0x55aa

Subdomain Takeover: The Vulnerability Hiding in Your DNS 🎯

Ever delete a Heroku app but forget to remove the DNS record? Congratulations, you might have just handed hackers a free subdomain on your domain! 🎁

Let me tell you about one of the sneakiest vulnerabilities that barely gets talked about, but shows up in bug bounty reports ALL THE TIME.

What is Subdomain Takeover? 🤔

The simple version: You have a subdomain (like blog.yoursite.com) pointing to a service you don't control anymore. A hacker claims that service and boom - they control your subdomain!

Real scenario I saw in a security community:

A company had careers.company.com pointing to a GitHub Pages site. They deleted the GitHub repo but forgot to remove the DNS record. Someone registered that GitHub username and put up a phishing page. On the company's own subdomain! 😱

How Does This Even Happen? 🧐

It's actually embarrassingly common. Here's the typical flow:

  1. You set up blog.yoursite.com → points to yourproject.herokuapp.com
  2. You delete your Heroku app (the project is done!)
  3. DNS record still exists pointing to yourproject.herokuapp.com
  4. Hacker creates a NEW Heroku app with the same name
  5. Your subdomain now shows THEIR content

Think of it like keeping your mailbox labeled "Smith Family" after you moved out. New residents? They're getting your mail! 📬

Services Most Vulnerable 🎭

In my experience hunting bugs, these services are takeover goldmines:

The usual suspects:

  • GitHub Pages (the classic!)
  • Heroku
  • AWS S3 buckets (website hosting)
  • Netlify
  • Vercel
  • Azure websites
  • Zendesk
  • Shopify stores
  • Tumblr blogs

Why these? They let you claim custom domains, and when you abandon them, someone else can swoop in!

Real Talk: The Danger Level 💀

"It's just a subdomain, who cares?"

Hold up! Here's why this is BAD:

  1. Phishing on YOUR domain - Emails from support.yourcompany.com look legit
  2. Cookie stealing - Cookies for *.yourcompany.com might be accessible
  3. Reputation damage - Malicious content on your domain = your problem
  4. SEO hijacking - They can manipulate search results for your domain
  5. OAuth attacks - Some apps trust subdomains for redirects

I saw a case where hackers used a taken-over subdomain to bypass email filters because the domain was whitelisted. Ouch! 🤦‍♂️

How to Find Your Vulnerable Subdomains 🔍

The manual way (painful):

# Check if a subdomain has a dangling CNAME
dig blog.yoursite.com CNAME

# A CNAME query succeeds even when the target is gone, so query the target it returned next (dig <target> A)
# Look for "status: NXDOMAIN" on the target, or a "no such app/site" page from the service
# If you see that but your CNAME record still exists... BINGO!
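The same check as code, added here as an example that is not part of the original post: it asks for the subdomain's CNAME, then resolves the target and separates "no CNAME" from "name gone" from "target gone", and flags targets on the self-service platforms listed above. The resolver is a constructed in-memory stand-in for Node's dns module (zone contents, hostnames and addresses are made up); for live checks, swap in dns.promises.resolveCname / resolve4 and make classify async.

```javascript
// Added example (not the post's code): classify CNAME records as healthy,
// dangling, or dangling on a service where anyone can claim the target name.

// Hostname suffixes of services from the post's list where a released name can be re-claimed.
const CLAIMABLE_SUFFIXES = ['.github.io', '.herokuapp.com', '.netlify.app'];

// Constructed zone data (not real hosts): name -> {cname} | {a} | null (name does not exist)
const FAKE_ZONE = {
  'blog.yoursite.com':         { cname: 'old-project.github.io' },     // repo/account deleted
  'old-project.github.io':     null,                                    // -> NXDOMAIN
  'api.yoursite.com':          { cname: 'live-app.herokuapp.com' },
  'live-app.herokuapp.com':    { a: '203.0.113.10' },
  'www.yoursite.com':          { a: '203.0.113.5' },                    // plain A record, no CNAME
  'shop.yoursite.com':         { cname: 'store.example-partner.net' },
  'store.example-partner.net': null,                                    // gone, but not a self-service host
};

function dnsError(code, name) {
  return Object.assign(new Error(`${code} ${name}`), { code });
}

// Mimics dns.promises.resolveCname / resolve4 semantics, synchronously, over FAKE_ZONE.
// ENOTFOUND = NXDOMAIN, ENODATA = name exists but has no record of that type.
const FAKE_RESOLVER = {
  resolveCname(name) {
    const rr = FAKE_ZONE[name];
    if (!rr) throw dnsError('ENOTFOUND', name);
    if (!rr.cname) throw dnsError('ENODATA', name);
    return [rr.cname];
  },
  resolve4(name, depth = 0) {
    const rr = FAKE_ZONE[name];
    if (!rr) throw dnsError('ENOTFOUND', name);
    if (rr.cname) {
      if (depth > 8) throw dnsError('ESERVFAIL', name);  // CNAME loop guard
      return this.resolve4(rr.cname, depth + 1);          // resolvers chase CNAMEs for A queries
    }
    if (!rr.a) throw dnsError('ENODATA', name);
    return [rr.a];
  },
};

// Returns { name, status, target? } with status one of:
//   'no-cname'           - nothing to check (A/AAAA record)
//   'nxdomain'           - the subdomain itself does not exist
//   'ok'                 - CNAME target resolves (still confirm you own it!)
//   'dangling'           - target is NXDOMAIN on a host you can't obviously re-claim
//   'dangling-claimable' - target is NXDOMAIN on a self-service platform: fix this first
function classify(name, resolver) {
  let target;
  try {
    [target] = resolver.resolveCname(name);
  } catch (err) {
    if (err.code === 'ENODATA') return { name, status: 'no-cname' };
    if (err.code === 'ENOTFOUND') return { name, status: 'nxdomain' };
    throw err;
  }
  try {
    resolver.resolve4(target);
  } catch (err) {
    if (err.code === 'ENOTFOUND') {
      const claimable = CLAIMABLE_SUFFIXES.some((s) => target.endsWith(s));
      return { name, target, status: claimable ? 'dangling-claimable' : 'dangling' };
    }
    if (err.code !== 'ENODATA') throw err;  // ENODATA (e.g. AAAA-only target) still means it exists
  }
  return { name, target, status: 'ok' };
}

// Classify a whole list and return only the records that need action.
function findDangling(names, resolver = FAKE_RESOLVER) {
  return names.map((n) => classify(n, resolver)).filter((r) => r.status.startsWith('dangling'));
}

const OWN_NAMES = Object.keys(FAKE_ZONE).filter((n) => n.endsWith('.yoursite.com'));
for (const r of findDangling(OWN_NAMES)) {
  console.log(`🚨 ${r.name} → ${r.target} [${r.status}]`);
}
```

Note that an 'ok' result only proves the target exists today; whether the account behind it is still yours is an inventory question, not a DNS one.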

The smart way (use tools):

As someone who's active in security communities, these are the go-to tools:

# Subfinder - find all subdomains
subfinder -d yoursite.com -o subdomains.txt

# SubOver - check for takeovers
subover -l subdomains.txt

# Can I Take Over XYZ - not a scanner but a reference list of which services are
# claimable and what their "not found" fingerprints look like; check flagged targets against it

Pro tip from bug bounty hunters: Automate this! Run it weekly on your domains.

The Good vs Bad ❌✅

BAD - Abandoned DNS Records:

# DNS Configuration
blog.yoursite.com.    CNAME    old-project.github.io.
# ^ GitHub repo deleted 6 months ago
# ^ DNS record still exists
# ^ 🚨 TAKEOVER RISK!

What happens:

  1. Hacker claims the name old-project on GitHub (the account, then a Pages repo)
  2. Enables GitHub Pages
  3. Your subdomain now loads their content

GOOD - Clean DNS Management:

# Before deleting ANY cloud service:
1. Check DNS records (all of them!)
2. Remove CNAME/A records FIRST
3. THEN delete the service
4. Document what points where

# Or use wildcard protection
*.yoursite.com → points to YOUR server with 404 page
# (only covers names with NO explicit record; it does not override a leftover CNAME)

How to Fix This Right Now! 🛠️

Step 1: Audit Your DNS

# Export ALL your DNS records
# Check every CNAME pointing to external services

# Question for each record:
# "Do I still control the target?"
# If no → DELETE IT!

Step 2: Regular DNS Hygiene

Create a spreadsheet (yes, really!):

Subdomain           Points To   Service   Last Verified   Owner
blog.yoursite.com   Netlify     Active    2026-02-03      @dev-team
old.yoursite.com    Heroku      DELETED   🚨 REMOVE       N/A
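To make the spreadsheet do some work, here is an added example (not from the original post) that reconciles a DNS export against the inventory: rows marked DELETED that still have a record, CNAMEs nobody documented, rows not re-verified recently, and inventory rows with no record behind them all come out as findings. The zone export, the inventory rows, the 30-day verification window and the hostnames are all constructed for the example.

```javascript
// Added example (not the post's code): reconcile a DNS export against the
// subdomain inventory so "DELETED" services and undocumented CNAMEs surface automatically.

// Constructed DNS export in zone-file style (hosts and addresses are made up).
const ZONE_EXPORT = `
; yoursite.com export - constructed sample
blog.yoursite.com.   300  IN  CNAME  yoursite.netlify.app.
old.yoursite.com.    300  IN  CNAME  old-project.herokuapp.com.
api.yoursite.com.    300  IN  A      203.0.113.10
docs.yoursite.com.   300  IN  CNAME  yoursite.github.io.
`;

// Constructed inventory matching the spreadsheet columns above.
const INVENTORY = [
  { subdomain: 'blog.yoursite.com',   service: 'Netlify', status: 'Active',  lastVerified: '2026-02-03', owner: '@dev-team' },
  { subdomain: 'old.yoursite.com',    service: 'Heroku',  status: 'DELETED', lastVerified: null,         owner: 'N/A' },
  { subdomain: 'legacy.yoursite.com', service: 'Zendesk', status: 'Active',  lastVerified: '2025-11-20', owner: '@support' },
];

// Parse "name ttl class type data" lines; skips comments/blank lines, strips trailing dots.
function parseZone(text) {
  const records = [];
  for (const raw of text.split('\n')) {
    const line = raw.split(';')[0].trim();
    if (!line) continue;
    const [name, , , type, data] = line.split(/\s+/);
    records.push({ name: name.replace(/\.$/, ''), type, data: data.replace(/\.$/, '') });
  }
  return records;
}

const DAY_MS = 86400000;

// Returns findings: { subdomain, problem, detail }, where problem is one of:
//   remove-record    - DNS still points at a service the inventory says is DELETED
//   undocumented     - CNAME to an external host with no inventory row: nobody owns it
//   stale            - inventory row not re-verified within maxAgeDays
//   inventory-orphan - inventory row with no DNS record (documentation drift)
function reconcile(records, inventory, today, maxAgeDays = 30) {
  const byName = new Map(inventory.map((row) => [row.subdomain, row]));
  const findings = [];
  const seen = new Set();
  for (const rec of records) {
    seen.add(rec.name);
    const row = byName.get(rec.name);
    if (rec.type === 'CNAME' && !row) {
      findings.push({ subdomain: rec.name, problem: 'undocumented', detail: `CNAME → ${rec.data}` });
      continue;
    }
    if (!row) continue;  // A/AAAA record with no row: it's your own address, not an external dependency
    if (row.status === 'DELETED') {
      findings.push({ subdomain: rec.name, problem: 'remove-record', detail: `${rec.type} → ${rec.data} (${row.service} deleted)` });
    } else if (!row.lastVerified || (today - new Date(row.lastVerified)) / DAY_MS > maxAgeDays) {
      findings.push({ subdomain: rec.name, problem: 'stale', detail: `last verified ${row.lastVerified || 'never'} by ${row.owner}` });
    }
  }
  for (const row of inventory) {
    if (!seen.has(row.subdomain)) {
      findings.push({ subdomain: row.subdomain, problem: 'inventory-orphan', detail: `no DNS record, owner ${row.owner}` });
    }
  }
  return findings;
}

const FINDINGS = reconcile(parseZone(ZONE_EXPORT), INVENTORY, new Date('2026-04-01'));
for (const f of FINDINGS) console.log(`[${f.problem}] ${f.subdomain}: ${f.detail}`);
```

Run it from the same cron job as the DNS check and post the findings to whatever channel the owners actually read; "stale" is the finding that keeps the spreadsheet honest.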

Step 3: Implement Monitoring

// Simple monitoring script (run weekly)
const dns = require('dns');

const subdomains = [
  'blog.yoursite.com',
  'api.yoursite.com',
  'cdn.yoursite.com'
];

subdomains.forEach(subdomain => {
  dns.resolveCname(subdomain, (err, targets) => {
    if (err) {
      // ENODATA = the name exists but has no CNAME (A/AAAA record) - nothing to check here
      if (err.code === 'ENODATA') return;
      console.log(`⚠️  ${subdomain} has DNS issues! (${err.code})`);
      // Send alert to Slack/email
      return;
    }
    // A CNAME query succeeds even when the target is gone, so resolve the target too
    const target = targets[0];
    dns.resolve4(target, (err2) => {
      if (err2 && err2.code === 'ENOTFOUND') {
        console.log(`🚨 ${subdomain} → ${target} is DANGLING (NXDOMAIN) - takeover risk!`);
        // Send alert to Slack/email
      } else {
        console.log(`✅ ${subdomain} → ${target}`);
        // Still verify you control the target: resolving proves it exists, not that it's yours
      }
    });
  });
});

Defense Strategies 🛡️

1. Use CAA Records

# DNS CAA Record
yoursite.com.    CAA    0 issue "letsencrypt.org"

# This restricts which CAs may issue SSL certs for names under your domain
# It only blunts a takeover if the CA you allow is NOT one the hijacked platform
# can use (many of these platforms issue certificates through Let's Encrypt),
# so treat CAA as a secondary control, not a fix for the dangling record

2. Claim Defensive Subdomains

# Register these on services you DON'T use:
yourcompany.github.io
yourcompany.herokuapp.com
yourcompany.netlify.app

# Point them to a 404 page you control
# Can't take over what's already claimed!

3. Wildcard Catch-All

# In your DNS
*.yoursite.com → your-404-server.com

# Then EXPLICITLY allow only active subdomains
# This way unknown subdomains = your control
# Caveat: a wildcard only answers for names with NO explicit record. A leftover
# blog.yoursite.com CNAME still wins over *.yoursite.com, so the catch-all protects
# against guessed names, not against records you forgot to delete
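To see exactly which names a wildcard covers, here is an added example (not from the original post) that models an authoritative server's lookup following the wildcard rules of RFC 4592: an explicit record always wins, a wildcard only synthesizes answers for names whose closest existing ancestor owns it, and a name under an existing node with no wildcard of its own is NXDOMAIN. The zone contents are constructed; the dangling blog CNAME from the BAD example above is kept in deliberately to show that the catch-all does not hide it.

```javascript
// Added example (not the post's code): a tiny authoritative-lookup model showing
// which names a wildcard record actually covers. Zone contents are constructed.

// Constructed zone: name -> array of { type, data }
const WILDCARD_ZONE = {
  'yoursite.com':        [{ type: 'A', data: '203.0.113.5' }],
  '*.yoursite.com':      [{ type: 'A', data: '203.0.113.44' }],              // catch-all 404 server
  'blog.yoursite.com':   [{ type: 'CNAME', data: 'old-project.github.io' }], // dangling, but explicit
  'api.yoursite.com':    [{ type: 'A', data: '203.0.113.10' }],
  'eu.api.yoursite.com': [{ type: 'A', data: '203.0.113.11' }],
};

// Every name in the zone plus its ancestors inside the zone counts as an existing
// node (this is what makes "empty non-terminals" block wildcard matching).
function existingNodes(zone) {
  const nodes = new Set();
  for (const name of Object.keys(zone)) {
    const labels = name.split('.');
    for (let i = 0; i < labels.length - 1; i++) nodes.add(labels.slice(i).join('.'));
  }
  return nodes;
}

// Resolve qname the way an authoritative server for the zone would.
// Returns { rcode, source, records } where source is the zone name that answered.
function lookup(zone, qname, nodes = existingNodes(zone)) {
  if (zone[qname]) return { rcode: 'NOERROR', source: qname, records: zone[qname] };
  if (nodes.has(qname)) return { rcode: 'NOERROR', source: qname, records: [] };  // empty non-terminal
  // Walk up to the closest existing ancestor: only a wildcard directly under it may answer.
  const labels = qname.split('.');
  for (let i = 1; i < labels.length; i++) {
    const ancestor = labels.slice(i).join('.');
    if (nodes.has(ancestor)) {
      const wild = '*.' + ancestor;
      return zone[wild]
        ? { rcode: 'NOERROR', source: wild, records: zone[wild] }
        : { rcode: 'NXDOMAIN', source: null, records: [] };
    }
  }
  return { rcode: 'REFUSED', source: null, records: [] };  // name is outside this zone
}

// Which of these names does the catch-all actually protect?
for (const q of ['blog.yoursite.com', 'random.yoursite.com', 'deep.random.yoursite.com', 'x.api.yoursite.com']) {
  const r = lookup(WILDCARD_ZONE, q);
  const answer = r.records.map((rr) => `${rr.type} ${rr.data}`).join(', ') || '(none)';
  console.log(`${q.padEnd(26)} ${r.rcode.padEnd(9)} via ${r.source || '-'}: ${answer}`);
}
```

The output makes the caveat concrete: random.yoursite.com and even deep.random.yoursite.com land on your 404 server, x.api.yoursite.com is NXDOMAIN because api.yoursite.com exists and has no wildcard of its own, and blog.yoursite.com still hands out the dangling CNAME.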

4. Regular Audits (Automate This!)

# Cron job - every Monday 9am
0 9 * * 1 /usr/local/bin/check-subdomains.sh

# Alert to Slack if issues found
# Trust me, future you will thank present you!

The Bug Bounty Angle 💰

Want to find these vulnerabilities?

  1. Use Amass/Subfinder to enumerate subdomains
  2. Run SubOver to check for takeovers
  3. Actually attempt the takeover (on your OWN domains first!)
  4. Screenshot proof
  5. Submit to bug bounty program

Pro tips from my bug hunting experience:

  • Old companies = more forgotten subdomains
  • Check acquisitions (merged companies often forget DNS)
  • Look for seasonal subdomains (holiday2019.site.com still up in 2026?)
  • Test staging/dev environments (often forgotten)

Average bounty: $500-$2000 depending on impact. Not bad for a DNS lookup! 💸

The 5-Minute Security Win ⚡

Do this RIGHT NOW:

# 1. List all your DNS records
# (export the zone from your DNS provider's dashboard or API: "dig yoursite.com ANY"
#  only returns records for the apex name, not your subdomains, and many resolvers refuse ANY queries)

# 2. For each CNAME, find the target
dig subdomain.yoursite.com CNAME

# 3. Test if the target exists (dig the target for NXDOMAIN, then fetch it)
curl -I https://the-target.service.com

# 4. If "Not Found" or NXDOMAIN but the CNAME exists = DELETE THE DNS RECORD!

Takes 5 minutes. Could save you from a security incident.

Real-World Horror Story 💀

A friend's company had admin.company.com pointing to an old Heroku app. They forgot about it for 2 years.

Someone took it over, created a fake login page, and sent phishing emails to employees using the REAL company domain.

17 employees entered their credentials before it was caught.

All because of one forgotten DNS record.

Don't be that company! 🙅‍♂️

Your Action Plan 📋

Today:

  • Export all DNS records
  • Check every CNAME/A record
  • Delete records pointing to abandoned services
  • Document what each subdomain does

This Week:

  • Set up DNS monitoring
  • Create a subdomain inventory spreadsheet
  • Test for existing takeovers
  • Add CAA records

Monthly:

  • Audit DNS records
  • Verify ownership of external services
  • Check for new subdomains (DNS zones creep!)
  • Update documentation

Tools I Actually Use 🔧

# Discovery
- subfinder (fast, accurate)
- amass (comprehensive but slow)
- assetfinder (good for quick checks)

# Takeover Detection
- subjack (fast, customizable)
- nuclei (with subdomain-takeover templates)
- can-i-take-over-xyz (great reference list)

# Monitoring
- DNSdumpster (manual checks)
- SecurityTrails (commercial, but powerful)
- Custom scripts (cron + curl = ❤️)

The Bottom Line 🎯

Subdomain takeover is:

  • Easy to miss (out of sight, out of mind)
  • Easy to exploit (literally just claim a username)
  • Easy to prevent (delete old DNS records!)

The fix is simple: Before you delete ANY cloud service, remove the DNS record FIRST. Make it a company policy. Add it to your offboarding checklist.

Think of DNS like your house keys. When you move out, you change the locks. You don't leave the old keys working and hope nobody finds them! 🔑

Resources That Don't Suck 📚


Found a subdomain takeover? Responsibly disclose it! Most companies have bug bounty programs and will thank you (with $$$).

Want to discuss security? Connect with me on LinkedIn - I love talking about this stuff!

More security tips coming! Follow this blog for weekly security content! 🔐

P.S. - Go check your DNS records RIGHT NOW. I'll wait.