With that, they have now hijacked that university’s subdomain. Given the reputations universities have, search queries then flow to the top of Google’s results.
Shakhov wrote:
The root cause is simple: organizations create DNS records and never clean them up. There is no expiry date on a CNAME record. Nobody gets an alert when the target stops responding. And most university IT departments don’t maintain a comprehensive inventory of their subdomains and where they point.
This is compounded by how universities operate—they are highly decentralized. Individual departments, labs, research groups, and student organizations can often request subdomains independently. When people leave, there is no decommissioning process for the DNS records they created.
Finding hijacked subdomains is straightforward. People need only enter site:[university].edu “xxx” or site:[university].edu “porn” for an affected institution, and scores of results will appear. In some cases, the subdomains returned no longer lead to porn sites, but as of Friday morning, many still did.
The lesson here is clear: Any organization with a website should compile a running inventory of all subdomains along with the purpose of each one and its corresponding CNAME record. Then staff should regularly audit the list in search of “dangling” records, meaning those that remain even after the official subdomain has gone dark. Any subdomain found to be inactive should have its CNAME removed.
Clearly, many universities and other organizations are flouting this common-sense practice. Shakhov said only a handful of the affected universities have expunged dangling CNAME records since he went public with his findings earlier this month. Even then, several of them have failed to get the URLs delisted by Google. That results in the indexed remaining visible in search results. Inquiries sent to UC Berkeley, Columbia, and Washington University didn’t receive responses before publication.
