6 min read · Last updated May 27, 2026

DNS Orphan Records: Find and Clean Up Abandoned DNS Entries

Orphan DNS records are subdomains pointing to servers that no longer exist. Learn how to find them, why they are a security risk, and how to clean them up safely.

What is an orphan DNS record?

An orphan DNS record is a DNS entry -- typically an A, AAAA, or CNAME record -- that points to a resource that no longer exists. The DNS record remains in your zone file, but the server, service, or IP address it references has been decommissioned.

Common examples:

  • An A record pointing to an IP address that your company no longer owns
  • A CNAME pointing to a Heroku app that was deleted six months ago
  • An MX record for a subdomain that used to run a separate mail service
  • A TXT record for a domain verification challenge that was completed years ago

These records are the digital equivalent of leaving your old office keys under the doormat -- after someone else has moved into the building.

Why are orphan records a security risk?

Subdomain takeover

The most serious risk. If a CNAME points to a deprovisioned cloud service, an attacker can claim that service and control your subdomain. See our full guide on subdomain takeover for details on how this works and which services are vulnerable.

IP address reuse

When you release a cloud IP address, it goes back into the provider's pool. Someone else -- potentially a malicious actor -- can be assigned that same IP. If your A record still points to it, your subdomain now resolves to their server.

Information leakage

Orphan records reveal your infrastructure history. Attackers can see which cloud providers you use, what services you have tried, and how your infrastructure has evolved. This is useful reconnaissance.

Certificate abuse

If an attacker gains control of a resource that your DNS points to, they can request a valid TLS certificate for your subdomain from any certificate authority that supports HTTP-01 validation. This gives them a trusted HTTPS connection on your domain. Keep your TLS certificates monitored to catch unexpected issuances.

Common causes of orphan records

  • Decommissioned servers -- a server is shut down but nobody removes the DNS record
  • Cancelled hosting or SaaS subscriptions -- the service is gone but DNS still points to it
  • Cloud infrastructure changes -- migrating from one cloud provider to another without cleaning up old records
  • Developer testing -- temporary subdomains created for staging or testing that are never removed
  • Employee turnover -- the person who set up the record has left the company, and nobody knows it exists
  • Mergers and acquisitions -- inherited domains with DNS records that nobody reviewed

How to find orphan records

Step 1: Export your DNS zone

Start by getting a full list of your DNS records. Most DNS providers let you export a zone file:

# Zone transfer (AXFR), if your authoritative server permits it from this host
dig axfr yourcompany.com @your-dns-server

# Or export from your DNS provider's dashboard (Cloudflare, Route53, etc.)

Step 2: Check each record with dig

# Check if an A record's IP is responsive
dig +short staging.yourcompany.com
# Returns: 203.0.113.42

# Check if anything is actually running there (this tests HTTP on port 80 only;
# a host that serves HTTPS only or a non-web service also fails it, so treat a miss as a lead)
curl -sI http://203.0.113.42 --connect-timeout 5
# If connection refused or timeout, it may be orphaned

Step 3: Check CNAME targets

# Check if the CNAME target still exists
dig +short CNAME old-blog.yourcompany.com
# Returns: yourcompany.ghost.io

dig +short yourcompany.ghost.io
# Empty output (status NXDOMAIN when run without +short) -- the target is gone and this CNAME is dangling

Step 4: Automate with a script

For larger DNS zones, automate the check:

#!/bin/bash
# Simple orphan DNS checker
# Assumes the authoritative server allows zone transfer (AXFR) from this host.
DOMAIN="yourcompany.com"
DNS_SERVER="your-dns-server"

zone=$(dig axfr "$DOMAIN" "@$DNS_SERVER") || { echo "AXFR of $DOMAIN failed"; exit 1; }

echo "Checking A records..."
# Zone lines look like: name. TTL IN A 203.0.113.42 -- select by field, which is portable
echo "$zone" | awk '$3 == "IN" && $4 == "A" {print $1, $NF}' | while read -r name ip; do
  # Tests HTTP on port 80 only; a host serving HTTPS or a non-web service also fails
  # this test, so treat a hit as a candidate to verify, not a verdict
  if ! curl -sI "http://$ip" --connect-timeout 3 > /dev/null 2>&1; then
    echo "POSSIBLY ORPHANED: $name -> $ip"
  fi
done

echo "Checking CNAME records..."
echo "$zone" | awk '$3 == "IN" && $4 == "CNAME" {print $1, $NF}' | while read -r name target; do
  # dig exits 0 even on NXDOMAIN, so test for empty +short output rather than the exit code
  if [ -z "$(dig +short "$target")" ]; then
    echo "DANGLING CNAME: $name -> $target"
  fi
done
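The shell script above tests A records with an HTTP request on port 80 and relies on live DNS, which makes it hard to reason about and impossible to exercise without a network. The following Python checker is an added example written for this article, not the article's own script or a SurfaceScan component. It parses the zone-export format that dig axfr prints, classifies A/AAAA records by whether any port in an assumed probe list (443, 80, 22, 25) accepts a TCP connection, and classifies CNAME and MX records by whether the target name still resolves. The resolver and probe functions are injectable, so the constructed sample zone below (documentation addresses only) runs fully offline; the names example.ghost.io, mx1.example.net and the live/resolvable sets are all constructed for the demonstration.

```python
"""Orphan record audit over a dig-axfr style zone export (added example)."""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Iterable, List

SUPPORTED = ("A", "AAAA", "CNAME", "MX")
PROBE_PORTS = (443, 80, 22, 25)   # assumption: common listeners worth testing


@dataclass
class Record:
    name: str     # owner name without trailing dot
    rtype: str
    target: str   # IP address for A/AAAA, hostname for CNAME/MX


@dataclass
class Finding:
    record: Record
    status: str   # "ok", "unreachable-ip" or "dangling-target"
    detail: str


def parse_zone(lines: Iterable[str]) -> List[Record]:
    """Parse 'owner TTL IN TYPE rdata' lines; ';' comments and other types are skipped.
    MX rdata is 'preference host', so the target is always the last field."""
    records = []
    for raw in lines:
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 5 or fields[2] != "IN" or fields[3].upper() not in SUPPORTED:
            continue
        records.append(Record(fields[0].rstrip("."), fields[3].upper(), fields[-1].rstrip(".")))
    return records


def live_resolve(host: str) -> bool:
    """True if the name resolves to at least one address; NXDOMAIN raises gaierror."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def live_probe(ip: str, ports=PROBE_PORTS, timeout: float = 3.0) -> bool:
    """True if any probed TCP port on the address accepts a connection."""
    for port in ports:
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                return True
        except OSError:
            continue
    return False


def classify(rec: Record, resolve: Callable[[str], bool], probe: Callable[[str], bool]) -> Finding:
    if rec.rtype in ("A", "AAAA"):
        if probe(rec.target):
            return Finding(rec, "ok", "TCP listener answered on a probed port")
        return Finding(rec, "unreachable-ip",
                       "no listener on probed ports; re-check over several days before removing")
    # CNAME and MX targets must still exist as names; a vanished target is the
    # dangling case that enables subdomain takeover.
    if resolve(rec.target):
        return Finding(rec, "ok", "target name resolves")
    return Finding(rec, "dangling-target", "target does not resolve (NXDOMAIN)")


def audit(zone_text: str, resolve=live_resolve, probe=live_probe) -> List[Finding]:
    return [classify(r, resolve, probe) for r in parse_zone(zone_text.splitlines())]


# Constructed sample export (documentation addresses, not a real zone).
SAMPLE_ZONE = """\
; exported with: dig axfr example.com @ns1
www.example.com.       300 IN A     203.0.113.10
staging.example.com.   300 IN A     203.0.113.42
ipv6.example.com.      300 IN AAAA  2001:db8::1
old-blog.example.com.  300 IN CNAME example.ghost.io.
mail.example.com.      300 IN MX    10 mx1.example.net.
example.com.           300 IN TXT   "v=spf1 -all"
"""

# Constructed answers standing in for the network during an offline run.
OFFLINE_LIVE_IPS = {"203.0.113.10", "2001:db8::1"}
OFFLINE_RESOLVABLE = {"mx1.example.net"}


def offline_audit() -> dict:
    """Run the audit against the constructed sample; returns {owner: status}."""
    findings = audit(SAMPLE_ZONE,
                     resolve=lambda h: h in OFFLINE_RESOLVABLE,
                     probe=lambda ip: ip in OFFLINE_LIVE_IPS)
    return {f.record.name: f.status for f in findings}


if __name__ == "__main__":
    # Live use: python orphan_audit.py zone-export.txt ; no argument runs the offline sample
    if len(sys.argv) > 1:
        findings = audit(open(sys.argv[1]).read())
    else:
        findings = audit(SAMPLE_ZONE, lambda h: h in OFFLINE_RESOLVABLE, lambda ip: ip in OFFLINE_LIVE_IPS)
    for f in findings:
        print(f"{f.status:16} {f.record.rtype:5} {f.record.name} -> {f.record.target}  ({f.detail})")
```

Run it with a saved zone export as the only argument to probe live, or with no argument to see the constructed sample classified. A probe across several ports catches the case the HTTP-only check misses, where a host is alive but serves nothing on port 80; an "unreachable-ip" result is still a lead to confirm over time, not a reason to delete on the spot.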

Using DNSRecon

DNSRecon is a Python tool that can help enumerate and audit DNS records:

pip install dnsrecon
dnsrecon -d yourcompany.com -t std

How to clean up orphan records safely

Deleting DNS records without care can break things. Follow this process:

1. Document the record

Before deleting, note what the record is, what it pointed to, and when it was created (if known). Store this in your DNS inventory.

2. Verify it is actually orphaned

Do not just check once -- check multiple times over a few days. Some services have intermittent availability.

# Check on different days and from different locations
dig +short suspect-subdomain.yourcompany.com
curl -sI https://suspect-subdomain.yourcompany.com --connect-timeout 10
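A single failed check says little, as the step above notes, because some services are only intermittently available. The following added example (written for this article, not part of it or of any product) keeps a per-host log of check results and returns a verdict only from observations inside a recent window: "confirmed" requires every recent check to have failed, enough checks, and those checks spread over enough days; a single success in the window makes the host "intermittent" rather than orphaned. The hosts, dates and thresholds (7-day window, 4 checks, 3-day spread) are constructed for the demonstration; the reachable flag can come from any check, such as the dig and curl commands above.

```python
"""Confirm an orphan only after repeated failures spread over days (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Observation = Tuple[datetime, bool]          # (checked_at, reachable)
CheckLog = Dict[str, List[Observation]]


def record_check(log: CheckLog, host: str, checked_at: datetime, reachable: bool) -> None:
    """Append one check result for host."""
    log.setdefault(host, []).append((checked_at, reachable))


def orphan_verdict(log: CheckLog, host: str, now: datetime,
                   window_days: int = 7, min_checks: int = 4, min_span_days: int = 3) -> str:
    """Return 'insufficient', 'alive', 'intermittent' or 'confirmed' for host.

    Only observations inside the window count, so a service that failed a month
    ago but has not been checked since is not confirmed on stale evidence.
    """
    cutoff = now - timedelta(days=window_days)
    recent = [(t, up) for t, up in log.get(host, []) if t >= cutoff]
    if len(recent) < min_checks:
        return "insufficient"
    if all(up for _, up in recent):
        return "alive"
    if any(up for _, up in recent):
        return "intermittent"   # flapping service, not an orphan: keep watching
    span = max(t for t, _ in recent) - min(t for t, _ in recent)
    return "confirmed" if span >= timedelta(days=min_span_days) else "insufficient"


def demo_verdicts() -> Dict[str, str]:
    """Constructed check history for four hosts; returns each host's verdict."""
    now = datetime(2026, 5, 27, 12, 0)
    log: CheckLog = {}
    # gone.example.com: failed every day for five days -> confirmed
    for d in range(5):
        record_check(log, "gone.example.com", now - timedelta(days=d), False)
    # flaky.example.com: mostly down but answered once -> intermittent
    for d in range(5):
        record_check(log, "flaky.example.com", now - timedelta(days=d), d == 2)
    # new.example.com: two failures an hour apart -> insufficient (too few, too close)
    record_check(log, "new.example.com", now, False)
    record_check(log, "new.example.com", now - timedelta(hours=1), False)
    # old-outage.example.com: failures 30 days ago, nothing recent -> insufficient
    for d in range(30, 35):
        record_check(log, "old-outage.example.com", now - timedelta(days=d), False)
    return {h: orphan_verdict(log, h, now) for h in log}


if __name__ == "__main__":
    for host, verdict in demo_verdicts().items():
        print(f"{verdict:13} {host}")
```

Feed the log from a scheduled job (one run per day from more than one vantage point, as the step recommends) and act only on "confirmed" hosts; "intermittent" hosts deserve a closer look at why they flap, but not deletion.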

3. Check for dependencies

Search your codebase, configuration management, and documentation for references to the subdomain. Also check:

  • Email routing -- does anything send to @subdomain.yourcompany.com?
  • Application configs -- do any services reference this hostname?
  • Monitoring systems -- will removing it trigger false alerts?
  • External integrations -- do any partners or vendors use this endpoint?

4. Remove the record

Delete the DNS record through your DNS provider's dashboard or API.

5. Monitor after removal

Watch your support channels and monitoring for a few weeks after removal. If something breaks, you can re-add the record quickly.

Prevention: Keeping DNS clean going forward

  1. Maintain a DNS inventory with an owner assigned to every record
  2. Include DNS cleanup in decommissioning checklists for servers and services
  3. Review DNS records quarterly -- flag anything without a clear owner
  4. Use infrastructure-as-code (Terraform, Pulumi) for DNS so records are tracked in version control
  5. Set up automated monitoring to detect orphan records as they appear

If your ports and services are also a concern, review our guide on open ports security to ensure your network exposure matches your expectations.

How SurfaceScan helps

SurfaceScan continuously enumerates all subdomains in your attack surface and checks each DNS record for signs of orphaning. It detects A records pointing to unresponsive IPs, CNAMEs targeting non-existent resources, and records that no longer serve any content. Orphan records are flagged in the DNS section with details on what the record points to and why it is considered orphaned, so you can clean them up before they become a subdomain takeover risk.
