Subdomain Takeover

Security Glossary - Web Security

Definition: Subdomain takeover occurs when a DNS record for a subdomain (most often a CNAME) still points at an external service endpoint that has been released or deprovisioned, leaving a "dangling" record. If the provider lets any account register that endpoint name, an attacker claims it and serves content of their choosing under the victim's subdomain. Because browsers and users treat that content as coming from the legitimate domain, the result is phishing, cookie theft, abuse of same-origin and allowlist trust, and reputation damage.

Why Subdomain Takeover Matters

Subdomain takeover is a common vulnerability in organizations that use many external services. A typical scenario: a marketing team creates blog.example.com pointing to a hosted blog platform. Later they stop using the platform but do not remove the DNS record. An attacker signs up for the same platform, claims the abandoned endpoint, and now serves their content at blog.example.com.

The impact is severe because the attacker's content is served from a hostname under your domain. A page on an attacker-controlled sub.example.com can set cookies with Domain=example.com that are sent to every host in the domain (useful for session fixation or for overwriting legitimate cookies), and it can read any cookie that was scoped to example.com rather than to a single host. It is also trusted by CORS and CSP allowlists written as *.example.com, makes phishing pages far more convincing, lets malware ride on your brand's reputation, and can get the whole domain flagged by reputation and anti-abuse systems.

Services commonly involved in subdomain takeover include AWS S3 buckets, Heroku apps, GitHub Pages, Azure services (App Service, Traffic Manager, classic cloud services), Shopify, and many other SaaS platforms that let customers attach custom hostnames. Whether a dangling record is actually exploitable depends on the provider: some let any account register the released name, while others now require proof of domain ownership (for example a TXT record) before a custom hostname is attached, so confirm the provider's current behaviour rather than assuming. The same risk applies to dangling A records that point at a cloud IP address you no longer hold, and to NS records that delegate a subdomain to a zone that no longer exists. Prevention requires maintaining an inventory of all subdomains and the external services they depend on, and removing DNS records at the moment a service is decommissioned, not afterwards.

Real-World Example

In 2020, security researchers reported more than 670 microsoft.com subdomains with dangling DNS records pointing at deprovisioned Azure resources that anyone with an Azure account could have claimed. Content hosted on those names would have run on a *.microsoft.com hostname and inherited the trust that cookie scoping, CORS and CSP allowlists extend to the parent domain; the scoping rules were not bypassed, the attacker's host simply fell inside them.

Checking Your Setup

A DNS health check enumerates your subdomains' CNAME records and flags those whose targets are external services. Review them regularly: confirm that each target still exists and is owned by an account you control. A CNAME whose target returns NXDOMAIN, or whose provider answers requests for your hostname with its "no such resource" page, is a takeover candidate; either remove the DNS record or reclaim the endpoint under your own account.


Frequently Asked Questions

How do I check for subdomain takeover risk?
List all your subdomains (from your DNS zones, certificate transparency logs and asset inventory) and resolve each one's full CNAME chain, since a CNAME can point at another CNAME. For every chain that ends outside your own zone, verify the target still exists and is under your control. Two signals indicate a dangling record: the target name no longer resolves (NXDOMAIN, typical of deleted cloud hostnames such as *.azurewebsites.net), or the target resolves but the provider returns its "unclaimed" page for your hostname (for example S3's NoSuchBucket error). Neither signal alone proves exploitability; whether the name can be re-registered depends on the provider, so treat findings as leads to confirm.
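The check described in "Checking Your Setup" and in the answer above, as an added example (not DomainOptic's scanner code): it walks each subdomain's CNAME chain and flags chains that end at a name that no longer resolves, or at a live provider endpoint that answers with its "nothing hosted here" page. DNS and HTTP are injected as callables so it runs offline against constructed sample data; the provider suffixes, fingerprint strings and the example.com zone are illustrative assumptions, and the fingerprints in particular should be checked against each provider's current error pages before use.

```python
"""Dangling-CNAME triage (added example; DNS/HTTP are injected so it runs offline)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

OUR_ZONE = "example.com"   # assumption: the zone being audited
MAX_HOPS = 8               # guard against CNAME loops and absurdly long chains

# Provider suffix -> text on that provider's "unclaimed resource" page.
# Illustrative assumptions: verify each against the provider before relying on it.
UNCLAIMED_FINGERPRINTS = {
    "s3.amazonaws.com": "NoSuchBucket",
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "myshopify.com": "Sorry, this shop is currently unavailable",
}
# Cloud suffixes where an NXDOMAIN target usually means the name was deprovisioned
# and may be re-registered by another account (assumption for the example).
REREGISTRABLE_SUFFIXES = ("azurewebsites.net", "cloudapp.azure.com",
                          "trafficmanager.net", "elasticbeanstalk.com")

# resolve(name) -> ("CNAME", target) | ("A", address) | ("NXDOMAIN", None)
# A real resolver would wrap dnspython's dns.resolver.resolve(name, "CNAME")
# and map dns.resolver.NXDOMAIN to ("NXDOMAIN", None).
Resolver = Callable[[str], Tuple[str, Optional[str]]]
Fetcher = Callable[[str], Optional[str]]   # fetch(hostname) -> body or None


@dataclass
class Finding:
    name: str
    chain: List[str]
    status: str   # ok-internal | ok-external | dangling-nxdomain | unclaimed-service | cname-loop | ...
    detail: str = ""


def provider_for(name: str, table) -> Optional[str]:
    """Return the provider suffix that `name` falls under, or None."""
    return next((s for s in table if name.endswith("." + s)), None)


def audit_one(name: str, resolve: Resolver, fetch: Fetcher, zone: str = OUR_ZONE) -> Finding:
    chain, current = [name], name
    for _ in range(MAX_HOPS):
        rtype, value = resolve(current)
        if rtype == "NXDOMAIN":
            if len(chain) == 1:
                return Finding(name, chain, "nxdomain", "the subdomain itself has no records")
            prov = provider_for(current, REREGISTRABLE_SUFFIXES)
            detail = (f"target is a deprovisioned {prov} name and may be re-registered" if prov
                      else "target no longer resolves; check whether the provider lets anyone claim it")
            return Finding(name, chain, "dangling-nxdomain", detail)
        if rtype != "CNAME":
            break                       # terminal name with address records
        if value in chain:
            return Finding(name, chain + [value], "cname-loop", "CNAME chain loops back on itself")
        chain.append(value)
        current = value
    else:
        return Finding(name, chain, "cname-too-long", f"more than {MAX_HOPS} hops")

    terminal = chain[-1]
    if terminal == zone or terminal.endswith("." + zone):
        return Finding(name, chain, "ok-internal")
    # Request the *subdomain*, not the target: the Host header selects the tenant.
    body = fetch(name) or ""
    prov = provider_for(terminal, UNCLAIMED_FINGERPRINTS)
    if prov and UNCLAIMED_FINGERPRINTS[prov] in body:
        return Finding(name, chain, "unclaimed-service", f"{prov} reports no resource for this hostname")
    note = "answered normally" if prov else "no fingerprint known for this provider, review manually"
    return Finding(name, chain, "ok-external", f"external target {terminal}: {note}")


# Constructed sample zone and HTTP responses (not real lookups).
SAMPLE_DNS = {
    "blog.example.com":   ("CNAME", "example-blog.herokuapp.com"),
    "assets.example.com": ("CNAME", "example-assets.s3.amazonaws.com"),
    "docs.example.com":   ("CNAME", "example-org.github.io"),
    "app.example.com":    ("CNAME", "example-app.azurewebsites.net"),  # target deleted -> NXDOMAIN
    "shop.example.com":   ("CNAME", "example-shop.myshopify.com"),
    "www.example.com":    ("CNAME", "lb.example.com"),
    "lb.example.com":     ("A", "203.0.113.10"),
    "example-blog.herokuapp.com":      ("A", "198.51.100.7"),
    "example-assets.s3.amazonaws.com": ("A", "198.51.100.8"),
    "example-org.github.io":           ("A", "198.51.100.9"),
    "example-shop.myshopify.com":      ("A", "198.51.100.10"),
}
SAMPLE_HTTP = {
    "blog.example.com":   "<h1>No such app</h1><p>There is no app configured at that hostname.</p>",
    "assets.example.com": "<Error><Code>NoSuchBucket</Code><BucketName>example-assets</BucketName></Error>",
    "docs.example.com":   "<html><title>Example Docs</title></html>",
    "shop.example.com":   "<html><title>Example Shop</title></html>",
}
SUBDOMAINS = ["blog", "assets", "docs", "app", "shop", "www"]


def audit(names, resolve=lambda n: SAMPLE_DNS.get(n, ("NXDOMAIN", None)),
          fetch=lambda h: SAMPLE_HTTP.get(h)):
    return {n: audit_one(n, resolve, fetch) for n in names}


if __name__ == "__main__":
    for f in audit(f"{s}.{OUR_ZONE}" for s in SUBDOMAINS).values():
        print(f"{f.status:18} {' -> '.join(f.chain)}  {f.detail}")
```

Against the constructed data this reports blog and assets as unclaimed services, app as a dangling Azure name, and docs, shop and www as healthy. Treat every hit as a lead: confirm with the provider's current rules whether the name can really be re-registered, and do not claim the resource yourself on a domain you are not authorized to test.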
How do I prevent subdomain takeover?
Maintain a registry of every subdomain, its purpose, the external service it points to and the team that owns it. Make DNS cleanup part of the decommissioning procedure: remove the record before the service is deleted, not after. Run automated monitoring that alerts on CNAME targets that stop resolving or start returning a provider's "unclaimed" page. Where a provider offers domain ownership verification for custom hostnames, enable it, since it prevents another account from attaching your hostname. Replacing CNAMEs with A records does not remove the risk: an A record pointing at a cloud IP address you have released can be hijacked by whoever is assigned that address next.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.