Subdomain takeover is a critical vulnerability that allows attackers to claim control of your subdomain and serve malicious content under your brand. This can lead to phishing attacks, credential theft, and severe reputation damage. Here's how to protect yourself.

What is Subdomain Takeover?

Subdomain takeover occurs when a subdomain points to an external service that has been deprovisioned, but the DNS record remains. An attacker can then register the same resource on the external service and serve content through your subdomain.

The Attack Lifecycle

Discovery: Company creates subdomain blog.example.com pointing to third-party service
Configuration: Third-party service is configured to serve content for blog.example.com
Deprovisioning: Company stops using the service but forgets to remove the DNS record
Takeover: Attacker registers blog.example.com on the same third-party service
Exploitation: Attacker now controls content served at blog.example.com

Why Subdomain Takeover is Dangerous

If your parent domain sets cookies with Domain=.example.com, the attacker's subdomain receives those cookies. This can include session tokens.

Phishing Under Your Brand

Attackers can host convincing phishing pages at your-subdomain.example.com. Users trust your domain and enter credentials.

OAuth Token Theft

If OAuth callbacks ever used the vulnerable subdomain, attackers might be able to intercept authorization flows.

Content Injection

If your main site loads resources from the subdomain (scripts, styles, iframes), attackers can inject malicious content.

Email Spoofing

Some takeovers allow attackers to receive email sent to the subdomain or configure email authentication records.

Vulnerable Services and Patterns

High-Risk Services

These services have been frequently exploited for subdomain takeover:

GitHub Pages: CNAME to username.github.io
Heroku: CNAME to app-name.herokuapp.com
AWS S3: CNAME to bucket.s3.amazonaws.com
AWS CloudFront: CNAME to distribution.cloudfront.net
Azure: CNAME to *.azurewebsites.net
Shopify: CNAME to shops.myshopify.com
Zendesk: CNAME to *.zendesk.com
Fastly: CNAME to *.fastly.net
Pantheon: CNAME to *.pantheonsite.io
Tumblr: CNAME to domains.tumblr.com

Identifying Vulnerable Records

Look for DNS records pointing to external services that return:

404 or "Not Found" pages
"No such app" or "Project not found" errors
"There isn't a GitHub Pages site here"
"NoSuchBucket" (AWS S3)
"Fastly error: unknown domain"

Detection Methods

Manual DNS Enumeration

# Find all subdomains
dig +short AXFR example.com @ns1.example.com  # Zone transfer (if allowed)

# Check specific records
dig CNAME blog.example.com
dig A staging.example.com

# Verify if external service responds
curl -I https://blog.example.com

Automated Scanning

Use tools designed for subdomain enumeration and takeover detection:

Subfinder: Passive subdomain enumeration
Amass: Comprehensive subdomain discovery
Subjack: Subdomain takeover vulnerability checker
Nuclei: Vulnerability scanner with takeover templates

Continuous Monitoring

Set up alerts for:

New DNS records in your domain
Changes to existing CNAME records
HTTP responses indicating unclaimed resources
Certificate Transparency logs for your domain

Prevention Strategies

DNS Hygiene

Remove before deprovisioning: Delete DNS records before canceling external services
Regular audits: Quarterly review of all DNS records
Documentation: Maintain a record of what each subdomain is used for
Ownership tracking: Assign owners to each subdomain

Verification Records

Some services allow you to prove domain ownership via TXT records. Always configure these:

_verification.blog.example.com TXT "service-verification=abc123"

Reserved Subdomains

Pre-register common subdomains on services you use, even if you don't need them yet:

blog, www, app, api, mail, ftp
staging, dev, test, beta, demo
admin, portal, dashboard, console
shop, store, checkout, cart

Avoid Dangling CNAMEs

When possible, use A records pointing to IP addresses you control instead of CNAMEs to third parties. If you must use CNAMEs, implement monitoring.

Remediation

If You Find a Vulnerable Subdomain

Verify: Confirm the takeover vulnerability exists
Claim: If possible, claim the resource on the external service to prevent attackers
Remove: Delete the dangling DNS record
Investigate: Check if the subdomain was already taken over
Audit: Review logs for suspicious activity
Monitor: Watch for attackers trying to exploit the gap

If You've Been Compromised

Immediate: Remove the DNS record to stop the attack
Assessment: Determine what content was served and for how long
Cookie rotation: If cookies could have been stolen, invalidate sessions
User notification: Alert affected users if credentials may have been phished
Incident report: Document the incident for future prevention

Service-Specific Mitigations

GitHub Pages

Use a custom domain with a verification record or host pages directly on a subdomain you fully control.

AWS S3

Create the bucket before the DNS record. Use bucket policies that explicitly require your domain.

Heroku

Keep apps in a "maintenance mode" rather than deleting them if you might reuse the domain.

CloudFront

Configure Alternate Domain Names (CNAMEs) with SSL certificates that require domain validation.

Organizational Best Practices

Centralized DNS Management

Use a single team or system to manage DNS records. Avoid giving direct access to marketing, product, or external agencies.

Offboarding Procedures

Include DNS cleanup in your service offboarding checklist. When a vendor relationship ends or a project is decommissioned, DNS records should be verified.

Asset Inventory

Maintain a comprehensive inventory of:

All domains and subdomains owned
What each subdomain is used for
Which external services they point to
Who is responsible for each one

Subdomain Takeover Prevention Checklist

Remove DNS records before deprovisioning services
Audit DNS records quarterly
Monitor for dangling CNAMEs automatically
Use verification records where supported
Document subdomain ownership and purpose
Include DNS in offboarding procedures
Pre-register common subdomains on key services
Use SecScanner to detect vulnerable subdomains
Restrict who can create DNS records
Train teams on subdomain takeover risks

Subdomain takeover is preventable with proper hygiene and monitoring. Make DNS management part of your security program and regularly audit your attack surface.

What is Subdomain Takeover?

The Attack Lifecycle

Discovery: Company creates subdomain blog.example.com pointing to third-party service
Configuration: Third-party service is configured to serve content for blog.example.com
Deprovisioning: Company stops using the service but forgets to remove the DNS record
Takeover: Attacker registers blog.example.com on the same third-party service
Exploitation: Attacker now controls content served at blog.example.com

Why Subdomain Takeover is Dangerous

If your parent domain sets cookies with Domain=.example.com, the attacker's subdomain receives those cookies. This can include session tokens.

Phishing Under Your Brand

Attackers can host convincing phishing pages at your-subdomain.example.com. Users trust your domain and enter credentials.

OAuth Token Theft

If OAuth callbacks ever used the vulnerable subdomain, attackers might be able to intercept authorization flows.

Content Injection

If your main site loads resources from the subdomain (scripts, styles, iframes), attackers can inject malicious content.

Email Spoofing

Some takeovers allow attackers to receive email sent to the subdomain or configure email authentication records.

Vulnerable Services and Patterns

High-Risk Services

These services have been frequently exploited for subdomain takeover:

GitHub Pages: CNAME to username.github.io
Heroku: CNAME to app-name.herokuapp.com
AWS S3: CNAME to bucket.s3.amazonaws.com
AWS CloudFront: CNAME to distribution.cloudfront.net
Azure: CNAME to *.azurewebsites.net
Shopify: CNAME to shops.myshopify.com
Zendesk: CNAME to *.zendesk.com
Fastly: CNAME to *.fastly.net
Pantheon: CNAME to *.pantheonsite.io
Tumblr: CNAME to domains.tumblr.com

Identifying Vulnerable Records

Look for DNS records pointing to external services that return:

404 or "Not Found" pages
"No such app" or "Project not found" errors
"There isn't a GitHub Pages site here"
"NoSuchBucket" (AWS S3)
"Fastly error: unknown domain"

Detection Methods

Manual DNS Enumeration

# Find all subdomains
dig +short AXFR example.com @ns1.example.com  # Zone transfer (if allowed)

# Check specific records
dig CNAME blog.example.com
dig A staging.example.com

# Verify if external service responds
curl -I https://blog.example.com

Automated Scanning

Use tools designed for subdomain enumeration and takeover detection:

Subfinder: Passive subdomain enumeration
Amass: Comprehensive subdomain discovery
Subjack: Subdomain takeover vulnerability checker
Nuclei: Vulnerability scanner with takeover templates

Continuous Monitoring

Set up alerts for:

New DNS records in your domain
Changes to existing CNAME records
HTTP responses indicating unclaimed resources
Certificate Transparency logs for your domain

Prevention Strategies

DNS Hygiene

Remove before deprovisioning: Delete DNS records before canceling external services
Regular audits: Quarterly review of all DNS records
Documentation: Maintain a record of what each subdomain is used for
Ownership tracking: Assign owners to each subdomain

Verification Records

Some services allow you to prove domain ownership via TXT records. Always configure these:

_verification.blog.example.com TXT "service-verification=abc123"

Reserved Subdomains

Pre-register common subdomains on services you use, even if you don't need them yet:

blog, www, app, api, mail, ftp
staging, dev, test, beta, demo
admin, portal, dashboard, console
shop, store, checkout, cart

Avoid Dangling CNAMEs

When possible, use A records pointing to IP addresses you control instead of CNAMEs to third parties. If you must use CNAMEs, implement monitoring.

Remediation

If You Find a Vulnerable Subdomain

Verify: Confirm the takeover vulnerability exists
Claim: If possible, claim the resource on the external service to prevent attackers
Remove: Delete the dangling DNS record
Investigate: Check if the subdomain was already taken over
Audit: Review logs for suspicious activity
Monitor: Watch for attackers trying to exploit the gap

If You've Been Compromised

Immediate: Remove the DNS record to stop the attack
Assessment: Determine what content was served and for how long
Cookie rotation: If cookies could have been stolen, invalidate sessions
User notification: Alert affected users if credentials may have been phished
Incident report: Document the incident for future prevention

Service-Specific Mitigations

GitHub Pages

Use a custom domain with a verification record or host pages directly on a subdomain you fully control.

AWS S3

Create the bucket before the DNS record. Use bucket policies that explicitly require your domain.

Heroku

Keep apps in a "maintenance mode" rather than deleting them if you might reuse the domain.

CloudFront

Configure Alternate Domain Names (CNAMEs) with SSL certificates that require domain validation.

Organizational Best Practices

Centralized DNS Management

Use a single team or system to manage DNS records. Avoid giving direct access to marketing, product, or external agencies.

Offboarding Procedures

Include DNS cleanup in your service offboarding checklist. When a vendor relationship ends or a project is decommissioned, DNS records should be verified.

Asset Inventory

Maintain a comprehensive inventory of:

All domains and subdomains owned
What each subdomain is used for
Which external services they point to
Who is responsible for each one

Subdomain Takeover Prevention Checklist

Remove DNS records before deprovisioning services
Audit DNS records quarterly
Monitor for dangling CNAMEs automatically
Use verification records where supported
Document subdomain ownership and purpose
Include DNS in offboarding procedures
Pre-register common subdomains on key services
Use SecScanner to detect vulnerable subdomains
Restrict who can create DNS records
Train teams on subdomain takeover risks

Subdomain takeover is preventable with proper hygiene and monitoring. Make DNS management part of your security program and regularly audit your attack surface.

What is Subdomain Takeover?

The Attack Lifecycle

Why Subdomain Takeover is Dangerous

Cookie Theft

Phishing Under Your Brand

OAuth Token Theft

Content Injection

Email Spoofing

Vulnerable Services and Patterns

High-Risk Services

Identifying Vulnerable Records

Detection Methods

Manual DNS Enumeration

Automated Scanning

Continuous Monitoring

Prevention Strategies

DNS Hygiene

Verification Records

Reserved Subdomains

Avoid Dangling CNAMEs

Remediation

If You Find a Vulnerable Subdomain

If You've Been Compromised

Service-Specific Mitigations

GitHub Pages

AWS S3

Heroku

CloudFront

Organizational Best Practices

Centralized DNS Management

Offboarding Procedures

Asset Inventory

Subdomain Takeover Prevention Checklist

Related Articles

Email Security with SPF, DKIM, and DMARC: A Complete Guide

Certificate Transparency: How It Protects Your Domain

TLS/HTTPS Security Essentials: Protecting Your Website in 2025

Check Your Website Security

What is Subdomain Takeover?

The Attack Lifecycle

Why Subdomain Takeover is Dangerous

Cookie Theft

Phishing Under Your Brand

OAuth Token Theft

Content Injection

Email Spoofing

Vulnerable Services and Patterns

High-Risk Services

Identifying Vulnerable Records

Detection Methods

Manual DNS Enumeration

Automated Scanning

Continuous Monitoring

Prevention Strategies

DNS Hygiene

Verification Records

Reserved Subdomains

Avoid Dangling CNAMEs

Remediation

If You Find a Vulnerable Subdomain

If You've Been Compromised

Service-Specific Mitigations

GitHub Pages

AWS S3

Heroku

CloudFront

Organizational Best Practices

Centralized DNS Management

Offboarding Procedures

Asset Inventory

Subdomain Takeover Prevention Checklist

Related Articles

Email Security with SPF, DKIM, and DMARC: A Complete Guide

Certificate Transparency: How It Protects Your Domain

TLS/HTTPS Security Essentials: Protecting Your Website in 2025

Check Your Website Security