What Is Dangling DNS?


To understand dangling DNS, you first have to understand the DNS basics. DNS is the protocol and naming system that translates user-friendly domain names, such as paloaltonetworks.com, which are easy to remember and recognize, into numerical IP addresses. The records for each domain are stored in that domain's authoritative DNS servers, which act like the phone books of the internet. When you type a website address into a browser, the browser (through the operating system's stub resolver) first asks a recursive resolver, “What is the IP address for paloaltonetworks.com?” The recursive resolver then queries the authoritative servers for the answer and caches it.

What Is a CNAME

Common types of records stored in an authoritative DNS server are Start of Authority (SOA), address records (A for IPv4 and AAAA for IPv6), name servers (NS), mail exchangers (MX), pointers for reverse DNS lookups (PTR), and canonical name records (CNAME).

A CNAME is a DNS record that acts as an alias: it points a name at another hostname (the canonical name) rather than at an IP address, and a resolver follows the alias and returns the records found at the canonical name. CNAME records are typically used to point several hostnames owned by the same organization at a primary website, to point the hosts of country-specific domains at the parent site, to delegate a hostname to a SaaS or cloud provider, and much more. Two rules matter for what follows: a name that holds a CNAME may hold no other records, and a CNAME cannot sit at the zone apex, which is why aliases are almost always subdomains.

Let’s suppose your company, with the domain supercompany[.]com, launches a new service or product and creates a new hostname, superproduct[.]supercompany[.]com. When this subdomain is set as an alias for the parent domain, which everyone recognizes, superproduct[.]supercompany[.]com will have a CNAME record that points to supercompany[.]com.

Dangling DNS

A DNS record is left dangling when the name it points to, or the resource behind that name, is given up while the record itself stays in the zone. Typical causes are an expired domain, a cancelled SaaS tenant, or a deleted cloud resource (virtual machine, storage bucket, load balancer) whose CNAME or A record nobody remembered to remove. Because the target is no longer under the domain owner's control, a threat actor who registers the expired domain or re-claims the released resource name or address at the provider effectively takes over the subdomain. Attackers often use such names for phishing and other social engineering, because the URL carries the victim organization's trusted domain, and, since browsers treat the hijacked host as part of that domain, they can also harvest cookies scoped to the parent domain.

For example, say superproduct[.]supercompany[.]com is a CNAME to another domain, superproduct[.]com, or to an external host such as compute1234[.]amazonaws[.]com. The company later drops the superproduct[.]com name, or tears down the compute node hosting it, but forgets that the CNAME still points at the expiring domain or the released hostname. An attacker who registers superproduct[.]com or obtains the released hostname now controls what superproduct[.]supercompany[.]com resolves to. Because the name resolves to a server they operate, they can satisfy a domain-validated certificate authority's challenge, obtain a valid TLS certificate for superproduct[.]supercompany[.]com, and serve malicious content over HTTPS at the expense of the company's reputation. Note that it is the subdomain that is taken over, not the main supercompany[.]com domain; the owner of the parent zone can end the takeover at any time simply by deleting the dangling record.

To learn about DNS security from Palo Alto Networks, visit https://www.paloaltonetworks.com/network-security/advanced-dns-security. For more information on Dangling DNS, read our blog, Dangling Domains: Security Threats, Detection and Prevalence.

Dangling DNS FAQs

Dangling DNS records pose a significant security risk because they point to domains or services that are no longer valid or no longer under the domain owner's control. Attackers can exploit these records by registering the expired domain or re-claiming the released cloud resource, gaining control over the subdomain, and using it to intercept traffic, steal sensitive data, conduct phishing attacks, or distribute malware. This can result in unauthorized access to systems, data breaches, or impersonation of legitimate services.

A subdomain takeover occurs when an attacker gains control over a subdomain that is still present in DNS but points to a resource no longer under the domain owner’s control. Dangling DNS records, especially CNAME and MX records, are the usual cause. For example, suppose a CNAME record points to an external service that has been decommissioned. An attacker can then register that external domain or re-claim the resource name and hijack the subdomain, enabling them to host malicious content or intercept communications intended for the legitimate domain.

Organizations can protect themselves by regularly auditing their DNS records and removing any that are no longer needed or that point to decommissioned resources; the safest order is to delete the DNS record before releasing the resource it points to. They should also implement email authentication, SPF, DKIM and DMARC (Domain-based Message Authentication, Reporting, and Conformance), which limits what an attacker who controls a dangling name can do in phishing or spoofing attacks. Additionally, where the DNS provider offers alias records that are bound to a managed resource and removed together with it, using them instead of free-standing CNAMEs prevents dangling references from arising in the first place.
Dangling DNS vulnerabilities can be exploited in various ways. MX records that point to expired domains let attackers receive email intended for the organization or use the domain for phishing campaigns, while unused CNAME records let them take over subdomains and host malicious content. Organizations with many domains and subdomains should pay particularly close attention to these records to prevent unauthorized use.
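The audit described in the answers above, for both CNAME and MX records, can be automated over a zone export. The following script is an added example, not Palo Alto Networks' code: it parses a constructed zone for the article's hypothetical supercompany.com (plain dots, since a real zone file is not defanged), follows in-zone CNAME chains, and asks a pluggable resolver about any target outside the zone. The `fake_resolve` callback and the `KNOWN_EXTERNAL` set are constructed test data so the script runs offline; `live_resolve` is the real lookup you would pass in production.

```python
import socket
from dataclasses import dataclass

# Constructed zone export for the hypothetical supercompany.com.
# superproduct.com and expired-relay.example stand in for names that lapsed.
ZONE = """\
supercompany.com.               3600 IN A     203.0.113.10
mail.supercompany.com.          3600 IN A     203.0.113.25
www.supercompany.com.           3600 IN CNAME supercompany.com.
old.supercompany.com.           3600 IN CNAME www.supercompany.com.
superproduct.supercompany.com.  3600 IN CNAME superproduct.com.
shop.supercompany.com.          3600 IN CNAME compute1234.amazonaws.com.
supercompany.com.               3600 IN MX    10 mail.supercompany.com.
supercompany.com.               3600 IN MX    20 mx.expired-relay.example.
"""

# Constructed stand-in for a live resolver: only these external names "exist".
KNOWN_EXTERNAL = {"compute1234.amazonaws.com"}


def fake_resolve(name):
    return name in KNOWN_EXTERNAL


def live_resolve(name):
    """Production resolver: True if the name currently has an address.
    A name that exists but has no A/AAAA (NODATA) is also reported as
    unresolvable, which is the conservative choice for a takeover audit."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str  # hostname for CNAME/MX, raw rdata for everything else


def parse_zone(text):
    """Parse 'name ttl class type rdata...' lines; comments and blanks skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        name, _ttl, _cls, rtype, *rdata = line.split()
        target = rdata[1] if rtype.upper() == "MX" else rdata[0]  # MX: "pref host"
        records.append(Record(name.rstrip(".").lower(), rtype.upper(),
                              target.rstrip(".").lower()))
    return records


def _name_resolves(name, by_name, apex, resolve, seen):
    if name in seen:            # CNAME loop: treat as broken
        return False
    seen.add(name)
    if name == apex or name.endswith("." + apex):
        rrs = by_name.get(name)
        if not rrs:
            return False        # under our own apex but no records: NXDOMAIN
        cname = next((r for r in rrs if r.rtype == "CNAME"), None)
        if cname:
            return _name_resolves(cname.target, by_name, apex, resolve, seen)
        return True             # real records live at this name
    return resolve(name)        # outside our zone: ask the resolver


def find_dangling(records, apex, resolve=fake_resolve):
    """Return (name, type, target) for every CNAME/MX whose target is gone."""
    by_name = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    findings = []
    for r in records:
        if r.rtype in ("CNAME", "MX") and not _name_resolves(
                r.target, by_name, apex, resolve, set()):
            findings.append((r.name, r.rtype, r.target))
    return findings


def audit(zone_text=ZONE, apex="supercompany.com", resolve=fake_resolve):
    return find_dangling(parse_zone(zone_text), apex, resolve)


if __name__ == "__main__":
    for name, rtype, target in audit():
        print(f"DANGLING {rtype} {name} -> {target}")
```

Against the constructed zone the audit flags exactly two records: the CNAME from superproduct.supercompany.com to the lapsed superproduct.com, and the secondary MX pointing at mx.expired-relay.example. A finding is a candidate, not proof of takeover: the next step is to check whether the target is a registrable domain or a provider resource name that anyone can claim, and to delete the record in either case.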
Dangling DNS records are a concern for organizations of all sizes, from startups to large enterprises. Large organizations have more extensive DNS infrastructures and therefore a higher chance of overlooked records, but even small companies can be targeted if their DNS records are not adequately managed. Regular monitoring and maintenance of DNS entries is critical to reducing this risk, regardless of the organization's size.