Dangling Dns with Mutual Tls
How Dangling Dns Manifests in Mutual Tls
Dangling DNS records in Mutual TLS environments create a particularly insidious attack vector. When a DNS record points to a Mutual TLS-enabled service endpoint but the service is decommissioned or migrated, attackers can register the original domain and obtain a valid certificate, then intercept Mutual TLS traffic meant for the legitimate service.
The attack typically unfolds in three stages. First, the organization removes a Mutual TLS service but fails to clean up DNS records pointing to it. Second, an attacker registers the domain or acquires the IP address and obtains a certificate (often through Let's Encrypt or other automated services). Third, the attacker intercepts Mutual TLS traffic, potentially extracting sensitive data or injecting malicious payloads.
In Mutual TLS specifically, the impact is amplified because both client and server authentication occur. An attacker with a valid certificate can impersonate either party, making detection significantly harder. The client may trust the malicious server because it presents a valid certificate, while the server may trust the malicious client because it also presents valid credentials.
Consider a financial services API that used Mutual TLS for all client communications. When the service was migrated to a new endpoint, the old DNS record remained active. An attacker registered the abandoned domain, obtained a certificate, and began intercepting Mutual TLS traffic. Because the attacker's certificate was valid, client applications continued to trust the malicious endpoint, exposing sensitive financial data.
Common Mutual TLS code paths vulnerable to dangling DNS include:
// Vulnerable Mutual TLS client code
SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
SSL_CTX_load_verify_locations(ctx, "/path/to/ca.pem", NULL);
SSL_CTX_use_certificate_file(ctx, "client-cert.pem", SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx, "client-key.pem", SSL_FILETYPE_PEM);
// Vulnerable Mutual TLS server code
SSL_CTX *ctx = SSL_CTX_new(TLS_server_method());
SSL_CTX_load_verify_locations(ctx, "/path/to/ca.pem", NULL);
SSL_CTX_use_certificate_file(ctx, "server-cert.pem", SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx, "server-key.pem", SSL_FILETYPE_PEM);
SSL_CTX_use_certificate_chain_file(ctx, "ca-chain.pem", SSL_FILETYPE_PEM);
The vulnerability lies not in the Mutual TLS implementation itself, but in the DNS resolution step that occurs before the TLS handshake. When a client resolves a dangling DNS record, it connects to an unexpected endpoint that may have a valid certificate, bypassing the trust guarantees Mutual TLS is designed to provide.
Mutual Tls-Specific Detection
Detecting dangling DNS in Mutual TLS environments requires a multi-layered approach. The most effective strategy combines DNS monitoring, certificate analysis, and active scanning of Mutual TLS endpoints.
DNS monitoring should track record age and changes. Set up alerts for DNS records that haven't been updated in over 90 days, especially those pointing to Mutual TLS services. Tools like dig or nslookup can help identify stale records:
# Check DNS record age
dig +nocmd +noall +answer +ttlid example.com
# Check certificate validity
openssl s_client -connect example.com:443 -servername example.com -showcerts
Certificate transparency logs provide another detection layer. Services like crt.sh or Certificate Transparency Logs API can reveal certificates issued for your domains. Monitor for certificates issued to domains that should no longer be active:
# Query certificate transparency logs
curl "https://crt.sh/?q=example.com&output=json" | jq '.name_value'
Active scanning with middleBrick specifically tests Mutual TLS endpoints for dangling DNS vulnerabilities. The scanner attempts to establish Mutual TLS connections to identified endpoints and analyzes certificate chains, DNS resolution paths, and service responses. For Mutual TLS APIs, middleBrick performs these checks:
| Check Type | Mutual TLS Specific | Detection Method |
|---|---|---|
| Certificate Chain Analysis | Yes | Verifies certificate validity and issuer chain |
| DNS Resolution Path | Yes | Checks if resolved IP matches expected service | Service Response Analysis | Yes | Compares service responses to known good baselines |
middleBrick's CLI can be used to scan Mutual TLS APIs directly:
# Scan a Mutual TLS API endpoint
middlebrick scan https://api.example.com --output json
# Scan with specific Mutual TLS checks
middlebrick scan --mTLS --dangling-dns https://api.example.com
The scanner identifies anomalies such as certificates issued to decommissioned domains, unexpected service responses, or mismatched certificate subjects. These findings are categorized by severity and mapped to OWASP API Security Top 10 risks, helping teams prioritize remediation efforts.
Mutual Tls-Specific Remediation
Immediate remediation steps:
- Remove or update DNS records - Immediately remove or update any DNS records pointing to decommissioned Mutual TLS services. Use low TTL values during transitions to minimize propagation delays.
- Revoke certificates - If possible, revoke certificates associated with decommissioned endpoints. Contact your Certificate Authority to initiate revocation procedures.
- Update client configurations - Ensure all Mutual TLS client applications are updated with new endpoint information. This may require coordinated deployment across multiple teams.
Code-level fixes for Mutual TLS implementations:
// Improved Mutual TLS client with endpoint validation
SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
SSL_CTX_load_verify_locations(ctx, "/path/to/ca.pem", NULL);
SSL_CTX_use_certificate_file(ctx, "client-cert.pem", SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx, "client-key.pem", SSL_FILETYPE_PEM);
// Add hostname validation
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
// Validate endpoint before connection
const char *expected_endpoint = "api.example.com";
const char *resolved_endpoint = resolve_dns(endpoint);
if (strcmp(expected_endpoint, resolved_endpoint) != 0) {
fprintf(stderr, "DNS resolution mismatch: %s vs %s\n", endpoint, resolved_endpoint);
exit(1);
}
Server-side improvements:
// Mutual TLS server with enhanced validation
SSL_CTX *ctx = SSL_CTX_new(TLS_server_method());
SSL_CTX_load_verify_locations(ctx, "/path/to/ca.pem", NULL);
SSL_CTX_use_certificate_file(ctx, "server-cert.pem", SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx, "server-key.pem", SSL_FILETYPE_PEM);
SSL_CTX_use_certificate_chain_file(ctx, "ca-chain.pem", SSL_FILETYPE_PEM);
// Configure strict verification
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
SSL_CTX_set_verify_depth(ctx, 2);
// Implement certificate pinning
SSL_CTX_add_client_CA(ctx, "client-ca.pem");
Long-term process improvements include implementing DNS lifecycle management, establishing certificate expiration monitoring, and creating automated validation for Mutual TLS endpoint changes. Consider using service discovery mechanisms that don't rely solely on DNS, such as Consul or etcd, which provide additional validation layers.
For organizations using middleBrick's continuous monitoring, set up alerts for Mutual TLS-specific findings. The Pro plan's continuous monitoring can automatically scan Mutual TLS endpoints on a configurable schedule, alerting your team when dangling DNS vulnerabilities are detected. This proactive approach helps catch issues before they can be exploited.