
What Is a Subdomain Takeover and How to Prevent It

A subdomain takeover is an attack where an external party gains control of one of your subdomains by exploiting a DNS record that points to a service you no longer use. The subdomain still resolves — it appears to be yours — but an attacker controls the content it serves.

It's distinct from domain hijacking, which involves seizing control of your domain registration. Subdomain takeovers don't require access to your registrar at all.


How Subdomain Takeovers Happen

The attack relies on what's called a dangling DNS record — a CNAME or A record that points to an external resource that no longer exists or is no longer claimed by you.

The typical sequence:

  1. Your team sets up api.yourcompany.com as a CNAME pointing to a Heroku app: your-app.herokuapp.com
  2. Later, the Heroku app is decommissioned and deleted from your Heroku account
  3. The DNS CNAME record is never cleaned up
  4. api.yourcompany.com still resolves — it points to your-app.herokuapp.com — but that Heroku app name is now unclaimed
  5. An attacker registers your-app.herokuapp.com on their own Heroku account
  6. They now control what api.yourcompany.com serves

From a DNS perspective, api.yourcompany.com appears to be your subdomain. From a browser perspective, it loads content from the attacker's server.


Why This Is Serious

An attacker who controls one of your subdomains can:

  • Serve phishing pages under your brand and domain
  • Steal session cookies if your cookies are scoped to the parent domain
  • Bypass Content Security Policy if your policy trusts the whole *.yourcompany.com namespace rather than specific hosts
  • Send email from your subdomain if SPF/DKIM aren't tightly scoped
  • Mount XSS attacks against users who trust your domain

Because the subdomain is genuinely under your DNS namespace, browser security signals (HTTPS, domain name) don't protect users. The subdomain looks legitimate.


Services Commonly Exploited

Any cloud service that provides a unique hostname you can CNAME to is a potential attack vector when that service is deprovisioned:

  • Heroku — app names on herokuapp.com
  • GitHub Pages — custom domain configurations
  • Netlify, Vercel — deployment subdomains
  • AWS S3 — bucket-based static hosting
  • Azure / AWS services — load balancer and CDN endpoints
  • Shopify, Zendesk, HubSpot — customer subdomain configurations

Detection: DNS Monitoring as Your Early Warning

The key to catching subdomain takeover risk is monitoring your DNS records for changes and auditing for dangling CNAMEs.

What to watch for:

  • CNAME records that resolve to NXDOMAIN (the target doesn't exist)
  • CNAME records pointing to services you've recently decommissioned
  • New subdomains you don't recognise appearing in your DNS

DNS record change monitoring alerts you when any DNS record in your zone changes — including if someone takes over a target and the IP behind a CNAME shifts. See DNS security monitoring for how to interpret DNS change alerts in a security context.


Prevention

1. Audit your DNS records regularly

Review all CNAME records. For each one, verify the target still exists and is still claimed by you. See how to audit your DNS records for security issues.

2. Remove records when you decommission services

When you delete a Heroku app, Netlify site, or AWS resource, remove the corresponding DNS record immediately. Treat DNS cleanup as part of your offboarding checklist for any cloud service.

3. Use DNSSEC where possible

DNSSEC doesn't prevent subdomain takeover directly, but it prevents DNS response spoofing and adds a layer of integrity verification.

4. Monitor for NXDOMAIN CNAMEs

Automated scanning tools can flag CNAMEs that point to non-existent targets. Combine automated scanning with monitoring that alerts on any unexpected DNS changes.
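The two checks described in the Detection section and in step 4 (CNAMEs whose target returns NXDOMAIN, and unexpected changes to the zone) can be scripted in a few dozen lines. The following is an added example written for this article, not a tool from the original post or from any vendor; it uses only the Python standard library. The record shape, the list of takeover-prone provider suffixes, the sample zone export and the offline stub resolver are all constructed for the example: the suffix list is seeded from the providers the article names and should be tuned to the services you actually use, and the live check relies on socket.getaddrinfo, so CNAME targets must come from your own zone export rather than from a DNS query.

```python
"""Dangling-CNAME audit and zone-change diff for subdomain-takeover monitoring.

Added example, not from the original article or any vendor tool. Standard
library only: live resolution uses socket.getaddrinfo, and CNAME targets are
read from the zone export you pass in (the stdlib cannot query CNAME records).
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable

# Hosting suffixes where an unclaimed name can be re-registered by anyone.
# Constructed for this example from providers named in the article; tune it
# to the services your organisation actually uses.
TAKEOVER_PRONE_SUFFIXES = (
    ".herokuapp.com",
    ".github.io",
    ".netlify.app",
    ".vercel.app",
    ".s3.amazonaws.com",
    ".azurewebsites.net",
    ".cloudfront.net",
)


@dataclass(frozen=True)
class Record:
    name: str   # owner name, e.g. "api.yourcompany.com"
    rtype: str  # "CNAME", "A", ...
    value: str  # CNAME target hostname or A-record address


def target_exists(hostname: str) -> bool:
    """Live check: does the CNAME target still resolve to any address?"""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False  # NXDOMAIN or no address records


def find_dangling_cnames(
    records: Iterable[Record],
    exists: Callable[[str], bool] = target_exists,
) -> list[dict]:
    """Flag CNAMEs whose target no longer resolves (high), and CNAMEs that
    still resolve but point at a takeover-prone provider (info, for review)."""
    findings = []
    for rec in records:
        if rec.rtype.upper() != "CNAME":
            continue
        target = rec.value.rstrip(".").lower()  # strip trailing dot from zone files
        if not exists(target):
            findings.append({"name": rec.name, "target": target,
                             "severity": "high", "reason": "target NXDOMAIN"})
        elif target.endswith(TAKEOVER_PRONE_SUFFIXES):
            findings.append({"name": rec.name, "target": target,
                             "severity": "info", "reason": "takeover-prone provider"})
    return findings


def diff_zone(previous: Iterable[Record], current: Iterable[Record]) -> dict:
    """Compare two zone snapshots; every added or removed record is an alert
    candidate (a new unrecognised subdomain, or a target swapped underneath you)."""
    before, after = set(previous), set(current)
    order = lambda r: (r.name, r.rtype, r.value)
    return {
        "added": sorted(after - before, key=order),
        "removed": sorted(before - after, key=order),
    }


# Constructed sample zone export; the api CNAME is the article's dangling record.
SAMPLE_ZONE = [
    Record("www.yourcompany.com", "A", "203.0.113.10"),
    Record("api.yourcompany.com", "CNAME", "your-app.herokuapp.com."),
    Record("docs.yourcompany.com", "CNAME", "yourcompany.github.io."),
    Record("mail.yourcompany.com", "CNAME", "mail.example.net."),
]


def fake_exists(hostname: str) -> bool:
    """Constructed stub resolver for offline runs: only the deleted Heroku app fails."""
    return hostname != "your-app.herokuapp.com"


if __name__ == "__main__":
    # Swap exists=target_exists to run the audit against live DNS.
    for f in find_dangling_cnames(SAMPLE_ZONE, exists=fake_exists):
        print(f"[{f['severity']}] {f['name']} -> {f['target']}: {f['reason']}")
```

Run the audit on a schedule against a fresh export of each zone, store the export, and feed the previous and current exports to diff_zone so that any record added or removed between runs raises an alert alongside the NXDOMAIN findings.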

