Remove Dangling DNS Records

Risk Level: High (not acceptable risk)

Ensure that dangling DNS records are removed from your public Cloud DNS zones in order to maintain the integrity and authenticity of your domains/subdomains and to protect against domain hijacking.

Security

When an ephemeral Google Cloud resource like an external IP address is released, it becomes available for others to use. An attacker could potentially acquire this IP and intercept traffic intended for your domain/subdomain hosted in Cloud DNS, or launch Denial-of-Service (DoS) attacks. Since you have no control over who gets the released IP, it is highly recommended to regularly check for any unused DNS records pointing to these IPs and remove them from your Cloud DNS zones.

Audit

To identify anhy dangling DNS records within your public Cloud DNS zones, perform the following operations:

Using GCP Console

Sign in to the Google Cloud Management Console.
Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.
Navigate to Network services console available at https://console.cloud.google.com/net-services.
In the navigation panel, choose Cloud DNS and select the ZONES tab to access the Cloud DNS zones configured for the selected GCP project.
Click inside the Filter box, select Zone type and choose Public, to list only the public DNS zones available for your project.
Click on the name (link) of the public DNS zone that you want to examine.
Click inside the Filter box, select Type and type A, choose OR, and select Type and type AAAA, to list only the A and AAAA records defined for the selected DNS zone.
Click on the name of the DNS record that you want to examine.
In the Routing data section, under Data, copy the external IP address configured for the selected DNS record.
Navigate to VPC network console at https://console.cloud.google.com/networking.
In the navigation panel, choose IP addresses and select the EXTERNAL IP ADDRESSES tab to list the external IP addresses reserved for the selected GCP project.
Click inside the Filter box, select IP address, paste the IP address copied at step no. 9, and press Enter. If the specified IP address is no longer reserved for your GCP project, the Cloud CDN console will return the following message: No rows to display. If the address associated with your DNS record is no longer available within your Google Cloud account, the DNS record pointing to the missing IP becomes a dangling DNS record and can be removed from your Cloud DNS zone.
Repeat steps no. 8 – 12 for each DNS record that you want to examine.
Repeat steps no. 6 – 13 for each public DNS zone that you want to examine.
Repeat steps no. 2 – 14 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

Run projects list command (Windows/macOS/Linux) with custom query filters to list the IDs of the Google Cloud Platform (GCP) projects currently available in your Google Cloud account:
```
gcloud projects list
  --format="table(projectId)"
```
The command output should return the requested GCP project identifiers (IDs):
```
PROJECT_ID
cc-main-project-123123
cc-data-project-112233
```
Run dns managed-zones list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and type of each DNS zone available within the selected project:
```
gcloud dns managed-zones list 
  --project cc-main-project-123123 
  --format="table(name,visibility)"
```
The command output should return the name and type (public or private) of each DNS zone created for your project. A public zone has the VISIBILITY attribute set to public:
```
NAME: trendmicro
VISIBILITY: public

NAME: visionone
VISIBILITY: public
```
Run dns record-sets list command (Windows/macOS/Linux) with the name of the public DNS zone that you want to examine as the identifier parameter and custom output filtering to describe the value (data) for each DNS record created for your DNS zone:
```
gcloud dns record-sets list 
  --zone=trendmicro 
  --format="table(type,rrdatas)"
```

The command output should return the DNS record type and the associated data:

TYPE: A
RRDATAS: ['35.209.130.67']

TYPE: NS
RRDATAS: ['ns-cloud-a1.googledomains.com.', 'ns-cloud-a2.googledomains.com.', 'ns-cloud-a3.googledomains.com.']

TYPE: SOA
RRDATAS: ['ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300']

Run compute addresses list command (Windows/macOS/Linux) with custom filtering to list the external IP addresses reserved for your GCP account:
```
gcloud compute addresses list 
  --filter "addressType~EXTERNAL"
  --format="table(name,status,address)"
```
The command output should return a list with external IP addresses available for consumption:
```
NAME: tm-project5-app-ipv4
STATUS: RESERVED
ADDRESS: 35.186.10.46

NAME: tm-web-portal-ipv4
STATUS: RESERVED
ADDRESS: 35.105.56.10
```
If one or more IP addresses configured for A and AAAA records, returned at step no. 6, are no longer reserved for your GCP account, they will not be listed by the compute addresses list command at step no. 8. If an IP address associated with a DNS record is no longer reserved for your Google Cloud account, the DNS record pointing to the missing IP becomes a dangling DNS record and can be removed from your Cloud DNS zone.
Repeat steps no. 5 - 8 for each public DNS zone that you want to examine.
Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To ensure that all dangling DNS records are removed from your public Cloud DNS zones, perform the following operations:

Using GCP Console

Sign in to the Google Cloud Management Console.
Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.
Navigate to Network services console available at https://console.cloud.google.com/net-services.
In the navigation panel, choose Cloud DNS and select the ZONES tab to access the Cloud DNS zones configured for the selected GCP project.
Click inside the Filter box, select Zone type and choose Public, to list only the public DNS zones available for your project.
Click on the name (link) of the public DNS zone that you want to configure.
Click inside the Filter box, select Type and type A, choose OR, and select Type and type AAAA, to list only the A and AAAA records defined for the selected DNS zone.
Select the dangling DNS records with missing IP addresses and choose DELETE RECORD SETS.
In the Delete record sets? box, choose DELETE to confirm the removal of the selected DNS records.
Repeat steps no. 6 – 9 for each public DNS zone that you want to configure.
Repeat steps no. 2 – 10 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

Run dns record-sets delete command (Windows/macOS/Linux) to remove the dangling DNS record with missing IP address from your Cloud DNS zone:
```
gcloud dns record-sets delete trendmicro.com. 
  --project cc-main-project-123123 
  --type=A 
  --zone=trendmicro
```

The command output should return the full URI of the deleted DNS record set:

Deleted [https://dns.googleapis.com/dns/v1/projects/cc-main-project-123123/managedZones/trendmicro/rrsets/trendmicro.com./A].

Repeat steps no. 1 and 2 for each dangling DNS record that you want to delete.
Repeat steps no. 1 – 3 for each public DNS zone that you want to configure.
Repeat steps no. 1 – 4 for each GCP project deployed within your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
DNS zones overview
Create, modify, and delete zones
Quickstart: Set up DNS records for a domain name with Cloud DNS

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud dns managed-zones list
gcloud dns record-sets list
gcloud dns record-sets delete
gcloud compute addresses list

Publication date May 1, 2024

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related CloudDNS rules