Dangling CNAME Detection
What This Check Does
The Dangling CNAME Detection check identifies CNAME records in your DNS zone whose target hostnames do not resolve to any IP address. These 'dangling' CNAMEs often point to decommissioned services, expired cloud resources, or deleted third-party platforms — and they represent a serious security vulnerability known as subdomain takeover.
DNS Spy resolves the target of every CNAME record in your zone. If any target fails to resolve, the CNAME is flagged as dangling.
Why It Matters
Subdomain takeover is one of the most exploited DNS vulnerabilities today. When a CNAME record points to a service that no longer exists (e.g., a deleted Heroku app, an expired Azure resource, or a decommissioned S3 bucket), an attacker can claim that resource and serve their own content on your subdomain. This allows them to host phishing pages, steal cookies, or serve malware — all under your domain's trusted reputation.
Dangling CNAMEs are particularly dangerous because they often go unnoticed for months or years. Teams decommission services without cleaning up DNS records, creating silent vulnerabilities. Regular automated scanning is essential to catch these before attackers do.
Good vs. Bad Configuration
Bad Configuration
blog.example.com CNAME old-app.herokuapp.com — The Heroku app was deleted months ago, but the CNAME still exists. An attacker could create a new Heroku app with this name and take over your subdomain.
Good Configuration
All CNAME records point to active, resolvable targets. When services are decommissioned, the corresponding DNS records are promptly removed. Example: blog.example.com CNAME example.ghost.io — The Ghost blog is active and resolving.
How DNS Spy Monitors This
DNS Spy's enterprise monitoring resolves the target of every CNAME record in your zone during each cycle. If any target fails to resolve, an alert is triggered immediately with details about the dangling CNAME and the risk it poses. This continuous scanning catches dangling CNAMEs as soon as they appear, giving you time to remediate before attackers can exploit them.
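The check described under "What This Check Does" and "How DNS Spy Monitors This" is simple enough to reproduce for your own zone files. The script below is an added example, not DNS Spy's code: it parses CNAME records out of BIND-style zone text, resolves each target, and reports every target that yields no address. The zone contents and the answer table it runs against are constructed for the example (the blog.example.com record mirrors the bad configuration above); pass resolve=system_resolve to query the operating system resolver instead of the table.

```python
"""Dangling CNAME check (added example; not DNS Spy's implementation).

Resolve the target of every CNAME in a zone and flag targets that do not
resolve to any address, which is the condition the page calls 'dangling'.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class CnameRecord:
    owner: str   # the name in your zone, e.g. blog.example.com
    target: str  # where the CNAME points, e.g. old-app.herokuapp.com


@dataclass
class Finding:
    owner: str
    target: str
    reason: str


def system_resolve(hostname: str) -> Optional[list[str]]:
    """Resolve with the OS resolver (follows CNAME chains); None on failure."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def parse_zone_cnames(zone_text: str) -> list[CnameRecord]:
    """Extract CNAMEs from lines of the form 'owner [ttl] [IN] CNAME target'.

    Comments (';' to end of line) and non-CNAME records are skipped; names
    are lower-cased and the trailing dot removed so they compare cleanly.
    """
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # malformed line: no owner or no target
        owner = fields[0].rstrip(".").lower()
        target = fields[idx + 1].rstrip(".").lower()
        records.append(CnameRecord(owner, target))
    return records


def find_dangling(records: list[CnameRecord],
                  resolve: Callable[[str], Optional[list[str]]] = system_resolve
                  ) -> list[Finding]:
    """Return one Finding per CNAME whose target resolves to no address."""
    findings = []
    for rec in records:
        addrs = resolve(rec.target)
        if not addrs:
            findings.append(Finding(rec.owner, rec.target,
                                    "target does not resolve to any address"))
    return findings


# Constructed sample zone; these are not real records.
SAMPLE_ZONE = """\
; constructed sample zone for the example
blog.example.com.   3600 IN CNAME old-app.herokuapp.com.  ; app deleted months ago
www.example.com.    3600 IN CNAME example.ghost.io.
docs.example.com.        IN CNAME docs-site.example.net.
api.example.com.    300  IN A     192.0.2.10
"""

# Constructed answer table standing in for the resolver, so the example
# runs offline. old-app.herokuapp.com is deliberately absent (NXDOMAIN).
CONSTRUCTED_ANSWERS = {
    "example.ghost.io": ["192.0.2.20"],
    "docs-site.example.net": ["2001:db8::1"],
}


def table_resolve(hostname: str) -> Optional[list[str]]:
    return CONSTRUCTED_ANSWERS.get(hostname)


def run_check_offline() -> list[Finding]:
    """Run the check over SAMPLE_ZONE using the constructed answer table."""
    return find_dangling(parse_zone_cnames(SAMPLE_ZONE), resolve=table_resolve)


if __name__ == "__main__":
    for f in run_check_offline():
        print(f"DANGLING {f.owner} -> {f.target}: {f.reason}")
```

Running it offline reports only blog.example.com, whose target old-app.herokuapp.com gets no answer. Note the scope of what a resolution check can see: it catches targets that return NXDOMAIN, which is the case the page describes. A target that still resolves because the hosting provider answers for every hostname under its domain, while the resource behind it has been deleted, is not distinguishable by resolution alone, so treat this check as one signal alongside the service-decommissioning cleanup the page recommends.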