Dangling DNS Records: Removing Unused CNAMEs

Source: dmarcian

Author: Steven Iacoviello

URL: https://dmarcian.com/dangling-dns-cname-records/

ONE SENTENCE SUMMARY:

Dangling CNAMEs can delegate SPF to attackers, enabling DMARC-passing spoofing; maintain DNS hygiene, monitor sources, and alert on changes.

MAIN POINTS:

  1. CNAME records alias one domain to another canonical domain in DNS.
  2. Organizations delegate SPF or DKIM via CNAMEs to third-party vendors for easier management.
  3. SPF delegation through CNAME lets the target domain owner control authorized sending IPs.
  4. Dangling CNAMEs persist after services retire, pointing to nonexistent or abandoned resources.
  5. Domain ownership changes can let attackers weaponize dangling CNAME targets for malicious hosting.
  6. Abusers can publish their own SPF under the acquired CNAME target and send authorized mail.
  7. DMARC p=reject won’t stop aligned SPF mail if attackers control the delegated SPF path.
  8. Regularly review vendors and delete obsolete CNAMEs and other unnecessary DNS records.
  9. Examine MAIL FROM subdomains whose SPF is delivered via CNAME, and remove delegations that are no longer in use.
  10. DMARC reporting and alerting reveal anomalies such as a new sending source that shows 100% SPF alignment and 0% DKIM.
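As an added example (not code from the dmarcian article), a small audit that walks each CNAME in a zone through a pluggable resolver and flags targets that no longer resolve (dangling) or that carry the owner's SPF (delegated trust boundary). The DNS snapshot and names are constructed; swap `lookup_sample` for a real resolver to run it against live DNS.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS snapshot (hypothetical names): name -> (CNAME target or None, TXT records).
# A name missing from the dict is treated as NXDOMAIN.
SAMPLE_DNS: Dict[str, Tuple[Optional[str], List[str]]] = {
    "mail.example.com.":      ("spf.mailer.example.", []),      # live SPF delegation
    "bounce.example.com.":    ("spf.old-vendor.example.", []),  # vendor retired, target gone
    "www.example.com.":       ("sites.hosting.example.", []),   # ordinary web alias
    "spf.mailer.example.":    (None, ["v=spf1 ip4:192.0.2.0/24 -all"]),
    "sites.hosting.example.": (None, []),
}

Lookup = Callable[[str], Optional[Tuple[Optional[str], List[str]]]]

def lookup_sample(name: str):
    return SAMPLE_DNS.get(name)

def resolve_chain(name: str, lookup: Lookup, max_hops: int = 8):
    """Follow CNAMEs from `name`. Returns (final_name, txt_records, dangling).
    dangling is True when any hop is NXDOMAIN or the chain loops / exceeds max_hops."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            return name, [], True
        seen.add(name)
        rec = lookup(name)
        if rec is None:
            return name, [], True
        target, txts = rec
        if target is None:
            return name, txts, False
        name = target
    return name, [], True

def audit_cnames(zone_cnames: List[Tuple[str, str]], lookup: Lookup) -> List[dict]:
    """Classify each (owner, target) CNAME: DANGLING, SPF-DELEGATED or OK."""
    findings = []
    for owner, target in zone_cnames:
        final, txts, dangling = resolve_chain(target, lookup)
        has_spf = any(t.lower().startswith("v=spf1") for t in txts)
        if dangling:
            status = "DANGLING"       # remove: whoever later registers the target publishes SPF for owner
        elif has_spf:
            status = "SPF-DELEGATED"  # the target's operator decides which IPs may send as owner
        else:
            status = "OK"
        findings.append({"owner": owner, "target": target, "final": final, "status": status})
    return findings

def zone_cnames_from(snapshot: Dict[str, Tuple[Optional[str], List[str]]], zone: str):
    """Extract (owner, target) CNAME pairs for names under `zone` from a snapshot."""
    return [(n, t) for n, (t, _) in snapshot.items() if n.endswith(zone) and t]

if __name__ == "__main__":
    for f in audit_cnames(zone_cnames_from(SAMPLE_DNS, "example.com."), lookup_sample):
        print(f"{f['status']:14} {f['owner']} -> {f['target']}")
```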

TAKEAWAYS:

  1. Removing unused CNAMEs prevents domain-takeover abuse paths in DNS and email authentication.
  2. Delegated SPF via CNAME is powerful; treat the CNAME target as a critical trust boundary.
  3. DMARC visibility can expose dangling-CNAME exploitation patterns before major damage occurs.
  4. Automated monitoring for new subdomains and DNS changes speeds detection and response.
  5. Alerting integrations (email, Slack, Teams, webhooks) help operationalize continuous DNS hygiene.