
Dangling Domains: An Easily Overlooked Threat to the DNS Ecosystem

Keeping your ecommerce website secure

What is DNS? 

DNS, or Domain Name System, is an integral part of any website. DNS converts user-friendly domain names into resources (including IP addresses) that are more comprehensible to machines. When you type in a website’s domain name, your computer sends a request to find the IP address responsible for all the website’s data.

Think of this system as a translator that connects us to the websites we want to visit. The DNS server plays an intrinsic role in locating websites and connecting users to them, and that is exactly why attackers find the Domain Name System so attractive.

It's obvious why you wouldn't want anything getting between you and your website's users, but despite your domain owner's best efforts, you may need to invest more energy than you think into maintaining a secure environment for your organization's sensitive data.

If a hacker wants to redirect your users to a website that doesn't belong to you, they can do so if they are able to carry out one of several DNS attacks. You're probably wondering what makes your DNS records safe, or unsafe, from attackers. Unfortunately, there are multiple methods attackers use to hijack domain names for malicious purposes, and it's possible that your website is at risk. Let's take a look at a few:

DNS Hijacking 

DNS was not designed with security in mind: it was created in 1983, when the internet was much less used, so the base protocol has no mechanism to authenticate that the response to a DNS resolver's request really comes from the authoritative server that was queried. This means that hijackers can easily forge a fake response and redirect users.

This lack of security has led to one form of DNS attack called "cache poisoning", which occurs when attackers exploit weaknesses in the caching components that sit between users and the website. A cache stores responses to a DNS resolver's queries somewhere between the user and the server, so the site is easier to reach: your request doesn't have to travel all the way back to the source every time. If the DNS resolver had to send every request back to the authoritative server, a busy website could generate more traffic than the server can handle.

If your website is particularly busy, a cache is a great way to ease the pressure of too many requests on your server, but it also puts your website in a vulnerable position, as there is now another component that attackers can target to reach you and your website's users.

In this attack, the attacker impersonates the authoritative server and sends false responses to the DNS resolver, so that queries return incorrect answers and users are sent to the wrong websites. Since the cache stores information for a set amount of time, the spoofed data remains until it expires or is manually removed.

Cache poisoning is particularly damaging because it can be difficult to detect, so it's important to be prepared for the impact it can have on your organization and your users. Technologies such as DNSSEC are critical to ensuring security.

Dangling Domains

Dangling domains are DNS records whose targets have been abandoned and released, which leaves an opening that attackers can target with malicious intent. For example, if your CNAME record points to a sub-domain that has expired, and your domain owner doesn't purge the record from the DNS server, the target name can be re-registered by an attacker.

There are many reasons why DNS records may be left unattended. If you no longer offer a service but its record is still present, even though the name it points to is no longer registered and active, it's just waiting to be targeted. Sometimes there are multiple records, some of which still work, so those services are not interrupted while the dangling records are left exposed. Hackers will often employ both of these man-in-the-middle methods to try to exploit you.

A study by Palo Alto Networks' Unit 42 produced shocking results: they found 317,000 unsafe dangling domains in total, signalling a serious threat even to well-maintained DNS zones. As stated previously, it takes constant monitoring and maintenance to catch these records, which is why it's so important to be aware of the ownership and traffic of the DNS records that your services depend on, and to purge the ones they don't.
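The maintenance the post is asking for can be scripted. The following is an added example, not code from the post or from Unit 42: it parses the CNAME records out of a zone file and flags each target whose registrable domain is no longer registered (anyone could re-register it) or which no longer resolves. The zone, the set of resolvable names and the set of registered domains are all constructed; the two lookups are passed in as plain functions, and substituting a real resolver and a WHOIS/RDAP client for them is an assumption left to the reader.

```python
"""Audit a zone's CNAME records for dangling targets (added example, not
from the original post). A target is flagged when its registrable domain is
no longer registered (re-registerable by anyone) or when the name no longer
resolves. Lookups are injected as plain functions so this runs offline on
constructed data; swapping in a real resolver/RDAP client is an assumption
left to the reader."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Finding:
    owner: str    # the record in your own zone
    target: str   # where the CNAME points
    reason: str   # "UNREGISTERED" or "NXDOMAIN"


def qualify(name: str, origin: str) -> str:
    """Turn a zone-file name into a lower-case FQDN relative to `origin`."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_cnames(zone_text: str, origin: str) -> Dict[str, str]:
    """Return {owner_fqdn: target_fqdn} for the CNAME lines of a simple
    zone file. Tolerates comments and optional TTL and class columns."""
    records: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line or line.startswith("$"):  # skip blanks and directives
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        records[qualify(fields[0], origin)] = qualify(fields[idx + 1], origin)
    return records


def registrable_domain(fqdn: str) -> str:
    """Last two labels, e.g. storefront.vendor.example. -> vendor.example.
    (assumption: no public-suffix list, which is fine for single-label TLDs)."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def find_dangling(records: Dict[str, str],
                  resolves: Callable[[str], bool],
                  is_registered: Callable[[str], bool]) -> List[Finding]:
    """Classify each CNAME target. Unregistered is checked first because it
    is the more severe state: anyone can register the name and inherit the
    traffic your record still sends there."""
    findings: List[Finding] = []
    for owner, target in sorted(records.items()):
        if not is_registered(registrable_domain(target)):
            findings.append(Finding(owner, target, "UNREGISTERED"))
        elif not resolves(target):
            findings.append(Finding(owner, target, "NXDOMAIN"))
    return findings


# --- constructed sample data: a small zone plus a stand-in for the outside world ---
ORIGIN = "example.com."
ZONE = """
$ORIGIN example.com.
@        3600 IN A     192.0.2.10
www      3600 IN CNAME @
shop     3600 IN CNAME storefront.retired-vendor.example.   ; vendor contract ended
blog     3600 IN CNAME blog-host.hosting-provider.example.
old-app  3600 IN CNAME old-app.cloud-provider.example.      ; instance deleted, record kept
"""
RESOLVABLE = {"example.com.", "blog-host.hosting-provider.example."}
REGISTERED = {"example.com.", "hosting-provider.example.", "cloud-provider.example."}


def audit_sample() -> List[Finding]:
    """Run the audit against the constructed data above."""
    return find_dangling(parse_cnames(ZONE, ORIGIN),
                         resolves=lambda n: n in RESOLVABLE,
                         is_registered=lambda d: d in REGISTERED)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.reason:12} {f.owner} -> {f.target}")
```

Run against the constructed zone, the script reports `shop` as UNREGISTERED (the vendor's domain is gone, so the name can be claimed by anyone) and `old-app` as NXDOMAIN (the provider still exists but the host was deleted). Both are records the post says should be purged; the unregistered case is the one to fix first.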

What now? 

You're probably wondering why this has gone on for so long without any regulation. How is it possible that hackers could ever have this much power over the internet? I, for one, am feeling very vulnerable and would rather close my laptop and walk away than continue writing this, but alas, there is a light at the end of this tunnel. Enter DNSSEC.

The Internet Engineering Task Force created the Domain Name System Security Extensions (DNSSEC) throughout the 1990s to regulate, secure and tirelessly authenticate all of the data between you and the servers that host the websites you visit.

These extensions allow domain owners to sign their DNS data with a key, and that key is then configured into the recursive resolver as trusted. The resolver holds a list of keys it trusts, which forms a sequence called the "chain of trust"; it can extend to any location and should prevent hackers from tampering with any data, as long as that data is signed.

This miracle of the modern internet has its flaws, however: it can only be effective if it's deployed widely across the internet. It isn't automatic; enabling it requires changing a few lines in the resolver's configuration file, but most common resolvers support it. And since signing isn't automated everywhere yet, the DNS zone owner has some maintenance to do to create and keep up this chain of trust and ensure a protected lookup process for your users.

Configuring the extension happens in the same place you would make any other change to the zone, such as designating authoritative name servers. And there is really no amount of effort that isn't worth preventing the irreversible damage an attacker could cause to your business or your users.
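To make the "chain of trust" concrete, and to show how it defeats the forged answers described in the cache poisoning section, here is an added model of a validating resolver; it is not code from the post, ICANN or any real resolver. The DS link is kept faithful (the parent publishes a hash of the child's DNSKEY, and the resolver's configured trust anchor is the hash of the root key). The RRSIG is a toy: an HMAC keyed by the zone key stands in for the public-key signature real DNSSEC uses, so the script runs on the standard library alone. Zone names, keys and addresses are constructed. The four scenarios cover a genuine answer, a poisoned answer with a swapped address, an unsigned zone, and the maintenance failure the post warns about (a key rolled in the zone while the parent still holds the old DS).

```python
"""Model of a validating resolver walking the DNSSEC chain of trust (added
example, not from the post). The DS link is kept faithful: the parent
publishes a hash of the child's DNSKEY. The RRSIG is a toy: HMAC keyed by
the zone key stands in for the public-key signature real DNSSEC uses, so the
script stays standard-library only. Zone names, keys and addresses are
constructed."""
import hashlib
import hmac
from typing import Dict, List, Tuple


def ds_digest(dnskey: bytes) -> str:
    """DS record content: a hash of a child zone's DNSKEY, held by the parent."""
    return hashlib.sha256(dnskey).hexdigest()


def make_rrsig(zone_key: bytes, name: str, rrtype: str, rdata: str) -> str:
    """Toy RRSIG over one record (HMAC in place of a real signature)."""
    return hmac.new(zone_key, f"{name}|{rrtype}|{rdata}".encode(), "sha256").hexdigest()


class Zone:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.ds: Dict[str, str] = {}          # child zone -> DS digest

    def delegate_signed(self, child: "Zone") -> None:
        """Publish a DS for a signed child; unsigned children get no DS."""
        self.ds[child.name] = ds_digest(child.key)


def zone_chain(name: str, zones: Dict[str, Zone]) -> List[str]:
    """Zone names from the root down to the zone authoritative for `name`."""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            chain.append(candidate)
    return chain


def validate(zones: Dict[str, Zone], trust_anchors: Dict[str, str],
             name: str, rrtype: str, rdata: str, rrsig: str) -> Tuple[str, str]:
    """Decide what a resolver does with a received answer (rdata, rrsig):
    ("secure", rdata), ("insecure", rdata) for an unsigned delegation, or
    ("bogus", reason) when any link in the chain fails."""
    chain = zone_chain(name, zones)
    for i, zone_name in enumerate(chain):
        if zone_name in trust_anchors:          # configured trusted key
            expected = trust_anchors[zone_name]
        elif i == 0:
            return ("bogus", "no trust anchor for the root")
        else:                                   # trust inherited via the parent's DS
            expected = zones[chain[i - 1]].ds.get(zone_name)
            if expected is None:
                return ("insecure", rdata)      # no DS: nothing to validate against
        if ds_digest(zones[zone_name].key) != expected:
            return ("bogus", f"DNSKEY of {zone_name} does not match its DS/trust anchor")
    auth = zones[chain[-1]]
    if not hmac.compare_digest(rrsig, make_rrsig(auth.key, name, rrtype, rdata)):
        return ("bogus", f"RRSIG for {name} {rrtype} does not verify")
    return ("secure", rdata)


# --- constructed zones: root -> com -> example.com (all signed), plus an unsigned zone ---
ROOT = Zone(".", b"root-key-constructed")
COM = Zone("com.", b"com-key-constructed")
EXAMPLE = Zone("example.com.", b"example-key-constructed")
UNSIGNED = Zone("unsigned.com.", b"never-signed")
ROOT.delegate_signed(COM)
COM.delegate_signed(EXAMPLE)
ZONES = {z.name: z for z in (ROOT, COM, EXAMPLE, UNSIGNED)}
TRUST_ANCHORS = {".": ds_digest(ROOT.key)}    # the resolver's configured trusted key


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Four answers a resolver might receive and how validation treats them."""
    genuine = make_rrsig(EXAMPLE.key, "www.example.com.", "A", "192.0.2.10")
    # Key rolled in the zone but the parent still holds the old DS (missed maintenance).
    rolled = Zone("example.com.", b"example-key-after-rollover")
    stale = {**ZONES, rolled.name: rolled}
    return {
        "genuine": validate(ZONES, TRUST_ANCHORS, "www.example.com.", "A", "192.0.2.10", genuine),
        # poisoned cache: address swapped, signature cannot be recomputed without the zone key
        "forged_rdata": validate(ZONES, TRUST_ANCHORS, "www.example.com.", "A", "203.0.113.66", genuine),
        "unsigned_zone": validate(ZONES, TRUST_ANCHORS, "www.unsigned.com.", "A", "198.51.100.7", ""),
        "stale_ds": validate(stale, TRUST_ANCHORS, "www.example.com.", "A", "192.0.2.10",
                             make_rrsig(rolled.key, "www.example.com.", "A", "192.0.2.10")),
    }


if __name__ == "__main__":
    for label, (status, detail) in scenarios().items():
        print(f"{label:14} {status:9} {detail}")
```

The two outcomes worth noticing are the last two. An unsigned zone is not rejected, it is simply accepted without any guarantee, which is why the post says DNSSEC only helps once it is deployed widely. And a zone that rolls its key without updating the DS at its parent turns its own valid answers into "bogus" ones, so the maintenance the zone owner must do is not optional.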

Remember to regularly check whether your sub-domains have expired and always purge the ones you aren’t currently using. Oh, and one more thing: If you’re looking for help with your site, Virid has over 25 years of experience building and growing ecommerce websites, and most importantly, keeping them safe. 

To learn more about DNS hijacking and how to prevent it, check out these resources: 

https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en 

https://unit42.paloaltonetworks.com/dangling-domains/ 

https://www.spamhaus.org/resource-hub/dns/dangling-dns-and-the-dangers-of-subdomain-hijacking/ 

https://www.paloaltonetworks.com/cyberpedia/what-is-a-dangling-dns