Skip to main content
SecScannerSecScanner
Security ChecksFree ToolsPricingBlog
Get Started
Sign InGet Started
Security ChecksSubdomain Takeover
DNSCritical PriorityPro

Subdomain Takeover Test — Check DNS Records for Hijack Risk

Updated June 2026·SecScanner Team

Subdomain takeover occurs when DNS records point to deprovisioned external services that attackers can claim. If a CNAME or A record points to a cloud service, GitHub Pages, Heroku app, or other platform that no longer has your account associated, an attacker can register that resource and serve content from your subdomain.

Why It Matters

Attackers can serve malicious content from your trusted subdomain, steal cookies set for parent and sibling domains, bypass same-origin policy controls, and conduct highly convincing phishing attacks using your brand's domain. A single dangling DNS record can compromise your entire user base.

How We Check

We check CNAME and A records pointing to external platforms and test for unclaimed resource indicators — HTTP 404s with platform-specific error messages, 'NoSuchBucket' responses from S3, GitHub Pages 404 pages, Heroku error pages, and similar signals that indicate the resource is claimable.

How to Fix

Remove DNS records for decommissioned services before canceling the associated service accounts. Regularly audit all subdomains for dangling CNAMEs. When deprovisioning cloud resources, always remove the DNS record first — then delete the cloud resource. Use a subdomain inventory spreadsheet or automated monitoring to catch new risks.

Frequently Asked Questions

What is subdomain takeover?

Subdomain takeover is an attack where an attacker claims an external service (GitHub Pages, Heroku, S3, etc.) that your DNS record points to but is no longer provisioned by you. Once they control the service, they can serve content on your subdomain, steal cookies, and run phishing campaigns from your trusted domain.

How do I test my domain for subdomain takeover vulnerabilities?

Enter your domain in SecScanner's free subdomain takeover test above. We check CNAME records for dangling pointers to cloud platforms and detect platform-specific error responses that indicate an unclaimed resource. For manual testing, run `dig CNAME sub.yourdomain.com` and check whether the pointed service is still provisioned.

Which services are most commonly exploited for subdomain takeover?

The most common platforms are: GitHub Pages (custom domain not claimed), Heroku (app deleted but CNAME remains), AWS S3 (bucket deleted), Azure (app service removed), Fastly, Shopify, Zendesk, and Tumblr. Any service that uses CNAMEs and allows claiming custom domains is a potential target.

How do I prevent subdomain takeover?

Always remove DNS records before deprovisioning the associated cloud resource — never in the other order. Maintain an inventory of all subdomains and their associated services. Set up automated monitoring (like SecScanner's continuous monitoring) to alert you when a subdomain shows takeover indicators.

Can subdomain takeover steal cookies?

Yes — if cookies are set with Domain=.yourdomain.com (parent domain), they're sent to all subdomains including a taken-over one. This enables session hijacking. Additionally, an attacker-controlled subdomain can set cookies for parent and sibling domains, poisoning sessions across your entire site.

What is a dangling DNS record?

A dangling DNS record (also called an orphaned or stale DNS record) is a CNAME or A record that still exists in your DNS but points to an external resource that no longer belongs to you. These are the root cause of subdomain takeover vulnerabilities.

Related Security Checks

DNS

DNS Security

DNS

CAA DNS Records

Check Your Website Now

Run a free security scan to check for Subdomain Takeover issues and 62+ other security vulnerabilities.

Scan Your Website Free

Product

  • Security Checks
  • Free Tools
  • SSL Checker
  • Vulnerability Scanner
  • Email Security
  • Pricing
  • Compliance
  • Security Reports

Popular Checks

  • CSP Check
  • HSTS Check
  • TLS Version Check
  • SSL Expiry Check
  • SPF/DKIM/DMARC Check
  • Cookie Security Check
  • JS Vulnerability Scan
  • OCSP Stapling Check

Resources

  • Blog
  • Glossary
  • Contact

Legal

  • Terms of Use
  • Privacy Policy
  • Refund Policy
  • Cookie Policy

© 2025-2026 SecScanner. All rights reserved.