Subdomain takeover: how it happens and how to prevent it
A subdomain takeover happens when a DNS record (usually a CNAME) still points to a third-party service you no longer use. An attacker re-registers that resource and starts serving their content on your subdomain.
What it is
You point blog.yourdomain.com at a hosting service via CNAME, then delete the hosting resource but forget the DNS record. The record now 'dangles' — it points at an unclaimed slot anyone can claim.
Common targets are GitHub Pages, S3 buckets, Heroku apps, Azure sites, Shopify, and similar platforms that let new users claim a previously-used hostname.
Why it matters
Whoever claims the resource controls a page on your real domain. That's perfect for phishing, stealing cookies scoped to your domain, and bypassing protections that trust your origin.
Because the content is on your legitimate subdomain, users and even some security tools trust it implicitly.
How to fix it
Audit your DNS for CNAME/ALIAS records pointing at external services. If the target resource no longer exists, delete the record.
When you retire a hosted resource, remove the DNS record first (or at the same time), not after. The window between deleting the resource and deleting the record is the vulnerable period.
If you still want the subdomain, re-provision the resource on the service so the hostname resolves to something you control.
FAQ
How do I know if I'm vulnerable?
Look for subdomains whose CNAME points to a service that returns an 'unclaimed' or 'no such app' page. AppSafe fingerprints these automatically.
Is an A record vulnerable too?
Usually less so, because IPs aren't re-assignable on demand the way named service slots are — but cloud IPs can be reused, so retired records should still be removed.
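As an added example (not AppSafe's own code or scanner), the audit from "How to fix it" and the fingerprint check from the FAQ above, written as a small Python script over a constructed zone export: the example.com records, the list of claimable platform suffixes and the "unclaimed" page strings are assumptions to verify against your own zone and the platforms' current responses.

```python
import socket
from typing import Callable, Dict, Optional

# Constructed sample zone export for a hypothetical example.com; not real records.
ZONE_CNAMES: Dict[str, str] = {
    "blog.example.com": "retired-user.github.io",
    "app.example.com": "old-app.herokuapp.com",
    "store.example.com": "shops.myshopify.com",
    "www.example.com": "example.com",  # first-party target, out of scope
}

# Platforms that let a new tenant claim a previously used hostname, mapped to the
# text their "unclaimed" page is assumed to contain (verify before relying on it).
CLAIMABLE: Dict[str, str] = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "myshopify.com": "Sorry, this shop is currently unavailable",
}

def platform_for(target: str) -> Optional[str]:
    """Return the claimable platform suffix a CNAME target belongs to, if any."""
    for suffix in CLAIMABLE:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None

def default_resolve(host: str) -> bool:
    # True if the system resolver finds an address for host, False on NXDOMAIN.
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit(records: Dict[str, str], resolve: Callable[[str], bool] = default_resolve,
          fetch: Optional[Callable[[str], Optional[str]]] = None) -> Dict[str, str]:
    """Classify each record as 'first-party', 'ok', 'nxdomain' (target gone: delete the
    record) or 'unclaimed' (target answers but serves the platform's unclaimed page)."""
    result: Dict[str, str] = {}
    for name, target in records.items():
        platform = platform_for(target)
        if platform is None:
            result[name] = "first-party"
        elif not resolve(target):
            result[name] = "nxdomain"
        else:
            body = fetch(name) if fetch else None  # fetch: HTTP body served on the subdomain
            unclaimed = body is not None and CLAIMABLE[platform] in body
            result[name] = "unclaimed" if unclaimed else "ok"
    return result
```

For a real zone, load the records from your DNS provider's export and pass a fetch callback that performs an HTTP GET on each subdomain; without it only the NXDOMAIN signal is reported, which misses platforms that keep answering with an unclaimed page.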
Is your app affected?
AppSafe checks for this and dozens of other issues in one free scan.