The Domain Name System (DNS) is a decentralized naming system used to locate resources on the Internet. Domain names like google.com are human-readable, but computers route traffic by IP address, so the DNS translates each domain name into its corresponding IP address. Unlike your domain name, your domain's IP address is a numerical value (e.g. 101.102.25.22).
Think of it as a telephone directory. In a directory, we have a list of human names with telephone numbers adjacent to them. This helps us associate the person with their respective numbers, making it easier for us to contact them. Similarly, the DNS helps translate domain names to numerical IP addresses that are difficult for humans to remember. The DNS, though a very convenient system, can often have misconfigurations that may lead to the issue we are going to talk about today: dangling DNS configurations.
Key takeaways
- Dangling DNS records point to non-existent or inaccessible resources, making them vulnerable to exploitation.
- Common causes include DNS misconfigurations, expired cloud resources, deprecated IPs, and discontinued services.
- Dangling DNS records can lead to subdomain takeover attacks, allowing attackers to serve malicious content.
- Email authentication records like DMARC, SPF, TLS-RPT, and DKIM CNAME are especially at risk.
- Manual detection involves auditing DNS records, validating configurations, and identifying orphaned services.
- Automated tools like DNS monitoring systems simplify detection and reduce errors.
- PowerDMARC offers DNS monitoring, automated subdomain detection, and a free PowerAnalyzer tool to check for misconfigurations.
What Are Dangling DNS Records?
A dangling DNS record is a DNS entry that points to a resource that no longer exists or is inaccessible. Cybercriminals on the internet are always on the hunt for such DNS entries since they are susceptible to information leakage. Some of these entries may contain sensitive information about a domain, becoming a data goldmine for threat actors to benefit from.
Common Scenarios Leading to Dangling DNS
- DNS Misconfigurations
The Domain Name System is configured separately from the internet resource we want to interact with. DNS records added to the DNS point to these resources, helping us access them. In some cases, a resource that was previously configured is later decommissioned by its host. For example, a domain owner configured a DNS record to point to a server’s IP, and that server is now no longer in use. The DNS record now points to a resource that no longer exists and can therefore be termed a “dangling DNS” entry.
- Expired or Deleted Cloud Resources
If a cloud service used by a domain owner expires or is deleted, any DNS record pointing to that service becomes a dangling DNS record. The DNS record remains active, and an attacker who claims the released resource can use it to serve malicious content under your name.
- Deprecated IPs
A company can migrate services to a new provider while the previous IPs are deprecated, but forget to update or remove the old DNS records. These stale records are vulnerable to subdomain takeover attacks and can be exploited very easily.
- Service Decommissioning or Discontinuation
An email server, hosting account, or third-party service provider is discontinued or decommissioned, but the DNS records that referenced it, such as MX, A, and CNAME records, remain active and configured. Attackers can exploit these active dangling DNS records to impersonate the discontinued service.
The Risks of Dangling DNS Records
Hidden DNS vulnerabilities like Dangling DNS can lead to domain exploitation and cyber threats.
What is a Subdomain Takeover Attack?
When an attacker detects a dangling DNS entry that points to a decommissioned resource, they can seize the opportunity. The attacker takes over the (sub)domain that the dangling DNS record points to, thereby routing all of its traffic to an attacker-controlled resource with complete control over the content served under that name.
Subsequent impacts of your domain/subdomain being hijacked by an attacker:
A decommissioned domain or server can become a breeding ground for malicious resources controlled by an attacker, over which the domain owner has no control. This means the attacker can exercise full dominance over the domain name to run an illegal service, launch phishing campaigns against unsuspecting victims, and damage your organization’s reputation.
Are Your DNS Records at Risk of Dangling?
The answer is yes. The following email authentication records may be vulnerable to dangling DNS issues:
- DMARC record
Email authentication protocols like DMARC are configured by adding a TXT record to your DNS. Apart from configuring a policy for your domain’s emails, you can also leverage DMARC to enable a reporting mechanism that sends you a wealth of information about your domains, vendors, and email sources.
- SPF record
Another commonly used email source verification system, SPF exists in your DNS as a TXT record containing a list of authorized sending sources for your emails.
- TLS-RPT
SMTP TLS reports (TLS-RPT) are an additional reporting mechanism configured along with MTA-STS to send domain owners notifications in the form of JSON reports on deliverability issues due to failures in TLS encryption between two communicating email servers.
- DKIM CNAME records
CNAME records create domain name aliases to point one domain to another. You can use CNAME to point a subdomain to another domain that contains all information and configurations pertaining to the subdomain.
For example, the subdomain mail.domain.com can be a CNAME alias for info.domain.com. Hence, when a server looks up mail.domain.com, it is redirected to info.domain.com.
Your DKIM authentication system is often added to the DNS as a CNAME record.
Each of these entries contains valuable information about your organizational domain, email data, IP addresses, and email sending sources. Syntax errors that you may often overlook can result in dangling records that may go undetected for long periods of time. A domain that has been discontinued by the host with a DKIM CNAME or SPF record pointing to it may also cause the same issues.
Note: MX, NS, A, and AAAA records are also susceptible to dangling DNS issues. For the sake of this article, we have only covered the email authentication records that have these implications, offering solutions on how to fix them.
How to Find Dangling DNS Records?
Identifying DNS records that point to unprovisioned resources early can help protect your brand. You can go about it in two ways: manual and automated.
1. Manual Dangling DNS Detection
Although time-intensive, a manual audit can help uncover outdated DNS records:
- Audit your DNS entries: Cross-check all DNS records in your DNS management system against the active resources in your environment. Look for entries pointing to non-existent services or IPs.
- Validate DNS configurations: Use tools like nslookup or dig to query each record and verify that the corresponding resource is provisioned and active.
- Check for orphaned services: Investigate services such as third-party hosting, cloud platforms, or CDN providers that may have been terminated without removing the associated DNS entries.
While manual methods are thorough, they are prone to human error and can become unmanageable for domains with large or complex DNS configurations.
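As an added example (not code from the original article), this Python script automates the three audit steps above over a zone export: it flags A/AAAA records whose addresses are not in your asset inventory, and it resolves every name that CNAME, MX and NS records, SPF include: mechanisms, and DMARC/TLS-RPT rua= reporting addresses depend on. Every name, address and FAKE_ZONE answer below is constructed for the demonstration.

```python
import ipaddress
import re
import socket

# Constructed sample export (name, type, value); not real records
SAMPLE_RECORDS = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("old-app.example.com.", "A", "203.0.113.99"),
    ("mail.example.com.", "CNAME", "info.example.com."),
    ("dkim1._domainkey.example.com.", "CNAME", "dkim1.retired-vendor.example.net."),
    ("example.com.", "MX", "10 mx.example.com."),
    ("example.com.", "TXT", "v=spf1 include:_spf.retired-vendor.example.net -all"),
    ("_dmarc.example.com.", "TXT", "v=DMARC1; p=reject; rua=mailto:reports@old-reports.example.net"),
]
INVENTORY = {ipaddress.ip_address("203.0.113.10")}  # constructed: addresses still owned
FAKE_ZONE = {"info.example.com.": ["203.0.113.10"], "mx.example.com.": ["203.0.113.20"]}

def fake_resolve(name):
    # Constructed offline resolver: None stands for NXDOMAIN
    return FAKE_ZONE.get(name.rstrip(".") + ".")

def live_resolve(name):
    # Stdlib lookup for real use; None if no address records (NXDOMAIN or TXT-only: confirm with dig)
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return None

def referenced_names(rtype, value):
    # Names a record depends on: CNAME/MX/NS targets, SPF include: targets,
    # and the mailbox domains in DMARC / TLS-RPT rua= and ruf= tags
    if rtype in ("CNAME", "MX", "NS"):
        return [value.split()[-1]]
    if rtype == "TXT" and value.startswith("v=spf1"):
        return re.findall(r"include:(\S+)", value)
    if rtype == "TXT" and value.startswith(("v=DMARC1", "v=TLSRPTv1")):
        return re.findall(r"mailto:[^@,;\s]+@([^,;\s]+)", value)
    return []

def find_dangling(records, resolve, inventory):
    # Returns (owner, type, offending target, reason) for every suspicious record
    findings = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            if ipaddress.ip_address(value) not in inventory:
                findings.append((name, rtype, value, "address not in inventory"))
            continue
        for target in referenced_names(rtype, value):
            if resolve(target) is None:
                findings.append((name, rtype, target, "target does not resolve"))
    return findings
```

On a real zone export, pass live_resolve instead of fake_resolve. A target that still resolves but sits with a provider where the underlying resource has been released is also claimable, so the NXDOMAIN check is the floor of the audit, and the orphaned-service review in step three still has to be done.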
2. Automated Dangling DNS Detection
A DNS monitoring tool can prove to be useful in such circumstances. Look at it as a roster for your domains and subdomains, i.e. one platform that assembles all the relevant data pertaining to them in an organized manner that can be easily monitored from time to time.
PowerDMARC does just that. When you sign up for our domain monitoring tool, we provide access to a customized dashboard that assembles all your registered root domains. A newer feature also adds system-detected subdomains automatically, so users no longer have to register them manually.
Check Your Domain’s Records for Free!
If you don’t want to commit to full-time service for your domain monitoring, you can check your domain with the help of our PowerAnalyzer tool. It’s free! Once you enter your domain name and click on “Check now”, you will be able to view all your DNS record configurations along with any detected misconfigurations with tips on how to resolve them quickly.