CNAME Record (Canonical Name Record)

Security Glossary - DNS

Definition: A CNAME record declares that one domain name is an alias for another domain name (the canonical name). When a resolver finds a CNAME at the name it asked about, it restarts the query for the same record type (A, AAAA, MX, and so on) at the canonical name and returns the result under the alias. CNAMEs are commonly used to point subdomains at hosting services, CDNs, or other domains whose operators manage their own IP addresses.

Why CNAME Record Matters

CNAME records are essential for pointing subdomains to external services. When you use a CDN like CloudFront or a hosting platform like Netlify, you create a CNAME from your subdomain (www.example.com) to their domain (d1234.cloudfront.net). This way, when the service changes IP addresses, your DNS automatically follows.

A critical limitation is that a CNAME must be the only record at its name: RFC 1034 (section 3.6.2) forbids any other data at a node that holds a CNAME, with DNSSEC signature and denial-of-existence records (RRSIG, NSEC/NSEC3) being the one sanctioned exception. The zone apex (example.com) always carries SOA and NS records, so it can never hold a CNAME; MX records for email at the apex only add to the conflict. Many DNS providers offer a workaround, usually called ALIAS or ANAME, in which the authoritative server resolves the target's addresses itself and answers with A/AAAA records, so it behaves like a CNAME at the apex without violating the rule.

Dangling CNAMEs are a common source of subdomain takeover vulnerabilities. If a CNAME points at a hosted resource you no longer use (a decommissioned Heroku app, a deleted storage bucket, a released cloud endpoint), your DNS keeps sending visitors to that target even though it now returns NXDOMAIN or the provider's "no such app" page. If the provider lets anyone register that resource name, an attacker can claim it and serve content, TLS certificates obtained via domain validation, and cookies under your domain name.

How to Check

A DNS health checker shows all CNAME records for your domain. For each one, follow the alias chain to its end and confirm the final name resolves to addresses and that the resource it names is still yours: a target that returns NXDOMAIN, or a provider error page saying the resource does not exist, is a dangling CNAME and a subdomain takeover risk. Also verify that no CNAME shares a name with other record types (including at the apex) and that no chain loops or runs unusually long.
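The following script is an added example, not DomainOptic's scanner, that implements the three checks above (the coexistence rule from the limitation discussed earlier, the dangling-target condition behind subdomain takeover, and chain loops) over a constructed zone. The zone records, the external-DNS snapshot, and the hostnames in them (d1234.cloudfront.net, old-shop.herokuapp.com, sites.example-host.net) are all made up so the script runs offline; for a real audit, replace `snapshot_lookup` with a function that queries the public DNS.

```python
"""CNAME hygiene checks: coexistence violations, dangling targets, loops.

Added example (not DomainOptic code). The zone below and the "outside
world" snapshot are constructed so the script runs offline. Swap
`snapshot_lookup` for a real resolver (e.g. one that shells out to
`dig +short <name> A`) to audit a live zone.
"""
from collections import defaultdict

# Constructed zone records as (owner, type, rdata). Names are absolute.
ZONE_RECORDS = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "CNAME", "d1234.cloudfront.net."),      # illegal: apex holds SOA/NS/MX
    ("www.example.com.", "CNAME", "d1234.cloudfront.net."),
    ("shop.example.com.", "CNAME", "old-shop.herokuapp.com."), # decommissioned app (hypothetical)
    ("shop.example.com.", "TXT", "v=verify"),                  # illegal: TXT beside a CNAME
    ("blog.example.com.", "CNAME", "blog-alias.example.com."),
    ("blog-alias.example.com.", "CNAME", "sites.example-host.net."),
    ("mail.example.com.", "A", "203.0.113.10"),
]

# Constructed snapshot of what public DNS answers for names outside our zone.
# None (or an absent name) models NXDOMAIN / no A or AAAA answer: the target is gone.
EXTERNAL_VIEW = {
    "d1234.cloudfront.net.": ["198.51.100.7"],
    "old-shop.herokuapp.com.": None,
    "sites.example-host.net.": ["198.51.100.20"],
}

MAX_CHAIN = 8  # stop following absurdly long alias chains

# DNSSEC record types that RFC 4035 permits beside a CNAME.
DNSSEC_EXEMPT = {"RRSIG", "NSEC", "NSEC3"}


def records_by_owner(records):
    """Group (type, rdata) pairs by lower-cased owner name."""
    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[owner.lower()].append((rtype.upper(), rdata))
    return by_owner


def find_coexistence_violations(records):
    """Return (owner, [other types]) for every name where a CNAME shares the owner
    with non-DNSSEC records. The apex shows up here automatically via SOA/NS."""
    violations = []
    for owner, rrs in sorted(records_by_owner(records).items()):
        types = {t for t, _ in rrs}
        if "CNAME" in types:
            others = sorted(types - {"CNAME"} - DNSSEC_EXEMPT)
            if others:
                violations.append((owner, others))
    return violations


def resolve_chain(name, records, lookup_external):
    """Follow CNAMEs from `name`. Returns (final_name, addresses, status) where
    status is "ok", "dangling", "loop" or "too_long"."""
    by_owner = records_by_owner(records)
    seen = []
    current = name.lower()
    for _ in range(MAX_CHAIN):
        if current in seen:
            return current, [], "loop"
        seen.append(current)
        rrs = by_owner.get(current)
        if rrs is None:                      # left our zone: ask the outside world
            addrs = lookup_external(current)
            return (current, addrs, "ok") if addrs else (current, [], "dangling")
        cnames = [rd for t, rd in rrs if t == "CNAME"]
        if cnames:                           # hop to the canonical name
            current = cnames[0].lower()
            continue
        addrs = [rd for t, rd in rrs if t in ("A", "AAAA")]
        return current, addrs, ("ok" if addrs else "dangling")
    return current, [], "too_long"


def find_dangling_cnames(records, lookup_external):
    """Return (owner, final_name, status) for every CNAME whose chain does not end in addresses."""
    findings = []
    for owner, rtype, _ in records:
        if rtype.upper() == "CNAME":
            final, _, status = resolve_chain(owner, records, lookup_external)
            if status != "ok":
                findings.append((owner.lower(), final, status))
    return findings


def snapshot_lookup(name):
    """Offline stand-in for a real A/AAAA lookup; None means NXDOMAIN / no answer."""
    return EXTERNAL_VIEW.get(name.lower())


if __name__ == "__main__":
    for owner, others in find_coexistence_violations(ZONE_RECORDS):
        print(f"CNAME at {owner} coexists with {', '.join(others)}")
    for owner, final, status in find_dangling_cnames(ZONE_RECORDS, snapshot_lookup):
        print(f"{owner} -> {final}: {status}")
```

Against the constructed zone this reports the apex CNAME (coexisting with MX, NS and SOA), the TXT record sitting beside shop's CNAME, and shop.example.com as dangling because old-shop.herokuapp.com no longer resolves; the two-hop blog chain resolves cleanly. To gather real input, `dig +noall +answer www.example.com CNAME` shows the alias and `dig +short old-shop.herokuapp.com A` returning nothing is the signal the snapshot models with None.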

Frequently Asked Questions

Can I use a CNAME for my root domain?
No. A CNAME must be the only record at its name, and the zone apex (root domain) always holds SOA and NS records, so a CNAME there is invalid and most authoritative servers will refuse to load such a zone. Some DNS providers offer ALIAS or ANAME records as a workaround: the authoritative server resolves the target's A/AAAA records itself and answers with those addresses, so clients see ordinary address records rather than an alias. These are provider-specific features rather than standard record types, so behaviour and TTL handling vary between providers.
Do CNAME records affect performance?
A CNAME can add an extra DNS lookup. If the target lives in the same zone, the authoritative server usually returns the target's address records in the same response; if the target is in another zone (a CDN or hosting provider), the recursive resolver must issue a further query for it, and each additional hop in a chain of CNAMEs adds another. In practice the cost is a few milliseconds on a cold cache and nothing once the resolver has cached the target, so for most sites the operational convenience outweighs it. Keep chains short, though: long chains add latency on every cache miss and make dangling targets harder to spot.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.