What is Subdomain Takeover?

A subdomain takeover happens when a subdomain points (usually via a CNAME) to a third-party service that is no longer claimed — so an attacker registers that service and serves their own content from your subdomain. Because the subdomain genuinely belongs to your domain, the hijacked page inherits your brand's trust, cookies, and sometimes more.

What is a subdomain takeover?

A subdomain takeover occurs when a subdomain — say blog.example.com — points to an external service that is no longer in use, and an attacker claims that service for themselves. The DNS record is still valid and still belongs to you, so visitors and browsers treat the attacker's content as legitimately yours.

How it happens: dangling DNS records

The root cause is a dangling DNS record — a record that points somewhere that no longer answers for you. The classic sequence is:

  1. You create a CNAME from a subdomain to a hosted service — a static site host, cloud storage bucket, support tool, or PaaS app.
  2. Later, the service is cancelled or the app is deleted — but the DNS record is forgotten and left in place.
  3. An attacker finds the dangling record, re-registers the same resource name on that platform, and now controls whatever your subdomain serves.

Platforms historically associated with this pattern include static-site and PaaS hosts, object storage, and SaaS tools that let anyone claim a custom hostname without verifying domain ownership.

Why it is dangerous

  • Convincing phishing — attackers host credential-harvesting pages on a real subdomain of your brand.
  • Cookie and session theft — cookies scoped to the parent domain may be readable from the hijacked subdomain.
  • Reputation and SEO abuse — your domain can be used to serve spam or malware.

How to find vulnerable records

Inventory every subdomain and check where it points. Any CNAME that resolves to a third-party platform should map to a resource you still own and that still responds. Records that return a platform's "no such app" or "bucket not found" page are dangling and need immediate attention. Doing this once is not enough — services are decommissioned continuously, so dangling records appear over time.
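The audit described above, sketched as an added example (not ZoneWatcher's code). The zone, the platform suffixes and the probe results are constructed placeholders, and the fingerprint strings are the two phrases quoted in the paragraph rather than any real platform's error text.

```python
from collections import namedtuple

# Constructed sample zone: every hostname and platform suffix is a placeholder.
ZONE_ORIGIN = "example.com."
ZONE_TEXT = """\
blog    300 IN CNAME myblog.apps.paas.example.
assets  300 IN CNAME acme-assets.storage.cloud.example.
docs    300 IN CNAME acme-docs.apps.paas.example.
help    300 IN CNAME acme.desk.saas.example.
www     300 IN CNAME web.example.com.
shop    300 IN A     192.0.2.10
"""
# Hypothetical platform suffix -> text its "unclaimed resource" page shows.
FINGERPRINTS = {
    "apps.paas.example.": "no such app",
    "storage.cloud.example.": "bucket not found",
}
# resolves: did the CNAME target resolve; body: HTTP body served for it.
Probe = namedtuple("Probe", "resolves body", defaults=[""])
# Constructed results standing in for live DNS and HTTP lookups.
SAMPLE_PROBES = {
    "myblog.apps.paas.example.": Probe(True, "<h1>No such app</h1>"),
    "acme-assets.storage.cloud.example.": Probe(False),
    "acme-docs.apps.paas.example.": Probe(True, "<title>Acme Docs</title>"),
    "acme.desk.saas.example.": Probe(True, "<title>Help Center</title>"),
}

def parse_cnames(zone_text, origin):
    """Yield (fqdn, target) for each CNAME line of a simple BIND-style zone."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, tokenize
        if len(fields) == 5 and fields[3].upper() == "CNAME":
            yield f"{fields[0]}.{origin}".lower(), fields[4].lower()

def classify(target, result):
    """Decide whether a third-party CNAME target is still claimed."""
    if not result.resolves:
        return "dangling: target does not resolve"
    marker = next((m for s, m in FINGERPRINTS.items() if target.endswith("." + s)), None)
    if marker is None:
        return "review: platform not in fingerprint list"
    return "dangling: platform reports unclaimed" if marker in result.body.lower() else "ok"

def audit(zone_text, origin, probe):
    """Return {fqdn: (status, target)} for every CNAME that leaves the zone."""
    findings = {}
    for fqdn, target in parse_cnames(zone_text, origin):
        if not target.endswith("." + origin):  # aliases inside the zone are skipped
            findings[fqdn] = (classify(target, probe(target)), target)
    return findings
```

Calling `audit(ZONE_TEXT, ZONE_ORIGIN, SAMPLE_PROBES.__getitem__)` flags `blog` and `assets` as dangling, passes `docs`, and marks `help` for manual review. For a real zone, pass a `probe` function that performs the DNS and HTTP lookups and run the audit on a schedule.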

How to prevent subdomain takeovers

  • Delete the DNS record first — when retiring a service, remove its DNS record before you tear down the resource it points to.
  • Audit regularly — review your zones for records pointing at external services, and confirm each target is still claimed.
  • Monitor continuously — ZoneWatcher tracks every record in your zones and alerts you when records are added, changed, or left pointing somewhere they should not, so dangling CNAMEs do not sit unnoticed.

Subdomain takeover sits alongside DNS hijacking in the broader picture of DNS security best practices.
