
Remove AWS Route 53 Dangling DNS Records

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (should be achieved)
Rule ID: Route53-011

Ensure that any dangling DNS records are deleted from your Amazon Route 53 public hosted zones in order to maintain the integrity and authenticity of your domains/subdomains and to protect against domain hijacking attacks.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When an ephemeral AWS resource such as an Elastic IP (EIP) is released back into Amazon's Elastic IP pool, another AWS customer may later be allocated the same address and thereby control any domain/subdomain that your Route 53 DNS records still point at. In other words, if you have not removed the DNS records pointing to EIPs you have released, a malicious actor who obtains the same EIP from the AWS IP pool can serve content for the domain/subdomain named in your DNS entries. Because nothing authenticates the link between a DNS record and the EIP it points to, it is highly recommended to check regularly for dangling DNS entries and remove them from your Route 53 hosted zones.


Audit

To identify dangling DNS records within your Amazon Route 53 public hosted zones, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Select Public Hosted Zones from the dropdown list available under the dashboard top menu to list all your Route 53 public hosted zones.

05 Select the hosted zone that you want to examine then click on the Go to Records Sets button to access its DNS records.

06 On the DNS public hosted zone page, select A from the Record Type dropdown list to list all the A (Address) records in the selected zone.

07 Copy the EIP address available in the Value column for each listed A record.

08 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

09 In the left navigation panel, under NETWORK & SECURITY section, choose Elastic IPs.

10 Paste each EIP copied at step no. 7 into the Filter by tags and attributes or search by keyword box and press Enter. For each EIP that no longer exists within the selected AWS region, the EC2 console returns the message: "No Addresses found matching your filter criteria".

11 Change the AWS region from the navigation bar and repeat step no. 10 for the rest of the regions that have Elastic IPs allocated. If an EIP copied at step no. 7 is no longer available in any region of your AWS account, the DNS entry that points to the missing EIP qualifies as a dangling DNS record and can be removed from your Amazon Route 53 hosted zone.

Using AWS CLI

01 Run list-hosted-zones command (OSX/Linux/UNIX) to retrieve a list with all the DNS hosted zones associated with your AWS account:

aws route53 list-hosted-zones

02 The command output should return an array with all the DNS zones available and their metadata (including each hosted zone ID):

{
    "HostedZones": [
        {
            "ResourceRecordSetCount": 8,
            "CallerReference": "ABCDABCD-ABCD-ABCD-ABCD-ABCDABCDABCD",
            "Config": {
                "PrivateZone": false
            },
            "Id": "/hostedzone/AAAABBBBCCCCDD",
            "Name": "cloudconformity.com."
        }
    ]
}

03 Run list-resource-record-sets command (OSX/Linux/UNIX) using the ID of the Route 53 hosted zone returned at the previous step to list the Elastic IP addresses linked to the DNS A records created for the selected hosted zone:

aws route53 list-resource-record-sets \
	--hosted-zone-id AAAABBBBCCCCDD \
	--query "ResourceRecordSets[?Type == 'A'].ResourceRecords[*].Value[]"

04 The command output should return an array with all the requested EIPs:

[
    "54.173.232.201",
    "52.190.127.186"
]

05 Run describe-addresses command (OSX/Linux/UNIX) for each EIP returned at the previous step, using the address as the query parameter value, to describe the metadata for that EIP (if any):

aws ec2 describe-addresses \
	--region us-east-1 \
	--query "Addresses[?PublicIp == '54.173.232.201']"

06 The command output should return an array that contains the metadata for the requested EIP resource, or an empty array if the EIP is no longer available in the selected AWS region, as shown in the example below:

[]

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 5 and 6 for the rest of the regions that have Elastic IPs (EIPs) allocated. If an EIP address returned at step no. 4 is no longer available in any region of your AWS account, the DNS entry that points to the missing EIP qualifies as a dangling DNS record and can be deleted from your Amazon Route 53 hosted zone.
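The CLI audit above can be scripted. The following Python is an added example, not code from the Conformity page: it applies the same check (A record values versus EIPs allocated in any region) to constructed sample data, and the collect_from_aws helper is an assumed boto3 variant of steps 03 to 06 that needs AWS credentials and a default region configured.

```python
# Added example (not Conformity's own code): flag A records whose IPv4 values are not
# Elastic IPs currently allocated in the account. Record-set and address dicts mirror
# the list-resource-record-sets / describe-addresses output shown in the steps above.

# Constructed sample: two plain A records, one ALIAS A record (no ResourceRecords) and
# one non-A record, in the shape list-resource-record-sets returns them.
SAMPLE_RECORD_SETS = [
    {"Name": "sandbox.cloudconformity.com.", "Type": "A", "TTL": 86400,
     "ResourceRecords": [{"Value": "54.173.232.201"}]},
    {"Name": "app.cloudconformity.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "52.190.127.186"}]},
    {"Name": "www.cloudconformity.com.", "Type": "A",
     "AliasTarget": {"DNSName": "dEXAMPLE.cloudfront.net.", "EvaluateTargetHealth": False}},
    {"Name": "cloudconformity.com.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": "\"v=spf1 -all\""}]},
]
# Constructed sample: describe-addresses output merged across all regions; only one
# of the two EIPs above is still allocated to the account.
SAMPLE_ADDRESSES = [{"PublicIp": "52.190.127.186", "AllocationId": "eipalloc-EXAMPLE"}]

def a_record_ips(record_sets):
    """Yield (record name, IP value) for plain A records; ALIAS records carry no IPs."""
    for rs in record_sets:
        if rs.get("Type") != "A":
            continue
        for rr in rs.get("ResourceRecords", []):
            yield rs["Name"], rr["Value"]

def find_dangling(record_sets, addresses):
    """Return (name, ip) pairs whose IP is not an allocated EIP in any region."""
    allocated = {addr["PublicIp"] for addr in addresses}
    return [(name, ip) for name, ip in a_record_ips(record_sets) if ip not in allocated]

def collect_from_aws(hosted_zone_id):
    """Live variant of audit steps 03-06: needs boto3 and AWS credentials (assumption)."""
    import boto3  # imported lazily so the offline sample above needs no SDK
    r53 = boto3.client("route53")
    pages = r53.get_paginator("list_resource_record_sets").paginate(HostedZoneId=hosted_zone_id)
    record_sets = [rs for page in pages for rs in page["ResourceRecordSets"]]
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    addresses = [a for region in regions
                 for a in boto3.client("ec2", region_name=region).describe_addresses()["Addresses"]]
    return find_dangling(record_sets, addresses)

if __name__ == "__main__":
    for name, ip in find_dangling(SAMPLE_RECORD_SETS, SAMPLE_ADDRESSES):
        print(f"dangling: {name} -> {ip}")
```

Any A record pointing at an address that was never one of your EIPs (for example a host outside AWS) is flagged as well, so review each result before deleting it.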

Remediation / Resolution

To adhere to DNS security best practices and remove any dangling DNS records available within your Amazon Route 53 hosted zones, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Select Public Hosted Zones from the dropdown list available under the dashboard top menu to list all your Route 53 public hosted zones.

05 Select the hosted zone that you want to modify then click on the Go to Records Sets button to access its DNS records.

06 On the DNS hosted zone page, select the dangling DNS record that you want to remove (see the Audit section to identify the right DNS entry), then click the Delete Record Set button from the dashboard top menu.

07 Inside Confirm dialog box, click Confirm to delete the dangling record from the selected AWS Route 53 hosted zone.

08 Repeat steps no. 5 – 7 to remove dangling DNS records from other Route 53 hosted zones created in your AWS account.

Using AWS CLI

01 To delete a dangling DNS record from your public hosted zone, you must first create an Amazon Route 53 change file (i.e. a JSON file) that defines the DNS records you want to remove. The following example, named remove-record-set.json, is a change file that defines a dangling A record with the EIP address set to 54.173.232.201:

{
  "Comment": "Dangling DNS A record from cloudconformity.com hosted zone",
  "Changes": [
    {
      "Action": "DELETE",
      "ResourceRecordSet": {
        "Name": "sandbox.cloudconformity.com.",
        "Type": "A",
        "TTL": 86400,
        "ResourceRecords": [
          {
            "Value": "54.173.232.201"
          }
        ]
      }
    }
  ]
}

02 Run change-resource-record-sets command (OSX/Linux/UNIX) using the ID of the hosted zone that you want to modify and the AWS Route 53 change file created at the previous step (i.e. remove-record-set.json) as command parameters, to remove the dangling DNS record from the selected zone:

aws route53 change-resource-record-sets \
	--hosted-zone-id AAAABBBBCCCCDD \
	--change-batch file://remove-record-set.json

03 The command output should return the request metadata. The change status is PENDING at this point; the removal may take a few minutes to propagate:

{
    "ChangeInfo": {
        "Status": "PENDING",
        "Comment": "Dangling DNS A record from cloudconformity.com hosted zone",
        "SubmittedAt": "2018-07-25T21:38:21.737Z",
        "Id": "/change/ABCDABCDABCDAB"
    }
}

04 Repeat steps no. 1 – 3 to delete any dangling DNS records from other Route 53 hosted zones created in your AWS account.
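Writing the change file by hand is error-prone because a Route 53 DELETE must match the existing record set exactly. The following Python is an added example, not Conformity's code: removal_change and build_change_batch are assumed helper names that derive the change batch from the record set as listed by list-resource-record-sets, and use UPSERT instead of DELETE when a record set still has live values; apply_change_batch is an assumed boto3 submission step that needs credentials.

```python
# Added example (not Conformity's own code): build the change batch that removes dangling
# EIP values from A records. A Route 53 DELETE must repeat the existing record exactly
# (name, type, TTL and every value), so the change is derived from the record set as
# listed rather than typed by hand; a set with live values left keeps them via UPSERT.
import copy
import json

# Constructed sample: the record from the change file above, plus a multi-value record.
SANDBOX = {"Name": "sandbox.cloudconformity.com.", "Type": "A", "TTL": 86400,
           "ResourceRecords": [{"Value": "54.173.232.201"}]}
MULTI = {"Name": "api.cloudconformity.com.", "Type": "A", "TTL": 300,
         "ResourceRecords": [{"Value": "54.173.232.201"}, {"Value": "52.190.127.186"}]}

def removal_change(record_set, dangling_ips):
    """Return one Change that drops dangling_ips from record_set, or None if none match."""
    values = [rr["Value"] for rr in record_set.get("ResourceRecords", [])]
    remaining = [v for v in values if v not in dangling_ips]
    if len(remaining) == len(values):
        return None  # nothing dangling in this record set
    if not remaining:
        # Every value is dangling: DELETE the whole set, echoing it unchanged.
        return {"Action": "DELETE", "ResourceRecordSet": copy.deepcopy(record_set)}
    # Some values are still live: UPSERT replaces the set with only those values.
    rs = copy.deepcopy(record_set)
    rs["ResourceRecords"] = [{"Value": v} for v in remaining]
    return {"Action": "UPSERT", "ResourceRecordSet": rs}

def build_change_batch(record_sets, dangling_ips, zone_name):
    """Assemble the JSON body passed to change-resource-record-sets via --change-batch."""
    changes = [c for c in (removal_change(rs, dangling_ips) for rs in record_sets) if c]
    return {"Comment": f"Dangling DNS A record from {zone_name} hosted zone", "Changes": changes}

def apply_change_batch(hosted_zone_id, batch):
    """Submit the batch; needs boto3 and AWS credentials (assumption), hence the lazy import."""
    import boto3
    r53 = boto3.client("route53")
    return r53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=batch)["ChangeInfo"]

if __name__ == "__main__":
    batch = build_change_batch([SANDBOX, MULTI], {"54.173.232.201"}, "cloudconformity.com")
    print(json.dumps(batch, indent=2))  # save as remove-record-set.json for the CLI step above
```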

Publication date Aug 1, 2018