What Is a Dangling CNAME?
Learn what a dangling CNAME is, why it can create subdomain takeover risk, what patterns to look for, and how to clean up stale aliases safely.
What a dangling CNAME means
A dangling CNAME is a DNS alias that still points to a third-party hostname even though the underlying service has been removed, renamed, or released. The DNS record remains in place, but the target no longer represents a live, controlled resource.
That situation can create operational issues such as broken subdomains, and in some cases it can create subdomain takeover risk if the target can be reclaimed by someone else.
Why dangling CNAMEs are risky
Many SaaS platforms assign customer hostnames under their own domain. If you delete the service but leave your CNAME in place, another party may be able to register or claim the abandoned destination and cause your subdomain to serve their content.
Even where takeover is not possible, dangling aliases still create confusion during incident response, DNS audits, and decommissioning projects.
Common signs of a dangling CNAME
- The CNAME target returns NXDOMAIN or no useful service response
- The hostname points to a known SaaS provider but the tenant no longer exists
- The target returns a default error page suggesting the resource is unclaimed
- The alias belongs to an old migration, test environment, or retired vendor integration
- No team can identify who owns the subdomain or why it still exists
How to investigate safely
Start by confirming the exact CNAME chain and then check whether the destination hostname still resolves or serves an active resource. Review the vendor pattern as well, because different providers use different signals to indicate whether a hostname is claimable, suspended, or simply misconfigured.
Do not assume every dead-looking CNAME is exploitable. Some are just stale records, while others are genuinely takeover-prone. The difference depends on the provider's control model.
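The triage steps above can be scripted for your own zone. The following is an added example, not code from this guide's tools: it walks each CNAME chain from a zone export and labels where the chain ends. The record map, the `RESOLVING` set, the `.example.com` suffix, and the status labels are constructed for illustration.

```python
import socket

# Constructed sample: owner name -> CNAME target, as exported from your own zone.
ZONE_CNAMES = {
    "shop.example.com": "cdn.example.com",
    "cdn.example.com": "tenant-1.saas-vendor.example",
    "docs.example.com": "old-docs.saas-vendor.example",
    "legacy.example.com": "retired-host.example.com",
    "a.example.com": "b.example.com",
    "b.example.com": "a.example.com",
}
# Constructed stand-in for live lookups: names that currently resolve.
RESOLVING = {"tenant-1.saas-vendor.example"}

def live_resolves(host):
    """Real resolver check; pass as `resolves` when auditing a live zone."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def walk_chain(name, cnames, max_hops=8):
    """Follow aliases step by step; return (chain, looped)."""
    chain, seen = [name], {name}
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]].rstrip(".").lower()
        chain.append(nxt)
        if nxt in seen or len(chain) > max_hops:
            return chain, True  # loop or unreasonably long chain
        seen.add(nxt)
    return chain, False

def classify(name, cnames, resolves, own_suffix=".example.com"):
    chain, looped = walk_chain(name, cnames)
    final = chain[-1]
    if looped:
        status = "loop"
    elif resolves(final):
        status = "live"
    elif final.endswith(own_suffix):
        status = "unresolved-internal"   # stale record inside your own zone
    else:
        status = "unresolved-external"   # third-party target: review provider model
    return {"name": name, "chain": chain, "status": status}

def audit(cnames, resolves=RESOLVING.__contains__):
    return [classify(n, cnames, resolves) for n in sorted(cnames)]

if __name__ == "__main__":
    for row in audit(ZONE_CNAMES):
        print(f'{row["status"]:20} {" -> ".join(row["chain"])}')
```

A "live" result only means the final name resolves; a target that resolves but serves a provider's default error page still needs the manual vendor review described above.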
How to remediate dangling aliases
- Remove the CNAME if the subdomain is no longer needed
- Recreate or reassign the backing service if the name is still in use
- Document ownership of third-party DNS aliases during onboarding and offboarding
- Review certificate, CDN, and SaaS-related subdomains as part of periodic audits
- Monitor for abandoned aliases after migrations or vendor changes
The best long-term fix is operational discipline. Every time a third-party service is retired, the corresponding DNS alias should be reviewed immediately so stale subdomains do not accumulate over time.
