Dangling DNS MX http://dnsinstitute.com/research/dangling-mx/
1. whois
This paper shares examples of a novel approach to finding Dangling DNS targets where, due to typos or lack of tracking, DNS MX records may point to domains that are available for third-party purchase and can potentially be abused for impersonation, social engineering attacks, and private information theft with partial (such as collecting some messages) or complete (for two-way communications) email takeover.
List of Dangling MX Targets that are Squatted with screenshots
List of Dangling MX Targets that are not registered (NXDOMAIN)
List of Dangling MX Targets under Provider Domains
Potential Email Compromise via Dangling DNS MX (PDF)
Abstract:
Routing of email generally relies on DNS MX (Mail Exchange) resource records. In addition, the MX definition may be used in Sender Policy Framework (SPF) rules.
In this paper, we explore Dangling MX record targets which are available for third-party purchase and control. Depending on corresponding, potentially valid MX records and SPF rules, the vulnerabilities range from little impact to complete two-way email communication compromise, without snooping or man-in-the-middle techniques. Even if the organization does not use the domain for email, a third party could still use it in a phishing attack where the phisher can actually use a valid and legitimate domain for increased credibility.
We discovered 393 domain names with a Dangling MX record. This paper shares real-world examples of Dangling MX records and techniques for finding them. While the Dangling MX concept is already known, this paper also describes a novel vulnerability and research approach where the Dangling MX or other DNS target is an existing registered domain, but available for purchase or unknown third-party use.
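An audit of your own zone for the condition the abstract describes, added here as an example and not taken from the paper: it flags MX targets that return NXDOMAIN or that sit outside the domains you expect, and reports whether SPF also authorizes the domain's MX hosts to send. The function names, the `expected_suffixes` allowlist, the response-code dictionary and the "some"/"all" exposure labels are assumptions of this example.

```python
# Added example: audit one domain's MX and SPF data for dangling MX targets.
# Record data is constructed; real input is your zone plus observed DNS rcodes.
def spf_authorizes_own_mx(txt_records):
    """True if an SPF record passes senders via the domain's own MX hosts."""
    for txt in txt_records:
        terms = txt.lower().split()
        if not terms or terms[0] != "v=spf1":
            continue
        for term in terms[1:]:
            if term[0] in "-~?":      # only a pass qualifier authorizes
                continue
            mech = term.lstrip("+")
            # Bare "mx" or "mx/<cidr>" means this domain's own MX records;
            # "mx:<other>" names another domain and is not counted here.
            if mech == "mx" or mech.startswith("mx/"):
                return True
    return False

def audit_mx(mx_records, txt_records, rcodes, expected_suffixes):
    """mx_records: [(preference, target)]; rcodes: {target: rcode string}."""
    def norm(name):
        return name.rstrip(".").lower()
    def trusted(t):
        return any(t == s or t.endswith("." + s) for s in expected_suffixes)
    healthy = [t for _, t in mx_records
               if rcodes.get(norm(t)) == "NOERROR" and trusted(norm(t))]
    findings = []
    for pref, target in sorted(mx_records):
        t = norm(target)
        if rcodes.get(t) == "NXDOMAIN":
            state = "nxdomain"        # target name does not exist
        elif not trusted(t):
            state = "unexpected"      # exists, but outside domains you vouch for
        else:
            continue
        findings.append({
            "target": t, "preference": pref, "state": state,
            # Assumption: with no healthy MX left, all inbound mail is exposed.
            "inbound_exposed": "some" if healthy else "all",
            "spf_authorized": spf_authorizes_own_mx(txt_records),
        })
    return findings

# Constructed sample: the second MX target is a typo ("crop" for "corp").
SAMPLE_MX = [(10, "mx1.corp.example."), (20, "mx2.crop.example.")]
SAMPLE_TXT = ["v=spf1 mx -all"]
SAMPLE_RCODES = {"mx1.corp.example": "NOERROR", "mx2.crop.example": "NXDOMAIN"}
if __name__ == "__main__":
    print(audit_mx(SAMPLE_MX, SAMPLE_TXT, SAMPLE_RCODES, ["corp.example"]))
```

The "unexpected" state covers the registered-but-third-party case from the abstract, which an NXDOMAIN check alone does not catch.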
2. domain list
Unregistered Dangling MX Targets http://dnsinstitute.com/research/dangling-mx/dangling-mx-nxdomain.html
Unregistered Dangling DNS Targets under Provider Domains http://dnsinstitute.com/research/dangling-mx/dangling-mx-nxdomain-provider-domains.html
3. history
We identified 25 domains with DNS targets that were under names that don't exist (NXDOMAIN) but are available to be registered or assigned via a subdomain hosting or DNS hosting service provider. We are still researching these, but at least a few appear to be vulnerabilities. If you know of any others, can explain these, or can assist with contacts, please let us know.
Potential Email Compromise via Dangling DNS MX
Joshua Avery Reed, DNS Institute, J. C. Reed, July 25, 2020
file:///home/tmaeno/Downloads/dangling-mx-202007-1.pdf