Skip to main content

A lightweight Python utility to detect dns records that are suspected as dangling.

Project description

DDFR - Dangling Domains Finder

A lightweight Python utility to detect dns records that are suspected as dangling.


Do you have a large cloud environment with many services and VMs? Then probably some of your domain names are pointing to unclaimed IP addresses due to improper deprecation of services/VMs.

DDFR to the rescue!

Basically, the tool gets a list of your DNS records and checks if the pointed IPs belongs to your cloud accounts.

Behind the scenes

  1. You provide DDFR with a list of your DNS records (see Usage section).

  2. You provide DDFR with a list of all your registered cloud IPs in one of the following ways:

    • Allow DDFR to automatically collect all of your registered IPs from Palo Alto's Prisma Cloud product.
    • Manually provide a file with your registered cloud IPs.
  3. DDFR compares the lists to see if there are domains pointing to IPs not owned by you and therefore suspected as dangling.

    NOTE: DDFR also provides you with a mechanism to reduce false positives, read more about it below.

  4. DDFR generates a report of the suspected DNS records.



  • [Optional] To pull records from Prisma Cloud, fill in the required environment variables:
export PRISMA_API_KEYID = your-value-here
export PRISMA_API_SECRET = your-value-here
export PRISMA_URL = your-value-here

PIP (recommended)

pip install ddfr


git clone
pip install .

Recommended Python Version

DDFR was developed and tested only with Python3.


Short Form Long Form Description
-d --domains Full path to a file contains your DNS records
-i --ips Full path to a file contains your owned ips (if non-existent will pull from prisma)
-cn --ssl-common-names Full path to a file contains key words that should appear in your CNs (for reducing false positives)
-r --ranges Full path to a file contains AWS ip ranges
-o --output Full path to output directory

Domains file needs to be in the following format (JSON):

[{"name": "domain name", "record_type": "DNS type (CNAME,A)", "record_value": "value (ip,ec2 domain name)"}]

Usage Examples

  • Pull ips form prisma
    ddfr -d "domains.json" -r "aws-ranges.txt" -cn "common-names.txt"
  • Receive ips from a file
    ddfr -d "domains.json" -r "aws-ranges.txt" -cn "common-names.txt" -i "my-ips.txt"

The Motivation for Creating DDFR

Subdomains takeovers have become a popular technique used by attackers and bug bounty hunters.

DNS records that points to unclaimed IP addresses is a specific use case of this attack that is pretty hard to catch (for both blue and red teams).

As a red-teamer, this kind of takeovers are hard to find as they require many resources to perform a successful attack (bruteforcing VMs IP addresses attached by the cloud providers) and reverse DNS lookup.

As a blue-teamer, companies nowadays have thousands of DNS records which makes it extremely hard to find manually.

By being able to pull your company's DNS records from your DNS management system be it AWS Route53 or any other, you can proactively look for those dangling records with this tool and mitigate these takeovers.


  • Automate AWS ranges fetching
  • Support for more cloud providers


Feel free to fork the repository and submit pull-requests.



Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ddfr-0.9.1.tar.gz (9.7 kB view hashes)

Uploaded Source

Built Distribution

ddfr-0.9.1-py3-none-any.whl (10.2 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page