Reviewing our DNS records, should these be removed?

After many years, I am reviewing our DNS records, and I don’t know why some are there. They seem unnecessary, and perhaps harmful, maybe put there by mistake. No comments were entered for them. Can someone tell me if it makes sense to have these?

These are each CNAME records, all are proxied. I don’t use subdomains like these:

Does the ‘ipv6’ one do anything? I thought IPv6 addresses are supposed to be set up as AAAA records.

The ‘www.ipv6’ has a warning saying “This hostname is not covered by a certificate.” Seems superfluous. Is there any reason to have a CNAME record like this?

I have no idea what the ‘zdirectz’ is for.

Should I try deleting these records? Any help would be appreciated.

That’s something to discuss with your webmaster, nobody here can tell you which entries you need.

ipv6 would usually suggest an IPv6 address, so a hostname in a CNAME context may be strange, but maybe that used an IPv6 hostname.

If you had a DNS wildcard when you set up your domain on Cloudflare, Cloudflare may have imported ipv6 automatically, though probably not www.ipv6. The warning about the latter is because the default proxy certificate won’t cover that hostname, so HTTPS wouldn’t work.

In short, discuss with your webmaster which entries you need and configure them accordingly.

You can always export your DNS entries, drop those, and re-add them from the backup should something not work any more.

Another option: you could set a WAF rule to challenge on those hostnames and look whether they are hit and maybe solved, to log whether anyone (internal bot, external bot or human) is actually using them.
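The "export, drop, re-add from the backup" workflow above can be made less error-prone with a small structural audit of the export. The script below is an added example for this thread, not code from Cloudflare or from the poster. It assumes the zone was exported in BIND format (Cloudflare's DNS export produces that) and that proxied records carry a trailing `; cf_tags=cf-proxied:true` comment as that export does; the zone text is constructed to mirror the records discussed in the thread. For each CNAME it reports the target, whether any other record in the zone points at it (removing such a name breaks that record), whether the name sits more than one label below the apex (which is why `www.ipv6` gets the "not covered by a certificate" warning: the default Universal SSL certificate covers the apex and one level), and it keeps the verbatim export lines so they can be pasted back if something stops working.

```python
"""Structural audit of CNAME records in a BIND-style zone export.

Added example, not code from Cloudflare or the thread. Assumptions: BIND
export format, and Cloudflare's '; cf_tags=cf-proxied:true' trailing comment
marking proxied records. ZONE is a constructed sample, not a real export.
"""
from dataclasses import dataclass

ZONE = """\
;; Constructed sample, not a real export
$ORIGIN example.com.
$TTL 1
example.com.            1 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 3600 86400 3600
example.com.            1 IN A     192.0.2.10 ; cf_tags=cf-proxied:true
example.com.            1 IN AAAA  2001:db8::10 ; cf_tags=cf-proxied:true
example.com.            1 IN MX    10 mail.example.com.
mail.example.com.       1 IN A     192.0.2.25
www.example.com.        1 IN CNAME example.com. ; cf_tags=cf-proxied:true
ipv6.example.com.       1 IN CNAME example.com. ; cf_tags=cf-proxied:true
www.ipv6.example.com.   1 IN CNAME ipv6.example.com. ; cf_tags=cf-proxied:true
zdirectz.example.com.   1 IN CNAME example.com. ; cf_tags=cf-proxied:true
"""


@dataclass
class Record:
    name: str       # fully qualified, lower-case, trailing dot
    rtype: str
    rdata: list
    proxied: bool
    raw: str        # original export line, kept verbatim for re-adding


# Which rdata field of each type names another host in the zone.
HOST_FIELD = {"CNAME": 0, "NS": 0, "MX": 1, "SRV": 3}


def parse_zone(text):
    """Return (origin, records). Relative names are qualified with $ORIGIN."""
    origin, records = None, []
    for raw in text.splitlines():
        body, _, comment = raw.partition(";")
        toks = body.split()
        if not toks:
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1].lower()
            continue
        if toks[0].startswith("$"):
            continue                      # $TTL and friends carry no record
        name = toks[0].lower()
        if not name.endswith("."):
            name = origin if name == "@" else f"{name}.{origin}"
        i = 1
        if toks[i].isdigit():             # optional TTL
            i += 1
        if toks[i].upper() == "IN":       # optional class
            i += 1
        rtype = toks[i].upper()
        records.append(Record(name, rtype, toks[i + 1:], "cf-proxied:true" in comment, raw))
    return origin, records


def audit_cnames(origin, records):
    """Facts about each CNAME that the zone itself can tell you."""
    referenced_by = {}
    for r in records:
        idx = HOST_FIELD.get(r.rtype)
        if idx is not None and idx < len(r.rdata):
            referenced_by.setdefault(r.rdata[idx].lower(), []).append(r.name)
    report = {}
    for r in records:
        if r.rtype != "CNAME":
            continue
        depth = r.name.count(".") - origin.count(".")   # labels below the apex
        report[r.name] = {
            "target": r.rdata[0].lower(),
            "proxied": r.proxied,
            # records in this zone that would break if the name were removed
            "referenced_by": sorted(referenced_by.get(r.name, [])),
            # Universal SSL covers the apex and one level below it, so a
            # two-level name such as www.ipv6 is not covered by default
            "default_cert_covers": depth <= 1,
        }
    return report


def unreferenced_cnames(report):
    """CNAMEs nothing else in the zone points at. Removing them breaks no other
    record; it says nothing about external clients still asking for them."""
    return sorted(n for n, info in report.items() if not info["referenced_by"])


def backup_lines(records, names):
    """The exact export lines for `names`, to paste back if something stops working."""
    wanted = set(names)
    return [r.raw for r in records if r.name in wanted]


if __name__ == "__main__":
    origin, records = parse_zone(ZONE)
    report = audit_cnames(origin, records)
    for name, info in report.items():
        print(name, info)
    candidates = unreferenced_cnames(report)
    print("unreferenced:", candidates)
    print("\n".join(backup_lines(records, candidates)))
```

On the constructed zone this shows that `ipv6` cannot be dropped on its own without breaking `www.ipv6`, that `www.ipv6` is outside the default certificate's coverage, and that `zdirectz` is referenced by nothing in the zone; whether anything outside the zone still uses it is exactly the question the script cannot answer.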

I am the webmaster, but don’t remember why these were included, so I’m trying to determine if they are normally included or not.

I may give this a try, thanks.

Thanks for the suggestion. Would I use a “Managed Challenge” for that, and how do I log it?

Then I am afraid only you can determine that. As mentioned, nobody else can know which entries you actually need. Drop them and re-add them should something not work.

You can certainly use a managed challenge as well, but that will only work for the web in the first place (though being proxied, it will be limited anyhow) and requests would show up in the firewall event log. Logging won’t be possible, unless you have an Enterprise plan.

Yes, use managed challenge. You’ll see a graph of rule hits over 24 hours and a % value for the solve rate. Details of unsolved challenges will be on the events page (source IP, ASN, URL, etc).

You may get hits to the hosts from bad bots (some never forget a hostname, even long after they have been deleted from the DNS in my experience). Up to you how long you wait to see if there are any human or internal bot hits.

However a challenge is not an indicator that the hostname is actually used, as any random client could send that request. You can certainly have a look at other parameters as well, but only you can tell if that’s worth it.

My advice would be to trim down the entries to what you actually need and re-add entries if something does not work any more.
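The two replies above pull in different directions: the events page shows hits and a solve rate per hostname, but a hit alone proves nothing because any client can send a request for any `Host`. The script below is an added example for this thread, not Cloudflare's code, that turns an events export into the one distinction that is actually informative: per hostname, how many challenges were issued, how many were solved (a solved challenge means a real browser, or a client able to run the challenge, reached the name), and how many distinct IPs, ASNs and user agents were behind them. It assumes JSON lines in the shape of a firewall-events export with the fields `datetime`, `action`, `clientIP`, `clientASN`, `clientRequestHTTPHost` and `userAgent`, and the action values `managed_challenge` for an issued challenge and `managed_challenge_non_interactive_solved` / `managed_challenge_interactive_solved` for a solved one; those names are assumptions to map onto whatever your export contains. The events are constructed.

```python
"""Summarise managed-challenge events per hostname from an events export.

Added example, not Cloudflare's code. Field names and action values are
assumptions (see the lead-in); EVENTS is a constructed sample.
"""
import json
from collections import defaultdict

EVENTS = """\
{"datetime":"2024-05-01T10:00:01Z","action":"managed_challenge","clientIP":"198.51.100.7","clientASN":64496,"clientRequestHTTPHost":"zdirectz.example.com","userAgent":"Mozilla/5.0 (compatible; scanner/1.0)"}
{"datetime":"2024-05-01T10:00:05Z","action":"managed_challenge","clientIP":"198.51.100.8","clientASN":64496,"clientRequestHTTPHost":"zdirectz.example.com","userAgent":"Mozilla/5.0 (compatible; scanner/1.0)"}
{"datetime":"2024-05-01T11:12:40Z","action":"managed_challenge","clientIP":"203.0.113.3","clientASN":64497,"clientRequestHTTPHost":"zdirectz.example.com","userAgent":"python-requests/2.31"}
{"datetime":"2024-05-01T12:00:00Z","action":"managed_challenge","clientIP":"198.51.100.9","clientASN":64496,"clientRequestHTTPHost":"ipv6.example.com","userAgent":"Mozilla/5.0 (compatible; scanner/1.0)"}
{"datetime":"2024-05-01T13:30:00Z","action":"managed_challenge","clientIP":"192.0.2.44","clientASN":64498,"clientRequestHTTPHost":"www.ipv6.example.com","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}
{"datetime":"2024-05-01T13:30:02Z","action":"managed_challenge_non_interactive_solved","clientIP":"192.0.2.44","clientASN":64498,"clientRequestHTTPHost":"www.ipv6.example.com","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}
{"datetime":"2024-05-01T14:00:00Z","action":"managed_challenge","clientIP":"192.0.2.44","clientASN":64498,"clientRequestHTTPHost":"www.ipv6.example.com","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}
{"datetime":"2024-05-01T14:00:03Z","action":"managed_challenge_non_interactive_solved","clientIP":"192.0.2.44","clientASN":64498,"clientRequestHTTPHost":"www.ipv6.example.com","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}
{"datetime":"2024-05-01T15:00:00Z","action":"block","clientIP":"203.0.113.9","clientASN":64497,"clientRequestHTTPHost":"www.example.com","userAgent":"curl/8.0"}
"""

# Assumed action values; adjust to the export you actually have.
ISSUED = {"managed_challenge"}
SOLVED = {"managed_challenge_non_interactive_solved", "managed_challenge_interactive_solved"}


def summarise(lines):
    """Count issued and solved challenges per Host, with who sent them."""
    per_host = defaultdict(lambda: {"issued": 0, "solved": 0,
                                    "ips": set(), "asns": set(), "agents": set()})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        action = ev["action"]
        if action in ISSUED:
            key = "issued"
        elif action in SOLVED:
            key = "solved"
        else:
            continue          # block, skip, ... are not challenge traffic
        s = per_host[ev["clientRequestHTTPHost"].lower()]
        s[key] += 1
        s["ips"].add(ev["clientIP"])
        s["asns"].add(ev["clientASN"])
        s["agents"].add(ev["userAgent"])
    return per_host


def classify(per_host):
    """Turn the counters into something a person can act on. A solved challenge
    shows a verified client reached the host; it does not prove the host is
    needed, so the verdict only separates verified from unverified clients and
    leaves the decision to the zone owner."""
    out = {}
    for host, s in sorted(per_host.items()):
        rate = s["solved"] / s["issued"] if s["issued"] else 0.0
        out[host] = {
            "issued": s["issued"],
            "solved": s["solved"],
            "solve_rate": round(rate, 2),
            "distinct_ips": len(s["ips"]),
            "distinct_asns": len(s["asns"]),
            "agents": sorted(s["agents"]),
            "verdict": "verified_clients" if s["solved"] else "unverified_only",
        }
    return out


if __name__ == "__main__":
    for host, info in classify(summarise(EVENTS.splitlines())).items():
        print(host, info)
```

On the constructed data `zdirectz` and `ipv6` only ever collect unsolved challenges from scanner-style clients spread over several IPs, which is the "bad bots never forget a hostname" pattern; `www.ipv6` is solved every time by one IP with a browser user agent, which is the case worth chasing down (whose address is 192.0.2.44, and what do they have bookmarked?) before the record is dropped. Either way the numbers inform the decision, they do not make it.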
