In the complex world of DNS and cloud services, it's easy to forget a record here and there. But what if one of those forgotten DNS records could allow an attacker to hijack part of your domain?
What Is a CNAME, anyway?
Before diving into the risks, let’s cover the basics.
A CNAME(Canonical Name) is a type of DNS record that maps one domain to another. For example:
objectivec
CopyEdit
blog.example.com → CNAME →example-blog.squarespace.com
When a user visits blog.example.com, DNS redirects them to the service behind example-blog.squarespace.com. This makes CNAMEs super handy for pointing your branded domains to cloud services.
Enter the Dangling CNAME
A dangling CNAME occurs when the CNAME record points to a domain or service that no longer exists - but the DNS record remains active.
Imagine you once hosted an app at myapp.herokuapp.com, and you had a CNAME like this:
objectivec
CopyEdit
app.example.com → CNAME →myapp.herokuapp.com
Later, you delete the Heroku app… but forget to delete the CNAME.
Now, your DNS is pointing users to a non-existent resource.
Why This Is Dangerous: Subdomain Takeovers
Here’s where things get scary.
An attacker can:
- Notice that app.example.com still points to myapp.herokuapp.com, which no longer exists.
- Register a new app on Heroku with the exact same name: myapp.herokuapp.com
- Boom. app.example.com now points to their app.
This is called a subdomain takeover.
Once the attacker has control:
- They can serve malicious content under your domain.
- Phish users who trust your domain.
- Steal session cookies, data, or login credentials.
- Wreck your SEO and your brand’s reputation.
And because it’s technically your domain, detection and prevention can be harder.
Real-World Examples
Many high-profile organisations - including tech giants - have been caught with dangling CNAMEs. In many cases, researchers have reported these as critical vulnerabilities, earning significant bug bounties.
Subdomain takeovers have been leveraged in phishing campaigns, malware distribution, and even cryptocurrency scams.
Company A did not know that had a dangling CNAME, even when an attacker took control, added an SPF record and used it to send emails from a variety of shopping websites. Close to 1 million were sent in 3 weeks. All were sent SPF aligned and undetected.
How to Protect Yourself
The good news? You can easily defend against this class of vulnerabilities.
✅ 1. Audit Your DNS Regularly
✅ 2. Clean Up
✅ 3. Monitor for Dangling Records
✅ 4. Use DNS Providers with Safety Nets
Final Thoughts
Dangling CNAMEs are one of those "set-it-and-forget-it" misconfigurations that can come back to haunt you - badly. Fortunately, with regular hygiene and a bit of automation, they're also one of the easiest vulnerabilities to prevent.
If you are managing a domain and relying on third-party services, it is time to double-check your DNS. Because sometimes, what you do not see can hurt you.
Want a checklist or script to help automate CNAME audits? Drop a comment or get in touch - we'll be happy to help you lock things down.
