Dangling DNS and Subdomain Takeovers

Detectify's Surface Monitoring is easy to set up. Connect to your DNS provider and start monitoring all your subdomains with a few clicks. Uncover unknown assets, cover DNS infrastructure and potential domain takeovers. Whenever a new subdomain is discoverable on the Internet, our tool alerts you and adds it to your inventory for continuous monitoring and vulnerability scanning.

Detectify were the first to research hostile subdomain takeovers as an attack vector back in 2014. From abandonware and mismatched DNS wildcards, we now run more than 600 tests for subdomain takeovers. It’s not uncommon to have hundreds of thousands of DNS records. While there are rigid processes for changes to firewall rules, changes to DNS records are usually made with much less oversight. For instance, development teams can update DNS records using Infrastructure as Code (IaC). With Detectify you can keep up with a sprawling DNS footprint and improve your security controls.

Detectify makes it easy to find dangling DNS records and potential subdomain takeovers. Findings without proper triage and remediation is yet of little value. Collaborate on the platform with members of your security team and developers. Or make use of our powerful integrations to fit your workflows. From Jira and Slack to Datadog and Splunk. Connect using Workato, a flexible iPaaS, or with our versatile API.

Subdomain takeover occurs when an attacker gains control of a subdomain belonging to a legitimate domain of the target. This often happens because the subdomain's DNS record hasn't been properly de-provisioned or points to a service that is no longer in use. Hostile subdomain takeover is a term coined by Detectify Security Researchers (read the original writeup). It refers to when an attacker takes control of a service no longer in use but that the target still has a DNS record pointing a subdomain to. As the DNS record points to a vacant service, this is also referred to as dangling DNS entries.

The severity of a subdomain takeover is very contextual. The takeover is usually only considered severe if it compromises other systems or gives direct access to user data (such as cookies).

Spinning up a fake page on the compromised subdomain for phishing purposes is bad enough. Consider an attacker getting control of one out of many Name Server (NS) delegations for the root (apex) zone. Then the severity can get worse than the most critical form of SQL injection. This can, over time, give the attacker access to all traffic destined for the vulnerable domain, including all its subdomains.