Beyond DMARC: How Red Sift OnDMARC supports comprehensive DNS hygiene

Registrable domains and DNS play a crucial role in establishing online identity and trust, but their importance is often taken for granted. When new services are set up, the accompanying record updates are often overlooked, and outdated entries accumulate. As infrastructure teams become increasingly overstretched, services may be shut down without proper cleanup, leaving behind a sprawl of records. These orphaned entries continue to delegate trust on behalf of your company, often unnecessarily and sometimes at a heightened risk to security.

This results in DNS configuration drift—the gradual changes or inconsistencies in DNS settings that occur over time due to manual updates, neglected maintenance, or misconfigurations—leading to significant cybersecurity and wider business risks. Earlier this year, we published our guide to the SubdoMailing campaign, where threat actors were abusing SPF records to authorize the sending of millions of emails disguised as legitimate domains and subdomains.

In addition to allowing attackers to impersonate your legitimate domains, leftover DNS records can leave you vulnerable to domain takeovers that can be weaponized for a range of attacks including credential theft, phishing, defacement, and malware distribution—all under the guise of your company’s trusted domains.

In this blog, we’ll discuss one particular type of threat arising from unmanaged DNS records: cookie harvesting.

How a single dangling DNS record could lead to major issues

Example.com is a platform made up of several products and features under subdomains that all share the same logged-in cookie—a common yet insecure practice unintentionally facilitated by browser settings.

An attacker notices a subdomain is no longer in use but still has a dangling CNAME pointing to the previously used hosted service. Since this service has yet to implement ownership verification – a common oversight even from the biggest providers – the attacker reclaims it, effectively taking over the subdomain.

The attacker then initiates a campaign on social media targeting the platform’s followers, luring them to the compromised subdomain to harvest their logged-in cookies. Users who are not already logged in are directed to the legitimate login portal. With those cookies, the attacker can now impersonate users on the platform.

Among the affected users is an admin of the platform, granting the attacker full access to all data. The attacker can then sell the data to illegitimate and bad actors, extort the company to keep the breach hidden, or blackmail individual users with kompromat found in the exfiltrated data.

While this may seem like an extreme example, it’s a real threat that happens due to poor domain estate and DNS record management, an often challenging but critical cybersecurity task.
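The cookie sharing that makes this scenario work comes down to how a browser matches a cookie's Domain attribute against the request host. The following added example (ours, not part of the original post; all hostnames are constructed) implements the RFC 6265 domain-matching rule and contrasts a session cookie scoped to the parent domain, which the browser also sends to a reclaimed subdomain, with a host-only cookie that stays with the host that set it.

```python
# Added example (not from the original post): why a session cookie scoped to the
# parent domain reaches every subdomain, including one an attacker has reclaimed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the request host domain-matches the cookie's Domain
    if they are identical, or the host ends with '.' + domain and is not an IP."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")   # tolerate legacy 'Domain=.example.com'
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literals never domain-match
    except ValueError:
        return True

@dataclass(frozen=True)
class Cookie:
    name: str
    set_by: str                    # host that issued the Set-Cookie header
    domain: Optional[str] = None   # Domain attribute; None means host-only

def cookie_is_sent(cookie: Cookie, request_host: str) -> bool:
    """Host-only cookies go back only to the issuing host; domain cookies go to
    every host that domain-matches the attribute."""
    if cookie.domain is None:
        return request_host.lower().rstrip(".") == cookie.set_by.lower().rstrip(".")
    return domain_matches(request_host, cookie.domain)

def hosts_receiving(cookie: Cookie, hosts: List[str]) -> List[str]:
    """Which of the given request hosts the browser would attach this cookie to."""
    return [h for h in hosts if cookie_is_sent(cookie, h)]

# Constructed platform: legacy.example.com is the subdomain with the dangling CNAME.
HOSTS = ["www.example.com", "app.example.com", "legacy.example.com",
         "evil-example.com", "example.com.attacker.test"]
SHARED = Cookie("session", set_by="app.example.com", domain="example.com")
HOST_ONLY = Cookie("session", set_by="app.example.com")

if __name__ == "__main__":
    print("shared cookie reaches:", hosts_receiving(SHARED, HOSTS))
    print("host-only cookie reaches:", hosts_receiving(HOST_ONLY, HOSTS))
```

Issuing host-only session cookies per product subdomain (no Domain attribute) limits what a reclaimed sibling subdomain can receive.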

Domain management: A complex process

Before joining Red Sift as a Customer Engineer, Antony served as an Information Security Manager at a company that had accumulated hundreds of domains over years of mergers and acquisitions. Each acquisition brought with it its own unique collection of corporate, product, brand, and marketing domains. As at most companies, all domains were set to auto-renew, but with no regular process to review which domains were still required, the inventory continued to expand unchecked.

One project Antony led was inventorying all of the organization’s domains and DNS records, identifying all assets still in use under those domains, and cleaning up records and domains that were no longer needed.

This process took countless hours of work over six months and involved:

  • Finding all domains across several registrars,
  • Collecting all DNS zones,
  • Reviewing each record,
  • Categorizing and prioritizing records,
  • Identifying responsible contacts, as over the years many of the original requestors had since left the company, and
  • Coordinating with stakeholders to confirm which assets could be safely cleaned up or migrated.
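For the record-review step, a first pass that flags CNAMEs whose targets no longer exist is a practical starting point. The following added example (not Red Sift's or OnDMARC's code) parses a constructed BIND-style zone and uses a constructed resolver stub so it runs offline; in practice the resolver would be a real DNS lookup.

```python
# Added example (not Red Sift's or OnDMARC's code): flag CNAME records whose target
# no longer resolves, the dangling state that enables the takeover described above.
from typing import Callable, Dict, List, Optional, Tuple
# Constructed zone: the 'legacy' tenant was cancelled but its record was never removed.
ZONE = """\
$ORIGIN example.com.
www     300 IN A     192.0.2.10
app     300 IN CNAME app-prod.hosting.example.net.
static  300 IN CNAME cdn.example.net.
legacy  300 IN CNAME old-tenant.hosting.example.net.  ; service cancelled, record left behind
"""

# Constructed stand-in for DNS (None means NXDOMAIN); use a real resolver in production.
KNOWN_HOSTS: Dict[str, str] = {
    "app-prod.hosting.example.net.": "198.51.100.5",
    "cdn.example.net.": "203.0.113.7",
}

def stub_resolve(name: str) -> Optional[str]:
    return KNOWN_HOSTS.get(name)

def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """(owner, target) pairs for CNAMEs in a BIND-style zone; handles $ORIGIN, ';' comments, relative names."""
    origin, cnames = "", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if "CNAME" not in fields:
            continue
        owner, target = fields[0], fields[-1]
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"               # qualify relative owner
        if not target.endswith("."):
            target = f"{target}.{origin}"             # qualify relative target
        cnames.append((owner, target))
    return cnames

def find_dangling(zone_text: str, resolve: Callable[[str], Optional[str]] = stub_resolve) -> List[Tuple[str, str]]:
    """A CNAME whose target is NXDOMAIN still advertises the subdomain as belonging to a host nobody controls."""
    return [(o, t) for o, t in parse_cnames(zone_text) if resolve(t) is None]

if __name__ == "__main__":
    for owner, target in find_dangling(ZONE):
        print(f"DANGLING {owner} -> {target}")
```

A target that still resolves but has been released at the hosting provider is not caught by an NXDOMAIN check and needs a provider-specific ownership check.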

How OnDMARC supports DNS and domain management

To streamline the challenge ahead, Antony introduced Red Sift OnDMARC into the company. OnDMARC simplifies the management of DMARC, SPF, and DKIM records, ensuring email deliverability across the organization. With OnDMARC, Antony was able to easily identify which domains were still being actively used for sending emails, detect the systems used to send those emails, and clean up outdated sources that were no longer needed, rapidly achieving ‘p=reject’ for most of the organization’s domains.

Since then, Red Sift OnDMARC has introduced DNS Guardian, which uses Certificate Transparency logs (CT logs) and other proprietary sources to automatically and continuously identify dangling DNS records and hijacked subdomains.

With DNS Guardian, Antony would have been made aware of the highest risk issues immediately, allowing him to focus on remediating critical vulnerabilities as soon as possible, minimizing the risk or impact of potential exploits.

Sign up today to learn more about Red Sift OnDMARC, now with DNS Guardian!

PUBLISHED BY

Red Sift

14 Nov. 2024
