Question 1

What is a subdomain takeover?

Accepted Answer

A subdomain takeover occurs when a DNS record (typically a CNAME) points to an external service — like GitHub Pages, Heroku, or AWS S3 — that has been deprovisioned. An attacker can register the same resource name on the cloud platform, causing the victim's subdomain to serve attacker-controlled content. This enables cookie theft, phishing on a trusted domain, and bypassing CORS policies.

Question 2

How do I detect dangling DNS records?

Accepted Answer

Use DNS enumeration tools like subfinder or amass to list all subdomains, then resolve each CNAME and check for error responses such as 'No such app' (Heroku), 'There isn't a GitHub Pages site here', or NXDOMAIN. Automated tools like subjack and nuclei have templates specifically for detecting takeover-vulnerable subdomains. Run these checks on a schedule — ideally every few hours.

Question 3

What cloud services are vulnerable to subdomain takeover?

Accepted Answer

Many cloud platforms are potentially vulnerable, including GitHub Pages, Heroku, AWS S3 static websites, AWS Elastic Beanstalk, Azure, Shopify, Fastly, Ghost, Tumblr, and others. The risk depends on whether the platform allows re-registration of previously used resource names. Some platforms have added protections, but the safest approach is always to remove DNS records before deleting cloud resources.

Question 4

How do I prevent subdomain takeover?

Accepted Answer

Follow three practices: (1) Always delete DNS records before decommissioning cloud resources — never the other way around. (2) Audit your DNS zone regularly and remove any CNAMEs pointing to resources you no longer own. (3) Automate monitoring with tools like subjack or nuclei in your CI/CD pipeline to catch dangling records before attackers do. Treat DNS records as infrastructure-as-code and review changes in pull requests.

Subdomain	Type	Target	Status
www.megacorp.com	CNAME	megacorp.github.io	Active
api.megacorp.com	A	203.0.113.50	Active
staging.megacorp.com	CNAME	old-app.herokuapp.com	Dangling
docs.megacorp.com	CNAME	megacorp-docs.s3-website-us-east-1.amazonaws.com	Active
blog.megacorp.com	CNAME	megacorp.ghost.io	Active

Subdomain Takeover

Challenges

Frequently Asked Questions