TL;DR: Dangling DNS records that point to decommissioned cloud services can let attackers take over trusted subdomains, bypass perimeter controls, and use an organisation’s own domain for phishing or malware delivery, according to DigiCert. The core issue is identity and ownership drift: records outlive the assets they were meant to represent, so governance fails before detection does.
NHIMG editorial — based on content published by DigiCert: Dangling DNS Records and the Risk of Domain Hijacking
By the numbers:
- Over 670 Microsoft subdomains were found vulnerable to takeover due to misconfigured DNS entries pointing to unclaimed Azure services.
Questions worth separating out
Q: How should security teams prevent dangling DNS records from creating takeover risk?
A: Security teams should tie DNS record retirement to the same workflow that decommissions the underlying service.
Q: Why do dangling DNS records create more risk than simple broken links?
A: Because they preserve organisational trust after the asset has gone.
Q: What signs show that DNS hygiene has drifted out of control?
A: Look for records that point to retired cloud services, unexplained resolution failures, subdomains with no clear owner, and changes that are not tied to an approved decommissioning workflow.
Practitioner guidance
- Bind DNS cleanup to service decommissioning: require DNS record removal or repointing as a mandatory step in cloud service retirement, subdomain migration, and third-party offboarding.
- Scan for unclaimed or orphaned DNS targets: use inventory and monitoring tools to detect CNAME and A records that resolve to decommissioned services, expired cloud resources, or external targets no longer under organisational control.
- Treat subdomains as governed assets: assign clear ownership, review cadence, and logging for every subdomain, including marketing, product, and integration endpoints.
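The scan and ownership checks above can be expressed as a small audit over a zone export. The block below is an added example, not code from DigiCert or NHIMG: it parses a constructed BIND-style zone export, flags CNAME records whose targets no longer resolve (with extra emphasis when the target sits on an illustrative list of cloud-provider suffixes where released names can be re-registered), flags A records pointing at addresses missing from the IP inventory, and flags subdomains with no registered owner. The resolver, IP inventory and owner registry are stand-ins for a live resolver, a cloud asset inventory and a CMDB.

```python
"""Audit a DNS zone export for records that have drifted away from their assets.

Added example (not DigiCert's or NHIMG's code). All inputs below are constructed:
the zone export, the stub resolver table, the IP inventory and the owner registry.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Illustrative provider suffixes: an unresolvable CNAME target under one of these
# usually means the resource was released and the hostname could be claimed again.
CLAIMABLE_SUFFIXES = (
    "cloudapp.azure.com",
    "azurewebsites.net",
    "trafficmanager.net",
    "s3.amazonaws.com",
    "github.io",
)


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    target: str
    reason: str


def parse_zone(zone_text: str) -> List[Record]:
    """Parse 'name TTL IN TYPE target' lines; comments and blank lines are skipped."""
    records: List[Record] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        name, rtype, target = parts[0].rstrip("."), parts[3].upper(), parts[4].rstrip(".")
        if rtype in ("CNAME", "A"):
            records.append(Record(name, rtype, target))
    return records


def on_claimable_suffix(hostname: str) -> bool:
    """True when hostname is, or is under, one of the illustrative provider suffixes."""
    return any(hostname == s or hostname.endswith("." + s) for s in CLAIMABLE_SUFFIXES)


def find_dangling(
    records: List[Record],
    resolve: Callable[[str], Optional[str]],
    owned_ips: Set[str],
    owners: Dict[str, str],
) -> List[Finding]:
    """Return one Finding per drift condition: unresolvable CNAME target,
    A record outside the IP inventory, or subdomain without an owner."""
    findings: List[Finding] = []
    for rec in records:
        if rec.rtype == "CNAME" and resolve(rec.target) is None:
            reason = "CNAME target does not resolve"
            if on_claimable_suffix(rec.target):
                reason += " and is on a claimable provider suffix"
            findings.append(Finding(rec.name, rec.rtype, rec.target, reason))
        elif rec.rtype == "A" and rec.target not in owned_ips:
            findings.append(Finding(rec.name, rec.rtype, rec.target,
                                    "A record points outside the IP inventory"))
        if rec.name not in owners:
            findings.append(Finding(rec.name, rec.rtype, rec.target, "no registered owner"))
    return findings


# Constructed zone export: two healthy records, one retired Azure app, one stale A record.
ZONE = """
; constructed zone export for example.com
www           300 IN A     198.51.100.10
shop          300 IN CNAME shop-prod.azurewebsites.net.
promo2019     300 IN CNAME promo2019-app.cloudapp.azure.com.
docs          300 IN CNAME example-docs.github.io.
legacy-api    300 IN A     203.0.113.77
"""

# Constructed stand-in for a live resolver: hostnames missing here return None (NXDOMAIN).
RESOLVABLE = {
    "shop-prod.azurewebsites.net": "198.51.100.20",
    "example-docs.github.io": "198.51.100.30",
}
OWNED_IPS = {"198.51.100.10"}                      # constructed IP inventory
OWNERS = {"www": "web-team", "shop": "commerce",    # constructed owner registry
          "docs": "devrel", "legacy-api": "platform"}


def stub_resolve(hostname: str) -> Optional[str]:
    return RESOLVABLE.get(hostname)


def audit() -> List[Finding]:
    """Run the audit over the constructed inputs."""
    return find_dangling(parse_zone(ZONE), stub_resolve, OWNED_IPS, OWNERS)


if __name__ == "__main__":
    for f in audit():
        print(f"{f.name:<12} {f.rtype:<6} {f.target:<40} {f.reason}")
```

Each finding maps to a governance action rather than a fix in isolation: an unresolvable CNAME on a provider suffix should be removed or repointed through the decommissioning workflow, an A record outside the inventory needs its address reconciled or the record retired, and a record with no owner cannot be reviewed at all until one is assigned.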
What's in the full article
DigiCert's full blog post covers the operational detail this post intentionally leaves for the source:
- Concrete examples of how CNAME and A records become dangling after cloud retirement
- Practical DNS hygiene steps for scanning, repointing, and removing obsolete records
- The subdomain takeover scenario explained in the context of user trust and phishing risk
- DNSSEC and logging considerations for teams managing exposed public namespaces