Dangling DNS: A Hidden Security Risk You Shouldn’t Ignore


09:09, 15.06.2026

Article Content

  • What is a Dangling DNS?
  • How Does DNS Dangling Happen?
  • Example 1:
  • Example 2:
  • What Are the Potential Risks of DNS Dangling?
  • How Can It Be Prevented?

Many online attacks can be mitigated with the help of software and tools. Dangling DNS is a little different: it stems mainly from a lack of internal processes within the organization and from human mistakes.

In this article, we will discuss processes connected with dangling DNS and some prevention mechanisms.  

What is a Dangling DNS?

Dangling DNS is a vulnerability that occurs when a DNS record points to a resource that has been removed or is no longer used. The resource, or even the domain behind it, may be gone, but the DNS entry has not been deleted or updated.

This creates a risk: an attacker can set up a resource at the unclaimed destination or even register the expired resource.

How Does DNS Dangling Happen?

Example 1:

Let’s start with the first example: a subdomain that was previously used to send emails but is no longer functioning. The service isn’t used, and you have decommissioned the node and host, but somehow forgot to delete the CNAME.

This forgotten record is now dangling DNS, because you no longer control what it points to. Hackers can use it for phishing or other attacks. Once such scammers detect the vulnerability, they give an Azure resource the same FQDN that was used earlier. From this point, the hackers can control all the traffic, because the CNAME hands resolution of the subdomain over to the third-party service.

Example 2:

Another scenario involves a subdomain that is no longer in use but was previously used to send email through a third-party company. The CNAME points to the domain of a company that no longer exists. Because that domain has expired, anyone can register it.

Hackers can easily detect this and register the domain. After that, they control the old subdomain's DNS resources, including DKIM, A, and MX records.

What Are the Potential Risks of DNS Dangling?

If a DNS record points to a domain that is no longer available, the first step is to remove it from the DNS zone. If that isn’t done, the consequences are the ones already discussed in the examples above.

Because the subdomain itself is legitimate, hackers can easily use it to host malware or other malicious content. Once a hacker gains control of the subdomain, they can arrange everything as needed and even intercept requests. When real users visit the service, the attacker’s server receives their session tokens, which can lead to unauthorized access to the users' accounts.

Subdomains used by hackers look very realistic and, in some situations, even DMARC cannot stop the abuse, because the hackers are simply using an authenticated subdomain.

Another possible threat is a hacker acquiring an IP address to intercept traffic. After a specific domain is decommissioned, the information about its IP is still available, so attackers can use this IP and log requests.

Such malicious services can escalate to the following types of attacks:

  • Man-in-the-Middle (MITM) attacks.
  • Cross-Site Scripting (XSS).
  • Cross-Site Request Forgery (CSRF).
  • CORS bypass.

How Can It Be Prevented?

There are several effective mechanisms for preventing dangling DNS. Most of the recommendations come down to improving a few fundamental processes.

  • Regular DNS audits. Regular checks make it possible to confirm that every entry point is active and under your control. Depending on the number of resources, such checks should be done at least once a quarter, or more frequently if needed.
  • Monitoring of domain expirations. This should be a constant practice to prevent major risks.
  • Decommissioning processes. When resources are decommissioned, it is highly important to delete all the associated DNS entries as soon as possible.
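
A minimal audit pass of the kind described under "Regular DNS audits", added here as an illustration (it is not code from the original article). The zone contents, the `example.*` names, the IP inventory and the function names are all constructed assumptions; the resolver is injectable so the check can run offline against a stub or against live DNS.

```python
import socket

# Constructed sample zone for example.com (all names and IPs are made up).
ZONE = """\
www      300 IN A     203.0.113.10
mail     300 IN CNAME mx1.example.com.
news     300 IN CNAME oldsender.example.net.
shop     300 IN CNAME shop-prod.cloudhost.example.
legacy   300 IN A     198.51.100.77
"""
ORIGIN = "example.com."
OWNED_IPS = {"203.0.113.10"}  # assumed asset inventory of addresses you still hold


def parse_zone(text, origin=ORIGIN):
    """Yield (fqdn, rtype, value) for A and CNAME lines of a simple zone file."""
    for line in text.splitlines():
        parts = line.split(";")[0].split()  # drop trailing comments
        if len(parts) == 5 and parts[3] in ("A", "CNAME"):
            name = parts[0] if parts[0].endswith(".") else f"{parts[0]}.{origin}"
            yield name.lower(), parts[3], parts[4].lower()


def live_resolver(name):
    """True if the name resolves right now (a network failure also reads as False)."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def audit(zone_text, resolves=live_resolver, owned_ips=OWNED_IPS, origin=ORIGIN):
    """Return {fqdn: finding} for records that are dangling or need an owner check."""
    findings = {}
    for name, rtype, value in parse_zone(zone_text, origin):
        if rtype == "A" and value not in owned_ips:
            findings[name] = f"A -> {value}: IP not in inventory"
        elif rtype == "CNAME" and not resolves(value):
            findings[name] = f"CNAME -> {value}: target does not resolve (dangling)"
        elif rtype == "CNAME" and not value.endswith("." + origin):
            findings[name] = f"CNAME -> {value}: third-party target, confirm ownership"
    return findings


if __name__ == "__main__":
    # Offline demo: a stub stands in for DNS; omit `resolves=` to query live DNS.
    stub = {"mx1.example.com.", "shop-prod.cloudhost.example."}.__contains__
    for name, why in audit(ZONE, resolves=stub).items():
        print(name, why)
```

A third-party CNAME target that still resolves is reported for manual confirmation rather than cleared, because resolution alone does not prove the resource behind it is still yours.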