What Is Dangling DNS?
To understand dangling DNS, you have to understand the DNS basics. DNS is a protocol that translates user-friendly domain names, such as paloaltonetworks.com, which is easy to remember and recognize, to a numerical IP address. The IP addresses for each domain are stored in authoritative DNS servers, which act like the phone books of the internet. When you type a website address into a browser, the browser first connects to a recursive DNS server and asks the question, “What is the IP address for paloaltonetworks.com?” The recursive DNS server sends a query to the authoritative server for the answer.
What Is a CNAME
Common types of records stored in a DNS authoritative server are Start of Authority (SOA), IP addresses, name servers (NS), pointers for reverse DNS lookups (PTR), and canonical name records (CNAME). A CNAME acts as an alias from one domain to another.
Let’s suppose your company, with domain supercompany[.]com, launches a new service or product. Supercompany creates the subdomain superproduct[.]supercomany[.]com but decides to point the existing domain, which everyone recognizes, to the new subdomain. In this case, supercompany.com becomes the canonical name (CNAME) for superproduct.supercomany.com.
An issue with CNAMEs can arise when Supercomany decides to move away from superproduct and launch wonderproduct instead. This will eliminate the need for the subdomain superproduct.supercomany.com. However, the company neglects to remove the CNAME entry from their authoritative DNS server, leaving it dangling.
An attacker who sees the expired domain can register it with a third party. The attacker now controls superproduct.supercomany.com, can see any traffic that is still going to it, and use it in any way that suits them, including redirecting the traffic to their own site for malicious activity.
To learn about DNS security from Palo Alto Networks, visit https://www.paloaltonetworks.com/network-security/dns-security.html.