1355 
0
Dangling CNAMEs are essentially CNAMEs in your authoritative zone that point to 3rd party recourses that no longer exist and could be reused by adversaries as a subdomain takeover.
This concern has come up a few times so this basic solution is what I came up with working within the confines of the Infoblox NIOS Reporting platform:
High level:
- CSV export all CNAMEs from a zone via GUI or API (be sure to export in Infoblox CSV import format)
- Upload this CSV file to Reporting as a lookup and add a lookup definition
- Load the Dangling CNAMEs dashboard
This will provide a report of all CNAMEs in a zone that fail to resolve to an IP address.
This could be run as a scheduled report to keep the results automatically updated and also trigger alerts and/or send an email with the results.
There are some issues which include keeping the current list of CNAMEs current as this would require periodic updating and there is not an API/automatic method to push this into the Reporting. The other issue is that the available dnslookup Splunk script only looks up A records. If a CNAME happens to point to a name that only has a TXT record, for example, it won’t resolve and would therefore show up on the list of unresolved CNAMEs in the report.
Here is a sample of what the report would look like and how to build it:
Example API call to create the CSV export (or just grab it fro the GUI):
curl --location --request POST 'https://gridmaster/wapi/v2.9/fileop?_function=csv_export' \
--header 'Content-Type: application/json' \
--data-raw '{
"_object": "record:cname",
"zone":"domain-name.tld"
}'
To upload a lookup table: Reporting -> Settings -> Lookups -> add-new:
Choose upload CSV file and save as cnames.csv:
Add-new for lookup definition and add as cnames from lookup file cnames.csv:
Go to Reporting - > Dashboards -> Create new dashboard:
Create Dashboard and then select “Source” to edit the source. Completely replace the XML with the below snippet and save:
<dashboard>
<label>Dangling CNAMEs</label>
<row>
<panel>
<title>Total Dangling CNAMEs</title>
<single>
<search>
<query>| inputlookup cnames | lookup dnslookup clientip as fqdn* OUTPUT clienthost as Resolved | where isnull(Resolved) | stats count by fqdn* | eventstats sum(count) as Total | dedup Total | table Total</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
</single>
</panel>
</row>
<row>
<panel>
<title>CNAMEs not resolved</title>
<table>
<search>
<query>| inputlookup cnames | lookup dnslookup clientip as fqdn* OUTPUT clienthost as Resolved | where isnull(Resolved) | stats count by fqdn* | eventstats sum(count) as totalCount | table fqdn*</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
Now you should have a dashboard similar to this which contains the total and full list of all the dangling CNAMEs:
Reminder... this requires the manual upload (and updating) of the list of CNAMEs to monitor and the report will list "false positives" if a CNAME fails to resolve to an IP address for any other reason.
Hope this helps someone!
1355 0
1355 0
Hello Mervin,
Apologies as this appears to be my fault once again 
The CSV export of the CNAMES must be in "CSV Import" format and not the "visible data" format.
When you export via the GUI be sure to choose the CSV export option of "Export data in Infoblox CSV Import Format".
I believe this may be the issue and please let me know if this is the case. You will need to generate a new export and remove/replace the cnames.csv you have uploaded and the corresponding LookUp Table file as the field mappings are different.
Thank you!
1355 0
1355 0
Hi Mervin,
Yes, I had intended to include a screen shot in my last reply but unfortunately this did not appear.
To generate the CSV in Infoblox Import format you can follow these steps:
1. Navigate to the zone you wish to generate the CNAME export from
2. Apply a filter for Type Equals CNAME record
3. Choose the "Export" function and then the option for "Export data in Infoblox CSV Import Format"
This will provide a CSV output in a different format that is compatible with the CSV import function and also the expected format and columns for the Dangling CNAME Report to properly extract the data.
See the screen shot below for a visual example:
Thank you!
1355 0
Hi Steve,
I have managed to get the dashboard working, thx for you help.
Still i have a question:
The dashboard says there are a total of 528 Dangling cnames, but shows only 5 in the "CNAMEs not resolved" view.
1355 0
