01 What is a Subdomain Takeover?
A subdomain takeover occurs when a DNS record for one of your subdomains points to an external service that is no longer active (deleted, expired, or released). An attacker can register that same service name and use it to host their own content on your subdomain, effectively hijacking the trust your domain carries.
02 How It Happens
It usually starts with a CNAME record. For example, if blog.example.com points to a GitHub Pages site that you've since deleted, but you forgot to remove the DNS record, an attacker can create a new GitHub repository and claim blog.example.com for themselves.
03 The Risks Involved
An attacker can host phishing pages, distribute malware, or steal cookies from your main domain. Because the content is hosted on your trusted subdomain, visitors (and search engines) are more likely to believe it's legitimate.
04 How to Detect Orphaned DNS
Regularly auditing your DNS zone files is key. Look for CNAME, ALIAS, or A/AAAA records that point to external providers, and verify that the subscription or resource behind each one is still active and still under your control.
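The audit described above, as an added example that is not part of the original page: a small Python script parses a BIND-style zone file, keeps only the CNAME records whose target lies outside the zone, and flags those whose target no longer resolves. The zone snippet, the hostnames and the resolver answers are constructed sample data, and `resolve()` is a stand-in for a real lookup (with dnspython you would call `dns.resolver.resolve()` in its place).

```python
"""Flag external CNAME targets in a zone file that no longer resolve.

Added example; the zone content and the resolver answers below are
constructed, not real DNS data.
"""
import re

# Constructed sample zone for example.com.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@          IN  SOA   ns1.example.com. hostmaster.example.com. (2024010101 7200 900 1209600 3600)
@          IN  NS    ns1.example.com.
www        IN  A     203.0.113.10
blog       IN  CNAME example-org.github.io.           ; GitHub Pages site, since deleted
assets     IN  CNAME example-assets.s3-website-us-east-1.amazonaws.com.
app        IN  CNAME example-app.herokuapp.com.       ; Heroku app, since removed
intranet   IN  CNAME gateway.example.com.             ; internal target, not in scope
"""

# Constructed resolver view: CNAME target -> address, or None to model NXDOMAIN.
SAMPLE_ANSWERS = {
    "example-org.github.io.": None,
    "example-assets.s3-website-us-east-1.amazonaws.com.": "192.0.2.50",
    "example-app.herokuapp.com.": None,
    "gateway.example.com.": "203.0.113.20",
}

# owner [ttl] [IN] CNAME target  (class and TTL are optional in zone files)
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.IGNORECASE)


def parse_cnames(zone_text, default_origin="example.com."):
    """Return (owner_fqdn, target_fqdn) pairs for every CNAME record in the zone."""
    origin = default_origin
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]              # honour $ORIGIN for relative names
            continue
        if line.startswith("$"):
            continue
        m = CNAME_RE.match(line)
        if not m:
            continue
        owner, target = m.group(1), m.group(2)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        if not target.endswith("."):
            target = f"{target}.{origin}"
        records.append((owner, target))
    return records


def is_external(target, origin):
    """True when the CNAME target lies outside our own zone."""
    return not (target == origin or target.endswith("." + origin))


def resolve(name, answers=SAMPLE_ANSWERS):
    """Stand-in for a DNS lookup: returns an address, or None on NXDOMAIN."""
    return answers.get(name)


def audit_zone(zone_text, origin="example.com.", answers=SAMPLE_ANSWERS):
    """List external CNAME records whose target no longer resolves.

    Each finding is a takeover candidate that must be confirmed with the
    provider (the record may simply be pointing at a renamed resource).
    """
    findings = []
    for owner, target in parse_cnames(zone_text, origin):
        if not is_external(target, origin):
            continue
        if resolve(target, answers) is None:
            findings.append({"record": owner, "target": target, "status": "TARGET_NXDOMAIN"})
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        print(f"{f['status']}: {f['record']} -> {f['target']}")
```

An NXDOMAIN on the target is only one signal. Some providers keep the target name resolvable and answer with a provider error page instead, so a complete audit also compares each flagged record against the inventory of resources you actually own, and any record you cannot account for is removed rather than investigated later.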
05 Prevention Best Practices
Rule #1: Delete the DNS record first. Never decommission a service (such as a cloud bucket or a hosting plan) before removing the DNS records that point to it. Automating your DNS management can also reduce the human error that leaves records behind.
06 Frequently Asked Questions
How do I know if I have orphaned DNS records?
You can use a DNS auditing tool or a website checker like LamaniSecure to list your subdomains and check if their CNAME records point to inactive or unclaimed services.
Which services are most vulnerable to takeovers?
Cloud services like GitHub Pages, AWS S3 buckets, Heroku, and Azure are common targets if the records are not deleted after the service is decommissioned.
Can an attacker steal cookies via a subdomain?
Yes. If an attacker takes over a subdomain, they can often read cookies that were scoped to the parent domain (set with a Domain attribute such as Domain=example.com), which can lead to session hijacking.
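To show why parent-domain cookies are exposed, and what a host-only cookie or the `__Host-` prefix changes, here is an added Python example (not part of the original page) that applies the RFC 6265 domain-matching rule to a few constructed Set-Cookie headers. The hostnames and cookie values are invented; the `Cookie` class and `parse_set_cookie` helper are assumptions of this example, not a browser's implementation.

```python
"""Which of a site's cookies would a request to a subdomain carry?

Added example with constructed cookies and hostnames. Implements the
RFC 6265 domain-match rule (section 5.1.3) and host-only handling.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    host_only: bool   # True when the Set-Cookie header carried no Domain attribute
    domain: str       # the cookie's domain (the setting host when host_only)


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain matching: equal, or request host is a subdomain of cookie domain."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().rstrip(".")
    if request_host == cookie_domain:
        return True
    # IP literals never domain-match; only a host name may be a "subdomain".
    is_ip_literal = request_host.replace(".", "").isdigit()
    return request_host.endswith("." + cookie_domain) and not is_ip_literal


def parse_set_cookie(header, setting_host):
    """Minimal Set-Cookie parser: keeps only the name and the Domain attribute."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = value.strip().lstrip(".").lower()
    if name.startswith("__Host-") and domain is not None:
        return None   # browsers reject a __Host- cookie that carries a Domain attribute
    if domain is None:
        return Cookie(name, True, setting_host.lower())
    return Cookie(name, False, domain)


def cookies_sent_to(request_host, jar):
    """Names of the cookies attached to a request to request_host (Path/Secure ignored)."""
    sent = []
    for c in jar:
        if c.host_only:
            if request_host.lower() == c.domain:
                sent.append(c.name)
        elif domain_matches(request_host, c.domain):
            sent.append(c.name)
    return sent


# Constructed example: the main site at www.example.com sets three cookies.
SETTING_HOST = "www.example.com"
SET_COOKIE_HEADERS = [
    "session=abc123; Domain=example.com; Secure; HttpOnly",  # parent-domain scoped
    "prefs=dark; Secure",                                    # host-only: no Domain attribute
    "__Host-csrf=xyz; Secure; Path=/",                       # prefix forces host-only
]


def build_jar(headers=SET_COOKIE_HEADERS, setting_host=SETTING_HOST):
    """Cookie jar as the browser would store it after visiting the setting host."""
    return [c for c in (parse_set_cookie(h, setting_host) for h in headers) if c]


def exposure_report(subdomain="blog.example.com"):
    """Cookies a hijacked subdomain would receive from the main site's jar."""
    return cookies_sent_to(subdomain, build_jar())


if __name__ == "__main__":
    print("sent to www.example.com :", cookies_sent_to("www.example.com", build_jar()))
    print("sent to blog.example.com:", exposure_report())
```

Only the `session` cookie, the one scoped with `Domain=example.com`, reaches `blog.example.com`; the host-only `prefs` cookie and the `__Host-csrf` cookie stay with `www.example.com`. Dropping the Domain attribute on session cookies (or using the `__Host-` prefix) therefore limits what an orphaned subdomain can expose, even before the DNS record is cleaned up.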