Severity: High | OWASP A05:2021 | CWE-16 | Infrastructure & Cloud

DNS Misconfiguration

DNS Zone Transfer attacks, missing DNSSEC, absent CAA records, and low-TTL rebinding vectors expose infrastructure details and enable subdomain takeover in vibe-coded apps.

What Is DNS Misconfiguration?

DNS (Domain Name System) is the internet's phone book — it maps your domain to IP addresses, mail servers, and service endpoints. Misconfigurations in DNS can expose your entire infrastructure map to attackers, enable subdomain takeovers, or allow certificate misissuance.

For vibe-coded apps deployed on Vercel, Netlify, Railway, or similar platforms, DNS is configured once and rarely revisited — making it a common source of critical security gaps.

Attack Scenarios

Zone Transfer (AXFR) — Full Infrastructure Map

A DNS zone transfer is meant to replicate zone data between authoritative nameservers. When misconfigured to accept transfers from any IP, an attacker gets a complete map of your infrastructure:

dig AXFR vibewshield.com @ns1.example.com

Response reveals all subdomains:

admin.vibewshield.com.         IN A      10.0.1.50
staging.vibewshield.com.       IN CNAME  staging-xyz.vercel.app.
dev.vibewshield.com.           IN A      192.168.1.100
internal-api.vibewshield.com.  IN A      10.0.2.30

Now the attacker knows your internal IP ranges, staging environments, and admin panels — all from a single DNS query.

DNS Rebinding — Same-Origin Policy Bypass

DNS rebinding exploits low TTL values to trick a browser into re-resolving a domain mid-session:

  1. Attacker registers evil.com with TTL=1s, initially pointing to attacker's IP
  2. Victim visits evil.com in browser
  3. Attacker's server responds with JavaScript, then DNS TTL expires
  4. Attacker changes DNS to point evil.com to 127.0.0.1
  5. JavaScript re-fetches from evil.com — browser sends request to localhost
  6. Same-origin policy is bypassed — attacker can now access your local admin interfaces

TTL values under 60 seconds (without CDN protection) are the key indicator.

Missing CAA Records — Unauthorized Certificate Issue

Certificate Authority Authorization (CAA) records specify which certificate authorities are allowed to issue TLS certificates for your domain:

; Without a CAA record, any CA can issue for your domain. Adding one restricts issuance:
vibewshield.com.  IN CAA  0 issue "letsencrypt.org"

Without CAA records, a compromised or rogue CA can issue valid certificates for your domain — enabling MITM attacks that browsers won't warn users about.

Real-World Impact

  • Full subdomain enumeration via AXFR — attacker maps your entire infrastructure
  • Subdomain takeover — staging subdomains pointing to deleted Vercel/Netlify deployments can be claimed
  • Unauthorized certificate issuance — rogue HTTPS certificates for your domain
  • DNS rebinding → localhost SSRF — internal admin panels and APIs exposed to malicious websites

How to Fix

Restrict zone transfers to authoritative NS only:

// named.conf
zone "example.com" {
    type master;
    // Only your secondary NS, by IP: BIND address match lists accept IPs, prefixes,
    // ACL names or TSIG keys, not hostnames. 192.0.2.53 is a placeholder for ns2.
    allow-transfer { 192.0.2.53; };
    // NOT: allow-transfer { any; };
};

Add CAA records:

example.com.  IN CAA  0 issue "letsencrypt.org"
example.com.  IN CAA  0 issuewild "letsencrypt.org"
example.com.  IN CAA  0 iodef "mailto:security@example.com"

Enable DNSSEC:

Most DNS providers (Cloudflare, Route 53) offer one-click DNSSEC. It cryptographically signs your zone so resolvers can verify records haven't been tampered with.

Minimum TTL for rebinding protection:

Keep A record TTLs at 300 seconds (5 minutes) or higher. TTLs under 60 seconds combined with no CDN protection are a rebinding risk.

Clean up dangling CNAMEs:

# Check if CNAME target still exists
dig CNAME staging.example.com
# If target (e.g., staging-xyz.vercel.app) is gone → remove the CNAME record

What VibeWShield Detects

VibeWShield's Level 2 DNS Intelligence scanner:

  • Attempts AXFR zone transfers against all discovered nameservers — reports CRITICAL if any NS accepts
  • Checks for missing CAA records — reports MEDIUM (any CA can issue certs for your domain)
  • Detects DNS rebinding risk: A record TTL < 60s without CDN protection → MEDIUM
  • Checks DNSSEC configuration — missing DNSKEY → INFO
  • Scans TXT records for service verification tokens that reveal connected third-party services
  • Extends domain_info with SOA, SRV records, and CNAME-based hosting provider detection (Vercel, Netlify, Railway, Fly.io, 18+ providers)
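
As an added example (not VibeWShield's scanner code, and not code from the original page), the Python below runs the checks from the "How to Fix" and detection sections over a constructed zone: missing CAA (MEDIUM), missing DNSKEY (INFO) and A-record TTL under 60 s (MEDIUM) use the severities listed above, while the private-address and dangling-CNAME checks, their HIGH severity, the sample records and the `target_exists` hook are this example's own assumptions.

```python
import ipaddress
from typing import Callable, Dict, List
# Constructed sample zones (hypothetical, not a real zone) modelled on the AXFR
# output and CAA fix shown above. Fields: owner ttl class type rdata
WEAK_ZONE = """\
vibewshield.com.              300 IN A     203.0.113.10
admin.vibewshield.com.        300 IN A     10.0.1.50
staging.vibewshield.com.      300 IN CNAME staging-xyz.vercel.app.
dev.vibewshield.com.           30 IN A     192.168.1.100
internal-api.vibewshield.com. 300 IN A     10.0.2.30
"""
FIXED_ZONE = """\
vibewshield.com.              300 IN A      203.0.113.10
vibewshield.com.              300 IN CAA    0 issue "letsencrypt.org"
vibewshield.com.              300 IN DNSKEY 257 3 13 <placeholder-public-key>
"""
# Ranges that should never appear in a public zone (RFC 1918 and loopback)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
def parse_zone(text: str) -> List[tuple]:
    """Parse one-record-per-line zone text into (owner, ttl, type, rdata)."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # ';' starts a comment
        if len(fields) < 5:
            continue
        owner, ttl, _cls, rtype = fields[:4]
        records.append((owner.lower(), int(ttl), rtype.upper(), " ".join(fields[4:])))
    return records
def audit_zone(apex: str, records: List[tuple],
               target_exists: Callable[[str], bool] = lambda t: True) -> List[Dict[str, str]]:
    """Flag the misconfigurations this page describes. target_exists is a hook for a
    real CNAME-target lookup; the default assumes every target still resolves."""
    apex = apex.lower().rstrip(".") + "."
    out: List[Dict[str, str]] = []
    def add(sev: str, check: str, detail: str) -> None:
        out.append({"severity": sev, "check": check, "detail": detail})
    if not any(o == apex and t == "CAA" for o, _, t, _ in records):
        add("MEDIUM", "caa-missing", f"no CAA at {apex}: any CA may issue")
    if not any(o == apex and t == "DNSKEY" for o, _, t, _ in records):
        add("INFO", "dnssec-missing", f"no DNSKEY at {apex}: zone is unsigned")
    for owner, ttl, rtype, rdata in records:
        if rtype == "A" and ttl < 60:
            add("MEDIUM", "low-ttl", f"{owner} A TTL={ttl}s (rebinding risk)")
        if rtype == "A" and any(ipaddress.ip_address(rdata) in n for n in INTERNAL_NETS):
            add("HIGH", "internal-ip-exposed", f"{owner} publishes {rdata}")  # severity: this example's choice
        if rtype == "CNAME" and not target_exists(rdata.rstrip(".")):
            add("HIGH", "dangling-cname", f"{owner} -> {rdata} is gone (takeover risk)")
    return out
```

Plug a real lookup into `target_exists` (for example, one that resolves the CNAME target) to turn the dangling-CNAME check into the `dig CNAME` verification from the fix section.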

Tags: dns, zone-transfer, axfr, dnssec, caa, rebinding, infra
