Add individual reference pages for all domain health checkers (EN/FR), update the homepage feature descriptions in both languages to highlight monitoring, notifications, and domain availability checks.
---
date: 2026-06-11T09:00:00+02:00
author: nemunaire
title: Dangling records
description: "Scans a zone for CNAME/MX/SRV/NS records whose targets resolve to NXDOMAIN or whose external domain has expired and could be re-registered."
weight: 140
---

The **Dangling subdomains** checker scans a zone for pointer records (`CNAME`, `MX`, `SRV`, `NS`) whose targets have gone stale: they resolve to NXDOMAIN, or their external registrable domain has expired, is in `pendingDelete`, or was recently re-registered. This is the subdomain-takeover attack class popularised in 2017, where institutions ended up serving hostile content from CNAMEs pointing at decommissioned third-party services after attackers re-registered the lapsed targets.
This is a **zone-level** checker: it needs the full zone content and runs a single pass over it, consolidating findings by owner rather than producing one result per record.
## What it checks
The checker walks every service in the working zone and extracts pointer records from `CNAME`, special CNAME, `MX`, unknown `SRV` and orphan (bare `NS`/`CNAME`/`MX`) bodies. For each `(owner, type, target)` triple it classifies the target as in-zone or external (relative to the zone's registrable domain), performs a single time-bounded DNS resolution to detect immediate breakage, and publishes a discovery entry so a companion `domain_expiry` checker can run RDAP/WHOIS on external targets.
It emits one finding per impacted owner, ranked by descending severity:
| Signal | Severity | Source |
|--------|----------|--------|
| Target NXDOMAIN | Critical | Local DNS resolution |
| Target SERVFAIL | Warning | Local DNS resolution |
| Target NOERROR with empty answer | Info | Local DNS resolution |
| Registrable domain expired | Critical | `whois` observation from the companion checker |
| Registrable status `pendingDelete` / `redemptionPeriod` | Critical | `whois` observation from the companion checker |
| Registrable domain registered within the last 90 days | Warning | `whois` observation from the companion checker |

{{% notice style="info" title="WHOIS signals need a companion checker" %}}
The DNS-resolution signals (NXDOMAIN, SERVFAIL, empty answer) work on their own. The WHOIS-driven signals (expired, `pendingDelete`, recently registered) only fire when the host's `domain_expiry` checker subscribes to this checker's external-target discovery entries and publishes a per-target `whois` observation. Without that wiring, the checker still works as a DNS-only dangling detector.
{{% /notice %}}
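The classification and per-owner consolidation described above, as an added illustration that is not happyDomain's own code: the live resolver and the companion checker's `whois` observations are replaced by constructed in-memory tables, and the observation dict shape, its keying by target name, and treating the zone name as the registrable domain are assumptions of this example.

```python
SEVERITY = {"info": 1, "warning": 2, "critical": 3}

def is_external(target, zone):
    # Zone name is assumed to be the registrable domain (no PSL lookup here).
    t, z = target.lower().rstrip("."), zone.lower().rstrip(".")
    return t != z and not t.endswith("." + z)

def dns_signal(rcode, answers):
    # "Local DNS resolution" rows of the severity table.
    if rcode == "NXDOMAIN":
        return "critical", "target NXDOMAIN"
    if rcode == "SERVFAIL":
        return "warning", "target SERVFAIL"
    if rcode == "NOERROR" and answers == 0:
        return "info", "target NOERROR with empty answer"
    return None

def whois_signal(obs):
    # Companion domain_expiry observation; this dict shape is an assumption.
    if obs.get("expired"):
        return "critical", "registrable domain expired"
    if obs.get("status") in ("pendingDelete", "redemptionPeriod"):
        return "critical", f"registrable status {obs['status']}"
    if obs.get("age_days", 10**9) < 90:
        return "warning", "registrable domain registered within the last 90 days"
    return None

def consolidate(zone, pointers, resolve, whois=None):
    # One finding per owner (worst severity kept), ranked by descending severity,
    # plus the set of external targets published as discovery entries.
    findings, external = {}, set()
    for owner, rtype, target in pointers:
        signals = [dns_signal(*resolve(target))]
        if is_external(target, zone):
            external.add(target)  # discovery entry for domain_expiry
            if whois and target in whois:
                signals.append(whois_signal(whois[target]))
        for sev, why in filter(None, signals):
            f = findings.setdefault(owner, {"severity": "info", "reasons": []})
            if SEVERITY[sev] > SEVERITY[f["severity"]]:
                f["severity"] = sev
            f["reasons"].append(f"{rtype} {target}: {why}")
    return sorted(findings.items(), key=lambda kv: -SEVERITY[kv[1]["severity"]]), sorted(external)

# Constructed sample: one healthy in-zone CNAME and three stale external pointers.
ZONE = "example.org"
POINTERS = [("www", "CNAME", "app.example.org."), ("blog", "CNAME", "old.vendor-example.net."),
            ("@", "MX", "mail.vendor-example.net."), ("@", "MX", "mx2.vendor-example.net.")]
FAKE_DNS = {"app.example.org.": ("NOERROR", 1), "old.vendor-example.net.": ("NXDOMAIN", 0),
            "mail.vendor-example.net.": ("NOERROR", 0), "mx2.vendor-example.net.": ("SERVFAIL", 0)}
FAKE_WHOIS = {"mail.vendor-example.net.": {"status": "pendingDelete"}}
```

Run `consolidate(ZONE, POINTERS, FAKE_DNS.__getitem__, FAKE_WHOIS)`: `www` produces no finding, `blog` and `@` both come out Critical, and the three external targets are returned for the companion checker.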
## Options
| Option | Meaning | Default |
|--------|---------|---------|
| Skip live DNS resolution | When set, the checker only reports the static structure of pointer records (offline analysis), without resolving targets. | `false` |

## In happyDomain
Enable this checker on the domain from the {{< relref "/pages/checks" >}} view; the domain name and zone content are filled in automatically. Because it is zone-scoped, it runs over the whole zone in a single pass.
Related checkers: {{< relref "/reference/checkers/alias" >}} validates the structure of individual alias chains, and {{< relref "/reference/checkers/domain-expiry" >}} watches your own domains' expiry — the same WHOIS machinery that powers this checker's external-target signals.