Glossary

Dangling DNS Record

A dangling DNS record is any DNS entry that points to a resource that is no longer available, no longer in use, or no longer under the organization’s control. The record types most often affected are A (IPv4 address), NS (name server), and CNAME (canonical name, i.e. an alias) records, although AAAA and MX records can dangle in exactly the same way.

Dangling DNS records surface when records are not updated after a server migration, a service decommissioning, or a domain name expiration or transfer. Regardless of the cause, they remain part of the organization’s public DNS footprint, and anyone who enumerates that footprint can find them.


Dangling DNS Record: A Deep Dive

What Are Some Examples of a Dangling DNS Record?

While there are many DNS record types, this post focuses on three of them: A, NS, and CNAME records.

Dangling A Record

Consider a website at example[.]com hosted on a server with the IP address 93[.]184[.]215[.]14. The site is moved to another hosting provider, but the A record is not updated.

Users trying to reach example[.]com experience downtime: their resolvers still return the stale address 93[.]184[.]215[.]14, which no longer serves the site. The security problem comes later. Hosting and cloud providers recycle addresses, so the old IP can be assigned to a new tenant, and from then on that tenant receives every request sent to the organization’s name, including any session cookies the browser attaches.

Dangling NS Record

A dangling NS record emerges in the following scenario. A company registers its domain and delegates it to two name servers hosted by a DNS provider (e.g., ns1[.]example[.]com and ns2[.]example[.]com).

After a few years, the company moves to a new DNS provider and adds the new provider’s name servers (e.g., newns1[.]example[.]com and newns2[.]example[.]com) to its registrar settings.

However, it forgets to remove the old NS records, so the delegation lists both sets of name servers and the old ones are now dangling. Resolvers pick from every listed name server, so a share of queries still goes to the old hosts: at best those queries fail or are retried against the other servers, and if the old hostnames ever pass into someone else’s hands, that party answers a share of the zone’s queries with whatever records it likes.

Dangling CNAME Record

A dangling CNAME record surfaces when an alias points to a hostname that no longer exists. For example, a company creates a CNAME record aliasing www[.]sample[.]com to example[.]com. A CNAME is not a redirect: resolvers looking up www[.]sample[.]com follow the alias and return example[.]com’s addresses, so whatever is served at example[.]com appears under the company’s own name. (The alias sits on a subdomain because a CNAME is not permitted at a zone apex such as sample[.]com itself.)

Later, the company lets example[.]com expire but leaves the CNAME in place. An attacker who registers example[.]com now controls what is served for www[.]sample[.]com, can obtain a TLS certificate for that name through ordinary domain validation (the validation request follows the same alias), and receives any cookies scoped to sample[.]com.

What Are the Dangers of a Dangling DNS Record?

Here are some of the specific attacks that threat actors may launch by taking advantage of dangling DNS records.

  • Dangling domain hijacking: Threat actors register a domain name that has expired or been abandoned while other records (CNAME, NS, MX) still reference it, then use the trusted name to serve phishing pages or to intercept web traffic and mail.
  • Subdomain takeover: When an outdated CNAME points a subdomain to a domain that no longer exists, an attacker registers that domain and thereby controls the subdomain. The same happens when the target is a decommissioned hosted service (a storage bucket, hosting platform, or CDN endpoint) whose resource name anyone can claim: the attacker recreates the resource under the same name, and the organization’s subdomain starts serving the attacker’s content.
  • Malware distribution: Attackers can host malware on a server that a dangling record resolves to. Users who visit the intended website or subdomain are served the attacker’s content and may unknowingly download malware disguised as legitimate software or be tricked into clicking a malicious link.

How Do You Prevent Dangling DNS Records?

Dangling DNS records expand an organization’s attack surface as they can serve as potential attack vectors for malicious actors. To help avoid their occurrence, organizations can employ these measures.

  • Automate domain discovery and subdomain enumeration: Tools like external attack surface management (EASM) platforms can automatically build a comprehensive inventory of all your domains and subdomains. That reduces the risk of overlooking records that may become dangling.
  • Review and update DNS records regularly: Schedule periodic reviews of DNS records. In each review, resolve every CNAME and NS target, confirm that every A and AAAA address is still allocated to you, and remove or repoint anything associated with an inactive service.
  • Create and implement a service decommissioning process: This process should explicitly address DNS record handling, with steps to remove or update the relevant records before, or immediately after, a service is decommissioned.
  • Monitor DNS health for errors or warnings: Scan assets regularly to detect security misconfigurations or issues in domains, subdomains, mail servers, and name servers.
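The review described above, applied to the three scenarios from the examples section, as an added example (this is not Attaxion’s code): a small Python script that walks a zone export and flags dangling A, NS, and CNAME records. It resolves names through a `lookup` callback so it runs offline against a constructed DNS table. The zone, the FAKE_DNS answers, the owned address range, and the approved name server list are all assumptions made for the example. To run it against live DNS, supply a callback that wraps a real resolver such as dnspython’s `dns.resolver.resolve` and raises `NXDomain` when the resolver reports that the name does not exist.

```python
"""Flag dangling A, NS and CNAME records in a zone export.

Added example, not Attaxion's code. Resolution goes through a `lookup`
callback so the check runs offline against the constructed FAKE_DNS
table below; in production pass a callback around a live resolver.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str  # "A", "NS" or "CNAME"
    value: str


class NXDomain(Exception):
    """Raised by a lookup callback when the queried name does not exist."""


# Constructed zone export for sample.com, mirroring the three scenarios above.
ZONE = [
    Record("sample.com", "A", "93.184.215.14"),             # old hosting address
    Record("app.sample.com", "A", "198.51.100.20"),         # current hosting address
    Record("sample.com", "NS", "ns1.olddns.example"),       # previous DNS provider
    Record("sample.com", "NS", "ns1.newdns.example"),       # current DNS provider
    Record("www.sample.com", "CNAME", "example.com"),       # target domain expired
    Record("blog.sample.com", "CNAME", "pages.newdns.example"),
]

# Constructed view of what public DNS currently answers (name -> addresses).
FAKE_DNS = {
    "app.sample.com": ["198.51.100.20"],
    "ns1.newdns.example": ["203.0.113.53"],
    "pages.newdns.example": ["203.0.113.80"],
}

# Assumed: address space the organisation currently controls, and the
# name server hostnames its current DNS provider assigned.
OWNED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
APPROVED_NS = {"ns1.newdns.example"}


def fake_lookup(name):
    """Stand-in resolver: returns a list of addresses or raises NXDomain."""
    try:
        return FAKE_DNS[name.rstrip(".").lower()]
    except KeyError:
        raise NXDomain(name) from None


def exists(name, lookup):
    """True if `lookup` returns an answer for `name`, False on NXDOMAIN."""
    try:
        lookup(name)
        return True
    except NXDomain:
        return False


def find_dangling(zone, lookup, owned_networks, approved_ns):
    """Return (record, reason) pairs for records that no longer point at
    something the organisation controls. Each record yields at most one reason."""
    findings = []
    for rec in zone:
        if rec.rtype == "A":
            # Stale A records are not an NXDOMAIN problem: the address still exists,
            # it just is not ours any more, so compare against our own allocation.
            addr = ipaddress.ip_address(rec.value)
            if not any(addr in net for net in owned_networks):
                findings.append((rec, "address outside current allocation; "
                                      "may be reassigned to another tenant"))
        elif rec.rtype == "NS":
            if not exists(rec.value, lookup):
                findings.append((rec, "name server hostname does not resolve; "
                                      "whoever claims it answers a share of queries"))
            elif rec.value not in approved_ns:
                findings.append((rec, "name server not assigned by the current provider"))
        elif rec.rtype == "CNAME":
            if not exists(rec.value, lookup):
                findings.append((rec, "alias target does not exist; "
                                      "subdomain takeover candidate"))
    return findings


if __name__ == "__main__":
    for rec, why in find_dangling(ZONE, fake_lookup, OWNED_NETWORKS, APPROVED_NS):
        print(f"{rec.name} {rec.rtype} {rec.value}: {why}")
```

NXDOMAIN is only one signal. A CNAME whose target still resolves, but to a hosted service that now returns a “no such site” page, is the more common takeover case, and catching it needs an HTTP check on top of the DNS one. A stale A record needs a comparison against your current provider inventory rather than a DNS query at all, which is why the ownership data is passed in explicitly instead of being inferred from resolution.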

Key Takeaways

  • A dangling DNS record emerges when any record type points to a resource that no longer exists or is no longer under the organization’s control.
  • Dangling DNS records become security vulnerabilities when the resource they point to falls into someone else’s hands.
  • Dangling DNS records can lead to domain hijacking, subdomain takeover, and malware distribution.
  • Automating domain discovery and subdomain enumeration helps find dangling DNS records before attackers do.

Ready to detect potential instances of dangling DNS records? Kick off your 30-day free trial with Attaxion today.
