Dangling CNAME Report


Dangling CNAMEs are CNAMEs in your authoritative zone that point to third-party resources that no longer exist; an adversary who re-registers such a resource can reuse it for a subdomain takeover.


This concern has come up a few times, so this basic solution is what I came up with, working within the confines of the Infoblox NIOS Reporting platform:


High level: 


  • CSV export all CNAMEs from a zone via GUI or API
  • Upload this CSV file to Reporting as a lookup and add a lookup definition
  • Load the Dangling CNAMEs dashboard


This will provide a report of all CNAMEs in a zone that fail to resolve to an IP address.


This could be run as a scheduled report to keep the results automatically updated and also trigger alerts and/or send an email with the results.


There are some issues. One is keeping the list of CNAMEs current: this requires periodic updating, and there is no API or other automatic method to push the list into Reporting. The other is that the available dnslookup Splunk script only looks up A records. If a CNAME happens to point to a name that only has a TXT record, for example, it will not resolve and will therefore show up on the list of unresolved CNAMEs in the report.
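The two limitations above (A-only lookups, and an exported list that has to be re-checked) are easier to see with a stand-alone check. The following Python is an added example, not part of this post or of the Infoblox product: it parses an export in the record:cname CSV layout (it assumes the export columns fqdn* and canonical_name), resolves each target through an injected resolver, and separates targets that no longer exist (NXDOMAIN, the real dangling case) from targets that exist but carry no A/AAAA record (the TXT-only false positive described above). The CSV rows and the DNS answers are constructed so the script runs offline.

```python
import csv
import io
from typing import Callable, Dict, Iterator, List, Optional, Set, Tuple

# Constructed sample in the layout of an Infoblox CSV export of record:cname
# (the column names fqdn* and canonical_name are assumed to match the export).
# All names are made up.
SAMPLE_EXPORT = """header-cnamerecord,fqdn*,_new_fqdn,canonical_name
cnamerecord,www.example.test,,web-app.cloud-provider.test
cnamerecord,old-blog.example.test,,retired-tenant.hosting.test
cnamerecord,dkim._domainkey.example.test,,dkim-selector.mailer.test
cnamerecord,api.example.test,,api-lb.cloud-provider.test
"""

# Constructed DNS answers for the targets above. None models NXDOMAIN (the
# name does not exist at all); a set models NOERROR with those record types.
FAKE_ANSWERS: Dict[str, Optional[Set[str]]] = {
    "web-app.cloud-provider.test": {"A"},
    "retired-tenant.hosting.test": None,
    "dkim-selector.mailer.test": {"TXT"},
    "api-lb.cloud-provider.test": {"AAAA"},
}

# A resolver maps a name to the set of record types it has, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[Set[str]]]


def fake_resolver(name: str) -> Optional[Set[str]]:
    """Offline stand-in for a real resolver; answers only from FAKE_ANSWERS."""
    return FAKE_ANSWERS.get(name.rstrip(".").lower())


def parse_cname_export(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (owner, target) pairs from the export, skipping non-record rows."""
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("header-cnamerecord", "").strip().lower() != "cnamerecord":
            continue
        owner = row["fqdn*"].strip().rstrip(".").lower()
        target = row["canonical_name"].strip().rstrip(".").lower()
        yield owner, target


def classify(target_types: Optional[Set[str]]) -> str:
    """Split 'does not resolve to an address' into the two cases that matter."""
    if target_types is None:
        return "DANGLING"      # NXDOMAIN: the target is gone, escalate this one
    if target_types & {"A", "AAAA"}:
        return "RESOLVES"      # has an address; the A-only Splunk check passes
    return "NO_ADDRESS"        # exists with e.g. TXT only; a Splunk false positive


def audit_cnames(export_text: str, resolve: Resolver) -> Dict[str, Dict[str, str]]:
    """Classify every CNAME in the export using the supplied resolver."""
    results: Dict[str, Dict[str, str]] = {}
    for owner, target in parse_cname_export(export_text):
        results[owner] = {"target": target, "status": classify(resolve(target))}
    return results


def dangling_only(results: Dict[str, Dict[str, str]]) -> List[str]:
    """The names worth escalating: targets that no longer exist."""
    return sorted(o for o, r in results.items() if r["status"] == "DANGLING")


if __name__ == "__main__":
    report = audit_cnames(SAMPLE_EXPORT, fake_resolver)
    for owner, info in sorted(report.items()):
        print(f"{info['status']:<11} {owner} -> {info['target']}")
    print("Dangling:", dangling_only(report))
```

For a live run, replace fake_resolver with a function backed by a DNS library that returns None on NXDOMAIN and the set of record types found otherwise; a normal recursive resolver follows CNAME chains for you, so querying the canonical name is enough. Running the check from the exported file also sidesteps the Reporting lookup-table upload, which is the other limitation noted above.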


Here is a sample of what the report would look like and how to build it:


Example API call to create the CSV export (or just grab it from the GUI); the credentials are a placeholder, and additional record:cname search fields such as the zone can be added to the JSON body to limit the export to one zone:


curl --location --request POST 'https://gridmaster/wapi/v2.9/fileop?_function=csv_export' \
--user 'USERNAME:PASSWORD' \
--header 'Content-Type: application/json' \
--data-raw '{
    "_object": "record:cname"
}'

To upload a lookup table: Reporting -> Settings -> Lookups -> add-new:




Choose upload CSV file and save as cnames.csv:




Add-new for lookup definition and add as cnames from lookup file cnames.csv:




Go to Reporting -> Dashboards -> Create new dashboard:




Create Dashboard and then select “Source” to edit the source. Completely replace the XML with the below snippet and save:


<dashboard>
  <label>Dangling CNAMEs</label>
  <!-- "cnames" is the lookup definition created above; "fqdn*" is the name column of the Infoblox export -->
  <row>
    <panel>
      <single>
        <title>Total Dangling CNAMEs</title>
        <search><query>| inputlookup cnames | lookup dnslookup clientip as fqdn* OUTPUT clienthost as Resolved | where isnull(Resolved) | stats count by fqdn* | eventstats sum(count) as Total | dedup Total | table Total</query></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <table>
        <title>CNAMEs not resolved</title>
        <search><query>| inputlookup cnames | lookup dnslookup clientip as fqdn* OUTPUT clienthost as Resolved | where isnull(Resolved) | stats count by fqdn* | eventstats sum(count) as totalCount | transpose | replace "fqdn*" with FQDN | transpose header_field=column | table FQDN</query></search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Now you should have a dashboard similar to this which contains the total and full list of all the dangling CNAMEs:




Reminder: this requires the manual upload (and updating) of the list of CNAMEs to monitor, and the report will list "false positives" if a CNAME fails to resolve to an IP address for any other reason.


Hope this helps someone!

Steve S.