Subdomain takeovers are a common threat for any organization with extensive domain and DNS holdings. At a basic level, they enable threat actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.
Takeovers occur when a DNS record points to a deprovisioned resource; such DNS records are also known as dangling DNS entries.
CNAME records are of particular importance in subdomain takeovers, given their ability to map one hostname to another and delegate IP resolution.
Searching for dangling DNS records
Silent Push pre-aggregates global DNS data and flags any records that are considered to be dangling, on a weekly basis.
We achieve this by collecting all current CNAME, MX or NS records and subtracting all current A and AAAA records – the remaining CNAME, MX and NS records are then searchable on the platform.
We’ve also programmed an optional live check (enabled by default) to confirm the current dangling state of all results returned by the API.
- Navigate to Attack Surface Mapping > Potential Vulnerabilities > Dangling DNS Detection
- Select a record type to search for (CNAME, NS or MX)
- Specify a domain name in Source (wildcards are supported)
- Specify a domain name in Target (wildcards are supported)
- Tick Foreign Targets Only to target records outside of the source domain
- Tick Validate Danglers to confirm the status of dangling records with live DNS lookup
- Click Search
- (Optional) Once the results have been populated, click Copy API URL for use in your existing security stack
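The subtraction described above and the Foreign Targets Only filter, sketched offline as an added example; this is not Silent Push's code or API. The record data is constructed, and the function names, the CNAME-chain following and the two-label test for "foreign" are assumptions made for illustration.

```python
from collections import namedtuple

Record = namedtuple("Record", "name rtype value")  # owner, type, target or address

# Constructed sample data; example.com/.net/.org are reserved placeholder domains.
RECORDS = [
    Record("www.example.com", "CNAME", "app.example.com"),
    Record("app.example.com", "A", "192.0.2.10"),
    Record("docs.example.com", "CNAME", "www.example.com"),
    Record("shop.example.com", "CNAME", "old-store.cdn.example.net"),
    Record("blog.example.com", "CNAME", "blog-host.example.net"),
    Record("blog-host.example.net", "AAAA", "2001:db8::5"),
    Record("dev.example.com", "CNAME", "gone.example.com"),
    Record("example.com", "MX", "mail.retired.example.org"),
    Record("example.com", "NS", "NS1.Example.NET."),
    Record("ns1.example.net", "A", "192.0.2.53"),
]

def norm(host):
    """Compare hostnames case-insensitively and without the trailing dot."""
    return host.rstrip(".").lower()

def zone(host):
    # Assumption: the last two labels stand in for the registrable domain.
    # Production code should consult the Public Suffix List instead.
    return ".".join(norm(host).split(".")[-2:])

def resolves(host, addressed, cnames):
    """Follow CNAME chains from host; True once an A/AAAA owner is reached."""
    seen = set()
    while host not in seen:
        if host in addressed:
            return True
        seen.add(host)
        if host not in cnames:
            return False
        host = cnames[host]
    return False  # CNAME loop: never reaches an address

def find_dangling(records, rtype, foreign_only=False):
    """Records of rtype whose target has no current A/AAAA record."""
    addressed = {norm(r.name) for r in records if r.rtype in ("A", "AAAA")}
    cnames = {norm(r.name): norm(r.value) for r in records if r.rtype == "CNAME"}
    return sorted(
        (norm(r.name), norm(r.value)) for r in records
        if r.rtype == rtype
        and not resolves(norm(r.value), addressed, cnames)
        and not (foreign_only and zone(r.name) == zone(r.value)))
```

This works only from a collected snapshot; a live lookup such as the Validate Danglers option is what confirms that a hit is still dangling.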