id: detect-dangling-cname

info:
  name: CNAME Detect Dangling
  author: pdteam,nytr0gen
  description: A CNAME detect dangling condition was discovered. Most commonly this relates to failing to remove records from the zone once they are no longer needed.
  severity: info
  tags: dns,takeover
  reference:
    - https://securitytrails.com/blog/subdomain-takeover-tips
    - https://nominetcyber.com/dangling-dns-is-no-laughing-matter/
    - https://nabeelxy.medium.com/dangling-dns-records-are-a-real-vulnerability-361f2a29d37f
    - https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cve-id:
    cwe-id: CWE-200

dns:
  - name: "{{FQDN}}"
    type: A

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "NXDOMAIN"

      - type: word
        words:
          - "IN\tCNAME"

    extractors:
      - type: regex
        group: 1
        regex:
          - "IN\tCNAME\t(.+)"

# Enhanced by mp on 2022/03/13