Analysis Summary

Cybersecurity experts have highlighted a rising threat in the form of Dangling DNS attacks, where attackers exploit abandoned or misconfigured DNS records—especially CNAME records—to hijack subdomains of legitimate organizations. This typically happens when companies decommission cloud resources, discontinue SaaS services, or migrate infrastructure without cleaning up corresponding DNS configurations. For example, if a business stops using Zendesk but leaves behind a DNS record like support.YourBiz.com pointing to YourBiz.zendesk.com, an attacker can register the abandoned Zendesk subdomain and take control of the subdomain under the organization’s domain.

Researchers revealed over 1,250 such instances in the past year, with most of them linked to deprovisioned cloud resources. These vulnerabilities are particularly alarming when they affect assets involved in software supply chains, turning what may seem like a minor oversight into a major vector for supply chain compromise. Attackers essentially inherit trust that had already been built between the organization and its users, leveraging that trust to serve malicious content under the guise of a legitimate subdomain.

One common example includes AWS S3 buckets. When an S3 bucket tied to a subdomain is deleted but the DNS record remains active, attackers can recreate the bucket or use similar tactics to hijack that subdomain. Researcher investigation from October 2024 to January 2025 found 150 deleted S3 buckets that still received over 8 million requests, some involving critical resources like container images, software updates, and VPN configurations. If hijacked, attackers could have silently pushed malicious updates or software through these trusted paths.

To mitigate such threats, organizations must adopt strict DNS hygiene practices. Regular DNS audits should be conducted to identify and remove stale or unused records. Runtime security solutions should also be in place to catch suspicious behavior when preventative measures fail. Being proactive about DNS record management is essential to protect infrastructure, data, and users from these subtle yet impactful attacks.

Impact

• Sensitive Credentials Theft
• Gain Access
• Reputation Damage

Remediation

• Review all DNS records periodically to identify and remove entries pointing to decommissioned or unused services.
• Immediately delete DNS records (especially CNAMEs and A records) that point to third-party services no longer in use.
• Use automated tools to detect DNS resolution failures or error messages (e.g., "No Such Bucket" in AWS), which may indicate a takeover risk.
• Integrate DNS updates into service decommissioning checklists to ensure records are cleaned up when infrastructure changes.
• Train teams on the risks of dangling DNS records and proper procedures during cloud migrations or SaaS cancellations.
• Use security tools to monitor for unusual traffic or behavior on subdomains, which may signal compromise or misuse.
• Avoid wildcard DNS records that can unintentionally expose large parts of the domain to takeover.
• Leverage security platforms that can automatically detect and alert on DNS misconfigurations or subdomain takeover risks.