Dangling DNS Record

How attackers find and exploit it

• Enumerate the target's full DNS footprint using passive sources (certificate transparency logs, passive DNS databases, search-engine scraping) and active brute-force of subdomain wordlists to build a candidate list of records.
• Resolve each record and flag candidates whose CNAME targets a known third-party service fingerprint, whose A/AAAA record points to an IP that returns no service or a default cloud landing page, or whose NS/MX target domain is unregistered.
• Query the suspected target service directly: request the cloud FQDN or hit the IP on common ports to confirm it returns a 'NoSuchBucket', '404 Not Found', 'There isn't a GitHub Pages site here', or provider-specific 'unclaimed' response indicating the resource is free to claim.
• Re-claim the released resource by registering the same bucket or app name with the cloud provider, allocating the freed elastic IP, re-registering the expired delegated domain, or onboarding the unclaimed SaaS endpoint to the attacker's own account.
• Serve attacker-controlled content from the now-hijacked subdomain, obtain a domain-validated TLS certificate for it via an ACME challenge to lend it legitimacy, and use it for cookie theft, phishing, malware delivery, or interception of email and API traffic that still resolves to the dangling name.

How to detect it on your surface

• Export the complete set of resource records from every authoritative and secondary zone you operate, including records held at registrars and third-party managed-DNS providers, so the inventory is not limited to your primary zone file.
• For each A/AAAA record, cross-check the target IP against your current cloud inventory and IPAM to confirm the address is still allocated to and controlled by your organization.
• For each CNAME record, identify the target service and verify the corresponding resource (bucket, app, distribution, page, SaaS tenant) still exists and is owned by you, treating common cloud and SaaS suffixes as high priority.
• For NS and MX records, confirm every delegated nameserver domain and mail-exchange domain is registered, unexpired, and under your control, since a lapsed delegation target is as exploitable as a freed IP.
• Reconcile the DNS inventory against your decommissioning and change-management tickets to surface records whose backing resource was deleted but whose entry was never removed.

Detection signals

• A CNAME or HTTP request to the target returns a provider 'unclaimed resource' fingerprint such as 'NoSuchBucket' (S3), 'There isn't a GitHub Pages site here.', Heroku's 'No such app', or Azure's default 'Web App - Unavailable' page.
• An A/AAAA record resolves to an IP that no longer answers on expected ports, returns connection refused, or now serves an unrelated default cloud splash page indicating the IP was recycled to another tenant.
• An NS or MX record delegates to a domain whose WHOIS shows it is unregistered or expired, or whose nameservers return SERVFAIL/REFUSED for the delegated zone.
• DNS resolution succeeds (NOERROR with a valid answer) while the underlying service health check, TLS handshake, or application monitor for that hostname has been failing, indicating a live pointer to dead or foreign infrastructure.

Validate before you report

• Resolve the record end to end and capture the live answer chain (A/AAAA, CNAME target, delegated NS, or MX host) as timestamped evidence rather than relying on the cached zone file.
• Probe the resolved target on its expected protocol and record the exact response body, status code, and any provider claim-state fingerprint that proves the resource is released and re-registrable.
• Confirm reclaimability without hijacking production: check whether the cloud FQDN or bucket name is available to register, or whether the delegated domain shows as available at the registrar, to distinguish a truly orphaned target from one merely behind a firewall.
• Determine the blast radius by checking whether cookies, CSP allowlists, OAuth redirect URIs, or email routing for the parent domain extend to the dangling name, since this separates a low-impact orphan from a high-impact takeover path.
• Document the responsible owner and the decommissioning gap by correlating the record against asset and change records, so the validated finding ships with the context needed to remediate and to prevent recurrence.

What looks like this but isn't

• An internal-only or split-horizon record that resolves to an RFC 1918 private IP or an intentionally non-public target is not exploitable from the internet; confirm the record is actually externally resolvable before flagging it.
• A record pointing to a temporarily stopped or scaled-to-zero resource you still own (for example a paused App Service or a stopped instance retaining its reserved IP) looks dead but is not reclaimable by an attacker; verify ownership and reservation state, and treat alias records that auto-empty on deletion as self-healing.

Remediation

• Immediately remove the dangling record from the authoritative zone, or repoint it to a current resource you own, prioritizing NS and MX records and any subdomain that shares cookies or trust with the parent domain.
• If the target may already be hijacked, treat it as an incident: revoke and rotate any secrets, OAuth tokens, or session cookies that could have been exposed to the subdomain, and review logs for traffic sent to the orphaned name.
• Where the provider supports it, bind the record's lifecycle to the resource using alias-style records that automatically empty when the backing resource is deleted, and enable domain-ownership verification (for example a TXT verification record) so no other tenant can claim the name.
• Fix the process that left the record behind by adding 'remove or repoint DNS record' as a mandatory, gated step in every decommissioning runbook before the underlying resource is torn down.
• Reverse the teardown order going forward: serve maintenance content or repoint the name, update or delete the DNS record, wait for TTL/propagation, and only then deprovision the cloud resource, as recommended by the OWASP prevention guidance.
• Re-scan the full external surface after cleanup to confirm the record is gone and that no sibling records share the same root cause.

Operational checklist

• Maintain a service catalog mapping every public DNS record to its backing resource and a named owner, refreshed continuously rather than at audit time only.
• Run automated dangling-record detection across all zones and registrars on a recurring schedule, covering A/AAAA, CNAME, NS, and MX records.
• Apply deletion locks or change controls to any resource that has a custom DNS name so the pointer must be removed before the resource can be destroyed.
• Prefer lifecycle-coupled alias records and enforce per-service ownership verification (claim tokens, verification TXT records) wherever the platform offers them.
• Keep DNS record TTLs deliberately short for resources that change frequently so cleanup propagates quickly, and review CT logs for unexpected certificates issued against your subdomains.
• Gate every decommissioning ticket on a DNS-cleanup sign-off and reconcile completed teardowns against the live zone weekly.

Weakness references (CWE)

• CWE-459 — Incomplete Cleanup
• CWE-672 — Operation on a Resource after Expiration or Release