Dangling DNS records are a real security issue. Without going into too much detail about why that is, here is a quick overview of what “dangling DNS” means in the context of AWS.
If you do want to know more about the in-depth problem of dangling DNS we can highly recommend this paper by the University of Delaware and College of William and Mary.
In the context of AWS, a dangling DNS record means that a Route 53 DNS entry (resource record) still exists that pointed at an IP address in your cloud, but that IP address is not “owned” by you anymore.
As mentioned in our cloud security paper, all cloud providers make use of well-known IP address ranges, and DNS is often publicly enumerable, by design.
Technically this means that anybody can enumerate one’s DNS zone and look for entries that do not successfully resolve anymore. These are usually of the following types:
AWS currently does not provide any out of the box detection for dangling DNS records in Route 53.
These two entries, “test.argos-dev.io” and “blog.argos-dev.io”, are both (intentionally) configured as dangling entries. We assume that we once owned those IPs, but nowhere in our environment do we actually have these IPs in our pool anymore. Yes, 220.127.116.11 could technically be seen as a “false positive”, because maybe someone really wanted a domain name on top of Google DNS, but let’s ignore that for the purposes of this post.
Using the AWS CLI we can automate part of the job to find dangling records. Follow these steps for each AWS Account you own:
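The comparison the CLI steps boil down to is: collect the A records in a hosted zone, collect the public IPs the account actually holds (Elastic IPs plus instance public addresses), and report any record target the account does not hold. The script below is an added example written for this post, not ARGOS code and not taken from the original article. It parses the JSON shapes produced by `aws route53 list-resource-record-sets`, `aws ec2 describe-addresses` and `aws ec2 describe-instances`; the embedded sample documents are constructed (documentation IP ranges, `EXAMPLE` identifiers), and the AWS prefix list is a placeholder standing in for the prefixes published in https://ip-ranges.amazonaws.com/ip-ranges.json, which lets the output separate a reclaimable AWS address from the Google-DNS style false positive mentioned above. Run it with a hosted zone ID as the argument to query a live account; import it to use the functions on saved CLI output.

```python
"""Find dangling A records in a Route 53 zone from AWS CLI JSON output."""
import ipaddress
import json
import subprocess
import sys
from typing import Dict, Iterable, List, Set

# Constructed samples in the shape of the AWS CLI output (not real data).
SAMPLE_ADDRESSES = {"Addresses": [{"PublicIp": "203.0.113.5", "AllocationId": "eipalloc-EXAMPLE"}]}
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-EXAMPLE1", "PublicIpAddress": "203.0.113.6"},
    {"InstanceId": "i-EXAMPLE2"},  # instance without a public address
]}]}
SAMPLE_RRSETS = {"ResourceRecordSets": [
    {"Name": "www.example.com.", "Type": "A", "TTL": 300, "ResourceRecords": [{"Value": "203.0.113.5"}]},
    {"Name": "test.example.com.", "Type": "A", "TTL": 300, "ResourceRecords": [{"Value": "203.0.113.77"}]},
    {"Name": "blog.example.com.", "Type": "A", "TTL": 300, "ResourceRecords": [{"Value": "198.51.100.7"}]},
    {"Name": "api.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZEXAMPLE", "DNSName": "lb-EXAMPLE.elb.amazonaws.com.",
                     "EvaluateTargetHealth": False}},
    {"Name": "example.com.", "Type": "NS", "TTL": 172800, "ResourceRecords": [{"Value": "ns-EXAMPLE.awsdns.com."}]},
]}
# Placeholder standing in for the "prefixes" of ip-ranges.json (constructed, not real AWS ranges).
SAMPLE_AWS_PREFIXES = ["203.0.113.0/24"]


def owned_public_ips(addresses: dict, instances: dict) -> Set[str]:
    """Public IPs the account holds right now: Elastic IPs plus instance public addresses."""
    owned = {a["PublicIp"] for a in addresses.get("Addresses", []) if a.get("PublicIp")}
    for reservation in instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("PublicIpAddress"):
                owned.add(inst["PublicIpAddress"])
    return owned


def a_record_targets(rrsets: dict) -> Dict[str, List[str]]:
    """Literal IPv4 targets of A records. Alias records carry no IP and are skipped."""
    targets: Dict[str, List[str]] = {}
    for rr in rrsets.get("ResourceRecordSets", []):
        if rr.get("Type") != "A" or "ResourceRecords" not in rr:
            continue
        targets[rr["Name"]] = [r["Value"] for r in rr["ResourceRecords"]]
    return targets


def find_dangling(rrsets: dict, owned: Set[str], aws_prefixes: Iterable[str] = ()) -> List[dict]:
    """A record targets the account does not hold, flagged by whether they sit in an AWS range."""
    nets = [ipaddress.ip_network(p) for p in aws_prefixes]
    findings = []
    for name, ips in sorted(a_record_targets(rrsets).items()):
        for ip in ips:
            if ip in owned:
                continue
            addr = ipaddress.ip_address(ip)
            findings.append({"name": name, "ip": ip,
                             "in_aws_range": any(addr in n for n in nets)})
    return findings


def aws_json(*args: str) -> dict:
    """Run one AWS CLI command and parse its JSON output (uses the caller's credentials)."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: dangling.py <hosted-zone-id>  (repeat for every account you own)")
    rrsets = aws_json("route53", "list-resource-record-sets", "--hosted-zone-id", sys.argv[1])
    owned: Set[str] = set()
    # EC2 resources are regional, so gather the owned IPs from every enabled region.
    for region in aws_json("ec2", "describe-regions")["Regions"]:
        name = region["RegionName"]
        owned |= owned_public_ips(aws_json("ec2", "describe-addresses", "--region", name),
                                  aws_json("ec2", "describe-instances", "--region", name))
    for f in find_dangling(rrsets, owned):
        print(f"DANGLING {f['name']} -> {f['ip']}")
```

Records found "in AWS range" deserve attention first: an address in an AWS pool can be reassigned to any other customer, whereas an address outside AWS (the Google DNS case above) is at worst a stale pointer. Records with more than one target are reported once per unowned IP.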
Instead of doing this manually, why not use a service like ARGOS that does this automatically and continuously for you?
Identification of this issue is already covered by ARGOS, and once set up, ARGOS can send you a message like this in your Slack channel.
If you have not signed up for ARGOS yet, why not spend a few minutes (seriously, minutes!) to sign up for our free trial and see whether you have any dangling AWS DNS entries in your Route 53?
Sign up at https://argos-security.io