Explore DigiCert ONE Platform

Trust Lifecycle Manager

Unified certificate automation and visibility.

CertCentral

Globally trusted certificates for websites and applications.

Private CA

Private trust for users, devices, and infrastructure.

DNS

Fast, resilient DNS to optimize security and availability.

Enterprise Trust

Software Trust Manager

Secure, policy-driven signing across your software supply chain.

Device Trust Manager

Identity, onboarding, and lifecycle management for devices and IoT.

Content Trust

Verified media and document integrity at enterprise scale.

Messaging Trust

Stop spoofing, secure messages, deliver verified logos in every inbox.

Integrations

AWS

Google Cloud

HashiCorp

Cloudflare

See all integrations

By Use Case

Prevent Outages With Automation

Automate discovery, renewal, and governance to eliminate certificate-related downtime.

Prepare For 47 Day TLS Certificates

Ensure automated certificate lifecycle management and full visibility.

Become Post Quantum Ready

Upgrade cryptographic agility and prepare systems for quantum-safe security.

Enable Zero Trust

Authenticate every user, device, and workload with strong identity and policy controls.

By Use Case

Modernize PKI

Replace legacy infrastructure with scalable, automated, cloud-ready PKI.

Leverage AI with Trusted Identity

Use AI-enhanced identity verification for users, applications, and digital interactions.

Maintain Compliance

Meet regulatory requirements with centralized auditability, policy enforcement, and reporting.

By Industry

Financial Services

Healthcare

TLS/SSL Certificates

Single Domain

Multi Domain

Wildcard Domain

Signing Certificates

Code Signing

Document Signing Certificates

S/MIME Email Certificates

Mark Certificates

Trust Services

eIDAS/PKIo

DigiCert DNS

DigiCert Store

Company

About DigiCert

Why DigiCert

Careers

Leadership

Professional Services

Corporate Resources

Blog

Events

Customer Stories

Newsroom

Webinars

YouTube Channel

Partners

Become a Partner

Channel Partner Directory

Technology Partner Directory

Cloud Partner Directory

Partner Portal

Resource Center

Reports

Datasheets

White Papers

e-Books

Solution Briefs

Videos

Infographics

Additional Resources

Blog

Customer Stories

Events

FAQs

Demos

Webinars

DigiCert Labs

Quick Links

Support

CertCentral

Trust Calendar

Vercara DNS

DigiCert Labs

QuoVadis

Valimail

Support

PKI Support

Tools

Tools: S/MIME Certificate Linter

Tools: SSL Install Diagnostics

Tools: Certificate Utility for Windows

Tools: CSR Creator

Tools: Check CSR

Tools: SSL Certificate Installation Instructor

Resources

Documentation

API Documentation

Knowledgebase

Solutions

FAQs

What is PKI?

What is an SSL Certificate?

What is SSL, TLS & HTTPS?

How TLS/SSL Works

What's the Difference Between DV, OV & EV SSL Certificates?

Contact Support

Americas

Europe, Middle East Africa

Asia Pacific, Japan

Dangling DNS Records and the Risk of Domain Hijacking

staffwriter

Sometimes, clutter builds up, even online. It's common for domains and subdomains to evolve with changing infrastructure, third-party services, and product rollouts. However, when DNS records point to decommissioned services or expired resources are left behind—unmonitored and unmanaged—they become a liability. These abandoned DNS records are not just clutter; they're attack surfaces that can potentially lead to more serious security risks, such as domain hijacking.

Because many users and security tools implicitly trust subdomains under a legitimate domain, a hijacked subdomain can bypass filters, firewalls, and user skepticism. This creates a backdoor for malicious actors without triggering traditional perimeter defenses.

The risk is amplified in organizations with complex DNS environments or frequent cloud migrations, where old services are retired, but DNS cleanup lags. Without good DNS management, organizations can have abandoned records that go undetected for extended periods.

What are Dangling DNS Records?

DNS records are like a map that directs traffic to the right location on the internet. When these records are kept up-to-date, everything works well. However, sometimes, records are improperly maintained.

A dangling DNS record (usually CNAME or A records) is an abandoned record that points to a resource or asset you no longer control. Think of it like having mail sent to your old address—the address may still be valid, but you cannot access the mail or stop the new resident from opening it. These records typically emerge when a cloud-hosted app (e.g., on AWS, Azure, GitHub, or other service) is deleted, but the DNS record pointing to it is never removed.

In this state, DNS continues to resolve the subdomain to a now-unclaimed external service, creating an opportunity for exploitation.

Why are Dangling DNS Records a Security Threat?

Dangling DNS records are easy targets because they point to resources that no longer exist, perhaps an old cloud instance or storage bucket, but can still be claimed. The DNS system doesn't verify ownership over the target resource (or if it even still exists) and will continue to blindly route traffic there. Malicious actors can easily create new resources using the same name in these abandoned records. Some of the most common risks associated with dancing DNS records include:

Subdomain Takeover: Bad actors register expired resources that abandoned records point to, hijack the subdomain, and impersonate your organization.
Reputation Damage: If attackers use the hijacked subdomain for phishing attacks or malware distribution, your business may face reputational harm or loss of customer trust.
Long-Term Exposure: Many dangling records go unnoticed for months or years, increasing the window for exploitation.

Unless security teams are actively scanning for DNS records pointing to unclaimed services, dangling records often go undetected for months or years, making them low-effort, high-reward targets for attackers.

The Role of DNS Hygiene in Dangling DNS Records

Dangling DNS records are often a symptom of poor DNS hygiene. Think of it as the digital equivalent of regular car maintenance or home repair. These small habits to maintain your digital infrastructure add up and help prevent security issues down the line. Good DNS hygiene includes:

Keeping DNS records accurate and up-to-date and removing obsolete or unused entries.
Using change approval workflows, version control, and access logs.
Using analytics and hygiene tools, monitor for resolution failures, sudden spikes in traffic, or unusual record behavior.
Implementing security controls such as Domain Name System Security Extensions (DNSSEC) and access logging.

Implementing robust DNS hygiene procedures helps organizations detect (and prevent) dangling DNS records by establishing a disciplined, proactive approach to tracking, auditing, and cleaning up DNS configurations.

What is a Subdomain Hijacking, and How Does it Relate to Dangling DNS?

A subdomain takeover is a malicious act where an attacker takes control of a legitimate subdomain, often thanks to dangling DNS records. When a subdomain's DNS entry points to a third-party service no longer in use, a threat actor can step in. They register the service and take over the subdomain. This allows the bad actor to serve malicious content using the trusted domain name. It's like finding an abandoned home with the keys left in the door.

A notable, real-world example of the risk of dangling DNS records came in 2020 when security researchers identified over 670 Microsoft subdomains vulnerable to takeover due to misconfigured DNS entries pointing to unclaimed Azure services. Some of the vulnerable subdomains included identityhelp.microsoft.com and data.teams.microsoft.com.

Once malicious actors have control of a subdomain, they can use it for various scams. Because users and security tools are likely to trust the site, it becomes ideal for impersonation or credential harvesting. Alternatively, they may utilize hijacked subdomains to host malicious websites and distribute malware.

The proliferation of subdomains used in cloud services highlights the need for robust DNS management procedures to prevent the associated security risks.

What Should You Do with Old Subdomains?

Old subdomains significantly increase the risk of dangling DNS records, especially when businesses rely on cloud services that are quick to deploy and just as easy to delete. To reduce the risk of old subdomains creating an expanded attack surface, organizations can follow these best practices:

Implement Regular Audits: Regular audits of DNS records can help identify which subdomains are still in use and which should be decommissioned.
Remove or Repoint Dangling DNS Records: If a subdomain is decommissioned, domain owners should delete the DNS record. If the subdomain is still active but the resource has moved, update the record to point to the new location.
Use Security Tools: Tools (scanners, asset inventory tools, or even free tools provided by your DNS service provider) can help detect dangling CNAME or A records that point to unclaimed third-party services.
Redirect When Necessary: If a subdomain has SEO value or is commonly bookmarked, set up a 301 redirect to a new location rather than letting it go dark.
Use a DNS Service Provider: Many DNS providers offer real-time monitoring and critical security features like DNSSEC, which helps prevent more advanced forms of DNS hijacking.

Keep Your DNS Records Clean with DNS Made Easy

Dangling DNS records may be digital clutter, but they can become active security threats overnight. A simple CNAME left behind can lead to subdomain takeover, data theft, or phishing—all under your brand's name.

Selecting a DNS provider is a critical step in adopting good DNS hygiene. DNS Made Easy helps reduce the risk of DNS-based attacks and enhances readability and availability with lightning-fast resolution, built-in security controls, and global propagation in sections.

Don't settle for less when it comes to your critical infrastructure. Explore how DNS Made Easy can elevate your DNS performance.