Domain pointing to non-existing page on a service
Impact: Critical
What this means
A domain or a subdomain is configured to redirect to a page on a third-party service such as Akamai or Azure Front Door, but the page does not exist. This situation occurs when the CNAME record points to a service that is no longer active or has been decommissioned.
This is most likely because:
- the service was decommissioned but the DNS records were not updated
- there was an error or typo in the configuration of the DNS records
- the service was never properly set up or has been moved to a different address without updating the DNS configuration
When a domain points to a non-existing page, a malicious actor could potentially exploit this by creating a page on the third-party service using the same subdomain. This can lead to an attacker gaining control over the subdomain and serving malicious content or phishing pages.
Why this is a problem
When a subdomain is vulnerable to takeover, it can be used by attackers to:
- redirect users to fraudulent websites
- distribute malware
- conduct phishing attacks by mimicking legitimate services
- compromise user data and privacy through session hijacking or cookie theft
This can severely damage the reputation of the affected domain and lead to further security breaches.
How to check if the problem is still there
Use dig to query the CNAME record for the subdomain.
Example
dig cname subdomain.example.gov.uk +short
subdomain.supplier.co.uk
Check if the CNAME record resolves to a non-existing page. Take the output of the previous command and check for a further CNAME record.
dig cname subdomain.supplier.co.uk +short
subdomain.anothersupplier.co.uk
Keep following the CNAME chain until you don’t get a response for the CNAME query. When you reach a domain without a CNAME check for an A record.
dig a subdomain.example.gov.uk
If the response is `NXDOMAIN` (Non-Existent Domain), it indicates that the page does not exist on the third-party service.
You may also be able to verify the status of the third-party service by visiting the URL in a web browser to see if the page exists. If the page returns a 404 error or similar, it confirms that the page does not exist.
This may not be foolproof, as some URLs may only respond to traffic forwarded from a specific previous location.
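The manual dig procedure above can be automated for a regular audit. The following script is an added example and not part of this guidance; it follows the CNAME chain for a name and reports it as dangling when a name in the chain returns NXDOMAIN or the chain ends without an A record. The real lookup assumes `dig` is installed; the constructed records in FAKE_ZONE are made-up sample data so the logic can be exercised offline.

```python
import re
import subprocess

NXDOMAIN = "NXDOMAIN"


def dig_lookup(name, rtype):
    """Query `dig` for one record type at one name.

    Returns (status, rdata list), e.g. ("NOERROR", ["cdn.supplier.co.uk"])
    or ("NXDOMAIN", []). Parsed from the ->>HEADER<<- and ANSWER sections.
    """
    out = subprocess.run(["dig", "+noall", "+comments", "+answer", name, rtype],
                         capture_output=True, text=True).stdout
    m = re.search(r"status: (\w+)", out)
    status = m.group(1) if m else "UNKNOWN"
    # Answer lines look like: name. TTL IN CNAME target.  Keep only our rtype.
    answers = [ln.split()[-1].rstrip(".") for ln in out.splitlines()
               if ln and not ln.startswith(";") and f" {rtype.upper()} " in ln]
    return status, answers


def follow_cname_chain(name, lookup=dig_lookup, max_hops=10):
    """Return (chain of names, verdict) where verdict is ok, dangling or loop."""
    chain = [name]
    for _ in range(max_hops):
        status, targets = lookup(chain[-1], "CNAME")
        if status == NXDOMAIN:
            return chain, "dangling"      # this hop no longer exists at all
        if not targets:
            break                         # end of chain: now look for an A record
        chain.append(targets[0])
    else:
        return chain, "loop"              # too many hops, probably a CNAME loop
    status, addrs = lookup(chain[-1], "A")
    if status == NXDOMAIN or not addrs:
        return chain, "dangling"          # final name resolves to nothing
    return chain, "ok"


# Constructed sample records (hypothetical names, not real DNS data).
FAKE_ZONE = {
    ("subdomain.example.gov.uk", "CNAME"): ("NOERROR", ["subdomain.supplier.co.uk"]),
    ("subdomain.supplier.co.uk", "CNAME"): ("NOERROR", ["subdomain.anothersupplier.co.uk"]),
    ("subdomain.anothersupplier.co.uk", "CNAME"): ("NXDOMAIN", []),
    ("live.example.gov.uk", "CNAME"): ("NOERROR", ["cdn.supplier.co.uk"]),
    ("cdn.supplier.co.uk", "A"): ("NOERROR", ["192.0.2.10"]),
}


def fake_lookup(name, rtype):
    """Offline stand-in for dig_lookup backed by FAKE_ZONE."""
    return FAKE_ZONE.get((name, rtype), ("NOERROR", []))
```

Run `follow_cname_chain("subdomain.example.gov.uk")` to use live dig, or pass `lookup=fake_lookup` to exercise the logic against the sample records.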
How to fix it
Update the DNS records:
- remove or correct any CNAME records that point to non-existing pages
- ensure that all DNS records are pointing to valid and active services
Decommission unused subdomains. If the subdomain is no longer needed, remove the DNS records to prevent potential misuse.
Monitor DNS configurations:
- regularly audit DNS records to ensure they are up-to-date and correctly configured
- implement monitoring tools to detect and alert on any misconfigurations or changes
- act on notifications from the Cyber and Domains Protection team
By keeping your DNS records properly configured and pointing to valid services, you can mitigate the risk of subdomain takeover and ensure that your domain’s users are directed to the intended destinations.