Dangling DNS Records: How to Prevent Subdomain Takeover?

Blog

Dangling DNS records pose serious risks, like subdomain takeovers and data breaches. Learn their causes, risks, and how to secure your domain.

by Yunes Tarada

Reading Time: 6 min
Dangling DNS Records: How to Prevent Subdomain Takeover?
Table Of Contents

Dangling DNS is a critical issue that arises from vulnerabilities within the Domain Name System (DNS) – a decentralized system used to locate resources across the Internet. By translating human-readable domain names, like google.com, into machine-readable IP addresses such as 101.102.25.22, DNS ensures seamless connectivity.

Think of it as a telephone directory, linking names to numbers for easier access. However, when DNS misconfigurations occur, they can result in dangling DNS records—entries pointing to non-existent or decommissioned resources—exposing domains to significant security risks. Addressing these issues is essential for maintaining a secure online presence.

Key Takeaways

  1. Dangling DNS records expose domains to significant security risks by pointing to non-existent or decommissioned resources.
  2. Common causes of dangling DNS records include misconfigurations, expired services, and discontinued hosting accounts.
  3. Subdomain takeover attacks can result from dangling DNS records, allowing attackers to control and serve malicious content through compromised domains.
  4. Email authentication records are particularly vulnerable to dangling DNS issues and require regular monitoring to ensure proper configuration.
  5. Both manual auditing and automated DNS monitoring tools are essential for detecting and addressing dangling DNS records effectively.

What Are Dangling DNS Records?

A dangling DNS record is a DNS entry that points to a resource that no longer exists or is inaccessible. Cybercriminals on the internet are always on the hunt for such DNS entries since they are susceptible to information leakage. Some of these entries may contain sensitive information about a domain, becoming a data goldmine for threat actors to benefit from. 

Common Scenarios Leading to Dangling DNS

  • DNS Misconfigurations

The Domain Name System is configured separately from the internet resource we want to interact with. DNS records added to the DNS point to these resources, helping us access them. In certain cases, a previously configured resource may get deconfigured by its host. For example, a DNS record was configured by a domain owner to point to a server’s IP. This server is now no longer in use. The DNS record now points to a resource that no longer exists and hence can be termed a “dangling DNS” entry. 

  • Expired or Deleted Cloud Resources

If a cloud service used by a domain owner expires or is deleted, any DNS record pointing to that service becomes a Danglish DNS record. This DNS record still remains active, and any attacker can use the resource to serve malicious content. 

  • Deprecated IPs

A company can migrate services to a new provider, while the previous IPs are deprecated. However, he forgets to update or remove the old DNS records. These old records are vulnerable to subdomain takeover attacks and can be exploited very easily. 

  • Service Decommissioning or Discontinuation

An email server, hosting account, or third-party service provider is discontinued or decommissioned, however, the DNS records like MX, A, and CNAME records are still active and configured. Attackers can exploit these active Dangling DNS records to impersonate the discontinued service. 

 

Simplify Dangling DNS Records with PowerDMARC!

Start 15-day trial Book a demo

The Risks of Dangling DNS Records

Hidden DNS vulnerabilities like Dangling DNS can lead to domain exploitation and cyber threats. 

What is a Subdomain Takeover Attack?

When an attacker detects a dangling DNS entry that points to a deconfigured resource, he immediately jumps on the chance. The attacker takes over the (sub)domain that the dangling DNS record points to, thereby routing the entire traffic to an attacker-controlled domain with complete access to the domain’s content and resources.

Subsequent impacts of your domain/subdomain being hijacked by an attacker: 

Dangling DNS causes subdomain hijack to attacker domain

A deconfigured domain or server can become a breeding ground for malicious resources manipulated by an attacker that the domain owner has no control over. This means that the attacker can completely exercise dominance over the domain name to run an illegal service, launch phishing campaigns on unsuspecting victims and malign your organization’s good name in the market. 

Are Your DNS Records at Risk of Dangling?

The answer is Yes. The following email authentication records may be vulnerable to dangling DNS issues: 

Email authentication protocols like DMARC are configured by adding a TXT record to your DNS. Apart from configuring a policy for your domain’s emails, you can also leverage DMARC to enable a reporting mechanism to send you a wealth of information about your domains, vendors, and email sources. 

  • SPF record

Another commonly used email source verification system, SPF exists in your DNS as a TXT record containing a list of authorized sending sources for your emails. 

  • TLS-RPT

SMTP TLS reports (TLS-RPT) are an additional reporting mechanism configured along with MTA-STS to send domain owners notifications in the form of JSON reports on deliverability issues due to failures in TLS encryption between two communicating email servers. 

  • DKIM CNAME records

CNAME records create domain name aliases to point one domain to another. You can use CNAME to point a subdomain to another domain that contains all information and configurations pertaining to the subdomain. 

For example, the subdomain mail.domain.com is an alias for CNAME info.domain.com. Hence when a server looks up mail.domain.com it will be routed to info.domain.com

Your DKIM authentication system is often added to the DNS as a CNAME record

Each of these entries contains valuable information about your organizational domain, email data, IP addresses, and email sending sources. Syntax errors that you may often overlook can result in dangling records that may go undetected for long periods of time. A domain that has been discontinued by the host with a DKIM CNAME or SPF record pointing to it may also cause the same issues. 

Note: It is important to note that MX, NS, A, and AAA records are also susceptible to Dangling DNS issues. For the sake of this article, we have only covered email authentication records that have these implications, offering solutions on how to fix them. 

How to Find Dangling DNS Records?

Identifying DNS records that are pointing to unprovisioned resources in their nascent stage can help protect your brand. You can go about it in two ways: manual and automated. 

1. Manual Dangling DNS Detection

Although time-intensive, a manual audit can help uncover outdated DNS records:

  • Audit your DNS entries: Cross-check all DNS records in your DNS management system against the active resources in your environment. Look for entries pointing to non-existent services or IPs.
  • Validate DNS configurations: Use tools like nslookup or dig to query each record and verify that the corresponding resource is provisioned and active.
  • Check for orphaned services: Investigate services such as third-party hosting, cloud platforms, or CDN providers that may have been terminated without removing the associated DNS entries.

While manual methods are thorough, they are prone to human error and can become unmanageable for domains with large or complex DNS configurations.

2. Automated Dangling DNS Detection

A DNS monitoring tool can prove to be useful in such circumstances. Look at it as a roster for your domains and subdomains, i.e. one platform that assembles all the relevant data pertaining to them in an organized manner that can be easily monitored from time to time. 

PowerDMARC does just that. When you sign up for our domain monitoring tool we provide you access to a customized dashboard that assembles all your registered root domains. Our brand new feature can now automatically add system-detected subdomains for users without them even having to go for manual registration. 

Check Your Domain’s Records for Free!

If you don’t want to commit to full-time service for your domain monitoring, you can check your domain with the help of our PowerAnalyzer tool. It’s free! Once you enter your domain name and click on “Check now”, you will be able to view all your DNS record configurations along with any detected misconfigurations with tips on how to resolve them quickly.

Latest posts by Yunes Tarada (see all)
PowerDMARC Integrates with ConnectWiseTop 10 PowerDMARC Alternatives and Competitors: Detailed Feature Comparison