) will resolve for any subdomain; skip the dangling-CNAME check and document the wildcard separately.
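As an added example (not the dns-zone-cleanup skill's own code), the following Python parses a small constructed BIND zone and sorts its records into the severity tiers described above. The dig lookup, the reachability probe and the infra inventory are injected as callables and sets so the sample runs offline; in real use they would wrap dig +short, a TCP or ICMP probe and the infra_inventory YAML. All domains, IPs and tokens are constructed, and the takeover pattern list contains only the s3.amazonaws.com pattern mentioned above, standing in for a fuller takeover database.

```python
"""Classify zone records into takeover-risk / dangling-cname / unreachable-host / advisory.
Added example; lookups are injected so it runs offline. Sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

SEVERITY_ORDER = ["takeover-risk", "dangling-cname", "unreachable-host", "advisory"]
# Stand-in for a takeover-fingerprint database: only the pattern the page names.
TAKEOVER_TARGET_PATTERNS = [re.compile(r"\.s3\.amazonaws\.com$")]
TXT_VERIFICATION_PREFIXES = ("google-site-verification=", "MS=")
RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|CNAME|TXT|NS|SOA|MX)\s+(.*)$")


@dataclass
class Record:
    name: str    # fully qualified, no trailing dot
    rtype: str
    target: str  # rdata with quotes and trailing dot stripped


@dataclass
class Finding:
    severity: str
    record: Record
    observation: str
    action: str


def parse_bind_zone(text: str) -> list[Record]:
    """Minimal BIND parser: honours $ORIGIN, skips comments, $TTL and the SOA."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop trailing comments
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = RR_LINE.match(line)
        if not m or m.group(2) == "SOA":
            continue
        name, rtype, rdata = m.groups()
        fqdn = origin if name == "@" else (name.rstrip(".") if name.endswith(".") else f"{name}.{origin}")
        records.append(Record(fqdn, rtype, rdata.strip().strip('"').rstrip(".")))
    return records


def classify(records: list[Record],
             resolve: Callable[[str], Optional[list[str]]],  # None means NXDOMAIN
             reachable: Callable[[str], bool],
             inventory: Optional[set[str]] = None,
             txt_age_days: Optional[dict[str, int]] = None,
             configured_tokens: frozenset = frozenset()) -> list[Finding]:
    """Apply the per-record-type checks and return findings ordered by severity."""
    findings: list[Finding] = []
    for r in records:
        def add(sev: str, obs: str, act: str) -> None:
            findings.append(Finding(sev, r, obs, act))
        if r.name.startswith("*."):                     # wildcard: resolves for anything
            add("advisory", "wildcard; resolves for any subdomain", "document separately")
        elif r.rtype == "CNAME":
            if resolve(r.target) is None:
                if any(p.search(r.target) for p in TAKEOVER_TARGET_PATTERNS):
                    add("takeover-risk", "NXDOMAIN target on a claimable provider", "delete")
                else:
                    add("dangling-cname", "target NXDOMAIN", "delete")
            elif inventory is not None and r.target not in inventory:
                add("advisory", "unmanaged: target not in inventory", "verify")
        elif r.rtype in ("A", "AAAA"):
            if not reachable(r.target):
                add("unreachable-host", "IP does not respond", "verify then delete")
            elif inventory is not None and r.target not in inventory:
                add("advisory", "unmanaged: IP not in inventory", "verify")
        elif r.rtype == "TXT" and (r.target.startswith(TXT_VERIFICATION_PREFIXES)
                                   or r.name.startswith("_acme-challenge.")):
            if r.target not in configured_tokens and (txt_age_days or {}).get(r.target, 0) > 365:
                add("advisory", "stale-verification: unmatched token older than 1 year", "verify then delete")
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f.severity))  # stable sort keeps zone order within a tier
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    return {s: sum(f.severity == s for f in findings) for s in SEVERITY_ORDER}


def render_markdown(findings: list[Finding]) -> str:
    """One section per severity, one row per record (the dns-cleanup.md layout)."""
    out = ["# dns-cleanup"]
    for sev in SEVERITY_ORDER:
        rows = [f for f in findings if f.severity == sev]
        if rows:
            out += [f"\n## {sev}", "| type | name | target | observation | action |", "|---|---|---|---|---|"]
            out += [f"| {f.record.rtype} | {f.record.name} | {f.record.target} | {f.observation} | {f.action} |"
                    for f in rows]
    return "\n".join(out)


# Constructed sample zone and lookup tables (no real hosts or tokens).
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 300
@        IN SOA   ns1.example.test. hostmaster.example.test. (1 3600 600 86400 300)
www      IN A     203.0.113.10
old-api  IN A     203.0.113.99      ; server retired last quarter
assets   IN CNAME old-assets-bucket.s3.amazonaws.com.
blog     IN CNAME blog-host.provider.test.
docs     IN CNAME docs-host.provider.test.
*.api    IN CNAME api-gw.example.test.
@        IN TXT   "google-site-verification=abc123"
"""
FAKE_DNS = {"docs-host.provider.test": ["198.51.100.5"], "api-gw.example.test": ["203.0.113.20"]}
FAKE_REACHABLE = {"203.0.113.10": True, "203.0.113.20": True}
SAMPLE_INVENTORY = {"203.0.113.10", "api-gw.example.test"}
SAMPLE_TXT_AGE = {"google-site-verification=abc123": 500}


def run_sample() -> list[Finding]:
    return classify(parse_bind_zone(SAMPLE_ZONE),
                    resolve=lambda host: FAKE_DNS.get(host),            # absent => NXDOMAIN
                    reachable=lambda ip: FAKE_REACHABLE.get(ip, False),
                    inventory=SAMPLE_INVENTORY, txt_age_days=SAMPLE_TXT_AGE)


if __name__ == "__main__":
    result = run_sample()
    print(render_markdown(result))
    print(severity_counts(result))
```

Swapping the two lambdas in run_sample for real lookups (a dig wrapper returning None on NXDOMAIN, a socket probe) is the only change needed to run it against an exported zone; the inventory check never deletes anything, it only tags unmanaged records for a human to verify.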
Related skills with the same domains or capabilities as amitte/dns-zone-cleanup:
Audit an AWS IAM policy against CloudTrail usage data and propose a minimized policy listing only actions actually invoked in the analysis window.
Read-only AWS surface — list/describe EC2, S3 buckets, IAM users, and Lambda functions. Auth via STS-assumed role; no mutating tools.
Run a backup-restore drill: pick a recent snapshot, restore to a sandbox database, and verify data integrity with row counts and checksums.
Read-only Cloudflare surface — list zones, DNS records, deployed Workers, and page rules. Auth via scoped API token; no mutating tools.
Identify imports and module-init code that contribute to Cloudflare Worker cold starts and propose lazy-load rewrites.
Map a SOC2 or ISO 27001 control to evidence artifacts in a typical engineering org — produce a list of artifacts, owners, and the query or path that produces each.