Dangling domains have become more of a threat recently according to a report by researchers Daiping Liu and Ruian Duan from Palo Alto. They used a comprehensive tool that allows them to detect these dangling domains and have found that there are around 317,000 of them in total. A dangling domain can happen for multiple reasons, one of these include a DNS record pointing to a non-existent resource. If a CNAME points to a certain instance, and that instance is deleted but the CNAME record is not, it leaves the CNAME record “dangling”. This can easily be exploited by a knowledgeable threat actor and then used to carry out malicious activity on a previously used domain. The Palo Alto report breaks down the dangling domain types and those include 63.1% being expired rdata, 36.9% from GitHub and 0.1% from WordPress.
Analyst Notes
Microsoft’s Article provides some extremely useful remediation tactics. Those tactics can be found listed below:
1. From your DNS zone, remove all CNAME records that point to FQDNs of resources no longer provisioned.
2. To enable traffic to be routed to resources in your control, provision additional resources with the FQDNs specified in the CNAME records of the dangling subdomains.
3. Review your application code for references to specific subdomains and update any incorrect or outdated subdomain references.
4. Investigate whether any compromise has occurred and take action per your organization’s incident response procedures.
Note: If your application logic is such that secrets such as OAuth credentials were sent to the dangling subdomain, or privacy-sensitive information was sent to the dangling subdomains, that data might have been exposed to third parties.
5. Understand why the CNAME record was not removed from your DNS zone when the resource was deprovisioned and take steps to ensure that DNS records are updated appropriately when Azure resources are deprovisioned in the future.
https://unit42.paloaltonetworks.com/dangling-domains/
https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
https://dl.acm.org/doi/pdf/10.1145/2976749.2978387
