Subdomain Takeover — Detection and Prevention

A subdomain takeover occurs when a subdomain's DNS record points to an external service that has been deleted or deprovisioned, allowing an attacker to claim that service and serve content on your subdomain. Common targets include GitHub Pages, AWS S3 buckets, Heroku apps, and Netlify sites.

How Subdomain Takeovers Happen

When you delete a Heroku app but forget to remove the CNAME record pointing to it, the subdomain is left dangling. An attacker can register a new Heroku app with the same name and immediately serve content on your subdomain — passing off phishing pages as legitimate.

High-Risk Services

Services most commonly exploited for subdomain takeovers include:

How to Prevent Subdomain Takeovers

  1. Remove DNS records when deprovisioning services
  2. Regularly audit CNAMEs in your DNS
  3. Use DomainPreflight's Dangling Records tool to scan for vulnerable subdomains
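
One way to carry out steps 1 and 2 by hand, as an added example that is not DomainPreflight's code: compare every CNAME in a zone export against an inventory of the resources you still have provisioned, and report the ones left over. The suffix list, function names, zone data and inventory below are assumptions constructed for illustration.

```python
# Suffixes for the services this page names (assumed mapping, not exhaustive).
SERVICE_SUFFIXES = {
    "github.io": "GitHub Pages",
    "s3.amazonaws.com": "AWS S3",
    "herokuapp.com": "Heroku",
    "netlify.app": "Netlify",
}

def absolute(name, origin):
    """Expand a zone-file name to a lowercase FQDN without the trailing dot."""
    if name.endswith("."):
        return name[:-1].lower()
    return origin if name == "@" else f"{name.lower()}.{origin}"

def parse_cnames(zone_text, origin):
    """Yield (fqdn, target) for every CNAME record in a BIND-style export."""
    origin = origin.rstrip(".").lower()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()        # drop trailing comments
        types = [f.upper() for f in fields]          # record types are case-insensitive
        if len(fields) >= 2 and types[0] == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
        elif "CNAME" in types[1:-1]:                 # owner before it, target after it
            target = fields[types.index("CNAME", 1) + 1]
            yield absolute(fields[0], origin), absolute(target, origin)

def service_for(target):
    """Return the service name if target sits under a known hosting suffix."""
    return next((svc for suf, svc in SERVICE_SUFFIXES.items()
                 if target == suf or target.endswith("." + suf)), None)

def find_dangling(zone_text, origin, provisioned):
    """CNAMEs to a known service whose target is missing from the inventory."""
    live = {t.rstrip(".").lower() for t in provisioned}
    return [(name, target, service_for(target))
            for name, target in parse_cnames(zone_text, origin)
            if service_for(target) and target not in live]

# Constructed sample data: a zone export and the resources the team still owns.
SAMPLE_ZONE = """\
$ORIGIN example.com.
www     3600 IN CNAME example-org.github.io.        ; still in use
shop    3600 IN CNAME acme-shop.herokuapp.com.      ; app was deleted
assets       IN CNAME acme-assets.s3.amazonaws.com.
mail         IN CNAME mx.example.com.
"""
SAMPLE_INVENTORY = ["example-org.github.io", "acme-assets.s3.amazonaws.com"]
```

The check uses an inventory rather than a DNS lookup because a provider hostname can keep resolving after the resource behind it has been deleted.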
