Dangling IP Domain Takeover; TLDR;

What is it? Why should you care? And who came up with this terrible name?

Picture this: Your organization sets up DNS records to point to an IP or resource you own—standard procedure, all good. But then, life happens. Projects shift, things get decommissioned, and someone forgets to clean up the DNS entries. No big deal, right?

Wrong. Your cloud provider, being the efficient machine it is, happily hands that now-unclaimed IP over to some random person. And if your DNS is still pointing there? Boom. That lucky stranger now controls your domain or subdomain like they just won the internet lottery. So, yeah… clean up your DNS records. We don’t have an answer for you on the terrible name, and suppose the alternative Orphaned IPs or DNS records doesn’t sound much better. Be a good DNS steward and don’t leave your DNS Entries \ IPs to become Orphans.

How Dangling IPs became more Common

The rapid expansion of cloud providers and increasing reliance on third-party infrastructure have made it far easier to spin up and tear down resources on demand. In the past, organizations typically used static, dedicated IP ranges, which were simpler to track and retire properly. Today, DNS records frequently point to dynamically allocated cloud IPs. Because these addresses are ephemeral, it’s common for an IP to be released and reassigned while the associated DNS record lingers—leading to a far greater risk of dangling IP issues than ever before.

Root Cause

Provisioning systems with public IP addresses in the cloud isn’t inherently a problem, nor is creating DNS records that point to those systems. The real danger arises when the IP is released (for example, after decommissioning or scaling down a cloud instance), yet the DNS record remains intact. At that point, your DNS is effectively pointing to an IP address you no longer own or control. Because cloud providers can reassign these IPs to other tenants, there’s a risk that a malicious actor could end up on the receiving end of Internet traffic meant for your domain—placing you squarely in the DNS Danger Zone.

How to Detect and Fix This Issue

At first glance, resolving this problem seems simple: review your DNS records and verify that every IP address they reference is still under your organization’s control. If you find a DNS entry pointing to an IP you no longer own, remove it immediately.

However, the real challenge arises when multiple teams or individuals have access to your domain or DNS providers. With numerous contributors making changes, orphaned DNS entries can easily slip through the cracks. That’s why it’s critical to establish clear ownership and oversight over DNS management—ideally by enforcing regular audits and maintaining a centralized system to track which IPs are actively in use.

One of the most effective ways to prevent this issue is through continuous DNS monitoring. By routinely comparing your domain’s DNS records against the IP addresses currently allocated in your cloud infrastructure—using scripts, monitoring tools, or provider APIs—you can quickly identify discrepancies. Additionally, some scanning solutions can detect and flag records that point to expired or decommissioned IPs, alerting you to potential security risks before an attacker can exploit them.

How to Identify and Exploit a Dangling IP

1. Provision an IP Address – Acquire an IP from a cloud provider.
2. Check Historical Associations – Use reverse or passive DNS databases to determine if any domains previously resolved to this IP.
   • Useful sources: VirusTotal Passive DNS Relations, Rapid7 Sonar Forward DNS.
3. Verify Current DNS Records – Perform a live DNS query to check if any domains or subdomains are still pointing to your newly assigned IP.
4. Confirm Takeover – If an active domain remains linked to the IP you control, congratulations—you’ve successfully hijacked a dangling IP.
5. Rinse and Repeat – Continue the process to find more vulnerable addresses. Consider automating the steps above as they are highly repeatable.