Dangling DNS is a critical issue that arises from vulnerabilities within the Domain Name System (DNS) – a decentralized system used to locate resources across the Internet. By translating human-readable domain names, like google.com, into machine-readable IP addresses such as 101.102.25.22, DNS ensures seamless connectivity.
Think of it as a telephone directory, linking names to numbers for easier access. However, when DNS misconfigurations occur, they can result in dangling DNS records—entries pointing to non-existent or decommissioned resources—exposing domains to significant security risks. Addressing these issues is essential for maintaining a secure online presence.
Key takeaways
- Dangling DNS records point to non-existent or inaccessible resources, making them vulnerable to exploitation.
- Common causes include DNS misconfigurations, expired cloud resources, deprecated IPs, and discontinued services.
- Dangling DNS records can lead to subdomain takeover attacks, allowing attackers to serve malicious content.
- Email authentication records like DMARC, SPF, TLS-RPT, and DKIM CNAME are especially at risk.
- Manual detection involves auditing DNS records, validating configurations, and identifying orphaned services.
- Automated tools like DNS monitoring systems simplify detection and reduce errors.
- PowerDMARC offers DNS monitoring, automated subdomain detection, and a free PowerAnalyzer tool to check for misconfigurations.
What Are Dangling DNS Records?
A dangling DNS record is a DNS entry that points to a resource that no longer exists or is inaccessible. Cybercriminals on the internet are always on the hunt for such DNS entries since they are susceptible to information leakage. Some of these entries may contain sensitive information about a domain, becoming a data goldmine for threat actors to benefit from.
Common Scenarios Leading to Dangling DNS
- DNS Misconfigurations
The Domain Name System is configured separately from the internet resource we want to interact with. DNS records added to the DNS point to these resources, helping us access them. In certain cases, a previously configured resource may get deconfigured by its host. For example, a DNS record was configured by a domain owner to point to a server’s IP. This server is now no longer in use. The DNS record now points to a resource that no longer exists and hence can be termed a “dangling DNS” entry.
- Expired or Deleted Cloud Resources
If a cloud service used by a domain owner expires or is deleted, any DNS record pointing to that service becomes a Danglish DNS record. This DNS record still remains active, and any attacker can use the resource to serve malicious content.
- Deprecated IPs
A company can migrate services to a new provider, while the previous IPs are deprecated. However, he forgets to update or remove the old DNS records. These old records are vulnerable to subdomain takeover attacks and can be exploited very easily.
- Service Decommissioning or Discontinuation
An email server, hosting account, or third-party service provider is discontinued or decommissioned, however, the DNS records like MX, A, and CNAME records are still active and configured. Attackers can exploit these active Dangling DNS records to impersonate the discontinued service.
The Risks of Dangling DNS Records
Hidden DNS vulnerabilities like Dangling DNS can lead to domain exploitation and cyber threats.
What is a Subdomain Takeover Attack?
When an attacker detects a dangling DNS entry that points to a deconfigured resource, he immediately jumps on the chance. The attacker takes over the (sub)domain that the dangling DNS record points to, thereby routing the entire traffic to an attacker-controlled domain with complete access to the domain’s content and resources.
Subsequent impacts of your domain/subdomain being hijacked by an attacker:
A deconfigured domain or server can become a breeding ground for malicious resources manipulated by an attacker that the domain owner has no control over. This means that the attacker can completely exercise dominance over the domain name to run an illegal service, launch phishing campaigns on unsuspecting victims and malign your organization’s good name in the market.
Are Your DNS Records at Risk of Dangling?
The answer is Yes. The following email authentication records may be vulnerable to dangling DNS issues:
Email authentication protocols like DMARC are configured by adding a TXT record to your DNS. Apart from configuring a policy for your domain’s emails, you can also leverage DMARC to enable a reporting mechanism to send you a wealth of information about your domains, vendors, and email sources.
- SPF record
Another commonly used email source verification system, SPF exists in your DNS as a TXT record containing a list of authorized sending sources for your emails.
- TLS-RPT
SMTP TLS reports (TLS-RPT) are an additional reporting mechanism configured along with MTA-STS to send domain owners notifications in the form of JSON reports on deliverability issues due to failures in TLS encryption between two communicating email servers.
- DKIM CNAME records
CNAME records create domain name aliases to point one domain to another. You can use CNAME to point a subdomain to another domain that contains all information and configurations pertaining to the subdomain.
For example, the subdomain mail.domain.com is an alias for CNAME info.domain.com. Hence when a server looks up mail.domain.com it will be routed to info.domain.com.
Your DKIM authentication system is often added to the DNS as a CNAME record.
Each of these entries contains valuable information about your organizational domain, email data, IP addresses, and email sending sources. Syntax errors that you may often overlook can result in dangling records that may go undetected for long periods of time. A domain that has been discontinued by the host with a DKIM CNAME or SPF record pointing to it may also cause the same issues.
Note: It is important to note that MX, NS, A, and AAA records are also susceptible to Dangling DNS issues. For the sake of this article, we have only covered email authentication records that have these implications, offering solutions on how to fix them.
How to Find Dangling DNS Records?
Identifying DNS records that are pointing to unprovisioned resources in their nascent stage can help protect your brand. You can go about it in two ways: manual and automated.
1. Manual Dangling DNS Detection
Although time-intensive, a manual audit can help uncover outdated DNS records:
- Audit your DNS entries: Cross-check all DNS records in your DNS management system against the active resources in your environment. Look for entries pointing to non-existent services or IPs.
- Validate DNS configurations: Use tools like nslookup or dig to query each record and verify that the corresponding resource is provisioned and active.
- Check for orphaned services: Investigate services such as third-party hosting, cloud platforms, or CDN providers that may have been terminated without removing the associated DNS entries.
While manual methods are thorough, they are prone to human error and can become unmanageable for domains with large or complex DNS configurations.
2. Automated Dangling DNS Detection
A DNS monitoring tool can prove to be useful in such circumstances. Look at it as a roster for your domains and subdomains, i.e. one platform that assembles all the relevant data pertaining to them in an organized manner that can be easily monitored from time to time.
PowerDMARC does just that. When you sign up for our domain monitoring tool we provide you access to a customized dashboard that assembles all your registered root domains. Our brand new feature can now automatically add system-detected subdomains for users without them even having to go for manual registration.
Check Your Domain’s Records for Free!
If you don’t want to commit to full-time service for your domain monitoring, you can check your domain with the help of our PowerAnalyzer tool. It’s free! Once you enter your domain name and click on “Check now”, you will be able to view all your DNS record configurations along with any detected misconfigurations with tips on how to resolve them quickly.
- 5 Common DNS Vulnerabilities and How to Protect Your Network - December 24, 2024
- Introducing DNS Timeline and Security Score History - December 10, 2024
- PowerDMARC One-Click Auto DNS Publishing with Entri - December 10, 2024