What is Dangling DNS?

A dangling DNS record is a CNAME record that points to a resource which no longer exists. A dangling DNS record can be exploited in what is known as a subdomain takeover.

Let’s say we have a CNAME record which points to example.azurewebsites.net. example.azurewebsites.net is our Azure App Service instance. We no longer need our App Service instance, so we delete it, and in doing so our domain name example.azurewebsites.net is also deleted.

Our CNAME record is still pointing to example.azurewebsites.net, so we should delete our CNAME record too. If we forget to delete our CNAME record, which sometimes happens, we leave our CNAME record “dangling”. Dangling DNS records are low-hanging fruit for attackers, who can claim the abandoned target name and exploit the record.

Azure App Service takes the name of your instance and appends the suffix .azurewebsites.net, meaning an attacker can easily create a new App Service instance using our old domain name example.azurewebsites.net. All of our user traffic for the dangling subdomain would then be directed to the attacker’s App Service instance.
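The defensive check that follows from this is to audit your own zone for CNAME targets that no longer resolve. The script below is an added example, not code from the original post; the zone records and the canned resolver answers are constructed so that it runs offline, and `live_resolve` is the hook to swap in for a real audit.

```python
import socket

# Constructed sample zone export (owner, type, target); not a real zone.
SAMPLE_RECORDS = [
    ("www.example.com",    "CNAME", "example.azurewebsites.net"),
    ("blog.example.com",   "CNAME", "blog-prod.azurewebsites.net"),
    ("legacy.example.com", "CNAME", "old-site.azurewebsites.net"),
    ("mail.example.com",   "A",     "203.0.113.10"),
]

# Constructed resolver answers standing in for live DNS; None means NXDOMAIN,
# which is what you see once the App Service behind the name has been deleted.
SAMPLE_ANSWERS = {
    "example.azurewebsites.net":   None,            # instance deleted
    "blog-prod.azurewebsites.net": "203.0.113.20",  # still in service
    "old-site.azurewebsites.net":  None,            # instance deleted
}


def fake_resolve(name):
    """Offline stand-in for DNS resolution using the constructed answers."""
    return SAMPLE_ANSWERS.get(name)


def live_resolve(name):
    """Resolve with the system resolver; None if the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_dangling(records, resolve=live_resolve):
    """Return (owner, target) for every CNAME whose target no longer resolves.

    Only CNAME records are checked, matching the takeover scenario above:
    the owner name still exists in our zone, but the target it aliases is gone.
    """
    dangling = []
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue
        if resolve(target) is None:
            dangling.append((owner, target))
    return dangling


if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_RECORDS, fake_resolve):
        print(f"DANGLING: {owner} -> {target}")
```

An NXDOMAIN answer is the signal for deleted App Service names; providers that answer abandoned names with a wildcard record instead need an additional content-level check, which this example does not cover.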