Kishore Bhavnanie

Posted on • Originally published at dnsassistant.com

Shadow DNS: The Subdomains Your Team Forgot Exist

Your marketing team launches a product campaign. They need a landing page fast, so they spin up launch.yourbrand.com and point it at a third-party campaign tool. The campaign runs, it succeeds, everyone moves on. Six months later, the marketing tool subscription lapses and the hosted resource is deprovisioned. But the DNS record still exists, still pointing at infrastructure your company no longer controls. Nobody in IT ever knew the subdomain existed, and nobody remembers to remove it. That is shadow DNS, and it is one of the most common and overlooked risks in modern domain management.

Shadow DNS is the DNS equivalent of shadow IT: DNS records, subdomains, and configurations created outside the visibility and governance of the team responsible for the domain. It accumulates quietly, spreads across teams and vendors, and becomes an attack surface that no one is watching precisely because no one knows it is there.

This article explains what shadow DNS is, how it forms, why it is dangerous, and how to bring it back under control.


First, a Note on the Term

"Shadow DNS" is used in a few different ways, so it is worth being clear. Recently, security researchers have used the term to describe a specific malware operation where compromised routers redirect devices to rogue DNS resolvers for ad fraud and traffic manipulation. That is a real and serious threat, but it is a different thing from what we are discussing here.

In this article, shadow DNS means the governance problem: the DNS records and subdomains within your own domains that exist outside your central oversight. This is the more common, more preventable, and for most organizations more relevant issue. It is the DNS you own but have lost track of.


How Shadow DNS Forms

Shadow DNS rarely comes from bad intent. It comes from the normal, distributed way modern organizations operate, where many teams and tools can influence DNS without a central checkpoint.

Marketing and Campaign Subdomains

This is the classic source. Marketing teams create subdomains for campaigns, events, product launches, and promotions, often pointing them at third-party platforms: landing page builders, email marketing tools, event registration systems, or webinar platforms. Each of these requires a DNS record (usually a CNAME) pointing at the vendor's infrastructure. These get created quickly, under deadline pressure, frequently without IT involvement, and rarely get cleaned up when the campaign ends.

SaaS and Third-Party Integrations

Every SaaS tool that wants a branded subdomain (help.yourbrand.com for a support platform, status.yourbrand.com for a status page, mail.yourbrand.com for an email service) needs a DNS record pointing at its infrastructure. As organizations adopt more tools, these records multiply. When a tool is replaced or abandoned, the DNS record often outlives the subscription.

Developer and Testing Environments

Engineering teams create subdomains for staging, testing, demos, and preview environments. These proliferate naturally in fast-moving development, and temporary environments have a way of leaving permanent DNS records behind.

Decentralized DNS Management

In many organizations, more than one person or team can edit DNS, or DNS is managed across multiple providers and registrars. Without a single source of truth, records get added in one place and forgotten in another. The larger the organization, the more fragmented this becomes.

Mergers, Acquisitions, and Reorganizations

When companies merge or acquire, they inherit each other's entire DNS footprint, often poorly documented. Domains and subdomains created by the acquired organization become shadow DNS for the acquiring one, since no one on the new team has visibility into what exists or why.


Why Shadow DNS Is Dangerous

Shadow DNS is not just untidy. It is a genuine security risk, and the danger scales with how much of it accumulates.

Subdomain Takeover

This is the headline risk. When a subdomain points at a third-party service (via CNAME) and that service is later deprovisioned, the DNS record becomes "dangling": it points at infrastructure that no longer belongs to you. An attacker who claims that abandoned resource on the third-party platform can then serve their own content from your subdomain, inheriting your domain's trust and reputation. We cover this attack in depth in our subdomain takeover guide, and it was the mechanism behind the large-scale Borrowed Trust campaign. Shadow DNS is where takeover-vulnerable records come from: subdomains created outside governance are exactly the ones nobody remembers to decommission.

Expanded Attack Surface

Every subdomain is a potential entry point. Shadow subdomains may run outdated software, expose forgotten admin panels, or host applications that never received security review. Because IT does not know they exist, they never get patched, monitored, or included in security assessments.

Phishing and Brand Abuse

A subdomain of your legitimate domain carries your brand's trust. If an attacker takes over a shadow subdomain, they can host convincing phishing pages under your real domain name, pages that are far more credible than a lookalike domain because the name genuinely is your domain.

Certificate and Email Exposure

Shadow DNS can include forgotten email-related records or subdomains that affect your security posture. A subdomain without proper email authentication can be exploited for spoofing, and forgotten records can undermine the email authentication you have carefully configured elsewhere.

Compliance and Audit Gaps

Security frameworks and audits increasingly expect a complete inventory of your internet-facing assets. Shadow DNS means your actual attack surface is larger than your documented one, a gap that undermines compliance and leaves you unable to answer a basic question: what does our organization actually expose to the internet?


Bringing Shadow DNS Under Control

Eliminating shadow DNS is not a one-time cleanup. It is an ongoing discipline of visibility and governance. Here is how to approach it.

1. Build a Complete DNS Inventory

You cannot govern what you cannot see. Start by discovering every domain and subdomain your organization actually has, not the list you think you have, but the real one. This means going beyond your documented records to actively discover subdomains that exist in the wild. Certificate Transparency logs, which record publicly trusted TLS certificates as they are issued, are one powerful discovery source, since most live subdomains have certificates. Subdomain discovery tools surface names you had forgotten or never knew about.

2. Audit What Each Record Points At

For every subdomain, determine what it points at and whether that target is still valid. Records pointing at third-party services are the priority: verify the service is still active and still yours. Dangling records pointing at deprovisioned cloud resources or lapsed SaaS accounts are your immediate takeover risk and should be removed or reclaimed.

3. Establish DNS Governance

Create a process for how DNS records get created and, critically, retired. This might include a central request process, a single source of truth for DNS across the organization, and clear ownership for each subdomain. The goal is to prevent new shadow DNS from forming while you clean up the old.

4. Make Decommissioning a Required Step

The root cause of shadow DNS is that records get created but never removed. Build DNS cleanup into your offboarding processes: when a campaign ends, a tool is retired, or a project is decommissioned, removing the associated DNS records should be a required checklist item, not an afterthought.

5. Monitor Continuously

Because shadow DNS forms continuously through normal operations, a one-time audit is not enough. New subdomains will appear, records will change, and services will be deprovisioned. Continuous monitoring is what keeps your inventory accurate over time and catches the moment a record becomes dangling or a new subdomain appears.
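Steps 1 and 2 above, together with the dangling CNAME case from the takeover section, as an added Python example (not from the post, and not DNS Assistant's code): it pulls in-scope hostnames out of a constructed crt.sh-style JSON export, diffs them against the documented inventory to find shadow subdomains, and flags CNAMEs whose external target no longer resolves. The crt.sh field name, the .example hostnames, and the stub resolver are assumptions.

```python
import json
from typing import Callable, Dict, List, Set

# Constructed sample: a crt.sh-style JSON export for yourbrand.example. crt.sh puts
# the certificate's SAN entries in "name_value", newline-separated (assumption).
CT_JSON = json.dumps([
    {"name_value": "www.yourbrand.example\nyourbrand.example"},
    {"name_value": "launch.yourbrand.example\nother-customer.campaign-vendor.example"},
    {"name_value": "*.staging.yourbrand.example\nstaging.yourbrand.example"},
    {"name_value": "help.yourbrand.example"},
])
# Constructed sample: what IT has documented, and the CNAMEs in the current zone.
DOCUMENTED = {"yourbrand.example", "www.yourbrand.example", "help.yourbrand.example"}
ZONE_CNAMES = {
    "launch.yourbrand.example": "yourbrand-launch.pages.campaign-vendor.example",
    "help.yourbrand.example": "yourbrand.support-vendor.example",
    "staging.yourbrand.example": "staging-lb.internal.yourbrand.example",
}

def ct_subdomains(ct_json: str, apex: str) -> Set[str]:
    """Unique in-scope hostnames from CT entries; a wildcard is reduced to its base name."""
    names: Set[str] = set()
    for entry in json.loads(ct_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            # Strict suffix match keeps out-of-scope SANs on shared vendor certs out.
            if name == apex or name.endswith("." + apex):
                names.add(name)
    return names

def shadow_subdomains(discovered: Set[str], documented: Set[str]) -> Set[str]:
    """Shadow DNS is what exists in the wild minus what the DNS owners know about."""
    return discovered - documented

def dangling_cnames(cnames: Dict[str, str], resolves: Callable[[str], bool]) -> List[str]:
    """Subdomains whose CNAME target no longer resolves: the takeover candidates."""
    return sorted(host for host, target in cnames.items() if not resolves(target))

def stub_resolves(target: str) -> bool:
    """Constructed resolver: the campaign vendor host was deprovisioned (NXDOMAIN).
    A real audit would call socket.getaddrinfo and treat socket.gaierror as False."""
    return target != "yourbrand-launch.pages.campaign-vendor.example"

def audit(apex: str = "yourbrand.example") -> Dict[str, List[str]]:
    found = ct_subdomains(CT_JSON, apex)
    return {"shadow": sorted(shadow_subdomains(found, DOCUMENTED)),
            "dangling": dangling_cnames(ZONE_CNAMES, stub_resolves)}
```

The two lists `audit()` returns are the step 1 and step 2 outputs: names that exist but were never documented, and records whose vendor target has already gone away.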


How DNS Assistant Helps

Shadow DNS is fundamentally a visibility problem, and visibility is exactly what DNS Assistant provides for the domains you monitor:

  • Subdomain discovery uses Certificate Transparency logs and other techniques to surface subdomains of your monitored domains, helping you find the shadow subdomains you had lost track of and build an accurate inventory.
  • Dangling DNS and subdomain takeover detection across 22+ cloud providers identifies the records that point at deprovisioned infrastructure, the takeover-vulnerable records that shadow DNS tends to produce.
  • Continuous record monitoring detects when records on your monitored domains change or when a subdomain's target shifts, so your inventory stays current and dangling records are caught as they form.
  • Email authentication and TLS posture checks surface subdomains and records with weak configurations that expand your exposure.
  • Real-time alerting via email, Slack, Microsoft Teams, webhooks, and SMS, so changes are caught when they happen.

The core value is turning the invisible visible. Shadow DNS is dangerous specifically because no one is watching it; continuous discovery and monitoring are how you start watching, and keep watching, the parts of your DNS footprint that would otherwise slip out of view.


Find Your Shadow DNS

The free DNS lookup tool at dnsassistant.com/tools and the Free Domain Risk Report let you inspect the records, DNSSEC status, email authentication, and TLS posture of a domain you already know about, a useful starting point for understanding your configuration.

Uncovering shadow DNS goes a step further: continuous subdomain discovery and dangling DNS detection across 22+ cloud providers surface the subdomains you had lost track of and the records pointing at deprovisioned infrastructure. These are part of the full monitoring platform. To bring your shadow DNS into the light, sign up at dnsassistant.com.
