Ensure that any dangling DNS records are deleted from your Amazon Route 53 public hosted zones in order to maintain the integrity and authenticity of your domains/subdomains and to protect against domain hijacking attacks.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When an ephemeral AWS resource such as an Elastic IP (EIP) is released back into Amazon's Elastic IP pool, an attacker may acquire that EIP and effectively control any domain/subdomain that your Route 53 DNS records still associate with it. In other words, if you have not removed the DNS records that point to EIPs you have released, a malicious party who is allocated the same EIP from the AWS IP pool can serve content for the domain/subdomain named in your DNS entries. Since there is no authentication of the link between a DNS record and the EIP it points to, it is highly recommended to check regularly for dangling DNS entries and remove them from your Route 53 hosted zones.
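The check described above, as an added example (not part of the Conformity rule itself): it compares the A records of a hosted zone against the EIPs the account currently holds and builds the DELETE change batch for any record that points elsewhere. The two input documents are constructed samples in the shape of `aws route53 list-resource-record-sets` and `aws ec2 describe-addresses` output; the addresses, names and allocation IDs are placeholders.

```python
import json
from typing import Dict, List, Set

# Constructed sample in the shape of `aws ec2 describe-addresses` output (placeholder values).
DESCRIBE_ADDRESSES = {"Addresses": [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0example1", "Domain": "vpc"},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0example2", "Domain": "vpc"},
]}

# Constructed sample in the shape of `aws route53 list-resource-record-sets` output.
RECORD_SETS = {"ResourceRecordSets": [
    {"Name": "www.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
    {"Name": "old-app.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.99"}]},  # EIP released, record left behind
    {"Name": "cdn.example.com.", "Type": "A",          # alias record: no IP to compare
     "AliasTarget": {"HostedZoneId": "Z2FDTNDATAQYW2",
                     "DNSName": "d111111abcdef8.cloudfront.net.", "EvaluateTargetHealth": False}},
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-01.org."}]},
]}

def owned_eips(describe_addresses: Dict) -> Set[str]:
    """Public IPv4 addresses currently allocated to the account (associated or not)."""
    return {a["PublicIp"] for a in describe_addresses.get("Addresses", [])}

def find_dangling(record_sets: Dict, eips: Set[str]) -> List[Dict]:
    """Return non-alias A records whose values are not all EIPs the account holds.
    Hits still need review: an A record for a third-party or on-premises address
    is not an EIP either and will be reported by this check."""
    dangling = []
    for rr in record_sets.get("ResourceRecordSets", []):
        if rr.get("Type") != "A" or "AliasTarget" in rr:
            continue
        values = {r["Value"] for r in rr.get("ResourceRecords", [])}
        if values and not values <= eips:
            dangling.append(rr)
    return dangling

def delete_change_batch(records: List[Dict], comment: str = "remove dangling A records") -> Dict:
    """ChangeBatch for `aws route53 change-resource-record-sets --change-batch file://...`.
    DELETE must match the existing record set exactly, so each hit is copied verbatim."""
    return {"Comment": comment,
            "Changes": [{"Action": "DELETE", "ResourceRecordSet": rr} for rr in records]}

if __name__ == "__main__":
    hits = find_dangling(RECORD_SETS, owned_eips(DESCRIBE_ADDRESSES))
    for rr in hits:
        print("dangling:", rr["Name"], [r["Value"] for r in rr["ResourceRecords"]])
    print(json.dumps(delete_change_batch(hits), indent=2))
```

Run against real output by replacing the two constants with the parsed JSON of the CLI commands; one `describe-addresses` call per region is needed, since EIPs are regional while the hosted zone is global.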
Audit
To identify dangling DNS records within your Amazon Route 53 public hosted zones, perform the following actions:
Remediation / Resolution
To adhere to DNS security best practices and remove any dangling DNS records available within your Amazon Route 53 hosted zones, perform the following:
References
- AWS Documentation
  - Amazon Route 53 FAQs
  - Working with Public Hosted Zones
  - Working with Records
  - Deleting Records
  - Elastic IP Addresses
- AWS Command Line Interface (CLI) Documentation
  - route53
    - list-hosted-zones
    - list-resource-record-sets
    - change-resource-record-sets
  - ec2
    - describe-addresses