DNS Dangling attacks exploit vulnerabilities caused by poor domain management, such as lack of DNS hygiene or neglected domains.
What DNS Dangling is
DNS Dangling attacks exploit DNS records that still point to external resources which have been deleted or are no longer controlled by the original owner.
This can happen when a domain or subdomain is configured to point to a cloud service (such as AWS, Azure, GitHub Pages, etc.), but the associated resource has been deleted or has expired.
It typically involves corporate subdomains that point, usually through a CNAME record, at a hostname belonging to the service provider, so that users see the company's own name rather than the provider's URL.
How it works
- A website administrator creates a subdomain (e.g., sub.example.com) and points it, usually with a CNAME record, at a hostname on an external service.
- The resource on the external service is deleted or expires, but the DNS record still points to it.
- An attacker notices that the name is free again on that service and registers a new resource under the same name (the same bucket, app or site name), so the provider hostname starts answering again.
- Since the DNS record remains active, the attacker now controls what sub.example.com serves and can host malicious content, perform phishing, or redirect traffic.
DNS Dangling examples
Example 1: AWS S3 Bucket takeover
A company keeps internal images and documents in an AWS S3 bucket and publishes it as archivos.empresa.com, a CNAME that points at the bucket's S3 endpoint (empresa-bucket.s3.amazonaws.com).
After some time, the company decides to free up resources it no longer uses, including the file repository, but does not delete the CNAME DNS record that points to it.
A cybercriminal detects that the bucket no longer exists and creates a new bucket with the same name, which AWS again serves at empresa-bucket.s3.amazonaws.com, because bucket names are global and become available to anyone as soon as they are released. (In practice S3 selects the bucket from the Host header, so to answer requests for archivos.empresa.com the attacker creates a bucket carrying that exact hostname; either way, the dangling CNAME is what makes the takeover possible.)
Now, all traffic directed to archivos.empresa.com is controlled by the attacker, who can host malicious content or carry out phishing attacks. Thus, employees, clients, or suppliers who receive emails impersonating the company’s identity with links to malicious files hosted in the bucket will click on them without suspicion, since the URL archivos.empresa.com is legitimate.
Example 2: Orphan Subdomain in Azure
A bank uses a hosting service in Microsoft Azure for a promotional campaign for its financial product aimed at startups (startups.banco.com).
The subdomain startups.banco.com is configured to point to a resource in Azure (banco.azurewebsites.net).
Once the campaign ends, the bank decides to delete the Azure resource, but forgets to remove the CNAME record pointing to banco.azurewebsites.net.
A cybercriminal detects that the Azure resource no longer exists and creates a new App Service with the same name, so banco.azurewebsites.net resolves once again, this time to infrastructure the attacker controls.
They can now control the subdomain startups.banco.com and upload a cloned page to steal customer credentials, or send phishing emails from the domain startups.banco.com that redirect recipients to a fake website. Providers that require a domain-verification TXT record tied to the new owner's account before a custom hostname can be bound (Azure App Service's asuid record, for example) block this last step; wherever the CNAME alone is enough, the takeover goes through.
Phishing emails disguised as legitimate messages
If the orphaned subdomain still carries the DNS records that authorized the provider to send mail on its behalf (an SPF record whose include: names the provider's mail servers, or a DKIM public key the provider generated), cybercriminals will be able to send fraudulent emails that pass those checks and are treated as legitimate.
This happens because SPF and DKIM are evaluated for the domain that actually appears as the sender (startups.banco.com), and the attacker now controls a resource at the very provider those records authorize. Both the envelope sender and the visible From: address are startups.banco.com, so the result is aligned, and the DMARC policy inherited from banco.com sees a pass and instructs receiving mail servers to deliver the message.
This significantly increases the credibility of those fraudulent emails in the eyes of users, and therefore, the success rate of the phishing campaign.
The consequences of a successful takeover therefore include:
- More convincing phishing campaigns.
- Malware distribution campaigns using legitimate links.
- Unauthorized access to sensitive data.
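The mail-authentication problem above (and the "outdated SPF records" item in the audit checklist further down) comes down to one question: which domains does a sender policy still trust, and do they all still exist? The following is an added example, written for this article rather than taken from it or from any vendor, that walks an SPF record's include: and redirect= chain and flags references whose target has disappeared (NXDOMAIN, so anyone can register it and publish "v=spf1 +all") or no longer publishes SPF. It also counts DNS-querying mechanisms against the RFC 7208 limit of ten and reports the terminal qualifier. The domain names and TXT records are constructed sample data; DNS is injected as a callable so the block runs offline.

```python
"""SPF include/redirect chain audit (added example, not the article's tooling).

lookup_txt(name) must return the list of TXT strings for name, or None when
the name does not exist. The sample below is constructed for the example.
"""

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query (RFC 7208 4.6.4)


def spf_record(domain, lookup_txt):
    """Return the domain's single v=spf1 TXT record, or None if absent (or NXDOMAIN)."""
    spf = [t for t in (lookup_txt(domain) or []) if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None  # two or more records is itself a permerror


def audit_spf(domain, lookup_txt, _seen=None):
    """Evaluate the SPF policy of `domain` and everything it references.

    Returns {"lookups": n, "dangling": [(referrer, term, why), ...], "all": q}
    where q is the effective terminal qualifier ('-all', '~all', '?all', '+all')
    or None when no 'all' term is reached (which evaluates as neutral).
    """
    seen = _seen if _seen is not None else set()
    res = {"lookups": 0, "dangling": [], "all": None}
    if domain in seen:                      # include loop: already evaluated
        return res
    seen.add(domain)
    record = spf_record(domain, lookup_txt)
    if record is None:
        return res
    redirect = None
    for term in record.split()[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            res["all"] = (t[0] if t[0] in "+-~?" else "+") + "all"
            break                           # terms after 'all' are never evaluated
        if t.startswith("redirect="):
            redirect = t[len("redirect="):]
            continue
        mech, _, arg = t.lstrip("+-~?").partition(":")
        if mech not in LOOKUP_MECHS:
            continue                        # ip4:/ip6:/exp= cost no DNS query
        res["lookups"] += 1
        if mech == "include":
            _follow(domain, term, arg, lookup_txt, seen, res)
    if redirect and res["all"] is None:     # redirect= is ignored when 'all' is present
        res["lookups"] += 1
        res["all"] = _follow(domain, "redirect=" + redirect, redirect, lookup_txt, seen, res)
    return res


def _follow(referrer, term, target, lookup_txt, seen, res):
    """Recurse into an include:/redirect= target, recording it if it dangles.

    Returns the target's effective 'all' qualifier (used by redirect=)."""
    if spf_record(target, lookup_txt) is None:
        why = "NXDOMAIN" if lookup_txt(target) is None else "no SPF record"
        res["dangling"].append((referrer, term, why))
        return None
    sub = audit_spf(target, lookup_txt, seen)
    res["lookups"] += sub["lookups"]
    res["dangling"] += sub["dangling"]
    return sub["all"]


def spf_problems(domain, lookup_txt):
    """Turn an audit into findings a DNS-hygiene review should act on."""
    if spf_record(domain, lookup_txt) is None:
        return [f"{domain}: no SPF record published"]
    res = audit_spf(domain, lookup_txt)
    out = [f"{ref}: {term} is dangling ({why})" for ref, term, why in res["dangling"]]
    if res["lookups"] > 10:
        out.append(f"{domain}: {res['lookups']} DNS lookups exceed the RFC 7208 limit of 10")
    if res["all"] in (None, "+all", "?all"):
        out.append(f"{domain}: terminal qualifier {res['all']} does not reject unlisted senders")
    return out


# Constructed TXT data modelling the article's bank. A missing key models
# NXDOMAIN; a list without a v=spf1 entry models a live name whose SPF was removed.
SAMPLE_TXT = {
    "banco.com": ["v=spf1 include:_spf.mailvendor.example include:spf.old-agency.example -all"],
    "_spf.mailvendor.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "legacy.banco.com": ["v=spf1 redirect=banco.com"],
    "startups.banco.com": ["v=spf1 include:mail.campaign-platform.example ~all"],
    "mail.campaign-platform.example": ["some-verification-token=abc"],  # SPF TXT gone
}
# spf.old-agency.example is absent on purpose: the agency let the domain expire.


def sample_lookup_txt(name):
    """Offline stand-in for a TXT query against the constructed data."""
    return SAMPLE_TXT.get(name)


if __name__ == "__main__":
    for d in ("banco.com", "startups.banco.com", "legacy.banco.com"):
        print(d, spf_problems(d, sample_lookup_txt))
```

For a live audit, replace sample_lookup_txt with a function that queries TXT records (dnspython's resolver, for instance) and returns None on NXDOMAIN. An orphaned subdomain that still publishes any SPF or DKIM record at all deserves a finding of its own: once its CNAME target is gone, those records authorize nobody but the next owner of the provider resource.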
How to prevent DNS Dangling attack
These types of attacks exploit vulnerabilities caused by poor domain portfolio management. Therefore, we recommend a series of best practices aimed at improving this management:
- Conduct regular audits to detect:
  - DNS records pointing to services that no longer exist.
  - Expired domains and DNS entries.
  - Unnecessary CNAMEs, or CNAMEs pointing to deleted resources.
  - Outdated SPF records, including include: entries that reference domains which have expired or no longer publish SPF.
- Centralize the registration and management of domains and subdomains, so that you know exactly what is registered, under which contact details, and when each renewal falls due.
- Maintain equally thorough control of domain and DNS expiration dates.
- Establish a service decommissioning protocol that treats the DNS record as part of the service: remove or repoint the record before the cloud resource is deleted, and verify afterwards that nothing still resolves to it.
- Implement monitoring that alerts when a CNAME target stops resolving, when a domain or DNS zone approaches expiry, or when a referenced provider resource disappears.
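The four-step takeover described under "How it works" and the first audit item above are two views of the same check: follow each CNAME in your zone and ask whether anyone still owns its target. The block below is an added example written for this article (it is not tooling from the article or from any provider). It flags a name when its CNAME target no longer resolves, or when the target still resolves to a provider's shared front end and that front end answers our hostname with its "resource does not exist" page. The fingerprint table, the zone names, the addresses and the HTTP bodies are constructed assumptions for the example; DNS and HTTP are injected as callables so the block runs offline.

```python
"""Dangling-CNAME audit: added example, not the article's or any provider's tooling.

For every name in a zone export, follow its CNAME and decide whether the
target is a third-party endpoint nobody currently owns. Two signals are used:
the target no longer resolves at all (NXDOMAIN), or it still resolves to the
provider's shared front end and that front end answers our hostname with its
"resource does not exist" page. For a real scan, pass wrappers around a DNS
resolver and an HTTP client that sends the zone name as the Host header.
"""
from dataclasses import dataclass

# Suffix of the CNAME target -> text the provider returns for an unclaimed name.
# None means the provider drops the hostname from DNS instead, so NXDOMAIN on
# the target is the signal. Treat these as assumptions to re-verify: providers
# change their error pages, and a stale fingerprint means silent false negatives.
FINGERPRINTS = {
    "s3.amazonaws.com": "NoSuchBucket",
    "github.io": "There isn't a GitHub Pages site here",
    "azurewebsites.net": None,
}


@dataclass
class Finding:
    name: str      # the name in our zone
    target: str    # where its CNAME points
    reason: str


def provider_for(target):
    """Return the FINGERPRINTS key that owns a CNAME target, or None."""
    for suffix in FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def check_name(name, resolve_cname, resolve_a, fetch_body):
    """Classify one zone name; return a Finding when its CNAME looks dangling."""
    target = resolve_cname(name)
    if target is None:
        return None                        # A/AAAA record, not a CNAME
    provider = provider_for(target)
    if provider is None:
        return None                        # no fingerprint: queue for manual review
    if not resolve_a(target):
        return Finding(name, target, "CNAME target returns NXDOMAIN")
    marker = FINGERPRINTS[provider]
    if marker is not None and marker in fetch_body(name):
        return Finding(name, target, f"provider answered with {marker!r}")
    return None


def audit_zone(names, resolve_cname, resolve_a, fetch_body):
    """Run check_name over every zone name and return the dangling ones."""
    hits = (check_name(n, resolve_cname, resolve_a, fetch_body) for n in names)
    return [f for f in hits if f is not None]


# Constructed sample data modelling the article's two scenarios plus two
# healthy names. Hostnames, addresses and bodies are invented for the example.
SAMPLE_CNAMES = {
    "archivos.empresa.com": "empresa-bucket.s3.amazonaws.com",  # bucket deleted
    "startups.banco.com": "banco.azurewebsites.net",            # app deleted
    "docs.empresa.com": "empresa.github.io",                    # still live
    "mail.empresa.com": "mailhost.hosting.example",             # unknown provider
}
SAMPLE_A = {  # names that still resolve; banco.azurewebsites.net is gone
    "empresa-bucket.s3.amazonaws.com": ["203.0.113.5"],  # S3 wildcard keeps answering
    "empresa.github.io": ["203.0.113.6"],
    "mailhost.hosting.example": ["203.0.113.7"],
}
SAMPLE_BODIES = {  # HTTP body returned when the zone name is sent as Host
    "archivos.empresa.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs.empresa.com": "<html>Internal documentation</html>",
}


def audit_sample():
    """Run the audit over the constructed zone."""
    return audit_zone(
        SAMPLE_CNAMES,
        resolve_cname=SAMPLE_CNAMES.get,
        resolve_a=lambda host: SAMPLE_A.get(host, []),
        fetch_body=lambda host: SAMPLE_BODIES.get(host, ""),
    )


if __name__ == "__main__":
    for f in audit_sample():
        print(f"DANGLING {f.name} -> {f.target}: {f.reason}")
```

Run it against a real zone by exporting the zone's names and replacing the three callables. The one design point worth keeping is that the HTTP probe must send your zone name as the Host header: providers such as S3 select the backing resource from that header, so fetching the CNAME target directly would test the wrong thing. Names that point at a provider without a fingerprint are not cleared; they are the manual-review queue.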
Recommended reading: Sitting Duck attacks
While DNS Dangling attacks target subdomains whose DNS records are active but point at resources that are gone, another common technique works at the level of the domain itself: an active domain whose nameserver delegation points at a DNS provider where the zone has lapsed or was never configured, allowing an attacker to claim the zone at that provider and answer for the whole domain. These attacks are known as Sitting Ducks, and we cover them in this article.
In these cases, it’s clear that monitoring the expiration of DNS records for active domains is just as important!