Summary by U.S. Fish and Wildlife Service
An organizational subdomain pointed to a now defunct external domain previously hosted on behalf of the organization. When the site was no longer needed/funded, a DNS CNAME remained in the public DNS record until this was identified.
Summary by thelicato
Description
You have a subdomain, rtncf-rci.ral.r4.fws.gov, that has a CNAME record pointing to a .org domain (to be more specific, it was pointing to rtncf-rci.ncusfws.org). The nslookup command shows the DNS configuration.
nslookup rtncf-rci.ral.r4.fws.gov 8.8.8.8
The .org domain, on the other hand, was free and an attacker can buy it and take possession of the .gov domain. In fact I bought it (for just 7 dollars) and created a simple HTML PoC with a link to my BugBounty profiles. In fact, if you execute the nslookup now you will see that the .gov domain points to the .org domain (the one I bought), which in turn points to my GitHub page (I did not want to spend money on hosting so I used a free GitHub page).
Risk
A subdomain takeover is pretty risky, especially for gov websites, because the user assumes that it is on the correct domain. Here is a list of the major risks of subdomain takeover:
- fake website
- malicious code injection
- tricking users
- company impersonation
This issue can have a really huge impact on the company's reputation: someone could post malicious content on the compromised site and then your users will think it's official, but it's not.
PoC
Visit https://rtncf-rci.ral.r4.fws.gov
Remediation
Remove the CNAME entry. As soon as you remove the CNAME entry I will delete the GitHub page.
See also
Additional note
As I said before, as soon as you remove the CNAME entry I will delete the GitHub page.
Best regards,
thelicato
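The condition behind this report is a CNAME in a zone you control whose target is a name you no longer control. The check below is an added example written for this write-up; it is not code from the reporter or from the U.S. Fish and Wildlife Service. It walks a set of zone records, looks only at CNAMEs that point outside your own suffixes, and flags any whose target fails to resolve, which is the window in which someone else can register the target. The zone records and the stub resolver answers are constructed for illustration; the `own_suffixes` parameter and the `Finding` type are this example's own. Note that once a target has been re-registered it resolves again, so a resolution check only catches the dangling state; it has to run on a schedule, and any CNAME to a domain you do not own deserves review regardless of whether it currently resolves.

```python
"""Dangling-CNAME check for a DNS zone (added example, not from the report).

A CNAME whose target name no longer resolves is a takeover candidate:
whoever registers the target controls what your hostname serves.
"""
import socket
from dataclasses import dataclass


@dataclass
class Finding:
    name: str      # the hostname in your zone
    target: str    # where its CNAME points
    reason: str


def live_resolve(name: str) -> list[str]:
    """Return the addresses `name` resolves to, or [] if it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def find_dangling_cnames(records, resolve=live_resolve, own_suffixes=()):
    """Flag CNAMEs that point outside `own_suffixes` to a name that does not resolve.

    records: iterable of (name, rtype, value) tuples as exported from the zone.
    resolve: lookup function; injectable so the check can run offline in tests.
    """
    suffixes = tuple(s.rstrip(".").lower() for s in own_suffixes)
    findings = []
    for name, rtype, value in records:
        if rtype.upper() != "CNAME":
            continue
        host = name.rstrip(".").lower()
        target = value.rstrip(".").lower()
        internal = any(target == s or target.endswith("." + s) for s in suffixes)
        if internal:
            continue  # targets inside your own zones are managed with the zone, not here
        if not resolve(target):
            findings.append(Finding(host, target,
                                    "CNAME target does not resolve; possible takeover"))
    return findings


# Constructed sample zone export; only the rtncf-rci hostname and its .org
# target come from the report, the rest is illustrative.
CONSTRUCTED_ZONE = [
    ("www.fws.gov.", "A", "192.0.2.10"),
    ("rtncf-rci.ral.r4.fws.gov.", "CNAME", "rtncf-rci.ncusfws.org."),
    ("assets.example.fws.gov.", "CNAME", "static.example-cdn.net."),
    ("alias.fws.gov.", "CNAME", "www.fws.gov."),
]

# Constructed resolver answers standing in for live DNS; the .org target is
# absent, modelling the lapsed registration described in the report.
STUB_ANSWERS = {
    "www.fws.gov": ["192.0.2.10"],
    "static.example-cdn.net": ["198.51.100.7"],
}


def stub_resolve(name: str) -> list[str]:
    return STUB_ANSWERS.get(name.lower(), [])


def scan_constructed_zone() -> list[Finding]:
    """Run the check over the constructed zone with the stub resolver."""
    return find_dangling_cnames(CONSTRUCTED_ZONE, resolve=stub_resolve,
                                own_suffixes=("fws.gov",))


if __name__ == "__main__":
    for f in scan_constructed_zone():
        print(f"{f.name} -> {f.target}: {f.reason}")
```

Swap `stub_resolve` for the default `live_resolve` to run it against real DNS; feed it a zone export (or the output of a zone transfer you are authorised to perform) rather than a hand-typed list. The remediation the report asks for, deleting the CNAME, is what clears a finding.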