Skip to main content

Please log into UltraDNS for full Help Center and Community access

Dangling DNS Records Report

Updated

The Dangling DNS Records Report is designed to scan for and identify hidden security gaps caused by a Dangling DNS (CNAME) record, which occurs when a CNAME points to a resource that is no longer active or claimed.

Dangling DNS Records occur when a domain's DNS record points to a resource that no longer exists or is incorrectly configured. This can happen when services (like hosting or email servers) are moved or deleted, but the DNS records are not updated accordingly. As a result, users or applications trying to access the domain can encounter errors or downtime because they are directed to non-existent or outdated resources. This can most commonly occur when CNAME records are not updated accordingly.

 

The Dangling DNS Records Report can't be run for domains with more than 20,000 records.

 

Additional details can be found on our Dangling DNS Records blog.

 

Dangling DNS Records Report

Click the Run Report button to start the Dangling DNS Records report. A toaster message appears when the report is complete, and any identified Dangling DNS records are displayed.

 

Dangling_DNS_Records-Overview.png

 

The Dangling DNS Records results page displays the following details for your domain, allowing filtering and sorting options for the Host and Record details.

  • Host - The host name for the record being identified as a Dangling DNS record.
  • Record Type - Indicates the Record Type that is identified as dangling. Record types include A, AAAA, and CNAME.
  • Points To - The destination that the record in question is currently configured to resolve to.
  • Description - The reason why the record is being flagged as a Dangling DNS record. A brief hover-over explanation provides additional details as to why the record is flagged. The Description field may also contain the Ultimate Target details, which identify the final resolved destination during the lookup.

 

Dangling_DNS_Records-Hover_Over.png

 

Additional Dangling DNS Records Details

Why would the "Points To" match the "Ultimate Target" value?

CNAME Chain Misconfiguration: In some cases, you might have a CNAME record pointing to another domain (e.g., www.example.com CNAME anotherdomain.com). If the "anotherdomain.com" is misconfigured, the lookup could fail. However, the "points to" could still show as the CNAME target, and after trying to resolve the CNAME (which doesn't lead to a valid IP or domain), the "ultimate target" might match the same as the "points to" if it points back to an invalid or non-existent domain.

Broken Redirection: If there are DNS records where the "points to" is pointing to a target that ultimately fails to resolve (for example, an outdated or incorrect IP address in an A record, or a CNAME that points to a now-deleted domain), the "ultimate target" can end up being the same as the "points to." This is because DNS resolution fails to find a new valid target and essentially loops back or settles on the original reference (which might still be pointing to a non-functioning resource).

Misconfigured Alias: A record might be configured as an alias (e.g., a CNAME) pointing to a domain that is now non-existent or improperly configured. If the ultimate target is still resolved to the same domain, the "points to" and "ultimate target" will show the same — even though they don't actually lead to a working resource.

Let's look at an example with a CNAME:

  1. www.example.com CNAME oldwebsite.com (this is the DNS record)
  2. oldwebsite.com no longer exists or has been deleted.
  3. Here, "points to" is oldwebsite.com (because of the CNAME record).
  4. The "ultimate target" might also be oldwebsite.com since the DNS resolution could end up in a loop or invalid state, and the lookup never progresses beyond this CNAME.

In this case, both the "points to" and the "ultimate target" match because DNS resolution has no further valid target to resolve to, leaving the lookup stuck at the original CNAME record.

CNAME Loop

A common issue found in Dangling DNS Records is a CNAME Loop. A CNAME Loop refers to an instance where 2 or more CNAME records point to each other, creating an endless cycle of redirection. This loop prevents DNS resolution from reaching an endpoint and can result in the failure to resolve the domain name to an IP address, causing the DNS query to never complete successfully.

Consequences of a CNAME Loop:

  • Resolution Failure: The most immediate consequence is that users trying to visit the domain will not be able to access the site, as the DNS query will never resolve.
  • Increased Latency: The resolver might keep retrying the query, adding unnecessary load to the DNS infrastructure.
  • Potential Downtime: This can lead to downtime for the domain, as it prevents users from reaching the website or service.
  • Error Messages: Users may encounter error messages like "This site can’t be reached" or "DNS_PROBE_FINISHED_NXDOMAIN", indicating a DNS resolution failure.

Related to

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles