Subdomain Takeover: Risk and Protection

An abandoned subdomain can be hijacked. Learn to detect and prevent this risk.

Subdomain takeover is a vulnerability where an attacker takes control of a legitimate subdomain through a "dangling" DNS record. Typical scenario: blog.example.com has a CNAME pointing to your-blog.heroku.com; you delete the Heroku blog but forget to delete the CNAME. An attacker can then create your-blog.heroku.com and take control of blog.example.com. This enables phishing, cookie theft, and attacks on your parent domain.

Signs of Vulnerability

  • A subdomain shows a cloud service error page ("There isn't a GitHub Pages site here")
  • CNAME points to a service you no longer use
  • The subdomain returns 404 or a parking page
  • You have many subdomains and no up-to-date inventory

At-Risk Services

  • Cloud platforms: GitHub Pages, Heroku, Azure, AWS S3, Shopify - at risk if you delete the service but keep the CNAME.
  • CDN and SaaS: Fastly, CloudFront, Zendesk - the same principle applies if the subscription is cancelled.
  • Old campaigns: landing.example.com for a finished marketing campaign, pointing to an abandoned service.

Detection and Cleanup

  1. Audit all your subdomains: retrieve the complete list from your DNS provider.
  2. Identify CNAMEs: for each CNAME, verify the target exists and belongs to you.
  3. Test responses: curl each subdomain and look for telltale error pages.
  4. Cleanup: immediately delete DNS records pointing to services you no longer control.
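The four steps above, as an added example (not code from the original page or from MoniTao): it parses a BIND-style zone export, skips CNAMEs that point into zones you own, checks whether each remaining target still resolves, and fetches the subdomain to look for the text an unclaimed service shows. The sample zone, the `example.com` names and the Heroku fingerprint string are constructed assumptions; only the GitHub Pages message comes from the page. The resolver and fetcher are injectable so the logic can be exercised offline.

```python
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass

# Constructed sample zone export (BIND-style). Names and targets are
# illustrative placeholders, not records from the original page.
SAMPLE_ZONE = """
blog.example.com.     300 IN CNAME your-blog.heroku.com.
docs.example.com.     300 IN CNAME docs-site.github.io.
www.example.com.      300 IN A     203.0.113.10
landing.example.com.  300 IN CNAME cdn.example.com.
"""

# Provider suffixes where anyone can claim a hostname, mapped to the text
# their error page shows for an unclaimed name. The GitHub Pages string is
# from the page; the Heroku strings are assumptions for this example.
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "heroku.com": "No such app",
    "herokuapp.com": "No such app",
}


@dataclass
class Finding:
    name: str
    target: str
    reason: str


def parse_cnames(zone_text):
    """Step 1/2: return (name, target) pairs for CNAME records in a zone export."""
    pairs = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[3].upper() == "CNAME":
            pairs.append((fields[0].rstrip("."), fields[4].rstrip(".")))
    return pairs


def _under(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def provider_for(target):
    """Return the fingerprint key whose suffix matches the CNAME target, or None."""
    for suffix in FINGERPRINTS:
        if _under(target, suffix):
            return suffix
    return None


def resolves(hostname):
    """Step 2: does the target still exist in DNS? NXDOMAIN means a dangling CNAME."""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False


def fetch_body(hostname):
    """Step 3: fetch the subdomain over HTTPS; error pages (4xx) are returned too."""
    try:
        with urllib.request.urlopen(f"https://{hostname}/", timeout=5) as resp:
            return resp.read(65536).decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.read(65536).decode("utf-8", errors="replace")
    except Exception:
        return ""


def audit(zone_text, owned_suffixes, resolve=resolves, fetch=fetch_body):
    """Steps 2-3: flag CNAMEs whose target is gone or answers with an unclaimed-service page."""
    findings = []
    for name, target in parse_cnames(zone_text):
        if any(_under(target, o) for o in owned_suffixes):
            continue  # target is under a zone you control; not a takeover candidate
        if not resolve(target):
            findings.append(Finding(name, target, "target does not resolve (dangling CNAME)"))
            continue
        provider = provider_for(target)
        if provider and FINGERPRINTS[provider] in fetch(name):
            findings.append(Finding(name, target, f"unclaimed {provider} hostname"))
    return findings


if __name__ == "__main__":
    # Step 4 is manual: every finding below is a record to delete now.
    for f in audit(SAMPLE_ZONE, owned_suffixes=["example.com"]):
        print(f"[!] {f.name} -> {f.target}: {f.reason}")
```

Run it against a real export by replacing SAMPLE_ZONE with your provider's zone file; a target that resolves but whose provider is not in FINGERPRINTS is not flagged, so extend the table with the error text of every third-party service you use.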

Continuous Detection with MoniTao

MoniTao can identify takeover risks:

  • Monitors all your subdomains to detect suspicious error pages
  • Alerts when a CNAME target returns an unconfigured-service response
  • Keeps an automatic inventory of your DNS records

Takeover Prevention

  • Delete DNS BEFORE deleting the cloud service, not after
  • Maintain an up-to-date inventory of all subdomains and their usage
  • Regularly audit DNS to identify dangling records
  • Use tools like subjack or can-i-take-over-xyz to scan your domains

FAQ - Subdomain Takeover

What can an attacker do with a takeover?

Host phishing on your domain, steal cookies scoped to the parent domain (same-site), and display malicious content under your brand.

Are all CNAMEs vulnerable?

No, only those pointing to services where anyone can create an account with a custom name (GitHub Pages, Heroku, etc.).

How to know if I've been taken over?

Visit your subdomains. If you see content you didn't create, it's a takeover.

Is takeover illegal?

Yes, it's considered computer intrusion in most jurisdictions. Report it to authorities.

Ready to Sleep Soundly?

Start free, no credit card required.