DNS-006 recommended Domain Management

Unused domains and subdomains identified

Stale DNS records and unused domains/subdomains are identified and cleaned up. Dangling CNAMEs and unused subdomains are subdomain takeover risks.

Question to ask

"Any domains you're paying for that point to a server that no longer exists?"

What to check

  • List all DNS records for each domain
  • Identify records pointing to decommissioned infrastructure
  • Check for dangling CNAMEs (target no longer resolves)
  • Identify domains with no active use

Verification guide

Severity: Recommended

Stale DNS records are subdomain takeover risks. A CNAME pointing to a decommissioned Heroku app or S3 bucket can be claimed by an attacker who registers the same app or bucket name on that service; traffic to your subdomain then lands on content they control. Note that for these hosted services the CNAME target usually still resolves (it is the provider's shared endpoint), so "does it resolve" alone does not prove the record is safe.

Check automatically:

  1. List all DNS records (requires API access):
# Cloudflare
curl -X GET "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records?per_page=100" \
  -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result[] | {type, name, content, proxied}'
  2. Check for dangling CNAMEs:
# For each CNAME record, get its target
dig CNAME subdomain.example.com +short
# Then check whether the target still resolves; empty output means it does not
dig A <target> +short
# status: NXDOMAIN in the header confirms the target name is gone
dig A <target> +noall +comments | grep status
  3. Check for known takeover-vulnerable services:
# Common patterns for subdomain takeover
# - CNAME to *.herokuapp.com (app deleted)
# - CNAME to *.s3.amazonaws.com (bucket deleted)
# - CNAME to *.github.io (repo deleted)
# - CNAME to *.azurewebsites.net (app deleted)
# These targets normally still resolve because the endpoint is shared, so
# also fetch the subdomain over HTTP and look for the provider's
# "no such app / bucket / site" response before marking the record as in use.
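
The three steps above can be run over a record export in one pass. The script below is an added example for this checklist item, not code from the original page: it takes records in the shape the Cloudflare + jq command produces (type, name, content), flags CNAMEs whose target no longer resolves as dangling, and flags CNAMEs into the hosted services listed above for manual review, since those targets keep resolving after the tenant resource is deleted. The resolver is pluggable so the demo runs offline against constructed sample records; pass `system_resolves` for a live run. All hostnames in the sample data are placeholders.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Iterable

# Hosted services whose shared endpoint keeps resolving after the tenant
# resource (app, bucket, site) is deleted. A CNAME into one of these is not
# proven safe by DNS resolution alone; the service itself must be checked.
TAKEOVER_PRONE_SUFFIXES = (
    ".herokuapp.com",
    ".s3.amazonaws.com",
    ".github.io",
    ".azurewebsites.net",
)

Resolver = Callable[[str], bool]  # hostname -> does it resolve to an address?


def normalize(hostname: str) -> str:
    """Strip the trailing dot and lower-case so targets compare reliably."""
    return hostname.rstrip(".").lower()


def system_resolves(hostname: str) -> bool:
    """Live check via the OS resolver (needs network)."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def make_fake_resolver(known_hosts: Iterable[str]) -> Resolver:
    """Offline stand-in for system_resolves, for tests and dry runs."""
    known = {normalize(h) for h in known_hosts}
    return lambda hostname: normalize(hostname) in known


@dataclass
class Finding:
    name: str    # record owner, e.g. blog.example.com
    target: str  # CNAME target
    status: str  # "dangling" | "review" | "ok"
    reason: str


def audit_cnames(records, resolves: Resolver = system_resolves) -> list[Finding]:
    """Classify every CNAME in a record export (dicts with type/name/content)."""
    findings = []
    for rec in records:
        if rec["type"].upper() != "CNAME":
            continue
        name, target = normalize(rec["name"]), normalize(rec["content"])
        if not resolves(target):
            findings.append(Finding(name, target, "dangling",
                                    "target hostname does not resolve; candidate for takeover"))
        elif any(target.endswith(s) for s in TAKEOVER_PRONE_SUFFIXES):
            findings.append(Finding(name, target, "review",
                                    "hosted-service target still resolves; verify the app/bucket/site exists"))
        else:
            findings.append(Finding(name, target, "ok", "target resolves"))
    return findings


def summarize(records, findings) -> dict:
    """Numbers for the 'Evidence to capture' list."""
    return {
        "total_records": len(records),
        "cname_records": len(findings),
        "dangling": sorted(f.name for f in findings if f.status == "dangling"),
        "review": sorted(f.name for f in findings if f.status == "review"),
    }


# Constructed sample export (placeholder names, not real infrastructure).
SAMPLE_RECORDS = [
    {"type": "A", "name": "example.com", "content": "203.0.113.10"},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com."},
    {"type": "CNAME", "name": "old-app.example.com", "content": "old-app-1234.herokuapp.com"},
    {"type": "CNAME", "name": "assets.example.com", "content": "assets-example.s3.amazonaws.com"},
    {"type": "CNAME", "name": "legacy.example.com", "content": "legacy.decommissioned-host.example.net"},
]

# Offline resolver for the demo: the apex and the provider endpoints exist,
# the decommissioned host does not.
DEMO_RESOLVER = make_fake_resolver([
    "example.com", "old-app-1234.herokuapp.com", "assets-example.s3.amazonaws.com",
])

if __name__ == "__main__":
    results = audit_cnames(SAMPLE_RECORDS, DEMO_RESOLVER)
    for f in results:
        print(f"{f.status:8} {f.name} -> {f.target}: {f.reason}")
    print(summarize(SAMPLE_RECORDS, results))
```

Anything reported as "dangling" is a finding on its own; anything reported as "review" needs the HTTP check from step 3 before it can be marked in use, and the summary dict is what goes into the evidence section of the report.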

Ask user:

  • "Are there any domains you're not actively using?"
  • "When was the last time someone cleaned up DNS records?"
  • "Are there any subdomains from decommissioned projects?"

Pass criteria:

  • DNS records reviewed within last 6 months
  • No dangling CNAMEs to decommissioned services
  • Unused domains/subdomains documented or removed

Fail criteria:

  • DNS records never reviewed
  • Dangling CNAMEs found (subdomain takeover risk)
  • Domains pointing to infrastructure that no longer exists

Evidence to capture:

  • Total DNS record count per domain
  • Any dangling or suspicious records found
  • Unused domains/subdomains identified

Section

20. Domain & Email Infrastructure