Dangling DNS is a growing security issue that affects organizations of all sizes, regardless of industry. It refers to DNS records that remain active in an organization’s DNS zone even after the resource they point to has been deleted, decommissioned, or transferred away. While this may appear to be a minor administrative oversight, it can create a direct and exploitable security gap for attackers.

This blog post explains what Dangling DNS is, how it occurs, why it has become more common, and what organizations can do to detect and prevent it.

Overview of Dangling DNS

DNS records map domain names to the resources that serve them, such as servers, cloud storage, or third-party applications. A dangling DNS record is one that still resolves but no longer points to a resource controlled by the organization that owns the domain.

This typically occurs with CNAME records, but A, AAAA, NS, and MX records can also become dangling. If the resource a record points to is deleted and the corresponding DNS entry is not removed, the subdomain remains active without an owner. On many cloud platforms, the underlying resource name can then be claimed by a different account, including one controlled by an attacker.

How do Dangling DNS Records Occur?

Dangling DNS records are rarely created intentionally. They are typically the result of incomplete decommissioning processes. Common causes include:

  • Removal of cloud resources, such as storage buckets, app services, or content delivery endpoints, without removing the associated DNS records.
  • Changes to third-party service providers, such as help desk platforms or marketing tools, without updating or removing the corresponding CNAME records.
  • Subdomains created for temporary projects, campaigns, or testing environments that are never cleaned up after the project ends.
  • Organizational changes, including mergers, acquisitions, and rebranding efforts, often leave behind subdomains that are no longer tracked.
  • A lack of centralized ownership over DNS records, particularly in organizations where multiple teams can independently create subdomains.

Why Is This Issue Becoming More Significant?

The increased use of cloud infrastructure and third-party services has significantly expanded the number of DNS records that organizations manage. Cloud resources are created and removed rapidly, while DNS management often struggles to keep pace.

Several recent reports illustrate the scale of the issue:

Report 1: 

An investigation conducted between late 2024 and early 2025 identified approximately 150 deleted Amazon S3 buckets, previously used by major corporations and government agencies, that existing DNS records still referenced. Over the course of the investigation, these buckets received more than 8 million requests from systems attempting to retrieve resources such as container images and configuration files.

Report 2:

In 2023, a security research firm demonstrated the prevalence of this issue by taking control of subdomains belonging to government agencies, universities, media organizations, and financial institutions across multiple countries. It is estimated that more than 1,000 organizations had similarly exposed subdomains.

Report 3:

A 2020 report identified more than 670 Microsoft subdomains that were vulnerable to takeover due to DNS records pointing to unclaimed cloud resources. These findings indicate that dangling DNS records are present across organizations of varying sizes and sectors. They also suggest that the issue is often identified through external research rather than internal reviews.

Security Risks Associated with Dangling DNS

A claimed dangling DNS record can enable subdomain takeover and lead to several security risks, including:

  • Cookie and Session Exposure: 

Many applications scope cookies to the parent domain (e.g., example.com) so that authentication tokens are shared across subdomains. If an attacker takes over a subdomain, the browser will send these cookies to the attacker's server as well, allowing session hijacking or impersonation of logged-in users. The hijacked subdomain can also be loaded as an iframe within the legitimate site, as same-domain framing is often trusted by default. This allows attackers to steal cookies, display fake login forms, or send requests using the victim’s active session.

  • Bypass of Security Controls:

Many organizations configure security settings like CSP, CORS, and OAuth to automatically trust all subdomains under their main domain. This makes management easier because new subdomains don’t need to be added manually. A forgotten subdomain taken over through a dangling DNS issue may still be treated as trusted. Attackers can exploit this trust to run malicious scripts, steal tokens, or access sensitive areas.

  • Issuance of Valid TLS Certificates:

Most certificate authorities issue SSL/TLS certificates after verifying that the requester controls the domain or subdomain. Because an attacker who has taken over a dangling subdomain controls what it serves, they can pass this validation and obtain a valid certificate for it. As a result, the malicious site appears secure, displays the padlock icon in the browser, and shows no security warnings. This makes it more convincing to users and harder for security tools to identify as malicious.

  • Malware or Malicious Update Distribution: 

Organizations often use subdomains to host software downloads, updates, configuration files, and other resources that are automatically accessed by systems, applications, or devices. If an attacker takes over an unused subdomain through a dangling DNS issue, trusted systems may unknowingly download malicious files from it. This can allow attackers to spread malware, harmful updates, or altered configurations to internal systems, business partners, or end users, creating a serious supply chain security risk.
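The over-broad subdomain trust described in the cookie-scoping and security-control bullets above can be checked on an organization's own applications. The following Python script is an added example, not code from the original post; it audits a constructed set of response headers for parent-domain cookies, wildcard-subdomain CSP sources, and CORS that reflects an unregistered subdomain origin, and shows a hardened header set beside the weak one. The domain example.com and the probe origin are assumed sample values.

```python
import re

# Assumed sample values: the parent domain and a probe origin that is NOT a registered subdomain.
PARENT = "example.com"
PROBE_ORIGIN = "https://unregistered-probe." + PARENT


def audit_headers(headers, probe_origin=PROBE_ORIGIN, parent=PARENT):
    """Flag response headers that extend trust to every subdomain of `parent`;
    a subdomain hijacked through dangling DNS inherits that trust.
    `headers` maps name -> value; Set-Cookie may be a list of values."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    # 1. A Domain=parent cookie is sent to every subdomain, hijacked ones included.
    cookies = h.get("set-cookie", [])
    for c in [cookies] if isinstance(cookies, str) else cookies:
        m = re.search(r";\s*domain=\.?([^;\s]+)", c, re.IGNORECASE)
        if m and m.group(1).lower() == parent:
            findings.append(f"cookie {c.split('=', 1)[0]} scoped to {parent}, shared with all subdomains")

    # 2. A CSP source of *.parent lets any subdomain serve scripts or resources.
    csp = h.get("content-security-policy", "")
    if re.search(r"\*\." + re.escape(parent) + r"(?=[\s;]|$)", csp):
        findings.append(f"CSP allows *.{parent} as a source")

    # 3. CORS that echoes an unregistered subdomain origin with credentials trusts every subdomain.
    acao = h.get("access-control-allow-origin", "")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    probe_host = probe_origin.split("://", 1)[-1]
    if acao == probe_origin and creds and probe_host.endswith("." + parent):
        findings.append(f"CORS reflects arbitrary *.{parent} origin with credentials")
    return findings


# Constructed sample: the weak configuration the bullets above describe.
WEAK = {
    "Set-Cookie": ["session=abc123; Domain=.example.com; Secure; HttpOnly"],
    "Content-Security-Policy": "default-src 'self'; script-src 'self' *.example.com",
    "Access-Control-Allow-Origin": PROBE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
}

# Constructed sample: hardened form (host-only cookie, explicit hosts, allowlisted origin).
HARDENED = {
    "Set-Cookie": ["session=abc123; Secure; HttpOnly; SameSite=Lax"],
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example.com",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Credentials": "true",
}
```

Running audit_headers(WEAK) returns three findings; audit_headers(HARDENED) returns none.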

Prevention Measures for Dangling DNS Attacks

  • Regularly Audit DNS Records

Organizations should periodically review all DNS records to identify subdomains that point to services, cloud resources, or third-party platforms that are no longer active. Removing outdated or unnecessary records reduces the attack surface and prevents attackers from claiming abandoned resources associated with those subdomains.

  • Monitor for Dangling Subdomains

Implement continuous monitoring to detect subdomains that resolve to non-existent or unclaimed services. Automated tools can help security teams quickly identify dangling DNS entries and take corrective action before they become an entry point for attackers.

  • Maintain an Accurate Asset Inventory

Keeping a comprehensive inventory of all domains, subdomains, applications, and third-party services helps organizations track ownership and usage. A well-maintained asset inventory makes it easier to identify forgotten or unused subdomains that could otherwise be overlooked and become vulnerable to takeover.
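The audit and monitoring measures above come down to one recurring check: for each CNAME record, does its target still resolve, and does the service behind it still recognize the resource? The Python script below is an added example (not the post's or any vendor's tool) that runs that check over a constructed zone fragment with stubbed DNS and HTTP results; the zone, hostnames and error phrases are all assumed sample values, and the two default callables are where a real resolver and HTTP client would plug in.

```python
import re

# Constructed zone fragment for the domain we own (assumed sample: example.com).
ORIGIN = "example.com"
ZONE = """
www      IN CNAME  prod-site.cloudhost.example.
static   IN CNAME  old-assets.objectstore.example.
support  IN CNAME  acme.helpdesk.example.
api      IN A      198.51.100.10
"""

# Constructed lookup results standing in for live DNS and HTTP queries.
RESOLVABLE = {"prod-site.cloudhost.example", "acme.helpdesk.example"}
BODIES = {
    "prod-site.cloudhost.example": "<html>Welcome to our site</html>",
    "acme.helpdesk.example": "Help desk not found. This resource is no longer available.",
}

# Illustrative phrases providers return for an unclaimed resource (the signs listed in FAQ 7).
UNCLAIMED_SIGNS = ("resource not found", "no longer available", "service unavailable", "nosuchbucket")


def parse_cnames(zone_text, origin):
    """Yield (fqdn, target) for each CNAME line of a BIND-style zone fragment."""
    for line in zone_text.splitlines():
        m = re.match(r"^(\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(\S+)$", line.strip())
        if m:
            name, target = m.groups()
            yield f"{name}.{origin}", target.rstrip(".")


def classify(target, resolves, fetch):
    """DANGLING if the target no longer resolves, SUSPECT if it resolves but the
    service reports the resource as unclaimed, otherwise OK."""
    if not resolves(target):
        return "DANGLING"
    if any(sign in fetch(target).lower() for sign in UNCLAIMED_SIGNS):
        return "SUSPECT"
    return "OK"


def audit_zone(zone_text=ZONE, origin=ORIGIN,
               resolves=lambda t: t in RESOLVABLE, fetch=lambda t: BODIES.get(t, "")):
    """Map each CNAME'd subdomain to its status. Replace the two defaults with a
    real resolver and HTTP client to run this against a live zone."""
    return {fqdn: classify(target, resolves, fetch)
            for fqdn, target in parse_cnames(zone_text, origin)}


if __name__ == "__main__":
    for fqdn, status in audit_zone().items():
        print(f"{status:8} {fqdn}")
```

With the constructed data, www is OK, static is DANGLING (its target no longer resolves) and support is SUSPECT (the vendor still answers, but reports the account as gone).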

Conclusion

Dangling DNS is often overlooked, but it can create significant security risks for organizations. Attackers can hijack abandoned subdomains to launch phishing attacks, distribute malware, steal data, or exploit trust relationships. As cloud and third-party service usage grows, so does the risk of dangling DNS records. Organizations should maintain proper DNS hygiene, regularly audit assets, monitor for abandoned subdomains, and conduct periodic security assessments. These measures can significantly reduce the risk of subdomain takeover and strengthen overall security posture. A proactive approach to DNS management is essential to preventing attackers from exploiting these often-forgotten assets.

FAQs

  1. Why are dangling DNS records a security risk?

     Dangling DNS records can allow attackers to hijack trusted subdomains and use them for phishing campaigns, malware distribution, credential theft, etc. Since the subdomain belongs to a legitimate domain, users may be more likely to trust it.

  2. How can organizations detect dangling DNS records?

     Organizations can identify dangling DNS records by regularly auditing their DNS infrastructure, maintaining an accurate asset inventory, and using automated monitoring tools that detect subdomains pointing to inactive or unclaimed resources.

  3. Which cloud services are commonly affected by dangling DNS issues?

     Cloud platforms and third-party services such as storage buckets, web hosting, CDNs, SaaS, and application hosting environments commonly experience dangling DNS vulnerabilities.

  4. How can organizations prevent subdomain takeover attacks?

     Organizations can prevent subdomain takeovers by regularly reviewing DNS records, removing unused entries, and monitoring for abandoned subdomains. They should also maintain accurate asset inventories and delete DNS records when associated services are decommissioned.

  5. Can a valid SSL/TLS certificate be obtained for a hijacked subdomain?

     Yes. If an attacker successfully takes control of a dangling subdomain, they may be able to prove ownership to a certificate authority and obtain a valid SSL/TLS certificate. This makes the malicious site appear legitimate and trustworthy to users.

  6. How often should organizations review their DNS records?

     Organizations should review their DNS records regularly, ideally as part of routine security audits or asset management processes. Frequent reviews help identify abandoned subdomains and reduce the risk of dangling DNS vulnerabilities being exploited.

  7. What are the signs of a potential dangling DNS issue?

     Common signs include “resource not found,” “service unavailable,” or similar deleted-resource errors returned when a subdomain is accessed. These errors may indicate that the DNS record still exists while the underlying service no longer does.