Skip to main content
KBY Technologies Logo
cd ../incident-runbooks
sys/runbooks/dns-cname-records-pointing-to-deprovisioned-azure-aws-resources-creating-subdomain-takeover-vulnerabilities.md
Cloud DNS Securityhigh severity

DNS CNAME records pointing to deprovisioned Azure/AWS resources creating subdomain takeover vulnerabilities

Severity
high
Reviewed
18 Jul 2026
Target time
~15 minutes

01 Incident diagnostics

The Symptom
A marketing microsite or staging subdomain (e.g. promo.company.com) starts serving unrelated content, a parking page, or an obvious phishing clone. Security scanners flag valid TLS certificates issued for the subdomain that your team never requested. Some cases surface only as a generic Azure 404 'Web App Not Found' page or an S3 'NoSuchBucket' XML error visible to customers.
Detection
Export the zone and grep for provider default suffixes: for f in $(az network dns record-set cname list --resource-group rg-dns --zone-name company.com --query "[].cname" -o tsv); do dig +short $f; done | grep -E 'azurewebsites.net|cloudapp.net|blob.core.windows.net|s3.amazonaws.com|elb.amazonaws.com'. A CNAME resolving to NXDOMAIN, a generic 404, or a bucket 'NoSuchBucket' response confirms an orphaned pointer with no matching live resource.
Root Cause
Azure App Service hostnames and AWS S3 bucket names are allocated from a shared, tenant-independent namespace. Deleting the resource releases the name back into that pool without touching the CNAME record in your DNS zone, because the decommission workflow (az webapp delete, aws s3 rb) has no coupling to the DNS provider. Any subsequent tenant, including an attacker, can then provision an identically named resource and inherit incoming traffic for that CNAME with zero domain-ownership validation.
Prevention
Couple DNS record deletion to the same Terraform/Bicep apply that tears down the resource, using explicit depends_on so azurerm_dns_cname_record or aws_route53_record is destroyed in the identical plan. Run a daily dnsx-based dangling-CNAME sweep against the exported zone file in CI, alerting on any record resolving to NXDOMAIN or a provider 'not found' response. Maintain a CMDB tag mapping each DNS record to its owning resource ID so decommission tickets are blocked until the linked record is confirmed removed.
Blast Radius
  • Any dangling CNAME can be claimed to host phishing content served over a trusted company subdomain, inheriting SameSite cookie scope and bypassing CSP domain allowlists that trust *.company.com
  • Let's Encrypt HTTP-01 validation succeeds against the hijacked subdomain, producing a fully valid HTTPS certificate for the attacker's content
  • OAuth redirect URIs or SAML ACS endpoints referencing the abandoned subdomain become viable token-theft targets if still whitelisted in app registrations
  • Decommissioned marketing microsites, PoC environments, and vendor-integration subdomains are the highest-frequency source, since they are deleted without a DNS cleanup ticket
03

Apply the intervention

Before you execute

Confirm the incident scope, obtain approved privileged access, and capture the current configuration before applying changes.

Potentially destructive change. Confirm scope, backup and rollback access before copying these commands.

Fix commands and configuration

1. Inventory CNAME targets against live resources: az network dns record-set cname list --resource-group rg-dns --zone-name company.com -o table 2. Confirm the Azure resource no longer exists: az resource show --ids /subscriptions//resourceGroups//providers/Microsoft.Web/sites/ 2>&1 | grep -i 'ResourceNotFound' 3. For AWS zones, list CNAMEs and probe bucket status: aws route53 list-resource-record-sets --hosted-zone-id --query "ResourceRecordSets[?Type=='CNAME']" && aws s3api head-bucket --bucket 4. Delete the orphaned record immediately: az network dns record-set cname delete --resource-group rg-dns --zone-name company.com --name promo --yes 5. AWS equivalent: aws route53 change-resource-record-sets --hosted-zone-id --change-batch file://delete-cname.json 6. If the record must be preserved for continuity, reclaim the namespace defensively before publishing: az webapp create --resource-group rg-dns --plan asp-holding --name --runtime "NODE|18-lts", or aws s3api create-bucket --bucket --region
04

Verify, roll back or escalate

Verify recovery

Repeat the detection checks after the intervention and confirm that the original symptom no longer occurs.

Rollback

Stop if impact increases. Restore the captured pre-change configuration or approved backup, then reassess before retrying.

Escalate when

Escalate to the platform owner or security incident lead when recovery is unavailable, scope is uncertain, or privileged access cannot be verified.

After recovery

Prevent recurrence and continue investigating

Related material stays below the operational procedure so it cannot distract from containment and recovery.