DNS Security

How to fix subdomain takeover risk

Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.

What it is

A subdomain takeover happens when a DNS record (often a CNAME) still points at a third-party service that no longer owns the resource. An attacker can register the abandoned name on that service and start serving content on your subdomain.

Why it matters

A working subdomain under your brand can host phishing pages, set cookies scoped to your parent domain, or bypass CORS and SSO trust boundaries that treat your subdomains as trusted. The fix is cheap, but the reputational and security damage from a successful takeover is not.

How it is exploited

An attacker scans your DNS for CNAME or NS records that still point at S3 buckets, Heroku apps, GitHub Pages, or SaaS hostnames you no longer own. They re-register the target name on that provider and immediately serve their own content under your subdomain. From there they run phishing pages on a trusted hostname, set or read same-site cookies that your auth flows trust, and trade on your brand to harvest credentials.

How to fix it

  1. Inventory dangling CNAMEs. Pull every CNAME and ALIAS record across your DNS zones and resolve them. Flag any that point at S3 buckets, Azure resources, Heroku apps, GitHub Pages, or SaaS hostnames that no longer respond or return a clear unclaimed banner.
  2. Remove the dangling records. Delete DNS entries that point at services you no longer use. Removing the record is the safest action because it immediately closes the takeover window.
  3. Reclaim upstream services you still need. If the subdomain is still in use, recreate or rename the resource at the upstream provider before re-pointing DNS. Verify the new resource answers on the expected hostname before flipping production traffic.
  4. Monitor continuously. Schedule recurring scans for new dangling records so future cleanups do not reintroduce risk. Wire the alerts into the same channel your platform team already watches for DNS changes.

Frequently asked questions

What is a subdomain takeover?
A subdomain takeover happens when a DNS record (often a CNAME) still points at a third-party service whose resource has been deleted or released. An attacker registers the abandoned name on that service and starts serving content under your subdomain.
Which providers are most often abused?
Anywhere you can claim a hostname without proving ownership of the parent domain. Historic offenders include S3 buckets, Azure resources, Heroku apps, GitHub Pages, and SaaS hostnames where the customer-facing name is the only identifier.
How do I detect dangling records at scale?
Export every CNAME and ALIAS across your DNS zones, resolve each one, and flag any that return an unclaimed banner or NXDOMAIN at the upstream provider. Schedule that check to run continuously so future cleanups do not reintroduce risk.
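The inventory step above (pull every CNAME and ALIAS, resolve each target, flag NXDOMAIN or an unclaimed banner) and this FAQ answer describe the same check. The following is an added example of that detection logic, not Barrion's own scanner. DNS resolution and HTTP fetching are injected as callables so it runs offline against constructed records; the provider fingerprint table is an assumption to be maintained as providers change their error pages, and all sample hostnames and responses are constructed.

```python
"""Flag dangling CNAME records that could allow a subdomain takeover.

Added example (not Barrion's code). `resolve` and `fetch` are injected so the
check runs offline; in production swap in a real resolver and HTTP client.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed table of providers whose error page signals an unclaimed resource.
# Maintain this: providers change their banners over time.
UNCLAIMED_FINGERPRINTS = {
    "s3.amazonaws.com": "NoSuchBucket",
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
}

ResolveFn = Callable[[str], Optional[List[str]]]   # None means NXDOMAIN
FetchFn = Callable[[str], Optional[str]]           # HTTP body for a hostname


@dataclass
class Finding:
    name: str
    target: str
    status: str   # "dangling-nxdomain" | "dangling-unclaimed" | "ok"
    detail: str


def normalize(host: str) -> str:
    """Strip the trailing dot and lower-case so suffix matching is reliable."""
    return host.rstrip(".").lower()


def provider_of(target: str) -> Optional[str]:
    """Return the fingerprint key whose suffix matches the CNAME target, if any."""
    host = normalize(target)
    for suffix in UNCLAIMED_FINGERPRINTS:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def classify(name: str, target: str, resolve: ResolveFn, fetch: FetchFn) -> Finding:
    """Classify one CNAME record as dangling or healthy."""
    if resolve(target) is None:
        # Target name does not resolve at all: the upstream resource is gone.
        return Finding(name, target, "dangling-nxdomain", f"{target} returned NXDOMAIN")
    provider = provider_of(target)
    if provider is None:
        return Finding(name, target, "ok", "target resolves; not a tracked claimable provider")
    body = fetch(name) or ""
    marker = UNCLAIMED_FINGERPRINTS[provider]
    if marker in body:
        # Provider answers, but tells us nobody owns the resource behind this hostname.
        return Finding(name, target, "dangling-unclaimed", f"{provider} returned '{marker}'")
    return Finding(name, target, "ok", f"{provider} resource answers for {name}")


def scan(records: List[Tuple[str, str]], resolve: ResolveFn, fetch: FetchFn) -> List[Finding]:
    return [classify(name, target, resolve, fetch) for name, target in records]


def dangling(findings: List[Finding]) -> List[Finding]:
    """Only the records that need action (steps 2 and 3 of the fix)."""
    return [f for f in findings if f.status != "ok"]


# Constructed sample zone export and constructed upstream behaviour.
SAMPLE_RECORDS = [
    ("assets.example.com", "old-bucket.s3.amazonaws.com."),   # bucket deleted
    ("docs.example.com", "example-org.github.io."),           # still claimed
    ("app.example.com", "legacy-app.herokuapp.com."),         # app gone, NXDOMAIN
    ("www.example.com", "cdn.example-cdn.invalid."),          # untracked, healthy
]
SAMPLE_DNS = {
    "old-bucket.s3.amazonaws.com": ["192.0.2.10"],
    "example-org.github.io": ["192.0.2.20"],
    "cdn.example-cdn.invalid": ["192.0.2.40"],
}
SAMPLE_HTTP = {
    "assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs.example.com": "<html>Project documentation</html>",
    "www.example.com": "<html>Welcome</html>",
}


def sample_resolve(target: str) -> Optional[List[str]]:
    return SAMPLE_DNS.get(normalize(target))


def sample_fetch(name: str) -> Optional[str]:
    return SAMPLE_HTTP.get(normalize(name))


if __name__ == "__main__":
    for f in dangling(scan(SAMPLE_RECORDS, sample_resolve, sample_fetch)):
        print(f"{f.status:18} {f.name} -> {f.target}  ({f.detail})")
```

Wire `scan` to your zone export and run it on a schedule; anything `dangling` lands straight in the platform team's DNS-change alert channel, and the two statuses map onto the fix steps (delete the record, or reclaim the upstream resource before re-pointing).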

Check your site for this finding.

Run Barrion's free DNS security check to see if this applies to your app, with a full report and remediation steps.