Registrable domains and DNS play a crucial role in establishing online identity and trust, but their importance is often taken for granted. During new service setups, record updates are often overlooked, accumulating outdated entries. As infrastructure teams become increasingly overstretched, services may be incorrectly shut down without proper cleanup, leaving behind a sprawl of records. These orphaned entries continue to delegate trust on behalf of your company, often necessarily and sometimes at a heightened risk to security
This results in DNS configuration drift—referring to the gradual changes or inconsistencies in DNS settings that occur over time due to manual updates, neglected maintenance, or misconfigurations—leading to significant cybersecurity and wider business risks. Earlier this year, we published our guide to the SubdoMailing campaign, where threat actors were abusing SPF records to authorize the sending of millions of emails disguised as legitimate domains and subdomains.
In addition to allowing attackers to impersonate your legitimate domains, leftover DNS records can leave you vulnerable to domain takeovers that can be weaponized for a range of attacks including credential theft, phishing, defacement, and malware distribution—all under the guise of your company’s trusted domains.
In this blog, we’ll discuss one particular type of threat arising from unmanaged DNS records: cookie harvesting.
How a single dangling DNS record could lead to major issues
Example.com is a platform made up of several products and features under subdomains that all share the same logged-in cookie—a common yet insecure practice unintentionally facilitated by browser settings.
An attacker notices a subdomain is no longer in use but still has a dangling CNAME pointing to the previously used hosted service. Since this service has yet to implement ownership verification – a common oversight even from the biggest providers – the attacker reclaims it, effectively taking over the subdomain.
The attacker then initiates a campaign on social media targeting the platform’s followers, luring them to the compromised subdomain to harvest their logged cookies. Users who are not already logged in are directed to the legitimate login portal. With those cookies, the attacker can now impersonate users on the platform.
Among the affected users is an admin of the platform, granting the attacker full access to all data. The attacker can then sell the data to illegitimate and bad actors, extort the company to keep the breach hidden, or blackmail individual users with kompromat found in the exfiltrated data.
While this may seem like an extreme example, it’s a real threat that happens due to poor domain estate and DNS record management, an often challenging but critical cybersecurity task.
Domain management: A complex process
Before joining Red Sift as a Customer Engineer, Antony served as an Information Security Manager at a company that had accumulated hundreds of domains over years of mergers and acquisitions. Each acquisition brought with it its own unique collection of corporate, product, brand, and marketing domains. Like most companies, all domains were set to auto-renew, but with no regular process to review which domains were still required, the inventory continued to expand unchecked.
One project Antony led was inventorying all of the organization’s domains and DNS records, identifying all assets still in use under those domains, and cleaning up records and domains that were no longer needed.
This process took countless hours of work over six months and involved:
- Finding all domains across several registrars,
- Collecting all DNS zones,
- Reviewing each record,
- Categorizing and prioritizing records,
- Identifying responsible contacts as over the years many of the original requestors had since left the company, and
- Coordinating with stakeholders to confirm which assets could be safely cleaned up or migrated.
How OnDMARC supports DNS and domain management
To streamline the challenge ahead, Antony introduced Red Sift OnDMARC into the company. OnDMARC simplifies the management of DMARC, SPF, and DKIM records, ensuring email deliverability across the organization. With OnDMARC, Antony was able to easily identify which domains were still being actively used for sending emails, detect the systems used to send those emails, and clean up outdated sources that were no longer needed, rapidly achieving ‘p=reject’ for most of the organization’s domains.
Since then, Red Sift OnDMARC has introduced DNS Guardian which uses Certificate Transparency logs (CT logs) and other proprietary sources to automatically and continuously identify dangling DNS records and hijacked subdomains.
With DNS Guardian, Antony would have been made aware of the highest risk issues immediately, allowing him to focus on remediating critical vulnerabilities as soon as possible, minimizing the risk or impact of potential exploits.
To learn more about Red Sift OnDMARC, now with DNS Guardian, get a demo today!
