Glossary

Dangling DNS Record




A dangling DNS record is any DNS entry that points to a resource that is no longer available or in use. Examples of commonly affected DNS record types are A (IP address), name server (NS), and canonical name (CNAME) records.

Dangling DNS records can surface when records are not updated after a server migration, service decommissioning, or domain name expiration or transfer. Regardless of the cause, these records become part of an organization’s digital footprint.

Dangling DNS Record: A Deep Dive

What Are Some Examples of a Dangling DNS Record?

While there are several types of DNS records, we will focus on only three of them in this post—A, NS, and CNAME records. 

Dangling A Record

Consider a scenario where a website hosted on a server with the domain name example[.]com and the IP address 93[.]184[.]215[.]14 was moved to another hosting provider, but the A record was not updated.

Users trying to access example[.]com will experience downtime. Their devices will query the DNS for the IP address, but the stale A record will point them to the old server (93[.]184[.]215[.]14), which likely is no longer reachable on the Internet.

Dangling NS Record

A dangling NS record emerges in the following scenario: A company sets up its website with a domain registrar and configures two NSs (e.g., ns1[.]example[.]com and ns2[.]example[.]com). These NSs are hosted by a DNS provider company.

After a few years, the company decides to switch to a new DNS provider, consequently updating its domain registrar settings with the new NSs provided by the new DNS company (e.g., newns1[.]example[.]com and newns2[.]example[.]com).

However, they forget to remove the old NS records from their domain registrar, allowing it to list both sets of NSs, thus making the old ones dangling.

Dangling CNAME Record

A dangling CNAME record surfaces when an alias or a CNAME in the DNS points to a nonexistent domain or subdomain. For example, a company sets up a CNAME record pointing from sample[.]com to example[.]com. That means queries for sample[.]com resolve to whatever example[.]com resolves to, so users accessing sample[.]com end up at example[.]com.

Later on, the company decides not to renew example[.]com, but fails to update the CNAME record. An attacker can register example[.]com and potentially take control of sample[.]com. 

What Are the Dangers of a Dangling DNS Record?

Here are some of the specific attacks that threat actors may launch by taking advantage of dangling DNS records.

Dangling Domain Hijacking

This refers to an attack where the threat actors exploit expired or abandoned domain names. The attackers then take control of the domain and direct users to malicious or phishing websites.

There have also been cases where domain owners accidentally failed to renew their registrations, allowing other entities to swoop in and take over their domains.

Subdomain Takeover

A subdomain takeover occurs when an attacker gains control of a subdomain to host phishing sites, distribute malware, or damage the reputation of the root domain’s owner. It is among the most dangerous types of DNS attacks since it can affect many users and may be difficult to detect (given that the subdomain may appear legitimate).

Subdomain takeover usually starts with a forgotten subdomain, which creates a dangling DNS record. Here’s a common scenario.

  1. DNS record creation: Company Z sets up a CNAME record in their DNS for their customer support portal by pointing help[.]companyz[.]com to companyz[.]servicedesk[.]com.
  2. Discontinued service: Company Z discontinues its use of the Service Desk and instead switches to its new, in-house support system. Company Z now has a new subdomain for their support portal, support[.]companyz[.]com.
  3. Incomplete decommissioning: Company Z cancels their Service Desk subscription, deactivating their previous portal. However, they forget to remove the CNAME record that points help[.]companyz[.]com to companyz[.]servicedesk[.]com.
  4. Dangling DNS record: The subdomain help[.]companyz[.]com is now dangling. It points to a now nonexistent Service Desk portal.
  5. Subdomain takeover: When attackers discover the dangling DNS record, they create an account with Service Desk and request the subdomain companyz[.]servicedesk[.]com. Traffic to help[.]companyz[.]com is routed to the attacker-controlled companyz[.]servicedesk[.]com.

Malware Distribution

Attackers can host malware on a server a dangling record points to. Remember Company Z’s dangling DNS record for help[.]companyz[.]com? The attackers now control it.

They can host malware on companyz[.]servicedesk[.]com so users trying to access Company Z’s old support site are unknowingly redirected to download malware disguised as legitimate software or tricked into clicking a malicious link.

Are Dangling DNS Records Only a Concern for Large Organizations?

No. The dangers posed by dangling DNS records do not affect only large organizations. While large organizations may have more complex DNS configurations and thus a higher number of potential dangling records, the risk remains significant for small and medium-sized businesses (SMBs) and even individuals with personal websites or projects.

How Do You Prevent Dangling DNS Records?

Dangling DNS records expand an organization’s attack surface as they can serve as potential attack vectors for malicious actors. To help avoid their occurrence, organizations can employ these measures.

  • Automate domain discovery and subdomain enumeration: Tools like external attack surface management (EASM) platforms can automatically create a comprehensive inventory of all your domains and subdomains. That reduces the risk of overlooking records that may become dangling.
  • Review and update DNS records regularly: Schedule periodic reviews of DNS records to identify outdated records or those associated with inactive services.
  • Create and implement a service decommissioning process: This process may explicitly address DNS record handling, with steps to remove or update relevant records before or immediately after a service is decommissioned.
  • Monitor DNS health for errors or warnings: Scan assets regularly to detect any security misconfiguration or issue in domains, subdomains, mail servers, and NSs.
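The periodic review described above can be scripted. The following is an added example (not code from the original post or from Attaxion) that audits a zone export for the three dangling-record patterns the post describes: a CNAME whose target no longer resolves (the help[.]companyz[.]com scenario), an A record pointing at an IP outside the current asset inventory, and an NS record naming a name server the current DNS provider does not operate. The zone contents, IP inventory and the stand-in resolver are constructed for the example; `live_resolve` is the hook you would pass in for a real run.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set, Tuple

@dataclass(frozen=True)
class DnsRecord:
    name: str
    rtype: str   # "A", "NS" or "CNAME"
    value: str

# Constructed sample zone for Company Z, mirroring the scenarios in the article.
SAMPLE_ZONE = [
    DnsRecord("help.companyz.com", "CNAME", "companyz.servicedesk.com"),  # cancelled Service Desk portal
    DnsRecord("support.companyz.com", "A", "203.0.113.10"),              # current in-house portal
    DnsRecord("www.companyz.com", "A", "198.51.100.20"),                 # old hosting provider, never updated
    DnsRecord("companyz.com", "NS", "ns1.example.com"),                  # old DNS provider, never removed
    DnsRecord("companyz.com", "NS", "newns1.example.com"),               # current DNS provider
]

# Constructed stand-in for live resolution so the example runs offline.
FAKE_RESOLVABLE = {"newns1.example.com": "203.0.113.53"}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_RESOLVABLE.get(name)

def live_resolve(name: str) -> Optional[str]:
    """Resolve with the system resolver; None means NXDOMAIN or no usable answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def find_dangling(records: Iterable[DnsRecord], resolve: Callable[[str], Optional[str]],
                  owned_ips: Set[str], current_ns: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (record name, value, reason) for every record that looks dangling."""
    findings = []
    for r in records:
        if r.rtype == "CNAME" and resolve(r.value) is None:
            # Unresolvable CNAME target: the precondition for subdomain takeover. A target that
            # still resolves but serves the provider's "unclaimed" page needs a separate HTTP check.
            findings.append((r.name, r.value, "CNAME target does not resolve"))
        elif r.rtype == "A" and r.value not in owned_ips:
            findings.append((r.name, r.value, "A record points to an IP outside the current inventory"))
        elif r.rtype == "NS" and r.value.rstrip(".") not in current_ns:
            findings.append((r.name, r.value, "NS not operated by the current DNS provider"))
    return findings

def audit_sample_zone() -> List[Tuple[str, str, str]]:
    return find_dangling(SAMPLE_ZONE, fake_resolve, owned_ips={"203.0.113.10"},
                         current_ns={"newns1.example.com", "newns2.example.com"})

if __name__ == "__main__":
    for name, value, reason in audit_sample_zone():
        print(f"{name} -> {value}: {reason}")
```

Each finding is a record to remove or update as part of the decommissioning process, not proof of compromise; confirm against the asset inventory before deleting.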

Key Takeaways

  • A dangling DNS record emerges when any record type points to a nonexistent or outdated resource.
  • Dangling DNS records can cause security vulnerabilities if the outdated resource gets compromised.
  • Dangling DNS records can lead to domain hijacking, subdomain takeover, and malware distribution.
  • Automating domain discovery and subdomain enumeration can help avoid dangling DNS records.

Ready to detect potential instances of dangling DNS records? Kick off your 30-day free trial with Attaxion today.
