
Remote DNS Manipulation at Scale: How IONIX Uncovered 20,000 Malicious Subdomains from a Single Abused NS Record 

Tal Zamir, Chief Technology Officer
August 5, 2025

Our threat-hunting team just uncovered a mass-produced remote DNS-manipulation campaign that hijacked an entire nameserver (NS) delegation belonging to a Fortune 500 company. Within hours, the attacker used that foothold to create over 9,500 brand-new subdomains, all resolving to the same criminal infrastructure serving illicit gambling pages. Reverse-IP analysis shows the same host is already abusing hundreds of other Fortune 500 enterprises and public-sector organizations worldwide, across multiple industries (e.g., retail, banking, insurance, manufacturing, critical infrastructure and more). 

This post explains what happened, why NS-record takeovers are so dangerous, and how IONIX customers are automatically protected. 

The Discovery

During an analysis for a customer, IONIX flagged an explosion of never-before-seen hostnames under a customer’s domain. Every hostname pointed to two seemingly innocuous parent subdomains: 

  • zzz.xxx.example.com 
  • yyy.xxx.example.com 

Because both parents had dangling Azure DNS NS records, an attacker was able to claim the entire nameserver set, giving them carte blanche to create and control thousands of child subdomains—without any compromise of the customer’s own systems required. 

Key Facts 

| Metric | Details |
|---|---|
| New subdomains created | ~9,500 in < 48 hours |
| Content hosted | Indonesian-language mobile gambling storefronts |
| Attack vector | Orphaned nameserver delegation (dangling NS) |
| Impact | Brand damage, SEO poisoning, potential phishing foothold |

Why Remote DNS Manipulation Matters, and Why It Is Dangerous 

Subdomain takeovers are nothing new, but most reports spotlight orphaned CNAMEs or S3 buckets. Dangling NS records are rarer—and far more catastrophic. Seizing a nameserver effectively gives an attacker their own registrar-grade control panel for any and all descendants of that zone. 

Large-scale research backs up the trend: 

  • A longitudinal study across 12 cloud providers found 20,904 hijacks involving dangling DNS resources between 2020 and 2023 (APNIC Blog). 
  • Cyber-press outlets warn that dangling-DNS exploitation is “one of the fastest-growing threats to supply-chain security” in 2025 (Cyber Security News). 

NS-level takeovers amplify those risks by: 

  1. Mass Production – attackers can spin up thousands of fully brand-consistent hostnames for SEO poisoning, spreading malware, or illicit commerce. 
  2. Evasion – DNS records appear legitimate in WHOIS and passive-DNS feeds, bypassing many allow-lists and e-mail filters. 
  3. Persistence – unless the victim reclaims the delegation, the threat actor retains perpetual control. 

How We Caught It (and Stopped It) 

IONIX continuously maps the entire external attack surface for every customer, flagging anomalous DNS patterns in real time. Our platform: 

  1. Maps all DNS delegations for known and unknown domains and subdomains to identify anomalies. 
  2. Detects dangling NS, CNAME, MX and other delegations. 
  3. Confirms exploitability by simulating attacker registration scenarios. 
  4. Auto-blocks malicious resolutions through Active Protection, neutralizing live threats while the customer remediates. 
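The check behind steps 1 to 3, and the state that made zzz/yyy claimable, as an added illustration (not IONIX code): a delegation is dangling when the parent still hands the zone to nameservers that are alive but no longer serve it, so anyone who re-creates the zone at that provider inherits every child name. The `query` function, server names and addresses below are constructed stand-ins; a real DNS client with the same signature can be substituted.

```python
from typing import Callable, Dict, List, Tuple

# A query function takes (server, qname, qtype) and returns (rcode, answers).
Query = Callable[[str, str, str], Tuple[str, List[str]]]
RESOLVER = "recursive"  # pseudo-server meaning "ask a recursive resolver"

# Constructed responses. The two parents from the post delegate to cloud
# nameservers that answer REFUSED because the zone was deleted there; that is
# the gap an attacker fills by re-creating the zone on the same provider.
FAKE_ANSWERS = {
    (RESOLVER, "ns1-01.azure-dns.com", "A"): ("NOERROR", ["192.0.2.10"]),
    (RESOLVER, "ns2-01.azure-dns.net", "A"): ("NOERROR", ["192.0.2.11"]),
    (RESOLVER, "ns1.corp-dns.example.net", "A"): ("NOERROR", ["192.0.2.20"]),
    ("ns1-01.azure-dns.com", "zzz.xxx.example.com", "SOA"): ("REFUSED", []),
    ("ns2-01.azure-dns.net", "zzz.xxx.example.com", "SOA"): ("REFUSED", []),
    ("ns1-01.azure-dns.com", "yyy.xxx.example.com", "SOA"): ("REFUSED", []),
    ("ns1.corp-dns.example.net", "www.example.com", "SOA"):
        ("NOERROR", ["ns1.corp-dns.example.net. hostmaster.example.com. 2025080501"]),
    # old.example.com delegates to a nameserver hostname that no longer resolves,
    # so every lookup for it falls through to the NXDOMAIN default below.
}

def fake_query(server: str, qname: str, qtype: str) -> Tuple[str, List[str]]:
    return FAKE_ANSWERS.get((server, qname, qtype), ("NXDOMAIN", []))

def classify_delegation(zone: str, nameservers: List[str], query: Query = fake_query) -> str:
    """healthy: every NS answers authoritatively; dangling: at least one NS is
    reachable but serves no such zone (claimable); broken: NS names don't resolve."""
    states = []
    for ns in nameservers:
        rcode, addrs = query(RESOLVER, ns, "A")
        if rcode != "NOERROR" or not addrs:
            states.append("unresolvable")
            continue
        rcode, soa = query(ns, zone, "SOA")
        states.append("authoritative" if rcode == "NOERROR" and soa else "no_zone")
    if states and all(s == "authoritative" for s in states):
        return "healthy"
    return "dangling" if "no_zone" in states else "broken"

def audit(delegations: Dict[str, List[str]], query: Query = fake_query) -> Dict[str, str]:
    return {zone: classify_delegation(zone, ns, query) for zone, ns in delegations.items()}

DELEGATIONS = {  # constructed inventory of NS delegations under example.com
    "zzz.xxx.example.com": ["ns1-01.azure-dns.com", "ns2-01.azure-dns.net"],
    "yyy.xxx.example.com": ["ns1-01.azure-dns.com"],
    "www.example.com": ["ns1.corp-dns.example.net"],
    "old.example.com": ["ns9.gone-provider.example.org"],
}

if __name__ == "__main__":
    for zone, verdict in audit(DELEGATIONS).items():
        print(f"{verdict:9} {zone}")
```

A "dangling" verdict is the one to act on first: either re-create the zone at the provider yourself or delete the NS records at the parent.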

In this case, Active Protection neutralized multiple similar potential takeovers minutes after detection, and our research team issued a coordinated disclosure to the company’s security team. 

Ripple Effects—It’s Not Just One Brand 

A reverse-IP sweep linked the attacker’s server to domains referencing multiple Fortune 100 companies, technology vendors and even government entities—evidence of a broader, automated campaign. Our ongoing investigation suggests: 

  • Multiple cloud DNS providers are in play, not just Azure. 
  • The threat actor recycles infrastructure to monetize gambling traffic (e.g., through SEO poisoning) but could pivot to phishing or brand impersonation at will. 
  • Dozens of additional dangling NS delegations remain vulnerable across sectors. 

Recommendations for Defenders 

  1. Discover and inventory all DNS delegations (NS, CNAME, MX, A, etc.) and decommission unused records. 
  2. Monitor for “shadow subdomains.” Sudden bursts of new hostnames are a red flag. 
  3. Leverage continuous external exposure management. Point-in-time scans miss fast-moving DNS abuse. 
  4. Enable protective controls. IONIX Active Protection can automatically sinkhole or block malicious resolutions before they reach users. 
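Recommendation 2 in code, as an added example rather than anything from IONIX: a sliding-window count of never-before-seen hostnames per parent over a passive-DNS feed, which also reports how much of the burst funnels into one server (the signal that separated the 9,500-host surge from normal growth). The feed lines, hostnames and addresses are constructed; the 48-hour window and threshold of 50 are assumptions to tune per zone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS feed, one "first_seen hostname A-record" per line:
# three legitimate hosts, then 72 new hosts under one parent in six hours that
# all point at a single server, mimicking the pattern described in the post.
FEED = [
    "2025-07-30T09:00:00Z www.example.com 198.51.100.5",
    "2025-07-30T09:05:00Z mail.example.com 198.51.100.6",
    "2025-08-01T03:00:00Z app.xxx.example.com 198.51.100.7",
] + [
    f"2025-08-03T{h:02d}:{m:02d}:00Z slot{h * 60 + m}.zzz.xxx.example.com 203.0.113.9"
    for h in range(6) for m in range(0, 60, 5)
]

def parse(line):
    ts, host, rdata = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host.lower().rstrip("."), rdata

def parent_of(host):
    """Immediate parent: slot12.zzz.xxx.example.com -> zzz.xxx.example.com."""
    return host.split(".", 1)[1]

def find_bursts(lines, window=timedelta(hours=48), threshold=50):
    """Return {parent: (new_hosts, top_rdata, share_of_top)} for every parent that
    gained more than `threshold` never-seen hostnames inside one `window`.
    A share_of_top near 1.0 means the new names all resolve to one server."""
    seen, first_seen = set(), defaultdict(list)
    for ts, host, rdata in sorted(parse(line) for line in lines):
        if host not in seen:                      # count each hostname once
            seen.add(host)
            first_seen[parent_of(host)].append((ts, rdata))
    bursts = {}
    for parent, events in first_seen.items():
        start = 0
        for end in range(len(events)):            # slide the window over first-seen times
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > threshold and count > bursts.get(parent, (0,))[0]:
                rdatas = [r for _, r in events[start:end + 1]]
                top = max(set(rdatas), key=rdatas.count)
                bursts[parent] = (count, top, rdatas.count(top) / count)
    return bursts

if __name__ == "__main__":
    for parent, (n, top, share) in find_bursts(FEED).items():
        print(f"{parent}: {n} new hosts in window, {share:.0%} resolve to {top}")
```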

Indicators of Compromise 

| Type | Value | Description |
|---|---|---|
| IP Address | 213.209.129.72 | Server hosting the malicious gambling and SEO-poisoning infrastructure |
| Hosting Provider | Railnet LLC | Hosting provider for the malicious server |
| DNS Infrastructure | Misconfigured A or NS records pointing to Azure or AWS infrastructure | Attackers exploited dangling A records as well, but above all manipulated DNS through misconfigured delegations to Azure DNS or Route 53 nameservers |

What’s Next

Attackers are industrializing remote DNS manipulation—escalating from single S3 bucket grabs to full nameserver takeovers that manufacture thousands of malicious domains overnight. Organizations can’t rely on passive defenses or periodic audits alone. 

IONIX gives security teams real-time visibility, rapid takedown and expert threat-hunting support to stay ahead of these evolving campaigns. 

Want to see how your external attack surface stacks up? Contact us for a complimentary risk assessment. 
