Dangling Dns in Adonisjs (Typescript)

Dangling DNS occurs when a subdomain record (like api.example.com) points to a cloud resource (e.g., AWS S3 bucket, Azure blob, or Heroku app) that has been deprovisioned, but the DNS entry remains. Attackers can claim the orphaned resource and serve malicious content under your domain. In Adonisjs applications built with Typescript, this risk is amplified when route definitions or service configurations rely on environment variables for external API endpoints without validation.

For example, if your Adonisjs app uses a third-party service via a subdomain like payments.provider.com and that service is decommissioned but the DNS CNAME record still points to the old cloud resource, an attacker can take over payments.provider.com. If your Adonisjs code makes unauthenticated requests to this endpoint — common in webhook handlers, payment callbacks, or external API integrations — the attacker can intercept sensitive data, inject malicious responses, or perform SSRF-like attacks.

Typescript’s static typing does not prevent this misconfiguration; it only ensures compile-time safety. The vulnerability arises at runtime when the app trusts DNS-resolved endpoints without verifying ownership or validating responses. middleBrick detects such risks by scanning for unauthenticated exposure to external domains and flagging endpoints that interact with potentially dangling DNS targets, especially when those targets lack proper authentication or input validation.

To mitigate dangling DNS risks in an Adonisjs + Typescript application, implement runtime validation of external service responses and enforce strict allowlists for trusted domains. Below is a Typescript middleware for Adonisjs that validates outbound requests to external APIs, ensuring they only resolve to approved domains and verifying response integrity.

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

interface AllowedDomain {
  domain: string
  requireHttps: boolean
  allowedPaths?: RegExp[]
}

const ALLOWED_EXTERNAL_DOMAINS: AllowedDomain[] = [
  { domain: 'api.stripe.com', requireHttps: true, allowedPaths: [/^\/v1\/]/ },
  { domain: 'api.paypal.com', requireHttps: true, allowedPaths: [/^\/v2\/]/ },
]

export default class ExternalRequestValidator {
  public async handle({}: HttpContextContract, next: () => Promise) {
    await next()
  }

  public static validateOutboundUrl(url: string): boolean {
    try {
      const parsed = new URL(url)
      const { hostname, protocol } = parsed

      const allowed = ALLOWED_EXTERNAL_DOMAINS.find(d => {
        if (d.requireHttps && protocol !== 'https:') return false
        return d.domain === hostname
      })

      if (!allowed) return false

      if (allowed.allowedPaths) {
        const pathMatch = allowed.allowedPaths.some(re => re.test(parsed.pathname))
        if (!pathMatch) return false
      }

      return true
    } catch {
      return false
    }
  }
}

// Usage in a service
import ExternalRequestValidator from 'App/Middleware/ExternalRequestValidator'

export async function processPayment(payload: any) {
  const endpoint = `https://api.stripe.com/v1/payment_intents`

  if (!ExternalRequestValidator.validateOutboundUrl(endpoint)) {
    throw new Error('Blocked request to unauthorized or potentially dangling domain')
  }

  const response = await fetch(endpoint, { method: 'POST', body: JSON.stringify(payload) })
  // Further validate response structure and signature
  return response.json()
}

This approach ensures that even if a DNS record becomes dangling, the Adonisjs application will not communicate with the orphaned domain unless it is explicitly allowlisted. Combine this with regular DNS inventory checks and automated alerts for unresolved or changing CNAME records to reduce exposure window.