Subdomain Discovery

Medium

DNS reconnaissance and subdomain discovery using Fierce.

Estimated fix time: 30 minutes

What is Subdomain Discovery?

Fierce performs DNS reconnaissance by brute forcing subdomains and checking for misconfigured DNS entries. It discovers subdomains that may be running vulnerable or forgotten services, which are prime targets for subdomain takeover attacks.

Security Impact

Severity: Medium

  • Discovery of forgotten or unmaintained services
  • Subdomain takeover opportunities
  • Exposure of internal staging or development environments
  • Mapping of infrastructure for targeted attacks
  • Discovery of shadow IT services

How to Fix

1. Audit and Clean Up Subdomains

Regularly review all DNS records and remove unused subdomains:

# List all subdomains using your DNS provider's API or dashboard
# Remove any subdomains that:
# - Point to decommissioned services
# - Are no longer in active use
# - Point to third-party services you no longer use

2. Protect Against Subdomain Takeover

Ensure all subdomains point to active, claimed resources:

# Check for dangling CNAME records
dig CNAME old-app.yourdomain.com

# If it points to a service you no longer use (e.g., Heroku, S3, GitHub Pages),
# either reclaim the resource or remove the DNS record

3. Use Wildcard DNS Carefully

; Avoid wildcard DNS records in production
; They can mask dangling subdomains
; *.yourdomain.com.  IN  A  1.2.3.4  ; Avoid this

; Instead, explicitly define each subdomain
www.yourdomain.com.   IN  A  1.2.3.4
app.yourdomain.com.   IN  A  1.2.3.4

4. Restrict Development/Staging Subdomains

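# Restrict staging subdomains by source IP and authentication
server {
    server_name staging.yourdomain.com;

    # IP restriction (replace YOUR_OFFICE_IP with your office address)
    allow 10.0.0.0/8;
    allow YOUR_OFFICE_IP;
    deny all;

    # Basic auth. With both controls present nginx requires both
    # (the default is "satisfy all"); set "satisfy any;" to accept either.
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
}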

5. Monitor for New Subdomains

Set up monitoring to detect unauthorized subdomain creation:

  • Use Certificate Transparency logs to monitor new certificates
  • Set up alerts for DNS record changes
  • Regularly scan your own domains to catch drift
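
One way to automate the checks from steps 2 and 3 over an exported zone file, as an added example that is not part of the original guide or of Fierce. The names ZONE, SAMPLE_ZONE, resolve_name and audit_zone are hypothetical, and the sample records are constructed. A CNAME reported as EXTERNAL still resolves, but the resource behind it may be unclaimed, so confirm ownership with the provider.

```shell
#!/bin/sh
# Added example: audit a zone export for wildcards and risky CNAMEs.
ZONE="yourdomain.com."   # assumption: your zone apex, with trailing dot

# Constructed sample records (hostnames and addresses are made up).
SAMPLE_ZONE='; constructed sample zone
www.yourdomain.com.      IN  A      1.2.3.4
*.yourdomain.com.        IN  A      1.2.3.4
blog.yourdomain.com.     IN  CNAME  www.yourdomain.com.
old-app.yourdomain.com.  IN  CNAME  old-app.hosting.example.
docs.yourdomain.com. 300 IN  CNAME  docs.pages.example.'

# Hypothetical helper: print the addresses a name resolves to, or nothing.
# Drops dig's ";;" diagnostics and intermediate CNAME names (end in ".").
resolve_name() {
    { dig +short A "$1"; dig +short AAAA "$1"; } 2>/dev/null | grep -Ev '^;|\.$'
}

# Reads zone-file lines on stdin and prints one finding per line:
#   WILDCARD name            wildcard record, can mask dangling names
#   DANGLING name -> target  CNAME whose target resolves to no address
#   EXTERNAL name -> target  CNAME leaving the zone: confirm it is still claimed
audit_zone() {
    # Strip ";" comments, then emit "name type rdata" for each record.
    awk '{ sub(/;.*/, "") }
         NF >= 4 { for (i = 2; i < NF; i++) if ($i == "IN") { print $1, $(i+1), $(i+2); break } }' |
    while read -r name type rdata; do
        case "$name" in '*.'*) echo "WILDCARD $name" ;; esac
        [ "$type" = "CNAME" ] || continue
        if [ -z "$(resolve_name "$rdata")" ]; then
            echo "DANGLING $name -> $rdata"
        else
            case "$rdata" in
                *".$ZONE"|"$ZONE") ;;   # target stays inside the zone
                *) echo "EXTERNAL $name -> $rdata" ;;
            esac
        fi
    done
}

# Usage: audit_zone < zone-export.txt
#    or: printf '%s\n' "$SAMPLE_ZONE" | audit_zone
```

Run it on a schedule against each zone export and alert on any new line of output to catch drift.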

Verification

After cleanup, Fierce should discover fewer subdomains. All discovered subdomains should point to active, properly secured services.
