Universities serving porn from dangling DNS records

[labrown]

Ars Technica published an article about big-name universities serving porn from dangling CNAME records after the intended target was decommissioned and then malicious actors grabbed up the target resource for their own purposes.

Seems like something dnscontrol could help police.

[chicks-net]

I've typo'd cnames a few times. It would be nice to have a warning about this before deploying an update to DNS.

My only regret about dnscontrol catching these is that folks don't update their DNS that often so there could be slippage between updates that gets missed. Having something like a nagios plugin that runs periodically would help catch issues that crop up between DNS updates. A github action on a cron would be a better modern paradigm than a nagios plugin, but the nagios context helps convey a check that will either pass or fail -- and notify on failures.

[TomOnTime]

dnscontrol could catch cname's pointing to missing labels if the destination domain is mentioned in dnsconfig.js. (and a warning would be an excellent idea).

However the attack mentioned only works when the destination is out of dnscontrol's control. That said, it would be easy to write code that did DNS looksups for those cases... but I think that sgould be an external utility.

Something like:

dnscontrol print-ir | check_dangling_cnames

or

dnscontrol check_dangling_cnames