What this looks like in the scanner
securecompass.io/public-exposure-scanner

Severity | Hostname                 | Finding
Critical | staging.example.com      | CNAME record points to decommissioned S3 bucket - vulnerable to subdomain takeover
High     | internal-api.example.com | Internal hostname resolves via public DNS exposing private IP 10.0.1.47 and infrastructure topology
Medium   | example.com              | Public hosted zone does not have DNSSEC signing enabled
What does Amazon Route 53 public exposure mean?
Route 53 hosted zones and DNS records can inadvertently expose internal hostnames, IP addresses, and infrastructure topology. Subdomain takeover is possible when DNS records point to decommissioned resources.
Why it matters
DNS reconnaissance is the first step in most attacks. Exposed internal hostnames and dangling DNS records provide attackers with a roadmap of your infrastructure and potential entry points via subdomain takeover.
How to check manually
1. Audit DNS records for references to decommissioned resources
2. Check for CNAME records pointing to unclaimed S3 buckets or CloudFront distributions
3. Review private hosted zones for accidental public exposure
4. Verify DNSSEC is enabled for public zones
Quick check with AWS CLI
List all hosted zones and their record counts (Private shows whether the zone is a private hosted zone):
aws route53 list-hosted-zones --query "HostedZones[].{Name:Name,Id:Id,Private:Config.PrivateZone,Records:ResourceRecordSetCount}"

Find CNAME records that might be dangling (replace YOUR_ZONE_ID with the Id from the previous command):
aws route53 list-resource-record-sets --hosted-zone-id YOUR_ZONE_ID --query "ResourceRecordSets[?Type=='CNAME'].{Name:Name,Target:ResourceRecords[0].Value}"

Check DNSSEC status for a hosted zone (SIGNING means DNSSEC signing is enabled):
aws route53 get-dnssec --hosted-zone-id YOUR_ZONE_ID --query "Status.ServeSignature"

Common misconfigurations
- Dangling CNAME records pointing to deleted resources
- Internal hostnames resolvable from public DNS
- Missing DNSSEC on public hosted zones
- Wildcard DNS records that match unintended subdomains
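As an added example (not the scanner's own code and not an AWS library), the script below turns the manual checks, the CLI queries and the misconfiguration list above into one assessment that runs over JSON shaped like the output of `aws route53 list-hosted-zones`, `list-resource-record-sets` and `get-dnssec`. The zone, record sets and DNSSEC status are constructed for the demo; the patterns for AWS endpoints that another account could re-create, the RFC 1918 ranges used for "private IP", and the severity mapping are this example's assumptions. A CNAME that matches a pattern is only a takeover candidate: the finding is confirmed by checking, from the owner's side, whether the bucket or distribution still exists.

```python
import ipaddress
import re

# Added example, not the scanner's code. Endpoint patterns whose underlying
# resource can be created by any AWS account once the original is deleted.
# This list is an assumption of the example, not an exhaustive catalogue.
RECLAIMABLE_TARGETS = (
    re.compile(r"\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$"),
    re.compile(r"\.cloudfront\.net\.?$"),
)
# "Private IP" here means RFC 1918 (assumption; extend with your own ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data shaped like the Route 53 CLI/API responses.
SAMPLE_ZONE = {"Id": "/hostedzone/ZEXAMPLE123", "Name": "example.com.",
               "Config": {"PrivateZone": False}}
SAMPLE_RECORDS = [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.com."}]},
    {"Name": "staging.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "staging-assets.s3-website-us-east-1.amazonaws.com"}]},
    {"Name": "cdn.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net"}]},
    {"Name": "blog.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "hosting.example.net."}]},
    {"Name": "internal-api.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "10.0.1.47"}]},
    # Alias records carry AliasTarget and no ResourceRecords key at all.
    {"Name": "www.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "Z2FDTNDATAQYW2",
                     "DNSName": "d111111abcdef8.cloudfront.net.",
                     "EvaluateTargetHealth": False}},
    # Route 53 returns a wildcard label with the asterisk octal-escaped as \052.
    {"Name": "\\052.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
]
SAMPLE_DNSSEC = {"Status": {"ServeSignature": "NOT_SIGNING"}, "KeySigningKeys": []}


def _values(rrset):
    """Record values, tolerating alias records that have no ResourceRecords."""
    return [rr["Value"] for rr in rrset.get("ResourceRecords", [])]


def candidate_dangling_cnames(record_sets):
    """(name, target) for CNAMEs whose target another account could re-create."""
    out = []
    for rrset in record_sets:
        if rrset["Type"] != "CNAME":
            continue
        for target in _values(rrset):
            if any(p.search(target.lower()) for p in RECLAIMABLE_TARGETS):
                out.append((rrset["Name"], target))
    return out


def private_a_records(record_sets):
    """(name, ip) for A records that publish an RFC 1918 address."""
    out = []
    for rrset in record_sets:
        if rrset["Type"] != "A":
            continue
        for value in _values(rrset):
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue  # not an address literal; ignore
            if any(addr in net for net in RFC1918):
                out.append((rrset["Name"], value))
    return out


def wildcard_records(record_sets):
    """Names of wildcard record sets (leading label is the escaped asterisk)."""
    return sorted({r["Name"] for r in record_sets if r["Name"].startswith("\\052.")})


def dnssec_signing(dnssec_status):
    """True when get-dnssec reports Status.ServeSignature == SIGNING."""
    return dnssec_status.get("Status", {}).get("ServeSignature") == "SIGNING"


def assess_zone(zone, record_sets, dnssec_status):
    """(severity, name, message) findings for one zone; severities are assumed."""
    findings = []
    if zone["Config"]["PrivateZone"]:
        return findings  # private zones are not answered from the public internet
    for name, target in candidate_dangling_cnames(record_sets):
        findings.append(("Critical", name,
                         f"CNAME target {target} can be re-created by another account; "
                         "confirm the resource still exists"))
    for name, ip in private_a_records(record_sets):
        findings.append(("High", name, f"public zone exposes private address {ip}"))
    for name in wildcard_records(record_sets):
        findings.append(("Medium", name, "wildcard record answers for unintended subdomains"))
    if not dnssec_signing(dnssec_status):
        findings.append(("Medium", zone["Name"], "DNSSEC signing not enabled"))
    return findings


if __name__ == "__main__":
    for severity, name, message in assess_zone(SAMPLE_ZONE, SAMPLE_RECORDS, SAMPLE_DNSSEC):
        print(f"{severity:8} {name:28} {message}")
```

In practice, feed `assess_zone` the JSON from the three CLI commands (without the `--query` filters, so the full record sets are present) for every zone returned by `list-hosted-zones`; the sample data reproduces the three scanner findings shown at the top of the page plus a wildcard record, while the `blog` CNAME to a non-AWS host and the alias `www` record are correctly left alone.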
Check all 22 resource types at once
Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.