Subdomain Takeover — Detection and Prevention
A takeover happens when status.yourdomain.com still CNAMEs to a GitHub Pages repo or S3 bucket you deleted. An attacker claims that bucket or repo and suddenly hosts a phishing page on your subdomain.
How Subdomain Takeovers Happen
You tear down the Heroku app but leave the CNAME. Someone else creates a new app with the same target name. Now they control your hostname.
High-Risk Services
Classic sinks:
- GitHub Pages (*.github.io)
- AWS S3 (*.s3.amazonaws.com)
- Heroku (*.herokuapp.com)
- Netlify (*.netlify.app)
- Azure (*.azurewebsites.net)
How to Prevent Subdomain Takeovers
- Delete the DNS record when you delete the cloud resource
- Audit CNAMEs quarterly — boring but cheap
- Run our dangling scan when you inherit a zone
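One way to run the CNAME audit yourself, as an added example (not code from this site's scanner): it pulls the CNAME records out of a zone export, keeps the ones pointing at the providers listed above, and marks each as dangling when the target is missing from an inventory of resources you still own. The zone lines, the inventory, and the function names are constructed for illustration.

```python
# Added example: CNAME audit against the provider suffixes listed on this page.
import re

HIGH_RISK_SUFFIXES = (
    ".github.io", ".s3.amazonaws.com", ".herokuapp.com",
    ".netlify.app", ".azurewebsites.net",
)

# Constructed sample zone export (BIND-style lines).
SAMPLE_ZONE = """\
www      3600 IN CNAME example-corp.github.io.
status   3600 IN CNAME example-status.herokuapp.com.
assets   3600 IN CNAME example-assets.s3.amazonaws.com.
docs     3600 IN CNAME example-docs.netlify.app.
mail     3600 IN CNAME mail.example.net.
api      3600 IN A     192.0.2.10
"""

# Constructed inventory: provider hostnames your accounts still own.
LIVE_RESOURCES = {"example-corp.github.io", "example-docs.netlify.app"}

CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)\s*$", re.I)

def parse_cnames(zone_text):
    """Yield (name, target); target is lowercased with the trailing dot removed."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        m = CNAME_RE.match(line)
        if m:
            yield m.group(1), m.group(2).rstrip(".").lower()

def audit(zone_text, live_resources):
    """Return [(name, target, status)] for CNAMEs that point at a listed provider."""
    live = {r.lower() for r in live_resources}
    findings = []
    for name, target in parse_cnames(zone_text):
        if not target.endswith(HIGH_RISK_SUFFIXES):
            continue                            # not one of the listed providers
        status = "ok" if target in live else "dangling"
        findings.append((name, target, status))
    return findings

if __name__ == "__main__":
    for name, target, status in audit(SAMPLE_ZONE, LIVE_RESOURCES):
        print(f"{status:9} {name} -> {target}")
```

Checking targets against your own inventory rather than against DNS resolution matters because a provider hostname can still resolve after the resource behind it is gone.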