Manage Dangling DNS Records

Updated
  • Updated on Oct 10, 2025
  • Published on Aug 11, 2025
  • 1 minute(s) read
Prev Next

Dangling DNS records pose a significant security risk, particularly for organizations with extensive domain and DNS portfolios. These records, which point to deprovisioned or non-existent resources, can enable subdomain takeovers, allowing threat actors to redirect traffic to malicious sites.

Dangling DNS Records

Subdomain takeovers occur when a DNS record, such as a CNAME, MX, or NS record, references a resource that no longer exists. CNAME records are especially critical due to their ability to map hostnames and delegate IP resolution. Silent Push pre-aggregates global DNS data weekly, flagging dangling records by subtracting current A and AAAA records from CNAME, MX, and NS records. An optional live check, enabled by default, confirms the dangling status of identified records, ensuring accurate results.

Prerequisites

Ensure you have access to the Attack Surface Mapping module.

For best results, enable Validate Danglers (live DNS lookup) to confirm records are truly dangling.

Get a Dangling DNS Record Count

The Dangling DNS Records Count query provides a fast way to determine the exact number of dangling records for a domain, offering a high-level overview of potential risks.

  1. From the left navigation menu, select Attack Surface Mapping > Potential Vulnerabilities > Dangling DNS Records Detection.

  2. Click Create New to open the surface interface.

  3. Select a record type to search for (CNAME, MX, or NS).

  4. Specify a domain name in Source (wildcards are supported, e.g., *.example.com).

  5. (Optional) Check Validate Danglers to perform a live DNS lookup and confirm dandling status.

  6. Click Search.

  7. (Optional) Once results populate:

    • Review counts and changes via integrated visualizations.

    • Click Copy API URL to integrate findings into your security stack (e.g., SIEM or alerting tools).

    • Export or save for further analysis.

Tips and troubleshooting

  • Query failures: If a search fails, the app will now display a clear error message. Review your source domain syntax and try simplifying (e.g., avoid complex wildcards).

  • Data access: Basic searches show up to one year of data by default. For historical data (>1 year), click the highlighted Load More option.

  • Limitations: No target domain filtering or Foreign Targets Only here. Use the Advanced Query Builder for those.

  • Related features: Explore dangling counts or full reports.