Dangling Dns in Koa
How Dangling DNS Manifests in Koa
Dangling DNS in Koa applications typically occurs when your API's domain or subdomain points to infrastructure that's no longer under your control. This creates a critical security vulnerability where attackers can register the orphaned infrastructure and intercept traffic meant for your Koa application.
The most common scenario involves Koa applications deployed on platforms like Vercel, Heroku, or AWS where the deployment is removed but DNS records aren't cleaned up. For instance, if you have a Koa API at api.example.com deployed to Vercel, and you delete the Vercel project without removing the DNS record, that subdomain becomes a dangling DNS entry.
In Koa applications, this manifests particularly in middleware that handles authentication and CORS. Consider a Koa application with authentication middleware:
const Koa = require('koa');
const Router = require('@koa/router');
const app = new Koa();
const router = new Router();
// Authentication middleware
app.use(async (ctx, next) => {
const authHeader = ctx.headers.authorization;
if (!authHeader) {
ctx.status = 401;
ctx.body = { error: 'Missing authorization' };
return;
}
await next();
});
router.get('/api/data', async (ctx) => {
ctx.body = { data: 'sensitive information' };
});
app.use(router.routes());
app.listen(3000);
If api.example.com becomes a dangling DNS entry pointing to a cloud provider's default landing page, an attacker could register an account with that provider and deploy a malicious application to the same infrastructure. All authentication headers and sensitive data would flow to the attacker's application instead of yours.
Another Koa-specific manifestation occurs with subdomain wildcard routing. If your Koa application uses dynamic subdomain handling:
router.get('/:org/sales', async (ctx) => {
const org = ctx.params.org;
// Process org-specific data
ctx.body = await getSalesData(org);
});
A dangling DNS for orphaned-org.example.com could allow attackers to craft requests that bypass your intended routing logic, potentially exposing data meant for other organizations.
Koa-Specific Detection
Detecting dangling DNS in Koa applications requires both network-level and application-level approaches. The first step is to identify all domains and subdomains that should resolve to your Koa application.
For network-level detection, you can use DNS lookup tools to verify what infrastructure each domain points to. In a Koa context, you should check:
- All domains configured in your CORS middleware
- Domains used in absolute URL generation (for password reset links, etc.)
- Domains in your API documentation and OpenAPI specs
- Domains in your automated testing suites
Here's a Koa-specific detection script that checks your application's domain configuration:
const dns = require('dns/promises');
const Koa = require('koa');
const Router = require('@koa/router');
const checkDanglingDNS = async (domain) => {
try {
const records = await dns.resolveAny(domain);
// Check if records point to expected infrastructure
const validIPs = [
'192.0.2.0/24', // Example: Your actual IP range
'2001:db8::/32' // Example: Your IPv6 range
];
const isExpected = records.some(record => {
if (record.address) {
return validIPs.some(range =>
ip.cidrSubnet(range).contains(record.address)
);
}
return false;
});
return isExpected;
} catch (error) {
console.log(`DNS check failed for ${domain}:`, error.message);
return false;
}
};
const app = new Koa();
const router = new Router();
router.get('/health', async (ctx) => {
const domains = [
'api.example.com',
'app.example.com',
'admin.example.com'
];
const results = await Promise.all(
domains.map(checkDanglingDNS)
);
ctx.body = {
domains: domains.map((d, i) => ({
domain: d,
valid: results[i]
}))
};
});
app.use(router.routes());
app.listen(3000);
For automated detection, middleBrick's API security scanner can identify dangling DNS vulnerabilities by testing your Koa application's endpoints against known dangling DNS patterns. The scanner checks if your API endpoints respond from unexpected infrastructure and flags potential subdomain takeover risks.
middleBrick specifically tests for dangling DNS by:
- Resolving your API's domain to verify it points to expected infrastructure
- Checking for common cloud provider takeover signatures
- Testing authentication flows to ensure they're not being intercepted
- Scanning for exposed API keys or tokens that might indicate infrastructure compromise
The scanner runs in 5-15 seconds without requiring credentials, making it ideal for Koa applications in development or production environments.
Koa-Specific Remediation
Remediating dangling DNS in Koa applications requires both immediate fixes and long-term monitoring. The first step is to identify and remove any dangling DNS records from your DNS provider (Cloudflare, Route53, etc.).
For Koa applications, implement defensive coding practices to reduce the impact if dangling DNS occurs:
const Koa = require('koa');
const Router = require('@koa/router');
const helmet = require('helmet');
const app = new Koa();
// Enhanced security middleware
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
connectSrc: ["'self'", 'api.example.com']
}
}
}));
// Domain validation middleware
app.use(async (ctx, next) => {
const allowedDomains = [
'api.example.com',
'www.example.com',
'app.example.com'
];
const host = ctx.headers.host.split(':')[0];
if (!allowedDomains.includes(host)) {
ctx.status = 400;
ctx.body = { error: 'Invalid domain' };
return;
}
await next();
});
// Enhanced authentication with domain binding
app.use(async (ctx, next) => {
const authHeader = ctx.headers.authorization;
if (authHeader) {
try {
const token = authHeader.replace('Bearer ', '');
const payload = jwt.verify(token, process.env.JWT_SECRET);
// Bind token to expected domain
if (payload.domain !== ctx.headers.host) {
ctx.status = 401;
ctx.body = { error: 'Domain mismatch' };
return;
}
} catch (error) {
ctx.status = 401;
ctx.body = { error: 'Invalid token' };
return;
}
}
await next();
});
const router = new Router();
router.get('/api/data', async (ctx) => {
ctx.body = { data: 'sensitive information' };
});
app.use(router.routes());
// Health check with domain verification
router.get('/health', async (ctx) => {
const host = ctx.headers.host.split(':')[0];
const isValidDomain = await checkDomain(host);
ctx.body = {
status: isValidDomain ? 'healthy' : 'suspicious',
domain: host
};
});
app.listen(3000);
For long-term protection, integrate middleBrick's continuous monitoring into your Koa application's lifecycle. The Pro plan ($499/month) includes scheduled scans that automatically check for dangling DNS and other API security issues.
middleBrick's CLI tool makes it easy to add security scanning to your Koa development workflow:
npm install -g middlebrick
middlebrick scan https://api.example.com --output json
You can also integrate middleBrick into your CI/CD pipeline using the GitHub Action:
- name: Run middleBrick Security Scan
uses: middlebrick/middlebrick-action@v1
with:
api-url: 'https://api.example.com'
fail-on-severity: 'high'
output-format: 'json'
This ensures that any new dangling DNS vulnerabilities are caught before deployment. The GitHub Action can be configured to fail builds if security scores drop below your threshold, preventing vulnerable Koa applications from reaching production.