Managing DNS records can be a slow and cumbersome process. Most often, you’re stuck maintaining them using the web interface provided by the DNS vendor. The more domains and DNS records you manage, the higher the probability that one or more entries will be neglected. Here’s why it’s important to keep your DNS records current and prevent a subdomain takeover attack.
What is a subdomain takeover attack?
A DNS record becomes stale when the resource it points to is no longer under your control. The A record is the most common type of these "dangling" DNS misconfigurations found in the wild. DNS A records that point to an IP address belonging to a hosting service with a high turnover rate, such as Digital Ocean or Linode, are much more susceptible to a subdomain takeover attack.
For example, you may have set up a test copy of your web site under the subdomain test.example.com and created a DNS A record pointed at a Linode VM, but forgot to delete the DNS record after completing your test and destroying the VM.
The hosting company is going to reallocate that IP address to another resource in the near future. If the new owner of the IP address has ill intentions, your domain’s reputation is in danger.
How is a stale DNS record discovered?
To exploit a stale DNS record, the attacker has to do a bit of fishing. The first step is to create a virtual machine, which will be allocated an IP address.
The second step is to set up a web server and monitor web traffic. A basic out-of-the-box web site configuration is all that is needed, because the attacker doesn't care what web page is served up; they only care about what shows up in the logs.
Once the VM and web server are up and running, they simply monitor the logs and wait for something to pop up. All it takes is one request, whether from a bot, a probe, or a random Google search, for the attacker to discover the subdomain pointed at their IP address.
With VMs costing as little as $5 per month, it’s quite easy for an attacker to spin up several VMs and leave them monitoring multiple IP addresses for a few days. If the web server logs don't show any hits after a few days, they simply destroy the VM, create a new one, and move on to another IP.
How is a stale DNS record exploited?
Now that the attacker has access to a web server receiving traffic directed at one of your subdomains, they can set up their own web site that piggybacks on the reputation of your domain. The first thing they will do is create a free SSL certificate using a service like Let’s Encrypt. This increases the legitimacy of whatever content they decide to host.
Next, they’ll upload the contents of the web site that will be masquerading under your subdomain. For example, they could create a form that mimics your web site to trick visitors into entering personal information. The unsuspecting visitors will have no idea the information they submit is being delivered to a nefarious third party.
Another thing they could do is upload a slew of spammy content, verify the subdomain with Google, and submit it for indexing. Anyone searching on Google will see the subdomain as reputable and is therefore more likely to click on the results that appear during their search.
How to keep DNS records from going stale
The solution is to regularly audit your DNS records and identify any subdomains that are no longer in use. Before you delete them, however, make sure the subdomain isn’t already being exploited. If it is, it may be necessary to repoint the record to an IP you control to reclaim ownership of the subdomain.
The final step is to delete any stale DNS records that you find during your audit.
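To make the audit step concrete, here is an added example in Python that is not part of the original article: it parses a constructed BIND-style zone file and flags every A record whose address falls outside the address ranges you still own, which are the records to review (and then repoint or delete). The zone contents, the owned ranges, and the names OWNED_NETWORKS, parse_a_records and find_dangling are all assumptions made for this example.

```python
import ipaddress

# Constructed inventory of addresses we still control (hypothetical values; in
# practice export this from your cloud and hosting accounts).
OWNED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/28"),    # hypothetical production range
    ipaddress.ip_network("198.51.100.42/32"),  # hypothetical VM still in service
]

# Constructed BIND-style zone for example.com (not a real zone).
ZONE = """$ORIGIN example.com.
@        IN  A      203.0.113.5
www      IN  A      203.0.113.5
api      IN  A      198.51.100.42
test     IN  A      192.0.2.77       ; VM destroyed after the test, record forgotten
staging  IN  A      203.0.113.250    ; outside every range we own
mail     IN  MX 10  mail.example.com.
blog     IN  CNAME  www.example.com.
"""

def parse_a_records(zone_text):
    """Yield (fqdn, ip) for each A record; handles $ORIGIN, '@' and ';' comments."""
    origin = ""
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()          # drop comment, tokenise
        if fields and fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".")
            continue
        # Layout is: name [ttl] [class] TYPE rdata, so TYPE is second to last.
        if len(fields) < 3 or fields[0].startswith("$") or fields[-2] != "A":
            continue
        name = fields[0]
        if name == "@":
            fqdn = origin
        elif name.endswith("."):                        # already absolute
            fqdn = name.rstrip(".")
        else:                                           # relative to $ORIGIN
            fqdn = f"{name}.{origin}"
        yield fqdn, ipaddress.ip_address(fields[-1])

def find_dangling(zone_text, owned_networks):
    """Return [(fqdn, ip)] for A records pointing outside the networks we own.
    Each hit is a takeover candidate: check what the IP serves before deleting."""
    return [
        (fqdn, str(ip))
        for fqdn, ip in parse_a_records(zone_text)
        if not any(ip in net for net in owned_networks)
    ]

if __name__ == "__main__":
    for fqdn, ip in find_dangling(ZONE, OWNED_NETWORKS):
        print(f"DANGLING {fqdn} -> {ip}: not in inventory, review before deleting")
```

Run against the constructed zone, it reports test.example.com and staging.example.com, the two records whose addresses no longer match anything in the inventory.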
Another solution that helps is to enable Google Search Console for your domains and configure it to alert you if anyone claims authority over one of your subdomains.