Context and Problem Statement
Managing DNS records in large organizations presents significant challenges in terms of consistency and tracking over time, which can have major operational impacts, particularly on cybersecurity. Organizations managing large-scale networks, such as international corporations or Internet service providers, often use the DNS CNAME functionality to handle the complexity and constant evolution of their network infrastructures. This constant evolution requires continuous adjustments to DNS records by NetOps and SecOps teams, both to ensure the proper operation of services and to prevent cybersecurity issues.
Outdated DNS records can pose significant cybersecurity risks. For example, DNS record chains that include a record belonging to the DNS zone of a defunct web agency can lead to “domain hijacking,” as hackers could purchase the agency’s domain name and receive requests intended for the original domain. This typically results in credential leaks, as the user’s Web browser continues to send cookies to the hackers’ server.
Imagine: all your DNS zones in a beautiful graph-oriented database, queryable and delivered with pre-written queries to easily find at-risk entries, thereby improving your cyber-rating.
A Knowledge Graph to Help Protect DNS
Researchers at Orange propose an approach that involves building an RDF knowledge graph from an organization’s DNS configuration data to facilitate inter-zone analysis of DNS records. The graph, called “DNS-KG,” is structured by DSecO, a lightweight ontology implemented in RDFS/OWL to enable a query-based audit approach for DNS data and facilitate connections to third-party knowledge bases for broader inference cases. DSecO is available as open source at https://w3id.org/dseco/.
Nine DNS administration use cases were studied based on interviews with DNS operations experts at Orange. These use cases were implemented as SPARQL queries to evaluate the audit approach on both generated and real data. A behavior-driven development (BDD) methodology was used to describe these use cases in natural language, making them suitable for automated data processing.
Operational Impact
Testing the DNS-KG approach on a sample dataset confirmed the effectiveness of the solution. The evaluation on a real dataset from Orange highlighted the relevance of the DNS-KG approach in an industrial environment, enabling SecOps teams to confidently identify and correct numerous non-compliant DNS configurations. Over 547 non-compliances were reported and forwarded to a SecOps team via a ticketing system for further analysis and remediation. Building on these successes, the DNS-KG approach is now used daily to help secure Orange’s infrastructures and services.

Before the implementation of the DNS-KG proposal, the evaluation of DNS configuration (i.e., audit tasks and cleanup/correction) was challenging for the involved SecOps team to conduct with such depth. The overall DNS-KG approach enhances operational efficiency by instilling confidence in the corrective actions to be performed on a large number of records. Beyond this increased efficiency, the learning and adoption of the DNS-KG solution within the SecOps team have also been positively evaluated.
An Open Source Solution with Multiple Benefits
This approach improves DNS management by transforming a complex manual task into an automated, reliable, and explainable process, significantly enhancing the security of network infrastructures. The use of ontologies and knowledge graphs replaces rare manual audits with systematic analysis. Audit rules are understandable and shareable among teams. Furthermore, the method is extensible: it is easy to add new use cases (i.e., write new SPARQL queries), and the knowledge graph is interoperable with other knowledge bases thanks to the use of the Semantic Web technologies.
Imagine: all your DNS zones in a beautiful graph-oriented database, queryable and delivered with pre-written queries to easily find at-risk entries, thereby improving your cyber-rating. We have the solution: DSecO and the DNS-KG approach. Feel free to use and contribute to the project; it is open source: https://w3id.org/dseco/.
This text has been translated by an artificial intelligence.
Glossary :
- DNS (Domain Name System): DNS is a critical service for the operation of networks and the Web. It associates Internet domain names with their IP addresses.
- RDF (Resource Description Framework): RDF is a graph model designed to describe Web resources and their metadata.
- SPARQL: SPARQL is a query language and protocol used to search, add, modify, or delete RDF data.
- Ontology: An ontology is a set of concepts and the relationships between these concepts, used to describe a domain of discourse.
- DSecO (DNS Security Ontology): DSecO is an open-source ontology developed by Orange, available at https://w3id.org/dseco/.
- Cyber-Rating: A cyber-rating is a “cyber-score” assigned to companies by agencies to quantify the cyber risk to which they are exposed.
Read more :
D. Bringer and L. Tailhardat, “DSecO: Domain Name System (DNS) Data as a Knowledge Graph for Enhanced Security Analysis,” in IEEE Transactions on Networking, vol. 34, pp. 370-383, 2026, doi: 10.1109/TON.2025.3598374
Lionel Tailhardat







