What Is Dangling DNS?
To understand dangling DNS, you have to understand the DNS basics. DNS is a protocol that translates user-friendly domain names, such as paloaltonetworks.com, which is easy to remember and recognize, to a numerical IP address. The IP addresses for each domain are stored in authoritative DNS servers, which act like the phone books of the internet. When you type a website address into a browser, the browser first connects to a recursive DNS server and asks the question, “What is the IP address for paloaltonetworks.com?” The recursive DNS server sends a query to the authoritative server for the answer.
What Is a CNAME
Common types of records stored in a DNS authoritative server are Start of Authority (SOA), IP addresses, name servers (NS), pointers for reverse DNS lookups (PTR), and canonical name records (CNAME).
A CNAME is a type of DNS database record that acts as an alias for another domain and points to a domain instead of an IP address. CNAME records are typically used to point several websites owned by the same organization to a primary website, register the same domains across different countries so that each domain points to the parent domain, and much more.
Let’s suppose your company, with the domain supercompany[.]com, launches a new service or product and creates a new subdomain name of superproduct[.]supercomany[.]com. When this subdomain is set as an alias to the parent domain, which everyone recognizes, the subdomain, superproduct[.]supercomany[.]com, will have a CNAME record that points to supercompany[.]com.
While DNS records point domain names to other domains, when a domain is abandoned, that DNS record is left dangling, where it is now called a Dangling DNS record. Because it is abandoned, this domain can be easily hijacked by threat actors and used to gain initial access into a network. Attackers often use this Dangling DNS technique for phishing and other social engineering attacks. For example, say superproduct.supercomany.com is pointed to another domain, such as superproduct.com, or an external host or IP, such as compute1234.amazonaws.com, and the company moves away from the name superproduct.com or the compute node hosting it, but they forget the CNAME superproduct.supercomany.com is still pointed to the expiring domain or external hostname/IP. This now means the main domain supercomany.com is prime for attacker’s to host their malicious site. A hacker can install an SSL certificate with superproduct.supercomany.com on it and deliver malicious content at the expense of their company's reputation.
To learn about DNS security from Palo Alto Networks, visit https://www.paloaltonetworks.com/network-security/dns-security.html. For more information on Dangling DNS, read our blog, Dangling Domains: Security Threats, Detection and Prevalence.