
Detecting Dangling DNS Records to stop Subdomain Takeover Attacks


The Domain Name System (DNS) is a decentralized naming system used to locate resources on the Internet. Domain names like google.com are human-readable, but computers address each other numerically. To bridge the two, the DNS translates domain names into their corresponding IP addresses. Unlike your domain name, your domain's IP address is a numerical value (e.g. 101.102.25.22).

Think of it as a telephone directory. In a directory, we have a list of human names with telephone numbers adjacent to them. This helps us associate each person with their number, making it easier for us to contact them. Similarly, the DNS translates domain names into numerical IP addresses that are difficult for humans to remember. Although the DNS is a very convenient system, it can often contain misconfigurations that lead to the issue we are going to talk about today: dangling DNS configurations.

Why do DNS misconfigurations take place?

The Domain Name System is configured separately from the internet resource we want to interact with. DNS records added to the DNS point to these resources, helping us access them. In certain cases, a previously configured resource may get deconfigured by its host. For example, a domain owner configures a DNS record to point to a server's IP, and that server is later taken out of use. The DNS record now points to a resource that no longer exists and can therefore be termed a "dangling DNS" entry.

Dangling DNS Records: How are they formed?

As discussed in the previous section, when a DNS entry points to a deconfigured internet resource, it is termed dangling DNS. Cybercriminals on the internet are always on the hunt for such DNS entries since they are susceptible to information leakage. Some of these entries may contain sensitive information about a domain, becoming a data goldmine for threat actors to benefit from. 

Are my email authentication DNS records susceptible to dangling DNS issues?

The answer is yes. The following email authentication records may be vulnerable to dangling DNS issues:

1. DMARC record

Email authentication protocols like DMARC are configured by adding a TXT record to your DNS. Apart from configuring a policy for your domain’s emails, you can also leverage DMARC to enable a reporting mechanism to send you a wealth of information about your domains, vendors, and email sources.

2. SPF record

Another commonly used email source verification system, SPF exists in your DNS as a TXT record containing a list of authorized sending sources for your emails.

3. TLS-RPT

SMTP TLS reports (TLS-RPT) are an additional reporting mechanism configured along with MTA-STS. They send domain owners notifications, in the form of JSON reports, on deliverability issues caused by failures in TLS encryption between two communicating email servers.

4. DKIM CNAME records

CNAME records create domain name aliases to point one domain to another. You can use CNAME to point a subdomain to another domain that contains all information and configurations pertaining to the subdomain. 

For example, the subdomain mail.domain.com is a CNAME alias for info.domain.com. Hence, when a server looks up mail.domain.com, it is routed to info.domain.com.

Your DKIM authentication system is often added to the DNS as a CNAME record. 

Each of these entries contains valuable information about your organizational domain, email data, IP addresses, and email sending sources. Syntax errors that you may often overlook can result in dangling records that may go undetected for long periods of time. A domain that has been discontinued by the host with a DKIM CNAME or SPF record pointing to it may also cause the same issues. 

Note: MX, NS, A, and AAAA records are also susceptible to dangling DNS issues. For the sake of this article, we have only covered email authentication records that have these implications, offering solutions for how to fix them.
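An added example (not PowerDMARC's code or tooling): a minimal audit of the four record types listed above that extracts every external name a record depends on and flags the ones that no longer exist. The zone data, the `LIVE` set and the `exists` callback are constructed stand-ins for an exported zone file and real DNS lookups; only `mailto:` report addresses are parsed.

```python
import re

# Constructed sample zone (not real data): owner name -> list of (type, value).
ZONE = {
    "example.test": [("TXT", "v=spf1 include:_spf.mailer.test include:spf.oldvendor.test -all")],
    "_dmarc.example.test": [("TXT", "v=DMARC1; p=reject; rua=mailto:agg@reports.example.test")],
    "_smtp._tls.example.test": [("TXT", "v=TLSRPTv1; rua=mailto:tls@retired-reports.test")],
    "s1._domainkey.example.test": [("CNAME", "s1.dkim.oldvendor.test.")],
}
# Constructed stand-in for DNS: the set of names that still resolve.
LIVE = {"_spf.mailer.test", "reports.example.test"}

def referenced_names(rtype, value):
    """Return the DNS names that a single record depends on."""
    if rtype == "CNAME":
        return [value.rstrip(".").lower()]
    names = []
    lowered = value.lower()
    if lowered.startswith("v=spf1"):
        # SPF: include: and redirect= hand evaluation to another domain.
        names += re.findall(r"(?:include:|redirect=)([^\s]+)", value, re.I)
    elif lowered.startswith(("v=dmarc1", "v=tlsrptv1")):
        # DMARC / TLS-RPT: domain part of each mailto: report address.
        names += re.findall(r"mailto:[^@\s,;!]+@([^\s,;!]+)", value, re.I)
    return [n.rstrip(".").lower() for n in names]

def find_dangling(zone, exists):
    """List (owner, type, target) for every target that exists() rejects."""
    findings = []
    for owner, records in sorted(zone.items()):
        for rtype, value in records:
            for target in referenced_names(rtype, value):
                if not exists(target):
                    findings.append((owner, rtype, target))
    return findings

if __name__ == "__main__":
    for owner, rtype, target in find_dangling(ZONE, LIVE.__contains__):
        print(f"DANGLING {owner} {rtype} -> {target}")
```

In practice `exists` would be a function that performs a real lookup and returns False when the name does not resolve.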

What is a Subdomain Takeover Attack?

When an attacker detects a dangling DNS entry that points to a deconfigured resource, they immediately jump on the chance. The attacker takes over the (sub)domain that the dangling DNS record points to, thereby routing all of its traffic to an attacker-controlled domain with complete access to the domain's content and resources.

Subsequent impacts of your domain/subdomain being hijacked by an attacker:

A deconfigured domain or server can become a breeding ground for malicious resources manipulated by an attacker that the domain owner has no control over. This means that the attacker can completely exercise dominance over the domain name to run an illegal service, launch phishing campaigns on unsuspecting victims and malign your organization’s good name in the market. 

Detecting your misconfigured DNS records 

Identifying DNS records that are pointing to unprovisioned resources in their nascent stage can help protect your brand. A DNS monitoring tool can prove to be useful in such circumstances. Look at it as a roster for your domains and subdomains, i.e. one platform that assembles all the relevant data pertaining to them in an organized manner that can be easily monitored from time to time. 

PowerDMARC does just that. When you sign up for our domain monitoring tool we provide you access to a customized dashboard that assembles all your registered root domains. Our brand new feature can now automatically add system-detected subdomains for users without them even having to go for manual registration. 

Check your domain’s records for free!

If you don’t want to commit to full-time service for your domain monitoring, you can do a quick domain analysis with the help of our PowerAnalyzer tool. It’s free! Once you enter your domain name and click on “Check now”, you will be able to view all your DNS record configurations along with any detected misconfigurations with tips on how to resolve them quickly.

Syuzanna Papazyan
Syuzanna works as a Visual Designer at PowerDMARC.
She is an artistic person with innovative ideas and designs.
March 4, 2022/by Syuzanna Papazyan
Tags: dangling dns, dangling dns records, dns records, domain takeover, subdomain takeover