Severity: high | Category: Infrastructure

Subdomain Takeover

A subdomain takeover occurs when a DNS record points to an external service (such as a GitHub Pages site, Heroku app, or S3 bucket) that no longer exists. An attacker can claim that service and then control the content served from your subdomain, including the ability to obtain an SSL certificate for it.

What SecurityStatus Checks

  • CNAME records pointing to external services that return a 'not found' or 'no such app' error
  • Known takeover-vulnerable patterns for GitHub Pages, Heroku, Netlify, Azure, AWS S3, Shopify, etc.
  • A records pointing to cloud IPs that are no longer assigned to your account
  • Abandoned subdomains with live DNS but no associated service

Why This Matters

A subdomain takeover on status.yourdomain.com or login.yourdomain.com lets an attacker serve phishing pages on your trusted domain, capture cookies (if poorly scoped), or trick users into trusting malicious content. The attacker can obtain a valid SSL certificate, making the phishing page appear completely legitimate.

How to Fix It

  1. Identify all CNAME records pointing to external services

    Audit your DNS zone for CNAME records. For each CNAME, verify the target service still exists and is associated with your account.

  2. Remove DNS records for deprovisioned services

    The moment you delete a Heroku app, GitHub Pages site, or S3 bucket, immediately delete the corresponding DNS record. Never leave dangling CNAME records.

  3. Check for known vulnerable services

    Services like GitHub Pages, Heroku, Netlify, Fastly, Zendesk, and many others have known takeover signatures. SecurityStatus checks your subdomains against a database of these patterns.

  4. Establish a decommission process

    Include DNS cleanup as a mandatory step in your service decommission checklist. DNS records are often forgotten when teams delete apps and infrastructure.
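
The audit in steps 1 and 3 can be scripted against a zone export. The sketch below is an added example, not SecurityStatus's own code. It assumes a BIND-style export with an explicit owner name on every record and a caller-supplied `fetch(host)` callable (hypothetical) that returns the HTTP body or None. The sample zone and responses are constructed, and the fingerprint strings are the commonly documented provider error texts.

```python
import re

# CNAME target suffix -> error text the provider serves for an unclaimed name.
# Commonly documented signatures; extend from your own provider inventory.
FINGERPRINTS = {
    ".github.io": "There isn't a GitHub Pages site here",
    ".herokuapp.com": "No such app",
    ".s3.amazonaws.com": "NoSuchBucket",
}
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.I)

# Constructed sample data: a zone export and the bodies each host returns.
SAMPLE_ZONE = """\
@       3600 IN A     203.0.113.10
www     3600 IN CNAME example.com.
docs    3600 IN CNAME example-docs.github.io.
status  3600 IN CNAME example-status.herokuapp.com.  ; app deleted
old     3600 IN CNAME retired.example.net.
"""
SAMPLE_BODIES = {"docs.example.com": "<h1>Docs</h1>",
                 "status.example.com": "<html>No such app</html>"}

def parse_cnames(zone_text, origin):
    """Yield (fqdn, target) for each CNAME line; ';' starts a comment."""
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.split(";")[0].strip())
        if m:
            name, target = m.group(1), m.group(2).rstrip(".").lower()
            fqdn = origin if name == "@" else (
                name[:-1] if name.endswith(".") else f"{name}.{origin}")
            yield fqdn.lower(), target

def audit(zone_text, origin, fetch):
    """Classify every CNAME that leaves the zone. fetch(host) is supplied by
    the caller and returns the HTTP body, or None if nothing answered."""
    findings = []
    for fqdn, target in parse_cnames(zone_text, origin):
        if target == origin or target.endswith("." + origin):
            continue  # alias inside the zone, not an external service
        body = fetch(fqdn)
        marker = next((s for suf, s in FINGERPRINTS.items() if target.endswith(suf)), None)
        if body is None:
            status = "unreachable"   # target gone or not resolving: review record
        elif marker and marker in body:
            status = "unclaimed"     # provider says nothing is registered here
        else:
            status = "responds"      # still confirm it is in *your* account
        findings.append((fqdn, target, status))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE, "example.com", SAMPLE_BODIES.get):
        print(finding)
```

A "responds" result only shows that something answers at the target. Confirming that the service belongs to your account still has to be done in the provider's console.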

Frequently Asked Questions

Can a subdomain takeover affect my main domain?
Directly, no — the takeover is scoped to the subdomain. Indirectly, yes — cookies scoped to .yourdomain.com are accessible from all subdomains, including a taken-over one. If session cookies are scoped this broadly, a takeover can lead to session theft.
What services are most commonly used for subdomain takeovers?
GitHub Pages, Amazon S3, Heroku, Azure App Services, Netlify, Fastly, and Shopify are among the most commonly exploited. The technique works on any service where you can claim a specific namespace.
How do I fix a takeover that has already happened?
First, remove the dangling DNS record to end the attacker's ability to renew their claim. Then investigate what the attacker may have done with the subdomain (phishing, cookie collection, content hosting). Notify affected users if needed.
