DNS is more than name resolution

DNS is one of the first things attackers inspect because it describes how an organization exposes services to the internet. Domains, subdomains, CNAME records, A records, MX records, and TXT records can reveal active systems, forgotten environments, third-party dependencies, and stale infrastructure.

A DNS mistake may not look like a vulnerability at first. It may just be an old record. But if that record points to a resource that no longer exists, it can become a takeover path.

Dangling records and subdomain takeover

A dangling DNS record exists when DNS still points to a service that has been removed or deprovisioned. This often happens with cloud platforms, static hosting providers, CDN configurations, storage buckets, or SaaS products.

Example:

help.example.com CNAME old-support-provider.example.net

If the support provider account was deleted but the DNS record remains, an attacker who can register the released provider-side name or resource can serve content under help.example.com. Whether that registration is possible depends on the provider, but it is the DNS record that hands the attacker the organization's trusted subdomain.

Common DNS exposure patterns

  • Stale CNAME records: subdomains point to removed cloud apps, SaaS tenants, or CDN distributions.
  • Old A records: domains point to IP addresses that no longer host the intended service.
  • Wildcard DNS: broad records make unexpected hostnames resolve and hide inventory gaps.
  • Forgotten staging domains: test environments remain reachable and weaker than production.
  • Zone transfer exposure: misconfigured DNS servers reveal full zone contents through AXFR.
  • Open resolvers: DNS servers answer recursive queries from the internet and can be abused for amplification.
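At the wire level, the open resolver check in the last bullet is one recursive query for a name the server is not authoritative for, followed by a look at the reply's RA bit, RCODE and answer count. The following is an added example, not Front Screen's own check: the query name example.net, the server address in the comment and the constructed reply in the demo are assumptions, and only probe_open_resolver touches the network.

```python
"""Wire-level open resolver probe: build a recursive A query and classify the reply.

Added example, not Front Screen code. The query name, the server address and the
constructed reply below are illustrative; probe only servers you are authorized to test.
"""
import secrets
import socket
import struct
from typing import Sequence

QR_BIT, RD_BIT, RA_BIT = 1 << 15, 1 << 8, 1 << 7  # header flag positions (RFC 1035)
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, txid: int) -> bytes:
    """Header with RD=1 (asking for recursion) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, RD_BIT, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_a_response(txid: int, flags: int, question: bytes, addresses: Sequence[str]) -> bytes:
    """Construct a reply for offline demonstration: header, echoed question, one A RR per address."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip) for ip in addresses
    )
    return header + question + rrs


def classify_response(txid: int, data: bytes) -> str:
    """Decide what the reply says about recursion for a name the server is not authoritative for."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return "txid-mismatch"
    if not flags & QR_BIT:
        return "not-a-response"
    rcode = flags & 0xF
    if rcode == RCODE_REFUSED:
        return "refused"                        # recursion not offered to this client
    if flags & RA_BIT and rcode == 0 and ancount > 0:
        return "open-resolver"                  # RA set and an external name was answered
    if flags & RA_BIT:
        return "recursion-available-no-answer"  # RA set but nothing usable returned: inconclusive
    return "no-recursion"


def probe_open_resolver(server: str, qname: str = "example.net", timeout: float = 2.0) -> str:
    """Send one recursive query over UDP/53 and classify the reply (network access required)."""
    txid = secrets.randbelow(1 << 16)
    query = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify_response(txid, data)


if __name__ == "__main__":
    # Offline demonstration with a constructed reply; for a live test call
    # probe_open_resolver("192.0.2.53") against a server you are allowed to probe.
    query = build_query("example.net", 0x1234)
    reply = build_a_response(0x1234, QR_BIT | RD_BIT | RA_BIT, query[12:], ["192.0.2.1"])
    print(classify_response(0x1234, reply))  # open-resolver
```

The classifier deliberately requires an actual answer, not just the RA bit: some servers advertise RA to everyone but still return REFUSED to clients outside their access list, and treating RA alone as proof produces false positives.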

Why stale DNS is dangerous

DNS records are often created during launches and migrations, but cleanup is less disciplined. A project ends, a cloud resource is deleted, a vendor is replaced, or a staging system is removed. The DNS record remains because nothing breaks visibly in production.

Attackers look for exactly this condition. A trusted subdomain can be used for phishing, malicious downloads, OAuth redirect abuse, cookie scope confusion, or brand impersonation. Even when takeover is not possible, stale DNS can reveal old architecture and third-party relationships.

What good DNS hygiene looks like

  1. Maintain an inventory of all public zones and subdomains.
  2. Review CNAME records that point to cloud, CDN, storage, and SaaS providers.
  3. Remove records immediately when resources are deprovisioned.
  4. Check whether old A records still point to systems you control.
  5. Restrict zone transfers (AXFR) to your own secondary name servers, and disable them entirely if you run none.
  6. Monitor newly created DNS records as part of change control.
  7. Review TXT records for stale verification tokens and abandoned integrations.
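Items 2 and 4 above can be automated against a zone export. The following is an added example, not Front Screen code: the zone snapshot, the owned prefix and the canned resolver answers are constructed for illustration, and only system_resolver performs live lookups.

```python
"""Flag dangling CNAMEs and A records outside owned address space in a zone snapshot.

Added example, not Front Screen code. ZONE, OWNED_PREFIXES and CANNED_ANSWERS are
constructed for illustration; only system_resolver() performs live lookups.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Constructed zone snapshot in presentation format: owner TTL class type rdata.
ZONE = """
www.example.com.     300 IN A     203.0.113.10
help.example.com.    300 IN CNAME old-support-provider.example.net.
cdn.example.com.     300 IN CNAME static-host.example.net.
legacy.example.com.  300 IN A     198.51.100.25
example.com.         300 IN MX    10 mail.example.com.
"""

# Address space the organization controls (constructed).
OWNED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Canned answers standing in for the live resolver; a missing key means NXDOMAIN.
CANNED_ANSWERS: Dict[str, List[str]] = {"static-host.example.net": ["192.0.2.7"]}

Resolver = Callable[[str], Optional[List[str]]]
Record = Tuple[str, str, str]


def parse_zone(text: str) -> List[Record]:
    """Return (owner, type, rdata) per record; comments, blanks and short lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 5:
            continue
        owner, rtype, rdata = fields[0], fields[3], " ".join(fields[4:])
        records.append((owner.rstrip("."), rtype.upper(), rdata.rstrip(".")))
    return records


def canned_resolver(host: str) -> Optional[List[str]]:
    """Offline stand-in for DNS: returns the canned addresses, or None for NXDOMAIN."""
    return CANNED_ANSWERS.get(host)


def system_resolver(host: str) -> Optional[List[str]]:
    """Live lookup via the OS resolver: IPv4 addresses, or None when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def audit(records: Sequence[Record], owned: Sequence[ipaddress.IPv4Network], resolve: Resolver) -> List[str]:
    """One finding per CNAME whose target does not resolve and per A record outside owned space."""
    findings: List[str] = []
    for owner, rtype, rdata in records:
        if rtype == "CNAME" and resolve(rdata) is None:
            findings.append(f"{owner}: CNAME target {rdata} does not resolve (dangling CNAME candidate)")
        elif rtype == "A":
            addr = ipaddress.ip_address(rdata)
            if not any(addr in net for net in owned):
                findings.append(f"{owner}: A record {rdata} is outside owned address space")
    return findings


if __name__ == "__main__":
    # Swap canned_resolver for system_resolver to run against a real zone export.
    for finding in audit(parse_zone(ZONE), OWNED_PREFIXES, canned_resolver):
        print(finding)
```

A target that does not resolve is a candidate, not a confirmed takeover: whether anyone can register the released name is the provider-specific validation the rest of this page refers to. The reverse also holds, since a target that still resolves can be unclaimed on providers that answer for every hostname through wildcard DNS, so this check catches the obvious cases and an inventory review is still needed for the rest.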

Where Front Screen helps today

Front Screen currently checks several DNS-adjacent and externally visible signals:

  • DNS resolution: whether a domain resolves to public IPv4 addresses for scanning.
  • DNS service exposure: whether DNS over TCP/53 is publicly reachable.
  • DNS amplification risk: DNS/53 is included in DDoS amplification exposure checks.
  • Open resolver behavior: checks whether a DNS service answers recursive queries for external domains.
  • Zone transfer risk: checks whether AXFR appears to be allowed.
  • DNS version disclosure: checks for exposed version.bind information.
  • Reverse DNS and identity: PTR, forward-confirmation, BGP ASN, and prefix context.
  • Related exposure checks: web reachability, TLS posture, HTTP security headers, data leak paths, and exposed admin or infrastructure services.

Dangling CNAME and full subdomain takeover detection require broader DNS inventory and provider-specific validation. Front Screen’s current external checks still help identify public DNS behavior, reachable DNS services, identity context, and exposed systems behind resolved names.

Bottom line

DNS records should be reviewed like firewall rules or public services. If a record points to something you no longer control, it can become an attacker-controlled asset under your domain. The safest DNS record is one that is still needed, still owned, and still monitored.