Subdomain Takeover

What is Subdomain Takeover?

Subdomain takeover occurs when a DNS record points to an external service (like Heroku, AWS, or GitHub Pages) that you no longer control. Attackers can claim the service and serve malicious content on your subdomain.

Security Impact

Severity: High

• Phishing attacks using your domain
• Malware distribution
• Reputation damage
• SEO poisoning
• Session hijacking

How to Fix

1. Audit DNS Records

# List all DNS records
dig yourdomain.com ANY

# Check specific subdomain
dig subdomain.yourdomain.com

# Check CNAME records
dig subdomain.yourdomain.com CNAME

2. Remove Dangling DNS Records

Remove CNAME records pointing to services you no longer use:

# Vulnerable
blog.yourdomain.com CNAME myblog.herokuapp.com

# If you deleted the Heroku app, remove this DNS record!

3. Monitor Common Services

Services vulnerable to takeover:

• Heroku: *.herokuapp.com
• GitHub Pages: *.github.io
• AWS S3: *.s3.amazonaws.com
• Azure: *.azurewebsites.net
• Shopify: *.myshopify.com

4. Verify Subdomains

# Check if subdomain resolves
nslookup app.yourdomain.com

# Check what it points to
dig app.yourdomain.com CNAME

5. Implement CAA Records

# DNS CAA record
yourdomain.com. CAA 0 issue "letsencrypt.org"
yourdomain.com. CAA 0 issuewild ";"

Prevention

1. Document all subdomains
2. Before deleting services, remove DNS records
3. Regular DNS audits
4. Use DNS monitoring tools
5. Implement DNS CAA records

Verification Steps

1. List all DNS records
2. Verify each CNAME resolves correctly
3. Check for orphaned records
4. Test subdomain accessibility
5. Use automated scanners

Tools

• dig, nslookup - DNS queries
• can-i-take-over-xyz - Service fingerprints
• Security scanners with subdomain takeover detection

Related Issues

• DNS Security
• Email Security