Detecting Dangling DNS Records to stop Subdomain Takeover Attacks
The Domain Name System (DNS) is a decentralized naming system used to locate resources on the Internet. Domain names like google.com are human-readable, but computers route traffic by IP address, so the DNS translates a domain name into its corresponding IP address. Unlike your domain name, your domain's IP address is a numerical value (e.g. 184.108.40.206).
Think of it as a telephone directory. A directory lists human names with telephone numbers next to them, so we can associate a person with their number and contact them easily. Similarly, the DNS translates domain names into numerical IP addresses that are hard for humans to remember. Convenient as it is, the DNS is frequently misconfigured, and one such misconfiguration is the subject of this article: dangling DNS records.
Why do DNS misconfigurations take place?
The Domain Name System is configured separately from the internet resource we want to reach. DNS records point to these resources and let us access them. A resource that was once configured may later be deconfigured by its host while the record remains. For example, a domain owner adds a DNS record pointing to a server's IP, and that server is later taken out of service. The record now points to a resource that no longer exists and is therefore termed a "dangling DNS" entry.
Dangling DNS Records: How are they formed?
As discussed in the previous section, a DNS entry that points to a deconfigured internet resource is termed dangling DNS. Cybercriminals are always on the hunt for such entries because they are prone to information leakage: some of them expose sensitive information about a domain, making them a data goldmine for threat actors.
Are my email authentication DNS records susceptible to dangling DNS issues?
The answer is Yes. The following email authentication records may be vulnerable to dangling DNS issues:
1. DMARC record
Email authentication protocols like DMARC are configured by adding a TXT record to your DNS. Apart from configuring a policy for your domain’s emails, you can also leverage DMARC to enable a reporting mechanism to send you a wealth of information about your domains, vendors, and email sources.
2. SPF record
Another commonly used email source verification system, SPF exists in your DNS as a TXT record containing a list of authorized sending sources for your emails.
3. TLS-RPT record
SMTP TLS reports (TLS-RPT) are an additional reporting mechanism configured alongside MTA-STS. They send domain owners JSON reports on deliverability issues caused by TLS encryption failures between two communicating email servers.
4. DKIM CNAME records
CNAME records create domain name aliases to point one domain to another. You can use CNAME to point a subdomain to another domain that contains all information and configurations pertaining to the subdomain.
For example, the subdomain mail.domain.com can be a CNAME alias for info.domain.com. When a server looks up mail.domain.com, it is directed to info.domain.com.
Your DKIM authentication system is often added to the DNS as a CNAME record.
Each of these entries contains valuable information about your organizational domain, email data, IP addresses, and email sending sources. Syntax errors that are easy to overlook can produce dangling records that go undetected for long periods. A domain that the host has discontinued, with a DKIM CNAME or SPF record still pointing to it, causes the same problem.
Note: MX, NS, A, and AAAA records are also susceptible to dangling DNS issues. For the sake of this article, we have only covered email authentication records that have these implications, along with how to fix them.
What is a Subdomain Takeover Attack?
When an attacker discovers a dangling DNS entry pointing to a deconfigured resource, they seize the opportunity. The attacker takes over the (sub)domain that the dangling record points to, routing all of its traffic to an attacker-controlled destination with complete control over the content served under your name.
Subsequent impacts of your domain/subdomain being hijacked by an attacker:
A deconfigured domain or server can become a breeding ground for malicious resources controlled by an attacker that the domain owner has no say over. The attacker can then exercise full control over the domain name to run an illegal service, launch phishing campaigns against unsuspecting victims, and damage your organization's reputation.
Detecting your misconfigured DNS records
Identifying DNS records that are pointing to unprovisioned resources in their nascent stage can help protect your brand. A DNS monitoring tool can prove to be useful in such circumstances. Look at it as a roster for your domains and subdomains, i.e. one platform that assembles all the relevant data pertaining to them in an organized manner that can be easily monitored from time to time.
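The check a monitoring tool performs is simple in principle: walk each record, extract the external name it depends on, and flag any name that no longer resolves. The following added example (not PowerDMARC's code) implements that logic for the record types discussed above, over a constructed sample zone with a stand-in resolver so it runs offline; in production, `fake_resolves` would be replaced by a real lookup that treats NXDOMAIN as "does not resolve".

```python
import re
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str]         # (record type, rdata)
Finding = Tuple[str, str, str]   # (owner name, record type, unresolvable target)

# Constructed sample zone (not real data): SPF, DMARC, TLS-RPT and two DKIM CNAMEs.
SAMPLE_ZONE: Dict[str, Record] = {
    "example.com": ("TXT", "v=spf1 include:spf.mailvendor.example -all"),
    "_dmarc.example.com": ("TXT", "v=DMARC1; p=reject; rua=mailto:agg@reports.example.net"),
    "_smtp._tls.example.com": ("TXT", "v=TLSRPTv1; rua=mailto:tls@reports.example.net"),
    "sel1._domainkey.example.com": ("CNAME", "sel1.dkim.mailvendor.example"),
    "sel2._domainkey.example.com": ("CNAME", "sel2.dkim.old-vendor.example"),
}
# Constructed stand-in for a live resolver: the only names that still resolve.
LIVE_NAMES = {"spf.mailvendor.example", "sel1.dkim.mailvendor.example"}

def fake_resolves(name: str) -> bool:
    """Assumed resolver: True if the name exists (a real one would query DNS)."""
    return name.lower().rstrip(".") in LIVE_NAMES

def external_targets(rtype: str, rdata: str) -> List[str]:
    """Names a record depends on: the CNAME target, SPF include/redirect domains,
    and the mail domains that DMARC and TLS-RPT reports are delivered to."""
    if rtype == "CNAME":
        return [rdata]
    if rtype == "TXT" and rdata.lower().startswith("v=spf1"):
        return re.findall(r"(?:include:|redirect=)(\S+)", rdata, re.I)
    if rtype == "TXT" and re.match(r"v=(DMARC1|TLSRPTv1)", rdata, re.I):
        return re.findall(r"mailto:[^@,;\s]+@([^,;!\s]+)", rdata, re.I)
    return []

def find_dangling(zone: Dict[str, Record],
                  resolves: Callable[[str], bool]) -> List[Finding]:
    """Report every record whose external target no longer resolves."""
    findings: List[Finding] = []
    for owner, (rtype, rdata) in zone.items():
        for target in external_targets(rtype, rdata):
            if not resolves(target):
                findings.append((owner, rtype, target))
    return findings

if __name__ == "__main__":
    # Flags sel2's DKIM CNAME and the reporting domain used by DMARC and TLS-RPT.
    for owner, rtype, target in find_dangling(SAMPLE_ZONE, fake_resolves):
        print(f"DANGLING {rtype} {owner} -> {target}")
```

A flagged reporting domain matters as much as a flagged CNAME: DMARC and TLS-RPT reports mailed to a domain nobody controls are exactly the information leak described above.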
PowerDMARC does just that. When you sign up for our domain monitoring tool we provide you access to a customized dashboard that assembles all your registered root domains. Our brand new feature can now automatically add system-detected subdomains for users without them even having to go for manual registration.
Check your domain’s records for free!
If you don’t want to commit to a full-time domain monitoring service, you can run a quick domain analysis with our PowerAnalyzer tool. It’s free! Enter your domain name and click “Check now” to view all your DNS record configurations along with any detected misconfigurations and tips on how to resolve them quickly.