Subdomain Takeover
What is Subdomain Takeover?
Subdomain Takeover
An attack in which a dangling DNS record (often a CNAME) points to an unclaimed cloud or SaaS resource, letting an attacker register that resource and impersonate the subdomain.
Subdomain takeover happens when a DNS record in a victim's zone still points to an external resource that no longer exists. The canonical case is a CNAME such as assets.example.com -> example-bucket.s3.amazonaws.com after the bucket has been deleted; GitHub Pages sites, Heroku apps, and Azure resources (Traffic Manager profiles, Cloud Services, App Service instances) fail the same way. If the provider lets anyone create a resource under that external name, an attacker who re-creates it now serves whatever content they like under the victim's subdomain, and inherits the trust the subdomain carries: cookies scoped to the parent domain, OAuth redirect URIs and CORS allow-lists that include the subdomain, and the brand itself. Detection relies on continuously inventorying DNS records, fingerprinting known takeover-prone providers (NXDOMAIN on the target, or a provider "no such resource" page), and reconciling targets against the organisation's own cloud and SaaS inventories. Mitigation is to remove or repoint dangling CNAMEs, to delete the DNS record before the resource it points to during decommissioning, and to use provider domain-ownership verification or tokens where they are offered.
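The detection loop described above, as an added example that is not code from the original page: it walks a DNS inventory of CNAME records, reconciles each target against a set of resources the organisation still owns, and otherwise classifies the target by provider fingerprint. The DNS records, probe results, and owned-resource set are constructed for the example; the provider fingerprint table (S3 "NoSuchBucket", GitHub Pages "There isn't a GitHub Pages site here", Heroku "No such app", Azure names that return NXDOMAIN once deleted) is illustrative and should be verified against each provider before being relied on.

```python
"""Dangling-CNAME audit over a constructed DNS inventory.

Added example, not code from the original page. The provider fingerprints
below are illustrative; verify them against the provider before relying
on them.
"""
from dataclasses import dataclass

# Provider fingerprints keyed by CNAME-target suffix.
#   nxdomain_is_claimable: the target name stops resolving when the resource
#     is deleted and anyone can re-create it (Azure-style namespaces).
#   body_marker: text the provider serves for an unclaimed name where the
#     endpoint keeps resolving (S3-style namespaces).
PROVIDERS = {
    "s3.amazonaws.com":   ("AWS S3",                False, "NoSuchBucket"),
    "github.io":          ("GitHub Pages",          False, "There isn't a GitHub Pages site here"),
    "herokuapp.com":      ("Heroku",                False, "No such app"),
    "trafficmanager.net": ("Azure Traffic Manager", True,  None),
    "cloudapp.azure.com": ("Azure Cloud Services",  True,  None),
}


@dataclass
class Observation:
    """What a resolver and an HTTP probe saw for one CNAME target."""
    resolves: bool      # False means NXDOMAIN for the target name
    body: str = ""      # HTTP response body, if the probe got one


def match_provider(target):
    """Return the fingerprint tuple for a target, or None if unrecognised."""
    for suffix, meta in PROVIDERS.items():
        if target == suffix or target.endswith("." + suffix):
            return meta
    return None


def classify(target, obs, owned):
    """Classify one CNAME target as ok / dangling / takeover-candidate.

    owned: external resource names the organisation currently controls,
    taken from cloud or SaaS inventory. A target in that set is not
    dangling regardless of what the probe returned.
    """
    if target in owned:
        return "ok", "target present in cloud inventory"
    meta = match_provider(target)
    if meta is None:
        if not obs.resolves:
            return "dangling", "unknown provider, NXDOMAIN; check whether the name is registrable"
        return "ok", "unknown provider, target resolves"
    provider, nxdomain_is_claimable, marker = meta
    if not obs.resolves:
        if nxdomain_is_claimable:
            return "takeover-candidate", f"{provider}: NXDOMAIN and the name can be re-created"
        return "dangling", f"{provider}: NXDOMAIN is unusual for this provider; investigate"
    if marker and marker in obs.body:
        return "takeover-candidate", f"{provider}: unclaimed-resource page ({marker!r})"
    return "ok", f"{provider}: resource appears claimed"


def audit(records, observations, owned):
    """records: {subdomain: cname_target}; observations: {target: Observation}."""
    findings = []
    for name, target in sorted(records.items()):
        obs = observations.get(target, Observation(resolves=False))
        verdict, reason = classify(target, obs, owned)
        findings.append((name, target, verdict, reason))
    return findings


# Constructed sample data: not real zones, probe results, or inventory.
RECORDS = {
    "assets.example.com": "example-bucket.s3.amazonaws.com",
    "docs.example.com":   "example.github.io",
    "www.example.com":    "example-prod.herokuapp.com",
    "cdn.example.com":    "example-cdn.trafficmanager.net",
    "legacy.example.com": "old-vendor.example.net",
}
OBSERVATIONS = {
    "example-bucket.s3.amazonaws.com": Observation(True, "<Error><Code>NoSuchBucket</Code></Error>"),
    "example.github.io":               Observation(True, "<p>There isn't a GitHub Pages site here.</p>"),
    "example-prod.herokuapp.com":      Observation(True, "<html>Welcome to the shop</html>"),
    "example-cdn.trafficmanager.net":  Observation(False),
    "old-vendor.example.net":          Observation(False),
}
OWNED = {"example-prod.herokuapp.com"}

if __name__ == "__main__":
    for name, target, verdict, reason in audit(RECORDS, OBSERVATIONS, OWNED):
        print(f"{verdict:18} {name} -> {target}  ({reason})")
```

In production the `Observation` values come from a real resolver and an HTTP probe over the live zone export, and `owned` from the cloud accounts' resource listings; the reconciliation step matters because a provider error page alone can be a false positive (a bucket mid-migration, a Pages site with a custom domain not yet attached), while NXDOMAIN on an unrecognised target still deserves a look, since an expired vendor domain can be registered outright.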
● Examples
- 01
docs.example.com still has a CNAME to a GitHub Pages site (for example example.github.io) that has since been deleted; an attacker publishes their own Pages site at that name, adds docs.example.com as its custom domain, and serves their content under the victim's subdomain.
- 02
A deleted Azure Traffic Manager profile (for example example-cdn.trafficmanager.net) is still the target of a CNAME on the victim's zone; an attacker creates a new profile with the same name and serves phishing pages from the victim's subdomain.
● Frequently asked questions
What is Subdomain Takeover?
An attack in which a dangling DNS record (often a CNAME) points to an unclaimed cloud or SaaS resource, letting an attacker register that resource and impersonate the subdomain. It belongs to the Network Security category of cybersecurity.
How does Subdomain Takeover work?
A DNS record in the victim's zone (usually a CNAME) keeps pointing at an external resource after that resource is deleted, such as assets.example.com -> example-bucket.s3.amazonaws.com once the bucket is gone. Because the provider lets anyone create a resource under that name, the attacker re-creates it and now controls what is served for the subdomain, including the cookies, OAuth redirect URIs, and CORS allow-lists that trust it. It is found by inventorying DNS records, fingerprinting the targets (NXDOMAIN or a provider "no such resource" page), and reconciling them against cloud and SaaS inventories.
How do you defend against Subdomain Takeover?
Remove or repoint any CNAME whose target no longer exists, and make decommissioning delete the DNS record before the cloud or SaaS resource it points to, never the other way round. Scan zone exports on a schedule for targets that return NXDOMAIN or a provider's unclaimed-resource page, and reconcile every external target against the organisation's cloud inventory so that stale records surface as soon as a resource is removed. Where the provider offers domain ownership verification (GitHub Pages verified domains, for example), enable it so that a deleted resource's name cannot simply be re-attached to your subdomain by someone else.
What are other names for Subdomain Takeover?
Common alternative names include: Dangling CNAME takeover, Dangling DNS takeover.
● Related terms
- attacks № 338
DNS Hijacking
An attack that redirects DNS resolution to attacker-controlled answers by modifying client settings, router configurations, resolver responses, or authoritative DNS records.
- attacks № 343
DNS Spoofing
An attack that injects falsified DNS responses to redirect victims from a legitimate domain to an attacker-controlled IP address.
- attacks № 349
Domain Hijacking
The unauthorized takeover of control over a registered domain name at the registrar or registry level, allowing an attacker to redirect traffic, email, and trust to malicious infrastructure.
- network-security № 1159
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- network-security № 092
BGP Hijacking
An attack in which an autonomous system announces IP prefixes it does not legitimately own, attracting and potentially intercepting global Internet traffic.
- attacks № 337
DNS Cache Poisoning
An attack that inserts forged records into a DNS resolver's cache so subsequent queries return attacker-chosen addresses until the TTL expires.
● See also
- № 344 DNS Tunneling
- № 342 DNS Rebinding